├── .github ├── pull_request_template.md └── workflows │ └── security-considerations.yml ├── .gitignore ├── CODEOWNERS ├── CONTRIBUTING.md ├── LICENSE.md ├── README.md ├── SECURITY.md ├── bosh ├── opsfiles │ ├── add-autoscaler-ca.yml │ ├── add-bosh-dns-other-deployments.yml │ ├── add-opensearch-ca.yml │ ├── add-saml-key.yml │ ├── aggregate_drains.yml │ ├── api-defaults.yml │ ├── apps-domain.yml │ ├── cf-networking.yml │ ├── clients.yml │ ├── content-security-policy.yml │ ├── development-clients.yml │ ├── diego-cell-consumes-provides.yml │ ├── diego-cell-disk.yml │ ├── diego-cpu-entitlement-diego-cell.yml │ ├── diego-overcommit.yml │ ├── diego-rds-certs-diego-cell.yml │ ├── disable-secure-service-credentials-diego-cell.yml │ ├── disable-secure-service-credentials.yml │ ├── encryption.yml │ ├── instance-profiles.yml │ ├── latest-stemcell.yml │ ├── log-levels-diego-cell.yml │ ├── log-levels.yml │ ├── loggregator.yml │ ├── pages-clients-dev.yml │ ├── pages-clients-production.yml │ ├── pages-clients-staging.yml │ ├── pin-capi.yml │ ├── pin-uaa.yml │ ├── platform-cells.yml │ ├── rds-ca.yml │ ├── remove-routing-components-for-transition.yml │ ├── router-logstash-dev.yml │ ├── router-logstash.yml │ ├── router-main-dev.yml │ ├── router-main.yml │ ├── routing.yml │ ├── scaling-development.yml │ ├── scaling-production.yml │ ├── scaling-staging.yml │ ├── secureproxy.yml │ ├── smoke-tests.yml │ ├── sql.yml │ ├── tcp-cells-and-routers.yml │ ├── temp-buildpack.yml │ ├── uaa-branding.yml │ ├── uaa-cors.yml │ ├── uaa-customized.yml │ ├── uaa-groups.yml │ ├── uaa-login.yml │ ├── uaa-oauth-providers.yml │ ├── uaa-rds-ca.yml │ ├── uaa-saml.yml │ ├── uaa-user.yml │ ├── use-master-bosh-ca.yml │ ├── use-s3-blobstore.yml │ ├── users.yml │ └── wazuh.yml └── varsfiles │ ├── development.yml │ ├── production.yml │ ├── staging.yml │ └── terraform.yml ├── cf-secrets-example.external.yml ├── cf-secrets-example.main.yml ├── ci ├── acceptance-tests-config.sh ├── acceptance-tests-config.yml ├── 
check-deployment-was-zdt.sh ├── check-deployment-was-zdt.yml ├── config.yml ├── create-diego-cell-iso-seg.sh ├── create-diego-cell-iso-seg.yml ├── create-diego-platform-cell.sh ├── create-diego-platform-cell.yml ├── create-router-logstash.sh ├── create-router-logstash.yml ├── create-router-main.sh ├── create-router-main.yml ├── enable-cf-features.sh ├── enable-cf-features.yml ├── pipeline.yml ├── terraform-secrets.sh ├── terraform-secrets.yml ├── test-headers │ ├── .cfignore │ ├── README.md │ ├── clean.sh │ ├── deploy-env.sh │ ├── main.py │ ├── requirements.txt │ ├── run-tests.sh │ ├── runtime.txt │ ├── task-clean-test-env.yml │ ├── task-deploy-test-env.yml │ ├── task-run-tests.yml │ └── test-matrix ├── test-space-egress │ ├── .cfignore │ ├── README.md │ ├── clean.sh │ ├── deploy-env.sh │ ├── main.py │ ├── requirements.txt │ ├── run-tests.sh │ ├── runtime.txt │ ├── task-clean-test-env.yml │ ├── task-deploy-test-env.yml │ ├── task-run-tests.yml │ └── test-matrix ├── tic-smoke-tests.sh ├── tic-smoke-tests.yml ├── uaa-client-audit.sh ├── uaa-client-audit.yml ├── uaa-monitor-account-creation.sh └── uaa-monitor-account-creation.yml ├── credentials.example.yml ├── generate-all-certificates.sh ├── rfc └── RFC-0001-platform-test-suite.md └── terraform ├── modules ├── csb │ ├── csb.tf │ ├── docproxy.tf │ ├── shared.tf │ ├── variables.tf │ └── versions.tf ├── tcp-routing │ ├── routing.tf │ ├── variables.tf │ └── versions.tf └── test_cdn │ ├── test_cdn.tf │ ├── variables.tf │ └── versions.tf ├── stacks ├── apps │ ├── README.md │ ├── apps.tf │ ├── data.tf │ ├── providers.tf │ ├── variables.tf │ └── versions.tf └── cf │ ├── apps.tf │ ├── asg.tf │ ├── data.tf │ ├── iso.tf │ ├── orgs.tf │ ├── providers.tf │ ├── quotas.tf │ ├── spaces.tf │ ├── variables.tf │ └── versions.tf ├── terraform-apply.sh └── terraform-apply.yml /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | ## Changes proposed in this pull request: 2 
| - 3 | - 4 | - 5 | 6 | ## security considerations 7 | [Note the any security considerations here, or make note of why there are none] 8 | -------------------------------------------------------------------------------- /.github/workflows/security-considerations.yml: -------------------------------------------------------------------------------- 1 | name: Security Considerations 2 | 3 | on: 4 | pull_request: 5 | types: [opened, edited, reopened] 6 | branches: [main, master, develop] 7 | 8 | jobs: 9 | security-considerations: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: cloud-gov/security-considerations-action@main 13 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # YAML property files 2 | manifest.yml 3 | cf-secrets.yml 4 | secrets.yml 5 | cf-secrets-staging.yml 6 | manifest-staging.yml 7 | manifest-staging.yml-- 8 | credentials.yml 9 | credentials.dev.yml 10 | 11 | # Mac files 12 | .DS_Store 13 | 14 | # Eclipse files 15 | .project 16 | 17 | # Temporary directory 18 | tmp/ 19 | 20 | # Certs 21 | 22 | *-certs 23 | jwt_* 24 | 25 | # Python 26 | __pycache__/ 27 | *.py[cod] 28 | venv 29 | 30 | # Python Environments 31 | .venv 32 | .terraform 33 | .terraform.lock.hcl 34 | 35 | # Terraform 36 | *.tfvars 37 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @cloud-gov/platform-ops 2 | 3 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Public domain 2 | 3 | This project is in the public domain within the United States, and 4 | copyright and related rights in the work worldwide are waived through 5 | the [CC0 1.0 Universal public domain 
dedication](https://creativecommons.org/publicdomain/zero/1.0/). 6 | 7 | All contributions to this project will be released under the CC0 8 | dedication. By submitting a pull request, you are agreeing to comply 9 | with this waiver of copyright interest. 10 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | As a work of the United States Government, this project is in the 2 | public domain within the United States. 3 | 4 | Additionally, we waive copyright and related rights in the work 5 | worldwide through the CC0 1.0 Universal public domain dedication. 6 | 7 | ## CC0 1.0 Universal Summary 8 | 9 | This is a human-readable summary of the 10 | [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode). 11 | 12 | ### No Copyright 13 | 14 | The person who associated a work with this deed has dedicated the work to 15 | the public domain by waiving all of his or her rights to the work worldwide 16 | under copyright law, including all related and neighboring rights, to the 17 | extent allowed by law. 18 | 19 | You can copy, modify, distribute and perform the work, even for commercial 20 | purposes, all without asking permission. 21 | 22 | ### Other Information 23 | 24 | In no way are the patent or trademark rights of any person affected by CC0, 25 | nor are the rights that other persons may have in the work or in how the 26 | work is used, such as publicity or privacy rights. 27 | 28 | Unless expressly stated otherwise, the person who associated a work with 29 | this deed makes no warranties about the work, and disclaims liability for 30 | all uses of the work, to the fullest extent permitted by applicable law. 31 | When using or citing the work, you should not imply endorsement by the 32 | author or the affirmer. 
33 | 34 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## 18F Cloud Foundry Bosh Deployment Manifests and Concourse pipeline 2 | 3 | This repo contains the source for the Bosh deployment manifest and deployment pipeline for the 18F Cloud Foundry deployment. 4 | 5 | ### How to generate the final manifest: 6 | 7 | 1. Install `spiff` 8 | 1. Copy the secrets examples to secrets files: 9 | ``` 10 | cp cf-secrets-example.main.yml cf-secrets.main.yml 11 | cp cf-secrets-example.external.yml cf-secrets.external.yml 12 | ``` 13 | 1. Change all the variables in CAPS from `cf-secrets.*.yml` to proper values 14 | 1. Easily rotated secrets exist in the `main.yml` file, while external 15 | dependencies which can be either rotated in coordination with other 16 | resources (e.g. uaa.clients) or cannot be rotated at all (e.g. cc.db_encryption_key) 17 | exist in the `external.yml` file. 18 | 1. Run `./generate.sh` 19 | 20 | ### How to deploy the manifest: 21 | 22 | Wherever you have your bosh installation run: 23 | 24 | 1. `CREATE EXTENSION "uuid-ossp"` on the Postgres RDS instance for ccdb 25 | 1. `bosh deployment manifest.yml` 26 | 1. `bosh deploy` 27 | 28 | ### How to generate all certificates: 29 | 30 | Run the certificate generation script. For more information use the `--help` 31 | flag. 32 | 33 | 1. `./generate-all-certificates.sh` 34 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | **Reporting Security Issues** 3 | 4 | Please refrain from reporting security vulnerabilities through public GitHub issues. 5 | 6 | Instead, kindly report them via the information provided in [cloud.gov's security.txt](https://cloud.gov/.well-known/security.txt). 
