Don't apply best-practice CA expiry for bare

The `bare` feature is intended to do nothing more that absolutely required for Genesis to deploy upstream cf-deployment. To preserve this expectation, the best practice of 10-year CA expiry was moved to its own overlay and included if `bare` feature is not specified.
genesis-community · May 29, 2020 · 26c64f3 · 26c64f3
1 parent 38246d5
commit 26c64f3
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 24 deletions.
diff --git a/hooks/blueprint b/hooks/blueprint
@@ -63,8 +63,13 @@ fi
 ### Minimal injections required for Genesis compliance
 manifest+=( overlay/base.yml )
 
-### Overlay apps-domains/app_domains/apps_domain if not bare
-want_feature "bare" || manifest+=( "overlay/override-app-domains.yml" )
+### Set up some best practices if not bare
+if ! want_feature "bare" ; then
+  manifest+=( \
+    "overlay/override-app-domains.yml" \
+    "overlay/ten-year-ca-expiry.yml" \
+  )
+fi
 
 version=""
 abort=
@@ -287,14 +292,12 @@ for want in $GENESIS_REQUESTED_FEATURES; do
 
     local-postgres-db)
       databases+=( "$want" )
-      manifest+=( \
-        "cf-deployment/operations/use-postgres.yml" \
-      )
+      manifest+=( "cf-deployment/operations/use-postgres.yml" )
       ;;
 
     local-mysql-db)
       databases+=( "$want" )
-      # Default - no modifications needed
+      manifest+=( "overlay/local-mysql-db.yml" )
       ;;
 
     ###-----------------------------------------------------------------------------

diff --git a/overlay/base.yml b/overlay/base.yml
@@ -38,21 +38,3 @@ params:
   system_domain: (( concat "system." params.base_domain ))
   app_domains: (( grab meta.default_apps_domains meta.internal_app_domains ))
   apps_domain: (( grab params.app_domains[0] ))
-
-
-name: (( grab params.name ))
-
-# CAs should last 10 years instead of the default Credhub 1y
-variables:
-- { name: silk_ca,                    options: { duration: 3650 } }
-- { name: network_policy_ca,          options: { duration: 3650 } }
-- { name: service_cf_internal_ca,     options: { duration: 3650 } }
-- { name: loggregator_ca,             options: { duration: 3650 } }
-- { name: log_cache_ca,               options: { duration: 3650 } }
-- { name: router_ca,                  options: { duration: 3650 } }
-- { name: routing_api_ca,             options: { duration: 3650 } }
-- { name: uaa_ca,                     options: { duration: 3650 } }
-- { name: application_ca,             options: { duration: 3650 } }
-- { name: diego_instance_identity_ca, options: { duration: 3650 } }
-- { name: credhub_ca,                 options: { duration: 3650 } }
-- { name: metric_scraper_ca,          options: { duration: 3650 } }
diff --git a/overlay/ten-year-ca-expiry.yml b/overlay/ten-year-ca-expiry.yml
@@ -0,0 +1,14 @@
+# CAs should last 10 years instead of the default Credhub 1y
+variables:
+- { name: silk_ca,                    options: { duration: 3650 } }
+- { name: network_policy_ca,          options: { duration: 3650 } }
+- { name: service_cf_internal_ca,     options: { duration: 3650 } }
+- { name: loggregator_ca,             options: { duration: 3650 } }
+- { name: log_cache_ca,               options: { duration: 3650 } }
+- { name: router_ca,                  options: { duration: 3650 } }
+- { name: routing_api_ca,             options: { duration: 3650 } }
+- { name: uaa_ca,                     options: { duration: 3650 } }
+- { name: application_ca,             options: { duration: 3650 } }
+- { name: diego_instance_identity_ca, options: { duration: 3650 } }
+- { name: credhub_ca,                 options: { duration: 3650 } }
+- { name: metric_scraper_ca,          options: { duration: 3650 } }