diff --git a/MANUAL.md b/MANUAL.md
index 15f2f6c6..3d01f0c6 100644
--- a/MANUAL.md
+++ b/MANUAL.md
@@ -56,6 +56,7 @@ General:
- `compiled-releases` - Use pre-compiled releases to speed up initial deploy time (alias of upstream `cf-deployment/operations/use-compiled-releases`).
- `small-footprint` - Use the minimal number of vms and only 1 az to deploy cf.
- `nfs-volume-services` - Alias of `cf-deployment/operations/enable-nfs-volume-service`
+ - `nfs-ldap` - Use LDAP to access nfs volume services (Alias `cf-deployment/operations/enable-nfs-ldap`, required `nfs-volume-servies` feature)
- `enable-service-discovery` - Enables bosh-dns support on diego cells.
- `app-autoscaler-integration` - Add a uaa client for the app autoscaler (must be deployed via [cf-app-autoscaler-genesis-kit](https://github.com/genesis-community/cf-app-autoscaler-genesis-kit)).
- `prometheus-integration` - Configure cf to export to prometheus (must deployed via [prometheus-genesis-kit](https://github.com/genesis-community/prometheus-genesis-kit)).
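Review bot: `nfs-volume-servies` in the new `nfs-ldap` entry is a typo for `nfs-volume-services`, and the alias spelling needs to be reconciled with `hooks/blueprint`: this line documents `cf-deployment/operations/enable-nfs-ldap`, but the blueprint case arm added in this PR matches `cf-deployments/operations/enable-nfs-ldap` (plural `cf-deployments`), so the documented alias would never be recognized. The line above also documents the NFS alias as `enable-nfs-volume-service` (singular) while `hooks/features` maps `enable-nfs-volume-services`; pick one spelling for all three places.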
@@ -65,7 +66,7 @@ General:
- `ssh-proxy-on-routers` - moves the ssh-proxy from scheduler instance group to the router instance group, placing it on the edge network, and enabling scaling via scaling the routers.
- `no-tcp-routers` - removes the tcp-router instance group and associated resource allocations for systems that don't need tcp routes.
- `windows-diego-cells` - Adds Windows Diego cell functionality.
- - `isolation-segments` - enables usage of [isolation segments](https://docs.cloudfoundry.org/adminguide/routing-is.html#overview) using minimal configuration.
+ - `isolation-segments` - enables usage of [isolation segments](https://docs.cloudfoundry.org/adminguide/routing-is.html#overview) using minimal configuration. Supports nfs-volume-services, nfs-ldap and smb-volume-services features.
Database related - choose one:
- `postgres-db` - Use an external postgres instance to host persistent data.
@@ -114,6 +115,7 @@ kit:
## Feature Params
The following params are always included:
+
| param | description | default |
| --- | --- | --- |
| `cf_core_network` | What network should be used for cf core-components? | `cf-core` |
@@ -126,7 +128,9 @@ The following params are always included:
| `identity_description` | Identity description | `"Use 'genesis info' on environment file for more details"` |
These params need to be set when activating features:
+
- **aws-blobstore/aws-blobstore-iam**:
+
| param | description | default |
| --- | --- | --- |
| `blobstore_s3_region` | The s3 region of the blobstore | |
@@ -138,6 +142,7 @@ These params need to be set when activating features:
| `blobstore_resources_directory` | Directory for the app packages | `blobstore_bucket_prefix` + `"-resources-"` + `blobstore_bucket_suffix` |
- **minio-blobstore**:
+
| param | description | default |
| --- | --- | --- |
| `blobstore_minio_endpoint` | The URL (including protocol and option port) of the Minio endpoint of the blobstore | |
@@ -149,6 +154,7 @@ These params need to be set when activating features:
| `blobstore_resources_directory` | Directory for the app packages | `blobstore_bucket_prefix` + `"-resources-"` + `blobstore_bucket_suffix` |
- **azure-blobstore**:
+
| param | description | default |
| --- | --- | --- |
| `azure_environment` | What is environment where this blobstore exists? | `AzureCloud` |
@@ -160,11 +166,13 @@ These params need to be set when activating features:
| `blobstore_resources_directory` | Directory for the app packages | `blobstore_bucket_prefix` + `"-resources-"` + `blobstore_bucket_suffix` |
- **bare**:
+
| param | description | default |
| --- | --- | --- |
| `network` | What network should Cloud Foundry be deployed to? | `default` |
- **external-mysql**:
+
| param | description | default |
| --- | --- | --- |
| `external_db_host` | The default host for your mysql db | |
@@ -211,6 +219,7 @@ These params need to be set when activating features:
| `credhubdb_password` | The Credhub database password | `external_db_password` |
- **external-postgres**:
+
| param | description | default |
| --- | --- | --- |
| `external_db_host` | The external host for your postgres db | |
@@ -257,6 +266,7 @@ These params need to be set when activating features:
| `credhubdb_password` | The Credhub database password | `external_db_password` |
- **haproxy**:
+
| param | description | default |
| --- | --- | --- |
| `internal_only_domains` | Internal only domains | `[]` |
@@ -268,17 +278,20 @@ These params need to be set when activating features:
| `availability_zones` | What azs should haproxy be deployed to? | `[z1, z2, z3]` |
- **haproxy** + **small-footprint**:
+
| param | description | default |
| --- | --- | --- |
| `haproxy_instances` | How many haproxy instances? | 1 |
- **haproxy** + **tls**:
+
| param | description | default |
| --- | --- | --- |
| `disable_tls_10` | Disable tls 10? | `true` |
| `disable_tls_11` | Disable tls 11? | `true` |
- **override-db-names**:
+
| param | description | default |
| --- | --- | --- |
| `uaadb_name` | Name of the UAA database | `uuadb` |
@@ -299,21 +312,41 @@ These params need to be set when activating features:
| `credhubdb_user` | Name of the Credhub database user | `credhubadmin` |
- **windows-diego-cells**:
+
| param | description | default |
| --- | --- | ---- |
| `windows_diego_cell_vm_type` | Windows Diego cell VM Type | `small-highmem` |
| `windows_diego_cell_instances`| Windows Diego Cell Instance Count | `1` |
- **isolation-segments**:
- | param | description | default |
- | --- | --- | --- |
- | `name` | (required) Name of the isolation segment and placement tag for cloud foundry | |
- | `azs`| (required) Avaliability zones network configuration | |
- | `instances`| Amount of VM instances to be created | `1` |
- | `vm_type`| VM Type to be applied | `minimal` |
- | `vm_extensions`| Extensions to be added to the created VM's | `[]` |
- | `network_name`| Name of the network that VM's will be created with | `default` |
- | `stemcell`| Name of the stemcell to be used | `default` |
+
+ | param | description | default |
+ | --------------- | ----------------------------------------------------------------- | ------- |
+ | `name` | (required) Name of the isolation segment for cloud foundry | |
+ | `azs` | Avaliability zones network configuration | `[ z1, z2]` [1] |
+ | `instances` | Amount of VM instances to be created | `1` |
+ | `vm_type` | VM Type to be applied | `small-highmem` [2] |
+ | `vm_extensions` | Extensions to be added to the created VM's | `[ 100GB_ephemeral_disk ]` |
+ | `network_name` | Name of the network that VM's will be created with | `default` [3] |
+ | `stemcell` | Name of the stemcell to be used | `default` |
+ | `tag` | Name of the rep placement tag | same as `name` param |
+ | `tags` | List of rep placement tags (optional: overrides `tag` and `name`) | |
+ | `additional_trusted_certs` | List of additional trusted certs (optional) | |
+
+ `[1]` The default azs are [z1,z2] unless migrating from cf kit v1.x, in
+ which case the default azs are [z1,z2,z3], or if the scale-to-single-az
+ feature is in use, in which case the default azs are [z1]. Setting
+ `params.availability_zones` will override the default availability zones
+ deployment-wide.
+
+ `[2]` The default vm_type for all diego-cell based instance groups can be
+ done by specifying `param.diego_cell_vm_type`
+
+ `[3]` The network name defaults to the `params.cf_runtime_network` when
+ using not using the base feature or if explicitly using the
+ partitioned-network feature. If that parameter is not specified, it
+ defaults to `cf-runtime`.
+
# Retired Parameters (from v1.x)
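Review bot: several inconsistencies in the rewritten `isolation-segments` table and its footnotes. Footnote `[3]` reads "when using not using the base feature"; the blueprint checks `want_feature "bare"`, so this should be "when not using the `bare` feature (or when `partitioned-network` is set)", and the `network_name` default column should then say `cf_runtime_network` [3] rather than `default`, since the footnote says that is the effective default. Footnote `[2]` names `param.diego_cell_vm_type`; the template reads `params.diego_cell_vm_type` (and `params.diego-cell_vm_type`). Footnote `[1]` refers to a `scale-to-single-az` feature that does not appear in the feature list above (the single-AZ feature listed is `small-footprint`). `Avaliability` is a typo and `[ z1, z2]` has uneven spacing. For `additional_trusted_certs`, say what the values are used for: the new template appends them to both the rootfs `trusted_certs` and rep `containers.trusted_ca_certificates`, so each entry becomes a CA trust anchor for every application container in the segment, and the value must be the PEM certificate (e.g. `((my-ca.certificate))`), not a whole credhub variable.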
@@ -857,6 +890,34 @@ NFS volumes provided by the NFS Volume Services Broker.
There are currently no parameters defined for this feature.
+## NFS LDAP
+
+The `nfs-ldap` feature extends the `nfs-volume-services` feature by
+providing LDAP integration. It supports the folowing parameters:
+
+ - `nfs-ldap-service-user`:
+ - ldap service account user name
+ - required
+
+ - `nfs-ldap-host`:
+ - ldap server host name or ip address
+ - required
+
+ - `nfs-ldap-fqdn`:
+ - ldap fqdn for user records we will search against when looking up user uids
+ - required
+ - example: `cn=Users,dc=corp,dc=test,dc=com`
+
+ - `nfs-ldap-port`:
+ - ldap server port
+ - defaults to `389`
+
+ - `nfs-ldap-proto`:
+ - ldap server protocol
+ - defaults to `tcp`
+
+You also must set credhub secret `ldap-service-password` to password for the
+specified service user.
## SMB Volume Services
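Review bot: the credhub secret name is wrong here: the text says `ldap-service-password`, but `isolation-segment-nfs-ldap.yml` consumes `((nfs-ldap-service-password))` and the spec fixture sets `nfs-ldap-service-password`. The same template also references `((nfs-ldap-ca-cert.ca))`, which this section does not mention at all; list `nfs-ldap-ca-cert` as a required credhub CA alongside the password. Since a CA is required, also state which `nfs-ldap-proto`/`nfs-ldap-port` values put the bind under TLS; with the documented defaults of `tcp` and `389` a reader will assume the service-account password is sent in the clear. Minor: `folowing` is a typo for `following`.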
diff --git a/hooks/blueprint b/hooks/blueprint
index 268d8063..98ced8a7 100755
--- a/hooks/blueprint
+++ b/hooks/blueprint
@@ -43,17 +43,34 @@ switch_cf_version() {
}
generate_dynamic_isolation_segments() {
- isolation_groups="$(
- echo "$1" | \
- jq -r '.isolation_segments[] | .name'
- )"
+ isolation_groups="$(echo "$1" | jq -r '.isolation_segments[] | .name')"
+
+ iso_seg_merges=();
+ if ! want_feature "bare" || want_feature "partitioned-network" ; then
+ iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-network.yml )
+ fi
+ if want_feature "nfs-volume-services" ; then
+ iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs.yml )
+ if want_feature "nfs-ldap" ; then
+ iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs-ldap.yml )
+ fi
+ fi
+ if want_feature "smb-volume-services" ; then
+ iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs.yml )
+ fi
for group in $isolation_groups; do
- segment_tmp_file="operations/dynamic/isolation_segments_$group.yml"
- sed "s/params.isolation_segments.iso_group/params.isolation_segments.$group/g" \
- < "operations/dynamic-templates/isolation-segment.yml" \
- > "$segment_tmp_file"
- echo "$segment_tmp_file"
+ additional_trusted_certs=''
+ if jq -e --arg v "$group" '.isolation_segments[] | select( .name == $v ) | .additional_trusted_certs//[] | length > 0' <<<"$1" &>/dev/null ; then
+ additional_trusted_certs='overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml'
+ fi
+ dynamic_segment_fragment_file="overlay/dynamic/isolation_segments_$group.yml"
+ spruce merge --prune "meta" "overlay/dynamic-templates/isolation-segment.yml" \
+ ${iso_seg_merges[@]+"${iso_seg_merges[@]}"} $additional_trusted_certs \
+ <(echo "$1" | jq --arg v "$group" '.isolation_segments[] | select(.name == $v ) | {"meta": .}') \
+ <(echo '{"instance_groups": [ "((prepend))", "((defer append))" ]}') \
+ > "$dynamic_segment_fragment_file"
+ echo "$dynamic_segment_fragment_file"
done
}
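Review bot: the `smb-volume-services` branch appends `overlay/dynamic-templates/isolation-segment-nfs.yml` instead of the new `overlay/dynamic-templates/isolation-segment-smb.yml`, so SMB-only isolation segments would get the `nfsv3driver`/`mapfs` jobs and the smb template added in this PR is never merged. Separately, `$additional_trusted_certs` is expanded unquoted on the `spruce merge` line while the other fragments use the guarded array idiom; appending it to `iso_seg_merges` inside the loop (or a per-group array) would keep the quoting consistent.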
@@ -236,10 +253,20 @@ for want in $GENESIS_REQUESTED_FEATURES; do
# dealt with above, but kept for interoperability checks with other features
features+=( "small-footprint" );
;;
+ nfs-volume-services|cf-deployments/operations/enable-nfs-volume-services) features+=( "nfs-volume-services" ) ;;
+ smb-volume-services|cf-deployments/operations/enable-smb-volume-services) features+=( "smb-volume-services" ) ;;
+ nfs-ldap|cf-deployments/operations/enable-nfs-ldap)
+ if ! want_feature 'nfs-volume-services' && ! want_feature "cf-deployments/operations/enable-nfs-volume-services" ; then
+ abort=1
+ describe >&2 \
+ "#R[ERROR]} Feature #c{$want} cannot be specified without feature #c{nfs-volume-services}"
+ fi
+ features+=( "nfs-ldap" )
+ ;;
local-postgres-db|local-mysql-db|mysql-db|postgres-db) db_specified=1; features+=( "$want" ) ;;
bare|partitioned-network|haproxy|tls|no-nats-tls|self-signed|isolation-segments) features+=( "$want" ) ;;
minio-blobstore|aws-blobstore|aws-blobstore-iam|azure-blobstore|gcp-blobstore|gcp-use-access-key) features+=( "$want" ) ;;
- nfs-volume-services|enable-service-discovery|ssh-proxy-on-routers|no-tcp-routers|smb-volume-services) features+=( "$want" ) ;;
+ enable-service-discovery|ssh-proxy-on-routers|no-tcp-routers) features+=( "$want" ) ;;
app-scheduler-integration|app-autoscaler-integration|prometheus-integration|v2-nats-credentials) features+=( "$want" ) ;;
windows-diego-cells) features+=( "$want" ) ;;
+migrated-v1-env|+override-db-names) features+=( "$want" ) ;;
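Review bot: the three new alias arms use `cf-deployments/operations/...` (plural), but the real upstream path used elsewhere in this PR is `cf-deployment/operations/...` (the manifest entry `cf-deployment/operations/enable-nfs-ldap.yml` and the `hooks/features` mapping), so none of these aliases will ever match and the `want_feature "cf-deployments/operations/enable-nfs-volume-services"` check in the `nfs-ldap` guard is dead. Also, the `describe` string `#R[ERROR]}` is missing its opening brace; compare `#c{$want}` on the same line, it should be `#R{[ERROR]}`.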
@@ -417,6 +444,12 @@ for want in $GENESIS_REQUESTED_FEATURES; do
"overlay/addons/nfs-volume-service.yml" \
)
fi
+ if want_feature "nfs-ldap" ; then
+ manifest+=( \
+ "cf-deployment/operations/enable-nfs-ldap.yml" \
+ "overlay/addons/nfs-ldap.yml" \
+ )
+ fi
;;
smb-volume-services)
manifest+=( \
diff --git a/hooks/features b/hooks/features
index ffd25bef..d763f0cc 100755
--- a/hooks/features
+++ b/hooks/features
@@ -1,5 +1,12 @@
#!/bin/bash
-echo "$GENESIS_REQUESTED_FEATURES"
+for f in $GENESIS_REQUESTED_FEATURES ; do
+ case $f in
+ cf-deployment/operations/enable-nfs-volume-services) echo 'nfs-volume-services' ;;
+ cf-deployment/operations/enable-nfs-lambda) echo 'nfs-lambda' ;;
+ cf-deployment/operations/enable-smb-volume-services) echo 'smb-volume-services' ;;
+ *) echo "$f" ;;
+ esac
+done
db_overrides="$(lookup params 2>/dev/null | jq -r '. | keys| .[] | select(. | test("^(cc|uaa|diego|policyserver|silk|locket|routingapi|credhub)db_(name|user)$"))')"
[[ -z "$db_overrides" ]] || echo "+override-db-names"
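Review bot: `cf-deployment/operations/enable-nfs-lambda) echo 'nfs-lambda'` is a typo for `enable-nfs-ldap` / `nfs-ldap`; as written the LDAP alias falls through to the `*)` arm and is echoed unchanged, so anything keying on the short feature name misses it. Also note this arm maps `enable-nfs-volume-services` while `MANUAL.md` documents the alias as `enable-nfs-volume-service`; align the two.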
diff --git a/overlay/addons/nfs-ldap.yml b/overlay/addons/nfs-ldap.yml
new file mode 100644
index 00000000..498bb9ca
--- /dev/null
+++ b/overlay/addons/nfs-ldap.yml
@@ -0,0 +1,15 @@
+---
+bosh-variables:
+ nfs-ldap-service-user: (( grab params.nfs-ldap-service-user ))
+ nfs-ldap-host: (( grab params.nfs-ldap-host ))
+ nfs-ldap-port: (( grab params.nfs-ldap-port ))
+ nfs-ldap-proto: (( grab params.nfs-ldap-proto ))
+ nfs-ldap-fqdn: (( grab params.nfs-ldap-fqdn ))
+
+params:
+ nfs-ldap-service-user: (( param "Provide value for NFS LDAP service user" ))
+ nfs-ldap-host: (( param "Provide value for NFS LDAP host" ))
+ nfs-ldap-port: 389
+ nfs-ldap-proto: tcp
+ nfs-ldap-fqdn: (( param "Provide value for NFS LDAP fqdn" ))
+
diff --git a/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml b/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml
new file mode 100644
index 00000000..cd0dd684
--- /dev/null
+++ b/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml
@@ -0,0 +1,18 @@
+meta:
+ __base_trusted_certs:
+ - ((diego_instance_identity_ca.ca))
+ - ((credhub_tls.ca))
+ - ((uaa_ssl.ca))
+ additional_trusted_certs: []
+
+instance_groups:
+- name: (( grab meta.name ))
+ jobs:
+ - name: cflinuxfs3-rootfs-setup
+ properties:
+ cflinuxfs3-rootfs:
+ trusted_certs: (( grab meta.__base_trusted_certs meta.additional_trusted_certs ))
+ - name: rep
+ properties:
+ containers:
+ trusted_ca_certificates: (( grab meta.__base_trusted_certs meta.additional_trusted_certs ))
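Review bot: this fragment writes the merged list into both `cflinuxfs3-rootfs-setup` `trusted_certs` and rep `containers.trusted_ca_certificates`, so every entry in `additional_trusted_certs` becomes a CA trust anchor for all containers in the segment; that scope should be spelled out in the manual and the value documented as PEM certificate text only. The `isolation-segments.yml` spec in this PR passes `((some-strange-cert))`, a whole credhub variable that the fixture shows carrying a `private_key`; referencing `.certificate` avoids pushing key material into the rendered rep and rootfs properties.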
diff --git a/overlay/dynamic-templates/isolation-segment-network.yml b/overlay/dynamic-templates/isolation-segment-network.yml
new file mode 100644
index 00000000..6d74b258
--- /dev/null
+++ b/overlay/dynamic-templates/isolation-segment-network.yml
@@ -0,0 +1,23 @@
+instance_groups:
+- (( merge on name ))
+- name: (( grab meta.name ))
+ networks:
+ - (( replace ))
+ - name: (( grab meta.network_name || "(( grab params.cf_runtime_network ))" ))
+
+addons:
+- jobs:
+ - name: bosh-dns-aliases
+ properties:
+ aliases:
+ - domain: _.cell.service.cf.internal
+ targets:
+ - (( replace ))
+ - (( defer append ))
+ - deployment: ((deployment_name))
+ domain: bosh
+ instance_group: (( grab meta.name ))
+ network: (( grab meta.network_name || "(( grab params.cf_runtime_network ))" ))
+ query: _
+
+
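Review bot: the `"(( grab params.cf_runtime_network ))"` fallback is a string that only works because spruce re-evaluates it on a later pass; it appears twice here (the `networks` entry and the bosh-dns alias target), so compute it once (e.g. a `meta.__network` key) and add a comment explaining the nested-operator trick. The `(( replace ))` followed by `(( defer append ))` on the alias `targets` is also subtle: it discards the target the base `isolation-segment.yml` adds (which uses the `default` network) and substitutes this one, which is intended but deserves a comment. Minor: two trailing blank lines at end of file.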
diff --git a/overlay/dynamic-templates/isolation-segment-nfs-ldap.yml b/overlay/dynamic-templates/isolation-segment-nfs-ldap.yml
new file mode 100644
index 00000000..4aee9bb6
--- /dev/null
+++ b/overlay/dynamic-templates/isolation-segment-nfs-ldap.yml
@@ -0,0 +1,14 @@
+instance_groups:
+- name: (( grab meta.name ))
+ jobs:
+ - name: nfsv3driver
+ properties:
+ nfsv3driver:
+ ldap_svc_user: ((nfs-ldap-service-user))
+ ldap_svc_password: ((nfs-ldap-service-password))
+ ldap_host: ((nfs-ldap-host))
+ ldap_port: ((nfs-ldap-port))
+ ldap_proto: ((nfs-ldap-proto))
+ ldap_user_fqdn: ((nfs-ldap-fqdn))
+ allowed-in-source: ""
+ ldap_ca_cert: ((nfs-ldap-ca-cert.ca))
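Review bot: `allowed-in-source` uses a hyphen while every other key under `nfsv3driver` here uses underscores; confirm the exact property name against the nfsv3driver job spec, since a misspelled property is silently ignored. `ldap_ca_cert: ((nfs-ldap-ca-cert.ca))` and `ldap_svc_password: ((nfs-ldap-service-password))` introduce two credhub secrets that the NFS LDAP section of `MANUAL.md` does not document (it names `ldap-service-password` instead).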
diff --git a/overlay/dynamic-templates/isolation-segment-nfs.yml b/overlay/dynamic-templates/isolation-segment-nfs.yml
new file mode 100644
index 00000000..4f5e1bc3
--- /dev/null
+++ b/overlay/dynamic-templates/isolation-segment-nfs.yml
@@ -0,0 +1,18 @@
+instance_groups:
+- name: (( grab meta.name ))
+ jobs:
+ - name: nfsv3driver
+ properties:
+ nfsv3driver:
+ tls:
+ ca_cert: ((nfsv3driver_cert.ca))
+ client_cert: ((nfsv3driver_client_cert.certificate))
+ client_key: ((nfsv3driver_client_cert.private_key))
+ server_cert: ((nfsv3driver_cert.certificate))
+ server_key: ((nfsv3driver_cert.private_key))
+ release: nfs-volume
+
+ - name: mapfs
+ provides:
+ mapfs: nil
+ release: mapfs
diff --git a/overlay/dynamic-templates/isolation-segment-smb.yml b/overlay/dynamic-templates/isolation-segment-smb.yml
new file mode 100644
index 00000000..ed0cccfc
--- /dev/null
+++ b/overlay/dynamic-templates/isolation-segment-smb.yml
@@ -0,0 +1,12 @@
+instance_groups:
+- name: (( grab meta.name ))
+ jobs:
+ - name: smbdriver
+ properties:
+ tls:
+ ca_cert: ((smbdriver_cert.ca))
+ client_cert: ((smbdriver_client_cert.certificate))
+ client_key: ((smbdriver_client_cert.private_key))
+ server_cert: ((smbdriver_cert.certificate))
+ server_key: ((smbdriver_cert.private_key))
+ release: smb-volume
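Review bot: this file is never selected: the `smb-volume-services` branch in `hooks/blueprint` appends `isolation-segment-nfs.yml`, not this one. Also, `tls:` sits directly under `properties:` here, whereas the nfs counterpart nests it under the job name (`nfsv3driver: tls:`); check the smbdriver job spec to confirm which layout is correct.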
diff --git a/operations/dynamic-templates/isolation-segment.yml b/overlay/dynamic-templates/isolation-segment.yml
similarity index 79%
rename from operations/dynamic-templates/isolation-segment.yml
rename to overlay/dynamic-templates/isolation-segment.yml
index 54d8b2b2..b294c991 100644
--- a/operations/dynamic-templates/isolation-segment.yml
+++ b/overlay/dynamic-templates/isolation-segment.yml
@@ -1,13 +1,18 @@
+meta:
+ __default_tags:
+ - (( grab meta.tag || meta.name ))
+ __default_vm_extentions:
+ - 100GB_ephemeral_disk
+
instance_groups:
-- ((append))
-- name: (( grab params.isolation_segments.iso_group.name ))
- azs: (( grab params.isolation_segments.iso_group.azs || "[]" ))
- instances: (( grab params.isolation_segments.iso_group.instances || 1 ))
- vm_type: (( grab params.isolation_segments.iso_group.vm_type || "minimal" ))
- vm_extensions: (( grab params.isolation_segments.iso_group.vm_extensions || "[]" ))
- stemcell: (( grab params.isolation_segments.iso_group.stemcell || "default" ))
+- name: (( grab meta.name ))
+ azs: (( grab meta.azs || "(( grab meta.azs ))" ))
+ instances: (( grab meta.instances || 1 ))
+ vm_type: (( grab meta.vm_type || "(( grab params.diego-cell_vm_type || params.diego_cell_vm_type || \"small-highmem\" ))" ))
+ vm_extensions: (( grab meta.vm_extensions || meta.__default_vm_extentions ))
+ stemcell: (( grab meta.stemcell || "default" ))
networks:
- - name: (( grab params.isolation_segments.iso_group.network_name || "default" ))
+ - name: (( grab meta.network_name || "default" ))
jobs:
- name: cflinuxfs3-rootfs-setup
release: cflinuxfs3
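Review bot: `azs: (( grab meta.azs || "(( grab meta.azs ))" ))` falls back to itself, so an isolation segment without `azs` cannot resolve; the manual footnote says the default is `[z1,z2]` or `params.availability_zones`, so the fallback should be `"(( grab params.availability_zones ))"` (mirroring how `vm_type` falls back to `params.diego_cell_vm_type`). Minor: `__default_vm_extentions` is misspelled (`extensions`).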
@@ -45,8 +50,7 @@ instance_groups:
rep:
preloaded_rootfses:
- cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar
- placement_tags:
- - (( grab params.isolation_segments.iso_group.name ))
+ placement_tags: (( grab meta.tags || meta.__default_tags ))
containers:
proxy:
enabled: true
@@ -114,11 +118,11 @@ addons:
aliases:
- domain: _.cell.service.cf.internal
targets:
- - (( append ))
+ - (( defer append ))
- deployment: ((deployment_name))
domain: bosh
- instance_group: (( grab params.isolation_segments.iso_group.name ))
- network: (( grab params.isolation_segments.iso_group.network_name || "default" ))
+ instance_group: (( grab meta.name ))
+ network: (( grab meta.network_name || "default" ))
query: _
release: bosh-dns-aliases
name: bosh-dns-aliases
diff --git a/overlay/dynamic/.keep b/overlay/dynamic/.keep
new file mode 100644
index 00000000..a82d1b41
--- /dev/null
+++ b/overlay/dynamic/.keep
@@ -0,0 +1 @@
+#placeholder
diff --git a/spec/credhub/isolation-segments-extended.yml b/spec/credhub/isolation-segments-extended.yml
new file mode 100644
index 00000000..ca6c9717
--- /dev/null
+++ b/spec/credhub/isolation-segments-extended.yml
@@ -0,0 +1,387 @@
+application_ca:
+ ca:
+ certificate:
+ private_key:
+binding_cache_api_tls:
+ ca:
+ certificate:
+ private_key:
+binding_cache_tls:
+ ca:
+ certificate:
+ private_key:
+blobstore_admin_users_password:
+blobstore_secure_link_secret:
+blobstore_tls:
+ ca:
+ certificate:
+ private_key:
+cc_bridge_cc_uploader:
+ ca:
+ certificate:
+ private_key:
+cc_bridge_cc_uploader_server:
+ ca:
+ certificate:
+ private_key:
+cc_bridge_tps:
+ ca:
+ certificate:
+ private_key:
+cc_bulk_api_password:
+cc_database_password:
+cc_db_encryption_key:
+cc_internal_api_password:
+cc_logcache_tls:
+ ca:
+ certificate:
+ private_key:
+cc_public_tls:
+ ca:
+ certificate:
+ private_key:
+cc_staging_upload_password:
+cc_tls:
+ ca:
+ certificate:
+ private_key:
+cf_admin_password:
+cf_app_sd_ca:
+ ca:
+ certificate:
+ private_key:
+cf_app_sd_client_tls:
+ ca:
+ certificate:
+ private_key:
+cf_app_sd_server_tls:
+ ca:
+ certificate:
+ private_key:
+cf_mysql_mysql_admin_password:
+cf_mysql_mysql_cluster_health_password:
+cf_mysql_mysql_galera_healthcheck_endpoint_password:
+cf_mysql_mysql_galera_healthcheck_password:
+cf_mysql_proxy_api_password:
+credhub_admin_client_secret:
+credhub_ca:
+ ca:
+ certificate:
+ private_key:
+credhub_database_password:
+credhub_encryption_password:
+credhub_tls:
+ ca:
+ certificate:
+ private_key:
+diego_auctioneer_client:
+ ca:
+ certificate:
+ private_key:
+diego_auctioneer_server:
+ ca:
+ certificate:
+ private_key:
+diego_bbs_client:
+ ca:
+ certificate:
+ private_key:
+diego_bbs_encryption_keys_passphrase:
+diego_bbs_server:
+ ca:
+ certificate:
+ private_key:
+diego_database_password:
+diego_instance_identity_ca:
+ ca:
+ certificate:
+ private_key:
+diego_locket_client:
+ ca:
+ certificate:
+ private_key:
+diego_locket_server:
+ ca:
+ certificate:
+ private_key:
+diego_rep_agent_v2:
+ ca:
+ certificate:
+ private_key:
+diego_rep_client:
+ ca:
+ certificate:
+ private_key:
+diego_ssh_proxy_host_key:
+ private_key:
+ public_key:
+ public_key_fingerprint:
+forwarder_agent_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+gorouter_backend_tls:
+ ca:
+ certificate:
+ private_key:
+locket_database_password:
+log_cache:
+ ca:
+ certificate:
+ private_key:
+log_cache_ca:
+ ca:
+ certificate:
+ private_key:
+log_cache_cf_auth_proxy_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+log_cache_gateway_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+log_cache_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+log_cache_nozzle_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+log_cache_proxy_tls:
+ ca:
+ certificate:
+ private_key:
+log_cache_to_loggregator_agent:
+ ca:
+ certificate:
+ private_key:
+logcache_ssl:
+ ca:
+ certificate:
+ private_key:
+loggr_syslog_binding_cache_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+loggr_udp_forwarder_tls:
+ ca:
+ certificate:
+ private_key:
+loggregator_agent_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+loggregator_ca:
+ ca:
+ certificate:
+ private_key:
+loggregator_rlp_gateway:
+ ca:
+ certificate:
+ private_key:
+loggregator_rlp_gateway_tls:
+ ca:
+ certificate:
+ private_key:
+loggregator_rlp_gateway_tls_cc:
+ ca:
+ certificate:
+ private_key:
+loggregator_tls_agent:
+ ca:
+ certificate:
+ private_key:
+loggregator_tls_cc_tc:
+ ca:
+ certificate:
+ private_key:
+loggregator_tls_doppler:
+ ca:
+ certificate:
+ private_key:
+loggregator_tls_rlp:
+ ca:
+ certificate:
+ private_key:
+loggregator_tls_statsdinjector:
+ ca:
+ certificate:
+ private_key:
+loggregator_tls_tc:
+ ca:
+ certificate:
+ private_key:
+loggregator_trafficcontroller_tls:
+ ca:
+ certificate:
+ private_key:
+logs_provider:
+ ca:
+ certificate:
+ private_key:
+metric_scraper_ca:
+ ca:
+ certificate:
+ private_key:
+metrics_agent_tls:
+ ca:
+ certificate:
+ private_key:
+metrics_discovery_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+nats_ca:
+ ca:
+ certificate:
+ private_key:
+nats_client_cert:
+ ca:
+ certificate:
+ private_key:
+nats_internal_ca:
+ ca:
+ certificate:
+ private_key:
+nats_internal_cert:
+ ca:
+ certificate:
+ private_key:
+nats_password:
+nats_server_cert:
+ ca:
+ certificate:
+ private_key:
+network_connectivity_database_password:
+network_policy_ca:
+ ca:
+ certificate:
+ private_key:
+network_policy_client:
+ ca:
+ certificate:
+ private_key:
+network_policy_database_password:
+network_policy_server:
+ ca:
+ certificate:
+ private_key:
+network_policy_server_external:
+ ca:
+ certificate:
+ private_key:
+nfs-broker-credhub-password:
+nfs-broker-credhub-uaa-client-secret:
+nfs-broker-password:
+nfs-broker-push-uaa-client-secret:
+nfs_ca:
+ ca:
+ certificate:
+ private_key:
+nfsv3driver_cert:
+ ca:
+ certificate:
+ private_key:
+nfsv3driver_client_cert:
+ ca:
+ certificate:
+ private_key:
+prom_scraper_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+prom_scraper_scrape_tls:
+ ca:
+ certificate:
+ private_key:
+rlp_gateway_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+router_ca:
+ ca:
+ certificate:
+ private_key:
+router_route_services_secret:
+router_ssl:
+ ca:
+ certificate:
+ private_key:
+router_status_password:
+routing_api_ca:
+ ca:
+ certificate:
+ private_key:
+routing_api_database_password:
+routing_api_tls:
+ ca:
+ certificate:
+ private_key:
+routing_api_tls_client:
+ ca:
+ certificate:
+ private_key:
+scrape_config_generator_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+service_cf_internal_ca:
+ ca:
+ certificate:
+ private_key:
+silk_ca:
+ ca:
+ certificate:
+ private_key:
+silk_controller:
+ ca:
+ certificate:
+ private_key:
+silk_daemon:
+ ca:
+ certificate:
+ private_key:
+ssh_proxy_backends_tls:
+ ca:
+ certificate:
+ private_key:
+syslog_agent_api_tls:
+ ca:
+ certificate:
+ private_key:
+syslog_agent_metrics_tls:
+ ca:
+ certificate:
+ private_key:
+uaa_admin_client_secret:
+uaa_ca:
+ ca:
+ certificate:
+ private_key:
+uaa_clients_cc-routing_secret:
+uaa_clients_cc-service-dashboards_secret:
+uaa_clients_cc_service_key_client_secret:
+uaa_clients_cf_smoke_tests_secret:
+uaa_clients_cloud_controller_username_lookup_secret:
+uaa_clients_doppler_secret:
+uaa_clients_gorouter_secret:
+uaa_clients_network_policy_secret:
+uaa_clients_routing_api_client_secret:
+uaa_clients_ssh-proxy_secret:
+uaa_clients_tcp_emitter_secret:
+uaa_clients_tcp_router_secret:
+uaa_database_password:
+uaa_default_encryption_passphrase:
+uaa_jwt_signing_key:
+ private_key:
+ public_key:
+uaa_login_saml:
+ ca:
+ certificate:
+ private_key:
+uaa_ssl:
+ ca:
+ certificate:
+ private_key:
diff --git a/spec/credhub_variables/isolation-segments-addl-certs.yml b/spec/credhub_variables/isolation-segments-addl-certs.yml
new file mode 100644
index 00000000..31a2f795
--- /dev/null
+++ b/spec/credhub_variables/isolation-segments-addl-certs.yml
@@ -0,0 +1,6 @@
+another-cert-of-dubious-validity:
+ certificate: first-additional-test-ssl-cert
+ private_key: first-additional-test-ssl-private-key
+some-strange-cert:
+ certificate: second-additional-test-ssl-cert
+ private_key: second-additional-test-ssl-private-key
diff --git a/spec/credhub_variables/isolation-segments-nfs.yml b/spec/credhub_variables/isolation-segments-nfs.yml
new file mode 100644
index 00000000..8ed226ab
--- /dev/null
+++ b/spec/credhub_variables/isolation-segments-nfs.yml
@@ -0,0 +1,5 @@
+nfs-ldap-ca-cert:
+ ca: nfs-ldap-ca-cert-ca
+ certificate: nfs-ldap-ca-cert-cert
+ private_key: nfs-ldap-ca-cert-private-key
+nfs-ldap-service-password: ldap-secure-password
diff --git a/spec/deployments/isolation-segments-extended.yml b/spec/deployments/isolation-segments-extended.yml
new file mode 100644
index 00000000..937127f5
--- /dev/null
+++ b/spec/deployments/isolation-segments-extended.yml
@@ -0,0 +1,39 @@
+---
+kit:
+ name: dev
+ version: 2.1.2
+ features:
+ - isolation-segments
+ - nfs-volume-services
+ - nfs-ldap
+
+genesis:
+ env: isolation-segments-extended
+
+params:
+ base_domain: cf.testing.example
+ availability_zones: [zoneA, zoneB, zoneC, zoneD]
+ diego_cell_vm_type: xlarge
+ cf_runtime_network: cf-core
+ isolation_segments:
+ - name: custom-params-group
+ azs:
+ - custom-az
+ instances: 5
+ vm_type: small-highmem
+ stemcell: test
+ tag: custom-iso-group
+ vm_extensions:
+ - 100GB_ephemeral_disk
+ - cf-router-network-properties
+ - name: default-params-group
+ azs:
+ - z1
+ network_name: default
+ tags:
+ - default-iso-group
+ - default
+
+ nfs-ldap-fqdn: cn=Users,dc=corp,dc=test,dc=com
+ nfs-ldap-host: ldap.myhost.com
+ nfs-ldap-service-user: ldap-user
diff --git a/spec/deployments/isolation-segments.yml b/spec/deployments/isolation-segments.yml
index 48e936d5..36cd6713 100644
--- a/spec/deployments/isolation-segments.yml
+++ b/spec/deployments/isolation-segments.yml
@@ -16,11 +16,14 @@ params:
- custom-az
instances: 5
vm_type: small-highmem
- network_name: ((cf_runtime_network))
stemcell: test
vm_extensions:
- 100GB_ephemeral_disk
- cf-router-network-properties
- name: default-params-group
azs:
- - z1
\ No newline at end of file
+ - z1
+ network_name: default
+ additional_trusted_certs:
+ - ((some-strange-cert))
+ - ((another-cert-of-dubious-validity))
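Review bot: `additional_trusted_certs` references `((some-strange-cert))` and `((another-cert-of-dubious-validity))` as whole variables; the matching fixture in `spec/credhub_variables/isolation-segments-addl-certs.yml` gives each a `private_key`, so the rendered `trusted_certs` would carry the key, not just the PEM certificate. Use `((some-strange-cert.certificate))` here and have the result fixture assert that only the certificate string reaches the rep and rootfs properties.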
diff --git a/spec/results/isolation-segments-extended.yml b/spec/results/isolation-segments-extended.yml
new file mode 100644
index 00000000..896b3739
--- /dev/null
+++ b/spec/results/isolation-segments-extended.yml
@@ -0,0 +1,2596 @@
+addons:
+- exclude:
+ jobs:
+ - name: smoke_tests
+ release: cf-smoke-tests
+ include:
+ stemcell:
+ - os: ubuntu-xenial
+ - os: ubuntu-bionic
+ jobs:
+ - name: loggregator_agent
+ properties:
+ disable_udp: true
+ grpc_port: 3459
+ loggregator:
+ tls:
+ agent:
+ cert:
+ key:
+ ca_cert:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: loggregator_agent_metrics
+ release: loggregator-agent
+ name: loggregator_agent
+- include:
+ stemcell:
+ - os: ubuntu-xenial
+ - os: ubuntu-bionic
+ jobs:
+ - name: loggr-forwarder-agent
+ properties:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: forwarder_agent_metrics
+ tls:
+ ca_cert:
+ cert:
+ key:
+ release: loggregator-agent
+ name: forwarder_agent
+- exclude:
+ jobs:
+ - name: smoke_tests
+ release: cf-smoke-tests
+ include:
+ stemcell:
+ - os: ubuntu-xenial
+ - os: ubuntu-bionic
+ jobs:
+ - name: loggr-syslog-agent
+ properties:
+ cache:
+ tls:
+ ca_cert:
+ cert:
+ cn: binding-cache
+ key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: syslog_agent_metrics
+ port: 3460
+ tls:
+ ca_cert:
+ cert:
+ key:
+ release: loggregator-agent
+ name: loggr-syslog-agent
+- exclude:
+ jobs:
+ - name: smoke_tests
+ release: cf-smoke-tests
+ include:
+ stemcell:
+ - os: ubuntu-xenial
+ - os: ubuntu-bionic
+ jobs:
+ - name: prom_scraper
+ properties:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: prom_scraper_metrics
+ scrape:
+ tls:
+ ca_cert:
+ cert:
+ key:
+ scrape_interval: 60s
+ release: loggregator-agent
+ name: prom_scraper
+- exclude:
+ jobs:
+ - name: smoke_tests
+ release: cf-smoke-tests
+ include:
+ stemcell:
+ - os: ubuntu-xenial
+ - os: ubuntu-bionic
+ jobs:
+ - name: metrics-discovery-registrar
+ properties:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: metrics_discovery_metrics
+ nats_client:
+ cert:
+ key:
+ release: metrics-discovery
+ name: metrics-discovery-registrar
+- exclude:
+ jobs:
+ - name: smoke_tests
+ release: cf-smoke-tests
+ include:
+ stemcell:
+ - os: ubuntu-xenial
+ - os: ubuntu-bionic
+ jobs:
+ - name: metrics-agent
+ properties:
+ grpc:
+ ca_cert:
+ cert:
+ key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: metrics_agent
+ scrape:
+ tls:
+ ca_cert:
+ cert:
+ key:
+ release: metrics-discovery
+ name: metrics-agent
+- include:
+ stemcell:
+ - os: ubuntu-xenial
+ - os: ubuntu-bionic
+ jobs:
+ - name: bpm
+ release: bpm
+ name: bpm
+- jobs:
+ - name: bosh-dns-aliases
+ properties:
+ aliases:
+ - domain: _.cell.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: diego-cell
+ network: cf-core
+ query: _
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: windows2012R2-cell
+ network: cf-core
+ query: _
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: windows2016-cell
+ network: cf-core
+ query: _
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: isolated-diego-cell
+ network: cf-core
+ query: _
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: custom-params-group
+ network: cf-core
+ query: _
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: default-params-group
+ network: default
+ query: _
+ - domain: auctioneer.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: scheduler
+ network: cf-core
+ query: q-s4
+ - domain: bbs.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: diego-api
+ network: cf-core
+ query: q-s4
+ - domain: blobstore.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: singleton-blobstore
+ network: cf-core
+ query: '*'
+ - domain: cc-uploader.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: api
+ network: cf-core
+ query: '*'
+ - domain: cloud-controller-ng.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: api
+ network: cf-core
+ query: '*'
+ - domain: credhub.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: credhub
+ network: cf-core
+ query: '*'
+ - domain: doppler.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: doppler
+ network: cf-core
+ query: '*'
+ - domain: file-server.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: api
+ network: cf-core
+ query: '*'
+ - domain: gorouter.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: router
+ network: cf-edge
+ query: '*'
+ - domain: locket.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: diego-api
+ network: cf-core
+ query: '*'
+ - domain: loggregator-trafficcontroller.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: log-api
+ network: cf-core
+ query: '*'
+ - domain: policy-server.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: api
+ network: cf-core
+ query: '*'
+ - domain: reverse-log-proxy.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: log-api
+ network: cf-core
+ query: '*'
+ - domain: routing-api.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: api
+ network: cf-core
+ query: '*'
+ - domain: silk-controller.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: diego-api
+ network: cf-core
+ query: '*'
+ - domain: sql-db.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: database
+ network: cf-core
+ query: '*'
+ - domain: ssh-proxy.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: scheduler
+ network: cf-core
+ query: '*'
+ - domain: tps.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: scheduler
+ network: cf-core
+ query: '*'
+ - domain: uaa.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: uaa
+ network: cf-core
+ query: '*'
+ - domain: nats.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: nats
+ network: cf-core
+ query: '*'
+ - domain: _.nats.service.cf.internal
+ targets:
+ - deployment: isolation-segments-extended-cf
+ domain: bosh
+ instance_group: nats
+ network: cf-core
+ query: _
+ release: bosh-dns-aliases
+ name: bosh-dns-aliases
+exodus:
+ admin_password:
+ admin_username: admin
+ api_domain: api.system.cf.testing.example
+ app_domains:
+ - run.cf.testing.example
+ apps_domain: run.cf.testing.example
+ base_domain: cf.testing.example
+ bosh: isolation-segments-extended
+ cf-deployment-date: 2022-Feb-14 03:48:47 UTC
+ cf-deployment-hotfixes: true
+ cf-deployment-url: https://github.com/cloudfoundry/cf-deployment/releases/tag/v16.25.0
+ cf-deployment-version: 16.25.0
+ core_network: cf-core
+ db_network: cf-core
+ edge_network: cf-edge
+ features: isolation-segments,nfs-volume-services,nfs-ldap
+ is_director: false
+ runtime_network: cf-core
+ system_domain: system.cf.testing.example
+ system_org: system
+ system_space: system
+ use_create_env: false
+ vaulted_uaa_clients: /secret/isolation/segments/extended/cf/uaa/client_secrets:firehose
+features:
+ randomize_az_placement: true
+instance_groups:
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 1
+ jobs:
+ - name: smoke_tests
+ properties:
+ bpm:
+ enabled: true
+ smoke_tests:
+ api: https://api.system.cf.testing.example
+ apps_domain: run.cf.testing.example
+ cf_dial_timeout_in_seconds: 300
+ client: cf_smoke_tests
+ client_secret:
+ org: cf_smoke_tests_org
+ skip_ssl_validation: true
+ space: cf_smoke_tests_space
+ release: cf-smoke-tests
+ - name: cf-cli-7-linux
+ release: cf-cli
+ lifecycle: errand
+ name: smoke-tests
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: minimal
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - name: nats
+ properties:
+ nats:
+ hostname: nats.service.cf.internal
+ internal:
+ tls:
+ ca:
+ certificate:
+ enabled: true
+ private_key:
+ password:
+ user: nats
+ provides:
+ nats:
+ as: nats
+ shared: true
+ release: nats
+ - custom_provider_definitions:
+ - name: nats-tls-address
+ type: address
+ name: nats-tls
+ properties:
+ nats:
+ external:
+ tls:
+ ca:
+ certificate:
+ private_key:
+ hostname: nats.service.cf.internal
+ internal:
+ tls:
+ ca:
+ certificate:
+ enabled: true
+ private_key:
+ password:
+ user: nats
+ provides:
+ nats-tls:
+ as: nats-tls
+ shared: true
+ release: nats
+ name: nats
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: minimal
+- azs:
+ - zoneA
+ instances: 1
+ jobs:
+ - name: postgres
+ properties:
+ databases:
+ databases:
+ - citext: true
+ name: cloud_controller
+ tag: cc
+ - citext: true
+ name: uaa
+ tag: uaa
+ - citext: true
+ name: diego
+ tag: diego
+ - citext: true
+ name: routing-api
+ tag: routing-api
+ - citext: false
+ name: network_policy
+ tag: networkpolicy
+ - citext: false
+ name: network_connectivity
+ tag: networkconnectivity
+ - citext: true
+ name: locket
+ tag: locket
+ - citext: true
+ name: credhub
+ tag: credhub
+ db_scheme: postgres
+ port: 5524
+ roles:
+ - name: cloud_controller
+ password:
+ tag: admin
+ - name: uaa
+ password:
+ tag: admin
+ - name: diego
+ password:
+ tag: admin
+ - name: routing-api
+ password:
+ tag: admin
+ - name: network_policy
+ password:
+ tag: admin
+ - name: network_connectivity
+ password:
+ tag: admin
+ - name: locket
+ password:
+ tag: locket
+ - name: credhub
+ password:
+ tag: admin
+ release: postgres
+ migrated_from:
+ - name: postgres
+ - name: singleton-database
+ name: database
+ networks:
+ - name: cf-core
+ persistent_disk_type: 10GB
+ stemcell: default
+ update:
+ serial: true
+ vm_type: small
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - name: cfdot
+ properties:
+ tls:
+ ca_certificate:
+ certificate:
+ private_key:
+ release: diego
+ - name: bbs
+ properties:
+ bpm:
+ enabled: true
+ diego:
+ bbs:
+ active_key_label: key-2016-06
+ auctioneer:
+ ca_cert:
+ client_cert:
+ client_key:
+ ca_cert:
+ detect_consul_cell_registrations: false
+ encryption_keys:
+ - label: key-2016-06
+ passphrase:
+ rep:
+ ca_cert:
+ client_cert:
+ client_key:
+ require_tls: true
+ server_cert:
+ server_key:
+ skip_consul_lock: true
+ sql:
+ db_driver: postgres
+ db_host: sql-db.service.cf.internal
+ db_password:
+ db_port: 5524
+ db_schema: diego
+ db_username: diego
+ enable_consul_service_registration: false
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ release: diego
+ - name: silk-controller
+ properties:
+ ca_cert:
+ database:
+ host: sql-db.service.cf.internal
+ name: network_connectivity
+ password:
+ port: 5524
+ type: postgres
+ username: network_connectivity
+ server_cert:
+ server_key:
+ silk_daemon:
+ ca_cert:
+ client_cert:
+ client_key:
+ release: silk
+ - name: locket
+ properties:
+ bpm:
+ enabled: true
+ diego:
+ locket:
+ sql:
+ db_driver: postgres
+ db_host: sql-db.service.cf.internal
+ db_password:
+ db_port: 5524
+ db_schema: locket
+ db_username: locket
+ enable_consul_service_registration: false
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ tls:
+ ca_cert:
+ cert:
+ key:
+ release: diego
+ - name: loggr-udp-forwarder
+ properties:
+ loggregator:
+ tls:
+ ca:
+ cert:
+ key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: loggr_udp_forwarder_metrics
+ release: loggregator-agent
+ migrated_from:
+ - name: diego-bbs
+ name: diego-api
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: small
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - name: uaa
+ properties:
+ encryption:
+ active_key_label: default_key
+ encryption_keys:
+ - label: default_key
+ passphrase:
+ login:
+ branding:
+ footer_legal_text: null
+ footer_links: null
+ product_logo: null
+ square_logo: null
+ links:
+ passwd: https://login.system.cf.testing.example/forgot_password
+ signup: https://login.system.cf.testing.example/create_account
+ saml:
+ activeKeyId: key-1
+ keys:
+ key-1:
+ certificate:
+ key:
+ passphrase: ""
+ uaa:
+ admin:
+ client_secret:
+ clients:
+ cc-service-dashboards:
+ authorities: clients.read,clients.write,clients.admin
+ authorized-grant-types: client_credentials
+ scope: openid,cloud_controller_service_permissions.read
+ secret:
+ cc_routing:
+ authorities: routing.router_groups.read
+ authorized-grant-types: client_credentials
+ secret:
+ cc_service_key_client:
+ authorities: credhub.read,credhub.write
+ authorized-grant-types: client_credentials
+ secret:
+ cf:
+ access-token-validity: 1200
+ authorities: uaa.none
+ authorized-grant-types: password,refresh_token
+ override: true
+ refresh-token-validity: 2592000
+ scope: network.admin,network.write,cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write,doppler.firehose,uaa.user,routing.router_groups.read,routing.router_groups.write,cloud_controller.admin_read_only,cloud_controller.global_auditor,perm.admin,clients.read
+ secret: ""
+ cf_smoke_tests:
+ authorities: cloud_controller.admin,clients.read
+ authorized-grant-types: client_credentials
+ secret:
+ cloud_controller_username_lookup:
+ authorities: scim.userids
+ authorized-grant-types: client_credentials
+ secret:
+ credhub_admin_client:
+ authorities: credhub.read,credhub.write
+ authorized-grant-types: client_credentials
+ secret:
+ doppler:
+ authorities: uaa.resource
+ authorized-grant-types: client_credentials
+ override: true
+ secret:
+ gorouter:
+ authorities: routing.routes.read
+ authorized-grant-types: client_credentials
+ secret:
+ network-policy:
+ authorities: uaa.resource,cloud_controller.admin_read_only
+ authorized-grant-types: client_credentials
+ secret:
+ nfs-broker-credhub-client:
+ authorities: credhub.read,credhub.write
+ authorized-grant-types: client_credentials
+ secret:
+ nfs-broker-push-client:
+ authorities: cloud_controller.admin,clients.read
+ authorized-grant-types: client_credentials
+ secret:
+ routing_api_client:
+ authorities: routing.routes.write,routing.routes.read,routing.router_groups.read
+ authorized-grant-types: client_credentials
+ secret:
+ ssh-proxy:
+ authorized-grant-types: authorization_code
+ autoapprove: true
+ override: true
+ redirect-uri: https://uaa.system.cf.testing.example/login
+ scope: openid,cloud_controller.read,cloud_controller.write,cloud_controller.admin
+ secret:
+ tcp_emitter:
+ authorities: routing.routes.write,routing.routes.read
+ authorized-grant-types: client_credentials
+ secret:
+ tcp_router:
+ authorities: routing.routes.read,routing.router_groups.read
+ authorized-grant-types: client_credentials
+ secret:
+ jwt:
+ policy:
+ active_key_id: key-1
+ keys:
+ key-1:
+ signingKey:
+ logging_level: INFO
+ scim:
+ users:
+ - groups:
+ - clients.read
+ - cloud_controller.admin
+ - doppler.firehose
+ - network.admin
+ - openid
+ - routing.router_groups.read
+ - routing.router_groups.write
+ - scim.read
+ - scim.write
+ name: admin
+ password:
+ sslCertificate:
+ sslPrivateKey:
+ url: https://uaa.system.cf.testing.example
+ zones:
+ internal:
+ hostnames:
+ - uaa.service.cf.internal
+ uaadb:
+ databases:
+ - name: uaa
+ tag: uaa
+ db_scheme: postgresql
+ port: 5524
+ roles:
+ - name: uaa
+ password:
+ tag: admin
+ tls: disabled
+ release: uaa
+ - name: route_registrar
+ properties:
+ nats:
+ tls:
+ client_cert:
+ client_key:
+ enabled: true
+ route_registrar:
+ routes:
+ - health_check:
+ name: uaa-healthcheck
+ script_path: /var/vcap/jobs/uaa/bin/dns/healthy
+ name: uaa
+ registration_interval: 10s
+ server_cert_domain_san: uaa.service.cf.internal
+ tags:
+ component: uaa
+ tls_port: 8443
+ uris:
+ - uaa.system.cf.testing.example
+ - '*.uaa.system.cf.testing.example'
+ - login.system.cf.testing.example
+ - '*.login.system.cf.testing.example'
+ release: routing
+ - name: statsd_injector
+ properties:
+ loggregator:
+ tls:
+ ca_cert:
+ statsd_injector:
+ cert:
+ key:
+ release: statsd-injector
+ name: uaa
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: minimal
+- azs:
+ - zoneA
+ instances: 1
+ jobs:
+ - name: blobstore
+ properties:
+ blobstore:
+ admin_users:
+ - password:
+ username: blobstore-user
+ secure_link:
+ secret:
+ tls:
+ cert:
+ private_key:
+ select_directories_to_backup:
+ - buildpacks
+ - packages
+ - droplets
+ system_domain: system.cf.testing.example
+ release: capi
+ - name: route_registrar
+ properties:
+ nats:
+ tls:
+ client_cert:
+ client_key:
+ enabled: true
+ route_registrar:
+ routes:
+ - name: blobstore
+ port: 8080
+ registration_interval: 20s
+ tags:
+ component: blobstore
+ uris:
+ - blobstore.system.cf.testing.example
+ release: routing
+ migrated_from:
+ - name: blobstore
+ name: singleton-blobstore
+ networks:
+ - name: cf-core
+ persistent_disk_type: 100GB
+ stemcell: default
+ update:
+ serial: true
+ vm_type: small
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - name: cloud_controller_ng
+ properties:
+ app_domains:
+ - run.cf.testing.example
+ app_ssh:
+ host_key_fingerprint:
+ build: cf-genesis-kit v2.1.2
+ cc:
+ buildpacks:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ bulk_api_password:
+ database_encryption:
+ current_key_label: encryption_key_0
+ keys:
+ encryption_key_0:
+ db_encryption_key:
+ default_running_security_groups:
+ - public_networks
+ - dns
+ default_staging_security_groups:
+ - public_networks
+ - dns
+ diego:
+ docker_staging_stack: cflinuxfs3
+ droplets:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ install_buildpacks:
+ - name: staticfile_buildpack
+ package: staticfile-buildpack-cflinuxfs3
+ - name: java_buildpack
+ package: java-buildpack-cflinuxfs3
+ - name: ruby_buildpack
+ package: ruby-buildpack-cflinuxfs3
+ - name: dotnet_core_buildpack
+ package: dotnet-core-buildpack-cflinuxfs3
+ - name: nodejs_buildpack
+ package: nodejs-buildpack-cflinuxfs3
+ - name: go_buildpack
+ package: go-buildpack-cflinuxfs3
+ - name: python_buildpack
+ package: python-buildpack-cflinuxfs3
+ - name: php_buildpack
+ package: php-buildpack-cflinuxfs3
+ - name: nginx_buildpack
+ package: nginx-buildpack-cflinuxfs3
+ - name: r_buildpack
+ package: r-buildpack-cflinuxfs3
+ - name: binary_buildpack
+ package: binary-buildpack-cflinuxfs3
+ internal_api_password:
+ logcache_tls:
+ certificate:
+ private_key:
+ min_cli_version: 6.23.0
+ min_recommended_cli_version: 6.23.0
+ mutual_tls:
+ ca_cert:
+ private_key:
+ public_cert:
+ packages:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ public_tls:
+ ca_cert:
+ certificate:
+ private_key:
+ resource_pool:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ security_group_definitions:
+ - name: public_networks
+ rules:
+ - destination: 0.0.0.0-9.255.255.255
+ protocol: all
+ - destination: 11.0.0.0-169.253.255.255
+ protocol: all
+ - destination: 169.255.0.0-172.15.255.255
+ protocol: all
+ - destination: 172.32.0.0-192.167.255.255
+ protocol: all
+ - destination: 192.169.0.0-255.255.255.255
+ protocol: all
+ - name: dns
+ rules:
+ - destination: 0.0.0.0/0
+ ports: "53"
+ protocol: tcp
+ - destination: 0.0.0.0/0
+ ports: "53"
+ protocol: udp
+ stacks:
+ - description: Cloud Foundry Linux-based filesystem (Ubuntu 18.04)
+ name: cflinuxfs3
+ staging_upload_password:
+ staging_upload_user: staging_user
+ temporary_use_logcache: true
+ volume_services_enabled: true
+ ccdb:
+ databases:
+ - name: cloud_controller
+ tag: cc
+ db_scheme: postgres
+ port: 5524
+ roles:
+ - name: cloud_controller
+ password:
+ tag: admin
+ credhub_api:
+ ca_cert:
+ description: Use `genesis info` on environment file for more details
+ name: Cloud Foundry (isolation-segments-extended)
+ router:
+ route_services_secret:
+ routing_api:
+ enabled: true
+ ssl:
+ skip_cert_verify: true
+ support_address: https://github.com/genesis-community/cf-genesis-kit
+ system_domain: system.cf.testing.example
+ uaa:
+ ca_cert:
+ clients:
+ cc-service-dashboards:
+ secret:
+ cc_routing:
+ secret:
+ cc_service_key_client:
+ secret:
+ cloud_controller_username_lookup:
+ secret:
+ url: https://uaa.system.cf.testing.example
+ provides:
+ cloud_controller:
+ as: cloud_controller
+ shared: true
+ release: capi
+ - name: binary-buildpack
+ release: binary-buildpack
+ - name: dotnet-core-buildpack
+ release: dotnet-core-buildpack
+ - name: go-buildpack
+ release: go-buildpack
+ - name: java-buildpack
+ release: java-buildpack
+ - name: nodejs-buildpack
+ release: nodejs-buildpack
+ - name: nginx-buildpack
+ release: nginx-buildpack
+ - name: r-buildpack
+ release: r-buildpack
+ - name: php-buildpack
+ release: php-buildpack
+ - name: python-buildpack
+ release: python-buildpack
+ - name: ruby-buildpack
+ release: ruby-buildpack
+ - name: staticfile-buildpack
+ release: staticfile-buildpack
+ - name: route_registrar
+ properties:
+ nats:
+ tls:
+ client_cert:
+ client_key:
+ enabled: true
+ route_registrar:
+ routes:
+ - health_check:
+ name: api-health-check
+ script_path: /var/vcap/jobs/cloud_controller_ng/bin/cloud_controller_ng_health_check
+ timeout: 6s
+ name: api
+ port: 9022
+ registration_interval: 10s
+ server_cert_domain_san: api.system.cf.testing.example
+ tags:
+ component: CloudController
+ tls_port: 9024
+ uris:
+ - api.system.cf.testing.example
+ - name: policy-server
+ registration_interval: 20s
+ server_cert_domain_san: api.system.cf.testing.example
+ tls_port: 4002
+ uris:
+ - api.system.cf.testing.example/networking
+ release: routing
+ - name: statsd_injector
+ properties:
+ loggregator:
+ tls:
+ ca_cert:
+ statsd_injector:
+ cert:
+ key:
+ release: statsd-injector
+ - name: file_server
+ properties:
+ bpm:
+ enabled: true
+ enable_consul_service_registration: false
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ release: diego
+ - name: routing-api
+ properties:
+ routing_api:
+ enabled_api_endpoints: both
+ locket:
+ api_location: locket.service.cf.internal:8891
+ ca_cert:
+ client_cert:
+ client_key:
+ mtls_ca:
+ mtls_client_cert:
+ mtls_client_key:
+ mtls_server_cert:
+ mtls_server_key:
+ router_groups:
+ - name: default-tcp
+ reservable_ports: 1024-1033
+ type: tcp
+ skip_consul_lock: true
+ sqldb:
+ host: sql-db.service.cf.internal
+ password:
+ port: 5524
+ schema: routing-api
+ type: postgres
+ username: routing-api
+ system_domain: system.cf.testing.example
+ uaa:
+ ca_cert:
+ tls_port: 8443
+ release: routing
+ - name: policy-server
+ properties:
+ database:
+ host: sql-db.service.cf.internal
+ name: network_policy
+ password:
+ port: 5524
+ type: postgres
+ username: network_policy
+ enable_space_developer_self_service: true
+ enable_tls: true
+ server_cert:
+ server_key:
+ uaa_ca:
+ uaa_client_secret:
+ release: cf-networking
+ - name: policy-server-internal
+ properties:
+ ca_cert:
+ server_cert:
+ server_key:
+ release: cf-networking
+ - name: cc_uploader
+ properties:
+ capi:
+ cc_uploader:
+ cc:
+ ca_cert:
+ client_cert:
+ client_key:
+ mutual_tls:
+ ca_cert:
+ server_cert:
+ server_key:
+ release: capi
+ - name: loggr-udp-forwarder
+ properties:
+ loggregator:
+ tls:
+ ca:
+ cert:
+ key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: loggr_udp_forwarder_metrics
+ release: loggregator-agent
+ name: api
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_extensions:
+ - 50GB_ephemeral_disk
+ vm_type: small
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - name: cloud_controller_worker
+ properties:
+ cc:
+ buildpacks:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ database_encryption:
+ current_key_label: encryption_key_0
+ keys:
+ encryption_key_0:
+ db_encryption_key:
+ droplets:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ internal_api_password:
+ mutual_tls:
+ ca_cert:
+ private_key:
+ public_cert:
+ packages:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ resource_pool:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ staging_upload_password:
+ staging_upload_user: staging_user
+ volume_services_enabled: true
+ ccdb:
+ databases:
+ - name: cloud_controller
+ tag: cc
+ db_scheme: postgres
+ port: 5524
+ roles:
+ - name: cloud_controller
+ password:
+ tag: admin
+ routing_api:
+ enabled: true
+ ssl:
+ skip_cert_verify: true
+ system_domain: system.cf.testing.example
+ uaa:
+ ca_cert:
+ clients:
+ cc-service-dashboards:
+ secret:
+ cc_routing:
+ secret:
+ release: capi
+ name: cc-worker
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: minimal
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - name: cfdot
+ properties:
+ tls:
+ ca_certificate:
+ certificate:
+ private_key:
+ release: diego
+ - name: auctioneer
+ properties:
+ bpm:
+ enabled: true
+ diego:
+ auctioneer:
+ bbs:
+ ca_cert:
+ client_cert:
+ client_key:
+ ca_cert:
+ rep:
+ ca_cert:
+ client_cert:
+ client_key:
+ require_tls: true
+ server_cert:
+ server_key:
+ skip_consul_lock: true
+ enable_consul_service_registration: false
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ release: diego
+ - name: cloud_controller_clock
+ properties:
+ cc:
+ buildpacks:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ database_encryption:
+ current_key_label: encryption_key_0
+ keys:
+ encryption_key_0:
+ db_encryption_key:
+ droplets:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ internal_api_password:
+ mutual_tls:
+ ca_cert:
+ private_key:
+ public_cert:
+ packages:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ resource_pool:
+ blobstore_type: webdav
+ webdav_config:
+ blobstore_timeout: 5
+ ca_cert:
+ password:
+ private_endpoint: https://blobstore.service.cf.internal:4443
+ public_endpoint: https://blobstore.system.cf.testing.example
+ username: blobstore-user
+ staging_upload_password:
+ staging_upload_user: staging_user
+ volume_services_enabled: true
+ ccdb:
+ databases:
+ - name: cloud_controller
+ tag: cc
+ db_scheme: postgres
+ port: 5524
+ roles:
+ - name: cloud_controller
+ password:
+ tag: admin
+ routing_api:
+ enabled: true
+ ssl:
+ skip_cert_verify: true
+ system_domain: system.cf.testing.example
+ uaa:
+ ca_cert:
+ clients:
+ cc-service-dashboards:
+ secret:
+ cc_routing:
+ secret:
+ ssl:
+ port: 8443
+ release: capi
+ - name: cc_deployment_updater
+ properties:
+ cc:
+ db_encryption_key:
+ mutual_tls:
+ ca_cert:
+ private_key:
+ public_cert:
+ ccdb:
+ databases:
+ - name: cloud_controller
+ tag: cc
+ db_scheme: postgres
+ port: 5524
+ roles:
+ - name: cloud_controller
+ password:
+ tag: admin
+ release: capi
+ - name: service-discovery-controller
+ properties:
+ dnshttps:
+ client:
+ ca:
+ server:
+ tls:
+ ca:
+ certificate:
+ private_key:
+ nats:
+ cert_chain:
+ private_key:
+ tls_enabled: true
+ release: cf-networking
+ - name: statsd_injector
+ properties:
+ loggregator:
+ tls:
+ ca_cert:
+ statsd_injector:
+ cert:
+ key:
+ release: statsd-injector
+ - name: tps
+ properties:
+ capi:
+ tps:
+ bbs:
+ ca_cert:
+ client_cert:
+ client_key:
+ cc:
+ ca_cert:
+ client_cert:
+ client_key:
+ watcher:
+ locket:
+ api_location: locket.service.cf.internal:8891
+ skip_consul_lock: true
+ release: capi
+ - name: ssh_proxy
+ properties:
+ backends:
+ tls:
+ ca_certificates:
+ -
+ client_certificate:
+ client_private_key:
+ enabled: true
+ bpm:
+ enabled: true
+ diego:
+ ssh_proxy:
+ bbs:
+ ca_cert:
+ client_cert:
+ client_key:
+ disable_healthcheck_server: true
+ enable_cf_auth: true
+ host_key:
+ uaa:
+ ca_cert:
+ uaa_secret:
+ enable_consul_service_registration: false
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ release: diego
+ - name: loggr-syslog-binding-cache
+ properties:
+ api:
+ tls:
+ ca_cert:
+ cert:
+ cn: cloud-controller-ng.service.cf.internal
+ key:
+ external_port: 9000
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: loggr_syslog_binding_cache_metrics
+ tls:
+ ca_cert:
+ cert:
+ cn: binding-cache
+ key:
+ release: loggregator-agent
+ - name: loggr-udp-forwarder
+ properties:
+ loggregator:
+ tls:
+ ca:
+ cert:
+ key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: loggr_udp_forwarder_metrics
+ release: loggregator-agent
+ migrated_from:
+ - name: cc-bridge
+ - name: cc-clock
+ - name: diego-brain
+ name: scheduler
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_extensions:
+ - diego-ssh-proxy-network-properties
+ vm_type: minimal
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - name: gorouter
+ properties:
+ nats:
+ cert_chain:
+ private_key:
+ tls_enabled: true
+ router:
+ backends:
+ cert_chain:
+ private_key:
+ ca_certs: |
+
+
+
+
+ enable_ssl: true
+ route_services_secret:
+ status:
+ password:
+ user: router-status
+ tls_pem:
+ - cert_chain:
+ private_key:
+ tracing:
+ enable_zipkin: true
+ routing_api:
+ enabled: true
+ uaa:
+ ca_cert:
+ clients:
+ gorouter:
+ secret:
+ ssl:
+ port: 8443
+ release: routing
+ - name: loggr-udp-forwarder
+ properties:
+ loggregator:
+ tls:
+ ca:
+ cert:
+ key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: loggr_udp_forwarder_metrics
+ release: loggregator-agent
+ name: router
+ networks:
+ - name: cf-edge
+ stemcell: default
+ update:
+ serial: true
+ vm_extensions:
+ - cf-router-network-properties
+ vm_type: minimal
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - name: tcp_router
+ properties:
+ tcp_router:
+ oauth_secret:
+ router_group: default-tcp
+ uaa:
+ ca_cert:
+ tls_port: 8443
+ release: routing
+ - name: loggr-udp-forwarder
+ properties:
+ loggregator:
+ tls:
+ ca:
+ cert:
+ key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: loggr_udp_forwarder_metrics
+ release: loggregator-agent
+ name: tcp-router
+ networks:
+ - name: cf-edge
+ stemcell: default
+ vm_extensions:
+ - cf-tcp-router-network-properties
+ vm_type: minimal
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 4
+ jobs:
+ - name: doppler
+ properties:
+ loggregator:
+ tls:
+ ca_cert:
+ doppler:
+ cert:
+ key:
+ provides:
+ doppler:
+ as: doppler
+ shared: true
+ release: loggregator
+ - name: log-cache
+ properties:
+ health_addr: localhost:6060
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: log_cache_metrics
+ tls:
+ ca_cert:
+ cert:
+ key:
+ provides:
+ log-cache:
+ shared: true
+ release: log-cache
+ - name: log-cache-gateway
+ properties:
+ gateway_addr: localhost:8081
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: log_cache_gateway_metrics
+ proxy_cert:
+ proxy_key:
+ release: log-cache
+ - consumes:
+ reverse_log_proxy:
+ from: reverse_log_proxy
+ name: log-cache-nozzle
+ properties:
+ logs_provider:
+ tls:
+ ca_cert:
+ cert:
+ key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: log_cache_nozzle_metrics
+ release: log-cache
+ - name: route_registrar
+ properties:
+ nats:
+ tls:
+ client_cert:
+ client_key:
+ enabled: true
+ route_registrar:
+ routes:
+ - name: log-cache-reverse-proxy
+ port: 8083
+ registration_interval: 20s
+ server_cert_domain_san: log-cache.system.cf.testing.example
+ tls_port: 8083
+ uris:
+ - log-cache.system.cf.testing.example
+ - '*.log-cache.system.cf.testing.example'
+ release: routing
+ - name: log-cache-cf-auth-proxy
+ properties:
+ cc:
+ ca_cert:
+ common_name: cloud-controller-ng.service.cf.internal
+ external_cert:
+ external_key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: log_cache_cf_auth_proxy_metrics
+ proxy_ca_cert:
+ proxy_port: 8083
+ uaa:
+ ca_cert:
+ client_id: doppler
+ client_secret:
+ internal_addr: https://uaa.service.cf.internal:8443
+ release: log-cache
+ name: doppler
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: minimal
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 3
+ jobs:
+ - name: bosh-dns-adapter
+ properties:
+ dnshttps:
+ client:
+ tls:
+ ca:
+ certificate:
+ private_key:
+ server:
+ ca:
+ internal_domains:
+ - apps.internal.
+ release: cf-networking
+ - name: cflinuxfs3-rootfs-setup
+ properties:
+ cflinuxfs3-rootfs:
+ trusted_certs:
+ -
+ -
+ -
+ release: cflinuxfs3
+ - name: garden
+ properties:
+ garden:
+ cleanup_process_dirs_on_wait: true
+ containerd_mode: true
+ debug_listen_address: 127.0.0.1:17019
+ default_container_grace_time: 0
+ deny_networks:
+ - 0.0.0.0/0
+ destroy_containers_on_start: true
+ network_plugin: /var/vcap/packages/runc-cni/bin/garden-external-networker
+ network_plugin_extra_args:
+ - --configFile=/var/vcap/jobs/garden-cni/config/adapter.json
+ logging:
+ format:
+ timestamp: rfc3339
+ release: garden-runc
+ - name: rep
+ properties:
+ bpm:
+ enabled: true
+ containers:
+ proxy:
+ enabled: true
+ require_and_verify_client_certificates: true
+ trusted_ca_certificates:
+ -
+ -
+ verify_subject_alt_name:
+ - gorouter.service.cf.internal
+ - ssh-proxy.service.cf.internal
+ trusted_ca_certificates:
+ -
+ -
+ -
+ diego:
+ executor:
+ instance_identity_ca_cert:
+ instance_identity_key:
+ rep:
+ preloaded_rootfses:
+ - cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar
+ enable_consul_service_registration: false
+ enable_declarative_healthcheck: true
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ tls:
+ ca_cert:
+ cert:
+ key:
+ release: diego
+ - name: cfdot
+ properties:
+ tls:
+ ca_certificate:
+ certificate:
+ private_key:
+ release: diego
+ - consumes:
+ nats:
+ ip_addresses: false
+ nats-tls:
+ ip_addresses: false
+ name: route_emitter
+ properties:
+ bpm:
+ enabled: true
+ diego:
+ route_emitter:
+ bbs:
+ ca_cert:
+ client_cert:
+ client_key:
+ local_mode: true
+ nats:
+ tls:
+ client_cert:
+ client_key:
+ enabled: true
+ internal_routes:
+ enabled: true
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ tcp:
+ enabled: true
+ uaa:
+ ca_cert:
+ client_secret:
+ release: diego
+ - name: garden-cni
+ properties:
+ cni_config_dir: /var/vcap/jobs/silk-cni/config/cni
+ cni_plugin_dir: /var/vcap/packages/silk-cni/bin
+ release: cf-networking
+ - name: netmon
+ release: silk
+ - name: vxlan-policy-agent
+ properties:
+ ca_cert:
+ client_cert:
+ client_key:
+ release: silk
+ - name: silk-daemon
+ properties:
+ ca_cert:
+ client_cert:
+ client_key:
+ release: silk
+ - name: silk-cni
+ properties:
+ dns_servers:
+ - 169.254.0.2
+ release: silk
+ - name: loggr-udp-forwarder
+ properties:
+ loggregator:
+ tls:
+ ca:
+ cert:
+ key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: loggr_udp_forwarder_metrics
+ release: loggregator-agent
+ - name: nfsv3driver
+ properties:
+ nfsv3driver:
+ allowed-in-source: ""
+ ldap_host: ldap.myhost.com
+ ldap_port: 389
+ ldap_proto: tcp
+ ldap_svc_password: ldap-secure-password
+ ldap_svc_user: ldap-user
+ ldap_user_fqdn: cn=Users,dc=corp,dc=test,dc=com
+ tls:
+ ca_cert:
+ client_cert:
+ client_key:
+ server_cert:
+ server_key:
+ release: nfs-volume
+ - name: mapfs
+ release: mapfs
+ name: diego-cell
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_extensions:
+ - 100GB_ephemeral_disk
+ vm_type: xlarge
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - consumes:
+ doppler:
+ from: doppler
+ name: loggregator_trafficcontroller
+ properties:
+ cc:
+ internal_service_hostname: cloud-controller-ng.service.cf.internal
+ mutual_tls:
+ ca_cert:
+ tls_port: 9023
+ loggregator:
+ outgoing_cert:
+ outgoing_key:
+ tls:
+ ca_cert:
+ cc_trafficcontroller:
+ cert:
+ key:
+ trafficcontroller:
+ cert:
+ key:
+ uaa:
+ client_secret:
+ ssl:
+ skip_cert_verify: true
+ system_domain: system.cf.testing.example
+ uaa:
+ ca_cert:
+ internal_url: https://uaa.service.cf.internal:8443
+ release: loggregator
+ - name: reverse_log_proxy
+ properties:
+ loggregator:
+ tls:
+ ca_cert:
+ reverse_log_proxy:
+ cert:
+ key:
+ provides:
+ reverse_log_proxy:
+ as: reverse_log_proxy
+ shared: true
+ release: loggregator
+ - name: reverse_log_proxy_gateway
+ properties:
+ cc:
+ ca_cert:
+ capi_internal_addr: https://cloud-controller-ng.service.cf.internal:9023
+ cert:
+ common_name: cloud-controller-ng.service.cf.internal
+ key:
+ http:
+ address: 0.0.0.0:8088
+ cert:
+ key:
+ logs_provider:
+ ca_cert:
+ client_cert:
+ client_key:
+ metrics:
+ ca_cert:
+ cert:
+ key:
+ server_name: rlp_gateway_metrics
+ uaa:
+ ca_cert:
+ client_id: doppler
+ client_secret:
+ internal_addr: https://uaa.service.cf.internal:8443
+ release: loggregator
+ - name: route_registrar
+ properties:
+ nats:
+ tls:
+ client_cert:
+ client_key:
+ enabled: true
+ route_registrar:
+ routes:
+ - name: doppler
+ registration_interval: 20s
+ server_cert_domain_san: doppler.system.cf.testing.example
+ tls_port: 8081
+ uris:
+ - doppler.system.cf.testing.example
+ - '*.doppler.system.cf.testing.example'
+ - name: rlp-gateway
+ registration_interval: 20s
+ server_cert_domain_san: log-stream.system.cf.testing.example
+ tls_port: 8088
+ uris:
+ - log-stream.system.cf.testing.example
+ - '*.log-stream.system.cf.testing.example'
+ release: routing
+ name: log-api
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: minimal
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 2
+ jobs:
+ - name: credhub
+ properties:
+ credhub:
+ authentication:
+ mutual_tls:
+ trusted_cas:
+ -
+ uaa:
+ ca_certs:
+ -
+ url: https://uaa.service.cf.internal:8443
+ authorization:
+ acls:
+ enabled: true
+ permissions:
+ - actors:
+ - uaa-client:credhub_admin_client
+ operations:
+ - read
+ - write
+ - delete
+ - read_acl
+ - write_acl
+ path: /*
+ - actors:
+ - uaa-client:cc_service_key_client
+ operations:
+ - read
+ path: /*
+ - actors:
+ - uaa-client:nfs-broker-credhub-client
+ operations:
+ - read
+ - write
+ - delete
+ - read_acl
+ - write_acl
+ path: /nfsbroker/*
+ ca_certificate: |
+
+ data_storage:
+ database: credhub
+ host: sql-db.service.cf.internal
+ password:
+ port: 5524
+ require_tls: false
+ type: postgres
+ username: credhub
+ encryption:
+ keys:
+ - active: true
+ key_properties:
+ encryption_password:
+ provider_name: internal-provider
+ providers:
+ - name: internal-provider
+ type: internal
+ internal_url: https://credhub.service.cf.internal
+ tls:
+ ca:
+ certificate:
+ private_key:
+ release: credhub
+ name: credhub
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: minimal
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 1
+ jobs:
+ - name: rotate_cc_database_key
+ properties: {}
+ release: capi
+ lifecycle: errand
+ name: rotate-cc-database-key
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: minimal
+- azs:
+ - custom-az
+ instances: 5
+ jobs:
+ - name: cflinuxfs3-rootfs-setup
+ properties:
+ cflinuxfs3-rootfs:
+ trusted_certs:
+ -
+ -
+ -
+ release: cflinuxfs3
+ - name: garden
+ properties:
+ garden:
+ cleanup_process_dirs_on_wait: true
+ containerd_mode: true
+ default_container_grace_time: 0
+ deny_networks:
+ - 0.0.0.0/0
+ destroy_containers_on_start: true
+ graph_cleanup_threshold_in_mb: 0
+ logging:
+ format:
+ timestamp: rfc3339
+ provides:
+ iptables: nil
+ release: garden-runc
+ - name: rep
+ properties:
+ bpm:
+ enabled: true
+ containers:
+ proxy:
+ enabled: true
+ require_and_verify_client_certificates: true
+ trusted_ca_certificates:
+ -
+ -
+ verify_subject_alt_name:
+ - gorouter.service.cf.internal
+ - ssh-proxy.service.cf.internal
+ trusted_ca_certificates:
+ -
+ -
+ -
+ diego:
+ executor:
+ instance_identity_ca_cert:
+ instance_identity_key:
+ rep:
+ placement_tags:
+ - custom-iso-group
+ preloaded_rootfses:
+ - cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar
+ enable_consul_service_registration: false
+ enable_declarative_healthcheck: true
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ tls:
+ ca_cert:
+ cert:
+ key:
+ release: diego
+ - name: route_emitter
+ properties:
+ bpm:
+ enabled: true
+ diego:
+ route_emitter:
+ bbs:
+ ca_cert:
+ client_cert:
+ client_key:
+ local_mode: true
+ nats:
+ tls:
+ client_cert:
+ client_key:
+ enabled: true
+ internal_routes:
+ enabled: true
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ tcp:
+ enabled: true
+ uaa:
+ ca_cert:
+ client_secret:
+ release: diego
+ - name: nfsv3driver
+ properties:
+ nfsv3driver:
+ allowed-in-source: ""
+ ldap_ca_cert: nfs-ldap-ca-cert-ca
+ ldap_host: ldap.myhost.com
+ ldap_port: 389
+ ldap_proto: tcp
+ ldap_svc_password: ldap-secure-password
+ ldap_svc_user: ldap-user
+ ldap_user_fqdn: cn=Users,dc=corp,dc=test,dc=com
+ tls:
+ ca_cert:
+ client_cert:
+ client_key:
+ server_cert:
+ server_key:
+ release: nfs-volume
+ - name: mapfs
+ provides:
+ mapfs: nil
+ release: mapfs
+ name: custom-params-group
+ networks:
+ - name: cf-core
+ stemcell: test
+ vm_extensions:
+ - 100GB_ephemeral_disk
+ - cf-router-network-properties
+ vm_type: small-highmem
+- azs:
+ - z1
+ instances: 1
+ jobs:
+ - name: cflinuxfs3-rootfs-setup
+ properties:
+ cflinuxfs3-rootfs:
+ trusted_certs:
+ -
+ -
+ -
+ release: cflinuxfs3
+ - name: garden
+ properties:
+ garden:
+ cleanup_process_dirs_on_wait: true
+ containerd_mode: true
+ default_container_grace_time: 0
+ deny_networks:
+ - 0.0.0.0/0
+ destroy_containers_on_start: true
+ graph_cleanup_threshold_in_mb: 0
+ logging:
+ format:
+ timestamp: rfc3339
+ provides:
+ iptables: nil
+ release: garden-runc
+ - name: rep
+ properties:
+ bpm:
+ enabled: true
+ containers:
+ proxy:
+ enabled: true
+ require_and_verify_client_certificates: true
+ trusted_ca_certificates:
+ -
+ -
+ verify_subject_alt_name:
+ - gorouter.service.cf.internal
+ - ssh-proxy.service.cf.internal
+ trusted_ca_certificates:
+ -
+ -
+ -
+ diego:
+ executor:
+ instance_identity_ca_cert:
+ instance_identity_key:
+ rep:
+ placement_tags:
+ - default-iso-group
+ - default
+ preloaded_rootfses:
+ - cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar
+ enable_consul_service_registration: false
+ enable_declarative_healthcheck: true
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ tls:
+ ca_cert:
+ cert:
+ key:
+ release: diego
+ - name: route_emitter
+ properties:
+ bpm:
+ enabled: true
+ diego:
+ route_emitter:
+ bbs:
+ ca_cert:
+ client_cert:
+ client_key:
+ local_mode: true
+ nats:
+ tls:
+ client_cert:
+ client_key:
+ enabled: true
+ internal_routes:
+ enabled: true
+ logging:
+ format:
+ timestamp: rfc3339
+ loggregator:
+ ca_cert:
+ cert:
+ key:
+ use_v2_api: true
+ tcp:
+ enabled: true
+ uaa:
+ ca_cert:
+ client_secret:
+ release: diego
+ - name: nfsv3driver
+ properties:
+ nfsv3driver:
+ allowed-in-source: ""
+ ldap_ca_cert: nfs-ldap-ca-cert-ca
+ ldap_host: ldap.myhost.com
+ ldap_port: 389
+ ldap_proto: tcp
+ ldap_svc_password: ldap-secure-password
+ ldap_svc_user: ldap-user
+ ldap_user_fqdn: cn=Users,dc=corp,dc=test,dc=com
+ tls:
+ ca_cert:
+ client_cert:
+ client_key:
+ server_cert:
+ server_key:
+ release: nfs-volume
+ - name: mapfs
+ provides:
+ mapfs: nil
+ release: mapfs
+ name: default-params-group
+ networks:
+ - name: default
+ stemcell: default
+ vm_extensions:
+ - 100GB_ephemeral_disk
+ vm_type: xlarge
+- azs:
+ - zoneA
+ - zoneB
+ - zoneC
+ - zoneD
+ instances: 1
+ jobs:
+ - name: nfsbrokerpush
+ properties:
+ nfsbrokerpush:
+ app_domain: system.cf.testing.example
+ app_name: nfs-broker
+ cf:
+ client_id: nfs-broker-push-client
+ client_secret:
+ create_credhub_security_group: true
+ create_sql_security_group: false
+ credhub:
+ uaa_ca_cert:
+ uaa_client_id: nfs-broker-credhub-client
+ uaa_client_secret:
+ domain: system.cf.testing.example
+ ldap_enabled: true
+ organization: system
+ password:
+ skip_cert_verify: true
+ space: nfs-broker-space
+ store_id: nfsbroker
+ syslog_url: ""
+ username: nfs-broker
+ provides:
+ nfsbrokerpush:
+ as: ignore-me
+ release: nfs-volume
+ - name: cf-cli-7-linux
+ release: cf-cli
+ lifecycle: errand
+ name: nfs-broker-push
+ networks:
+ - name: cf-core
+ stemcell: default
+ vm_type: minimal
+manifest_version: v16.25.0
+name: isolation-segments-extended-cf
+releases:
+- name: binary-buildpack
+ sha1: 6e1ff3753ac5a86e968546222bbbaaba1264d938
+ url: https://bosh.io/d/github.com/cloudfoundry/binary-buildpack-release?v=1.0.40
+ version: 1.0.40
+- name: bpm
+ sha1: 6e1187b180c3d8e6d3dafa2861147a59d4ede27e
+ url: https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=1.1.14
+ version: 1.1.14
+- name: capi
+ sha1: f57b95580fa2f555ee7be7f17a4be4db6a1fea34
+ url: https://bosh.io/d/github.com/cloudfoundry/capi-release?v=1.119.0
+ version: 1.119.0
+- name: cf-networking
+ sha1: ad1c97f03736524128c313f54b3cae16bf5bd986
+ url: https://bosh.io/d/github.com/cloudfoundry/cf-networking-release?v=2.39.0
+ version: 2.39.0
+- name: cf-smoke-tests
+ sha1: b1eb4efe1f88367708ac8cbb08dc78a09dde9c4b
+ url: https://bosh.io/d/github.com/cloudfoundry/cf-smoke-tests-release?v=41.0.2
+ version: 41.0.2
+- name: cflinuxfs3
+ sha1: 0a7bb8199a63a667569c5d1e5a3e0b1d4a7b96d2
+ url: https://bosh.io/d/github.com/cloudfoundry/cflinuxfs3-release?v=0.262.0
+ version: 0.262.0
+- name: credhub
+ sha1: f5b5ce04eee1251d352f337a6ecb794c4dba8a39
+ url: https://bosh.io/d/github.com/pivotal-cf/credhub-release?v=2.11.1
+ version: 2.11.1
+- name: diego
+ sha1: 85f71928d7d0f89e04cdf386c2ab4c3d485fa468
+ url: https://bosh.io/d/github.com/cloudfoundry/diego-release?v=2.53.0
+ version: 2.53.0
+- name: dotnet-core-buildpack
+ sha1: 60442fcaad7552b3bc26e61f77779deef46913b8
+ url: https://bosh.io/d/github.com/cloudfoundry/dotnet-core-buildpack-release?v=2.3.34
+ version: 2.3.34
+- name: garden-runc
+ sha1: d06a32a2e50faabd2df328619384089d9418f355
+ url: https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.19.30
+ version: 1.19.30
+- name: go-buildpack
+ sha1: b1a756e21b7a9cbf3c04e66402657a41fce7d7e6
+ url: https://bosh.io/d/github.com/cloudfoundry/go-buildpack-release?v=1.9.36
+ version: 1.9.36
+- name: java-buildpack
+ sha1: 437779c708c437f8e60b1c92f218c4d01e809b6c
+ url: https://bosh.io/d/github.com/cloudfoundry/java-buildpack-release?v=4.42
+ version: "4.42"
+- name: loggregator
+ sha1: 9eb81ddf174e826a5f4e59bc4dc6bda9007495eb
+ url: https://bosh.io/d/github.com/cloudfoundry/loggregator-release?v=106.6.0
+ version: 106.6.0
+- name: metrics-discovery
+ sha1: 073f13a065ca15e7c0c435ec71f88675f4e704d3
+ url: https://bosh.io/d/github.com/cloudfoundry/metrics-discovery-release?v=3.0.6
+ version: 3.0.6
+- name: nats
+ sha1: c8b82cebfd24e65b1079b66435aac4b48f4aa3c5
+ url: https://bosh.io/d/github.com/cloudfoundry/nats-release?v=40
+ version: "40"
+- name: nginx-buildpack
+ sha1: 8adeefbcc10e25776d364f17caa4a3fdab8c3334
+ url: https://bosh.io/d/github.com/cloudfoundry/nginx-buildpack-release?v=1.1.32
+ version: 1.1.32
+- name: r-buildpack
+ sha1: 11e2fcb1f349c88a3cc2156d55730c7eb4d143ce
+ url: https://bosh.io/d/github.com/cloudfoundry/r-buildpack-release?v=1.1.22
+ version: 1.1.22
+- name: nodejs-buildpack
+ sha1: 7be381c1e879493239619ad708d258424fe0b626
+ url: https://bosh.io/d/github.com/cloudfoundry/nodejs-buildpack-release?v=1.7.62
+ version: 1.7.62
+- name: php-buildpack
+ sha1: 9f3e8de97495074ebd0362623f23d6884297fab9
+ url: https://bosh.io/d/github.com/cloudfoundry/php-buildpack-release?v=4.4.46
+ version: 4.4.46
+- name: pxc
+ sha1: 526751fd60912322aafbb2b25f744b732501493f
+ url: https://bosh.io/d/github.com/cloudfoundry-incubator/pxc-release?v=0.39.0
+ version: 0.39.0
+- name: python-buildpack
+ sha1: 73f6790af87c0945e9ab91036817b325b9976ee5
+ url: https://bosh.io/d/github.com/cloudfoundry/python-buildpack-release?v=1.7.46
+ version: 1.7.46
+- name: routing
+ sha1: a5b7f3b746cfa169f466c2b682db296ab8dcd0ad
+ url: https://bosh.io/d/github.com/cloudfoundry/routing-release?v=0.225.0
+ version: 0.225.0
+- name: ruby-buildpack
+ sha1: f6b4d39e0df49746cc4a41c308e6737e6c82764e
+ url: https://bosh.io/d/github.com/cloudfoundry/ruby-buildpack-release?v=1.8.47
+ version: 1.8.47
+- name: silk
+ sha1: 7728d15d5e0bc6c0a0a2124f123c99baf79b6ff7
+ url: https://bosh.io/d/github.com/cloudfoundry/silk-release?v=2.39.0
+ version: 2.39.0
+- name: staticfile-buildpack
+ sha1: 713dfd0486f32073281129ab45961031833d7998
+ url: https://bosh.io/d/github.com/cloudfoundry/staticfile-buildpack-release?v=1.5.25
+ version: 1.5.25
+- name: statsd-injector
+ sha1: 4ca93a4ab1a65a2b7cb2c84d27b6cbd725a914a9
+ url: https://bosh.io/d/github.com/cloudfoundry/statsd-injector-release?v=1.11.16
+ version: 1.11.16
+- name: uaa
+ sha1: 57ffc783177cbca45a983cc573b591b636d0c0bf
+ url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=75.14.0
+ version: 75.14.0
+- name: loggregator-agent
+ sha1: 9dd3ad00fb49bebd8290fad8ce7b2e4992dac31f
+ url: https://bosh.io/d/github.com/cloudfoundry/loggregator-agent-release?v=6.3.4
+ version: 6.3.4
+- name: log-cache
+ sha1: f91e89e494ac4f9010f33a9567335dc713287fec
+ url: https://bosh.io/d/github.com/cloudfoundry/log-cache-release?v=2.11.4
+ version: 2.11.4
+- name: bosh-dns-aliases
+ sha1: 55b3dced813ff9ed92a05cda02156e4b5604b273
+ url: https://bosh.io/d/github.com/cloudfoundry/bosh-dns-aliases-release?v=0.0.4
+ version: 0.0.4
+- name: cf-cli
+ sha1: c3d11f473d4518505e2a671d8ad6a553e1b1c1ca
+ url: https://bosh.io/d/github.com/bosh-packages/cf-cli-release?v=1.34.0
+ version: 1.34.0
+- name: nfs-volume
+ sha1: 6dbfcdb3ed5de63fd63e82710dfb58084c566f62
+ url: https://bosh.io/d/github.com/cloudfoundry/nfs-volume-release?v=7.1.1
+ version: 7.1.1
+- name: mapfs
+ sha1: 440014423159187727d3622d41e5779f0f25902d
+ url: https://bosh.io/d/github.com/cloudfoundry/mapfs-release?v=1.2.6
+ version: 1.2.6
+- name: postgres
+ sha1: e44bbe8f8a7cdde1cda67b202e399a239d104db6
+ url: https://bosh.io/d/github.com/cloudfoundry/postgres-release?v=43
+ version: "43"
+stemcells:
+- alias: default
+ os: ubuntu-bionic
+ version: "1.54"
+update:
+ canaries: 1
+ canary_watch_time: 30000-1200000
+ max_in_flight: 1
+ serial: false
+ update_watch_time: 5000-1200000
+variables: []
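Review bot: the nfsv3driver job on the `diego-cell` group (the block from `ldap_host: ldap.myhost.com` to `ldap_user_fqdn`) has no `ldap_ca_cert`, while the same job on `custom-params-group` and `default-params-group` renders `ldap_ca_cert: nfs-ldap-ca-cert-ca`; if the `nfs-ldap` feature is meant to give every cell group the same LDAP settings, the base cell group is missing the CA, and the two kinds of cells would verify the directory server differently. Worth confirming at the same time that `ldap_proto: tcp` on `ldap_port: 389` is the intended endpoint when a CA certificate is being supplied. Separately, `custom-params-group` sets `stemcell: test`, but the `stemcells:` block of this expected manifest defines only the alias `default`; BOSH rejects an instance group that references an undefined stemcell alias, so either the spec input or this expected output needs a `test` alias.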
diff --git a/spec/results/isolation-segments.yml b/spec/results/isolation-segments.yml
index 7d3face7..3893933b 100644
--- a/spec/results/isolation-segments.yml
+++ b/spec/results/isolation-segments.yml
@@ -1580,20 +1580,12 @@ instance_groups:
vm_extensions:
- cf-router-network-properties
vm_type: minimal
-- name: tcp-router
- networks:
- - name: cf-edge
- instances: 2
- stemcell: default
- vm_type: minimal
- azs:
+- azs:
- z1
- z2
- vm_extensions:
- - cf-tcp-router-network-properties
+ instances: 2
jobs:
- name: tcp_router
- release: routing
properties:
tcp_router:
oauth_secret:
@@ -1601,19 +1593,27 @@ instance_groups:
uaa:
ca_cert:
tls_port: 8443
+ release: routing
- name: loggr-udp-forwarder
- release: loggregator-agent
properties:
loggregator:
tls:
- key:
ca:
cert:
+ key:
metrics:
- key:
ca_cert:
cert:
+ key:
server_name: loggr_udp_forwarder_metrics
+ release: loggregator-agent
+ name: tcp-router
+ networks:
+ - name: cf-edge
+ stemcell: default
+ vm_extensions:
+ - cf-tcp-router-network-properties
+ vm_type: minimal
- azs:
- z1
- z2
@@ -2071,30 +2071,19 @@ instance_groups:
- name: cf-core
stemcell: default
vm_type: minimal
-- name: custom-params-group
- networks:
- - name: cf-runtime
- instances: 5
- stemcell: test
- vm_type: small-highmem
- azs:
+- azs:
- custom-az
- vm_extensions:
- - 100GB_ephemeral_disk
- - cf-router-network-properties
+ instances: 5
jobs:
- name: cflinuxfs3-rootfs-setup
- release: cflinuxfs3
properties:
cflinuxfs3-rootfs:
trusted_certs:
-
-
-
+ release: cflinuxfs3
- name: garden
- release: garden-runc
- provides:
- iptables: nil
properties:
garden:
cleanup_process_dirs_on_wait: true
@@ -2107,8 +2096,10 @@ instance_groups:
logging:
format:
timestamp: rfc3339
+ provides:
+ iptables: nil
+ release: garden-runc
- name: rep
- release: diego
properties:
bpm:
enabled: true
@@ -2141,16 +2132,16 @@ instance_groups:
format:
timestamp: rfc3339
loggregator:
- key:
ca_cert:
cert:
+ key:
use_v2_api: true
tls:
- key:
ca_cert:
cert:
- - name: route_emitter
+ key:
release: diego
+ - name: route_emitter
properties:
bpm:
enabled: true
@@ -2172,37 +2163,41 @@ instance_groups:
format:
timestamp: rfc3339
loggregator:
- key:
ca_cert:
cert:
+ key:
use_v2_api: true
tcp:
enabled: true
uaa:
ca_cert:
client_secret:
-- name: default-params-group
+ release: diego
+ name: custom-params-group
networks:
- - name: default
- instances: 1
- stemcell: default
- vm_type: minimal
- vm_extensions: "[]"
- azs:
+ - name: cf-runtime
+ stemcell: test
+ vm_extensions:
+ - 100GB_ephemeral_disk
+ - cf-router-network-properties
+ vm_type: small-highmem
+- azs:
- z1
+ instances: 1
jobs:
- name: cflinuxfs3-rootfs-setup
- release: cflinuxfs3
properties:
cflinuxfs3-rootfs:
trusted_certs:
-
-
-
+ - certificate: second-additional-test-ssl-cert
+ private_key: second-additional-test-ssl-private-key
+ - certificate: first-additional-test-ssl-cert
+ private_key: first-additional-test-ssl-private-key
+ release: cflinuxfs3
- name: garden
- release: garden-runc
- provides:
- iptables: nil
properties:
garden:
cleanup_process_dirs_on_wait: true
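Review bot: the additional test certificates (`second-additional-test-ssl-cert`, `first-additional-test-ssl-cert`) are appended only to `default-params-group`'s `trusted_certs`, while `custom-params-group`'s `trusted_certs` in the earlier hunk of this file keep their three empty `-` entries; if the `isolation-segments-addl-certs` vars are meant to reach every cell group, the custom group is missing them, and if per-group is intended, say so in the spec fixture. Note also that the three empty `-` items stay in the list beside the real certificates (the same happens for `rep`'s `trusted_ca_certificates` further down), which renders as null entries in `trusted_certs`; the fixture should resolve or drop them.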
@@ -2215,8 +2210,10 @@ instance_groups:
logging:
format:
timestamp: rfc3339
+ provides:
+ iptables: nil
+ release: garden-runc
- name: rep
- release: diego
properties:
bpm:
enabled: true
@@ -2234,6 +2231,10 @@ instance_groups:
-
-
-
+ - certificate: second-additional-test-ssl-cert
+ private_key: second-additional-test-ssl-private-key
+ - certificate: first-additional-test-ssl-cert
+ private_key: first-additional-test-ssl-private-key
diego:
executor:
instance_identity_ca_cert:
@@ -2249,16 +2250,16 @@ instance_groups:
format:
timestamp: rfc3339
loggregator:
- key:
ca_cert:
cert:
+ key:
use_v2_api: true
tls:
- key:
ca_cert:
cert:
- - name: route_emitter
+ key:
release: diego
+ - name: route_emitter
properties:
bpm:
enabled: true
@@ -2280,15 +2281,23 @@ instance_groups:
format:
timestamp: rfc3339
loggregator:
- key:
ca_cert:
cert:
+ key:
use_v2_api: true
tcp:
enabled: true
uaa:
ca_cert:
client_secret:
+ release: diego
+ name: default-params-group
+ networks:
+ - name: default
+ stemcell: default
+ vm_extensions:
+ - 100GB_ephemeral_disk
+ vm_type: small-highmem
manifest_version: v16.25.0
name: isolation-segments-cf
releases:
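Review bot: `default-params-group` changes `vm_type` from `minimal` (removed above) to `small-highmem` here, and its `vm_extensions` goes from the string `"[]"` to a list containing `100GB_ephemeral_disk`; the `vm_extensions` fix is clearly right (a quoted `"[]"` is a string, not an empty list), but the `vm_type` change is not explained by the isolation-segment work in this diff, so confirm it is an intended change to the default group's sizing rather than a side effect of the template rewrite.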
diff --git a/spec/spec_test.go b/spec/spec_test.go
index 13b9af7b..3e2106de 100644
--- a/spec/spec_test.go
+++ b/spec/spec_test.go
@@ -211,6 +211,14 @@ var _ = Describe("Interal Kit", func() {
Name: "isolation-segments",
CloudConfig: "aws",
RuntimeConfig: "dns",
+ CredhubVars: "isolation-segments-addl-certs",
+ CPI: "aws",
+ })
+ Test(Environment{
+ Name: "isolation-segments-extended",
+ CloudConfig: "aws",
+ RuntimeConfig: "dns",
+ CredhubVars: "isolation-segments-nfs",
CPI: "aws",
})
// Test(Environment{
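Review bot: both `CredhubVars` values (`isolation-segments-addl-certs` for the existing environment and `isolation-segments-nfs` for the new `isolation-segments-extended` one) name fixture files that do not appear anywhere in this diff; the only fixture added is `spec/vault/isolation-segments-extended.yml`, and it is empty. Please confirm those credhub var files are committed, otherwise both tests will run against missing inputs. Minor: the enclosing `Describe("Interal Kit", ...)` has a typo for "Internal".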
diff --git a/spec/vault/isolation-segments-extended.yml b/spec/vault/isolation-segments-extended.yml
new file mode 100644
index 00000000..9e26dfee
--- /dev/null
+++ b/spec/vault/isolation-segments-extended.yml
@@ -0,0 +1 @@
+{}
\ No newline at end of file
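Review bot: the new vault fixture is an empty document (`{}`) with no trailing newline; add the newline so the file does not trip whitespace linters, and if the extended environment really needs no vault secrets (everything coming from `isolation-segments-nfs` credhub vars), a one-line comment in the file saying so would make the empty mapping look deliberate rather than like a placeholder that was never filled in.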