7 | 8 | When reporting, include the following details (as much as possible) to help us understand the nature and extent of the potential issue: 9 | 10 | - Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.) 11 | - Full paths of related source file(s) 12 | - Location of affected source code (tag/branch/commit or direct URL) 13 | - Any special configuration required to reproduce the issue 14 | - Step-by-step instructions to reproduce the issue 15 | - Proof-of-concept or exploit code (if available) 16 | - Impact of the issue, including potential exploitation by attackers 17 | 18 | Providing this information will facilitate a quicker triage of your report. 19 | -------------------------------------------------------------------------------- /bosh/opsfiles/add-autoscaler-ca.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=router/jobs/name=gorouter/properties/router/ca_certs?/- 3 | value: ((/bosh/app-autoscaler/app_autoscaler_ca_cert.ca)) 4 | -------------------------------------------------------------------------------- /bosh/opsfiles/add-bosh-dns-other-deployments.yml: -------------------------------------------------------------------------------- 1 | # Adds BOSH DNS lookup to autoscaler deployment so route-registrar can communicate with the routers over TLS: 2 | - type: replace 3 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/- 4 | value: 5 | domain: app-autoscaler.apiserver.service.cf.internal 6 | targets: 7 | - deployment: app-autoscaler 8 | domain: bosh 9 | instance_group: apiserver 10 | network: default 11 | query: '*' 12 | - type: replace 13 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/- 14 | value: 15 | domain: app-autoscaler.autoscalerscheduler.service.cf.internal 16 | targets: 17 | - deployment: app-autoscaler 18 | domain: bosh 19 | instance_group: scheduler 20 | 
network: default 21 | query: '*' 22 | - type: replace 23 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/- 24 | value: 25 | domain: app-autoscaler.servicebroker.service.cf.internal 26 | targets: 27 | - deployment: app-autoscaler 28 | domain: bosh 29 | instance_group: apiserver 30 | network: default 31 | query: '*' 32 | - type: replace 33 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/- 34 | value: 35 | domain: app-autoscaler.eventgenerator.service.cf.internal 36 | targets: 37 | - deployment: app-autoscaler 38 | domain: bosh 39 | instance_group: eventgenerator 40 | network: default 41 | query: '*' 42 | - type: replace 43 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/- 44 | value: 45 | domain: app-autoscaler.scalingengine.service.cf.internal 46 | targets: 47 | - deployment: app-autoscaler 48 | domain: bosh 49 | instance_group: scalingengine 50 | network: default 51 | query: '*' 52 | - type: replace 53 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/- 54 | value: 55 | domain: app-autoscaler.metricsforwarder.service.cf.internal 56 | targets: 57 | - deployment: app-autoscaler 58 | domain: bosh 59 | instance_group: metricsforwarder 60 | network: default 61 | query: '*' 62 | - type: replace 63 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/- 64 | value: 65 | domain: app-autoscaler.operator.service.cf.internal 66 | targets: 67 | - deployment: app-autoscaler 68 | domain: bosh 69 | instance_group: operator 70 | network: default 71 | query: '*' 72 | 73 | # Other deployments (tbd) to go here: 74 | 75 | -------------------------------------------------------------------------------- /bosh/opsfiles/add-opensearch-ca.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: 
/instance_groups/name=router/jobs/name=gorouter/properties/router/ca_certs?/- 3 | value: ((/bosh/logs-opensearch/opensearch_ca.ca)) 4 | -------------------------------------------------------------------------------- /bosh/opsfiles/add-saml-key.yml: -------------------------------------------------------------------------------- 1 | # to rotate cert use bosh interpolate locally, using this file as an argument, then append this key to the map for uaa saml keys and deploy. 2 | - path: /variables/- 3 | type: replace 4 | value: 5 | name: uaa_service_provider_ssl_key_2 6 | options: 7 | alternative_names: 8 | - ((system_domain)) 9 | ca: default_ca 10 | common_name: ((system_domain)) 11 | type: certificate 12 | 13 | -------------------------------------------------------------------------------- /bosh/opsfiles/aggregate_drains.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=scheduler/jobs/name=loggr-syslog-binding-cache/properties?/aggregate_drains?/- 3 | value: 4 | url: syslog-tls://logs-opensearch.ingestor.service.cf.internal:6972?drain-data=all 5 | ca: ((/bosh/logs-opensearch/opensearch_ca.ca)) 6 | cert: ((/bosh/logs-opensearch/ingestor_syslog_client_tls.certificate)) 7 | key: ((/bosh/logs-opensearch/ingestor_syslog_client_tls.private_key)) 8 | 9 | - type: replace 10 | path: /instance_groups/name=scheduler/jobs/name=loggr-syslog-binding-cache/properties?/aggregate_drains?/- 11 | value: 12 | url: syslog-tls://logs-opensearch.archiver.service.cf.internal:7891?drain-data=all 13 | ca: ((/bosh/logs-opensearch/opensearch_ca.ca)) 14 | cert: ((/bosh/logs-opensearch/archiver_syslog_client_tls.certificate)) 15 | key: ((/bosh/logs-opensearch/archiver_syslog_client_tls.private_key)) 16 | 17 | - type: replace 18 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/domain=logs-opensearch.ingestor.service.cf.internal?/targets/- 19 | value: 20 | deployment: 
logs-opensearch 21 | domain: bosh 22 | instance_group: ingestor 23 | network: services 24 | query: '*' 25 | 26 | - type: replace 27 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/domain=logs-opensearch.archiver.service.cf.internal?/targets/- 28 | value: 29 | deployment: logs-opensearch 30 | domain: bosh 31 | instance_group: archiver 32 | network: services 33 | query: '*' 34 | -------------------------------------------------------------------------------- /bosh/opsfiles/api-defaults.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/default_app_memory? 3 | value: 512 4 | 5 | - type: replace 6 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/default_app_disk_in_mb? 7 | value: 2048 8 | 9 | - type: replace 10 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/maximum_app_disk_in_mb? 11 | value: 7168 12 | 13 | - type: replace 14 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/min_recommended_cli_version? 15 | value: 8.9.0 16 | 17 | 18 | - type: replace 19 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/maximum_app_disk_in_mb? 20 | value: 7168 21 | 22 | - type: replace 23 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/client_max_body_size? 24 | value: "1536M" 25 | 26 | - type: replace 27 | path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/cc/maximum_app_disk_in_mb? 28 | value: 7168 29 | 30 | - type: replace 31 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/thresholds? 
32 | value: 33 | worker: 34 | restart_if_above_mb: 1024 35 | restart_if_consistently_above_mb: 768 36 | alert_if_above_mb: 768 37 | -------------------------------------------------------------------------------- /bosh/opsfiles/apps-domain.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/app_domains? 3 | value: 4 | - ((app_domain)) 5 | 6 | - type: replace 7 | path: /instance_groups/name=smoke-tests/jobs/name=smoke_tests/properties/smoke_tests/apps_domain 8 | value: ((app_domain)) 9 | -------------------------------------------------------------------------------- /bosh/opsfiles/cf-networking.yml: -------------------------------------------------------------------------------- 1 | # CF Networking Release 2 | # https://github.com/cloudfoundry/cf-networking-release 3 | 4 | # Grant all SpaceDevelopers permissions to configure network policies 5 | - type: replace 6 | path: /instance_groups/name=api/jobs/name=policy-server/properties/enable_space_developer_self_service? 7 | value: true 8 | 9 | -------------------------------------------------------------------------------- /bosh/opsfiles/content-security-policy.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=router/jobs/name=secureproxy/properties/secureproxy/csp? 3 | value: 4 | enable: ((csp-enabled)) 5 | report_only: ((csp-report-only)) 6 | report_uri: ((csp-report-uri)) 7 | host_patterns: ((csp-host-patterns)) 8 | 9 | -------------------------------------------------------------------------------- /bosh/opsfiles/development-clients.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/logsearchv2_firehose_ingestor? 
3 | value: 4 | override: true 5 | access-token-validity: 172800 6 | authorized-grant-types: client_credentials 7 | authorities: doppler.firehose,cloud_controller.global_auditor 8 | secret: ((logsearchv2-firehose-ingestor-client-secret)) 9 | 10 | - type: replace 11 | path: /variables/- 12 | value: 13 | name: logsearchv2-firehose-ingestor-client-secret 14 | type: password 15 | 16 | - type: replace 17 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/opensearch_dashboards_proxy_test? 18 | value: 19 | override: true 20 | scope: cloud_controller.read,openid,scim.read 21 | authorized-grant-types: refresh_token,authorization_code,client_credentials 22 | authorities: scim.read 23 | name: "Test Logs" 24 | autoapprove: true 25 | show-on-homepage: true 26 | app-icon: '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' 27 | app-launch-url: https://logs-test.((system_domain)) 28 | redirect-uri: ((opensearch_dashboards_proxy_redirect_uri_test)) 29 | secret: ((opensearch-dashboards-test-proxy-secret)) 30 | 31 | - type: replace 32 | path: /variables/- 33 | value: 34 | name: opensearch-dashboards-test-proxy-secret 35 | type: password -------------------------------------------------------------------------------- /bosh/opsfiles/diego-cell-consumes-provides.yml: -------------------------------------------------------------------------------- 1 | # NOTES: 2 | # - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh 3 | # - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/` 4 | 5 | # Needed because the isolation segment(s) exist 6 | # Use distinct vxlan policy links for tenant cells 7 | - type: replace 8 | path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/provides?/vpa 9 | value: {as: vpa-tenant} 10 | - type: replace 11 | path: /instance_groups/name=diego-cell/jobs/name=silk-daemon/consumes?/vpa 12 | value: {from: vpa-tenant} 13 | - type: replace 14 | path: 
/instance_groups/name=diego-cell/jobs/name=silk-cni/consumes?/vpa 15 | value: {from: vpa-tenant} 16 | - type: replace 17 | path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/consumes?/iptables 18 | value: {from: iptables-tenant} 19 | - type: replace 20 | path: /instance_groups/name=diego-cell/jobs/name=silk-daemon/consumes?/iptables 21 | value: {from: iptables-tenant} 22 | - type: replace 23 | path: /instance_groups/name=diego-cell/jobs/name=netmon/consumes?/iptables 24 | value: {from: iptables-tenant} 25 | - type: replace 26 | path: /instance_groups/name=diego-cell/jobs/name=garden/provides?/iptables 27 | value: {as: iptables-tenant} 28 | - type: replace 29 | path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/consumes?/cni_config 30 | value: {from: cni_config_tenant} 31 | - type: replace 32 | path: /instance_groups/name=diego-cell/jobs/name=silk-cni/provides?/cni_config 33 | value: {as: cni_config_tenant} 34 | 35 | -------------------------------------------------------------------------------- /bosh/opsfiles/diego-cell-disk.yml: -------------------------------------------------------------------------------- 1 | # NOTES: 2 | # - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh 3 | # - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/` 4 | 5 | - type: replace 6 | path: /instance_groups/name=diego-cell/vm_extensions/0 7 | value: 300GB_ephemeral_disk 8 | -------------------------------------------------------------------------------- /bosh/opsfiles/diego-cpu-entitlement-diego-cell.yml: -------------------------------------------------------------------------------- 1 | # NOTES: 2 | # - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh 3 | # - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/` 4 | 5 | ### This makes sure that absolute-cpu-entitlement is still 
emitting in addition to newer cpu_entitlement 6 | - type: replace 7 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/loggregator/app_metric_exclusion_filter? 8 | value: [] 9 | 10 | 11 | -------------------------------------------------------------------------------- /bosh/opsfiles/diego-overcommit.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/dea_next?/staging_memory_limit_mb 3 | value: 2048 -------------------------------------------------------------------------------- /bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml: -------------------------------------------------------------------------------- 1 | # NOTES: 2 | # - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh 3 | # - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/` 4 | 5 | # This file exists to remove CredHub Secured Service Credential Delivery which 6 | # is now on by default in cf-deployment >=4.x. 7 | 8 | - type: replace 9 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/trusted_ca_certificates 10 | value: 11 | - ((diego_instance_identity_ca.ca)) 12 | - ((uaa_ssl.ca)) 13 | 14 | - type: replace 15 | path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs4-rootfs-setup/properties/cflinuxfs4-rootfs/trusted_certs 16 | value: 17 | - ((diego_instance_identity_ca.ca)) 18 | - ((uaa_ssl.ca)) 19 | -------------------------------------------------------------------------------- /bosh/opsfiles/disable-secure-service-credentials.yml: -------------------------------------------------------------------------------- 1 | # This file exists to remove CredHub Secured Service Credential Delivery which 2 | # is now on by default in cf-deployment >=4.x. 
3 | 4 | - type: remove 5 | path: /variables/name=credhub_encryption_password 6 | 7 | - type: remove 8 | path: /variables/name=credhub_admin_client_secret 9 | 10 | - type: remove 11 | path: /variables/name=credhub_ca 12 | 13 | - type: remove 14 | path: /variables/name=credhub_tls 15 | 16 | - type: remove 17 | path: /releases/name=credhub 18 | 19 | - type: remove 20 | path: /instance_groups/name=credhub 21 | 22 | - type: remove 23 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/domain=credhub.service.cf.internal 24 | 25 | - type: remove 26 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/cc_service_key_client 27 | 28 | - type: remove 29 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/credhub_admin_client 30 | 31 | - type: remove 32 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/credhub_api 33 | 34 | - type: remove 35 | path: /variables/name=uaa_clients_cc_service_key_client_secret 36 | 37 | -------------------------------------------------------------------------------- /bosh/opsfiles/encryption.yml: -------------------------------------------------------------------------------- 1 | # Encrypt S3 uploads 2 | - type: replace 3 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/resource_pool/fog_aws_storage_options?/encryption? 4 | value: AES256 5 | - type: replace 6 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/packages/fog_aws_storage_options?/encryption? 7 | value: AES256 8 | - type: replace 9 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/droplets/fog_aws_storage_options?/encryption? 10 | value: AES256 11 | - type: replace 12 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/buildpacks/fog_aws_storage_options?/encryption? 
13 | value: AES256 14 | 15 | - type: replace 16 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/resource_pool/fog_aws_storage_options?/encryption? 17 | value: AES256 18 | - type: replace 19 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/packages/fog_aws_storage_options?/encryption? 20 | value: AES256 21 | - type: replace 22 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/droplets/fog_aws_storage_options?/encryption? 23 | value: AES256 24 | - type: replace 25 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/buildpacks/fog_aws_storage_options?/encryption? 26 | value: AES256 27 | 28 | - type: replace 29 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/resource_pool/fog_aws_storage_options?/encryption? 30 | value: AES256 31 | - type: replace 32 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/packages/fog_aws_storage_options?/encryption? 33 | value: AES256 34 | - type: replace 35 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/droplets/fog_aws_storage_options?/encryption? 36 | value: AES256 37 | - type: replace 38 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/buildpacks/fog_aws_storage_options?/encryption? 
39 | value: AES256 40 | -------------------------------------------------------------------------------- /bosh/opsfiles/instance-profiles.yml: -------------------------------------------------------------------------------- 1 | # Add blobstore instance profile to cloud controller 2 | - type: replace 3 | path: /instance_groups/name=api/vm_extensions?/- 4 | value: blobstore-profile 5 | - type: replace 6 | path: /instance_groups/name=cc-worker/vm_extensions?/- 7 | value: blobstore-profile 8 | 9 | # Add compilation profile to errands 10 | - type: replace 11 | path: /instance_groups/name=smoke-tests/vm_extensions?/- 12 | value: errand-profile 13 | -------------------------------------------------------------------------------- /bosh/opsfiles/latest-stemcell.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /stemcells/alias=default/version 3 | value: latest 4 | -------------------------------------------------------------------------------- /bosh/opsfiles/log-levels-diego-cell.yml: -------------------------------------------------------------------------------- 1 | # NOTES: 2 | # - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh 3 | # - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/` 4 | 5 | - type: replace 6 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/log_level? 7 | value: error 8 | 9 | - type: replace 10 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/diego/rep/log_level? 11 | value: error 12 | 13 | - type: replace 14 | path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/diego/route_emitter/log_level? 
