From 26c64f3bf3c1b26e51e9849b4b1d07afa4a173cf Mon Sep 17 00:00:00 2001
From: Dennis Bell
Date: Fri, 29 May 2020 13:44:49 -0700
Subject: [PATCH] Don't apply best-practice CA expiry for bare

The `bare` feature is intended to do nothing more that absolutely required for Genesis to deploy upstream cf-deployment. To preserve this expectation, the best practice of 10-year CA expiry was moved to its own overlay and included if `bare` feature is not specified.
---
 hooks/blueprint | 15 +++++++++------
 overlay/base.yml | 18 ------------------
 overlay/ten-year-ca-expiry.yml | 14 ++++++++++++++
 3 files changed, 23 insertions(+), 24 deletions(-)
 create mode 100644 overlay/ten-year-ca-expiry.yml

diff --git a/hooks/blueprint b/hooks/blueprint
index 9553a492..ab96f7a6 100755
--- a/hooks/blueprint
+++ b/hooks/blueprint
@@ -63,8 +63,13 @@ fi
 ### Minimal injections required for Genesis compliance
 manifest+=( overlay/base.yml )
 
-### Overlay apps-domains/app_domains/apps_domain if not bare
-want_feature "bare" || manifest+=( "overlay/override-app-domains.yml" )
+### Set up some best practices if not bare
+if ! want_feature "bare" ; then
+  manifest+=( \
+    "overlay/override-app-domains.yml" \
+    "overlay/ten-year-ca-expiry.yml" \
+  )
+fi
 
 version=""
 abort=
@@ -287,14 +292,12 @@ for want in $GENESIS_REQUESTED_FEATURES; do
 
     local-postgres-db)
       databases+=( "$want" )
-      manifest+=( \
-        "cf-deployment/operations/use-postgres.yml" \
-      )
+      manifest+=( "cf-deployment/operations/use-postgres.yml" )
       ;;
 
     local-mysql-db)
       databases+=( "$want" )
-      # Default - no modifications needed
+      manifest+=( "overlay/local-mysql-db.yml" )
       ;;
 
 ###-----------------------------------------------------------------------------
diff --git a/overlay/base.yml b/overlay/base.yml
index 8a0f1c54..10d13d8a 100644
--- a/overlay/base.yml
+++ b/overlay/base.yml
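Review bot: The new `if ! want_feature "bare"` block leaves `bare` deployments on the CredHub default one-year CA duration, and neither the hunk nor the commit message tells an operator of a bare environment that every CA listed in the ten-year overlay will now expire after a year and has to be rotated before then. The header comment should record that trade-off where the decision is made, e.g. `### Set up some best practices if not bare (bare keeps the CredHub default 1y CA duration, so plan CA rotation)`. `want_feature` is defined outside this hunk, so its exit-status convention was not checked here.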
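Review bot: The `local-mysql-db` branch now appends `overlay/local-mysql-db.yml`, but the diffstat lists only three files and that overlay is not created by this patch, nor is it mentioned in the description; unless the file already exists in the repository, requesting `local-mysql-db` will presumably fail when the manifest is merged. Either drop `manifest+=( "overlay/local-mysql-db.yml" )` from this commit, since it is unrelated to the CA-expiry change, or add the overlay in the same patch and say so in the description. The enclosing `case` over `$GENESIS_REQUESTED_FEATURES` starts and ends outside the hunk.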
@@ -38,21 +38,3 @@ params:
   system_domain: (( concat "system." params.base_domain ))
   app_domains: (( grab meta.default_apps_domains meta.internal_app_domains ))
   apps_domain: (( grab params.app_domains[0] ))
-
-
-name: (( grab params.name ))
-
-# CAs should last 10 years instead of the default Credhub 1y
-variables:
-- { name: silk_ca, options: { duration: 3650 } }
-- { name: network_policy_ca, options: { duration: 3650 } }
-- { name: service_cf_internal_ca, options: { duration: 3650 } }
-- { name: loggregator_ca, options: { duration: 3650 } }
-- { name: log_cache_ca, options: { duration: 3650 } }
-- { name: router_ca, options: { duration: 3650 } }
-- { name: routing_api_ca, options: { duration: 3650 } }
-- { name: uaa_ca, options: { duration: 3650 } }
-- { name: application_ca, options: { duration: 3650 } }
-- { name: diego_instance_identity_ca, options: { duration: 3650 } }
-- { name: credhub_ca, options: { duration: 3650 } }
-- { name: metric_scraper_ca, options: { duration: 3650 } }
\ No newline at end of file
diff --git a/overlay/ten-year-ca-expiry.yml b/overlay/ten-year-ca-expiry.yml
new file mode 100644
index 00000000..5d8bb28e
--- /dev/null
+++ b/overlay/ten-year-ca-expiry.yml
@@ -0,0 +1,14 @@
+# CAs should last 10 years instead of the default Credhub 1y
+variables:
+- { name: silk_ca, options: { duration: 3650 } }
+- { name: network_policy_ca, options: { duration: 3650 } }
+- { name: service_cf_internal_ca, options: { duration: 3650 } }
+- { name: loggregator_ca, options: { duration: 3650 } }
+- { name: log_cache_ca, options: { duration: 3650 } }
+- { name: router_ca, options: { duration: 3650 } }
+- { name: routing_api_ca, options: { duration: 3650 } }
+- { name: uaa_ca, options: { duration: 3650 } }
+- { name: application_ca, options: { duration: 3650 } }
+- { name: diego_instance_identity_ca, options: { duration: 3650 } }
+- { name: credhub_ca, options: { duration: 3650 } }
+- { name: metric_scraper_ca, options: { duration: 3650 } }
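Review bot: The header comment `# CAs should last 10 years instead of the default Credhub 1y` does not say that, as I understand CredHub, `options.duration` only takes effect when the CA is generated, so an existing deployment that toggles `bare` keeps its already-issued CAs and their current expiry; and a ten-year CA means the signing key is trusted for a decade, so the file should point at how these CAs get rotated. Suggest adding `# Applied only at generation time: existing CAs keep their current expiry.` and `# Ten-year CAs are not rotated automatically; rotate via CredHub/BOSH as policy requires.` below the header. The list is also a fixed enumeration, so any CA variable upstream cf-deployment introduces later will silently keep the 1y default until this file is updated. Separately, `name: (( grab params.name ))` is removed from base.yml in this patch but not carried into this overlay or mentioned in the description; confirm the deployment name is still set elsewhere.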