From 283f9f081f890e5ffd20123a32466dbcdbd3af60 Mon Sep 17 00:00:00 2001 
From: "Wayne E. Seguin" Date: Wed, 14 Dec 2022 02:14:07 -0500 Subject: [PATCH] Ocfp (#211) [Major Improvement] * Added `ocfp` feature which encodes the opensource cloud foundry platform reference architecture. `ocfp` specifies that inputs for features come from vault. The reference architecture specifies the `network`, `vm_type`, `disk_type`, and `azs` based on `dev` vs `prod` environment scales. Naming scheme is entirely based on environment name, and is designed to work with the `ocfp-ops-scripts` `ocfp` cli in order to generate configs, initialize and test environments. * Support for dynamic isolation segments added. * `bosh-dns` is explicitly leveraged. * Features included by default: - `enable-service-discovery` - iaas specific external blobstores - external-db - autoscaler integration - app-scheduler integration - scs / spring cloud services integration - prometheus integration * Automatic overrides for inputs from vault for trusted certificates: - org (ex: company wide internal ca) - database cert (ex: rds) * Automatic overrides for included features for inputs to come from vault: - trust-blacksmith-ca - nfs-volume-services - smb-volume-services - stratos-integration [Improvements] * New addon hooks: - Spring Cloud Services (scs) - deploys scs to CF as a marketplace service. - stratos - Deploys stratos as the apps ui to CF. 
Co-authored-by: Dennis Bell Co-authored-by: ChrisMcGowan Co-authored-by: Benjamin Gandon Co-authored-by: DigitalEagle Co-authored-by: Chris Weibel --- hooks/addon | 115 +- hooks/addon-scs | 222 +++ hooks/addon-stratos | 127 ++ hooks/blueprint | 1564 ++++++++++------- hooks/features | 12 +- hooks/post-deploy | 42 +- hooks/pre-deploy | 4 + ocfp/aws/azs.yml | 46 + ocfp/aws/blobstore.yml | 16 + ocfp/aws/ocf.yml | 14 + ocfp/aws/windows.yml | 40 + ocfp/azure/azs.yml | 0 ocfp/azure/ocf.yml | 2 + ocfp/azure/windows.yml | 2 + ocfp/external-blobstore.yml | 9 + ocfp/external-db-prep.yml | 66 + ocfp/external-db.yml | 355 ++++ ocfp/gcp/azs.yml | 0 ocfp/gcp/ocf.yml | 2 + ocfp/gcp/windows.yml | 2 + ocfp/meta.yml | 23 + ocfp/nfs-ldap-data.yml | 30 + ocfp/nfs-ldap.yml | 18 + ocfp/ocfp.yml | 39 + ocfp/scale/dev.yml | 75 + ocfp/scale/prod.yml | 76 + ocfp/smb-broker.yml | 14 + ocfp/stratos.yml | 4 + ocfp/trust-blacksmith-ca.yml | 8 + ocfp/trusted-certs-windows.yml | 10 + ocfp/trusted-certs.yml | 16 + ocfp/vsphere/azs.yml | 0 ocfp/vsphere/ocf.yml | 2 + ocfp/vsphere/windows.yml | 2 + operations/diego-cells-networking.yml | 30 + operations/scale-to-three-azs.yml | 41 + overlay/addons/app-scheduler.yml | 3 +- overlay/addons/autoscaler.yml | 2 +- overlay/addons/nfs-ldap-config.yml | 26 + overlay/addons/nfs-ldap-tls.yml | 16 +- overlay/addons/scs.yml | 26 + overlay/addons/stratos.yml | 30 + overlay/addons/trust-blacksmith-ca.yml | 8 + overlay/addons/uaa-admin-client.yml | 4 + overlay/base.yml | 28 +- ...ation-segment-additional-trusted-certs.yml | 13 +- .../isolation-segment-dns-sd.yml | 26 + .../isolation-segment-network.yml | 4 +- .../isolation-segment-nfs-ldap-config.yml | 23 + .../isolation-segment-nfs-ldap-ocfp.yml | 28 + .../isolation-segment-nfs-ldap-tls.yml | 3 +- .../isolation-segment-nfs.yml | 3 +- .../isolation-segment-ocfp-trusted-certs.yml | 8 + .../dynamic-templates/isolation-segment.yml | 86 +- spec/results/isolation-segments-extended.yml | 311 +++- 
spec/results/isolation-segments.yml | 227 ++- 56 files changed, 3085 insertions(+), 818 deletions(-) create mode 100755 hooks/addon-scs create mode 100755 hooks/addon-stratos create mode 100644 ocfp/aws/azs.yml create mode 100644 ocfp/aws/blobstore.yml create mode 100644 ocfp/aws/ocf.yml create mode 100644 ocfp/aws/windows.yml create mode 100644 ocfp/azure/azs.yml create mode 100644 ocfp/azure/ocf.yml create mode 100644 ocfp/azure/windows.yml create mode 100644 ocfp/external-blobstore.yml create mode 100644 ocfp/external-db-prep.yml create mode 100644 ocfp/external-db.yml create mode 100644 ocfp/gcp/azs.yml create mode 100644 ocfp/gcp/ocf.yml create mode 100644 ocfp/gcp/windows.yml create mode 100644 ocfp/meta.yml create mode 100644 ocfp/nfs-ldap-data.yml create mode 100644 ocfp/nfs-ldap.yml create mode 100644 ocfp/ocfp.yml create mode 100644 ocfp/scale/dev.yml create mode 100644 ocfp/scale/prod.yml create mode 100644 ocfp/smb-broker.yml create mode 100644 ocfp/stratos.yml create mode 100644 ocfp/trust-blacksmith-ca.yml create mode 100644 ocfp/trusted-certs-windows.yml create mode 100644 ocfp/trusted-certs.yml create mode 100644 ocfp/vsphere/azs.yml create mode 100644 ocfp/vsphere/ocf.yml create mode 100644 ocfp/vsphere/windows.yml create mode 100644 operations/diego-cells-networking.yml create mode 100644 operations/scale-to-three-azs.yml create mode 100644 overlay/addons/nfs-ldap-config.yml create mode 100644 overlay/addons/scs.yml create mode 100644 overlay/addons/stratos.yml create mode 100644 overlay/addons/trust-blacksmith-ca.yml create mode 100644 overlay/addons/uaa-admin-client.yml create mode 100644 overlay/dynamic-templates/isolation-segment-dns-sd.yml create mode 100644 overlay/dynamic-templates/isolation-segment-nfs-ldap-config.yml create mode 100644 overlay/dynamic-templates/isolation-segment-nfs-ldap-ocfp.yml create mode 100644 overlay/dynamic-templates/isolation-segment-ocfp-trusted-certs.yml 
diff --git a/hooks/addon b/hooks/addon index f684ac2f..06e9d7f1 100755 --- a/hooks/addon +++ b/hooks/addon @@ -14,19 +14,20 @@ list() { echo echo " smoketest Run the smoke tests errand on the first vm in the" echo " api instance group." + echo + echo " stratos Deploy Stratos, the Cloud Foundry web console." + echo } - login() { if ! cf plugins | grep -q '^cf-targets'; then describe "#Y{The cf-targets plugin does not seem to be installed}" - echo "Install it first, via 'genesis do $GENESIS_ENVIRONMENT -- setup-cli'" + echo "Install it first, via 'genesis do $GENESIS_ENVIRONMENT -- setup-cli'" exit 1 fi - base="$(lookup params.base_domain)" - system_domain="$(lookup --exodus system_domain "system.$base")" - api_url=https://api.$system_domain + api_domain="$(exodus api_domain)" + api_url="https://${api_domain}" username="$(exodus admin_username)" password="$(exodus admin_password)" 
@@ -34,64 +35,56 @@ login() { cf api "$api_url" --skip-ssl-validation cf auth "$username" "$password" cf save-target -f "$GENESIS_ENVIRONMENT" - echo ; echo + echo -e "\n\n" cf target } case $GENESIS_ADDON_SCRIPT in -list) - list - exit 0 - ;; - -login) - login - exit 0 - ;; - -remigrate) - # Migrate the secrets - set -e - #shellcheck disable=SC1091 - source ./hooks/migrate-to-2.0 - validate_expected_vault_secrets - correct_x509_certs - migrate_credentials_to_credhub - ;; - -setup-cli) - - force=0 - while test $# -gt 0 ; do - case "$1" in - -f) force=1;; - -*) describe "#R{[ERROR]} Bad option $1: expecting -f" && exit 1 ;; - *) describe "#R{[ERROR]} setup-cli does not take any arguments" && exit 1;; - esac - shift - done - if ! cf list-plugin-repos | grep -q CF-Community; then - describe 'Adding #G{Cloud Foundry Community} plugins repository...' - cf add-plugin-repo CF-Community http://plugins.cloudfoundry.org - fi - if ! cf plugins | grep -q '^cf-targets'; then - describe 'Installing the #C{cf-targets} plugin...' - cmd=( cf install-plugin -r CF-Community Targets ) - if [[ "$force" == "1" ]] ; then - cmd+=( -f ) - fi - "${cmd[@]}" - fi - cf plugins - ;; - -smoketest) - "$GENESIS_BOSH_COMMAND" -e "$BOSH_ENVIRONMENT" -d "$BOSH_DEPLOYMENT" run-errand smoke_tests - ;; - -*) - echo "Unrecognized Cloud Foundry Genesis Kit addon." - list - exit 1 - ;; + (list) list ; exit 0 ;; + + (login) login ; exit 0 ;; + + (remigrate) + # Migrate the secrets + set -e + #shellcheck disable=SC1091 + source ./hooks/migrate-to-2.0 + validate_expected_vault_secrets + correct_x509_certs + migrate_credentials_to_credhub + ;; + + (setup-cli) + force=0 + while test $# -gt 0 ; do + case "$1" in + (-f) force=1;; + (-*) describe "#R{[ERROR]} Bad option $1: expecting -f" && exit 1 ;; + (*) describe "#R{[ERROR]} setup-cli does not take any arguments" && exit 1;; + esac + shift + done + if ! 
cf list-plugin-repos | grep -q CF-Community; then + describe 'Adding #G{Cloud Foundry Community} plugins repository...' + cf add-plugin-repo CF-Community http://plugins.cloudfoundry.org + fi + if ! cf plugins | grep -q '^cf-targets'; then + describe 'Installing the #C{cf-targets} plugin...' + cmd=( cf install-plugin -r CF-Community Targets ) + if [[ "$force" == "1" ]] ; then + cmd+=( -f ) + fi + "${cmd[@]}" + fi + cf plugins + ;; + + (smoketest) + "$GENESIS_BOSH_COMMAND" -e "$BOSH_ENVIRONMENT" -d "$BOSH_DEPLOYMENT" run-errand smoke_tests + ;; + + (*) run_extended_addon "$@" ;; # This will run the addon script in the + # $GENESIS_ADDON_SCRIPT file, if it exists. + # Ex: hooks/addon-stratos esac + diff --git a/hooks/addon-scs b/hooks/addon-scs new file mode 100755 index 00000000..f43f31de --- /dev/null +++ b/hooks/addon-scs 
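Review bot: The rewritten `setup-cli` branch still adds the plugin repository over plain HTTP, `cf add-plugin-repo CF-Community http://plugins.cloudfoundry.org`, so the plugin index and the `cf-targets` binary it resolves can be tampered with in transit before being installed on the operator's machine; the repository is reachable over TLS, so `cf add-plugin-repo CF-Community https://plugins.cloudfoundry.org` should be used. The `login` function at the top of this hunk (its body starts in the previous hunk) also keeps `cf api "$api_url" --skip-ssl-validation` while sending the admin credentials from `exodus`; a comment explaining why verification is disabled, or a way to turn it on for environments with trusted certificates, would be worth adding.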
@@ -0,0 +1,222 @@ +#!/bin/bash +set -eu + +fail() { echo "$@" >&2 ; exit 1; } + +fetch::uri() { + local url=$1 + curl --fail --silent --show-error --location --remote-name \ + --url "${url}" \ + || fail "Failed to download: ${url}" +} + +fetch::artifacts() { + mkdir artifacts + pushd artifacts + for uri in "${configserver_jar_uri}" "${registry_jar_uri}" + do fetch::uri "${uri}" + done + popd +} + +extract() { + case "${1}" in + (*.zip) unzip -o "${1}" ;; # unzip scs-*.zip + (*gz) tar zxf "${1}" ;; # extract scs-*gz + (*) fail "Unknown file type: ${1}" ;; + esac + rm ${1} +} + +exodus_path=$(lookup --partial "genesis.exodus_base") +system_api_domain="$(exodus api_domain)" +system_domain="$(exodus system_domain)" +cf_admin_username="$(exodus admin_username)" +cf_admin_password="$(exodus admin_password)" +apps_domain="$(exodus apps_domain)" + +org="system" +space="scs" +cf create-space -o "${org}" "${space}" +cf target -o "${org}" -s "${space}" + +scs_client=$(safe get ${exodus_path}:scs_client) +scs_client_secret=$(safe get ${exodus_path}:scs_secret) +scs_space_guid=$(cf space ${space} --guid) + +memory="256M" +disk="1048M" +buildpack="go_buildpack" +release_tag="Greenwich.SR3" +broker_uri="https://github.com/starkandwayne/scs-broker/archive/refs/tags/v0.0.2.tar.gz" +configserver_jar_uri="https://github.com/starkandwayne/cf-spring-cloud-config-server/releases/download/1.1.0/spring-cloud-config-server-1.1.0-2.5.14.SCS.3.1.37.jar" +registry_jar_uri="https://github.com/starkandwayne/scs-service-registry/releases/download/1.0.1-3.1.37/service-registry-1.0.1-3.1.37.jar" + +broker_name="scs-broker" +broker_old_name="scs-broker" +broker_auth_username=${BROKER_AUTH_USERNAME:-"admin"} +broker_auth_password=${BROKER_AUTH_PASSWORD:-"admin"} +skip_ssl_validation="true" +scs_broker_archive= # Default to downloading + +deploy=0 +register=0 + +while [[ $# > 0 ]] +do # Process opertor arguments + case "${1}" in + (run) shift ;; + (skip_ssl_validation) + skip_ssl_validation="${2}" + 
shift 2 || fail "Usage: ... skip_ssl_validation " + ;; + (memory) + memory="${2}" + shift 2 || fail "Usage: ... memory <#M>" + ;; + (disk) + disk="${2}" + shift 2 || fail "Usage: ... disk <#M>" + ;; + (buildpack) + buildpack="${2}" + shift 2 || fail "Usage: ... buildpack " + ;; + (release_tag) + release_tag="${2}" + shift 2 || fail "Usage: ... release_tag " + ;; + (broker_uri) + broker_uri="${2}" + shift 2 || fail "Usage: ... broker_uri " + ;; + (broker_username) + broker_auth_username="${2}" + shift 2 || fail "Usage: ... broker_username " + ;; + (broker_password) + broker_auth_password="${2}" + shift 2 || fail "Usage: ... broker_password " + ;; + (configserver_jar_uri) + configserver_jar_uri="${2}" + shift 2 || fail "Usage: ... configserver_jar_uri " + ;; + (registry_jar_uri) + registry_jar_uri="${2}" + shift 2 || fail "Usage: ... registry_jar_uri " + ;; + (deploy) + deploy=1 + shift + ;; + (register) + register=1 + shift + ;; + (*) + fail "Unknown argument: ${1}" + ;; + esac +done + +if [[ ${deploy} > 0 ]] +then + echo "Deploying SCS Broker" + + fetch::uri "${broker_uri}" + + extract $(basename "${broker_uri}") + + cd scs-broker-* + + fetch::artifacts + + cat > manifest.yml <<-APPMANIFEST +--- +applications: + - name: scs-broker + buildpack: ${buildpack} + memory: ${memory} + disk_quota: ${disk} + host: console + timeout: 180 + health-check-type: port + env: + GOPACKAGENAME: scs-broker + SCS_BROKER_CONFIG: |- + { + "broker_id": "${broker_name}", + "broker_name": "${broker_name}", + "description": "Broker to create SCS services", + "long_description": "Broker to create Spring Cloud Services (SCS) Config Servers or Service Registries", + "instance_domain": "${apps_domain}", + "instance_space_guid": "${scs_space_guid}", + "artifacts_directory": "/app/artifacts", + "broker_auth": { + "user": "${broker_auth_username}", + "password": $(jq --null-input --arg "val" "${broker_auth_password}" '$val') + }, + "cloud_foundry_config": { + "api_url": 
"https://${system_api_domain}", + "skip_ssl_validation": ${skip_ssl_validation}, + "cf_username": "${cf_admin_username}", + "cf_password": $(jq --null-input --arg "val" "${cf_admin_password}" '$val'), + "uaa_client_id": "${scs_client}", + "uaa_client_secret": "${scs_client_secret}" + }, + "services": [ + { + "service_id": "config-server", + "service_name": "config-server", + "service_plan_id": "default-cs", + "service_plan_name": "default", + "service_description": "Broker to create Config Servers", + "service_download_uri": "${configserver_jar_uri}" + }, + { + "service_id": "service-registry", + "service_name": "service-registry", + "service_plan_id": "default-sr", + "service_plan_name": "default", + "service_description": "Broker to create Service Registries", + "service_download_uri": "${registry_jar_uri}" + } + ] + } + +APPMANIFEST + + echo "Pushing SCS Broker..." + cf push -f "manifest.yml" + + echo <<-EOT +SCS service broker is now running, you should now be able to create a service, e.g.: +\t$ cf create-service config-server default test-service -c "{...whatever json configuration you wish to use for config-server - see config-server docs from Spring.io...}" +EOT +fi + +if [[ ${register} > 0 ]] +then + broker_is_registered=$( + cf curl "/v2/service_brokers" \ + | jq --raw-output \ + --arg "broker_name" "${broker_name}" \ + --arg "broker_old_name" "${broker_old_name}" \ + '.resources[].entity + | select(.name == $broker_name or .name == $broker_old_name) + | .name' + ) + broker_action="creat" + if [[ -n ${broker_is_registered} ]]; then + broker_action="updat" + fi + + echo "Registering SCS Broker" + echo "${broker_action^}ing the service broker..." + cf "${broker_action}e-service-broker" "${broker_name}" \ + "${broker_auth_username}" "${broker_auth_password}" \ + "https://scs-broker.${apps_domain}" +fi + +exit 0 diff --git a/hooks/addon-stratos b/hooks/addon-stratos new file mode 100755 index 00000000..e8bac063 --- /dev/null +++ b/hooks/addon-stratos 
@@ -0,0 +1,127 @@ +#!/bin/bash +set -eu + +stratos_version="4.4.0" + +exodus_path=$(lookup --partial genesis.exodus_base) + +system_api_domain="$(exodus api_domain)" + +secrets_mount=$(lookup genesis.secrets_mount) +vault_env=$(lookup genesis.env) + +case "${GENESIS_REQUESTED_FEATURES}" in + (*ocfp*) + echo "Looking up OCFP information from the manifest, this will take a few moments..." + tf_path=$(lookup --partial meta.ocfp.vault.tf) + secrets_mount=$(lookup --partial genesis.secrets_mount) + vault_env=$(lookup --partial genesis.vault_env) + env_path="${secrets_mount}${vault_env}" + + stratos_domain=$(safe get ${tf_path}/ocf/fqdns:stratos) + + echo "Looking up database credentials from vault at ${env_path}/stratos/db/stratos ..." + stratos_db_scheme=$( safe get ${env_path}/stratos/db/stratos:scheme) + stratos_db_hostname=$(safe get ${env_path}/stratos/db/stratos:hostname) + stratos_db_username=$(safe get ${env_path}/stratos/db/stratos:username) + stratos_db_password=$(safe get ${env_path}/stratos/db/stratos:password) + stratos_db_port=$( safe get ${env_path}/stratos/db/stratos:port) + stratos_db_database=$(safe get ${env_path}/stratos/db/stratos:database) + stratos_db_sslmode="verify-ca" + ;; + (*) + stratos_domain="console.$(exodus apps_domain)" + + stratos_db_scheme="postgres" + stratos_db_hostname=$(lookup params.db_hostname) + stratos_db_username=$(lookup params.db_username "stratos") + stratos_db_password=$(lookup params.db_password "stratos") + stratos_db_port=$( lookup params.db_port 5432) + stratos_db_database=$(lookup params.db_database "stratos") + stratos_db_sslmode=$( lookup params.db_sslmode "disabled") # verify-ca + ;; +esac + +stratos_session_store_sekret=$(echo $RANDOM | sha256sum | awk '{print $1}') + +stratos_client=$(safe get ${exodus_path}:stratos_client) +stratos_client_secret=$(safe get ${exodus_path}:stratos_secret) + +shift # run +create_sgs= +while [[ $# > 0 ]] +do + arg="$1" ; shift + case $arg in + (file) + file="$1" + shift || fail 
"Expected a filename after 'file'" + ;; + (sgs) + create_sgs=true + ;; + esac +done + + +if [[ -s "${1:-}" ]] ; then + shift + unzip -o "$1" +else + echo "Downloading Stratos ${stratos_version}..." + wget https://github.com/orange-cloudfoundry/stratos-ui-cf-packager/releases/download/${stratos_version}/stratos-ui-packaged.zip && + unzip -o stratos-ui-packaged.zip && rm stratos-ui-packaged.zip +fi + +cf create-space -o system stratos +cf target -o system -s stratos + +cf cups console_db_tls_verify_ca -p "$( cat <<-EOF +{ "uri": "${stratos_db_scheme}://", "username":"${stratos_db_username}", "password":"${stratos_db_password}", "hostname":"${stratos_db_hostname}", "port":"${stratos_db_port}", "dbname":"${stratos_db_database}", "sslmode":"${stratos_db_sslmode}" }' +EOF +)" || true + +if [[ -n ${create_sgs} ]] +then # Security group that allows to talk to VPC IP Range + cat > vpc-sg.json < manifest.yml <<-APPMANIFEST +--- +applications: + - name: apps + memory: 1512M + disk_quota: 1024M + host: console + timeout: 180 + buildpack: binary_buildpack + health-check-type: port + env: + CF_API_URL: https://${system_api_domain} + CF_CLIENT: ${stratos_client} + CF_CLIENT_SECRET: ${stratos_client_secret} + SESSION_STORE_SECRET: ${stratos_session_store_sekret} + SSO_OPTIONS: "nosplash, logout" + SSO_WHITELIST: "https://${stratos_domain}/*" + SSO_LOGIN: "true" + DB_SSL_MODE: "${stratos_db_sslmode}" + services: + - console_db_tls_verify_ca +APPMANIFEST + +cf push -f manifest.yml + diff --git a/hooks/blueprint b/hooks/blueprint index 63ea12ac..2eb57d88 100755 --- a/hooks/blueprint +++ b/hooks/blueprint 
@@ -1,39 +1,37 @@ #!/bin/bash -set -u -#Version check -min_version="2.7.0" -genesis_version="$(genesis -v 2>&1 | grep '^Genesis v' | sed -e 's/Genesis v\(.*\) (.*$/\1/')" -if ! [[ "$genesis_version" =~ -dev$ ]] && ! new_enough "$genesis_version" "$min_version" ; then - describe >&2 "" "#R{[ERROR]} This kit needs Genesis $min_version. Please upgrade before continuing" "" - exit 1 -fi -set -e + +################################################################################ +# Utility Functions +################################################################################ +warn() { warn=1 ; describe >&2 "#Y{[WARNING]} $(echo -e "$*")\n" ; } +abort() { abort=1 ; describe >&2 "#R{[ERROR]} $(echo -e "$*")\n" ; } +fail() { bail "#R{[ERROR]} $(echo -e "$*")\n" ; exit 1 ; } switch_cf_version() { describe >&2 "" \ "- #y{Experimental Feature Enabled:} Custom cf-deployment version: $version" cfd_file="$GENESIS_ROOT/.genesis/kits/addons/cf-deployment-${version}.tar.gz" - if ! [[ -f "$cfd_file" ]] ; then - # Download + cfd_url="https://github.com/cloudfoundry/cf-deployment/archive/v${version}.tar.gz" + if ! [[ -s "${cfd_file}" ]] + then describe >&2 \ " #i{Fetching cf-deployment-${version} release from cloudfoundry/cf-deployment}" \ " #i{on github.com}" - mkdir -p "$GENESIS_ROOT/.genesis/kits/addons/" - curl -sSL -o "$cfd_file" "https://github.com/cloudfoundry/cf-deployment/archive/v${version}.tar.gz" > /dev/null - if ! 
[[ -f "$cfd_file" ]] ; then - describe >&2 "" \ - " #R{[ERROR]} Failed to download cf-deployment v$version -- cannot continue" "" - exit 1 - fi + + mkdir -p "${GENESIS_ROOT}/.genesis/kits/addons/" + + curl -sSL -o "${cfd_file}" "${cfd_url}" > /dev/null + + [[ -s "${cfd_file}" ]] || + fail "Failed to download cf-deployment v${version} -- cannot continue" + topdir="$(tar -ztf "$cfd_file" | awk '{print $NF}' | cut -d'/' -f1 | uniq)" - if [[ $topdir != "cf-deployment-$version" ]] ; then - describe >&2 "" \ - " #R{[ERROR]} Downloaded cf-deployment v$version doesn't look like a valid release -- cannot continue" "" + if [[ ${topdir} != "cf-deployment-${version}" ]] ; then + fail "Downloaded cf-deployment v${version} doesn't look like a valid release -- cannot continue" exit 1 fi else - describe >&2 \ - " #i{Using cached copy of cf-deployment-${version} release}" + describe >&2 " #i{Using cached copy of cf-deployment-${version} release}" fi rm -rf "./cf-deployment" 
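Review bot: The new header drops both `set -u` and `set -e` without re-enabling them anywhere in this hunk, so an unset variable or a failing command in `switch_cf_version` now continues silently unless strictness is restored further down, outside this hunk; if that is intended, a comment stating where it is restored would help. The Genesis minimum-version check is removed here with no note of where that guarantee moves, presumably to kit metadata. In the download path, `curl -sSL -o "${cfd_file}" "${cfd_url}"` lacks `--fail`, so an HTTP error body is written to the file and satisfies `[[ -s "${cfd_file}" ]]`, leaving the `topdir` comparison as the only thing catching a bad download; `hooks/addon-scs` in this same commit already uses `curl --fail --silent --show-error --location`, so `curl -fsSL -o "${cfd_file}" "${cfd_url}"` would be consistent. The `exit 1` after `fail "Downloaded cf-deployment ..."` is unreachable because `fail` already exits.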
@@ -42,707 +40,1005 @@ switch_cf_version() { echo >&2 } -generate_dynamic_isolation_segments() { - isolation_groups="$(echo "$1" | jq -r '.isolation_segments[] | .name')" +################################################################################ +# Go-Patch +################################################################################ +gopatch::replace() { + local _path="$1" _value="$2" + echo -e " - type: replace\n path: ${_path}\n value: ${_value}\n" +} - iso_seg_merges=(); - if ! want_feature "bare" || want_feature "partitioned-network" ; then - iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-network.yml ) +gopatch::remove() { + local _path="$1" + echo -e " - type: remove\n path: ${_path}\n" +} + +################################################################################ +# Dynamic Isolation Segments +################################################################################ +dynamic::isolation::segments() { + declare -a isolation_groups + declare -a iso_seg_merges + + iso_seg_merges=() + isolation_groups=($(echo "$1" | jq -r '.isolation_segments[] | .name')) + + if ! 
want_feature bare || want_feature partitioned-network + then iso_seg_merges+=( "overlay/dynamic-templates/isolation-segment-network.yml" ) fi - if want_feature "nfs-volume-services" ; then - iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs.yml ) - if want_feature "nfs-ldap" || want_feature "nfs-ldap-tls" ; then - iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs-ldap.yml ) - if want_feature "nfs-ldap-tls" ; then - iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml ) + + if want_feature nfs-volume-services + then + iso_seg_merges+=( "overlay/dynamic-templates/isolation-segment-nfs.yml" ) + + if want_feature nfs-ldap || want_feature nfs-ldap-tls + then + iso_seg_merges+=( "overlay/dynamic-templates/isolation-segment-nfs-ldap.yml" ) + + if want_feature nfs-ldap-tls + then iso_seg_merges+=( "overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml" ) + fi + + if want_feature ocfp + then + iso_seg_merges+=( + "overlay/dynamic-templates/isolation-segment-nfs-ldap-ocfp.yml" + "ocfp/nfs-ldap-data.yml" + ) fi fi fi - if want_feature "smb-volume-services" ; then - iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-smb.yml ) + + if want_feature smb-volume-services + then iso_seg_merges+=( "overlay/dynamic-templates/isolation-segment-smb.yml" ) fi - for group in $isolation_groups; do + if want_feature ocfp + then + iso_seg_merges+=( "ocfp/meta.yml" ) + if want_feature trust-blacksmith-ca + then iso_seg_merges+=( "ocfp/trust-blacksmith-ca.yml" ) + fi + fi + + for group in "${isolation_groups[@]}" + do additional_trusted_certs='' - if jq -e --arg v "$group" '.isolation_segments[] | select( .name == $v ) | .additional_trusted_certs//[] | length > 0' <<<"$1" &>/dev/null ; then - additional_trusted_certs='overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml' + if want_feature ocfp || jq -e --arg v "$group" \ + '.isolation_segments[] | select( .name == $v ) | .additional_trusted_certs//[] 
| length > 0' <<<"$1" &>/dev/null + then + additional_trusted_certs="$(dynamic::isolation::template::render "additional-trusted-certs" "$group")" + want_feature ocfp && + additional_trusted_certs+=" $(dynamic::isolation::template::render "ocfp-trusted-certs" "$group")" fi - dynamic_segment_fragment_file="overlay/dynamic/isolation_segments_$group.yml" - spruce merge --prune "meta" "overlay/dynamic-templates/isolation-segment.yml" \ - ${iso_seg_merges[@]+"${iso_seg_merges[@]}"} $additional_trusted_certs \ - <(echo "$1" | jq --arg v "$group" '.isolation_segments[] | select(.name == $v ) | {"meta": .}') \ + + dynamic_segment_fragment_file="overlay/dynamic/isolation-segments-$group.yml" + + spruce merge -m --prune meta \ + "overlay/dynamic-templates/isolation-segment.yml" \ + ${iso_seg_merges[@]+"${iso_seg_merges[@]}"} \ + ${additional_trusted_certs} \ + <(echo "$1" | sed -e 's#"(( *#"(( defer #g' | jq --arg v "$group" '.isolation_segments[] | select(.name == $v ) | {"meta": .}') \ <(echo '{"instance_groups": [ "((prepend))", "((defer append))" ]}') \ - > "$dynamic_segment_fragment_file" - echo "$dynamic_segment_fragment_file" + > "${dynamic_segment_fragment_file}" + + echo "${dynamic_segment_fragment_file}" + + dynamic::isolation::template::render "dns-sd" "$group" + + want_feature nfs-volume-services && want_feature ocfp && \ + dynamic::isolation::template::render "nfs-ldap-config" "$group" done } +dynamic::isolation::template::render() { + local _tmpl=$1 _name="$2" -### ============================================================================ -### Main -### ============================================================================ + local _srcdir='overlay/dynamic-templates' + local _dstdir='overlay/dynamic' + local _src="${_srcdir}/isolation-segment-${_tmpl}.yml" + local _dst="${_dstdir}/isolation-segment-${_name}-${_tmpl}.yml" -declare -a manifest + sed -e 's/{{segment-name}}/'"${_name}"'/g' < "${_src}" > "${_dst}" + echo "${_dst}" +} -### Base configuration 
with minimal injections required for Genesis compliance -manifest=( \ - "cf-deployment/cf-deployment.yml" \ - "overlay/base.yml" \ - "overlay/upstream_version.yml" \ -) +################################################################################ +# Dynamic Instance VM Types +################################################################################ +dynamic::instance::vm::types() { + instance_types="$( echo "$params" | + jq -r 'with_entries(if (.key|test("_vm_type$")) then {key: (.key|capture("(?.*)_vm_type$")|.k), value: .value} else empty end )|to_entries | .[] | "\(.key) \(.value)"' + )" -cpi="$(bosh_cpi)" || true + if [[ -n "$instance_types" ]] ; then + used='' + types_op_file="operations/dynamic/instance_types.yml" + echo "--- # Dynamically created instance type overrides" > "$types_op_file" + while read -r inst_grp type; do + case ${inst_grp} in + (errand|haproxy) + continue # dealt with elsewhere + ;; + (cell) + inst_grp="diego_cell" + warn "Translated: params.cell_vm_type => params.diego_cell_vm_type" + ;; + (diego) + inst_grp="scheduler" + warn "Translated: params.diego_vm_type => params.scheduler_vm_type" + ;; + (bbs) + inst_grp="diego_api" + warn "Translated: params.bbs_vm_type => params.diego_api_vm_type" + ;; + (loggregator) + inst_grp="log_api" + warn "Translated: params.loggregator_vm_type => params.log_api_vm_type" + ;; + (postgres) + inst_grp="database" + warn "Translated: params.postgres_vm_type => params.database_vm_type" + ;; + (blobstore) + inst_grp="singleton-blobstore" + warn "Translated: params.blobstore_vm_type => params.singleton_blobstore_vm_type" + ;; + (windows_diego_cell) + inst_grp="windows2019-cell" + warn "Translated: params.windows_diego_cell_vm_type => params.windows2019-cell_vm_type" + ;; + esac -### Minimal injections required for Genesis compliance -if ! 
want_feature "bare" || want_feature "partitioned-network" ; then - manifest+=( "operations/rename-network-and-deployment.yml" ) -else - manifest+=( "cf-deployment/operations/rename-network-and-deployment.yml" ) -fi + dashed_inst_grp="$(echo "$inst_grp" | tr _ -)" # convert any _ into - -### Set up some best practices if not bare -if ! want_feature "bare" ; then - manifest+=( \ - "overlay/identity.yml" \ - "overlay/override-app-domains.yml" \ - "overlay/ten-year-ca-expiry.yml" \ - "overlay/uaa-branding.yml" \ - ) + if [[ ! $dashed_inst_grp =~ ^(api|cc-worker|credhub|database|diego-(api|cell)|doppler|errand|haproxy|windows2019-cell|log-api|nats|rotate-cc-database-key|(tcp-)?router|scheduler|singleton-blobstore|smoke-tests|uaa)$ ]] + then + inst_grp="$dashed_inst_grp"; - # Change vm types - must be done before operations delete unused instance_types - if want_feature v1-vm-types ; then - manifest+=( "overlay/addons/v1-vm-types.yml" ) - fi + warn "Unknown instance group $inst_grp - this may be bug in your environment files." 
\ + "\n\tExpected instance groups are:" \ + "\n\tapi, cc-worker, credhub, database, diego-api, diego-cell, doppler," \ + "\n\terrand, haproxy, log-api, nats, rotate-cc-database-key, router, scheduler," \ + "\n\tsingleton-blobstore, smoke-tests, tcp-router, uaa, and windows2019-cell\n" + fi - # Deal with availability zones - has to be done to core instance groups - # before they potentially get removed by further features - if [[ $cpi == 'azure' ]] || want_feature "small-footprint" || \ - want_feature "cf-deployment/operations/scale-to-one-az"; then - manifest+=( \ - "cf-deployment/operations/scale-to-one-az.yml" \ - "operations/scale-to-one-az.yml" \ - ) + gopatch::replace "/instance_groups/name=${dashed_inst_grp}/vm_type" "${type}" \ + >> "$types_op_file" + + used="$(echo "$used"; echo "$dashed_inst_grp")" + + done < <(echo "$instance_types") + errand_vm_type="$(echo "$params" | jq -r '.errand_vm_type//""')" + if [[ -n "$errand_vm_type" ]] + then # Deal with errand meta-type + for errand_name in smoke-tests rotate-cc-database-key + do + if ! 
echo "$used" | grep "^$errand_name\$" &>/dev/null + then + gopatch::replace "/instance_groups/name=${errand_name}/vm_type" \ + "${errand_vm_type}" >> "$types_op_file" + + used="$(echo "$used";echo "$errand_name")" + fi + done + fi + + dups="$(echo "$used"|sort|uniq -d)"; + + [[ -z "$dups" ]] || + fail "Instance vm types specified (or translated as) multiple times:" "$dups" + + manifests+=( "$types_op_file" ) fi - manifest+=( "operations/custom-azs.yml" ) +} - # Temporary override of specific releases - keep but leave empty when upstream catches up - manifest+=( "overlay/override-releases/static.yml" ) +################################################################################ +# Dynamic Instance Counts +################################################################################ +dynamic::instance::counts() { + instance_group_counts="$( echo "$params" | + jq -r 'with_entries(if (.key | test("_instances$")) then { key: (.key | capture("(?.*)_instances$") | .k), value: .value } else empty end) | to_entries | .[] | "\(.key) \(.value)"' + )" -fi + if [[ -n "$instance_group_counts" ]] ; then + used='' + counts_opsfile="operations/dynamic/instance_counts.yml" -version="" -abort= -warn= -db_specified= -declare -a features; features=() + echo "--- # Dynamically created instance counts" > "$counts_opsfile" -opsdir="ops" -[[ -n "${PREVIOUS_ENV:-}" ]] && opsdir=".genesis/cached/${PREVIOUS_ENV}/$opsdir" + while read -r inst_grp count; do + case ${inst_grp} in + (errand|haproxy) + continue # dealt with elsewhere + ;; + (cell) + inst_grp="diego_cell" + warn "Translated: params.cell_instances => params.diego_cell_instances" + ;; + (diego) + inst_grp="scheduler" + warn "Translated: params.diego_instances => params.scheduler_instances" + ;; + (bbs) + inst_grp="diego_api" + warn "Translated: params.bbs_instances => params.diego_api_instances" + ;; + (loggregator) + inst_grp="log_api" + warn "Translated: params.loggregator_instances => params.log_api_instances" + ;; + 
(postgres) + inst_grp="database" + warn "Translated: params.postgres_instances => params.database_instances" + ;; + (blobstore) + inst_grp="singleton-blobstore" + warn "Translated: params.blobstore_instances => params.singleton_blobstore_instances" + ;; + (windows_diego_cell) + inst_grp="windows2019-cell" + warn "Translated: params.windows_diego_cell_instances => params.windows2019-cell_instances" + ;; + esac -for want in $GENESIS_REQUESTED_FEATURES; do - if [[ "$want" =~ ^cf-deployment-version- ]] ; then - # Check if explicit verison of cf-deployment is requested - [[ -z "$version" ]] || bail "#R{[ERROR]} You cannot specify more than one cf-deployment-version-* feature" - version="${want#"cf-deployment-version-"}" - else + dashed_inst_grp="$(echo "$inst_grp" | tr _ -)" # convert any _ into - + + if [[ ! $dashed_inst_grp =~ ^(api|cc-worker|credhub|database|diego-(api|cell)|doppler|errand|haproxy|log-api|nats|windows2019-cell|rotate-cc-database-key|(tcp-)?router|scheduler|singleton-blobstore|smoke-tests|uaa)$ ]] + then + inst_grp="$dashed_inst_grp"; + + warn \ + "Unknown instance group $inst_grp - this may be bug in your environment files." \ + "\n\tExpected instance groups are:" \ + "\n\t\tapi, cc-worker, credhub, database, diego-api, diego-cell, doppler," \ + "\n\t\terrand, haproxy, log-api, nats, rotate-cc-database-key, router, scheduler," \ + "\n\t\tsingleton-blobstore, smoke-tests, tcp-router, and uaa" "" + fi + + gopatch::replace "/instance_groups/name=${dashed_inst_grp}?/instances" \ + "${count}" >> "$counts_opsfile" + + used="$(echo "$used"; echo "$dashed_inst_grp")" + done < <(echo "$instance_group_counts") + + errand_instances="$(echo "$params" | jq -r '.errand_instances//""')" + + if [[ -n "$errand_instances" ]] + then # Deal with errand meta-type + for errand_name in smoke-tests rotate-cc-database-key + do + if ! 
echo "$used" | grep "^$errand_name\$" &>/dev/null + then + gopatch::replace "/instance_groups/name=${errand_name}?/instances" \ + "${errand_instances}" >> "$counts_opsfile" + + used="$(echo "$used"; echo "$errand_name")" + fi + done + fi + + dups="$(echo "$used" | sort | uniq -d)"; + if [[ -n "$dups" ]] ; then + fail "Instance counts specified (or translated as) multiple times:" "$dups" + fi + + manifests+=( "$counts_opsfile" ) + fi +} + +################################################################################ +# Features Validation +################################################################################ +features::validate() { + for want in $GENESIS_REQUESTED_FEATURES; do # Validate requrested features case "$want" in - shield-dbs|shield-blobstores) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{$want} feature has been deprecated, in favor of BOSH add-ons" - ;; - omit-haproxy|local-blobstore|blobstore-webdav|container-routing-integrity|routing-api|loggregator-forwarder-agent) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{$want} feature is now the default behaviour and doesn't need" \ - " to be specified in the environment file" - ;; - blobstore-aws|blobstore-azure|blobstore-gcp) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{$want} feature has been renamed to #c{${want#blobstore-}-blobstore}" - features+=( "${want#blobstore-}-blobstore" ) - ;; - db-external-mysql|db-external-postgres) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{$want} flag has been renamed to #c{${want#db-external-}-db}" - features+=( "${want#db-external-}-db" ) - ;; - db-internal-postgres|local-db) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{$want} flag has been renamed to #c{local-postgres-db}" - db_specified=1 - features+=( "local-postgres-db" ) - ;; - haproxy-tls) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{haproxy-tls} feature flag has been deprecated." \ - " Please replace it with the #c{haproxy} and #c{tls} flags." 
- features+=( "haproxy" "tls" ) - ;; - haproxy-self-signed) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{haproxy-self-signed} feature flag has been deprecated." \ - " Please replace it with the #c{haproxy} and #c{self-signed} flags." - features+=( "haproxy" "self-signed" ) - ;; - haproxy-notls) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{haproxy-notls} feature flag has been deprecated." \ - " Please replace it with the #c{haproxy} feature flag." \ - " You are HIGHLY ENCOURAGED to also add the #c{tls} flag." - features+=( "haproxy" ) - ;; - minimum-vms) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The 'minimum-vms' feature flag has been renamed to 'small-footprint'" - features+=( "small-footprint" ) - ;; - azure) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{azure} feature does not have to be specified, as it will" \ - " automatically be applied when deploying via an Azure CPI" - ;; - cflinuxfs2) - abort=1 - describe >&2 \ - "#Y{[ERROR]} The #c{cflinuxfs2} feature is no longer able to be supported." - ;; - local-ha-db) - abort=1 - describe >&2 \ - "#R{[ERROR]} The #c{local-ha-db} feature is no longer able to be supported. Consider using" \ - " external database for high-availability." - ;; - autoscaler|autoscaler-postgres) - abort=1 - describe >&2 \ - "#R{[ERROR]} The #c{$want} feature is no longer embedded in the #c{cf} kit. Please see the" \ - " cf-app-autoscaler genesis kit." - ;; - native-garden-runc) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{$want} feature is no longer supported; it has been replaced by the" \ - " upstream #c{cf-deployment/operations/experimental/use-native-garden-runc-runner}" \ - " feature." - features+=( "cf-deployment/operations/experimental/use-native-garden-runc-runner" ) - ;; - app-bosh-dns|dns-service-discovery) - warn=1 - describe >&2 \ - "#Y{[WARNING]} The #c{$want} feature is no longer supported; it has been replaced by the" \ - " upstream #c{cf-deployment/operations/enable-service-discovery} feature." 
- #features+=( "cf-deployment/operations/enable-service-discovery" ) - features+=( "enable-service-discovery" ) #FIXME once spruce can go-patch over (( grabs )) - ;; - cf-deployment/operations/enable-service-discovery) - if ! want_feature "bare" ; then - features+=( "enable-service-discovery" ) #FIXME remove once spruce can go-patch over (( grabs )) - fi - ;; - compiled-releases) - want_feature "cf-deployment/operations/use-compiled-releases" || features+=( "compiled-releases" ) - ;; - small-footprint|cf-deployment/operations/scale-to-one-az) - # dealt with above, but kept for interoperability checks with other features - features+=( "small-footprint" ); - ;; - nfs-volume-services|cf-deployments/operations/enable-nfs-volume-services) features+=( "nfs-volume-services" ) ;; - smb-volume-services|cf-deployments/operations/enable-smb-volume-services) features+=( "smb-volume-services" ) ;; - nfs-ldap|nfs-ldap-tls|cf-deployments/operations/enable-nfs-ldap) - if ! want_feature 'nfs-volume-services' && ! 
want_feature "cf-deployments/operations/enable-nfs-volume-services" ; then - abort=1 - describe >&2 \ - "#R[ERROR]} Feature #c{$want} cannot be specified without feature #c{nfs-volume-services}" - fi - if [[ $want == "nfs-ldap-tls" ]] ; then - features+=( "nfs-ldap-tls" ) - else - features+=( "nfs-ldap" ) - fi - ;; - local-postgres-db|local-mysql-db|mysql-db|postgres-db) db_specified=1; features+=( "$want" ) ;; - bare|partitioned-network|haproxy|tls|no-nats-tls|self-signed|isolation-segments) features+=( "$want" ) ;; - minio-blobstore|aws-blobstore|aws-blobstore-iam|azure-blobstore|gcp-blobstore|gcp-use-access-key) features+=( "$want" ) ;; - enable-service-discovery|ssh-proxy-on-routers|no-tcp-routers) features+=( "$want" ) ;; - app-scheduler-integration|app-autoscaler-integration|prometheus-integration|v2-nats-credentials) features+=( "$want" ) ;; - windows-diego-cells) features+=( "$want" ) ;; - +migrated-v1-env|+override-db-names) features+=( "$want" ) ;; - v1-vm-types|no-v1-vm-types) - : # no-op, dealt with above - ;; - cf-deployment/*) - if [[ -f "$want.yml" ]] ; then + (cf-deployment-version-*) # Check if explicit verison of cf-deployment is requested + [[ -z "$version" ]] || + fail "You cannot specify more than one cf-deployment-version-* feature" + version="${want#"cf-deployment-version-"}" + break + ;; + (shield-dbs|shield-blobstores) + warn "The #c{$want} feature has been deprecated, in favor of BOSH add-ons" + ;; + (omit-haproxy|local-blobstore|blobstore-webdav|container-routing-integrity|routing-api|loggregator-forwarder-agent) + warn "The #c{$want} feature is now the default behaviour and doesn't need" \ + "\n\tto be specified in the environment file" + ;; + (blobstore-aws|blobstore-azure|blobstore-gcp) + warn "The #c{$want} feature has been renamed to #c{${want#blobstore-}-blobstore}" + features+=( "${want#blobstore-}-blobstore" ) + ;; + (db-external-mysql|db-external-postgres) + warn "The #c{$want} flag has been renamed to 
#c{${want#db-external-}-db}" + features+=( "${want#db-external-}-db" ) + ;; + (db-internal-postgres|local-db) + warn "The #c{$want} flag has been renamed to #c{local-postgres-db}" + features+=( "local-postgres-db" ) + db_specified=1 + ;; + (haproxy-tls) + warn "The #c{haproxy-tls} feature flag has been deprecated." \ + "\n\tPlease replace it with the #c{haproxy} and #c{tls} flags." + features+=( "haproxy" "tls" ) + ;; + (haproxy-self-signed) + warn "The #c{haproxy-self-signed} feature flag has been deprecated." \ + "\n\tPlease replace it with the #c{haproxy} and #c{self-signed} flags." + features+=( "haproxy" "self-signed" ) + ;; + (haproxy-notls) + warn "The #c{haproxy-notls} feature flag has been deprecated." \ + "\n\tPlease replace it with the #c{haproxy} feature flag." \ + "\n\tYou are HIGHLY ENCOURAGED to also add the #c{tls} flag." + features+=( "haproxy" ) + ;; + (minimum-vms) + warn "The 'minimum-vms' feature flag has been renamed to 'small-footprint'" + features+=( "small-footprint" ) + ;; + (azure) + warn "The #c{azure} feature does not have to be specified, as it will" \ + " automatically be applied when deploying via an Azure CPI" + ;; + (cflinuxfs2) + abort "The #c{cflinuxfs2} feature is no longer able to be supported." + ;; + (local-ha-db) + abort "The #c{local-ha-db} feature is no longer able to be supported." \ + "\n\tConsider using external database for high-availability." + ;; + (autoscaler|autoscaler-postgres) + abort "The #c{$want} feature is no longer embedded in the #c{cf} kit." \ + "\n\tPlease see the cf-app-autoscaler genesis kit." + ;; + (native-garden-runc) + warn "The #c{$want} feature is no longer supported; it is replaced by the upstream" \ + "\n\t#c{cf-deployment/operations/experimental/use-native-garden-runc-runner} feature." 
+ features+=( "cf-deployment/operations/experimental/use-native-garden-runc-runner" ) + ;; + (app-bosh-dns|dns-service-discovery) + warn "The #c{$want} feature is no longer supported; it has been replaced by the" \ + "\n\tupstream #c{cf-deployment/operations/enable-service-discovery} feature." + #features+=( "cf-deployment/operations/enable-service-discovery" ) + features+=( "enable-service-discovery" ) #FIXME once spruce can go-patch over (( grabs )) + ;; + (cf-deployment/operations/enable-service-discovery) + if ! want_feature "bare" ; then + features+=( "enable-service-discovery" ) #FIXME remove once spruce can go-patch over (( grabs )) + fi + ;; + (compiled-releases) + want_feature "cf-deployment/operations/use-compiled-releases" || features+=( "compiled-releases" ) + ;; + (small-footprint|cf-deployment/operations/scale-to-one-az) + # dealt with above, but kept for interoperability checks with other features + features+=( "small-footprint" ); + ;; + (nfs-volume-services|cf-deployments/operations/enable-nfs-volume-services) + features+=( "nfs-volume-services" ) + ;; + (smb-volume-services|cf-deployments/operations/enable-smb-volume-services) + features+=( "smb-volume-services" ) + ;; + (nfs-ldap|nfs-ldap-tls|cf-deployments/operations/enable-nfs-ldap) + if ! want_feature 'nfs-volume-services' && + ! want_feature "cf-deployments/operations/enable-nfs-volume-services" + then abort "Feature #c{$want} cannot be specified without feature #c{nfs-volume-services}" + fi features+=( "$want" ) - else - abort=1 - describe >&2 \ - "#R[ERROR]} #c{$want} is not an upstream operation -- see cf-deployment for valid operations." - fi - ;; - *) - if [[ -f "$GENESIS_ROOT/${opsdir}/$want.yml" || -f "$GENESIS_ROOT/ops/$want.yml" ]] ; then + ;; + (local-postgres-db|local-mysql-db|mysql-db|postgres-db) features+=( "$want" ) - else - abort=1 - describe >&2 \ - "#R{[ERROR]} The #c{$want} feature is not supported. See the manual for list" \ - " of valid features." 
- fi - ;; + db_specified=1; + ;; + (bare|partitioned-network|haproxy|tls|no-nats-tls|self-signed|isolation-segments) + features+=( "$want" ) + ;; + (minio-blobstore|aws-blobstore|aws-blobstore-iam|azure-blobstore|gcp-blobstore) + if want_feature ocfp + then abort "Cannot specify blobstore with ocfp feature. \n\tWith ocfp feature blobstore specifies you." + fi + features+=( "$want" ) + ;; + (gcp-use-access-key) + features+=( "$want" ) + ;; + (enable-service-discovery|ssh-proxy-on-routers|no-tcp-routers) + features+=( "$want" ) + ;; + (blacksmith-integration|trust-blacksmith-ca|app-scheduler-integration|app-autoscaler-integration|prometheus-integration|stratos-integration|v2-nats-credentials) + features+=( "$want" ) + ;; + (windows-diego-cells) + features+=( "$want" ) + ;; + (+migrated-v1-env|+override-db-names) + features+=( "$want" ) + ;; + (v1-vm-types|no-v1-vm-types) + true # no-op, dealt with above + ;; + (uaa-admin-client) + features+=( "$want" ) + ;; + (cf-deployment/*) + if [[ -f "$want.yml" ]] + then features+=( "$want" ) + else + abort "#c{$want} was not found in upstream files." \ + "\n\tSee cf-deployment for valid ops files." + fi + ;; + (ocfp) + features+=( + "enable-service-discovery" + "$want" + ) + + want_feature uaa-admin-client || + features+=( "uaa-admin-client" ) + ;; + (*) + if [[ -f "$GENESIS_ROOT/${opsdir}/$want.yml" || + -f "$GENESIS_ROOT/ops/$want.yml" ]] + then features+=( "$want" ) + else + abort "The #c{$want} feature is not supported, see MANUAL.md for valid features." + fi + ;; + esac + done + + if want_feature ocfp ; then + case $cpi in + (aws|azure|gcp) features+=( "${iaas}-blobstore" ) ;; + (vsphere) features+=( "minio-blobstore" ) ;; + (*) abort "Blobstores are not supported on #c{${iaas}} yet." ;; esac fi -done -[[ "$abort" == "1" ]] && bail "#R{Cannot continue} - fix your #C{$GENESIS_ENVIRONMENT.yml} file to resolve these issues." 
-[[ "$warn" == "1" ]] && describe >&2 "" "Update your #C{$GENESIS_ENVIRONMENT.yml} file to remove these warnings." "" + [[ -z "$db_specified" ]] && ! want_feature 'bare' && + features+=( "local-postgres-db" ) -[[ -n $version ]] && switch_cf_version "$version" -[[ -z "$db_specified" ]] && ! want_feature 'bare' && features+=( "local-postgres-db" ) + [[ "$abort" == "1" ]] && + fail "#R{Cannot continue} - fix the #C{$GENESIS_ENVIRONMENT.yml} file." -if [[ "${#features[@]}" -gt 0 ]] ; then - GENESIS_REQUESTED_FEATURES="${features[*]}" -else - GENESIS_REQUESTED_FEATURES="" -fi -declare -a blobstores; blobstores=() -declare -a databases; databases=() + [[ "$warn" == "1" ]] && + warn "Adjust your #C{$GENESIS_ENVIRONMENT.yml} file to remove warnings." +} -if want_feature "+migrated-v1-env" || want_feature "azure-blobstore" || want_feature 'minio-blobstore' || want_feature 'aws-blobstore' || want_feature 'gcp-blobstore' ; then - want_feature 'bare' && bail "Cannot have #C{bare} feature when migrating from v1" - manifest+=( "overlay/blobstore/meta.yml" ) -fi +################################################################################ +# Features Processing Setup +################################################################################ +features::setup() { + # Minimal injections required for Genesis compliance + if ! want_feature "bare" || want_feature "partitioned-network" ; then + manifests+=( "operations/rename-network-and-deployment.yml" ) + else + manifests+=( "cf-deployment/operations/rename-network-and-deployment.yml" ) + fi -params="$(lookup "params" "{}")" -has_availability_zones="$(jq -r '.|has("availability_zones")' <(echo "$params"))" -randomize_az_placement="$(jq -r '.randomize_az_placement//false' <(echo "$params"))" + # Set up some best practices if not bare + if ! 
want_feature "bare" ; then + manifests+=( + "overlay/identity.yml" + "overlay/override-app-domains.yml" + "overlay/ten-year-ca-expiry.yml" + "overlay/uaa-branding.yml" + ) -for want in $GENESIS_REQUESTED_FEATURES; do - if [[ $want =~ cf-deployment/.* ]] ; then - if [[ -f "$want.yml" ]] ; then - manifest+=( "$want.yml" ) - else - bail "#R[ERROR]} Kit $GENESIS_KIT_NAME/$GENESIS_KIT_VERSION does not support the $want feature" "" + # Change vm types - must be done before operations delete unused instance_types + if want_feature v1-vm-types ; then + manifests+=( "overlay/addons/v1-vm-types.yml" ) fi - elif [[ -f "$GENESIS_ROOT/${opsdir}/$want.yml" ]] ; then - manifest+=( "$GENESIS_ROOT/${opsdir}/$want.yml" ) - elif [[ -f "$GENESIS_ROOT/ops/$want.yml" ]] ; then - manifest+=( "$GENESIS_ROOT/ops/$want.yml" ) - else - case "$want" in - ###----------------------------------------------------------------------------- - ## Blobstore - # - azure-blobstore) - blobstores+=( "$want" ) - manifest+=( \ - "overlay/blobstore/external.yml" \ - "overlay/blobstore/azure.yml" \ - "cf-deployment/operations/use-external-blobstore.yml" \ - "cf-deployment/operations/use-azure-storage-blobstore.yml" \ + # Deal with availability zones - has to be done to core instance groups + # before they potentially get removed by further features + if [[ $cpi == 'azure' ]] || want_feature "small-footprint" || + want_feature "cf-deployment/operations/scale-to-one-az" + then + manifests+=( + "cf-deployment/operations/scale-to-one-az.yml" + "operations/scale-to-one-az.yml" ) - ;; - aws-blobstore|aws-blobstore-iam) - blobstores+=( "$want" ) - manifest+=( \ - "overlay/blobstore/external.yml" \ - "overlay/blobstore/aws.yml" \ - "cf-deployment/operations/use-external-blobstore.yml" \ - ) - want_feature "aws-blobstore-iam" && \ - manifest+=( "overlay/blobstore/aws-iam.yml" ) - ;; - minio-blobstore) - blobstores+=( "$want" ) - manifest+=( \ - "overlay/blobstore/external.yml" \ - "overlay/blobstore/minio.yml" \ - 
"cf-deployment/operations/use-external-blobstore.yml" \ - ) - ;; - gcp-blobstore) - blobstores+=( "$want" ) - if want_feature gcp-use-access-key ; then - manifest+=( \ + fi + manifests+=( "operations/custom-azs.yml" ) + + # Temporary override of specific releases - keep but leave empty when upstream catches up + manifests+=( "overlay/override-releases/static.yml" ) + fi +} + +################################################################################ +# Version 1 features check +################################################################################ +features::v1::check() { + if want_feature "+migrated-v1-env" || want_feature "azure-blobstore" || + want_feature 'minio-blobstore' || want_feature 'aws-blobstore' || + want_feature 'gcp-blobstore' + then + want_feature 'bare' && + fail "Cannot have #C{bare} feature when migrating from v1" + + manifests+=( "overlay/blobstore/meta.yml" ) + fi +} + +################################################################################ +# Process Requested Features +################################################################################ +features::process() { + for want in $GENESIS_REQUESTED_FEATURES; do + case "$want" in + ############################################################################ + # Blobstore + ############################################################################ + (azure-blobstore) + blobstores+=( "$want" ) + manifests+=( \ "overlay/blobstore/external.yml" \ + "overlay/blobstore/azure.yml" \ "cf-deployment/operations/use-external-blobstore.yml" \ - "cf-deployment/operations/use-gcs-blobstore-access-key.yml" \ + "cf-deployment/operations/use-azure-storage-blobstore.yml" \ ) - else - manifest+=( \ + ;; + (aws-blobstore|aws-blobstore-iam) + blobstores+=( "$want" ) + manifests+=( \ "overlay/blobstore/external.yml" \ + "overlay/blobstore/aws.yml" \ "cf-deployment/operations/use-external-blobstore.yml" \ - "cf-deployment/operations/use-gcs-blobstore-service-account.yml" \ ) - fi - ;; 
- - ###----------------------------------------------------------------------------- - ## Database - # - - mysql-db|postgres-db) - databases+=( "$want" ) - manifest+=( \ - "cf-deployment/operations/use-external-dbs.yml" \ - "operations/use-external-dbs-ports.yml" \ - "overlay/db/external.yml" \ - "overlay/db/external-${want%-db}.yml" \ - ) - ;; - - local-postgres-db) - databases+=( "$want" ) - manifest+=( "cf-deployment/operations/use-postgres.yml" ) - if want_feature '+override-db-names' ; then - manifest+=( \ - "operations/db-override-names.yml" \ - "operations/db-override-postgres-names.yml" \ - "overlay/db/internal-overrides.yml" \ + want_feature "aws-blobstore-iam" && \ + manifests+=( "overlay/blobstore/aws-iam.yml" ) + ;; + (minio-blobstore) + blobstores+=( "$want" ) + manifests+=( \ + "overlay/blobstore/external.yml" \ + "overlay/blobstore/minio.yml" \ + "cf-deployment/operations/use-external-blobstore.yml" \ ) - if want_feature '+migrated-v1-env' ; then - manifest+=( "overlay/addons/migration-db-override-names.yml" ) + ;; + (gcp-blobstore) + blobstores+=( "$want" ) + if want_feature gcp-use-access-key ; then + manifests+=( \ + "overlay/blobstore/external.yml" \ + "cf-deployment/operations/use-external-blobstore.yml" \ + "cf-deployment/operations/use-gcs-blobstore-access-key.yml" \ + ) + else + manifests+=( \ + "overlay/blobstore/external.yml" \ + "cf-deployment/operations/use-external-blobstore.yml" \ + "cf-deployment/operations/use-gcs-blobstore-service-account.yml" \ + ) fi - fi - ;; - - local-mysql-db) - databases+=( "$want" ) - manifest+=( "overlay/db/local-mysql-db.yml" ) - if want_feature '+override-db-names' ; then - manifest+=( \ - "operations/db-override-names.yml" \ - "operations/db-override-mysql-names.yml" \ - "overlay/db/internal-overrides.yml" \ + ;; + + ############################################################################ + # Database + ############################################################################ + 
(mysql-db|postgres-db) + databases+=( "$want" ) + manifests+=( + "cf-deployment/operations/use-external-dbs.yml" + "operations/use-external-dbs-ports.yml" + "overlay/db/external.yml" + "overlay/db/external-${want%-db}.yml" ) - if want_feature '+migrated-v1-env' ; then - manifest+=( "overlay/addons/migration-db-override-names.yml" ) + ;; + + (local-postgres-db) + databases+=( "$want" ) + manifests+=( "cf-deployment/operations/use-postgres.yml" ) + if want_feature '+override-db-names'; then + manifests+=( + "operations/db-override-names.yml" + "operations/db-override-postgres-names.yml" + "overlay/db/internal-overrides.yml" + ) + if want_feature '+migrated-v1-env' ; then + manifests+=( "overlay/addons/migration-db-override-names.yml" ) + fi fi - fi - ;; - - ###----------------------------------------------------------------------------- - ## Addons - # - - compiled-releases) - manifest+=( \ - "cf-deployment/operations/use-compiled-releases.yml" \ - "overlay/override-releases/compiled.yml" - ) ;; - small-footprint) - : ;; # already dealt with - nfs-volume-services) - manifest+=( \ - "cf-deployment/operations/enable-nfs-volume-service.yml" \ - ) - if ! 
want_feature "bare" ; then - manifest+=( \ - "overlay/addons/nfs-volume-service.yml" \ - ) - fi - if want_feature "nfs-ldap" || want_feature "nfs-ldap-tls" ; then - manifest+=( \ - "cf-deployment/operations/enable-nfs-ldap.yml" \ - "overlay/addons/nfs-ldap.yml" \ - ) - if want_feature "nfs-ldap-tls"; then - manifest+=( overlay/addons/nfs-ldap-tls.yml ) - # If user provided their own nfs-ldap-ca path, delete the default - if jq <<<"$params" -e '."nfs-ldap-ca-cert-ca"' &> /dev/null ; then - remove_unused_secret_ops_file="operations/dynamic/remove-unused-nfs-ldap-ca-cert.yml" - cat < "$remove_unused_secret_ops_file" -- type: remove - path: /variables/name=nfs-ldap-ca-cert -EOF - manifest+=( "$remove_unused_secret_ops_file" ) + ;; + + (local-mysql-db) + databases+=( "$want" ) + manifests+=( "overlay/db/local-mysql-db.yml" ) + if want_feature '+override-db-names' ; then + manifests+=( + "operations/db-override-names.yml" + "operations/db-override-mysql-names.yml" + "overlay/db/internal-overrides.yml" + ) + if want_feature '+migrated-v1-env' ; then + manifests+=( "overlay/addons/migration-db-override-names.yml" ) fi fi - fi - ;; - smb-volume-services) - manifest+=( \ - "cf-deployment/operations/enable-smb-volume-service.yml" \ - ) - if ! 
want_feature "bare" ; then - manifest+=( \ - "overlay/addons/smb-volume-service.yml" \ - ) - fi - ;; - enable-service-discovery) - manifest+=( "overlay/enable-service-discovery.yml" ) ;; - app-autoscaler-integration) - manifest+=( "overlay/addons/autoscaler.yml" ) ;; - app-scheduler-integration) - manifest+=( "overlay/addons/app-scheduler.yml" ) ;; - prometheus-integration) - manifest+=( "overlay/addons/prometheus.yml" ) ;; - ssh-proxy-on-routers) - manifest+=( "overlay/addons/ssh-proxy-on-routers.yml" ) ;; - no-tcp-routers) - manifest+=( "overlay/addons/no-tcp-routers.yml" ) ;; - windows-diego-cells) - manifest+=( \ - "cf-deployment/operations/windows2019-cell.yml" \ - "cf-deployment/operations/use-online-windows2019fs.yml" \ - "cf-deployment/operations/use-latest-windows2019-stemcell.yml" \ - "overlay/override-releases/static-windows.yml" \ - ) - if want_feature "compiled-releases"; then - manifest+=( \ - "cf-deployment/operations/experimental/use-compiled-releases-windows.yml" \ - "overlay/override-releases/compiled-windows.yml" \ + ;; + + ############################################################################ + # Addons + ############################################################################ + (compiled-releases) + manifests+=( + "cf-deployment/operations/use-compiled-releases.yml" + "overlay/override-releases/compiled.yml" ) - fi - if ! want_feature "bare" ; then - manifest+=( \ - "overlay/windows.yml" \ + ;; + (small-footprint) + true + ;; # already dealt with + (nfs-volume-services) + manifests+=( "cf-deployment/operations/enable-nfs-volume-service.yml" ) + + if ! 
want_feature "bare" ; then + manifests+=( "overlay/addons/nfs-volume-service.yml" ) + fi + + if want_feature "nfs-ldap" || want_feature "nfs-ldap-tls" ; then + manifests+=( + "cf-deployment/operations/enable-nfs-ldap.yml" + "overlay/addons/nfs-ldap.yml" + ) + if want_feature ocfp + then manifests+=( "overlay/addons/nfs-ldap-config.yml" ) + fi + + if want_feature "nfs-ldap-tls"; then + manifests+=( "overlay/addons/nfs-ldap-tls.yml" ) + # If user provided their own nfs-ldap-ca path, delete the default + if jq <<<"$params" -e '."nfs-ldap-ca-cert-ca"' &> /dev/null + then + remove_unused_variables_opsfile="operations/dynamic/remove-unused-nfs-ldap-ca-cert.yml" + { + echo -e "--- # Remove unused variabels\n" + gopatch::remove "/variables/name=nfs-ldap-ca-cert" + } > "$remove_unused_variables_opsfile" + + manifests+=( "$remove_unused_variables_opsfile" ) + fi + fi + fi + ;; + (smb-volume-services) + manifests+=( "cf-deployment/operations/enable-smb-volume-service.yml" ) + if ! want_feature "bare" ; then + manifests+=( "overlay/addons/smb-volume-service.yml" ) + fi + ;; + (enable-service-discovery) + manifests+=( "overlay/enable-service-discovery.yml" ) + ;; + (trust-blacksmith-ca) + manifests+=( "overlay/addons/trust-blacksmith-ca.yml" ) + if want_feature ocfp + then manifests+=( "ocfp/trust-blacksmith-ca.yml" ) + fi + ;; + (app-autoscaler-integration) + manifests+=( "overlay/addons/autoscaler.yml" ) + ;; + (app-scheduler-integration) + manifests+=( "overlay/addons/app-scheduler.yml" ) + ;; + (scs-integration) + manifests+=( "overlay/addons/scs.yml" ) + ;; + (prometheus-integration) + manifests+=( "overlay/addons/prometheus.yml" ) + ;; + (stratos-integration) + manifests+=( "overlay/addons/stratos.yml" ) + ;; + (ssh-proxy-on-routers) + manifests+=( "overlay/addons/ssh-proxy-on-routers.yml" ) + ;; + (no-tcp-routers) + manifests+=( "overlay/addons/no-tcp-routers.yml" ) + ;; + (windows-diego-cells) + manifests+=( + "cf-deployment/operations/windows2019-cell.yml" + 
"cf-deployment/operations/use-online-windows2019fs.yml" + "cf-deployment/operations/use-latest-windows2019-stemcell.yml" + "overlay/override-releases/static-windows.yml" ) - fi - ;; - isolation-segments) - while read -r segment; do - manifest+=( "${segment}" ) - done < <(generate_dynamic_isolation_segments "$params") - ;; - +migrated-v1-env) - manifest+=( "overlay/addons/migration.yml" ) ;; - esac + if want_feature "compiled-releases"; then + manifests+=( + "cf-deployment/operations/experimental/use-compiled-releases-windows.yml" + "overlay/override-releases/compiled-windows.yml" + ) + fi + + if ! want_feature "bare" ; then + manifests+=( "overlay/windows.yml") + fi + ;; + (isolation-segments) + # process outside of base features so that base features can be called within iso segs + true + ;; - ###----------------------------------------------------------------------------- - ## HAProxy - # + (uaa-admin-client) + manifests+=( "overlay/addons/uaa-admin-client.yml" ) + ;; + (+migrated-v1-env) + manifests+=( "overlay/addons/migration.yml" ) + ;; + (*) + if [[ $want =~ cf-deployment/.* ]] ; then + if [[ -s "$want.yml" ]] ; then + manifests+=( "$want.yml" ) + else + fail "Kit $GENESIS_KIT_NAME/$GENESIS_KIT_VERSION does not support the '$want' feature." 
+ fi + elif [[ -s "$GENESIS_ROOT/${opsdir}/$want.yml" ]] ; then + if want_feature ocfp + then + opsfiles+=( "$GENESIS_ROOT/${opsdir}/$want.yml" ) + else + manifests+=( "$GENESIS_ROOT/${opsdir}/$want.yml" ) + fi + elif [[ -s "$GENESIS_ROOT/ops/$want.yml" ]] ; then + if want_feature ocfp + then + opsfiles+=( "$GENESIS_ROOT/ops/$want.yml" ) + else + manifests+=( "$GENESIS_ROOT/ops/$want.yml" ) + fi + fi + ;; + esac + + ############################################################################ + # HAProxy + ############################################################################ if [[ "$want" == "haproxy" ]]; then - manifest+=( "overlay/routing/haproxy.yml" ) - if jq -e '(.cf_lb_network // "") != ""' <(echo "$params") &>/dev/null; then - manifest+=( "overlay/routing/haproxy-public-network.yml" ) + manifests+=( "overlay/routing/haproxy.yml" ) + + if jq -e '(.cf_lb_network // "") != ""' <(echo "$params") &>/dev/null + then manifests+=( "overlay/routing/haproxy-public-network.yml" ) fi + if want_feature "tls"; then - manifest+=( "overlay/routing/haproxy-tls.yml" ) + manifests+=( "overlay/routing/haproxy-tls.yml" ) if ! 
want_feature "self-signed"; then - manifest+=( "overlay/routing/haproxy-provided-cert.yml" ) + manifests+=( "overlay/routing/haproxy-provided-cert.yml" ) fi fi - want_feature "small-footprint" && manifest+=( "overlay/routing/haproxy-small-footprint.yml" ) - fi - - fi -done -if [[ "${#blobstores[@]}" -gt 1 ]] ; then - bail "#R{[ERROR]} Too many blobstores selected; pick only one of: ${blobstores[*]}" -fi -if [[ "${#databases[@]}" -gt 1 ]] ; then - bail "#R{[ERROR]} Too many databases selected; pick only one of: ${databases[*]}" -fi + want_feature "small-footprint" && + manifests+=( "overlay/routing/haproxy-small-footprint.yml" ) + fi + done -if [[ "$has_availability_zones" == 'true' || "$randomize_az_placement" == 'true' ]] ; then - if want_feature "bare"; then - bail "#R{[ERROR]} #M{params.availibility_zones} and #M{params.randomize_az_placement} are not compatible" \ - " with features #C{bare}." + if (( "${#blobstores[@]}" > 1 )) + then fail "Too many blobstores selected; pick only one of: ${blobstores[*]}" fi -fi -if ! want_feature "bare" ; then - want_feature "no-nats-tls" || manifest+=( "overlay/nats-tls.yml" ) - if want_feature '+migrated-v1-env' && ! want_feature 'v2-nats-credentials'; then - manifest+=( "overlay/addons/migration-v1-nats-credentials.yml" ) - want_feature "no-nats-tls" || manifest+=( "overlay/addons/migration-v1-nats-credentials-tls.yml" ) + if (( "${#databases[@]}" > 1 )) + then fail "Too many databases selected; pick only one of: ${databases[*]}" fi - # Handle ssl validation - skip_ssl_validation="$(jq -r '.skip_ssl_validation' <(echo "$params"))" - if [[ "$skip_ssl_validation" == 'false' ]] ; then - if ! 
want_feature "cf-deployment/operations/stop-skipping-tls-validation"; then - manifest+=( "cf-deployment/operations/stop-skipping-tls-validation" ) + if [[ "$has_availability_zones" == 'true' || "$randomize_az_placement" == 'true' ]] + then + if want_feature "bare"; then + fail "#M{params.availibility_zones} and #M{params.randomize_az_placement}" \ + "\n\tare not compatible with feature '#C{bare}'." fi fi - if [[ "${#databases}" == 0 ]]; then - manifest+=( "cf-deployment/operations/use-postgres.yml" ) - fi + if ! want_feature "bare" + then + want_feature "no-nats-tls" || + manifests+=( "overlay/nats-tls.yml" ) - ###----------------------------------------------------------------------------- - ## IaaS - # - - # Deal with IaaS peculiarities - case "$cpi" in - azure) - # TODO: if this turns out needed, we may re-introduce `azure` feature to include it when bare is specified - if [[ "$has_availability_zones" == 'true' || "$randomize_az_placement" == 'true' ]] ; then - bail "#R{[ERROR]} #M{params.availibility_zones} and #M{params.randomize_az_placement} are not compatible" \ - " with deployments to Azure infrastructure." + if want_feature '+migrated-v1-env' && ! 
want_feature 'v2-nats-credentials' + then + manifests+=( "overlay/addons/migration-v1-nats-credentials.yml" ) + + want_feature "no-nats-tls" || + manifests+=( "overlay/addons/migration-v1-nats-credentials-tls.yml" ) fi - manifest+=( \ - "cf-deployment/operations/azure.yml" - "overlay/azure_availability_sets.yml" \ - ) - ;; - warden) - manifest+=( "cf-deployment/operations/bosh-lite.yml" ) - ;; - esac - - ###----------------------------------------------------------------------------- - ## Dynamic instance counts - # - instance_group_counts="$( - echo "$params" | \ - jq -r 'with_entries(if (.key|test("_instances$")) then {key: (.key|capture("(?.*)_instances$")|.k), value: .value} else empty end )|to_entries | .[] | "\(.key) \(.value)"' \ - )" - if [[ -n "$instance_group_counts" ]] ; then - used='' - counts_op_file="operations/dynamic/instance_counts.yml" - echo "--- # Dynamically created instance count overrides" > "$counts_op_file" - while read -r inst_grp count; do - [[ $inst_grp == "errand" ]] && continue # dealt with above - [[ $inst_grp == "haproxy" ]] && continue # dealt with elsewhere - [[ $inst_grp == "cell" ]] && inst_grp="diego_cell" && echo >&2 "WARNING: params.cell_instances has been translated as params.diego_cell_instances"; - [[ $inst_grp == "diego" ]] && inst_grp="scheduler" && echo >&2 "WARNING: params.diego_instances has been translated as params.scheduler_instances"; - [[ $inst_grp == "bbs" ]] && inst_grp="diego_api" && echo >&2 "WARNING: params.bbs_instances has been translated as params.diego_api_instances"; - [[ $inst_grp == "loggregator" ]] && inst_grp="log_api" && echo >&2 "WARNING: params.loggregator_instances has been translated as params.log_api_instances"; - [[ $inst_grp == "postgres" ]] && inst_grp="database" && echo >&2 "WARNING: params.postgres_instances has been translated as params.database_instances"; - [[ $inst_grp == "blobstore" ]] && inst_grp="singleton-blobstore" && echo >&2 "WARNING: params.blobstore_instances has been 
translated as params.singleton_blobstore_instances"; - [[ $inst_grp == "windows_diego_cell" ]] && inst_grp="windows2019-cell" && echo >&2 "WARNING: params.windows_diego_cell_instances has been translated as params.windows2019-cell_instances"; - dashed_inst_grp="$(echo "$inst_grp" | tr _ -)" # convert any _ into - - found='' - if [[ $dashed_inst_grp =~ ^(api|cc-worker|credhub|database|diego-(api|cell)|doppler|errand|haproxy|log-api|nats|windows2019-cell|rotate-cc-database-key|(tcp-)?router|scheduler|singleton-blobstore|smoke-tests|uaa)$ ]] ; then - inst_grp="$dashed_inst_grp"; - found=1 + skip_ssl_validation="$(jq -r '.skip_ssl_validation' <(echo "$params"))" + if [[ "$skip_ssl_validation" == 'false' ]] ; then + if ! want_feature "cf-deployment/operations/stop-skipping-tls-validation" + then manifests+=( "cf-deployment/operations/stop-skipping-tls-validation" ) fi - cat <> "$counts_op_file" - - type: replace - path: /instance_groups/name=${inst_grp}/instances - value: ${count} -EOF - used="$(echo "$used"; echo "$inst_grp")" - if [[ -z "$found" ]] ; then - describe >&2 \ - "#R{[WARNING]} Unknown instance group $inst_grp - this may be bug in your environment files." \ - " Expected instance groups are:" \ - " api, cc-worker, credhub, database, diego-api, diego-cell, doppler," \ - " errand, haproxy, log-api, nats, rotate-cc-database-key, router, scheduler," \ - " singleton-blobstore, smoke-tests, tcp-router, and uaa" "" - fi - done < <(echo "$instance_group_counts") + fi - # Deal with errand meta-type - errand_instances="$(echo "$params" | jq -r '.errand_instances//""')" - if [[ -n "$errand_instances" ]] ;then - for errand_name in smoke-tests rotate-cc-database-key ; do - if ! 
echo "$used" | grep "^$errand_name\$" &>/dev/null; then - cat <> "$counts_op_file" - - type: replace - path: /instance_groups/name=${errand_name}/instances - value: ${errand_instances} -EOF - used="$(echo "$used";echo "$errand_name")" - fi - done + if [[ "${#databases[@]}" == 0 ]] + then manifests+=( "cf-deployment/operations/use-postgres.yml" ) fi - # Check for dups - dups="$(echo "$used"|sort|uniq -d)"; - if [[ -n "$dups" ]] ; then - bail \ - "#R{[ERROR]} Instance counts specified (or translated as) multiple times:" "$dups" + ############################################################################## + # IaaS - Deal with IaaS peculiarities + ############################################################################## + case "$cpi" in + (azure) + # TODO: if this turns out needed, we may re-introduce `azure` feature to include it when bare is specified + if [[ "$has_availability_zones" == 'true' || "$randomize_az_placement" == 'true' ]] + then + fail "#M{params.availibility_zones} and #M{params.randomize_az_placement} are" \ + "\n\tnot compatible with deployments to Azure infrastructure." + fi + manifests+=( + "cf-deployment/operations/azure.yml" + "overlay/azure_availability_sets.yml" + ) + ;; + (warden) + manifests+=( "cf-deployment/operations/bosh-lite.yml" ) + ;; + esac + + dynamic::instance::counts + + dynamic::instance::vm::types + fi + + # Include the migration manifest fragments + version="$(exodus kit_version)" + if [[ -n "${version}" ]] && + ! new_enough "${version}" "2.0.0-rc0" + then + manifests+=( "operations/migrate/cells.yml") + if want_feature "local-postgres-db"; then # TODO: or postgres-db external?? 
+ manifests+=( "operations/migrate/postgres.yml" ) fi - manifest+=( "$counts_op_file" ) fi +} - ###----------------------------------------------------------------------------- - ## Dynamic instance vm types - # - instance_types="$( - echo "$params" | \ - jq -r 'with_entries(if (.key|test("_vm_type$")) then {key: (.key|capture("(?.*)_vm_type$")|.k), value: .value} else empty end )|to_entries | .[] | "\(.key) \(.value)"' \ - )" - if [[ -n "$instance_types" ]] ; then - used='' - types_op_file="operations/dynamic/instance_types.yml" - echo "--- # Dynamically created instance type overrides" > "$types_op_file" - while read -r inst_grp type; do - [[ $inst_grp == "errand" ]] && continue # dealt with below - [[ $inst_grp == "haproxy" ]] && continue # dealt with elsewhere - [[ $inst_grp == "cell" ]] && inst_grp="diego_cell" && echo >&2 "WARNING: params.cell_vm_type has been translated as params.diego_cell_vm_type"; - [[ $inst_grp == "diego" ]] && inst_grp="scheduler" && echo >&2 "WARNING: params.diego_vm_type has been translated as params.scheduler_vm_type"; - [[ $inst_grp == "bbs" ]] && inst_grp="diego_api" && echo >&2 "WARNING: params.bbs_vm_type has been translated as params.diego_api_vm_type"; - [[ $inst_grp == "loggregator" ]] && inst_grp="log_api" && echo >&2 "WARNING: params.loggregator_vm_type has been translated as params.log_api_vm_type"; - [[ $inst_grp == "postgres" ]] && inst_grp="database" && echo >&2 "WARNING: params.postgres_vm_type has been translated as params.database_vm_type"; - [[ $inst_grp == "blobstore" ]] && inst_grp="singleton-blobstore" && echo >&2 "WARNING: params.blobstore_vm_type has been translated as params.singleton_blobstore_vm_type"; - [[ $inst_grp == "windows_diego_cell" ]] && inst_grp="windows2019-cell" && echo >&2 "WARNING: params.windows_diego_cell_vm_type has been translated as params.windows2019-cell_vm_type"; +################################################################################ +# Isolation Segments Feature 
+################################################################################ +features::isos() { + want_feature isolation-segments || return 0 + manifests+=( "operations/diego-cells-networking.yml" ) - dashed_inst_grp="$(echo "$inst_grp" | tr _ -)" # convert any _ into - - found='' - if [[ $dashed_inst_grp =~ ^(api|cc-worker|credhub|database|diego-(api|cell)|doppler|errand|haproxy|windows2019-cell|log-api|nats|rotate-cc-database-key|(tcp-)?router|scheduler|singleton-blobstore|smoke-tests|uaa)$ ]] ; then - inst_grp="$dashed_inst_grp"; - found=1 - fi - cat <> "$types_op_file" - - type: replace - path: /instance_groups/name=${inst_grp}/vm_type - value: ${type} -EOF - used="$(echo "$used";echo "$inst_grp")" - if [[ -z "$found" ]] ; then - describe >&2 \ - "#R{[WARNING]} Unknown instance group $inst_grp - this may be bug in your environment files." \ - " Expected instance groups are:" \ - " api, cc-worker, credhub, database, diego-api, diego-cell, doppler," \ - " errand, haproxy, log-api, nats, rotate-cc-database-key, router, scheduler," \ - " singleton-blobstore, smoke-tests, tcp-router, uaa, and windows2019-cell" "" - fi - done < <(echo "$instance_types") + while read -r segment + do manifests+=( "${segment}" ) + done < <(dynamic::isolation::segments "$params") +} - # Deal with errand meta-type - errand_vm_type="$(echo "$params" | jq -r '.errand_vm_type//""')" - if [[ -n "$errand_vm_type" ]] ;then - for errand_name in smoke-tests rotate-cc-database-key ; do - if ! 
echo "$used" | grep "^$errand_name\$" &>/dev/null ; then - cat <> "$types_op_file" - - type: replace - path: /instance_groups/name=${errand_name}/vm_type - value: ${errand_vm_type} -EOF - used="$(echo "$used";echo "$errand_name")" - fi - done - fi +################################################################################ +# OCFP Features +################################################################################ +features::ocfp() { + want_feature ocfp || return 0 - # Check for dups - dups="$(echo "$used"|sort|uniq -d)"; - if [[ -n "$dups" ]] ; then - bail \ - "#R{[ERROR]} Instance vm types specified (or translated as) multiple times:" "$dups" - fi - manifest+=( "$types_op_file" ) + env_scale=$(lookup "params.ocfp_env_scale" "dev") + + manifests+=( + "overlay/addons/autoscaler.yml" + "overlay/addons/app-scheduler.yml" + "overlay/addons/scs.yml" + "overlay/addons/prometheus.yml" + "overlay/blobstore/meta.yml" + ) + + # OCFP Overrides + manifests+=( + "ocfp/meta.yml" + "ocfp/ocfp.yml" + "ocfp/external-db-prep.yml" + "ocfp/external-db.yml" + "ocfp/external-blobstore.yml" + "ocfp/trusted-certs.yml" + ) + + manifests+=( + "ocfp/${iaas}/ocf.yml" + "ocfp/${iaas}/azs.yml" + "ocfp/${iaas}/blobstore.yml" + ) + + if want_feature "windows-diego-cells" + then + manifests+=( + "ocfp/${iaas}/windows.yml" + "ocfp/trusted-certs-windows.yml" + ) fi + + manifests+=( "ocfp/scale/${env_scale}.yml" ) + + for want in "${GENESIS_REQUESTED_FEATURES[@]}" + do + case "${want}" in + (stratos-integration) + manifests+=( "ocfp/stratos.yml" ) + ;; + (nfs-volume-services) + manifests+=( "ocfp/nfs-ldap.yml" ) + manifests+=( "ocfp/nfs-ldap-data.yml" ) + ;; + (smb-volume-services) + manifests+=( "ocfp/smb-broker.yml" ) + ;; + (*) + true # Skip what we don't care about + ;; + esac + done +} + +################################################################################ +# Genesis Version Check +################################################################################ +set -ue 
+genesis_min_version="2.8.5" +genesis_version="$(genesis -v 2>&1 | awk '{gsub("v",""); print $2}')" +if ! [[ "${genesis_version}" =~ -dev$ ]] && + ! new_enough "${genesis_version}" "${genesis_min_version}" +then + fail "This kit needs at least Genesis '${genesis_min_version}'." \ + "\n\tPlease upgrade and try again." + exit 1 fi -# Include the migration manifest fragments -version="$(exodus kit_version)" -if [[ -n "${version}" ]] && ! new_enough "${version}" "2.0.0-rc0"; then - manifest+=( "operations/migrate/cells.yml") +################################################################################ +# Variables +################################################################################ +declare -a manifests; manifests=() +declare -a features; features=() +declare -a opsfiles; opsfiles=() +declare -a blobstores; blobstores=() +declare -a databases; databases=() - if want_feature "local-postgres-db"; then # TODO: or postgres-db external?? - manifest+=( "operations/migrate/postgres.yml" ) - fi - : +version="" +abort= +warn= +db_specified= +cpi="$(bosh_cpi)" || true +iaas="$cpi" +[[ $iaas == 'google' ]] && iaas='gcp' +opsdir="ops" +[[ -n "${PREVIOUS_ENV:-}" ]] && + opsdir=".genesis/cached/${PREVIOUS_ENV}/${opsdir}" + +# Base configuration with minimal injections required for Genesis compliance +manifests=( + "cf-deployment/cf-deployment.yml" + "overlay/base.yml" + "overlay/upstream_version.yml" +) + +[[ -n $version ]] && switch_cf_version "$version" + +params="$(lookup "params" "{}")" +has_availability_zones="$(jq -r '.|has("availability_zones")' <(echo "$params"))" +randomize_az_placement="$(jq -r '.randomize_az_placement//false' <(echo "$params"))" + +################################################################################ +# Features +################################################################################ +features::validate +features::setup + +if (( ${#features[@]} > 0 )) +then GENESIS_REQUESTED_FEATURES="${features[*]}" +else 
GENESIS_REQUESTED_FEATURES=""
+fi
+
+features::v1::check
+features::process
+features::isos # Then we process isolation segments
+features::ocfp # ocfp overrides base manifests
+
+if want_feature ocfp
+then manifests+=( ${opsfiles[@]+"${opsfiles[@]}"} ) # opsfiles override everything in ocfp arch
 fi
-echo "${manifest[@]}"
+echo "${manifests[@]}" # Finally, we print out the list of yamls to be merged
diff --git a/hooks/features b/hooks/features
index d763f0cc..b527a581 100755
--- a/hooks/features
+++ b/hooks/features
@@ -1,10 +1,10 @@
 #!/bin/bash
-for f in $GENESIS_REQUESTED_FEATURES ; do
- case $f in
- cf-deployment/operations/enable-nfs-volume-services) echo 'nfs-volume-services' ;;
- cf-deployment/operations/enable-nfs-lambda) echo 'nfs-lambda' ;;
- cf-deployment/operations/enable-smb-volume-services) echo 'smb-volume-services' ;;
- *) echo "$f" ;;
+for feature in $GENESIS_REQUESTED_FEATURES ; do
+ case $feature in
+ (cf-deployment/operations/enable-nfs-volume-services) echo "nfs-volume-services" ;;
+ (cf-deployment/operations/enable-nfs-lambda) echo "nfs-lambda" ;;
+ (cf-deployment/operations/enable-smb-volume-services) echo "smb-volume-services" ;;
+ (*) echo "$feature" ;;
 esac
 done
 db_overrides="$(lookup params 2>/dev/null | jq -r '. | keys| .[] | select(. | test("^(cc|uaa|diego|policyserver|silk|locket|routingapi|credhub)db_(name|user)$"))')"
diff --git a/hooks/post-deploy b/hooks/post-deploy
index 1863d5ed..2646ce72 100755
--- a/hooks/post-deploy
+++ b/hooks/post-deploy
@@ -1,22 +1,28 @@ #!/bin/bash set -eu -if [[ $GENESIS_DEPLOY_RC == 0 ]]; then - - echo; echo; - describe "#M{$GENESIS_ENVIRONMENT} Cloud Foundry deployed!" - echo - echo "For details about the deployment, run" - echo - describe " #G{$GENESIS_CALL info $GENESIS_ENVIRONMENT}" - echo - echo "To set up your local cf CLI installation with useful plugins:" - echo - describe " #G{$GENESIS_CALL do $GENESIS_ENVIRONMENT -- setup-cli}" - echo - echo "To log into Cloud Foundry, run" - echo - describe " #G{$GENESIS_CALL do $GENESIS_ENVIRONMENT -- login}" - echo - +if [[ $GENESIS_DEPLOY_RC == 0 ]] +then + describe \ + "" \ + "#M{$GENESIS_ENVIRONMENT} Cloud Foundry deployed!" \ + "" \ + "For details about the deployment, run" \ + "" \ + " #G{$GENESIS_CALL_ENV info}" \ + "" \ + "To see a list of available addons, run" \ + "" \ + " #G{$GENESIS_CALL_ENV do -- list}" \ + "" \ + "To set up your local cf CLI installation with useful plugins:" \ + "" \ + " #G{$GENESIS_CALL_ENV do -- setup-cli}" \ + "" \ + "To log into Cloud Foundry, run" \ + "" \ + " #G{$GENESIS_CALL_ENV do -- login}" \ + "" fi + +exit 0 diff --git a/hooks/pre-deploy b/hooks/pre-deploy index 6499028b..0d14c763 100755 --- a/hooks/pre-deploy +++ b/hooks/pre-deploy @@ -66,4 +66,8 @@ else fi [[ "$cc_ok" == "no" ]] && exit 1 + +echo + + exit 0 diff --git a/ocfp/aws/azs.yml b/ocfp/aws/azs.yml new file mode 100644 index 00000000..ce32f9d2 --- /dev/null +++ b/ocfp/aws/azs.yml 
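Review bot: The rewritten describe block switches every command hint from `$GENESIS_CALL ... $GENESIS_ENVIRONMENT` to `$GENESIS_CALL_ENV`, and this hook runs under `set -eu`, so on a Genesis that does not export `GENESIS_CALL_ENV` the post-deploy hook aborts with an unbound-variable error immediately after a successful deploy. The blueprint hunk in this same commit appears to add a minimum Genesis version check, which may be what guarantees the variable, but post-deploy carries no guard of its own and is the hook a user sees fail. A fallback such as `call_env="${GENESIS_CALL_ENV:-$GENESIS_CALL $GENESIS_ENVIRONMENT}"` used inside the strings would keep the hook working on older Genesis, or at minimum a one-line comment at the top stating `# requires Genesis >= <version that exports GENESIS_CALL_ENV>` so the dependency is visible.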
@@ -0,0 +1,46 @@
+---
+# 3 AZs
+- type: replace
+ path: /instance_groups/name=nats/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=diego-api/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=uaa/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=scheduler/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=diego-cell/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=router/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=api/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=cc-worker/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=doppler/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=log-api/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=tcp-router/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=credhub/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=rotate-cc-database-key?/azs
+ value: (( grab meta.ocfp.azs ))
+- type: replace
+ path: /instance_groups/name=smoke-tests/azs
+ value: (( grab meta.ocfp.azs ))
+
+
diff --git a/ocfp/aws/blobstore.yml b/ocfp/aws/blobstore.yml
new file mode 100644
index 00000000..c81d3cfd
--- /dev/null
+++ b/ocfp/aws/blobstore.yml
@@ -0,0 +1,16 @@
+---
+bosh-variables:
+ fog_connection:
+ provider: AWS
+ aws_access_key_id: (( grab params.blobstore_s3_access_key ))
+ aws_secret_access_key: (( grab params.blobstore_s3_secret_key ))
+ region: (( grab params.blobstore_s3_region ))
+
+# Per https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html a key cannot
+# contain upper case so override here to exclude upper case
+variables:
+- name: cc_directory_key
+ type: password
+ options:
+ exclude_upper: true
+
diff --git a/ocfp/aws/ocf.yml b/ocfp/aws/ocf.yml
new file mode 100644
index 00000000..9ae82c07
--- /dev/null
+++ b/ocfp/aws/ocf.yml
@@ -0,0 +1,14 @@
+---
+meta:
+ ocfp:
+ azs:
+ - (( concat genesis.env "-z1" ))
+ - (( concat genesis.env "-z2" ))
+ - (( concat genesis.env "-z3" ))
+---
+# OCFP Cloud Config accounts for larger ephemeral disks vvv
+- type: remove
+ path: /instance_groups/name=diego-cell/vm_extensions
+- type: remove
+ path: /instance_groups/name=api/vm_extensions
+
diff --git a/ocfp/aws/windows.yml b/ocfp/aws/windows.yml
new file mode 100644
index 00000000..7a5bef3d
--- /dev/null
+++ b/ocfp/aws/windows.yml
@@ -0,0 +1,40 @@
+---
+- type: replace
+ path: /instance_groups/name=windows2019-cell/networks
+ value:
+ - name: (( concat genesis.env "-ocf" ))
+
+- type: replace
+ path: /instance_groups/name=windows2019-cell/azs
+ value:
+ - (( concat genesis.env "-z1" ))
+ - (( concat genesis.env "-z2" ))
+ - (( concat genesis.env "-z3" ))
+
+- type: replace
+ path: /instance_groups/name=windows2019-cell/vm_type
+ value: (( grab params.windows_diego_cell_vm_type || "default" ))
+
+- type: replace
+ path: /instance_groups/name=windows2019-cell/instances
+ value: (( grab params.windows_diego_cell_instances || 1 ))
+
+- type: remove
+ path: /instance_groups/name=windows2019-cell/vm_extensions
+
+- type: remove
+ path: /instance_groups/name=smoke-tests-windows?
+
+#- type: replace
+# path: /instance_groups/name=smoke-tests-windows/networks
+# value:
+# - name: (( concat genesis.env "-ocf" ))
+#
+# path: /instance_groups/name=smoke-tests-windows/azs
+# value:
+# - (( concat genesis.env "-z1" ))
+#
+#- type: replace
+# path: /instance_groups/name=smoke-tests-windows/vm_type
+# value: (( grab params.errand_vm_type || "default" ))
+
diff --git a/ocfp/azure/azs.yml b/ocfp/azure/azs.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/ocfp/azure/ocf.yml b/ocfp/azure/ocf.yml
new file mode 100644
index 00000000..cd21505a
--- /dev/null
+++ b/ocfp/azure/ocf.yml
@@ -0,0 +1,2 @@
+---
+
diff --git a/ocfp/azure/windows.yml b/ocfp/azure/windows.yml
new file mode 100644
index 00000000..cd21505a
--- /dev/null
+++ b/ocfp/azure/windows.yml
@@ -0,0 +1,2 @@
+---
+
diff --git a/ocfp/external-blobstore.yml b/ocfp/external-blobstore.yml
new file mode 100644
index 00000000..72780f0d
--- /dev/null
+++ b/ocfp/external-blobstore.yml
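Review bot: The `windows2019-cell/azs` replace hard-codes the three `(( concat genesis.env "-zN" ))` entries that `ocfp/aws/ocf.yml` in this same commit already publishes as `meta.ocfp.azs`, and which `ocfp/aws/azs.yml` grabs for every Linux instance group, so any later change to the AZ list would have to be made in two files. Since `features::ocfp` in the blueprint merges `ocfp/${iaas}/ocf.yml` before `ocfp/${iaas}/windows.yml`, the literal list can become `value: (( grab meta.ocfp.azs ))` like the other groups. The commented-out `smoke-tests-windows` block at the bottom is dead text next to the `remove` of that instance group; either drop it or replace it with a one-line comment stating why the Windows smoke-test errand is removed under ocfp, so the next reader does not try to revive it.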
@@ -0,0 +1,9 @@
+---
+params:
+ blobstore_s3_region: (( vault meta.ocfp.vault.tf "/bosh/iaas/region:name" ))
+ blobstore_s3_access_key: (( vault meta.ocfp.vault.tf "/bosh/iam/s3:access_key" ))
+ blobstore_s3_secret_key: (( vault meta.ocfp.vault.tf "/bosh/iam/s3:secret_key" ))
+ blobstore_app_packages_directory: (( vault meta.ocfp.vault.tf "/blobstores/app_packages:name" ))
+ blobstore_buildpacks_directory: (( vault meta.ocfp.vault.tf "/blobstores/buildpacks:name" ))
+ blobstore_droplets_directory: (( vault meta.ocfp.vault.tf "/blobstores/droplets:name" ))
+ blobstore_resources_directory: (( vault meta.ocfp.vault.tf "/blobstores/resources:name" ))
diff --git a/ocfp/external-db-prep.yml b/ocfp/external-db-prep.yml
new file mode 100644
index 00000000..4f6355f7
--- /dev/null
+++ b/ocfp/external-db-prep.yml
@@ -0,0 +1,66 @@
+---
+# Remove MySQL
+- type: remove
+ path: /instance_groups/name=database?
+- type: remove
+ path: /releases/name=pxc?
+
+# Remove MySQL variables
+- type: remove
+ path: /variables/name=cf_mysql_mysql_admin_password?
+- type: remove
+ path: /variables/name=cf_mysql_mysql_cluster_health_password?
+- type: remove
+ path: /variables/name=cf_mysql_mysql_galera_healthcheck_endpoint_password?
+- type: remove
+ path: /variables/name=cf_mysql_mysql_galera_healthcheck_password?
+- type: remove
+ path: /variables/name=cf_mysql_proxy_api_password?
+- type: remove
+ path: /variables/name=network_policy_database_password?
+- type: remove
+ path: /variables/name=network_connectivity_database_password?
+- type: remove
+ path: /variables/name=routing_api_database_password?
+- type: remove
+ path: /variables/name=locket_database_password?
+- type: remove
+ path: /variables/name=cc_database_password?
+- type: remove
+ path: /variables/name=credhub_database_password?
+- type: remove
+ path: /variables/name=diego_database_password?
+- type: remove
+ path: /variables/name=uaa_database_password?
+- type: remove
+ path: /variables/name=pxc_galera_ca?
+- type: remove
+ path: /variables/name=pxc_server_ca?
+- type: remove
+ path: /variables/name=galera_server_certificate?
+- type: remove
+ path: /variables/name=mysql_server_certificate?
+
+# nil out database bosh links
+- type: replace
+ path: /instance_groups/name=uaa/jobs/name=uaa/consumes?
+ value: {database: nil}
+- type: replace
+ path: /instance_groups/name=api/jobs/name=cloud_controller_ng/consumes?
+ value: {database: nil}
+- type: replace
+ path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/consumes?
+ value: {database: nil}
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/consumes?
+ value: {database: nil}
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/consumes?
+ value: {database: nil}
+- type: replace
+ path: /instance_groups/name=diego-api/jobs/name=silk-controller/consumes?
+ value: {database: nil}
+- type: replace
+ path: /instance_groups/name=api/jobs/name=policy-server/consumes?
+ value: {database: nil}
+
diff --git a/ocfp/external-db.yml b/ocfp/external-db.yml
new file mode 100644
index 00000000..df761d48
--- /dev/null
+++ b/ocfp/external-db.yml
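Review bot: The `consumes? value: {database: nil}` block nils the database link for uaa, the four cloud_controller jobs, silk-controller and policy-server, but not for `bbs` and `locket` on diego-api, `routing-api` on api, or credhub, even though `ocfp/external-db.yml` in this commit points bbs and routing-api at external hosts. If any of those jobs also declares a `database` link consume in the cf-deployment version this kit pins (cf-deployment's own external-database ops file nils several of them, as far as I recall), the link would dangle once the `database` instance group is removed at the top of this file and the deploy would fail at link resolution; the omission should be either fixed or documented as intentional. A short comment above `# nil out database bosh links` naming which jobs consume the pxc link and why each entry is present would make this list auditable against future cf-deployment upgrades.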
@@ -0,0 +1,355 @@
+---
+meta:
+ db:
+ cc: # ccdb, cc-worker, cc-clock, cc-deployment-updater
+ scheme: (( vault meta.vault "/db/cloud_controller:scheme" ))
+ username: (( vault meta.vault "/db/cloud_controller:username" ))
+ password: (( vault meta.vault "/db/cloud_controller:password" ))
+ hostname: (( vault meta.vault "/db/cloud_controller:hostname" ))
+ port: 5432 # Components fail on strings so hardcoding this... :|
+ database: (( vault meta.vault "/db/cloud_controller:database" ))
+ ca: (( vault meta.vault "/db/cloud_controller:ca" ))
+ tls: true
+
+ credhub:
+ scheme: (( vault meta.vault "/db/credhub:scheme" ))
+ username: (( vault meta.vault "/db/credhub:username" ))
+ password: (( vault meta.vault "/db/credhub:password" ))
+ hostname: (( vault meta.vault "/db/credhub:hostname" ))
+ port: 5432 # Components fail on strings so hardcoding this... :|
+ database: (( vault meta.vault "/db/credhub:database" ))
+ ca: (( vault meta.vault "/db/credhub:ca" ))
+ tls: true
+
+ diego: # bbs
+ scheme: (( vault meta.vault "/db/diego:scheme" ))
+ username: (( vault meta.vault "/db/diego:username" ))
+ password: (( vault meta.vault "/db/diego:password" ))
+ hostname: (( vault meta.vault "/db/diego:hostname" ))
+ port: 5432 # Components fail on strings so hardcoding this... :|
+ database: (( vault meta.vault "/db/diego:database" ))
+ ca: (( vault meta.vault "/db/diego:ca" ))
+ tls: true
+
+ locket:
+ scheme: (( vault meta.vault "/db/locket:scheme" ))
+ username: (( vault meta.vault "/db/locket:username" ))
+ password: (( vault meta.vault "/db/locket:password" ))
+ hostname: (( vault meta.vault "/db/locket:hostname" ))
+ port: 5432 # Components fail on strings so hardcoding this...
:|
+ database: (( vault meta.vault "/db/locket:database" ))
+ ca: (( vault meta.vault "/db/locket:ca" ))
+ tls: true
+
+ network_connectivity: # silk
+ scheme: (( vault meta.vault "/db/network_connectivity:scheme" ))
+ username: (( vault meta.vault "/db/network_connectivity:username" ))
+ password: (( vault meta.vault "/db/network_connectivity:password" ))
+ hostname: (( vault meta.vault "/db/network_connectivity:hostname" ))
+ port: 5432 # Components fail on strings so hardcoding this... :|
+ database: (( vault meta.vault "/db/network_connectivity:database" ))
+ ca: (( vault meta.vault "/db/network_connectivity:ca" ))
+ tls: true
+
+ network_policy: # policy_server
+ scheme: (( vault meta.vault "/db/network_policy:scheme" ))
+ username: (( vault meta.vault "/db/network_policy:username" ))
+ password: (( vault meta.vault "/db/network_policy:password" ))
+ hostname: (( vault meta.vault "/db/network_policy:hostname" ))
+ port: 5432 # Components fail on strings so hardcoding this... :|
+ database: (( vault meta.vault "/db/network_policy:database" ))
+ ca: (( vault meta.vault "/db/network_policy:ca" ))
+ tls: true
+
+ routing_api:
+ scheme: (( vault meta.vault "/db/routing_api:scheme" ))
+ username: (( vault meta.vault "/db/routing_api:username" ))
+ password: (( vault meta.vault "/db/routing_api:password" ))
+ hostname: (( vault meta.vault "/db/routing_api:hostname" ))
+ port: 5432 # Components fail on strings so hardcoding this... :|
+ database: (( vault meta.vault "/db/routing_api:database" ))
+ ca: (( vault meta.vault "/db/routing_api:ca" ))
+ tls: true
+
+ uaa: # uaadb
+ scheme: "postgresql" # uaa is different than the rest that use 'postgres'
+ username: (( vault meta.vault "/db/uaa:username" ))
+ password: (( vault meta.vault "/db/uaa:password" ))
+ hostname: (( vault meta.vault "/db/uaa:hostname" ))
+ port: 5432 # Components fail on strings so hardcoding this...
:|
+ database: (( vault meta.vault "/db/uaa:database" ))
+ ca:
+ - (( vault meta.vault "/db/uaa:ca" ))
+ tls: "enabled"
+---
+# UAA
+- type: replace
+ path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaadb/db_scheme
+ value: (( grab meta.db.uaa.scheme ))
+- type: replace
+ path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaadb/port
+ value: (( grab meta.db.uaa.port ))
+- type: replace
+ path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaadb/databases/tag=uaa/name
+ value: (( grab meta.db.uaa.database ))
+- type: replace
+ path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaadb/address?
+ value: (( grab meta.db.uaa.hostname ))
+- type: replace
+ path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaadb/roles/name=uaa/password
+ value: (( grab meta.db.uaa.password ))
+- type: replace
+ path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaadb/roles/name=uaa/name
+ value: (( grab meta.db.uaa.username ))
+- type: replace
+ path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa?/ca_certs/-
+ value: (( join "" meta.db.uaa.ca ))
+- type: replace
+ path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaadb/tls?
+ value: (( grab meta.db.uaa.tls ))
+
+# API - Cloud Controller
+- type: replace
+ path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/ccdb/db_scheme
+ value: (( grab meta.db.cc.scheme ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/ccdb/port
+ value: (( grab meta.db.cc.port ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/ccdb/databases/tag=cc/name
+ value: (( grab meta.db.cc.database ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/ccdb/address?
+ value: (( grab meta.db.cc.hostname ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/ccdb/roles/name=cloud_controller/password
+ value: (( grab meta.db.cc.password ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/ccdb/roles/name=cloud_controller/name
+ value: (( grab meta.db.cc.username ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/ccdb/ca_cert?
+ value: (( grab meta.db.cc.ca ))
+
+# Cloud Controller Worker
+- type: replace
+ path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/ccdb/db_scheme
+ value: (( grab meta.db.cc.scheme ))
+- type: replace
+ path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/ccdb/port
+ value: (( grab meta.db.cc.port ))
+- type: replace
+ path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/ccdb/databases/tag=cc/name
+ value: (( grab meta.db.cc.database ))
+- type: replace
+ path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/ccdb/address?
+ value: (( grab meta.db.cc.hostname ))
+- type: replace
+ path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/ccdb/roles/name=cloud_controller/password
+ value: (( grab meta.db.cc.password ))
+- type: replace
+ path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/ccdb/roles/name=cloud_controller/name
+ value: (( grab meta.db.cc.username ))
+- type: replace
+ path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/ccdb/ca_cert?
+ value: (( grab meta.db.cc.ca ))
+
+# Scheduler - Cloud Controller Clock
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/ccdb/db_scheme
+ value: (( grab meta.db.cc.scheme ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/ccdb/port
+ value: (( grab meta.db.cc.port ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/ccdb/databases/tag=cc/name
+ value: (( grab meta.db.cc.database ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/ccdb/address?
+ value: (( grab meta.db.cc.hostname ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/ccdb/roles/name=cloud_controller/password
+ value: (( grab meta.db.cc.password ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/ccdb/roles/name=cloud_controller/name
+ value: (( grab meta.db.cc.username ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/ccdb/ca_cert?
+ value: (( grab meta.db.cc.ca ))
+
+# Scheduler - Cloud Controller Deployment Updater
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/ccdb/db_scheme
+ value: (( grab meta.db.cc.scheme ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/ccdb/port
+ value: (( grab meta.db.cc.port ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/ccdb/databases/tag=cc/name
+ value: (( grab meta.db.cc.database ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/ccdb/address?
+ value: (( grab meta.db.cc.hostname ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/ccdb/roles/name=cloud_controller/password
+ value: (( grab meta.db.cc.password ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/ccdb/roles/name=cloud_controller/name
+ value: (( grab meta.db.cc.username ))
+- type: replace
+ path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/ccdb/ca_cert?
+ value: (( grab meta.db.cc.ca ))
+
+# Diego API - BBS
+- type: replace
+ path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/db_driver
+ value: (( grab meta.db.diego.scheme ))
+- type: replace
+ path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/db_port
+ value: (( grab meta.db.diego.port ))
+- type: replace
+ path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/db_schema
+ value: (( grab meta.db.diego.database ))
+- type: replace
+ path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/db_host?
+ value: (( grab meta.db.diego.hostname ))
+- type: replace
+ path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/db_password
+ value: (( grab meta.db.diego.password ))
+- type: replace
+ path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/db_username
+ value: (( grab meta.db.diego.username ))
+- type: replace
+ path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/ca_cert?
+ value: (( grab meta.db.diego.ca ))
+- type: replace
+ path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/require_ssl?
+ value: (( grab meta.db.diego.tls ))
+
+# API - Routing API
+- type: replace
+ path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/sqldb/type
+ value: (( grab meta.db.routing_api.scheme ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/sqldb/port
+ value: (( grab meta.db.routing_api.port ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/sqldb/schema
+ value: (( grab meta.db.routing_api.database ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/sqldb/host?
+ value: (( grab meta.db.routing_api.hostname ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/sqldb/password
+ value: (( grab meta.db.routing_api.password ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/sqldb/username
+ value: (( grab meta.db.routing_api.username ))
+- type: replace
+ path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/sqldb/ca_cert?
+ value: (( grab meta.db.routing_api.ca )) + +# API - Policy Server +- type: replace + path: /instance_groups/name=api/jobs/name=policy-server/properties/database/type + value: (( grab meta.db.network_policy.scheme )) +- type: replace + path: /instance_groups/name=api/jobs/name=policy-server/properties/database/username + value: (( grab meta.db.network_policy.username )) +- type: replace + path: /instance_groups/name=api/jobs/name=policy-server/properties/database/password + value: (( grab meta.db.network_policy.password )) +- type: replace + path: /instance_groups/name=api/jobs/name=policy-server/properties/database/host + value: (( grab meta.db.network_policy.hostname )) +- type: replace + path: /instance_groups/name=api/jobs/name=policy-server/properties/database/port + value: (( grab meta.db.network_policy.port )) +- type: replace + path: /instance_groups/name=api/jobs/name=policy-server/properties/database/name + value: (( grab meta.db.network_policy.database )) +- type: replace + path: /instance_groups/name=api/jobs/name=policy-server/properties/database/ca_cert? + value: (( grab meta.db.network_policy.ca )) +- type: replace + path: /instance_groups/name=api/jobs/name=policy-server/properties/database/require_ssl? 
+ value: (( grab meta.db.network_policy.tls )) + +# Diego API - Silk Controller +- type: replace + path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/type + value: (( grab meta.db.network_connectivity.scheme )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/username + value: (( grab meta.db.network_connectivity.username )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/password + value: (( grab meta.db.network_connectivity.password )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/host + value: (( grab meta.db.network_connectivity.hostname )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/port + value: (( grab meta.db.network_connectivity.port )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/name + value: (( grab meta.db.network_connectivity.database )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/ca_cert? + value: (( grab meta.db.network_connectivity.ca )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/require_ssl? 
+ value: (( grab meta.db.network_connectivity.tls )) + +# Diego API - Locket +- type: replace + path: /instance_groups/name=diego-api/jobs/name=locket/properties/diego/locket/sql/db_driver + value: (( grab meta.db.locket.scheme )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=locket/properties/diego/locket/sql/db_port + value: (( grab meta.db.locket.port )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=locket/properties/diego/locket/sql/db_schema + value: (( grab meta.db.locket.database )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=locket/properties/diego/locket/sql/db_host? + value: (( grab meta.db.locket.hostname )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=locket/properties/diego/locket/sql/db_password + value: (( grab meta.db.locket.password )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=locket/properties/diego/locket/sql/db_username + value: (( grab meta.db.locket.username )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=locket/properties/diego/locket/sql/ca_cert? + value: (( grab meta.db.locket.ca )) +- type: replace + path: /instance_groups/name=diego-api/jobs/name=locket/properties/diego/locket/sql/require_ssl? 
+ value: (( grab meta.db.locket.tls )) + +# Diego API - Credhub +- type: replace + path: /instance_groups/name=credhub/jobs/name=credhub/properties/credhub/data_storage/type + value: (( grab meta.db.credhub.scheme )) +- type: replace + path: /instance_groups/name=credhub/jobs/name=credhub/properties/credhub/data_storage/username + value: (( grab meta.db.credhub.username )) +- type: replace + path: /instance_groups/name=credhub/jobs/name=credhub/properties/credhub/data_storage/password + value: (( grab meta.db.credhub.password )) +- type: replace + path: /instance_groups/name=credhub/jobs/name=credhub/properties/credhub/data_storage/host + value: (( grab meta.db.credhub.hostname )) +- type: replace + path: /instance_groups/name=credhub/jobs/name=credhub/properties/credhub/data_storage/port + value: (( grab meta.db.credhub.port )) +- type: replace + path: /instance_groups/name=credhub/jobs/name=credhub/properties/credhub/data_storage/database + value: (( grab meta.db.credhub.database )) +- type: replace + path: /instance_groups/name=credhub/jobs/name=credhub/properties/credhub/data_storage/tls_ca? + value: (( grab meta.db.credhub.ca )) +- type: replace + path: /instance_groups/name=credhub/jobs/name=credhub/properties/credhub/data_storage/require_tls? + value: (( grab meta.db.credhub.tls )) + diff --git a/ocfp/gcp/azs.yml b/ocfp/gcp/azs.yml new file mode 100644 index 00000000..e69de29b diff --git a/ocfp/gcp/ocf.yml b/ocfp/gcp/ocf.yml new file mode 100644 index 00000000..cd21505a --- /dev/null +++ b/ocfp/gcp/ocf.yml @@ -0,0 +1,2 @@ +--- + diff --git a/ocfp/gcp/windows.yml b/ocfp/gcp/windows.yml new file mode 100644 index 00000000..cd21505a --- /dev/null +++ b/ocfp/gcp/windows.yml @@ -0,0 +1,2 @@ +--- + diff --git a/ocfp/meta.yml b/ocfp/meta.yml new file mode 100644 index 00000000..eb541db5 --- /dev/null +++ b/ocfp/meta.yml 
@@ -0,0 +1,23 @@ +--- +meta: + ocfp: + env: + scale: (( grab params.ocfp_env_scale || "dev" )) + + vault: + tf: (( concat genesis.secrets_mount "tf/" genesis.vault_env )) + + certs: + trusted: + - (( append )) # Account for unexpected merge orders. + - (( vault genesis.secrets_mount "certs/org:ca" )) # Organization CA, if exists + - (( vault genesis.secrets_mount "certs/dbs:ca" )) # External Databases CA + # TODO: Add Blacksmith Services CA here, add in blacksmith integration + + cf: + fqdns: + base: (( vault meta.ocfp.vault.tf "/ocf/fqdns:base" )) + system: (( vault meta.ocfp.vault.tf "/ocf/fqdns:system" )) + apps: + - (( vault meta.ocfp.vault.tf "/ocf/fqdns:apps" )) + diff --git a/ocfp/nfs-ldap-data.yml b/ocfp/nfs-ldap-data.yml new file mode 100644 index 00000000..a8a26b00 --- /dev/null +++ b/ocfp/nfs-ldap-data.yml @@ -0,0 +1,30 @@ +--- +meta: + nfs: + ldap: + user: (( vault meta.vault "/nfs/ldap:user" )) + pass: (( vault meta.vault "/nfs/ldap:pass" )) + host: (( vault meta.vault "/nfs/ldap:host" )) + port: (( vault meta.vault "/nfs/ldap:port" )) + proto: (( vault meta.vault "/nfs/ldap:proto" )) + fqdn: (( vault meta.vault "/nfs/ldap:fqdn" )) + ca: (( vault meta.vault "/nfs/ldap:ca" )) + +bosh-variables: + nfs-ldap-service-user: (( grab meta.nfs.ldap.user )) + nfs-ldap-service-password: (( grab meta.nfs.ldap.pass )) + nfs-ldap-host: (( grab meta.nfs.ldap.host )) + nfs-ldap-port: (( grab meta.nfs.ldap.port )) + nfs-ldap-proto: (( grab meta.nfs.ldap.proto )) + nfs-ldap-fqdn: (( grab meta.nfs.ldap.fqdn )) + nfs-ldap-ca-cert: (( grab meta.nfs.ldap.ca )) + +params: + nfs-ldap-service-user: (( grab meta.nfs.ldap.user )) + nfs-ldap-service-password: (( grab meta.nfs.ldap.pass )) + nfs-ldap-host: (( grab meta.nfs.ldap.host )) + nfs-ldap-port: (( grab meta.nfs.ldap.port )) + nfs-ldap-proto: (( grab meta.nfs.ldap.proto )) + nfs-ldap-fqdn: (( grab meta.nfs.ldap.fqdn )) + nfs-ldap-ca-cert: (( grab meta.nfs.ldap.ca )) + 
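Review bot: `certs.trusted` is annotated "Organization CA, if exists", but neither `(( vault genesis.secrets_mount "certs/org:ca" ))` nor the `certs/dbs:ca` entry carries a fallback, and as far as I know spruce's `vault` operator fails the merge on a missing key rather than skipping it. If these are meant to be optional, give them spruce's default form, e.g. `- (( vault genesis.secrets_mount "certs/org:ca" || "" ))`, and likewise for `certs/dbs:ca`. A short comment that everything in this list is pushed into the trust store of every app container by the `trusted-certs` overlays (so only platform-wide CAs belong here) would also help the next person who appends to it.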
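Review bot: `ocfp/nfs-ldap-data.yml` reads seven keys from `meta.vault "/nfs/ldap"` but does not say what any of them are or how they must be seeded, which matters because this feature's whole premise is that inputs come from vault. A header comment listing the expected keys (`user`, `pass`, `host`, `port`, `proto`, `fqdn`, `ca`), noting that `pass` is the LDAP bind password for the nfsv3driver service account, and explaining that the same values are fanned out into both `bosh-variables` and `params` because the addon ops-files and the isolation-segment templates consume them from different places, would let operators pre-seed vault without reading every consumer.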
diff --git a/ocfp/nfs-ldap.yml b/ocfp/nfs-ldap.yml new file mode 100644 index 00000000..586881cb --- /dev/null +++ b/ocfp/nfs-ldap.yml @@ -0,0 +1,18 @@ +--- +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_ca_cert? + value: (( grab meta.nfs.ldap.ca )) + +- type: replace + path: /instance_groups/name=nfs-broker-push/networks + value: + - name: (( concat genesis.env "-ocf" )) + +- type: replace + path: /instance_groups/name=nfs-broker-push/azs + value: (( grab meta.ocfp.azs )) + +- type: replace + path: /instance_groups/name=nfs-broker-push/vm_type + value: (( concat "errand-" meta.ocfp.env.scale )) + diff --git a/ocfp/ocfp.yml b/ocfp/ocfp.yml new file mode 100644 index 00000000..fcab766b --- /dev/null +++ b/ocfp/ocfp.yml @@ -0,0 +1,39 @@ +--- +params: + base_domain: (( grab meta.ocfp.cf.fqdns.base )) + system_domain: (( grab meta.ocfp.cf.fqdns.system )) + apps_domains: (( grab meta.ocfp.cf.fqdns.apps )) + + skip_ssl_validation: true # Using self-signed certs + + cf_core_network: (( concat genesis.env "-ocf" )) + cf_edge_network: (( concat genesis.env "-ocf" )) + cf_runtime_network: (( concat genesis.env "-ocf" )) + cf_db_network: (( concat genesis.env "-ocf" )) + +instance_groups: +- name: router + vm_extensions: + - ((replace)) + - cf-system-apps-lb + +- name: scheduler + vm_extensions: + - ((replace)) + - cf-ssh-lb + +- name: tcp-router + vm_extensions: + - ((replace)) + - (( grab params.tcp_lb_vm_ext || "cf-tcp-lb" )) + +- name: diego-cell + update: + max_in_flight: 3 + +#stemcells default +# NOTE: See codex2 for +#NOTE: Okta feature - LATER +# +#NOTE: update `check` to check for feature required vault things + diff --git a/ocfp/scale/dev.yml b/ocfp/scale/dev.yml new file mode 100644 index 00000000..3284c3e4 --- /dev/null +++ b/ocfp/scale/dev.yml 
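Review bot: `skip_ssl_validation: true # Using self-signed certs` in `ocfp/ocfp.yml` is an unconditional default in a reference architecture that is merged for `prod`-scale environments as well as `dev`, so whatever in the kit consumes this param (its consumer is not in this hunk) runs with TLS verification disabled unless every environment remembers to override it. Safer is to default it off and let environments opt in, e.g. `skip_ssl_validation: (( grab params.ocfp_skip_ssl_validation || false ))` (if your spruce version accepts a boolean literal as the default), or at least gate the `true` on `meta.ocfp.env.scale` being `dev`. The trailing `#NOTE: See codex2 for`, `#NOTE: Okta feature - LATER` and `#NOTE: update check ...` read as personal todos; either make them actionable items or drop them from a shipped kit file.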
@@ -0,0 +1,75 @@ +--- +params: + api_instances: 3 + cc_worker_instances: 3 + credhub_instances: 3 + diego_api_instances: 3 + diego_cell_instances: 1 + doppler_instances: 3 + log_api_instances: 3 + nats_instances: 3 + router_instances: 3 + scheduler_instances: 3 + tcp_router_instances: 3 + uaa_instances: 3 + + api_vm_type: "api-dev" + cc_worker_vm_type: "cc-worker-dev" + credhub_vm_type: "credhub-dev" + diego_api_vm_type: "diego-api-dev" + diego_cell_vm_type: "diego-cell-dev" + doppler_vm_type: "doppler-dev" + errand_vm_type: "errand-dev" + log_api_vm_type: "log-api-dev" + nats_vm_type: "nats-dev" + router_vm_type: "router-dev" + scheduler_vm_type: "scheduler-dev" + tcp_router_vm_type: "tcp-router-dev" + uaa_vm_type: "uaa-dev" + windows_diego_cell_vm_type: "windows-cell-dev" + +--- +# VM Types +- type: replace + path: /instance_groups/name=diego-cell/vm_type + value: diego-cell-dev +- type: replace + path: /instance_groups/name=diego-api/vm_type + value: diego-api-dev +- type: replace + path: /instance_groups/name=nats/vm_type + value: nats-dev +- type: replace + path: /instance_groups/name=uaa/vm_type + value: uaa-dev +- type: replace + path: /instance_groups/name=api/vm_type + value: api-dev +- type: replace + path: /instance_groups/name=cc-worker/vm_type + value: cc-worker-dev +- type: replace + path: /instance_groups/name=scheduler/vm_type + value: scheduler-dev +- type: replace + path: /instance_groups/name=router/vm_type + value: router-dev +- type: replace + path: /instance_groups/name=tcp-router/vm_type + value: tcp-router-dev +- type: replace + path: /instance_groups/name=doppler/vm_type + value: doppler-dev +- type: replace + path: /instance_groups/name=log-api/vm_type + value: log-api-dev +- type: replace + path: /instance_groups/name=credhub/vm_type + value: credhub-dev +- type: replace + path: /instance_groups/name=rotate-cc-database-key?/vm_type + value: default-dev +- type: replace + path: /instance_groups/name=smoke-tests/vm_type + value: default-dev 
+ diff --git a/ocfp/scale/prod.yml b/ocfp/scale/prod.yml new file mode 100644 index 00000000..e94a3378 --- /dev/null +++ b/ocfp/scale/prod.yml 
@@ -0,0 +1,76 @@ +--- +params: + api_instances: 3 + cc_worker_instances: 3 + credhub_instances: 3 + diego_api_instances: 3 + diego_cell_instances: 10 + doppler_instances: 3 + log_api_instances: 3 + nats_instances: 3 + router_instances: 3 + scheduler_instances: 3 + tcp_router_instances: 3 + uaa_instances: 3 + # windows_diego_cell_instances: 1 + + api_vm_type: "api-prod" + cc_worker_vm_type: "cc-worker-prod" + credhub_vm_type: "credhub-prod" + diego_api_vm_type: "diego-api-prod" + diego_cell_vm_type: "diego-cell-prod" + doppler_vm_type: "doppler-prod" + errand_vm_type: "errand-prod" + log_api_vm_type: "log-api-prod" + nats_vm_type: "nats-prod" + router_vm_type: "router-prod" + scheduler_vm_type: "scheduler-prod" + tcp_router_vm_type: "tcp-router-prod" + uaa_vm_type: "uaa-prod" + windows_diego_cell_vm_type: "windows-cell-prod" + +--- +# VM Types +- type: replace + path: /instance_groups/name=diego-cell/vm_type + value: diego-cell-prod +- type: replace + path: /instance_groups/name=diego-api/vm_type + value: diego-api-prod +- type: replace + path: /instance_groups/name=nats/vm_type + value: nats-prod +- type: replace + path: /instance_groups/name=uaa/vm_type + value: uaa-prod +- type: replace + path: /instance_groups/name=api/vm_type + value: api-prod +- type: replace + path: /instance_groups/name=cc-worker/vm_type + value: cc-worker-prod +- type: replace + path: /instance_groups/name=scheduler/vm_type + value: scheduler-prod +- type: replace + path: /instance_groups/name=router/vm_type + value: router-prod +- type: replace + path: /instance_groups/name=tcp-router/vm_type + value: tcp-router-prod +- type: replace + path: /instance_groups/name=doppler/vm_type + value: doppler-prod +- type: replace + path: /instance_groups/name=log-api/vm_type + value: log-api-prod +- type: replace + path: /instance_groups/name=credhub/vm_type + value: credhub-prod +- type: replace + path: /instance_groups/name=rotate-cc-database-key?/vm_type + value: default-prod +- type: replace + 
path: /instance_groups/name=smoke-tests/vm_type + value: default-prod + diff --git a/ocfp/smb-broker.yml b/ocfp/smb-broker.yml new file mode 100644 index 00000000..ba68c32d --- /dev/null +++ b/ocfp/smb-broker.yml @@ -0,0 +1,14 @@ +--- +- type: replace + path: /instance_groups/name=smb-broker-push/networks + value: + - name: (( concat genesis.env "-ocf" )) + +- type: replace + path: /instance_groups/name=smb-broker-push/azs + value: (( grab meta.ocfp.azs )) + +- type: replace + path: /instance_groups/name=smb-broker-push/vm_type + value: (( concat "errand-" meta.ocfp.env.scale )) + diff --git a/ocfp/stratos.yml b/ocfp/stratos.yml new file mode 100644 index 00000000..e0f6d4b0 --- /dev/null +++ b/ocfp/stratos.yml @@ -0,0 +1,4 @@ +--- +meta: + stratos_domain: (( vault meta.ocfp.vault.tf "/ocf/fqdns:stratos" )) + diff --git a/ocfp/trust-blacksmith-ca.yml b/ocfp/trust-blacksmith-ca.yml new file mode 100644 index 00000000..9974f356 --- /dev/null +++ b/ocfp/trust-blacksmith-ca.yml @@ -0,0 +1,8 @@ +--- +meta: + ocfp: + certs: + trusted: + - (( append )) + - (( vault $GENESIS_EXODUS_MOUNT genesis.env "/blacksmith:blacksmith_ca" )) + diff --git a/ocfp/trusted-certs-windows.yml b/ocfp/trusted-certs-windows.yml new file mode 100644 index 00000000..7a3934d7 --- /dev/null +++ b/ocfp/trusted-certs-windows.yml @@ -0,0 +1,10 @@ +instance_groups: +- name: windows2019-cell + jobs: + - name: rep_windows + properties: + containers: + trusted_ca_certificates: + - (( append )) + - (( join "" meta.ocfp.certs.trusted )) + diff --git a/ocfp/trusted-certs.yml b/ocfp/trusted-certs.yml new file mode 100644 index 00000000..49e9f1a0 --- /dev/null +++ b/ocfp/trusted-certs.yml 
@@ -0,0 +1,16 @@ +instance_groups: +- name: diego-cell + jobs: + - name: rep + properties: + containers: + trusted_ca_certificates: + - (( append )) + - (( join "" meta.ocfp.certs.trusted )) + - name: cflinuxfs3-rootfs-setup + properties: + cflinuxfs3-rootfs: + trusted_certs: + - (( append )) + - (( join "" meta.ocfp.certs.trusted )) + diff --git a/ocfp/vsphere/azs.yml b/ocfp/vsphere/azs.yml new file mode 100644 index 00000000..e69de29b diff --git a/ocfp/vsphere/ocf.yml b/ocfp/vsphere/ocf.yml new file mode 100644 index 00000000..cd21505a --- /dev/null +++ b/ocfp/vsphere/ocf.yml @@ -0,0 +1,2 @@ +--- + diff --git a/ocfp/vsphere/windows.yml b/ocfp/vsphere/windows.yml new file mode 100644 index 00000000..cd21505a --- /dev/null +++ b/ocfp/vsphere/windows.yml @@ -0,0 +1,2 @@ +--- + diff --git a/operations/diego-cells-networking.yml b/operations/diego-cells-networking.yml new file mode 100644 index 00000000..cf26bf87 --- /dev/null +++ b/operations/diego-cells-networking.yml 
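Review bot: `(( join "" meta.ocfp.certs.trusted ))` concatenates the PEM blobs with no separator, so if any CA stored in vault lacks a trailing newline the next `-----BEGIN CERTIFICATE-----` is glued onto the previous `-----END CERTIFICATE-----` line and the whole `trusted_certs` / `trusted_ca_certificates` entry becomes unparseable; using `(( join "\n" meta.ocfp.certs.trusted ))` is harmless when entries already end in a newline and robust when they do not. The same expression appears in `ocfp/trusted-certs-windows.yml`. A one-line comment that this is where the org and external-DB CAs from `ocfp/meta.yml` enter every app container's trust store would make the security impact of editing that list visible here.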
@@ -0,0 +1,30 @@
+---
+# Use distinct vxlan policy links for runtime cells
+- type: replace
+ path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/provides?/vpa
+ value: {as: vpa-runtime}
+- type: replace
+ path: /instance_groups/name=diego-cell/jobs/name=silk-daemon/consumes?/vpa
+ value: {from: vpa-runtime}
+- type: replace
+ path: /instance_groups/name=diego-cell/jobs/name=silk-cni/consumes?/vpa
+ value: {from: vpa-runtime}
+- type: replace
+ path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/consumes?/iptables
+ value: {from: iptables-runtime}
+- type: replace
+ path: /instance_groups/name=diego-cell/jobs/name=silk-daemon/consumes?/iptables
+ value: {from: iptables-runtime}
+- type: replace
+ path: /instance_groups/name=diego-cell/jobs/name=netmon/consumes?/iptables
+ value: {from: iptables-runtime}
+- type: replace
+ path: /instance_groups/name=diego-cell/jobs/name=garden/provides?/iptables
+ value: {as: iptables-runtime}
+- type: replace
+ path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/consumes?/cni_config
+ value: {from: cni_config_runtime}
+- type: replace
+ path: /instance_groups/name=diego-cell/jobs/name=silk-cni/provides?/cni_config
+ value: {as: cni_config_runtime}
+
diff --git a/operations/scale-to-three-azs.yml b/operations/scale-to-three-azs.yml
new file mode 100644
index 00000000..583a62ad
--- /dev/null
+++ b/operations/scale-to-three-azs.yml
@@ -0,0 +1,41 @@ +--- +# Use this override to deploy 3 Availability Zones. +- type: replace + path: /instance_groups/name=nats/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=diego-api/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=uaa/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=scheduler/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=diego-cell/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=router/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=api/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=cc-worker/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=doppler/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=log-cache/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=log-api/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=tcp-router/azs + value: [ z1, z2, z3 ] +- type: replace + path: /instance_groups/name=credhub/azs + value: [ z1, z2, z3 ] diff --git a/overlay/addons/app-scheduler.yml b/overlay/addons/app-scheduler.yml index 057f8045..4cf89774 100644 --- a/overlay/addons/app-scheduler.yml +++ b/overlay/addons/app-scheduler.yml @@ -1,7 +1,7 @@ --- exodus: app_scheduler_client: app_scheduler_client - app_scheduler_secret: (( grab instance_groups.uaa.jobs.uaa.properties.uaa.clients.app_scheduler_client.secret )) + app_scheduler_secret: ((uaa_clients_app_scheduler_secret)) nats_client_cert: ((nats_client_cert.certificate)) nats_client_key: ((nats_client_cert.private_key)) @@ -20,3 +20,4 @@ instance_groups: variables: - name: uaa_clients_app_scheduler_secret type: password + diff --git a/overlay/addons/autoscaler.yml b/overlay/addons/autoscaler.yml index 0e115a81..e2383b62 100644 --- a/overlay/addons/autoscaler.yml +++ b/overlay/addons/autoscaler.yml 
@@ -1,7 +1,7 @@ --- exodus: app_autoscaler_client: app_autoscaler_client - app_autoscaler_secret: (( grab instance_groups.uaa.jobs.uaa.properties.uaa.clients.app_autoscaler_client.secret )) + app_autoscaler_secret: ((uaa_clients_app_autoscaler_secret)) loggregator_ca: ((loggregator_ca.certificate)) loggregator_tls_rlp_cert: ((loggregator_tls_rlp.certificate)) loggregator_tls_rlp_key: ((loggregator_tls_rlp.private_key)) diff --git a/overlay/addons/nfs-ldap-config.yml b/overlay/addons/nfs-ldap-config.yml new file mode 100644 index 00000000..4c92d0de --- /dev/null +++ b/overlay/addons/nfs-ldap-config.yml @@ -0,0 +1,26 @@ +--- +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_svc_user? + value: (( grab meta.nfs.ldap.user )) +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_svc_password? + value: (( grab meta.nfs.ldap.pass )) +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_host? + value: (( grab meta.nfs.ldap.host )) +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_port? + value: (( grab meta.nfs.ldap.port )) +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_proto? + value: (( grab meta.nfs.ldap.proto )) +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_user_fqdn? + value: (( grab meta.nfs.ldap.fqdn )) +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=nfsv3driver/properties/nfsv3driver/allowed-in-source? + value: "" +- type: replace + path: /instance_groups/name=nfs-broker-push/jobs/name=nfsbrokerpush/properties/nfsbrokerpush/ldap_enabled? + value: true + diff --git a/overlay/addons/nfs-ldap-tls.yml b/overlay/addons/nfs-ldap-tls.yml index 34aa1a94..ac3050de 100644 --- a/overlay/addons/nfs-ldap-tls.yml 
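Review bot: `allowed-in-source?` is set to `""` in `overlay/addons/nfs-ldap-config.yml` with no explanation, and it is the one security-relevant line in the file: presumably the intent is that once LDAP resolves the uid/gid, service users must not be able to supply their own `uid=`/`gid=` in the share source and mount as an arbitrary identity, so record that: `# Empty on purpose: with LDAP uid/gid mapping, the share source must not be allowed to override uid/gid.` Note also that this hunk writes the LDAP bind user and password (`ldap_svc_user?`, `ldap_svc_password?`) straight into job properties, so they land in the rendered manifest for anyone who can read it; that is inherent to nfsv3driver's interface but deserves a comment so nobody assumes vault is the only place the password lives.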
+++ b/overlay/addons/nfs-ldap-tls.yml @@ -1,13 +1,6 @@ +--- params: - nfs-ldap-ca-cert-ca: ((nfs-ldap-ca-cert.ca)) - -instance_groups: -- name: diego-cell - jobs: - - name: nfsv3driver - properties: - nfsv3driver: - ldap_ca_cert: (( grab params.nfs-ldap-ca-cert-ca )) + nfs-ldap-ca-cert: ((nfs-ldap-ca-cert.ca)) variables: - name: nfs-ldap-ca-cert @@ -16,3 +9,8 @@ variables: common_name: NFSLDAPCA is_ca: true +--- +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_ca_cert? + value: (( grab params.nfs-ldap-ca-cert )) + diff --git a/overlay/addons/scs.yml b/overlay/addons/scs.yml new file mode 100644 index 00000000..f68519ef --- /dev/null +++ b/overlay/addons/scs.yml @@ -0,0 +1,26 @@ +--- +exodus: + scs_client: scs_client + scs_secret: (( grab instance_groups.uaa.jobs.uaa.properties.uaa.clients.scs_client.secret )) + +instance_groups: + - name: uaa + jobs: + - name: uaa + properties: + uaa: + clients: + scs_client: + authorized-grant-types: client_credentials + authorities: uaa.admin,clients.admin,cloud_controller.read,cloud_controller.admin,uaa.resource + secret: "((uaa_clients_scs_secret))" + +variables: +- name: uaa_clients_scs_secret + type: password + +--- +- type: replace + path: /instance_groups/name=api?/jobs/name=cloud_controller_ng/properties/cc/broker_client_timeout_seconds + value: 300 + diff --git a/overlay/addons/stratos.yml b/overlay/addons/stratos.yml new file mode 100644 index 00000000..ec0d776e --- /dev/null +++ b/overlay/addons/stratos.yml 
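Review bot: In `overlay/addons/scs.yml` the `exodus.scs_secret` uses `(( grab instance_groups.uaa.jobs.uaa.properties.uaa.clients.scs_client.secret ))`, the very form this commit removes from `app-scheduler.yml` and `autoscaler.yml` in favour of the BOSH variable; for consistency make it `scs_secret: ((uaa_clients_scs_secret))`. Separately, `scs_client` gets `uaa.admin,clients.admin,cloud_controller.admin,...` under `client_credentials`, which is enough to mint further clients with any authority and to administer the entire foundation; if the SCS broker genuinely needs all of these, a comment naming the operations that require `uaa.admin` and `clients.admin` would justify the grant, otherwise trim the list to what the broker actually uses.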
@@ -0,0 +1,30 @@ +--- +meta: + stratos_domain: (( concat "console." params.apps_domain )) + +instance_groups: +- name: uaa + jobs: + - name: uaa + properties: + uaa: + clients: + stratos_client: + authorized-grant-types: authorization_code,client_credentials,refresh_token + redirect-uri: (( concat "https://" meta.stratos_domain "/pp/v1/auth/sso_login_callback" )) + autoapprove: true # Bypass users approval + access-token-validity: 1200 + authorities: uaa.none + override: true + refresh-token-validity: 2592000 + scope: network.admin,network.write,cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write,doppler.firehose,uaa.user,routing.router_groups.read,routing.router_groups.write,cloud_controller.admin_read_only,cloud_controller.global_auditor,perm.admin,clients.read + secret: "((stratos_client_secret))" + +variables: +- name: stratos_client_secret + type: password + +exodus: + stratos_client: stratos_client + stratos_secret: ((stratos_client_secret)) + diff --git a/overlay/addons/trust-blacksmith-ca.yml b/overlay/addons/trust-blacksmith-ca.yml new file mode 100644 index 00000000..ac410100 --- /dev/null +++ b/overlay/addons/trust-blacksmith-ca.yml @@ -0,0 +1,8 @@ +--- +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs3-rootfs-setup/properties/cflinuxfs3-rootfs/trusted_certs/- + value: (( vault $GENESIS_EXODUS_MOUNT genesis.env "/blacksmith:blacksmith_ca" )) +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/trusted_ca_certificates/- + value: (( vault $GENESIS_EXODUS_MOUNT genesis.env "/blacksmith:blacksmith_ca" )) + diff --git a/overlay/addons/uaa-admin-client.yml b/overlay/addons/uaa-admin-client.yml new file mode 100644 index 00000000..0d3bfcf4 --- /dev/null +++ b/overlay/addons/uaa-admin-client.yml @@ -0,0 +1,4 @@ +--- +exodus: + uaa_admin_client: admin + uaa_admin_client_secret: ((uaa_admin_client_secret)) 
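Review bot: `stratos_client` combines `autoapprove: true` with a scope list that includes `scim.write`, `cloud_controller.admin`, `doppler.firehose`, `perm.admin` and `clients.read`, so any user who logs into the console silently delegates the full extent of their own privileges to it, held in a 30-day refresh token (`refresh-token-validity: 2592000`). That may well be intended for an admin console, but say so in a comment above `autoapprove: true` (`# Console is trusted with the user's full scope; no consent screen`), and trim the scope list to what Stratos uses if that is known. `authorized-grant-types` also lists `client_credentials` while `authorities` is `uaa.none`, so that grant yields nothing unless Stratos needs it for a client-credentials call; the single exact `redirect-uri` is good.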
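Review bot: `overlay/addons/uaa-admin-client.yml` exports `uaa_admin_client_secret` to exodus, which publishes the UAA `admin` client secret to every consumer able to read this environment's exodus data in vault, whereas the rest of this commit exports purpose-specific clients (`app_scheduler_client`, `app_autoscaler_client`, `scs_client`, `stratos_client`). If a downstream addon truly needs `admin`, a header comment naming it and why is the minimum so the export can be removed once that consumer has its own client: `# Exposes the UAA admin client secret via exodus for <consumer>; remove when it gets a dedicated client.`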
diff --git a/overlay/base.yml b/overlay/base.yml index cac16f3c..ace2aed9 100644 --- a/overlay/base.yml +++ b/overlay/base.yml @@ -1,19 +1,19 @@ --- # overrides: basic overrides for genesis compatibility exodus: - admin_username: admin - admin_password: ((cf_admin_password)) - base_domain: (( grab params.base_domain )) - system_domain: (( grab params.system_domain )) - app_domains: (( grab params.app_domains )) - apps_domain: (( grab params.apps_domain )) - api_domain: (( concat "api." params.system_domain )) - - edge_network: (( grab params.cf_edge_network || params.network )) - core_network: (( grab params.cf_core_network || params.network )) - runtime_network: (( grab params.cf_runtime_network || params.network )) - db_network: (( grab params.cf_db_network || params.cf_core_network || params.network )) - - vaulted_uaa_clients: (( concat meta.vault "/uaa/client_secrets:firehose" )) + admin_username: admin + admin_password: ((cf_admin_password)) + base_domain: (( grab params.base_domain )) + system_domain: (( grab params.system_domain )) + app_domains: (( grab params.app_domains )) + apps_domain: (( grab params.apps_domain )) + api_domain: (( concat "api." params.system_domain )) + + edge_network: (( grab params.cf_edge_network || params.network )) + core_network: (( grab params.cf_core_network || params.network )) + runtime_network: (( grab params.cf_runtime_network || params.network )) + db_network: (( grab params.cf_db_network || params.cf_core_network || params.network )) + + vaulted_uaa_clients: (( concat meta.vault "/uaa/client_secrets:firehose" )) system_org: system system_space: system diff --git a/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml b/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml index cd0dd684..d6548fb0 100644 --- a/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml +++ b/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml 
@@ -1,9 +1,12 @@ -meta: - __base_trusted_certs: +params: + isolation_segments: + - name: {{segment-name}} + base_trusted_certs: - ((diego_instance_identity_ca.ca)) - ((credhub_tls.ca)) - ((uaa_ssl.ca)) - additional_trusted_certs: [] + additional_trusted_certs: + - (( append )) instance_groups: - name: (( grab meta.name )) @@ -11,8 +14,8 @@ instance_groups: - name: cflinuxfs3-rootfs-setup properties: cflinuxfs3-rootfs: - trusted_certs: (( grab meta.__base_trusted_certs meta.additional_trusted_certs )) + trusted_certs: (( defer grab params.isolation_segments.{{segment-name}}.base_trusted_certs params.isolation_segments.{{segment-name}}.additional_trusted_certs )) - name: rep properties: containers: - trusted_ca_certificates: (( grab meta.__base_trusted_certs meta.additional_trusted_certs )) + trusted_ca_certificates: (( defer grab params.isolation_segments.{{segment-name}}.base_trusted_certs params.isolation_segments.{{segment-name}}.additional_trusted_certs )) diff --git a/overlay/dynamic-templates/isolation-segment-dns-sd.yml b/overlay/dynamic-templates/isolation-segment-dns-sd.yml new file mode 100644 index 00000000..f8fcc2da --- /dev/null +++ b/overlay/dynamic-templates/isolation-segment-dns-sd.yml @@ -0,0 +1,26 @@ +--- +- type: replace + path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/domain=_.cell.service.cf.internal/targets/- + value: + query: '_' + instance_group: {{segment-name}} + deployment: ((deployment_name)) + network: (( grab meta.network_name || "default" )) + domain: bosh +- type: replace + path: /instance_groups/name={{segment-name}}/jobs/name=bosh-dns-adapter? + value: + name: bosh-dns-adapter + properties: + internal_domains: ["apps.internal."] + dnshttps: + client: + tls: ((cf_app_sd_client_tls)) + server: + ca: ((cf_app_sd_server_tls.ca)) + release: cf-networking +- type: replace + path: /instance_groups/name={{segment-name}}/jobs/name=route_emitter/properties/internal_routes? + value: + enabled: true + 
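Review bot: In `isolation-segment-dns-sd.yml` the bosh-dns alias target added for `_.cell.service.cf.internal` uses `network: (( grab meta.network_name || "default" ))`, while `isolation-segment-network.yml` in the same commit places the segment on `(( grab meta.network_name || "(( grab params.cf_runtime_network ))" ))`; when `meta.network_name` is unset and the network template is active, the alias presumably names a network the instance group does not have, and bosh-dns would then return no addresses for the segment's cells. Defaulting both to the same expression closes that gap. A comment on the `bosh-dns-adapter` job noting that `internal_domains: ["apps.internal."]` is hard-coded here (and should track whatever the main deployment uses) would also help.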
diff --git a/overlay/dynamic-templates/isolation-segment-network.yml b/overlay/dynamic-templates/isolation-segment-network.yml index 6d74b258..9ef501a1 100644 --- a/overlay/dynamic-templates/isolation-segment-network.yml +++ b/overlay/dynamic-templates/isolation-segment-network.yml @@ -6,7 +6,8 @@ instance_groups: - name: (( grab meta.network_name || "(( grab params.cf_runtime_network ))" )) addons: -- jobs: +- name: bosh-dns-aliases + jobs: - name: bosh-dns-aliases properties: aliases: @@ -20,4 +21,3 @@ addons: network: (( grab meta.network_name || "(( grab params.cf_runtime_network ))" )) query: _ - diff --git a/overlay/dynamic-templates/isolation-segment-nfs-ldap-config.yml b/overlay/dynamic-templates/isolation-segment-nfs-ldap-config.yml new file mode 100644 index 00000000..7e9b4e56 --- /dev/null +++ b/overlay/dynamic-templates/isolation-segment-nfs-ldap-config.yml 
@@ -0,0 +1,23 @@
+---
+- type: replace
+ path: /instance_groups/name={{segment-name}}/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_svc_user?
+ value: (( grab meta.nfs.ldap.user ))
+- type: replace
+ path: /instance_groups/name={{segment-name}}/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_svc_password?
+ value: (( grab meta.nfs.ldap.pass ))
+- type: replace
+ path: /instance_groups/name={{segment-name}}/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_host?
+ value: (( grab meta.nfs.ldap.host ))
+- type: replace
+ path: /instance_groups/name={{segment-name}}/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_port?
+ value: (( grab meta.nfs.ldap.port ))
+- type: replace
+ path: /instance_groups/name={{segment-name}}/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_proto?
+ value: (( grab meta.nfs.ldap.proto ))
+- type: replace
+ path: /instance_groups/name={{segment-name}}/jobs/name=nfsv3driver/properties/nfsv3driver/ldap_user_fqdn?
+ value: (( grab meta.nfs.ldap.fqdn ))
+- type: replace
+ path: /instance_groups/name={{segment-name}}/jobs/name=nfsv3driver/properties/nfsv3driver/allowed-in-source?
+ value: ""
+
diff --git a/overlay/dynamic-templates/isolation-segment-nfs-ldap-ocfp.yml b/overlay/dynamic-templates/isolation-segment-nfs-ldap-ocfp.yml
new file mode 100644
index 00000000..e0259e5f
--- /dev/null
+++ b/overlay/dynamic-templates/isolation-segment-nfs-ldap-ocfp.yml
@@ -0,0 +1,28 @@ +--- +meta: + nfs: + ldap: + user: (( vault meta.vault "/nfs/ldap:user" )) + pass: (( vault meta.vault "/nfs/ldap:pass" )) + host: (( vault meta.vault "/nfs/ldap:host" )) + port: (( vault meta.vault "/nfs/ldap:port" )) + proto: (( vault meta.vault "/nfs/ldap:proto" )) + fqdn: (( vault meta.vault "/nfs/ldap:fqdn" )) + ca: (( vault meta.vault "/nfs/ldap:ca" )) + +bosh-variables: + nfs-ldap-service-user: (( grab meta.nfs.ldap.user )) + nfs-ldap-service-password: (( grab meta.nfs.ldap.pass )) + nfs-ldap-host: (( grab meta.nfs.ldap.host )) + nfs-ldap-port: (( grab meta.nfs.ldap.port )) + nfs-ldap-proto: (( grab meta.nfs.ldap.proto )) + nfs-ldap-fqdn: (( grab meta.nfs.ldap.fqdn )) + +params: + nfs-ldap-service-user: (( grab meta.nfs.ldap.user )) + nfs-ldap-service-password: (( grab meta.nfs.ldap.pass )) + nfs-ldap-host: (( grab meta.nfs.ldap.host )) + nfs-ldap-port: (( grab meta.nfs.ldap.port )) + nfs-ldap-proto: (( grab meta.nfs.ldap.proto )) + nfs-ldap-fqdn: (( grab meta.nfs.ldap.fqdn )) + nfs-ldap-ca-cert: (( grab meta.nfs.ldap.ca )) diff --git a/overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml b/overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml index a54f3afd..2be2f7f8 100644 --- a/overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml +++ b/overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml @@ -4,4 +4,5 @@ instance_groups: - name: nfsv3driver properties: nfsv3driver: - ldap_ca_cert: (( grab meta.nfs-ldap-ca-cert-ca || params.nfs-ldap-ca-cert-ca )) + ldap_ca_cert: (( grab meta.nfs-ldap-ca-cert || params.nfs-ldap-ca-cert )) + diff --git a/overlay/dynamic-templates/isolation-segment-nfs.yml b/overlay/dynamic-templates/isolation-segment-nfs.yml index 4f5e1bc3..de63b2e7 100644 --- a/overlay/dynamic-templates/isolation-segment-nfs.yml +++ b/overlay/dynamic-templates/isolation-segment-nfs.yml 
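Review bot: `bosh-variables` in `isolation-segment-nfs-ldap-ocfp.yml` omits `nfs-ldap-ca-cert` while `params` includes it and the sibling `ocfp/nfs-ldap-data.yml` in this commit lists it in both, so a segment rendered from this template only gets the LDAP CA through the `params.nfs-ldap-ca-cert` branch of `(( grab meta.nfs-ldap-ca-cert || params.nfs-ldap-ca-cert ))` and nothing at the BOSH-variables level; add `nfs-ldap-ca-cert: (( grab meta.nfs.ldap.ca ))` under `bosh-variables` for parity. This file otherwise duplicates `ocfp/nfs-ldap-data.yml` line for line; a one-line comment on why the dynamic template cannot reuse it would spare the next reader the diff.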
@@ -11,8 +11,7 @@ instance_groups: server_cert: ((nfsv3driver_cert.certificate)) server_key: ((nfsv3driver_cert.private_key)) release: nfs-volume - - name: mapfs + release: mapfs provides: mapfs: nil - release: mapfs
diff --git a/overlay/dynamic-templates/isolation-segment-ocfp-trusted-certs.yml b/overlay/dynamic-templates/isolation-segment-ocfp-trusted-certs.yml
new file mode 100644
index 00000000..21ea23c7
--- /dev/null
+++ b/overlay/dynamic-templates/isolation-segment-ocfp-trusted-certs.yml
@@ -0,0 +1,8 @@
+---
+params:
+ isolation_segments:
+ - name: {{segment-name}}
+ additional_trusted_certs:
+ - (( append ))
+ - (( grab meta.ocfp.certs.trusted ))
+
diff --git a/overlay/dynamic-templates/isolation-segment.yml b/overlay/dynamic-templates/isolation-segment.yml
index b294c991..e1e6e66a 100644
--- a/overlay/dynamic-templates/isolation-segment.yml
+++ b/overlay/dynamic-templates/isolation-segment.yml
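Review bot: On the new side of the first hunk the lines read as `release: nfs-volume` immediately followed by `release: mapfs`, with the `- name: mapfs` job header and the trailing `release: mapfs` removed, which would leave the nfsv3driver job with a duplicate `release` key and no `mapfs` job at all; indentation is lost in this rendering so this may be a display artifact, but the `-8 +7` counts are consistent with exactly that edit. Please confirm the rendered segment manifest still carries a `mapfs` job where `nfsv3driver` needs it (the spec-result hunks visible on this page show neither job, so I could not check), or remove the `provides: mapfs: nil` lines together with the job if the intent is to drop it. If the intent is only to reorder keys, the added lines should be `- name: mapfs` followed by `release: mapfs`, not a second `release` under nfsv3driver.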
@@ -1,19 +1,81 @@ +--- +genesis: + env: (( grab $GENESIS_ENVIRONMENT )) + secrets_mount: (( grab $GENESIS_SECRETS_MOUNT )) + vault_prefix: (( grab $GENESIS_VAULT_PREFIX )) + vault_env: (( grab $GENESIS_VAULT_ENV_SLUG )) + meta: + vault: (( concat genesis.secrets_mount genesis.vault_prefix )) + __default_tags: - (( grab meta.tag || meta.name )) + __default_vm_extentions: - 100GB_ephemeral_disk instance_groups: - name: (( grab meta.name )) - azs: (( grab meta.azs || "(( grab meta.azs ))" )) instances: (( grab meta.instances || 1 )) + azs: (( grab meta.azs || "(( grab meta.azs ))" )) + networks: + - name: (( grab meta.network_name || "default" )) vm_type: (( grab meta.vm_type || "(( grab params.diego-cell_vm_type || params.diego_cell_vm_type || \"small-highmem\" ))" )) vm_extensions: (( grab meta.vm_extensions || meta.__default_vm_extentions )) stemcell: (( grab meta.stemcell || "default" )) - networks: - - name: (( grab meta.network_name || "default" )) jobs: + - name: cfdot + .: (( defer inject instance_groups.diego-cell.jobs.cfdot )) + + - name: garden-cni + .: (( defer inject instance_groups.diego-cell.jobs.garden-cni )) + + - name: netmon + .: (( defer inject instance_groups.diego-cell.jobs.netmon )) + consumes: + iptables: + from: (( concat "iptables-" meta.name )) + + - name: vxlan-policy-agent + .: (( defer inject instance_groups.diego-cell.jobs.vxlan-policy-agent )) + provides: + vpa: + as: (( concat "vpa-" meta.name )) + consumes: + iptables: + from: (( concat "iptables-" meta.name )) + cni_config: + from: (( concat "cni_config-" meta.name )) + + - name: silk-daemon + .: (( defer inject instance_groups.diego-cell.jobs.silk-daemon )) + consumes: + vpa: + from: (( concat "vpa-" meta.name )) + iptables: + from: (( concat "iptables-" meta.name )) + + - name: silk-cni + .: (( defer inject instance_groups.diego-cell.jobs.silk-cni )) + consumes: + vpa: + from: (( concat "vpa-" meta.name )) + provides: + cni_config: + as: (( concat "cni_config-" meta.name )) + + - 
name: loggr-udp-forwarder + .: (( defer inject instance_groups.diego-cell.jobs.loggr-udp-forwarder )) + + - name: bosh-dns-adapter + properties: + internal_domains: ["apps.internal."] + dnshttps: + client: + tls: ((cf_app_sd_client_tls)) + server: + ca: ((cf_app_sd_client_tls.ca)) + release: cf-networking - name: cflinuxfs3-rootfs-setup release: cflinuxfs3 properties: @@ -25,7 +87,9 @@ instance_groups: - name: garden release: garden-runc provides: - iptables: nil + iptables: + as: (( concat "iptables-" meta.name )) + properties: garden: containerd_mode: true @@ -35,6 +99,9 @@ instance_groups: graph_cleanup_threshold_in_mb: 0 deny_networks: - 0.0.0.0/0 + network_plugin: /var/vcap/packages/runc-cni/bin/garden-external-networker + network_plugin_extra_args: + - --configFile=/var/vcap/jobs/garden-cni/config/adapter.json logging: format: timestamp: "rfc3339" @@ -81,6 +148,11 @@ instance_groups: timestamp: "rfc3339" - name: route_emitter release: diego + consumes: + nats: + ip_addresses: false + nats-tls: + ip_addresses: false properties: bpm: enabled: true @@ -111,8 +183,10 @@ instance_groups: uaa: ca_cert: "((uaa_ssl.ca))" client_secret: "((uaa_clients_tcp_emitter_secret))" + addons: -- jobs: +- name: bosh-dns-aliases + jobs: - name: bosh-dns-aliases properties: aliases: @@ -125,4 +199,4 @@ addons: network: (( grab meta.network_name || "default" )) query: _ release: bosh-dns-aliases - name: bosh-dns-aliases + diff --git a/spec/results/isolation-segments-extended.yml b/spec/results/isolation-segments-extended.yml index 0f6ec728..c128185d 100644 --- a/spec/results/isolation-segments-extended.yml +++ b/spec/results/isolation-segments-extended.yml 
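Review bot: The run of `(( defer inject instance_groups.diego-cell.jobs.<job> ))` entries and the `(( concat "iptables-" meta.name ))`-style link renames carry no explanation, and they are the part of this template a maintainer is most likely to get wrong: each segment copies the core diego-cell job definitions (properties and credentials included) and must rename its `iptables`, `vpa` and `cni_config` links per segment so silk and the policy agent bind to their own garden rather than the core cells'. A header comment above `jobs:` along the lines of `# Networking jobs are injected from the core diego-cell at the deferred merge; provides/consumes are suffixed with meta.name so each segment's silk chain stays isolated from the core cells and from other segments` would cover this hunk and the `garden` `provides` change in the `@@ -25,7 +87,9 @@` hunk. `bosh-dns-adapter` is the one networking job written out by hand, with `internal_domains: ["apps.internal."]` fixed in this template rather than injected, so it can drift from the core cell's settings; if the core diego-cell carries the same job, inject it the same way, otherwise add a comment saying why it is spelled out here. The `addons` rename in the last two hunks is cosmetic.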
@@ -183,6 +183,16 @@ addons: instance_group: custom-params-group network: cf-core query: _ + - deployment: isolation-segments-extended-cf + domain: bosh + instance_group: custom-params-group + network: default + query: _ + - deployment: isolation-segments-extended-cf + domain: bosh + instance_group: default-params-group + network: default + query: _ - deployment: isolation-segments-extended-cf domain: bosh instance_group: default-params-group @@ -1793,6 +1803,9 @@ instance_groups: logging: format: timestamp: rfc3339 + provides: + iptables: + as: iptables-runtime release: garden-runc - name: rep properties: @@ -1883,24 +1896,46 @@ instance_groups: cni_config_dir: /var/vcap/jobs/silk-cni/config/cni cni_plugin_dir: /var/vcap/packages/silk-cni/bin release: cf-networking - - name: netmon + - consumes: + iptables: + from: iptables-runtime + name: netmon release: silk - - name: vxlan-policy-agent + - consumes: + cni_config: + from: cni_config_runtime + iptables: + from: iptables-runtime + name: vxlan-policy-agent properties: ca_cert: client_cert: client_key: + provides: + vpa: + as: vpa-runtime release: silk - - name: silk-daemon + - consumes: + iptables: + from: iptables-runtime + vpa: + from: vpa-runtime + name: silk-daemon properties: ca_cert: client_cert: client_key: release: silk - - name: silk-cni + - consumes: + vpa: + from: vpa-runtime + name: silk-cni properties: dns_servers: - 169.254.0.2 + provides: + cni_config: + as: cni_config_runtime release: silk - name: loggr-udp-forwarder properties: 
@@ -2138,10 +2173,131 @@ instance_groups: - name: cf-core stemcell: default vm_type: minimal +- azs: + - zoneA + - zoneB + - zoneC + - zoneD + instances: 1 + jobs: + - name: nfsbrokerpush + properties: + nfsbrokerpush: + app_domain: system.cf.testing.example + app_name: nfs-broker + cf: + client_id: nfs-broker-push-client + client_secret: + create_credhub_security_group: true + create_sql_security_group: false + credhub: + uaa_ca_cert: + uaa_client_id: nfs-broker-credhub-client + uaa_client_secret: + domain: system.cf.testing.example + ldap_enabled: true + organization: system + password: + skip_cert_verify: true + space: nfs-broker-space + store_id: nfsbroker + syslog_url: "" + username: nfs-broker + provides: + nfsbrokerpush: + as: ignore-me + release: nfs-volume + - name: cf-cli-7-linux + release: cf-cli + lifecycle: errand + name: nfs-broker-push + networks: + - name: cf-core + stemcell: default + vm_type: minimal - azs: - custom-az instances: 5 jobs: + - name: cfdot + properties: + tls: + ca_certificate: + certificate: + private_key: + release: diego + - name: garden-cni + properties: + cni_config_dir: /var/vcap/jobs/silk-cni/config/cni + cni_plugin_dir: /var/vcap/packages/silk-cni/bin + release: cf-networking + - consumes: + iptables: + from: iptables-custom-params-group + name: netmon + release: silk + - consumes: + cni_config: + from: cni_config-custom-params-group + iptables: + from: iptables-custom-params-group + name: vxlan-policy-agent + properties: + ca_cert: + client_cert: + client_key: + provides: + vpa: + as: vpa-custom-params-group + release: silk + - consumes: + iptables: + from: iptables-custom-params-group + vpa: + from: vpa-custom-params-group + name: silk-daemon + properties: + ca_cert: + client_cert: + client_key: + release: silk + - consumes: + vpa: + from: vpa-custom-params-group + name: silk-cni + properties: + dns_servers: + - 169.254.0.2 + provides: + cni_config: + as: cni_config-custom-params-group + release: silk + - name: 
loggr-udp-forwarder + properties: + loggregator: + tls: + ca: + cert: + key: + metrics: + ca_cert: + cert: + key: + server_name: loggr_udp_forwarder_metrics + release: loggregator-agent + - name: bosh-dns-adapter + properties: + dnshttps: + client: + tls: + ca: + certificate: + private_key: + server: + ca: + internal_domains: + - apps.internal. + release: cf-networking - name: cflinuxfs3-rootfs-setup properties: cflinuxfs3-rootfs: @@ -2160,11 +2316,15 @@ instance_groups: - 0.0.0.0/0 destroy_containers_on_start: true graph_cleanup_threshold_in_mb: 0 + network_plugin: /var/vcap/packages/runc-cni/bin/garden-external-networker + network_plugin_extra_args: + - --configFile=/var/vcap/jobs/garden-cni/config/adapter.json logging: format: timestamp: rfc3339 provides: - iptables: nil + iptables: + as: iptables-custom-params-group release: garden-runc - name: rep properties: @@ -2208,7 +2368,12 @@ instance_groups: cert: key: release: diego - - name: route_emitter + - consumes: + nats: + ip_addresses: false + nats-tls: + ip_addresses: false + name: route_emitter properties: bpm: enabled: true 
@@ -2273,6 +2438,85 @@ instance_groups: - z1 instances: 1 jobs: + - name: cfdot + properties: + tls: + ca_certificate: + certificate: + private_key: + release: diego + - name: garden-cni + properties: + cni_config_dir: /var/vcap/jobs/silk-cni/config/cni + cni_plugin_dir: /var/vcap/packages/silk-cni/bin + release: cf-networking + - consumes: + iptables: + from: iptables-default-params-group + name: netmon + release: silk + - consumes: + cni_config: + from: cni_config-default-params-group + iptables: + from: iptables-default-params-group + name: vxlan-policy-agent + properties: + ca_cert: + client_cert: + client_key: + provides: + vpa: + as: vpa-default-params-group + release: silk + - consumes: + iptables: + from: iptables-default-params-group + vpa: + from: vpa-default-params-group + name: silk-daemon + properties: + ca_cert: + client_cert: + client_key: + release: silk + - consumes: + vpa: + from: vpa-default-params-group + name: silk-cni + properties: + dns_servers: + - 169.254.0.2 + provides: + cni_config: + as: cni_config-default-params-group + release: silk + - name: loggr-udp-forwarder + properties: + loggregator: + tls: + ca: + cert: + key: + metrics: + ca_cert: + cert: + key: + server_name: loggr_udp_forwarder_metrics + release: loggregator-agent + - name: bosh-dns-adapter + properties: + dnshttps: + client: + tls: + ca: + certificate: + private_key: + server: + ca: + internal_domains: + - apps.internal. + release: cf-networking - name: cflinuxfs3-rootfs-setup properties: cflinuxfs3-rootfs: @@ -2291,11 +2535,15 @@ instance_groups: - 0.0.0.0/0 destroy_containers_on_start: true graph_cleanup_threshold_in_mb: 0 + network_plugin: /var/vcap/packages/runc-cni/bin/garden-external-networker + network_plugin_extra_args: + - --configFile=/var/vcap/jobs/garden-cni/config/adapter.json logging: format: timestamp: rfc3339 provides: - iptables: nil + iptables: + as: iptables-default-params-group release: garden-runc - name: rep properties: 
@@ -2340,7 +2588,12 @@ instance_groups: cert: key: release: diego - - name: route_emitter + - consumes: + nats: + ip_addresses: false + nats-tls: + ip_addresses: false + name: route_emitter properties: bpm: enabled: true @@ -2400,48 +2653,6 @@ instance_groups: vm_extensions: - 100GB_ephemeral_disk vm_type: xlarge -- azs: - - zoneA - - zoneB - - zoneC - - zoneD - instances: 1 - jobs: - - name: nfsbrokerpush - properties: - nfsbrokerpush: - app_domain: system.cf.testing.example - app_name: nfs-broker - cf: - client_id: nfs-broker-push-client - client_secret: - create_credhub_security_group: true - create_sql_security_group: false - credhub: - uaa_ca_cert: - uaa_client_id: nfs-broker-credhub-client - uaa_client_secret: - domain: system.cf.testing.example - ldap_enabled: true - organization: system - password: - skip_cert_verify: true - space: nfs-broker-space - store_id: nfsbroker - syslog_url: "" - username: nfs-broker - provides: - nfsbrokerpush: - as: ignore-me - release: nfs-volume - - name: cf-cli-7-linux - release: cf-cli - lifecycle: errand - name: nfs-broker-push - networks: - - name: cf-core - stemcell: default - vm_type: minimal manifest_version: v16.25.0 name: isolation-segments-extended-cf releases: diff --git a/spec/results/isolation-segments.yml b/spec/results/isolation-segments.yml index 3893933b..6e8bef1f 100644 --- a/spec/results/isolation-segments.yml +++ b/spec/results/isolation-segments.yml @@ -183,6 +183,16 @@ addons: instance_group: custom-params-group network: cf-runtime query: _ + - deployment: isolation-segments-cf + domain: bosh + instance_group: custom-params-group + network: default + query: _ + - deployment: isolation-segments-cf + domain: bosh + instance_group: default-params-group + network: default + query: _ - deployment: isolation-segments-cf domain: bosh instance_group: default-params-group 
@@ -1760,6 +1770,9 @@ instance_groups: logging: format: timestamp: rfc3339 + provides: + iptables: + as: iptables-runtime release: garden-runc - name: rep properties: @@ -1850,24 +1863,46 @@ instance_groups: cni_config_dir: /var/vcap/jobs/silk-cni/config/cni cni_plugin_dir: /var/vcap/packages/silk-cni/bin release: cf-networking - - name: netmon + - consumes: + iptables: + from: iptables-runtime + name: netmon release: silk - - name: vxlan-policy-agent + - consumes: + cni_config: + from: cni_config_runtime + iptables: + from: iptables-runtime + name: vxlan-policy-agent properties: ca_cert: client_cert: client_key: + provides: + vpa: + as: vpa-runtime release: silk - - name: silk-daemon + - consumes: + iptables: + from: iptables-runtime + vpa: + from: vpa-runtime + name: silk-daemon properties: ca_cert: client_cert: client_key: release: silk - - name: silk-cni + - consumes: + vpa: + from: vpa-runtime + name: silk-cni properties: dns_servers: - 169.254.0.2 + provides: + cni_config: + as: cni_config_runtime release: silk - name: loggr-udp-forwarder properties: 
@@ -2075,6 +2110,85 @@ instance_groups: - custom-az instances: 5 jobs: + - name: cfdot + properties: + tls: + ca_certificate: + certificate: + private_key: + release: diego + - name: garden-cni + properties: + cni_config_dir: /var/vcap/jobs/silk-cni/config/cni + cni_plugin_dir: /var/vcap/packages/silk-cni/bin + release: cf-networking + - consumes: + iptables: + from: iptables-custom-params-group + name: netmon + release: silk + - consumes: + cni_config: + from: cni_config-custom-params-group + iptables: + from: iptables-custom-params-group + name: vxlan-policy-agent + properties: + ca_cert: + client_cert: + client_key: + provides: + vpa: + as: vpa-custom-params-group + release: silk + - consumes: + iptables: + from: iptables-custom-params-group + vpa: + from: vpa-custom-params-group + name: silk-daemon + properties: + ca_cert: + client_cert: + client_key: + release: silk + - consumes: + vpa: + from: vpa-custom-params-group + name: silk-cni + properties: + dns_servers: + - 169.254.0.2 + provides: + cni_config: + as: cni_config-custom-params-group + release: silk + - name: loggr-udp-forwarder + properties: + loggregator: + tls: + ca: + cert: + key: + metrics: + ca_cert: + cert: + key: + server_name: loggr_udp_forwarder_metrics + release: loggregator-agent + - name: bosh-dns-adapter + properties: + dnshttps: + client: + tls: + ca: + certificate: + private_key: + server: + ca: + internal_domains: + - apps.internal. + release: cf-networking - name: cflinuxfs3-rootfs-setup properties: cflinuxfs3-rootfs: @@ -2093,11 +2207,15 @@ instance_groups: - 0.0.0.0/0 destroy_containers_on_start: true graph_cleanup_threshold_in_mb: 0 + network_plugin: /var/vcap/packages/runc-cni/bin/garden-external-networker + network_plugin_extra_args: + - --configFile=/var/vcap/jobs/garden-cni/config/adapter.json logging: format: timestamp: rfc3339 provides: - iptables: nil + iptables: + as: iptables-custom-params-group release: garden-runc - name: rep properties: 
@@ -2141,7 +2259,12 @@ instance_groups: cert: key: release: diego - - name: route_emitter + - consumes: + nats: + ip_addresses: false + nats-tls: + ip_addresses: false + name: route_emitter properties: bpm: enabled: true @@ -2185,6 +2308,85 @@ instance_groups: - z1 instances: 1 jobs: + - name: cfdot + properties: + tls: + ca_certificate: + certificate: + private_key: + release: diego + - name: garden-cni + properties: + cni_config_dir: /var/vcap/jobs/silk-cni/config/cni + cni_plugin_dir: /var/vcap/packages/silk-cni/bin + release: cf-networking + - consumes: + iptables: + from: iptables-default-params-group + name: netmon + release: silk + - consumes: + cni_config: + from: cni_config-default-params-group + iptables: + from: iptables-default-params-group + name: vxlan-policy-agent + properties: + ca_cert: + client_cert: + client_key: + provides: + vpa: + as: vpa-default-params-group + release: silk + - consumes: + iptables: + from: iptables-default-params-group + vpa: + from: vpa-default-params-group + name: silk-daemon + properties: + ca_cert: + client_cert: + client_key: + release: silk + - consumes: + vpa: + from: vpa-default-params-group + name: silk-cni + properties: + dns_servers: + - 169.254.0.2 + provides: + cni_config: + as: cni_config-default-params-group + release: silk + - name: loggr-udp-forwarder + properties: + loggregator: + tls: + ca: + cert: + key: + metrics: + ca_cert: + cert: + key: + server_name: loggr_udp_forwarder_metrics + release: loggregator-agent + - name: bosh-dns-adapter + properties: + dnshttps: + client: + tls: + ca: + certificate: + private_key: + server: + ca: + internal_domains: + - apps.internal. + release: cf-networking - name: cflinuxfs3-rootfs-setup properties: cflinuxfs3-rootfs: 
@@ -2207,11 +2409,15 @@ instance_groups: - 0.0.0.0/0 destroy_containers_on_start: true graph_cleanup_threshold_in_mb: 0 + network_plugin: /var/vcap/packages/runc-cni/bin/garden-external-networker + network_plugin_extra_args: + - --configFile=/var/vcap/jobs/garden-cni/config/adapter.json logging: format: timestamp: rfc3339 provides: - iptables: nil + iptables: + as: iptables-default-params-group release: garden-runc - name: rep properties: @@ -2259,7 +2465,12 @@ instance_groups: cert: key: release: diego - - name: route_emitter + - consumes: + nats: + ip_addresses: false + nats-tls: + ip_addresses: false + name: route_emitter properties: bpm: enabled: true