15 | value: error 16 | -------------------------------------------------------------------------------- /bosh/opsfiles/log-levels.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/security_event_logging?/enabled 3 | value: true 4 | -------------------------------------------------------------------------------- /bosh/opsfiles/loggregator.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/name=loggregator? 3 | value: 4 | name: loggregator 5 | sha1: af9a37be9fe1cc814165ac4c01086a8f290cc3e5 6 | url: https://bosh.io/d/github.com/cloudfoundry/loggregator-release?v=106.7.4 7 | version: 106.7.4 8 | -------------------------------------------------------------------------------- /bosh/opsfiles/pin-capi.yml: -------------------------------------------------------------------------------- 1 | # Pin CAPI because of valkey 2 | - type: replace 3 | path: /releases/name=capi 4 | value: 5 | name: capi 6 | version: 1.183.0 7 | url: https://bosh.io/d/github.com/cloudfoundry/capi-release?v=1.183.0 8 | sha1: fceb5095f6ffc975fe12e0cc36daca00a3cf4db4 9 | 10 | # Switch to Redis 11 | - type: remove 12 | path: /instance_groups/name=api/jobs/name=valkey 13 | 14 | - type: replace 15 | path: /instance_groups/name=api/jobs/- 16 | value: 17 | name: redis 18 | release: capi 19 | -------------------------------------------------------------------------------- /bosh/opsfiles/pin-uaa.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/name=uaa 3 | value: 4 | name: uaa 5 | url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=77.20.4 6 | version: 77.20.4 7 | sha1: 085416a3f822e3da99968a63aa114392be5246c5 8 | 9 | 10 | - type: replace 11 | path: /releases/name=uaa-customized/version? 
12 | value: "59" 13 | -------------------------------------------------------------------------------- /bosh/opsfiles/platform-cells.yml: -------------------------------------------------------------------------------- 1 | # NOTES: 2 | # - Other than the scaling-*.yml files, this should be the only file to contain configurations for the diego-platform-cell instance group 3 | # - This one differs from the other isolation segments in that it gets a custom identity profile on the VM 4 | 5 | # Set platform cell instance profile and placement tag 6 | - type: replace 7 | path: /instance_groups/name=diego-platform-cell/vm_extensions/- 8 | value: diego-platform-cell-profile 9 | - type: replace 10 | path: /instance_groups/name=diego-platform-cell/jobs/name=rep/properties/diego/rep/placement_tags?/- 11 | value: platform 12 | 13 | 14 | # Add platform cells to DNS aliases 15 | - type: replace 16 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/domain=_.cell.service.cf.internal/targets/- 17 | value: 18 | query: '_' 19 | instance_group: diego-platform-cell 20 | deployment: ((deployment_name)) 21 | network: ((network_name)) 22 | domain: bosh 23 | 24 | -------------------------------------------------------------------------------- /bosh/opsfiles/rds-ca.yml: -------------------------------------------------------------------------------- 1 | ### Enable requirement of SSL for silk-controller 2 | 3 | - type: replace 4 | path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/require_ssl? 5 | value: true 6 | 7 | - type: replace 8 | path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/ca_cert? 
9 | value: |+ 10 | # Amazon RDS us-gov-west-1 Root CA RSA4096 G1 expires May2121 11 | -----BEGIN CERTIFICATE----- 12 | MIIGBzCCA++gAwIBAgIRAOzQCoOR21YG2noWOfFcuNIwDQYJKoZIhvcNAQEMBQAw 13 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 14 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 15 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 16 | A1UEBwwHU2VhdHRsZTAgFw0yMTA1MjYyMTQ0MzlaGA8yMTIxMDUyNjIyNDQzOVow 17 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 18 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 19 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 20 | A1UEBwwHU2VhdHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwY 21 | M2iZdnnlMutI9nfn2fWBICAQHWmMmpPmtSka/ziBFyaCxkHDF8RLmooW+GLe+FEF 22 | 9CQKSVqRa7X5AFiqRFF1KvgxWvazawyScuw88JW6Eqhaw0Rlm2p1Iow3TE8FSCDo 23 | Is1vEV3Brbf26CMiXbqI+aCuTOy0fjRzjl5igViTgZxt2ZXOwyKkF+2T8LQp4b4F 24 | Mh85Ctw1An1DhAemsc3SmcYnPKyFUP90DxGuTjFtfNR01GbBtVYwVvOBgIJe59Zs 25 | OWcEFOO2mU53Ik6oKcLYu4+PmE5aDvQewb6bkQZchClb7Eg0BPYekWwTPsKUTS3H 26 | bgdwVxgzjdAdU9fvaaoQmS9xdHWlonKq8CubJdLUduV3WVmDAg7MQgiT3p8JF9W2 27 | KbQpUbYxqd7j9OIe3IS3rVPwYA8PVh1hUJ+OBLw61sbGRAuN3H+B1DlJh1smg6bR 28 | g9W+oLRzfjZa32EzFmaQIxtgRfiyjxB/vqAHdl5zPou30X1CyRYquS870O02bvTN 29 | zzWSOfRY4KPmS1YFVsN+m+R4+hSUOAE//bJ25ACP9oDO5w9NWkAux4e0UUAuWCra 30 | jRROYN2J0KCogdru5G7lOQerD12zi3C2iibty6ou4tQX+MIKMMUVq8cfUH7oKv/R 31 | 8mL5PV/NUsgO248llo0lr9QBwQKdiw17wCxFR+8vAgMBAAGjQjBAMA8GA1UdEwEB 32 | /wQFMAMBAf8wHQYDVR0OBBYEFPDYnx2xYIPDDAEjb6UcF29I6DgKMA4GA1UdDwEB 33 | /wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANTrAGs/GpXCADAwMGlrjXTdohp+p 34 | CIp3gbnryVYZBXvO+f8hjJ8bHk0D/DiBrkjE8o0IpNaAadOZa+WvTNMsanPmGf1A 35 | kD0vA9nm4gwEhBbzj9HRYX+dIhZhVWny9Kugm80s0h0hvbwTakUPOdMqkz6wn+xx 36 | Owh7AIwaC5TTCsQyKlv5rjVblvU1XFgBf3Pf3wvMAfjDoAEPTXER/9mLVbXe+EmW 37 | osP1JmgyDd+0WQFVK/LEDW81L5hsV5JvthAAFhGVtRw9ko5Ep28+EQUJE1wmLTdL 38 | 
PyjB/KfJrTMDq94WolzFv4JpUStHbclkKlXtigjKeiYZ5Yvo+vLMSkXemccSfYn7 39 | vdaUFD5vqWXvM4xhiYRq/tigw2E1bjmyd9L3XD7XalufZtMGWn7zT8HMPP+/Lch1 40 | JjZ9LL2Y99VIqhoHcuSa95FtLpYDRQ28K03uwqxqFnOQLyPVmYwsaHKnmmwaZDjF 41 | K1XxLVRLGRWvKEuSoWrsGcs3ehoxX4Knz/BaJzr/ioU1VnItj53tmOSJO0eMA6k+ 42 | egaVEb0FTa2F5xeLCKjgfDDWMz3v0TdL+kt+9z0THMlPWfOzd1C35ZzSIcTcRj22 43 | SAzsL0t5ZTI4XvoPFF8dga78/KsBRolqdPjs0UzdlKhwh1ADOkTRgLOaaidMEgsT 44 | JS/rbzD4FPbvc/g= 45 | -----END CERTIFICATE----- 46 | 47 | - type: replace 48 | path: /instance_groups/name=diego-api/jobs/name=silk-controller/properties/database/skip_hostname_validation? 49 | value: true 50 | 51 | ### Enable requirement of SSL for policy-server 52 | 53 | - type: replace 54 | path: /instance_groups/name=api/jobs/name=policy-server/properties/database/require_ssl? 55 | value: true 56 | 57 | - type: replace 58 | path: /instance_groups/name=api/jobs/name=policy-server/properties/database/ca_cert? 59 | value: |+ 60 | # Amazon RDS us-gov-west-1 Root CA RSA4096 G1 expires May2121 61 | -----BEGIN CERTIFICATE----- 62 | MIIGBzCCA++gAwIBAgIRAOzQCoOR21YG2noWOfFcuNIwDQYJKoZIhvcNAQEMBQAw 63 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 64 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 65 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 66 | A1UEBwwHU2VhdHRsZTAgFw0yMTA1MjYyMTQ0MzlaGA8yMTIxMDUyNjIyNDQzOVow 67 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 68 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 69 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 70 | A1UEBwwHU2VhdHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwY 71 | M2iZdnnlMutI9nfn2fWBICAQHWmMmpPmtSka/ziBFyaCxkHDF8RLmooW+GLe+FEF 72 | 9CQKSVqRa7X5AFiqRFF1KvgxWvazawyScuw88JW6Eqhaw0Rlm2p1Iow3TE8FSCDo 73 | Is1vEV3Brbf26CMiXbqI+aCuTOy0fjRzjl5igViTgZxt2ZXOwyKkF+2T8LQp4b4F 74 | Mh85Ctw1An1DhAemsc3SmcYnPKyFUP90DxGuTjFtfNR01GbBtVYwVvOBgIJe59Zs 75 | 
OWcEFOO2mU53Ik6oKcLYu4+PmE5aDvQewb6bkQZchClb7Eg0BPYekWwTPsKUTS3H 76 | bgdwVxgzjdAdU9fvaaoQmS9xdHWlonKq8CubJdLUduV3WVmDAg7MQgiT3p8JF9W2 77 | KbQpUbYxqd7j9OIe3IS3rVPwYA8PVh1hUJ+OBLw61sbGRAuN3H+B1DlJh1smg6bR 78 | g9W+oLRzfjZa32EzFmaQIxtgRfiyjxB/vqAHdl5zPou30X1CyRYquS870O02bvTN 79 | zzWSOfRY4KPmS1YFVsN+m+R4+hSUOAE//bJ25ACP9oDO5w9NWkAux4e0UUAuWCra 80 | jRROYN2J0KCogdru5G7lOQerD12zi3C2iibty6ou4tQX+MIKMMUVq8cfUH7oKv/R 81 | 8mL5PV/NUsgO248llo0lr9QBwQKdiw17wCxFR+8vAgMBAAGjQjBAMA8GA1UdEwEB 82 | /wQFMAMBAf8wHQYDVR0OBBYEFPDYnx2xYIPDDAEjb6UcF29I6DgKMA4GA1UdDwEB 83 | /wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANTrAGs/GpXCADAwMGlrjXTdohp+p 84 | CIp3gbnryVYZBXvO+f8hjJ8bHk0D/DiBrkjE8o0IpNaAadOZa+WvTNMsanPmGf1A 85 | kD0vA9nm4gwEhBbzj9HRYX+dIhZhVWny9Kugm80s0h0hvbwTakUPOdMqkz6wn+xx 86 | Owh7AIwaC5TTCsQyKlv5rjVblvU1XFgBf3Pf3wvMAfjDoAEPTXER/9mLVbXe+EmW 87 | osP1JmgyDd+0WQFVK/LEDW81L5hsV5JvthAAFhGVtRw9ko5Ep28+EQUJE1wmLTdL 88 | PyjB/KfJrTMDq94WolzFv4JpUStHbclkKlXtigjKeiYZ5Yvo+vLMSkXemccSfYn7 89 | vdaUFD5vqWXvM4xhiYRq/tigw2E1bjmyd9L3XD7XalufZtMGWn7zT8HMPP+/Lch1 90 | JjZ9LL2Y99VIqhoHcuSa95FtLpYDRQ28K03uwqxqFnOQLyPVmYwsaHKnmmwaZDjF 91 | K1XxLVRLGRWvKEuSoWrsGcs3ehoxX4Knz/BaJzr/ioU1VnItj53tmOSJO0eMA6k+ 92 | egaVEb0FTa2F5xeLCKjgfDDWMz3v0TdL+kt+9z0THMlPWfOzd1C35ZzSIcTcRj22 93 | SAzsL0t5ZTI4XvoPFF8dga78/KsBRolqdPjs0UzdlKhwh1ADOkTRgLOaaidMEgsT 94 | JS/rbzD4FPbvc/g= 95 | -----END CERTIFICATE----- 96 | 97 | - type: replace 98 | path: /instance_groups/name=api/jobs/name=policy-server/properties/database/skip_hostname_validation? 
