diff --git a/base/0-deployment-order.yml b/base/0-deployment-order.yml
index 85b50b08..fbea3d53 100644
--- a/base/0-deployment-order.yml
+++ b/base/0-deployment-order.yml
@@ -74,6 +74,7 @@ instance_groups:
 stemcell: default
 networks:
 - name: (( grab params.cf_internal_network ))
+ static_ips: (( static_ips(15, 16, 17, 18, 19) ))
 - name: loggregator_trafficcontroller
 instances: (( grab params.loggregator_instances ))
diff --git a/base/cell.yml b/base/cell.yml
index a64cd40a..2e8cf6bb 100644
--- a/base/cell.yml
+++ b/base/cell.yml
@@ -9,7 +9,7 @@ instance_groups:
 consul_server: nil
 consul_client: {from: consul_client_link}
- - { name: cflinuxfs2-rootfs-setup, release: cflinuxfs2-rootfs }
+ - { name: cflinuxfs2-rootfs-setup, release: cflinuxfs2 }
 - name: garden
 release: garden-runc
@@ -24,7 +24,6 @@ instance_groups:
 persistent_image_list:
 - "/var/vcap/packages/cflinuxfs2/rootfs"
-
 - name: rep
 release: diego
 properties:
diff --git a/base/certs.yml b/base/certs.yml
index b3d599ac..f6824267 100644
--- a/base/certs.yml
+++ b/base/certs.yml
@@ -36,6 +36,9 @@ meta:
 server:
 public_cert: (( vault meta.vault "/diego/certs/capi:certificate" ))
 private_key: (( vault meta.vault "/diego/certs/capi:key" ))
+ client:
+ cert: (( vault meta.vault "/diego/certs/capi_client:certificate" ))
+ key: (( vault meta.vault "/diego/certs/capi_client:key" ))
 cc_uploader:
 server:
diff --git a/base/cloud_controller.yml b/base/cloud_controller.yml
index 5d202a58..29a6429d 100644
--- a/base/cloud_controller.yml
+++ b/base/cloud_controller.yml
@@ -43,6 +43,8 @@ instance_groups:
 cc-service-dashboards:
 scope: openid,cloud_controller_service_permissions.read
 secret: (( grab meta.uaa.cc_broker_secret ))
+ cc_service_key_client:
+ secret: (( grab meta.uaa.cc_service_key_client_secret ))
 cc_routing:
 secret: (( grab meta.uaa.cc_routing_secret ))
 cloud_controller_username_lookup:
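Review bot: The added `static_ips: (( static_ips(15, 16, 17, 18, 19) ))` silently caps this instance group at five instances and nothing on the line says so; the next group in the hunk sizes itself from `params.loggregator_instances`, so if this group's `instances:` (above the hunk) is parameterised the same way, a value above 5 fails at merge time with an error that does not point back here. Suggest a comment above it: `# five offsets = at most 5 instances; extend the list before raising the instance count`. The enclosing instance group starts outside the hunk.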
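Review bot: The new `client:` block in base/certs.yml names its fields `cert`/`key`, while the `server:` block directly above uses `public_cert`/`private_key`; since base/loggregator.yml in this diff grabs the whole `meta.certs.diego.capi.client` map into `loggregator.tls.cc_trafficcontroller`, the names are presumably fixed by what the trafficcontroller job expects rather than a free choice. A comment would keep a later tidy-up from breaking it: `# field names must match what the trafficcontroller job expects; loggregator.yml grabs this map whole`. The parent `capi:` key sits above the hunk.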
@@ -149,14 +151,15 @@ meta:
 - load_balancer
 default_to_diego_backend: true
- # This Diego block should go away in a future upgrade
- # when these keys just become the defaults
+ #This is still here even though it was supposed to be gone two releases ago...
 diego:
 temporary_local_staging: true
 temporary_local_tasks: true
 temporary_local_apps: true
 temporary_local_tps: true
 temporary_local_sync: true
+ temporary_cc_uploader_mtls: true
+ temporary_droplet_download_mtls: true
 droplets:
 .: (( inject meta.blobstore_config ))
@@ -220,7 +223,7 @@ meta:
 rules: (( grab params.app_services_networks ))
 - name: load_balancer
 rules: (( grab params.cf_public_ips ))
- srv_api_uri: (( concat "https://" meta.api_hostname ))
+ volume_services_enabled: true
 statsd_injector:
diff --git a/base/loggregator.yml b/base/loggregator.yml
index fcc6111a..44e60714 100644
--- a/base/loggregator.yml
+++ b/base/loggregator.yml
@@ -71,14 +71,17 @@ instance_groups:
 properties:
 system_domain: (( grab params.system_domain ))
 cc:
- srv_api_uri: (( grab meta.cc.srv_api_uri ))
 tls_port: (( grab meta.cc.tls_port ))
+ internal_service_hostname: cloud-controller-ng.service.cf.internal
+ mutual_tls:
+ ca_cert: (( grab meta.cc.mutual_tls.ca_cert ))
 ssl:
 skip_cert_verify: (( grab params.skip_ssl_validation ))
 loggregator:
 tls:
 ca_cert: (( grab meta.certs.loggregator.ca ))
 trafficcontroller: (( grab meta.certs.loggregator.trafficcontroller.server ))
+ cc_trafficcontroller: (( grab meta.certs.diego.capi.client ))
 uaa:
 client_secret: (( grab meta.uaa.doppler_secret ))
 etcd:
@@ -88,7 +91,8 @@ instance_groups:
 traffic_controller:
 etcd: (( grab meta.certs.etcd.client ))
 uaa:
- url: (( grab meta.uaa.url ))
+ internal_url: (( grab meta.uaa.internal_url ))
+ ca_cert: (( grab meta.certs.uaa.ca ))
 - name: route_registrar
 release: routing
diff --git a/base/uaa.yml b/base/uaa.yml
index 4ae7f5a5..a7446f76 100644
--- a/base/uaa.yml
+++ b/base/uaa.yml
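Review bot: The replacement comment `#This is still here even though it was supposed to be gone two releases ago...` loses the space after `#` that the two lines it replaces used, and it no longer tells the reader what the block is for or when it may be removed, which the old text did. Suggest `# Diego feature flags, kept until the upstream release makes them the defaults; drop the block once that happens`, which also covers the two new `temporary_*_mtls` keys added below it.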
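Review bot: `volume_services_enabled: true` in the `@@ -220` hunk of base/cloud_controller.yml is dropped into the slot vacated by `srv_api_uri` but is an unrelated change: it unconditionally turns volume services on for every deployment built from this kit, and unlike the `rules:` lines around it, it is not driven by `params.*`. Either expose it as a `params.*` value with a default through spruce's `||` fallback, or add `# deliberately always on` so the next reader does not take it for a leftover. The removed `meta.cc.srv_api_uri` has one consumer visible in this diff (base/loggregator.yml, which the commit also removes); files outside the diff may still grab it and would then fail at merge time.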
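Review bot: `internal_service_hostname: cloud-controller-ng.service.cf.internal` in base/loggregator.yml is a second copy of the literal that kit.yml in this diff uses as the `capi` certificate name; the trafficcontroller will validate the CC certificate against this hostname, so if either copy drifts the mTLS hop fails and `skip_cert_verify` becomes the tempting fix. Add `# must match the capi certificate name in kit.yml` here, or source both from one place if the kit allows it. Separately, `(( grab meta.cc.mutual_tls.ca_cert ))` references a key this diff does not define; if base/cloud_controller.yml does not already carry `meta.cc.mutual_tls`, the merge fails.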
@@ -26,6 +26,10 @@ instance_groups:
 authorized-grant-types: client_credentials
 scope: openid,cloud_controller_service_permissions.read
 secret: (( grab meta.uaa.cc_broker_secret ))
+ cc_service_key_client:
+ authorities: credhub.read,credhub.write
+ authorized-grant-types: client_credentials
+ secret: (( grab meta.uaa.cc_service_key_client_secret ))
 cc_routing:
 authorities: routing.router_groups.read
 authorized-grant-types: client_credentials
@@ -158,12 +162,14 @@ meta:
 uaa:
 url: (( concat "https://uaa." params.system_domain ))
+ internal_url: "https://uaa.service.cf.internal:8443"
 port: 8080
 ssl_port: 8443
 admin_client_secret: (( vault meta.vault "/uaa/client_secrets:admin_client" ))
 cc_broker_secret: (( vault meta.vault "/uaa/client_secrets:cc_broker" ))
 cc_routing_secret: (( vault meta.vault "/uaa/client_secrets:cc_routing" ))
+ cc_service_key_client_secret: (( vault meta.vault "/uaa/client_secrets:cc_service_key_client" ))
 cc_user_lookup_secret: (( vault meta.vault "/uaa/client_secrets:cc_user_lookup" ))
 doppler_secret: (( vault meta.vault "/uaa/client_secrets:doppler" ))
 firehose_secret: (( vault meta.vault "/uaa/client_secrets:firehose" ))
diff --git a/kit.yml b/kit.yml
index ebcd89ef..efe6508f 100644
--- a/kit.yml
+++ b/kit.yml
@@ -116,6 +116,9 @@ certificates:
 capi:
 valid_for: 1y
 names: [ "cloud-controller-ng.service.cf.internal" ]
+ capi_client:
+ valid_for: 1y
+ names: [ "cloud controller client" ]
 cc_uploader:
 valid_for: 1y
 names: [ "cc_uploader" ]
@@ -184,6 +187,7 @@ credentials:
 uaa/client_secrets:
 admin_client: random 64
 cc_broker: random 64
+ cc_service_key_client: random 64
 cc_routing: random 64
 cc_user_lookup: random 64
 doppler: random 64
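Review bot: `cc_service_key_client` is the only client in this hunk with a write authority (`credhub.read,credhub.write`), and nothing says which component uses it or which operation needs write, so a later least-privilege pass cannot judge whether `credhub.write` is still needed. Suggest a comment above the block, e.g. `# CredHub client for cloud_controller (base/cloud_controller.yml); write is presumably needed to store service-key credentials — confirm, and drop it if read suffices`.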
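Review bot: `internal_url: "https://uaa.service.cf.internal:8443"` in the `@@ -158` hunk hard-codes the port that `ssl_port: 8443` sets two lines below, so a later change to `ssl_port` leaves the internal URL — now used by the loggregator trafficcontroller in this diff — pointing at the old port. Derive it instead, `internal_url: (( concat "https://uaa.service.cf.internal:" meta.uaa.ssl_port ))`, if this spruce version accepts an integer reference in `concat`; otherwise add `# keep in sync with ssl_port below`.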