Enhance storage-cli webdav config

[kathap]

Needs new storage-cli release with cloudfoundry/storage-cli#105 to be merged first, and #650 and cloudfoundry/cloud_controller_ng#4974 to be deployed together.

• A short explanation of the proposed change:
  Fix and complete the WebDAV/DAV storage-cli config templates across all Cloud Controller jobs so that storage-cli's signed URL generation works correctly. This includes constructing the endpoint with the resource directory key, passing through the optional public_endpoint for dual-endpoint lazy signing, and fixing the TLS cert structure to match storage-cli's expected format.

• An explanation of the use cases your change solves

  • Signed URL generation (HMAC-SHA256): Storage-cli extracts the directory key from the endpoint path (e.g. /admin/cc-droplets) and embeds it in signed URLs
    (/signed/cc-droplets/). Without the correct endpoint, signed URLs would be malformed and nginx would reject them with 403.
  • Dual-endpoint lazy signing: When public_endpoint is configured, sign-public generates user-facing URLs with the external blobstore hostname for app clients, while sign-internal
    uses the private endpoint for Diego. Without this pass-through, both commands would use the same host.
  • Legacy fog name support: Both "webdav" (legacy fog name) and "dav" (native storage-cli name) are accepted and normalised to "dav" at render time, enabling zero-downtime
    migration without manifest changes.

  Changes Made:

  20 config template files updated across 5 Cloud Controller job types:

  • cloud_controller_ng
  • cloud_controller_worker
  • cloud_controller_clock
  • cc_deployment_updater
  • blobstore_benchmark

  3 key modifications to each WebDAV/DAV config section:

  a. Endpoint construction with directory key — built from private_endpoint + "/admin/" + <resource_directory_key> (e.g. https://blobstore.internal:4443/admin/cc-droplets) instead
  of incorrectly using public_endpoint with no path

  b. Optional public_endpoint pass-through — passed to storage-cli when set, enabling sign-public to generate URLs with the external blobstore hostname

  c. Fixed TLS cert structure — corrected from {"cert": ca_cert} to {"cert": {"ca": ca_cert}} to match storage-cli's config format; added nil guard for environments without a CA
  cert

  Example Manifest Usage:

 cc:
   droplets:
     blobstore_type: storage-cli
     blobstore_provider: dav
     connection_config:
       username: blobstore-user
       password: ((blobstore_admin_users_password))
       private_endpoint: https://blobstore.service.cf.internal:4443
       public_endpoint: https://blobstore.cf.example.com  # optional, for sign-public
       secret: ((blobstore_secure_link_secret))

• Links to any other associated PRs

  • Add Dav Signing Functionality storage-cli#105 — DAV signing implementation
  • Add SHA256 HMAC signed URL support to blobstore #650 — nginx HMAC-SHA256 signed URL locations
  • Add WebDAV support to storage-cli client and improve test quality cloud_controller_ng#4974 — CC uses storage-cli for signed URL generation

• I have viewed signed and have submitted the Contributor License Agreement

• I have made this pull request to the develop branch

• I have run CF Acceptance Tests on bosh lite

[jochenehret]

I've tested this PR together with the related PRs on a bbl environment:
cloudfoundry/cloud_controller_ng#4974
cloudfoundry/storage-cli#105
#650

Works! We just need to update the relevant configuration documentation:

1. In the spec files, the parameter cc.<bucket>.blobstore_provider should mention the new type dav.
2. The parameter cc.<bucket>.connection_config is documented with Azure Storage Cli connection hash, should be changed to Storage CLI connection configuration (that's not related to this specific PR ;-)).
3. In the "Example Manifest Usage" section, we should align the credential names with the cf-deployment base manifest:
   blobstore_password -> blobstore_admin_users_password
blobstore_secret -> blobstore_secure_link_secret
4. The paramter retry_attempts should be documented.