99 | value: true -------------------------------------------------------------------------------- /bosh/opsfiles/remove-routing-components-for-transition.yml: -------------------------------------------------------------------------------- 1 | - type: remove 2 | path: /instance_groups/name=api/jobs/name=routing-api 3 | 4 | - type: remove 5 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/routing_api_client 6 | 7 | - type: remove 8 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/tcp_router 9 | 10 | - type: remove 11 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/routing_api 12 | 13 | - type: remove 14 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/routing_api 15 | 16 | - type: remove 17 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/routing_api 18 | 19 | - type: remove 20 | path: /instance_groups/name=router/jobs/name=gorouter/properties/routing_api 21 | 22 | - type: remove 23 | path: /instance_groups/name=tcp-router 24 | 25 | - type: remove 26 | path: /variables/name=uaa_clients_tcp_router_secret 27 | 28 | - type: remove 29 | path: /variables/name=uaa_clients_routing_api_client_secret 30 | 31 | - type: remove 32 | path: /variables/name=diego_locket_client 33 | -------------------------------------------------------------------------------- /bosh/opsfiles/router-logstash-dev.yml: -------------------------------------------------------------------------------- 1 | # This ops file is only currently used in dev so putting the router-logstash instance group override here 2 | - type: replace 3 | path: /instance_groups/name=router-logstash/jobs/name=secureproxy/properties/secureproxy/csp? 
4 | value: 5 | enable: ((csp-enabled)) 6 | report_only: ((csp-report-only)) 7 | report_uri: ((csp-report-uri)) 8 | host_patterns: ((csp-host-patterns)) -------------------------------------------------------------------------------- /bosh/opsfiles/router-logstash.yml: -------------------------------------------------------------------------------- 1 | # This combines all the places in cf-deployment and cg-deploy-cf where we override settings 2 | # for the router instance group for the new instance group called router-logstash 3 | 4 | # From cf-deployment/operations/rename-network-and-deployment.yml 5 | - type: replace 6 | path: /instance_groups/name=router-logstash/networks/name=default/name 7 | value: ((network_name)) 8 | 9 | # From cf-manifests/bosh/opsfiles/remove-routing-components-for-transition.yml 10 | - type: remove 11 | path: /instance_groups/name=router-logstash/jobs/name=gorouter/properties/routing_api 12 | 13 | # From cf-manifests/bosh/opsfiles/secureproxy.yml 14 | - type: replace 15 | path: /instance_groups/name=router-logstash/jobs/- 16 | value: 17 | name: secureproxy 18 | release: secureproxy 19 | properties: 20 | secureproxy: 21 | https_listen_port: 443 22 | https_proxy_port: 10443 23 | # Expose gorouter health check for ELB 24 | # For this to work, router.load_balancer_healthy_threshold must be set to 0 25 | custom_server_config: |- 26 | server { 27 | listen 81; 28 | location / { 29 | proxy_pass http://localhost:8080/health; 30 | } 31 | } 32 | 33 | server { 34 | listen 8081; 35 | location ~ (^/.well-known/acme-challenge/.*) { 36 | resolver 8.8.8.8; 37 | 38 | proxy_set_header Host s3-us-gov-west-1.amazonaws.com; 39 | proxy_set_header Authorization $http_authorization; 40 | proxy_set_header Connection ''; 41 | 42 | set $s3_host 's3-us-gov-west-1.amazonaws.com'; 43 | proxy_pass https://$s3_host/((challenge_bucket))$1; 44 | } 45 | } 46 | tic: 47 | host_whitelist: 48 | - hostname: api.((system_domain)) 49 | exclude: 50 | - ^/v2/info 51 | - ^/v3/info 52 
| - hostname: dashboard.((system_domain)) 53 | exclude: [] 54 | secret: ((tic-secret)) 55 | whitelist: ((tic-whitelist)) 56 | proxy_whitelist: ((tic-proxy-whitelist)) 57 | 58 | - type: remove 59 | path: /instance_groups/name=router-logstash/jobs/name=gorouter/properties/router/port? 60 | 61 | - type: replace 62 | path: /instance_groups/name=router-logstash/jobs/name=gorouter/properties/router/disable_http? 63 | value: true 64 | 65 | - type: replace 66 | path: /instance_groups/name=router-logstash/jobs/name=gorouter/properties/router/load_balancer_healthy_threshold? 67 | value: 0 68 | 69 | - type: replace 70 | path: /instance_groups/name=router-logstash/jobs/name=secureproxy/properties/secureproxy/tls_cert? 71 | value: ((router_ssl.certificate)) 72 | 73 | - type: replace 74 | path: /instance_groups/name=router-logstash/jobs/name=secureproxy/properties/secureproxy/tls_key? 75 | value: ((router_ssl.private_key)) 76 | 77 | - type: replace 78 | path: /instance_groups/name=router-logstash/jobs/name=gorouter/properties/router/tls_port? 79 | value: 10443 80 | 81 | # From cf-manifests/bosh/opsfiles/routing.yml 82 | - type: replace 83 | path: /instance_groups/name=router-logstash/jobs/name=gorouter/properties/request_timeout_in_seconds? 84 | value: 3600 85 | 86 | # Needed for BOSH DNS, concatenate the new router group to the existing one (not overwrite) 87 | - type: replace 88 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/domain=gorouter.service.cf.internal/targets/instance_group=router:after 89 | value: 90 | deployment: ((deployment_name)) 91 | domain: bosh 92 | instance_group: router-logstash 93 | network: ((network_name)) 94 | query: "*" 95 | 96 | # Set vm_extension, need to wipe the existing default array value of cf-router-network-properties with cf-router-logstash-network-properties 97 | - type: remove 98 | path: /instance_groups/name=router-logstash/vm_extensions? 
99 | - type: replace 100 | path: /instance_groups/name=router-logstash/vm_extensions? 101 | value: 102 | - cf-router-logstash-network-properties 103 | 104 | # Used to avoid bosh link error: "Failed to resolve link 'router' with type 'http-router'..." 105 | - type: replace 106 | path: /instance_groups/name=router-logstash/jobs/name=gorouter/provides? 107 | value: 108 | gorouter: nil 109 | 110 | - type: replace 111 | path: /instance_groups/name=router-logstash/jobs/name=gorouter/properties/router/http_rewrite? 112 | value: 113 | responses: 114 | add_headers_if_not_present: 115 | - name: "Strict-Transport-Security" 116 | value: "max-age=31536000" 117 | - name: "X-Content-Type-Options" 118 | value: "nosniff" 119 | - name: "Content-Type" 120 | value: "text/plain; charset=utf-8" 121 | - name: "X-Frame-Options" 122 | value: "DENY" 123 | 124 | - type: replace 125 | path: /instance_groups/name=router-logstash/jobs/name=gorouter/properties/router/max_tls_version? 126 | value: TLSv1.3 127 | -------------------------------------------------------------------------------- /bosh/opsfiles/router-main-dev.yml: -------------------------------------------------------------------------------- 1 | # This ops file is only currently used in dev so putting the router-main instance group override here 2 | - type: replace 3 | path: /instance_groups/name=router-main/jobs/name=secureproxy/properties/secureproxy/csp? 
4 | value: 5 | enable: ((csp-enabled)) 6 | report_only: ((csp-report-only)) 7 | report_uri: ((csp-report-uri)) 8 | host_patterns: ((csp-host-patterns)) -------------------------------------------------------------------------------- /bosh/opsfiles/router-main.yml: -------------------------------------------------------------------------------- 1 | # This combines all the places in cf-deployment and cg-deploy-cf where we override settings 2 | # for the router instance group for the new instance group called router-main 3 | 4 | # From cf-deployment/operations/rename-network-and-deployment.yml 5 | - type: replace 6 | path: /instance_groups/name=router-main/networks/name=default/name 7 | value: ((network_name)) 8 | 9 | # From cf-manifests/bosh/opsfiles/remove-routing-components-for-transition.yml 10 | - type: remove 11 | path: /instance_groups/name=router-main/jobs/name=gorouter/properties/routing_api 12 | 13 | # From cf-manifests/bosh/opsfiles/secureproxy.yml 14 | - type: replace 15 | path: /instance_groups/name=router-main/jobs/- 16 | value: 17 | name: secureproxy 18 | release: secureproxy 19 | properties: 20 | secureproxy: 21 | https_listen_port: 443 22 | https_proxy_port: 10443 23 | # Expose gorouter health check for ELB 24 | # For this to work, router.load_balancer_healthy_threshold must be set to 0 25 | custom_server_config: |- 26 | server { 27 | listen 81; 28 | location / { 29 | proxy_pass http://localhost:8080/health; 30 | } 31 | } 32 | 33 | server { 34 | listen 8081; 35 | location ~ (^/.well-known/acme-challenge/.*) { 36 | resolver 8.8.8.8; 37 | 38 | proxy_set_header Host s3-us-gov-west-1.amazonaws.com; 39 | proxy_set_header Authorization $http_authorization; 40 | proxy_set_header Connection ''; 41 | 42 | set $s3_host 's3-us-gov-west-1.amazonaws.com'; 43 | proxy_pass https://$s3_host/((challenge_bucket))$1; 44 | } 45 | } 46 | tic: 47 | host_whitelist: 48 | - hostname: api.((system_domain)) 49 | exclude: 50 | - ^/v2/info 51 | - ^/v3/info 52 | - hostname: 
dashboard.((system_domain)) 53 | exclude: [] 54 | secret: ((tic-secret)) 55 | whitelist: ((tic-whitelist)) 56 | proxy_whitelist: ((tic-proxy-whitelist)) 57 | 58 | - type: remove 59 | path: /instance_groups/name=router-main/jobs/name=gorouter/properties/router/port? 60 | 61 | - type: replace 62 | path: /instance_groups/name=router-main/jobs/name=gorouter/properties/router/disable_http? 63 | value: true 64 | 65 | - type: replace 66 | path: /instance_groups/name=router-main/jobs/name=gorouter/properties/router/load_balancer_healthy_threshold? 67 | value: 0 68 | 69 | - type: replace 70 | path: /instance_groups/name=router-main/jobs/name=secureproxy/properties/secureproxy/tls_cert? 71 | value: ((router_ssl.certificate)) 72 | 73 | - type: replace 74 | path: /instance_groups/name=router-main/jobs/name=secureproxy/properties/secureproxy/tls_key? 75 | value: ((router_ssl.private_key)) 76 | 77 | - type: replace 78 | path: /instance_groups/name=router-main/jobs/name=gorouter/properties/router/tls_port? 79 | value: 10443 80 | 81 | # From cf-manifests/bosh/opsfiles/routing.yml 82 | - type: replace 83 | path: /instance_groups/name=router-main/jobs/name=gorouter/properties/request_timeout_in_seconds? 84 | value: 3600 85 | 86 | # Needed for BOSH DNS, concatenate the new router group to the existing one (not overwrite) 87 | - type: replace 88 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/domain=gorouter.service.cf.internal/targets/instance_group=router:after 89 | value: 90 | deployment: ((deployment_name)) 91 | domain: bosh 92 | instance_group: router-main 93 | network: ((network_name)) 94 | query: "*" 95 | 96 | # Set vm_extension, need to wipe the existing default array value of cf-router-network-properties with cf-router-main-network-properties 97 | - type: remove 98 | path: /instance_groups/name=router-main/vm_extensions? 99 | - type: replace 100 | path: /instance_groups/name=router-main/vm_extensions? 
101 | value: 102 | - cf-router-main-network-properties 103 | 104 | # Used to avoid bosh link error: "Failed to resolve link 'router' with type 'http-router'..." 105 | - type: replace 106 | path: /instance_groups/name=router-main/jobs/name=gorouter/provides? 107 | value: 108 | gorouter: nil 109 | 110 | - type: replace 111 | path: /instance_groups/name=router-main/jobs/name=gorouter/properties/router/http_rewrite? 112 | value: 113 | responses: 114 | add_headers_if_not_present: 115 | - name: "Strict-Transport-Security" 116 | value: "max-age=31536000" 117 | - name: "X-Content-Type-Options" 118 | value: "nosniff" 119 | - name: "Content-Type" 120 | value: "text/plain; charset=utf-8" 121 | - name: "X-Frame-Options" 122 | value: "DENY" 123 | 124 | - type: replace 125 | path: /instance_groups/name=router-main/jobs/name=gorouter/properties/router/max_tls_version? 126 | value: TLSv1.3 127 | -------------------------------------------------------------------------------- /bosh/opsfiles/routing.yml: -------------------------------------------------------------------------------- 1 | # Routing Release 2 | # https://github.com/cloudfoundry/routing-release 3 | 4 | # Set global router timeout (request start to last byte sent) to 3600 seconds 5 | - type: replace 6 | path: /instance_groups/name=router/jobs/name=gorouter/properties/request_timeout_in_seconds? 7 | value: 3600 8 | 9 | - type: replace 10 | path: /instance_groups/name=router/jobs/name=gorouter/properties/router/max_tls_version? 
