kit.yml
---
name: Cloud Foundry
version: 0.0.1
author: Geoff Franks <[email protected]>
homepage: https://github.com/genesis-community/cf-genesis-kit
github: https://github.com/genesis-community/cf-genesis-kit
description: |
  This kit will deploy OSS Cloud Foundry to BOSH. It contains
  subkits to help identify where your databases and blobstore are,
  customizations for Azure environments, and to enable an appropriate
  HA Proxy configuration if desired. It is loosely based off of the
  [cf-deployment](https://github.com/cloudfoundry/cf-deployment) repo.
subkits:
  # Needs to go first so that its blobstore job is deleted properly
  # FIXME: fix things so this is not merge-order-dependent
  - prompt: Are you deploying Cloud Foundry on Azure?
    subkit: azure
    default: no
  - prompt: What database backend will you use for uaadb, ccdb, and diegodb?
    type: database backend
    choices:
      - subkit: db-external-mysql
        label: MySQL databases deployed externally to Cloud Foundry (e.g. RDS)
      - subkit: db-external-postgres
        label: Postgres databases deployed externally to Cloud Foundry (e.g. RDS)
      - subkit: db-internal-postgres
        label: I do not have external databases to offer Cloud Foundry. Please give me a single-point-of-failure Postgres
  - prompt: What blobstore backend will you use for Cloud Foundry?
    type: blobstore backend
    choices:
      - subkit: blobstore-s3
        label: Amazon S3
      - subkit: blobstore-azure
        label: Azure Blobstore
      - subkit: blobstore-gcp
        label: Google Cloud Platform Blobstore
      - subkit: blobstore-webdav
        label: A single-point-of-failure WebDAV server deployed alongside CF via BOSH
  - prompt: |
      Do you need to include an HA Proxy configuration in front of Cloud Foundry?
      Common reasons for doing so include:
        - Deploying to an IaaS that does not provide a built-in load-balancing option,
          and not having hardware load balancers to use
        - You have multiple app domains pointing to Cloud Foundry, each requiring
          unique SSL certificates, and your IaaS load balancer doesn't support SNI
        - You have domains hosted in Cloud Foundry that should be restricted to
          internal-only traffic
    type: haproxy backend
    choices:
      - subkit: haproxy-notls
        label: I need HA Proxy installed with Cloud Foundry, but will terminate SSL connections before they are sent to HA Proxy
      - subkit: haproxy-tls
        label: I need HA Proxy installed with Cloud Foundry, and HA Proxy will terminate SSL
      - subkit: omit-haproxy
        label: I will be using an IaaS-provided load balancer that does SSL termination
  - prompt: Do you want to enable NFS Volume Services in your Cloud Foundry?
    subkit: nfs-volume-services
  - prompt: Do you want to install the SHIELD agent to back up your database/blobstore if applicable?
    subkit: shield
  - prompt: "Do you want to deploy a non-production, bare-bones Cloud Foundry?"
    type: HA-i-ness
    choices:
      - subkit: minimum-vms
        label: "Yes, I want only one of each VM type, and **NO** HA to save on costs in a development environment"
      - subkit: ~
        label: "No, I need high availability!"
  - prompt: Do you wish to send Cloud Foundry metrics to NewRelic? (Requires separate NewRelic account)
    subkit: newrelic
    default: no
certificates:
  base:
    consul/certs:
      ca: { valid_for: 1y }
      server:
        valid_for: 1y
        names: [ server.dc1.cf.internal ]
      agent:
        valid_for: 1y
        names: [ consul_agent ]
    etcd/certs:
      ca: { valid_for: 1y }
      client:
        valid_for: 1y
        names: [ clientName ]
      server:
        valid_for: 1y
        names: [ "cf-etcd.service.cf.internal", "*.cf-etcd.service.cf.internal" ]
    etcd/peer_certs:
      ca: { valid_for: 1y }
      peer:
        valid_for: 1y
        names: [ "cf-etcd.service.cf.internal", "*.cf-etcd.service.cf.internal" ]
    uaa/certs:
      ca: { valid_for: 1y }
      server:
        valid_for: 1y
        names:
          - "uaa.service.cf.internal"
          - "*.uaa.service.cf.internal"
          - "*.uaa.system.${params.base_domain}"
          - "uaa.system.${params.base_domain}"
          - "login.system.${params.base_domain}"
          - "*.login.system.${params.base_domain}"
    diego/certs:
      ca: { valid_for: 1y }
      capi:
        valid_for: 1y
        names: [ "cloud-controller-ng.service.cf.internal" ]
      cc_uploader:
        valid_for: 1y
        names: [ "cc_uploader" ]
      cc_uploader_server:
        valid_for: 1y
        names: [ "cc-uploader.service.cf.internal" ]
      syslogdrainbinder:
        valid_for: 1y
        names: [ "syslogdrainbinder" ]
      bbs:
        valid_for: 1y
        names: [ "bbs.service.cf.internal", "*.bbs.service.cf.internal" ]
      bbs_client:
        valid_for: 1y
        names: [ "bbs client" ]
      tps_client:
        valid_for: 1y
        names: [ "tps client" ]
      rep:
        valid_for: 1y
        names: [ "cell.service.cf.internal", "*.cell.service.cf.internal" ]
      rep_client:
        valid_for: 1y
        names: [ "rep client" ]
      auctioneer:
        valid_for: 1y
        names: [ "auctioneer.service.cf.internal" ]
      auctioneer_client:
        valid_for: 1y
        names: [ "auctioneer client" ]
    loggregator/certs:
      ca: { valid_for: 1y }
      doppler:
        valid_for: 1y
        names: [ "doppler" ]
      metron:
        valid_for: 1y
        names: [ "metron" ]
      trafficcontroller:
        valid_for: 1y
        names: [ "trafficcontroller" ]
      reverselogproxy:
        valid_for: 1y
        names: [ "reverselogproxy" ]
      statsdinjector:
        valid_for: 1y
        names: [ "statsdinjector" ]
  blobstore-webdav:
    blobstore/certs:
      ca: { valid_for: 1y }
      server:
        valid_for: 1y
        names: [ "blobstore.service.cf.internal" ]
credentials:
  base:
    consul/encryption_key:
      current: random 64 fixed # FIXME: rotation requires old + new present and manual key rotation
    nats:
      password: random 64
      admin_user:
        password: random 64
    uaa/jwt_signing_key: rsa 4096 fixed
    uaa/client_secrets:
      admin_client: random 64
      cc_broker: random 64
      cc_routing: random 64
      cc_user_lookup: random 64
      doppler: random 64
      firehose: random 64
      gorouter: random 64
      notifications: random 64
      ssh_proxy: random 64
      tcp_emitter: random 64
      tcp_router: random 64
    cc:
      directory_key: random 16 allowed-chars a-z0-9 fixed
      bulk_api: random 64
      internal_api: random 64
      staging_upload: random 64
      db_encryption_key: random 64 fixed
    loggregator/endpoint:
      secret: random 64
    gorouter/route_services:
      secret: random 64
    gorouter/status:
      password: random 64
    diego/encryption_key:
      value: random 64 fixed
    ssh_proxy/host_key: ssh 2048
  blobstore-webdav:
    blobstore/creds:
      password: random 64
      secret: random 64
  db-internal-postgres:
    uaadb:
      password: random 64
    ccdb:
      password: random 64
    diegodb:
      password: random 64
  shield-dbs:
    postgres:
      shield_password: random 64
params:
  base:
    - ask: What is the base domain of your Cloud Foundry?
      param: base_domain
      description: |
        This is used to autocalculate many domain-based values of your Cloud Foundry.
        Changing it will have widespread effects throughout the installation. If you change
        this, make sure to audit the domains available in your system org, as well as
        the shared domains.
      example: bosh-lite.com
    - description: |
        Used to scale out the number of VMs performing various jobs. Here are some commonly
        scaled instance groups, but all can be used, following the pattern
        `<instance_group_name>_instances`
      params:
        - cell_instances
        - router_instances
        - diego_instances
        - loggregator_instances
    - description: |
        To ensure that CF apps have access to talk to their services, we've added a default
        Application Security Group called `services`. It needs a list of networks that you
        wish to allow applications to access.
      ask: What networks will your CF apps need to talk to for their services?
      type: list
      param: app_services_networks
    - description: |
        To ensure that CF apps can talk to other CF applications, we've added a default
        Application Security Group to allow access to the CF public IPs. This property
        needs a list of all the public IPs your Cloud Foundry domains are in front of.
        Try `dig @8.8.8.8 +short myapp.<domain>` for each of your CF domains to get a full
        list.
      ask: What are all the Public IPs for your CF?
      type: list
      param: cf_public_ips
    - description: |
        Override the default amount of memory given to new apps when they are created.
        Users may request that apps have more memory, but if this is commonly overridden
        to the same value for all apps, consider updating the default here.
      param: default_app_memory
    - description: |
        This tells various CF components to skip strict SSL certificate validation when
        connecting over HTTPS. This should only be used in non-production environments,
        if the SSL certs for CF itself are self-signed.
      param: skip_ssl_validation
    - description: |
        Sets the log level for various CF components (API, UAA, router, Consul)
      param: log_level
    - description: |
        This is the port that CF will advertise the doppler/loggregator endpoint on.
        Usually either 443 or 4443, depending on how your load balancer handles WebSockets.
      param: logger_port
  haproxy-notls: &haproxy  # key must match the subkit name offered above
    - param: internal_only_domains
      description: |
        The `internal_only_domains` are used to tell HA Proxy what domains to refuse requests for
        unless the requests originate from addresses in the `trusted_domain_cidrs`. This is
        useful for hiding private domains that only your apps should be able to see. Consider
        using this even if the domain is not publicly resolvable, as HTTP Host header spoofing
        could otherwise be used to access the private apps.
    - param: trusted_domain_cidrs
      description: |
        The `trusted_domain_cidrs` are used to whitelist traffic destined for domains in the list
        of `internal_only_domains`. If a request goes to an internal-only domain, and isn't
        from the trusted CIDRs, it is blocked. This should be specified as a space-separated list.
  haproxy-tls:
    - param: internal_only_domains
      description: |
        The `internal_only_domains` are used to tell HA Proxy what domains to refuse requests for
        unless the requests originate from addresses in the `trusted_domain_cidrs`. This is
        useful for hiding private domains that only your apps should be able to see. Consider
        using this even if the domain is not publicly resolvable, as HTTP Host header spoofing
        could otherwise be used to access the private apps.
    - param: trusted_domain_cidrs
      description: |
        The `trusted_domain_cidrs` are used to whitelist traffic destined for domains in the list
        of `internal_only_domains`. If a request goes to an internal-only domain, and isn't
        from the trusted CIDRs, it is blocked. This should be specified as a space-separated list.
    - description: Disables TLS v1.0 or v1.1 respectively
      params:
        - disable_tls_10
        - disable_tls_11
  blobstore-azure:
    - ask: "Please enter the Azure Storage Account Name to be used for the Cloud Controller blobstore"
      vault: blobstore:azurerm_sa_name
      description: |
        This is the name of the Azure Storage Account that the `api` nodes will use
        to manage the buildpack, app droplet, app package, and resource group blobstores.
    - ask: "Please enter the Azure Storage Account Key to be used for the Cloud Controller blobstore"
      vault: blobstore:azurerm_sa_key
      description: |
        This is the key of the Azure Storage Account that the `api` nodes will use
        to manage the buildpack, app droplet, app package, and resource group blobstores.
  blobstore-gcp:
    - ask: "Please enter the GCP Storage Access Key ID to be used for the Cloud Controller blobstore"
      vault: blobstore:gcp_sa_key
      description: |
        This is the Google Storage Access Key ID that the `api` nodes will use
        to manage the buildpack, app droplet, app package, and resource group blobstores.
    - ask: "Please enter the GCP Storage Access Secret Key to be used for the Cloud Controller blobstore"
      vault: blobstore:gcp_sa_secret
      description: |
        This is the Google Storage Access Secret Key that the `api` nodes will use
        to manage the buildpack, app droplet, app package, and resource group blobstores.
  blobstore-s3:
    - ask: "Please enter the AWS Access Key ID to be used for the Cloud Controller blobstore"
      vault: blobstore:aws_access_key
      description: |
        This is the Amazon S3 Access Key ID that the `api` nodes will use
        to manage the buildpack, app droplet, app package, and resource group blobstores.
    - ask: "Please enter the AWS Secret Access Key to be used for the Cloud Controller blobstore"
      vault: blobstore:aws_access_secret
      description: |
        This is the Amazon S3 Secret Access Key that the `api` nodes will use
        to manage the buildpack, app droplet, app package, and resource group blobstores.
  db-external-mysql: &external-db
    - ask: "What hostname/IP is the UAA Database accessible at?"
      description: |
        This is the hostname that the `uaa` nodes will use to connect to their database
      param: uaadb_host
    - ask: "What port is the UAA Database accessible at?"
      description: |
        This is the port that the `uaa` nodes will use to connect to their database
      param: uaadb_port
    - ask: "What is the username used to connect to the UAA Database?"
      vault: uaadb:user
      description: |
        This is the username that the `uaa` nodes will use to connect to their database
    - ask: "What is the password used to connect to the UAA Database?"
      vault: uaadb:password
      description: |
        This is the password that the `uaa` nodes will use to connect to their database
    - ask: "What hostname/IP is the CC Database accessible at?"
      description: |
        This is the hostname that the `api` nodes will use to connect to their database
      param: ccdb_host
    - ask: "What port is the CC Database accessible at?"
      description: |
        This is the port that the `api` nodes will use to connect to their database
      param: ccdb_port
    - ask: "What is the username used to connect to the CC Database?"
      description: |
        This is the username that the `api` nodes will use to connect to their database
      vault: ccdb:user
    - ask: "What is the password used to connect to the CC Database?"
      vault: ccdb:password
      description: |
        This is the password that the `api` nodes will use to connect to their database
    - ask: "What hostname/IP is the Diego Database accessible at?"
      description: |
        This is the hostname that the `bbs` nodes will use to connect to their database
      param: diegodb_host
    - ask: "What port is the Diego Database accessible at?"
      description: |
        This is the port that the `bbs` nodes will use to connect to their database
      param: diegodb_port
    - ask: "What is the username used to connect to the Diego Database?"
      description: |
        This is the username that the `bbs` nodes will use to connect to their database
      vault: diegodb:user
    - ask: "What is the password used to connect to the Diego Database?"
      vault: diegodb:password
      description: |
        This is the password that the `bbs` nodes will use to connect to their database
  db-external-postgres: *external-db
  shield:
    - ask: What is the Vault path to your SHIELD Agent public key?
      description: |
        This is usually something like `secret/path/to/keys/for/shield/agent:public`
        If you are unsure, use `safe tree` to find it.
      param: shield_key_vault_path
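As an added illustration (not the kit's own code, nor the HA Proxy configuration it renders), the following Python models the `internal_only_domains` / `trusted_domain_cidrs` rule described in the haproxy params: a request whose Host header names an internal-only domain or one of its subdomains is refused unless the source address lies in a trusted CIDR, and because the decision is keyed on the Host header it applies even to domains with no public DNS record. The domain, CIDR and request values are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values for the two kit params; not from any real deployment.
INTERNAL_ONLY_DOMAINS = ["apps.internal.example.com"]
TRUSTED_DOMAIN_CIDRS = "10.0.0.0/8 192.168.10.0/24"   # space-separated, as the kit expects

@dataclass(frozen=True)
class Request:
    src_ip: str        # source address as seen by HA Proxy
    host_header: str   # raw HTTP Host header, possibly with a :port suffix

def parse_cidrs(trusted_domain_cidrs: str) -> list:
    """Split the space-separated trusted_domain_cidrs value into networks."""
    return [ipaddress.ip_network(c, strict=False) for c in trusted_domain_cidrs.split()]

def host_matches(host_header: str, domain: str) -> bool:
    """True if the Host header names `domain` or one of its subdomains.
    Port and trailing dot are stripped and the comparison is case-insensitive,
    because the Host header is client-supplied text, not a resolved name.
    (Bracketed IPv6 literals are not handled; app domains are hostnames.)"""
    host = host_header.split(":")[0].lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def decide(req: Request, internal_only_domains, trusted_nets) -> str:
    """'deny' when the Host is internal-only and the source lies outside every
    trusted CIDR; 'allow' otherwise. Keyed on Host, so the domain is protected
    even when it is not publicly resolvable."""
    if not any(host_matches(req.host_header, d) for d in internal_only_domains):
        return "allow"
    src = ipaddress.ip_address(req.src_ip)
    return "allow" if any(src in net for net in trusted_nets) else "deny"

# Constructed requests exercising the rule's edge cases.
SAMPLE_REQUESTS = [
    Request("10.20.30.40", "billing.apps.internal.example.com"),      # trusted source -> allow
    Request("203.0.113.7", "billing.apps.internal.example.com"),      # untrusted source -> deny
    Request("203.0.113.7", "Billing.APPS.Internal.example.com:443"),  # case/port variant -> deny
    Request("203.0.113.7", "shop.apps.example.com"),                  # public app domain -> allow
    Request("203.0.113.7", "notapps.internal.example.com"),           # shares a suffix only -> allow
]

def evaluate(requests=SAMPLE_REQUESTS) -> list:
    """Apply the rule to each request and return the verdicts in order."""
    nets = parse_cidrs(TRUSTED_DOMAIN_CIDRS)
    return [decide(r, INTERNAL_ONLY_DOMAINS, nets) for r in requests]
```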