alphagov/paas-cf-conduit

Broker displays a direct route to a service, not a tunnelled route

Closed this issue · 1 comments

As part of the work to integrate the https://github.com/alphagov/paas-aiven-broker with the GOV.UK PaaS, we're documenting the user-facing ways of interacting with the services it provisions. cf conduit appears to fail to provide a tunnelled-via-an-app route to these services, instead displaying the backend host which is trivially available via cf env.

This is a problem because it doesn't work with services which have an IP whitelist in front of them and which allow only PaaS-originated traffic to reach the service instances.

In Aiven's case, this happens for the Elasticsearch service. It's exposed as an HTTPS URI, with embedded/inline credentials. Perhaps this URI is confusing conduit?

$ cf create-service elasticsearch small-ha-6.x es
Creating service instance foo in org govuk-paas / space demo as admin...
OK

Create in progress. Use 'cf services' or 'cf service es' to check operation status.

$ until cf services | grep ^es | grep -v 'create in progress'; do sleep 5 ; done ; cf conduit es
OK Connecting client
OK Targeting org govuk-paas
OK Targeting space demo
OK Deploying __conduit_8664__
OK Uploading __conduit_8664__ bits
OK Starting __conduit_8664__
OK Waiting for conduit app to become available
OK Fetching service infomation
OK Binding es
OK Fetching environment
OK Starting port forwarding
OK Waiting for port forwarding

The following services are ready for you to connect to:

* service: es (elasticsearch)
  hostname: redacted-1840a56-a302-a57eeb2d3090.aivencloud.com
  password: redacted
  port: 10264
  uri: https://786b50b1-20a0-4d06-b50b-96ca048e4b89:redacted@redacted-1840a56-a302-a57eeb2d3090.aivencloud.com:10264
  username: 786b50b1-20a0-4d06-b50b-96ca048e4b89

Press Ctrl+C to shutdown.

Closing due to time elapsed.
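The output the issue expects, where every connection field points at the local forwarded port rather than the backend, can be sketched as follows. This is an added example, not code from paas-cf-conduit: `tunnelCreds`, `leaksBackend`, the local port 7080 and the sample binding are all hypothetical or constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strconv"
	"strings"
)

// sampleCreds is a constructed binding shaped like the output in the issue.
var sampleCreds = map[string]string{
	"hostname": "backend.example.invalid", "port": "10264",
	"username": "user", "password": "secret",
	"uri": "https://user:secret@backend.example.invalid:10264",
}

// tunnelCreds (hypothetical) copies creds and points hostname, port and uri at a local port.
func tunnelCreds(creds map[string]string, localPort int) (map[string]string, error) {
	out := make(map[string]string, len(creds))
	for k, v := range creds {
		out[k] = v
	}
	port := strconv.Itoa(localPort)
	out["hostname"], out["port"] = "127.0.0.1", port
	if raw, ok := creds["uri"]; ok {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, err
		}
		u.Host = "127.0.0.1:" + port // scheme, inline credentials and path are kept
		out["uri"] = u.String()
	}
	return out, nil
}

// leaksBackend (hypothetical) lists, sorted, the fields that still name the backend host.
func leaksBackend(creds map[string]string, backend string) []string {
	var fields []string
	for k, v := range creds {
		if strings.Contains(v, backend) {
			fields = append(fields, k)
		}
	}
	sort.Strings(fields)
	return fields
}

func main() { fmt.Println(tunnelCreds(sampleCreds, 7080)) }
```

Running `leaksBackend` over the fields a tunnelling tool prints is a quick regression check for the behaviour reported here. An `https` URI rewritten to `127.0.0.1` no longer matches the name in the backend's certificate, so the client still has to verify TLS against the original hostname.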