11 | value: TLSv1.3 12 | -------------------------------------------------------------------------------- /bosh/opsfiles/scaling-development.yml: -------------------------------------------------------------------------------- 1 | # nats 2 | - type: replace 3 | path: /instance_groups/name=nats/instances 4 | value: 1 5 | - type: replace 6 | path: /instance_groups/name=nats/vm_type 7 | value: t3.small 8 | 9 | # diego api 10 | - type: replace 11 | path: /instance_groups/name=diego-api/instances 12 | value: 1 13 | - type: replace 14 | path: /instance_groups/name=diego-api/vm_type 15 | value: t3.small 16 | 17 | # uaa 18 | - type: replace 19 | path: /instance_groups/name=uaa/instances 20 | value: 2 21 | - type: replace 22 | path: /instance_groups/name=uaa/vm_type 23 | value: t3.medium 24 | 25 | # capi 26 | - type: replace 27 | path: /instance_groups/name=api/instances 28 | value: 2 29 | - type: replace 30 | path: /instance_groups/name=api/vm_type 31 | value: t3.medium 32 | 33 | # capi worker 34 | - type: replace 35 | path: /instance_groups/name=cc-worker/instances 36 | value: 1 37 | - type: replace 38 | path: /instance_groups/name=cc-worker/vm_type 39 | value: t3.medium 40 | 41 | # gorouter 42 | - type: replace 43 | path: /instance_groups/name=router/instances 44 | value: 2 45 | - type: replace 46 | path: /instance_groups/name=router/vm_type 47 | value: t3.small 48 | - type: replace 49 | path: /instance_groups/name=router/update? 50 | value: 51 | max_in_flight: 20% 52 | canaries: 20% 53 | 54 | # router-main 55 | - type: replace 56 | path: /instance_groups/name=router-main/instances 57 | value: 2 58 | - type: replace 59 | path: /instance_groups/name=router-main/vm_type 60 | value: t3.small 61 | - type: replace 62 | path: /instance_groups/name=router-main/update? 
63 | value: 64 | max_in_flight: 20% 65 | canaries: 20% 66 | 67 | 68 | # router-logstash 69 | - type: replace 70 | path: /instance_groups/name=router-logstash/instances 71 | value: 2 72 | - type: replace 73 | path: /instance_groups/name=router-logstash/vm_type 74 | value: t3.small 75 | - type: replace 76 | path: /instance_groups/name=router-logstash/update? 77 | value: 78 | max_in_flight: 20% 79 | canaries: 20% 80 | 81 | # scheduler 82 | - type: replace 83 | path: /instance_groups/name=scheduler/instances 84 | value: 1 85 | - type: replace 86 | path: /instance_groups/name=scheduler/vm_type 87 | value: t3.medium 88 | 89 | # doppler 90 | - type: replace 91 | path: /instance_groups/name=doppler/instances 92 | value: 1 93 | - type: replace 94 | path: /instance_groups/name=doppler/vm_type 95 | value: t3.large 96 | - type: replace 97 | path: /instance_groups/name=doppler/update? 98 | value: 99 | max_in_flight: 20% 100 | canaries: 20% 101 | 102 | # log-cache 103 | - type: replace 104 | path: /instance_groups/name=log-cache/instances 105 | value: 1 106 | - type: replace 107 | path: /instance_groups/name=log-cache/vm_type 108 | value: t3.large 109 | - type: replace 110 | path: /instance_groups/name=log-cache/update? 111 | value: 112 | max_in_flight: 40% 113 | canaries: 40% 114 | 115 | # log-api 116 | - type: replace 117 | path: /instance_groups/name=log-api/instances 118 | value: 1 119 | - type: replace 120 | path: /instance_groups/name=log-api/vm_type 121 | value: t3.medium 122 | - type: replace 123 | path: /instance_groups/name=log-api/update? 124 | value: 125 | max_in_flight: 30% 126 | canaries: 30% 127 | 128 | # diego (platform and customer) 129 | - type: replace 130 | path: /instance_groups/name=diego-cell/vm_type 131 | value: t3.xlarge 132 | - type: replace 133 | path: /instance_groups/name=diego-cell/update? 
134 | value: 135 | max_in_flight: 11% 136 | canaries: 11% 137 | - type: replace 138 | path: /instance_groups/name=diego-platform-cell/vm_type 139 | value: t3.xlarge 140 | - type: replace 141 | path: /instance_groups/name=diego-platform-cell/instances 142 | value: 3 143 | 144 | # rotate-cc-database-key 145 | - type: replace 146 | path: /instance_groups/name=rotate-cc-database-key/vm_type 147 | value: t3.medium 148 | 149 | 150 | # iso-segs 151 | - type: replace 152 | path: /instance_groups/name=diego-cell-iso-seg-devtools/vm_type 153 | value: t3.large 154 | 155 | - type: replace 156 | path: /instance_groups/name=diego-cell-iso-seg-devtools/instances 157 | value: 1 -------------------------------------------------------------------------------- /bosh/opsfiles/scaling-production.yml: -------------------------------------------------------------------------------- 1 | # nats 2 | - type: replace 3 | path: /instance_groups/name=nats/instances 4 | value: 3 5 | - type: replace 6 | path: /instance_groups/name=nats/vm_type 7 | value: t3.large 8 | 9 | # diego-api 10 | - type: replace 11 | path: /instance_groups/name=diego-api/instances 12 | value: 3 13 | - type: replace 14 | path: /instance_groups/name=diego-api/vm_type 15 | value: t3.large 16 | 17 | # uaa 18 | - type: replace 19 | path: /instance_groups/name=uaa/instances 20 | value: 4 21 | - type: replace 22 | path: /instance_groups/name=uaa/vm_type 23 | value: r6i.large 24 | 25 | # capi 26 | - type: replace 27 | path: /instance_groups/name=api/instances 28 | value: 6 29 | - type: replace 30 | path: /instance_groups/name=api/vm_type 31 | value: m6i.large 32 | 33 | # capi worker 34 | - type: replace 35 | path: /instance_groups/name=cc-worker/instances 36 | value: 2 37 | - type: replace 38 | path: /instance_groups/name=cc-worker/vm_type 39 | value: t3.large 40 | 41 | # gorouters 42 | - type: replace 43 | path: /instance_groups/name=router/instances 44 | value: 20 45 | - type: replace 46 | path: 
/instance_groups/name=router/vm_type 47 | value: c6i.2xlarge 48 | - type: replace 49 | path: /instance_groups/name=router/update? 50 | value: 51 | serial: true 52 | max_in_flight: 20% 53 | canaries: 20% 54 | 55 | # router-main 56 | - type: replace 57 | path: /instance_groups/name=router-main/instances 58 | value: 3 59 | - type: replace 60 | path: /instance_groups/name=router-main/vm_type 61 | value: c6i.2xlarge 62 | - type: replace 63 | path: /instance_groups/name=router-main/update? 64 | value: 65 | serial: true 66 | max_in_flight: 20% 67 | canaries: 20% 68 | 69 | # router-logstash 70 | - type: replace 71 | path: /instance_groups/name=router-logstash/instances 72 | value: 3 73 | - type: replace 74 | path: /instance_groups/name=router-logstash/vm_type 75 | value: c6i.2xlarge 76 | - type: replace 77 | path: /instance_groups/name=router-logstash/update? 78 | value: 79 | max_in_flight: 20% 80 | canaries: 20% 81 | 82 | 83 | # scheduler 84 | - type: replace 85 | path: /instance_groups/name=scheduler/instances 86 | value: 2 87 | - type: replace 88 | path: /instance_groups/name=scheduler/vm_type 89 | value: t3.xlarge 90 | 91 | # diego platform (platform and customer) 92 | - type: replace 93 | path: /instance_groups/name=diego-cell/instances 94 | value: 42 95 | - type: replace 96 | path: /instance_groups/name=diego-cell/vm_type 97 | value: r6i.2xlarge 98 | - type: replace 99 | path: /instance_groups/name=diego-cell/update? 100 | value: 101 | max_in_flight: 3 102 | canaries: 3 103 | - type: replace 104 | path: /instance_groups/name=diego-platform-cell/vm_type 105 | value: r6i.2xlarge 106 | - type: replace 107 | path: /instance_groups/name=diego-platform-cell/instances 108 | value: 3 109 | 110 | # doppler 111 | - type: replace 112 | path: /instance_groups/name=doppler/instances 113 | value: 10 114 | - type: replace 115 | path: /instance_groups/name=doppler/vm_type 116 | value: m6i.2xlarge 117 | - type: replace 118 | path: /instance_groups/name=doppler/update? 
119 | value: 120 | max_in_flight: 20% 121 | canaries: 20% 122 | 123 | # log-cache 124 | - type: replace 125 | path: /instance_groups/name=log-cache/instances 126 | value: 5 127 | - type: replace 128 | path: /instance_groups/name=log-cache/vm_type 129 | value: m6i.2xlarge 130 | - type: replace 131 | path: /instance_groups/name=log-cache/update? 132 | value: 133 | max_in_flight: 40% 134 | canaries: 40% 135 | 136 | # log-api 137 | - type: replace 138 | path: /instance_groups/name=log-api/instances 139 | value: 7 140 | - type: replace 141 | path: /instance_groups/name=log-api/vm_type 142 | value: m6i.xlarge 143 | - type: replace 144 | path: /instance_groups/name=log-api/update? 145 | value: 146 | max_in_flight: 30% 147 | canaries: 30% 148 | 149 | # rotate-cc-database-key 150 | - type: replace 151 | path: /instance_groups/name=rotate-cc-database-key/vm_type 152 | value: t3.medium 153 | 154 | # iso-segs 155 | - type: replace 156 | path: /instance_groups/name=diego-cell-iso-seg-devtools/vm_type 157 | value: r6i.2xlarge 158 | 159 | - type: replace 160 | path: /instance_groups/name=diego-cell-iso-seg-devtools/instances 161 | value: 3 -------------------------------------------------------------------------------- /bosh/opsfiles/scaling-staging.yml: -------------------------------------------------------------------------------- 1 | # nats 2 | - type: replace 3 | path: /instance_groups/name=nats/instances 4 | value: 2 5 | - type: replace 6 | path: /instance_groups/name=nats/vm_type 7 | value: t3.medium 8 | 9 | # diego-api 10 | - type: replace 11 | path: /instance_groups/name=diego-api/instances 12 | value: 2 13 | - type: replace 14 | path: /instance_groups/name=diego-api/vm_type 15 | value: t3.large 16 | 17 | # uaa 18 | - type: replace 19 | path: /instance_groups/name=uaa/instances 20 | value: 2 21 | - type: replace 22 | path: /instance_groups/name=uaa/vm_type 23 | value: t3.large 24 | 25 | # capi 26 | - type: replace 27 | path: /instance_groups/name=api/instances 28 | 
value: 2 29 | - type: replace 30 | path: /instance_groups/name=api/vm_type 31 | value: t3.large 32 | 33 | # capi worker 34 | - type: replace 35 | path: /instance_groups/name=cc-worker/instances 36 | value: 2 37 | - type: replace 38 | path: /instance_groups/name=cc-worker/vm_type 39 | value: t3.medium 40 | 41 | # gorouters 42 | - type: replace 43 | path: /instance_groups/name=router/instances 44 | value: 2 45 | - type: replace 46 | path: /instance_groups/name=router/vm_type 47 | value: t3.medium 48 | - type: replace 49 | path: /instance_groups/name=router/update? 50 | value: 51 | max_in_flight: 20% 52 | canaries: 20% 53 | 54 | 55 | # router-main 56 | - type: replace 57 | path: /instance_groups/name=router-main/instances 58 | value: 2 59 | - type: replace 60 | path: /instance_groups/name=router-main/vm_type 61 | value: t3.medium 62 | - type: replace 63 | path: /instance_groups/name=router-main/update? 64 | value: 65 | max_in_flight: 20% 66 | canaries: 20% 67 | 68 | # router-logstash 69 | - type: replace 70 | path: /instance_groups/name=router-logstash/instances 71 | value: 2 72 | - type: replace 73 | path: /instance_groups/name=router-logstash/vm_type 74 | value: t3.medium 75 | - type: replace 76 | path: /instance_groups/name=router-logstash/update? 77 | value: 78 | max_in_flight: 20% 79 | canaries: 20% 80 | 81 | 82 | # scheduler 83 | - type: replace 84 | path: /instance_groups/name=scheduler/instances 85 | value: 1 86 | - type: replace 87 | path: /instance_groups/name=scheduler/vm_type 88 | value: t3.xlarge 89 | 90 | # doppler 91 | - type: replace 92 | path: /instance_groups/name=doppler/instances 93 | value: 2 94 | - type: replace 95 | path: /instance_groups/name=doppler/vm_type 96 | value: t3.xlarge 97 | - type: replace 98 | path: /instance_groups/name=doppler/update? 
