Update properties to work with cf-release v276ish

genesis-community · Feb 15, 2018 · b9c33ed · b9c33ed
1 parent 6d0b685
commit b9c33ed
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 7 deletions.
diff --git a/base/0-deployment-order.yml b/base/0-deployment-order.yml
@@ -74,6 +74,7 @@ instance_groups:
   stemcell: default
   networks:
   - name: (( grab params.cf_internal_network ))
+    static_ips: (( static_ips(15, 16, 17, 18, 19) ))
 
 - name: loggregator_trafficcontroller
   instances: (( grab params.loggregator_instances ))

diff --git a/base/cell.yml b/base/cell.yml
@@ -9,7 +9,7 @@ instance_groups:
       consul_server: nil
       consul_client: {from: consul_client_link}
 
-  - { name: cflinuxfs2-rootfs-setup, release: cflinuxfs2-rootfs }
+  - { name: cflinuxfs2-rootfs-setup, release: cflinuxfs2 }
 
   - name: garden
     release: garden-runc
@@ -24,7 +24,6 @@ instance_groups:
         persistent_image_list:
         - "/var/vcap/packages/cflinuxfs2/rootfs"
 
-
   - name: rep
     release: diego
     properties:

diff --git a/base/certs.yml b/base/certs.yml
@@ -36,6 +36,9 @@ meta:
         server:
           public_cert: (( vault meta.vault "/diego/certs/capi:certificate" ))
           private_key: (( vault meta.vault "/diego/certs/capi:key" ))
+        client:
+          cert: (( vault meta.vault "/diego/certs/capi_client:certificate" ))
+          key: (( vault meta.vault "/diego/certs/capi_client:key" ))
 
       cc_uploader:
         server:

diff --git a/base/cloud_controller.yml b/base/cloud_controller.yml
@@ -43,6 +43,8 @@ instance_groups:
           cc-service-dashboards:
             scope: openid,cloud_controller_service_permissions.read
             secret: (( grab meta.uaa.cc_broker_secret ))
+          cc_service_key_client:
+            secret: (( grab meta.uaa.cc_service_key_client_secret ))
           cc_routing:
             secret: (( grab meta.uaa.cc_routing_secret ))
           cloud_controller_username_lookup:
@@ -149,14 +151,15 @@ meta:
     - load_balancer
     default_to_diego_backend: true
 
-    # This Diego block should go away in a future upgrade
-    # when these keys just become the defaults
+    #This is still here even though it was supposed to be gone two releases ago...
     diego:
       temporary_local_staging: true
       temporary_local_tasks: true
       temporary_local_apps: true
       temporary_local_tps: true
       temporary_local_sync: true
+      temporary_cc_uploader_mtls: true
+      temporary_droplet_download_mtls: true
 
     droplets:
       .: (( inject meta.blobstore_config ))
@@ -220,7 +223,7 @@ meta:
       rules: (( grab params.app_services_networks ))
     - name: load_balancer
       rules: (( grab params.cf_public_ips ))
-    srv_api_uri: (( concat "https://" meta.api_hostname ))
+
     volume_services_enabled: true
 
   statsd_injector:

diff --git a/base/loggregator.yml b/base/loggregator.yml
@@ -71,14 +71,17 @@ instance_groups:
     properties:
       system_domain: (( grab params.system_domain ))
       cc:
-        srv_api_uri: (( grab meta.cc.srv_api_uri ))
         tls_port: (( grab meta.cc.tls_port ))
+        internal_service_hostname: cloud-controller-ng.service.cf.internal
+        mutual_tls:
+          ca_cert: (( grab meta.cc.mutual_tls.ca_cert ))
       ssl:
         skip_cert_verify: (( grab params.skip_ssl_validation ))
       loggregator:
         tls:
           ca_cert: (( grab meta.certs.loggregator.ca ))
           trafficcontroller: (( grab meta.certs.loggregator.trafficcontroller.server ))
+          cc_trafficcontroller: (( grab meta.certs.diego.capi.client ))
         uaa:
           client_secret: (( grab meta.uaa.doppler_secret ))
         etcd:
@@ -88,7 +91,8 @@ instance_groups:
       traffic_controller:
         etcd: (( grab meta.certs.etcd.client ))
       uaa:
-        url: (( grab meta.uaa.url ))
+        internal_url: (( grab meta.uaa.internal_url ))
+        ca_cert: (( grab meta.certs.uaa.ca ))
 
   - name: route_registrar
     release: routing

diff --git a/base/uaa.yml b/base/uaa.yml
@@ -26,6 +26,10 @@ instance_groups:
             authorized-grant-types: client_credentials
             scope: openid,cloud_controller_service_permissions.read
             secret: (( grab meta.uaa.cc_broker_secret ))
+          cc_service_key_client:
+            authorities: credhub.read,credhub.write
+            authorized-grant-types: client_credentials
+            secret: (( grab meta.uaa.cc_service_key_client_secret ))
           cc_routing:
             authorities: routing.router_groups.read
             authorized-grant-types: client_credentials
@@ -158,12 +162,14 @@ meta:
 
   uaa:
     url: (( concat "https://uaa." params.system_domain ))
+    internal_url: "https://uaa.service.cf.internal:8443"
     port: 8080
     ssl_port: 8443
 
     admin_client_secret:   (( vault meta.vault "/uaa/client_secrets:admin_client" ))
     cc_broker_secret:      (( vault meta.vault "/uaa/client_secrets:cc_broker" ))
     cc_routing_secret:     (( vault meta.vault "/uaa/client_secrets:cc_routing" ))
+    cc_service_key_client_secret: (( vault meta.vault "/uaa/client_secrets:cc_service_key_client" ))
     cc_user_lookup_secret: (( vault meta.vault "/uaa/client_secrets:cc_user_lookup" ))
     doppler_secret:        (( vault meta.vault "/uaa/client_secrets:doppler" ))
     firehose_secret:       (( vault meta.vault "/uaa/client_secrets:firehose" ))

diff --git a/kit.yml b/kit.yml
@@ -116,6 +116,9 @@ certificates:
       capi:
         valid_for: 1y
         names: [ "cloud-controller-ng.service.cf.internal" ]
+      capi_client:
+        valid_for: 1y
+        names: [ "cloud controller client" ]
       cc_uploader:
         valid_for: 1y
         names: [ "cc_uploader" ]
@@ -184,6 +187,7 @@ credentials:
     uaa/client_secrets:
       admin_client:   random 64
       cc_broker:      random 64
+      cc_service_key_client: random 64
       cc_routing:     random 64
       cc_user_lookup: random 64
       doppler:        random 64