
OCF-221: Isolation Segments dynamic creation (#194)
Add isolation segments feature

[Improvement]

* Added dynamically created Isolation Segments feature
patryk-kozak authored Jul 1, 2022
1 parent cae21e9 commit 3bd6e78
Showing 10 changed files with 3,081 additions and 11 deletions.
13 changes: 12 additions & 1 deletion MANUAL.md
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ General:
- `ssh-proxy-on-routers` - moves the ssh-proxy from scheduler instance group to the router instance group, placing it on the edge network, and enabling scaling via scaling the routers.
- `no-tcp-routers` - removes the tcp-router instance group and associated resource allocations for systems that don't need tcp routes.
- `windows-diego-cells` - Adds Windows Diego cell functionality.

- `isolation-segments` - enables usage of [isolation segments](https://docs.cloudfoundry.org/adminguide/routing-is.html#overview) using minimal configuration.

Database related - choose one:
- `postgres-db` - Use an external postgres instance to host persistent data.
Expand Down Expand Up @@ -303,6 +303,17 @@ These params need to be set when activating features:
| --- | --- | ---- |
| `windows_diego_cell_vm_type` | Windows Diego cell VM Type | `small-highmem` |
| `windows_diego_cell_instances`| Windows Diego Cell Instance Count | `1` |

- **isolation-segments**:
| param | description | default |
| --- | --- | --- |
| `name` | (required) Name of the isolation segment and placement tag for cloud foundry | |
| `azs`| (required) Avaliability zones network configuration | |
| `instances`| Amount of VM instances to be created | `1` |
| `vm_type`| VM Type to be applied | `minimal` |
| `vm_extensions`| Extensions to be added to the created VM's | `[]` |
| `network_name`| Name of the network that VM's will be created with | `default` |
| `stemcell`| Name of the stemcell to be used | `default` |

# Retired Parameters (from v1.x)

Expand Down
27 changes: 25 additions & 2 deletions hooks/blueprint
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,27 @@ switch_cf_version() {
echo >&2
}

generate_dynamic_isolation_segments() {
isolation_groups="$(
echo "$1" | \
jq -r '.isolation_segments[] | .name'
)"

generated_segments=()

for group in $isolation_groups; do
seg=$(echo $1 | jq -r ".isolation_segments[] | select(.name==\"$group\")")
segment_tmp_file="operations/dynamic/isolation_segments_$group.yml"
touch $segment_tmp_file
cat operations/dynamic-templates/isolation-segment.yml > "$segment_tmp_file"
sed -i "" "s/params.isolation_segments.iso_group/params.isolation_segments.$group/g" $segment_tmp_file
generated_segments+=("$segment_tmp_file")
done

echo ${generated_segments[*]}
}


### ============================================================================
### Main
### ============================================================================
Expand Down Expand Up @@ -221,7 +242,7 @@ for want in $GENESIS_REQUESTED_FEATURES; do
features+=( "small-footprint" );
;;
local-postgres-db|local-mysql-db|mysql-db|postgres-db) db_specified=1; features+=( "$want" ) ;;
bare|partitioned-network|haproxy|tls|no-nats-tls|self-signed) features+=( "$want" ) ;;
bare|partitioned-network|haproxy|tls|no-nats-tls|self-signed|isolation-segments) features+=( "$want" ) ;;
minio-blobstore|aws-blobstore|aws-blobstore-iam|azure-blobstore|gcp-blobstore|gcp-use-access-key) features+=( "$want" ) ;;
nfs-volume-services|enable-service-discovery|ssh-proxy-on-routers|no-tcp-routers|smb-volume-services) features+=( "$want" ) ;;
app-scheduler-integration|app-autoscaler-integration|prometheus-integration|v2-nats-credentials) features+=( "$want" ) ;;
Expand Down Expand Up @@ -432,7 +453,7 @@ for want in $GENESIS_REQUESTED_FEATURES; do
"overlay/override-releases/static-windows.yml" \
)
if want_feature "compiled-releases"; then
manifests+=( \
manifest+=( \
"cf-deployment/operations/experimental/use-compiled-releases-windows.yml" \
"overlay/override-releases/compiled-windows.yml" \
)
Expand All @@ -443,6 +464,8 @@ for want in $GENESIS_REQUESTED_FEATURES; do
)
fi
;;
isolation-segments)
manifest+=( $(generate_dynamic_isolation_segments "$params") ) ;;
+migrated-v1-env)
manifest+=( "overlay/addons/migration.yml" ) ;;

Expand Down
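Review bot: In `generate_dynamic_isolation_segments` the segment name read by `jq -r '.isolation_segments[] | .name'` is interpolated unescaped into a second jq filter, a `sed` replacement and the file path `operations/dynamic/isolation_segments_$group.yml`, so a name containing `/`, `..`, `&`, `.` or whitespace either breaks the substitution or writes the generated ops file outside `operations/dynamic`; the same string also becomes the spruce key path `params.isolation_segments.<name>`, so it has to be a plain identifier anyway and should be validated as one before any of those consumers see it. `sed -i ""` is the BSD/macOS spelling: GNU sed treats `""` as the script and the `s/…/` expression as a filename, so on a Linux runner the copied template would be left with `iso_group` unreplaced. Smaller points in the same function: `seg` is assigned but never used, `touch` is redundant before the `cat … >` redirect, `$1` and `$segment_tmp_file` are unquoted, and `echo ${generated_segments[*]}` plus the caller's `manifest+=( $(…) )` in the later hunk rely on word-splitting. I would restrict the name to `[A-Za-z0-9_-]+`, write the file with a plain redirect, and emit one path per line (the caller still needs to check the non-zero return, e.g. `|| exit 1`):
```shell
generate_dynamic_isolation_segments() {
  local params="$1" group seg_file
  local -a generated_segments=()

  while IFS= read -r group; do
    # The name is reused as a filename, a sed replacement and a spruce key path;
    # reject anything that is not a plain identifier before it reaches them.
    if [[ ! "$group" =~ ^[A-Za-z0-9_-]+$ ]]; then
      echo >&2 "isolation segment name '$group' must match [A-Za-z0-9_-]+"
      return 1
    fi
    seg_file="operations/dynamic/isolation_segments_${group}.yml"
    # Redirect instead of 'sed -i ""', whose -i argument syntax differs between GNU and BSD sed.
    sed "s/params\.isolation_segments\.iso_group/params.isolation_segments.${group}/g" \
      operations/dynamic-templates/isolation-segment.yml > "$seg_file"
    generated_segments+=("$seg_file")
  done < <(jq -r '.isolation_segments[] | .name' <<<"$params")

  printf '%s\n' "${generated_segments[@]}"
}
```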
124 changes: 124 additions & 0 deletions operations/dynamic-templates/isolation-segment.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
instance_groups:
- ((append))
- name: (( grab params.isolation_segments.iso_group.name ))
azs: (( grab params.isolation_segments.iso_group.azs || "[]" ))
instances: (( grab params.isolation_segments.iso_group.instances || 1 ))
vm_type: (( grab params.isolation_segments.iso_group.vm_type || "minimal" ))
vm_extensions: (( grab params.isolation_segments.iso_group.vm_extensions || "[]" ))
stemcell: (( grab params.isolation_segments.iso_group.stemcell || "default" ))
networks:
- name: (( grab params.isolation_segments.iso_group.network_name || "default" ))
jobs:
- name: cflinuxfs3-rootfs-setup
release: cflinuxfs3
properties:
cflinuxfs3-rootfs:
trusted_certs:
- ((diego_instance_identity_ca.ca))
- ((credhub_tls.ca))
- ((uaa_ssl.ca))
- name: garden
release: garden-runc
provides:
iptables: nil
properties:
garden:
containerd_mode: true
cleanup_process_dirs_on_wait: true
default_container_grace_time: 0
destroy_containers_on_start: true
graph_cleanup_threshold_in_mb: 0
deny_networks:
- 0.0.0.0/0
logging:
format:
timestamp: "rfc3339"
- name: rep
release: diego
properties:
bpm:
enabled: true
diego:
executor:
instance_identity_ca_cert: ((diego_instance_identity_ca.certificate))
instance_identity_key: ((diego_instance_identity_ca.private_key))
rep:
preloaded_rootfses:
- cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar
placement_tags:
- (( grab params.isolation_segments.iso_group.name ))
containers:
proxy:
enabled: true
require_and_verify_client_certificates: true
trusted_ca_certificates:
- ((gorouter_backend_tls.ca))
- ((ssh_proxy_backends_tls.ca))
verify_subject_alt_name:
- gorouter.service.cf.internal
- ssh-proxy.service.cf.internal
trusted_ca_certificates:
- ((diego_instance_identity_ca.ca))
- ((credhub_tls.ca))
- ((uaa_ssl.ca))
enable_consul_service_registration: false
enable_declarative_healthcheck: true
loggregator:
use_v2_api: true
ca_cert: "((loggregator_tls_agent.ca))"
cert: "((loggregator_tls_agent.certificate))"
key: "((loggregator_tls_agent.private_key))"
tls:
ca_cert: "((diego_rep_agent_v2.ca))"
cert: "((diego_rep_agent_v2.certificate))"
key: "((diego_rep_agent_v2.private_key))"
logging:
format:
timestamp: "rfc3339"
- name: route_emitter
release: diego
properties:
bpm:
enabled: true
loggregator:
use_v2_api: true
ca_cert: "((loggregator_tls_agent.ca))"
cert: "((loggregator_tls_agent.certificate))"
key: "((loggregator_tls_agent.private_key))"
diego:
route_emitter:
local_mode: true
bbs:
ca_cert: "((diego_bbs_client.ca))"
client_cert: "((diego_bbs_client.certificate))"
client_key: "((diego_bbs_client.private_key))"
nats:
tls:
enabled: true
client_cert: "((nats_client_cert.certificate))"
client_key: "((nats_client_cert.private_key))"
internal_routes:
enabled: true
logging:
format:
timestamp: "rfc3339"
tcp:
enabled: true
uaa:
ca_cert: "((uaa_ssl.ca))"
client_secret: "((uaa_clients_tcp_emitter_secret))"
addons:
- jobs:
- name: bosh-dns-aliases
properties:
aliases:
- domain: _.cell.service.cf.internal
targets:
- (( append ))
- deployment: ((deployment_name))
domain: bosh
instance_group: (( grab params.isolation_segments.iso_group.name ))
network: (( grab params.isolation_segments.iso_group.network_name || "default" ))
query: _
release: bosh-dns-aliases
name: bosh-dns-aliases
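Review bot: The cell instance group this template adds carries only `cflinuxfs3-rootfs-setup`, `garden`, `rep` and `route_emitter` (the `jobs:` list through the `uaa:` block), with no silk/CNI or vxlan-policy-agent job and no loggregator or forwarder agent job, so unless those come from an addon outside this file, apps placed on the segment have no local agent behind the rep's `loggregator.use_v2_api: true` (no app logs or metrics from isolated cells) and egress/network-policy enforcement differs from the base cells — confirm against the base cf-deployment diego-cell job list, and either mirror it or note in a template header comment which jobs the base deployment is expected to contribute. Separately, `azs: (( grab params.isolation_segments.iso_group.azs || "[]" ))` and the matching `vm_extensions` fallback yield the literal string `"[]"` rather than an empty list, which a BOSH manifest is likely to reject as a type mismatch if spruce does not coerce it; since MANUAL.md marks `azs` as required, drop that fallback so a missing value fails at merge time with a clear error, `azs: (( grab params.isolation_segments.iso_group.azs ))`, and verify how spruce treats the `vm_extensions` default. The `garden.deny_networks: [0.0.0.0/0]` and `rep.containers.proxy.require_and_verify_client_certificates: true` settings are the right defaults for a segment meant as a separate trust boundary and should stay.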