99 | value: 100 | max_in_flight: 20% 101 | canaries: 20% 102 | 103 | # log-cache 104 | - type: replace 105 | path: /instance_groups/name=log-cache/instances 106 | value: 2 107 | - type: replace 108 | path: /instance_groups/name=log-cache/vm_type 109 | value: t3.xlarge 110 | - type: replace 111 | path: /instance_groups/name=log-cache/update? 112 | value: 113 | max_in_flight: 40% 114 | canaries: 40% 115 | 116 | # log-api 117 | - type: replace 118 | path: /instance_groups/name=log-api/instances 119 | value: 1 120 | - type: replace 121 | path: /instance_groups/name=log-api/vm_type 122 | value: t3.xlarge 123 | - type: replace 124 | path: /instance_groups/name=log-api/update? 125 | value: 126 | max_in_flight: 30% 127 | canaries: 30% 128 | 129 | # diego (platform and customer) 130 | - type: replace 131 | path: /instance_groups/name=diego-cell/vm_type 132 | value: r6i.2xlarge 133 | - type: replace 134 | path: /instance_groups/name=diego-cell/update? 135 | value: 136 | max_in_flight: 11% 137 | canaries: 11% 138 | - type: replace 139 | path: /instance_groups/name=diego-platform-cell/vm_type 140 | value: r6i.2xlarge 141 | - type: replace 142 | path: /instance_groups/name=diego-platform-cell/instances 143 | value: 2 144 | 145 | # rotate-cc-database-key 146 | - type: replace 147 | path: /instance_groups/name=rotate-cc-database-key/vm_type 148 | value: t3.medium 149 | 150 | # iso-segs 151 | - type: replace 152 | path: /instance_groups/name=diego-cell-iso-seg-devtools/vm_type 153 | value: r6i.2xlarge 154 | 155 | - type: replace 156 | path: /instance_groups/name=diego-cell-iso-seg-devtools/instances 157 | value: 1 -------------------------------------------------------------------------------- /bosh/opsfiles/secureproxy.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/- 3 | value: 4 | name: secureproxy 5 | version: latest 6 | 7 | - type: replace 8 | path: /instance_groups/name=router/jobs/- 9 | value: 10 
| name: secureproxy 11 | release: secureproxy 12 | properties: 13 | secureproxy: 14 | https_listen_port: 443 15 | https_proxy_port: 10443 16 | # Expose gorouter health check for ELB 17 | # For this to work, router.load_balancer_healthy_threshold must be set to 0 18 | custom_server_config: |- 19 | server { 20 | listen 81; 21 | location / { 22 | proxy_pass http://localhost:8080/health; 23 | } 24 | } 25 | 26 | server { 27 | listen 8081; 28 | location ~ (^/.well-known/acme-challenge/.*) { 29 | resolver 8.8.8.8; 30 | 31 | proxy_set_header Host s3-us-gov-west-1.amazonaws.com; 32 | proxy_set_header Authorization $http_authorization; 33 | proxy_set_header Connection ''; 34 | 35 | set $s3_host 's3-us-gov-west-1.amazonaws.com'; 36 | proxy_pass https://$s3_host/((challenge_bucket))$1; 37 | } 38 | } 39 | tic: 40 | host_whitelist: 41 | - hostname: api.((system_domain)) 42 | exclude: 43 | - ^/v2/info 44 | - ^/v3/info 45 | - hostname: dashboard.((system_domain)) 46 | exclude: [] 47 | secret: ((tic-secret)) 48 | whitelist: ((tic-whitelist)) 49 | proxy_whitelist: ((tic-proxy-whitelist)) 50 | 51 | # Remove the default router ssl certs and replace with our own signed with master bosh to prevent yearly 3 pave deploys 52 | - type: remove 53 | path: /variables/name=router_ssl 54 | - type: remove 55 | path: /variables/name=router_ca 56 | - type: replace 57 | path: /variables/- 58 | value: 59 | name: router_ssl 60 | type: certificate 61 | options: 62 | ca: /master-bosh-ca 63 | common_name: routerSSL 64 | alternative_names: 65 | - "((system_domain))" 66 | - "*.((system_domain))" 67 | 68 | # Always remove the http port and keep http disabled regardless of cf-deployment manifest 69 | - type: remove 70 | path: /instance_groups/name=router/jobs/name=gorouter/properties/router/port? 71 | 72 | - type: replace 73 | path: /instance_groups/name=router/jobs/name=gorouter/properties/router/disable_http? 
74 | value: true 75 | 76 | # This must be set to 0 to get the behavior we want according to the rules outlined here: 77 | # https://github.com/cloudfoundry-incubator/routing-release#configure-load-balancer-healthchecks-for-gorouter 78 | # With any other setting, the health check responds 200 for that period of time even though the router is not actually up yet 79 | # TODO: Revisit this setting once https://github.com/cloudfoundry/gorouter/issues/160 is closed 80 | 81 | - type: replace 82 | path: /instance_groups/name=router/jobs/name=gorouter/properties/router/load_balancer_healthy_threshold? 83 | value: 0 84 | 85 | - type: replace 86 | path: /instance_groups/name=router/jobs/name=secureproxy/properties/secureproxy/tls_cert? 87 | value: ((router_ssl.certificate)) 88 | 89 | - type: replace 90 | path: /instance_groups/name=router/jobs/name=secureproxy/properties/secureproxy/tls_key? 91 | value: ((router_ssl.private_key)) 92 | 93 | - type: replace 94 | path: /instance_groups/name=router/jobs/name=gorouter/properties/router/tls_port? 95 | value: 10443 96 | 97 | - type: replace 98 | path: /instance_groups/name=router/jobs/name=gorouter/properties/router/http_rewrite? 
99 | value: 100 | responses: 101 | add_headers_if_not_present: 102 | - name: "Strict-Transport-Security" 103 | value: "max-age=31536000" 104 | - name: "X-Content-Type-Options" 105 | value: "nosniff" 106 | - name: "Content-Type" 107 | value: "text/plain; charset=utf-8" 108 | - name: "X-Frame-Options" 109 | value: "DENY" 110 | -------------------------------------------------------------------------------- /bosh/opsfiles/smoke-tests.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=smoke-tests/vm_type 3 | value: t3.medium 4 | 5 | # Reuse existing org and space instead of creating a new one 6 | - type: replace 7 | path: /instance_groups/name=smoke-tests/jobs/name=smoke_tests/properties/smoke_tests?/org 8 | value: cf_smoke_tests_org 9 | 10 | - type: replace 11 | path: /instance_groups/name=smoke-tests/jobs/name=smoke_tests/properties/smoke_tests?/space 12 | value: cf_smoke_tests_space 13 | 14 | - type: replace 15 | path: /instance_groups/name=smoke-tests/jobs/name=smoke_tests/properties/smoke_tests?/use_existing_org 16 | value: true 17 | 18 | - type: replace 19 | path: /instance_groups/name=smoke-tests/jobs/name=smoke_tests/properties/smoke_tests?/use_existing_space 20 | value: true 21 | -------------------------------------------------------------------------------- /bosh/opsfiles/sql.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/max_idle_connections? 3 | value: 50 4 | 5 | - type: replace 6 | path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/max_open_connections? 
7 | value: 100 8 | -------------------------------------------------------------------------------- /bosh/opsfiles/tcp-cells-and-routers.yml: -------------------------------------------------------------------------------- 1 | # Copy original diego-cell from https://github.com/cloudfoundry/cf-deployment/blob/master/cf-deployment.yml 2 | - type: replace 3 | path: /instance_groups/- 4 | value: 5 | name: diego-tcp-cell 6 | azs: 7 | - z1 8 | - z2 9 | instances: 2 10 | vm_type: small-highmem 11 | vm_extensions: 12 | - 100GB_ephemeral_disk 13 | stemcell: default 14 | networks: 15 | - name: default 16 | jobs: 17 | - name: bosh-dns-adapter 18 | properties: 19 | internal_domains: ["apps.internal."] 20 | dnshttps: 21 | client: 22 | tls: ((cf_app_sd_client_tls)) 23 | server: 24 | ca: ((cf_app_sd_client_tls.ca)) 25 | release: cf-networking 26 | - name: cflinuxfs3-rootfs-setup 27 | release: cflinuxfs3 28 | properties: 29 | cflinuxfs3-rootfs: 30 | trusted_certs: 31 | - ((diego_instance_identity_ca.ca)) 32 | - ((uaa_ssl.ca)) 33 | - name: garden 34 | release: garden-runc 35 | provides: 36 | iptables: {as: iptables-tcp} 37 | properties: 38 | garden: 39 | containerd_mode: true 40 | cleanup_process_dirs_on_wait: true 41 | debug_listen_address: 127.0.0.1:17019 42 | default_container_grace_time: 0 43 | destroy_containers_on_start: true 44 | deny_networks: 45 | - 0.0.0.0/0 46 | network_plugin: /var/vcap/packages/runc-cni/bin/garden-external-networker 47 | network_plugin_extra_args: 48 | - --configFile=/var/vcap/jobs/garden-cni/config/adapter.json 49 | logging: 50 | format: 51 | timestamp: "rfc3339" 52 | - name: rep 53 | release: diego 54 | properties: 55 | bpm: 56 | enabled: true 57 | diego: 58 | executor: 59 | instance_identity_ca_cert: ((diego_instance_identity_ca.certificate)) 60 | instance_identity_key: ((diego_instance_identity_ca.private_key)) 61 | rep: 62 | preloaded_rootfses: 63 | - cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar 64 | containers: 65 | proxy: 66 | enabled: 
true 67 | require_and_verify_client_certificates: true 68 | trusted_ca_certificates: 69 | - ((gorouter_backend_tls.ca)) 70 | - ((ssh_proxy_backends_tls.ca)) 71 | verify_subject_alt_name: 72 | - gorouter.service.cf.internal 73 | - ssh-proxy.service.cf.internal 74 | trusted_ca_certificates: 75 | - ((diego_instance_identity_ca.ca))) 76 | - ((uaa_ssl.ca)) 77 | enable_consul_service_registration: false 78 | enable_declarative_healthcheck: true 79 | loggregator: *diego_loggregator_client_properties 80 | tls: 81 | ca_cert: "((diego_rep_agent_v2.ca))" 82 | cert: "((diego_rep_agent_v2.certificate))" 83 | key: "((diego_rep_agent_v2.private_key))" 84 | logging: 85 | format: 86 | timestamp: "rfc3339" 87 | - name: cfdot 88 | release: diego 89 | properties: 90 | tls: &cfdot_tls_client_properties 91 | ca_certificate: "((diego_rep_client.ca))" 92 | certificate: "((diego_rep_client.certificate))" 93 | private_key: "((diego_rep_client.private_key))" 94 | - name: route_emitter 95 | release: diego 96 | properties: 97 | bpm: 98 | enabled: true 99 | loggregator: &diego_loggregator_client_properties 100 | use_v2_api: true 101 | ca_cert: "((loggregator_tls_agent.ca))" 102 | cert: "((loggregator_tls_agent.certificate))" 103 | key: "((loggregator_tls_agent.private_key))" 104 | diego: 105 | route_emitter: 106 | local_mode: true 107 | bbs: 108 | ca_cert: "((diego_bbs_client.ca))" 109 | client_cert: "((diego_bbs_client.certificate))" 110 | client_key: "((diego_bbs_client.private_key))" 111 | nats: 112 | tls: 113 | enabled: true 114 | client_cert: "((nats_client_cert.certificate))" 115 | client_key: "((nats_client_cert.private_key))" 116 | tcp: 117 | enabled: true 118 | uaa: 119 | ca_cert: "((uaa_ssl.ca))" 120 | client_secret: "((uaa_clients_tcp_emitter_secret))" 121 | logging: 122 | format: 123 | timestamp: "rfc3339" 124 | internal_routes: 125 | enabled: true 126 | - name: garden-cni 127 | release: cf-networking 128 | properties: 129 | cni_plugin_dir: /var/vcap/packages/silk-cni/bin 130 | 
cni_config_dir: /var/vcap/jobs/silk-cni/config/cni 131 | - name: netmon 132 | release: silk 133 | consumes: 134 | iptables: {from: iptables-tcp} 135 | - name: vxlan-policy-agent 136 | release: silk 137 | provides: 138 | vpa: {as: vpa-tcp} 139 | consumes: 140 | iptables: {from: iptables-tcp} 141 | cni_config: {from: cni_config_tcp} 142 | properties: 143 | ca_cert: ((network_policy_client.ca)) 144 | client_cert: ((network_policy_client.certificate)) 145 | client_key: ((network_policy_client.private_key)) 146 | - name: silk-daemon 147 | release: silk 148 | consumes: 149 | vpa: {from: vpa-tcp} 150 | iptables: {from: iptables-tcp} 151 | properties: 152 | ca_cert: ((silk_daemon.ca)) 153 | client_cert: ((silk_daemon.certificate)) 154 | client_key: ((silk_daemon.private_key)) 155 | - name: silk-cni 156 | release: silk 157 | properties: 158 | dns_servers: 159 | - 169.254.0.2 160 | consumes: 161 | vpa: {from: vpa-tcp} 162 | provides: 163 | cni_config: {as: cni_config_tcp} 164 | - name: loggr-udp-forwarder 165 | release: loggregator-agent 166 | properties: 167 | loggregator: 168 | tls: 169 | ca: "((loggregator_tls_agent.ca))" 170 | cert: "((loggregator_tls_agent.certificate))" 171 | key: "((loggregator_tls_agent.private_key))" 172 | metrics: 173 | ca_cert: "((loggr_udp_forwarder_tls.ca))" 174 | cert: "((loggr_udp_forwarder_tls.certificate))" 175 | key: "((loggr_udp_forwarder_tls.private_key))" 176 | server_name: loggr_udp_forwarder_metrics 177 | 178 | 179 | # Set platform cell instance profile and placement tag 180 | - type: replace 181 | path: /instance_groups/name=diego-tcp-cell/jobs/name=rep/properties/diego/rep/placement_tags?/- 182 | value: tcp 183 | 184 | # Use distinct vxlan policy links for tenant cells 185 | - type: replace 186 | path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/provides?/vpa 187 | value: {as: vpa-tenant} 188 | - type: replace 189 | path: /instance_groups/name=diego-cell/jobs/name=silk-daemon/consumes?/vpa 190 | value: {from: 
vpa-tenant} 191 | - type: replace 192 | path: /instance_groups/name=diego-cell/jobs/name=silk-cni/consumes?/vpa 193 | value: {from: vpa-tenant} 194 | 195 | # Add platform cells to DNS aliases 196 | - type: replace 197 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/domain=_.cell.service.cf.internal/targets/- 198 | value: 199 | query: '_' 200 | instance_group: diego-tcp-cell 201 | deployment: ((deployment_name)) 202 | network: ((network_name)) 203 | domain: bosh 204 | 205 | # Enable service discovery 206 | - type: replace 207 | path: /instance_groups/name=diego-tcp-cell/jobs/name=bosh-dns-adapter? 208 | value: 209 | name: bosh-dns-adapter 210 | properties: 211 | internal_domains: ["apps.internal."] 212 | dnshttps: 213 | client: 214 | tls: ((cf_app_sd_client_tls)) 215 | server: 216 | ca: ((cf_app_sd_server_tls.ca)) 217 | release: cf-networking 218 | - type: replace 219 | path: /instance_groups/name=diego-tcp-cell/jobs/name=route_emitter/properties/internal_routes? 220 | value: 221 | enabled: true 222 | 223 | - type: replace 224 | path: /instance_groups/name=tcp-router/jobs/name=tcp_router/properties/tcp_router/isolation_segments? 225 | value: [tcp] 226 | 227 | - type: replace 228 | path: /instance_groups/name=tcp-router/jobs/name=tcp_router/properties/tcp_router/routing_table_sharding_mode? 229 | value: segments 230 | 231 | - type: replace 232 | path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/router_groups/name=default-tcp? 
233 | value: 234 | name: default-tcp 235 | reservable_ports: ((tcp_lb_listener_ports)) 236 | type: tcp -------------------------------------------------------------------------------- /bosh/opsfiles/temp-buildpack.yml: -------------------------------------------------------------------------------- 1 | # Added 12/17/21 to bump php and java buildpacks to cover log4j until cf-deployment catches up 2 | # Removed 03/02/22 from pipeline ci file since cf-deployment has caught up 3 | 4 | - type: replace 5 | path: /releases/name=java-buildpack 6 | value: 7 | name: "java-buildpack" 8 | version: "4.48" 9 | url: "https://bosh.io/d/github.com/cloudfoundry/java-buildpack-release?v=4.48" 10 | sha1: "ed240a6a338a9ac3e2f890bcce87d160abc9c4e8" 11 | 12 | - type: replace 13 | path: /releases/name=php-buildpack 14 | value: 15 | name: "php-buildpack" 16 | version: "4.4.55" 17 | url: "https://bosh.io/d/github.com/cloudfoundry/php-buildpack-release?v=4.4.55" 18 | sha1: "5dcb1988bdfaa67a334aa7c5aa0dcf95873bc362" 19 | 20 | - type: replace 21 | path: /releases/name=ruby-buildpack 22 | value: 23 | name: "ruby-buildpack" 24 | version: "1.8.50" 25 | url: "https://bosh.io/d/github.com/cloudfoundry/ruby-buildpack-release?v=1.8.50" 26 | sha1: "114297e62e958f61b09c10382bf5f71687af271d" -------------------------------------------------------------------------------- /bosh/opsfiles/uaa-cors.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/cors? 
3 | value: 4 | default: 5 | allowed: 6 | headers: 7 | - Accept 8 | - Authorization 9 | - Accept-Language 10 | - Content-Type 11 | - Content-Language 12 | - If-Match 13 | - X-Requested-With 14 | - X-Identity-Zone-Id 15 | - X-Identity-Zone-Subdomain 16 | origin: 17 | - ^cloud.gov$ 18 | - ^.*\.cloud.gov$ 19 | - ^localhost$ 20 | - ^.*\.localhost$ 21 | methods: 22 | - GET 23 | - PUT 24 | - POST 25 | - DELETE 26 | - OPTIONS 27 | credentials: true 28 | max_age: 10 29 | xhr: 30 | allowed: 31 | headers: 32 | - Accept 33 | - Authorization 34 | - Accept-Language 35 | - Content-Type 36 | - Content-Language 37 | - If-Match 38 | - X-Requested-With 39 | - X-Identity-Zone-Id 40 | - X-Identity-Zone-Subdomain 41 | origin: 42 | - ^cloud.gov$ 43 | - ^.*\.cloud.gov$ 44 | - ^localhost$ 45 | - ^.*\.localhost$ 46 | methods: 47 | - GET 48 | - POST 49 | - OPTIONS 50 | credentials: true 51 | max_age: 10 -------------------------------------------------------------------------------- /bosh/opsfiles/uaa-customized.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/- 3 | value: 4 | name: uaa-customized 5 | version: latest 6 | 7 | - type: replace 8 | path: /instance_groups/name=uaa/jobs/- 9 | value: 10 | name: uaa-customized 11 | release: uaa-customized -------------------------------------------------------------------------------- /bosh/opsfiles/uaa-groups.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/scim/groups? 
3 | value: 4 | pages.admin: "Administrators for the Pages product" 5 | pages.support: "Support users for the Pages product" 6 | pages.user: "Users for the Pages product" 7 | -------------------------------------------------------------------------------- /bosh/opsfiles/uaa-login.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/password?/policy 3 | value: &password-policy 4 | minLength: 20 5 | requireDigit: 0 6 | requireUpperCaseCharacter: 0 7 | requireLowerCaseCharacter: 0 8 | requireSpecialCharacter: 0 9 | expirePasswordInMonths: 0 10 | 11 | - type: replace 12 | path: /instance_groups/name=uaa/jobs/name=uaa-customized/properties?/uaa/password/policy 13 | value: *password-policy 14 | 15 | - type: replace 16 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/authentication?/policy 17 | value: 18 | lockoutAfterFailures: 3 19 | countFailuresWithinSeconds: 900 20 | lockoutPeriodSeconds: 1800 21 | 22 | # Expire session cookies after 15 minutes (900 seconds) per FedRAMP requirement, 23 | # and mark the cookie as Secure and HttpOnly 24 | - type: replace 25 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/servlet?/session-cookie 26 | value: 27 | secure: true 28 | http-only: true 29 | max-age: 900 30 | 31 | # Intended to disable self-service user management. 32 | # Disabling is currently broken, so this is left explicitly set to the default value (true). 33 | - type: replace 34 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/login?/self_service_links_enabled? 35 | value: true 36 | -------------------------------------------------------------------------------- /bosh/opsfiles/uaa-oauth-providers.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/login/oauth?/providers? 
3 | value: 4 | ssa.gov: ((uaa-oidc-provider-ssa-gov)) 5 | -------------------------------------------------------------------------------- /bosh/opsfiles/uaa-rds-ca.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/ca_certs? 3 | value: 4 | - |+ 5 | # UAA requires each cert as an array object 6 | # RDS US-GOV-WEST-1-BUNDLE.PEM UPDATED APRIL 2022 7 | # Amazon RDS GovCloud Root CA expires May22 8 | -----BEGIN CERTIFICATE----- 9 | MIIEDjCCAvagAwIBAgIJAMM61RQn3/kdMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD 10 | VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi 11 | MCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1h 12 | em9uIFJEUzEkMCIGA1UEAwwbQW1hem9uIFJEUyBHb3ZDbG91ZCBSb290IENBMB4X 13 | DTE3MDUxOTIyMjkxMVoXDTIyMDUxODIyMjkxMVowgZMxCzAJBgNVBAYTAlVTMRAw 14 | DgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQKDBlB 15 | bWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMSQw 16 | IgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwggEiMA0GCSqGSIb3 17 | DQEBAQUAA4IBDwAwggEKAoIBAQDGS9bh1FGiJPT+GRb3C5aKypJVDC1H2gbh6n3u 18 | j8cUiyMXfmm+ak402zdLpSYMaxiQ7oL/B3wEmumIpRDAsQrSp3B/qEeY7ipQGOfh 19 | q2TXjXGIUjiJ/FaoGqkymHRLG+XkNNBtb7MRItsjlMVNELXECwSiMa3nJL2/YyHW 20 | nTr1+11/weeZEKgVbCUrOugFkMXnfZIBSn40j6EnRlO2u/NFU5ksK5ak2+j8raZ7 21 | xW7VXp9S1Tgf1IsWHjGZZZguwCkkh1tHOlHC9gVA3p63WecjrIzcrR/V27atul4m 22 | tn56s5NwFvYPUIx1dbC8IajLUrepVm6XOwdQCfd02DmOyjWJAgMBAAGjYzBhMA4G 23 | A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRJEM+kuDUu 24 | ZTmCnA4wUrgnFaXc4zAfBgNVHSMEGDAWgBRJEM+kuDUuZTmCnA4wUrgnFaXc4zAN 25 | BgkqhkiG9w0BAQsFAAOCAQEAcfA7uirXsNZyI2j4AJFVtOTKOZlQwqbyNducnmlg 26 | /5nug9fAkwM4AgvF5bBOD1Hw6khdsccMwIj+1S7wpL+EYb/nSc8G0qe1p/9lZ/mZ 27 | ff5g4JOa26lLuCrZDqAk4TzYnt6sQKfa5ZXVUUn0BK3okhiXS0i+NloMyaBCL7vk 28 | kDwkHwEqflRKfZ9/oFTcCfoiHPA7AdBtaPVr0/Kj9L7k+ouz122huqG5KqX0Zpo8 29 | 
S0IGvcd2FZjNSNPttNAK7YuBVsZ0m2nIH1SLp//00v7yAHIgytQwwB17PBcp4NXD 30 | pCfTa27ng9mMMC2YLqWQpW4TkqjDin2ZC+5X/mbrjzTvVg== 31 | -----END CERTIFICATE----- 32 | - |+ 33 | # Amazon RDS us-gov-west-1 CA expires May22 34 | -----BEGIN CERTIFICATE----- 35 | MIIECjCCAvKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlVT 36 | MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK 37 | DBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRT 38 | MSQwIgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwHhcNMTcwNTE5 39 | MjIzMTE5WhcNMjIwNTE4MTIwMDAwWjCBkzELMAkGA1UEBhMCVVMxEzARBgNVBAgM 40 | Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoMGUFtYXpvbiBX 41 | ZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxJDAiBgNVBAMM 42 | G0FtYXpvbiBSRFMgdXMtZ292LXdlc3QtMSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD 43 | ggEPADCCAQoCggEBAM8YZLKAzzOdNnoi7Klih26Zkj+OCpDfwx4ZYB6f8L8UoQi5 44 | 8z9ZtIwMjiJ/kO08P1yl4gfc7YZcNFvhGruQZNat3YNpxwUpQcr4mszjuffbL4uz 45 | +/8FBxALdqCVOJ5Q0EVSfz3d9Bd1pUPL7ARtSpy7bn/tUPyQeI+lODYO906C0TQ3 46 | b9bjOsgAdBKkHfjLdsknsOZYYIzYWOJyFJJa0B11XjDUNBy/3IuC0KvDl6At0V5b 47 | 8M6cWcKhte2hgjwTYepV+/GTadeube1z5z6mWsN5arOAQUtYDLH6Aztq9mCJzLHm 48 | RccBugnGl3fRLJ2VjioN8PoGoN9l9hFBy5fnFgsCAwEAAaNmMGQwDgYDVR0PAQH/ 49 | BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFEG7+br8KkvwPd5g 50 | 71Rvh2stclJbMB8GA1UdIwQYMBaAFEkQz6S4NS5lOYKcDjBSuCcVpdzjMA0GCSqG 51 | SIb3DQEBCwUAA4IBAQBMA327u5ABmhX+aPxljoIbxnydmAFWxW6wNp5+rZrvPig8 52 | zDRqGQWWr7wWOIjfcWugSElYtf/m9KZHG/Z6+NG7nAoUrdcd1h/IQhb+lFQ2b5g9 53 | sVzQv/H2JNkfZA8fL/Ko/Tm/f9tcqe0zrGCtT+5u0Nvz35Wl8CEUKLloS5xEb3k5 54 | 7D9IhG3fsE3vHWlWrGCk1cKry3j12wdPG5cUsug0vt34u6rdhP+FsM0tHI15Kjch 55 | RuUCvyQecy2ZFNAa3jmd5ycNdL63RWe8oayRBpQBxPPCbHfILxGZEdJbCH9aJ2D/ 56 | l8oHIDnvOLdv7/cBjyYuvmprgPtu3QEkbre5Hln/ 57 | -----END CERTIFICATE----- 58 | - |+ 59 | # Amazon RDS us-gov-west-1 Root CA RSA2048 G1 expires April2162 60 | -----BEGIN CERTIFICATE----- 61 | MIIEBzCCAu+gAwIBAgIRAMSbo6rMlQ+TZDCb7zg40qUwDQYJKoZIhvcNAQEMBQAw 62 | 
gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 63 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 64 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 65 | A1UEBwwHU2VhdHRsZTAgFw0yMjA0MTUyMjM1MjFaGA8yMDYyMDQxNTIzMzUyMVow 66 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 67 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 68 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G 69 | A1UEBwwHU2VhdHRsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM3U 70 | XJp6XLyNdOmyuj19ZKNmbJTGoRbsnrdxYLxbhQRCykOga7Hh/D5qKPMR/B80OsoK 71 | uWpxWmQCaCP4Z9Aa9N68L0TRJXZoArZjV8q5nfjsYWQqOPx+cKtIxqvyotov5WE2 72 | RKaujqpKBAyI49542NNmOEROUshunxYh/7s3Z8oPxOX8kp6hLBtckqUzFbAb7/vM 73 | X0YpgNUpJ2G1Q9MLKfxEmw2p0WE1FEW35gMvUN4jFtTaKjsXtqGu6iF4YqEASwrv 74 | vPmLhBHuyKC9ZfEvYzFjw2+l5SMENvhAde10WUpBuJnK+ZoKgFxLOUcdyZO9fR1Y 75 | wVG5twjPnOhHUOLpAP0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E 76 | FgQUsjcnO96t1VCa/JBZSqY1asXWaZ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3 77 | DQEBDAUAA4IBAQCYx0FHyvrX1CeuKd4CEi50QUZzY1HjGoySz+by6rY1+jZ1v2cp 78 | JIBrhQ8VUiJ8EqCDKzzv1mBOA1lx+5jpWB2yKP2hq3YJ93BNK+KO7BgasCkUYLGk 79 | v3c2jo4J5qbWsNsqa/dog+qQbLAcqCx4MeZIadpdLv++ejGPjA0+zjXWwWmQ4RKe 80 | ILiR1wO52uKF90tiDTNi3C5oMaEYbW+Kbsfsx5NpybEU7DkrVKb4MTVgtFuAELrF 81 | 8Zmdbpv8xnUA+oo/QdLLX+eJP/+8tdeDdB6rYFKpJmC2B3EnaKS4X4UpxZJFAgig 82 | oB6q5jNJ5onkWIfx8luNdbagKSFZXHhSO8KP 83 | -----END CERTIFICATE----- 84 | - |+ 85 | # Amazon RDS us-gov-west-1 Root CA RSA4096 G1 expires May2121 86 | -----BEGIN CERTIFICATE----- 87 | MIIGBzCCA++gAwIBAgIRAOzQCoOR21YG2noWOfFcuNIwDQYJKoZIhvcNAQEMBQAw 88 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 89 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 90 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 91 | A1UEBwwHU2VhdHRsZTAgFw0yMTA1MjYyMTQ0MzlaGA8yMTIxMDUyNjIyNDQzOVow 92 | gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ 
93 | bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr 94 | QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G 95 | A1UEBwwHU2VhdHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwY 96 | M2iZdnnlMutI9nfn2fWBICAQHWmMmpPmtSka/ziBFyaCxkHDF8RLmooW+GLe+FEF 97 | 9CQKSVqRa7X5AFiqRFF1KvgxWvazawyScuw88JW6Eqhaw0Rlm2p1Iow3TE8FSCDo 98 | Is1vEV3Brbf26CMiXbqI+aCuTOy0fjRzjl5igViTgZxt2ZXOwyKkF+2T8LQp4b4F 99 | Mh85Ctw1An1DhAemsc3SmcYnPKyFUP90DxGuTjFtfNR01GbBtVYwVvOBgIJe59Zs 100 | OWcEFOO2mU53Ik6oKcLYu4+PmE5aDvQewb6bkQZchClb7Eg0BPYekWwTPsKUTS3H 101 | bgdwVxgzjdAdU9fvaaoQmS9xdHWlonKq8CubJdLUduV3WVmDAg7MQgiT3p8JF9W2 102 | KbQpUbYxqd7j9OIe3IS3rVPwYA8PVh1hUJ+OBLw61sbGRAuN3H+B1DlJh1smg6bR 103 | g9W+oLRzfjZa32EzFmaQIxtgRfiyjxB/vqAHdl5zPou30X1CyRYquS870O02bvTN 104 | zzWSOfRY4KPmS1YFVsN+m+R4+hSUOAE//bJ25ACP9oDO5w9NWkAux4e0UUAuWCra 105 | jRROYN2J0KCogdru5G7lOQerD12zi3C2iibty6ou4tQX+MIKMMUVq8cfUH7oKv/R 106 | 8mL5PV/NUsgO248llo0lr9QBwQKdiw17wCxFR+8vAgMBAAGjQjBAMA8GA1UdEwEB 107 | /wQFMAMBAf8wHQYDVR0OBBYEFPDYnx2xYIPDDAEjb6UcF29I6DgKMA4GA1UdDwEB 108 | /wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANTrAGs/GpXCADAwMGlrjXTdohp+p 109 | CIp3gbnryVYZBXvO+f8hjJ8bHk0D/DiBrkjE8o0IpNaAadOZa+WvTNMsanPmGf1A 110 | kD0vA9nm4gwEhBbzj9HRYX+dIhZhVWny9Kugm80s0h0hvbwTakUPOdMqkz6wn+xx 111 | Owh7AIwaC5TTCsQyKlv5rjVblvU1XFgBf3Pf3wvMAfjDoAEPTXER/9mLVbXe+EmW 112 | osP1JmgyDd+0WQFVK/LEDW81L5hsV5JvthAAFhGVtRw9ko5Ep28+EQUJE1wmLTdL 113 | PyjB/KfJrTMDq94WolzFv4JpUStHbclkKlXtigjKeiYZ5Yvo+vLMSkXemccSfYn7 114 | vdaUFD5vqWXvM4xhiYRq/tigw2E1bjmyd9L3XD7XalufZtMGWn7zT8HMPP+/Lch1 115 | JjZ9LL2Y99VIqhoHcuSa95FtLpYDRQ28K03uwqxqFnOQLyPVmYwsaHKnmmwaZDjF 116 | K1XxLVRLGRWvKEuSoWrsGcs3ehoxX4Knz/BaJzr/ioU1VnItj53tmOSJO0eMA6k+ 117 | egaVEb0FTa2F5xeLCKjgfDDWMz3v0TdL+kt+9z0THMlPWfOzd1C35ZzSIcTcRj22 118 | SAzsL0t5ZTI4XvoPFF8dga78/KsBRolqdPjs0UzdlKhwh1ADOkTRgLOaaidMEgsT 119 | JS/rbzD4FPbvc/g= 120 | -----END CERTIFICATE----- 121 | - |+ 122 | # Amazon RDS us-gov-west-1 Root CA ECC384 G1 expires May2121 123 | -----BEGIN 
CERTIFICATE----- 124 | MIICtDCCAjugAwIBAgIQPyg+edjKVnM2PB4KZVu66jAKBggqhkjOPQQDAzCBmjEL 125 | MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x 126 | EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpBbWF6 127 | b24gUkRTIHVzLWdvdi13ZXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcM 128 | B1NlYXR0bGUwIBcNMjEwNTI2MjE1MzI3WhgPMjEyMTA1MjYyMjUzMjdaMIGaMQsw 129 | CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET 130 | MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFtYXpv 131 | biBSRFMgdXMtZ292LXdlc3QtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH 132 | U2VhdHRsZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABFaqyIYrbpPfhiKzLEkmzp1j 133 | 3OYO/e1VE3vCf5c62bN5xYKFKH/MnKgsUFNsFpJ1t0p9cexi+607aiYOo1sOWvOj 134 | q3PUu+ltklQdvunU/Se5++qqsh7lylL5OF/F19uqfqNCMEAwDwYDVR0TAQH/BAUw 135 | AwEB/zAdBgNVHQ4EFgQUJHPtPhijPquZxTz2UGh4YV1npYMwDgYDVR0PAQH/BAQD 136 | AgGGMAoGCCqGSM49BAMDA2cAMGQCMHWDFuIZ9LZgysbL4vx/Ox9z8fbegb3352bM 137 | BFr6JV1x8VLbePblHd0V1MwDdRWeAwIwarWfOVdB1ijrwzjROzCwE0uBkHYUPr0Z 138 | vgwdtlsnwDw9TnjsBrTJkQ0aS8c0Ahl1 139 | -----END CERTIFICATE----- 140 | - |+ 141 | # rds-ca-2015-root.pem 142 | -----BEGIN CERTIFICATE----- 143 | MIID9DCCAtygAwIBAgIBQjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx 144 | EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoM 145 | GUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMx 146 | GzAZBgNVBAMMEkFtYXpvbiBSRFMgUm9vdCBDQTAeFw0xNTAyMDUwOTExMzFaFw0y 147 | MDAzMDUwOTExMzFaMIGKMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv 148 | bjEQMA4GA1UEBwwHU2VhdHRsZTEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNl 149 | cywgSW5jLjETMBEGA1UECwwKQW1hem9uIFJEUzEbMBkGA1UEAwwSQW1hem9uIFJE 150 | UyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD8nrZ8V 151 | u+VA8yVlUipCZIKPTDcOILYpUe8Tct0YeQQr0uyl018StdBsa3CjBgvwpDRq1HgF 152 | Ji2N3+39+shCNspQeE6aYU+BHXhKhIIStt3r7gl/4NqYiDDMWKHxHq0nsGDFfArf 153 | AOcjZdJagOMqb3fF46flc8k2E7THTm9Sz4L7RY1WdABMuurpICLFE3oHcGdapOb9 154 | 
T53pQR+xpHW9atkcf3pf7gbO0rlKVSIoUenBlZipUlp1VZl/OD/E+TtRhDDNdI2J 155 | P/DSMM3aEsq6ZQkfbz/Ilml+Lx3tJYXUDmp+ZjzMPLk/+3beT8EhrwtcG3VPpvwp 156 | BIOqsqVVTvw/CwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw 157 | AwEB/zAdBgNVHQ4EFgQUTgLurD72FchM7Sz1BcGPnIQISYMwHwYDVR0jBBgwFoAU 158 | TgLurD72FchM7Sz1BcGPnIQISYMwDQYJKoZIhvcNAQEFBQADggEBAHZcgIio8pAm 159 | MjHD5cl6wKjXxScXKtXygWH2BoDMYBJF9yfyKO2jEFxYKbHePpnXB1R04zJSWAw5 160 | 2EUuDI1pSBh9BA82/5PkuNlNeSTB3dXDD2PEPdzVWbSKvUB8ZdooV+2vngL0Zm4r 161 | 47QPyd18yPHrRIbtBtHR/6CwKevLZ394zgExqhnekYKIqqEX41xsUV0Gm6x4vpjf 162 | 2u6O/+YE2U+qyyxHE5Wd5oqde0oo9UUpFETJPVb6Q2cEeQib8PBAyi0i6KnF+kIV 163 | A9dY7IHSubtCK/i8wxMVqfd5GtbA8mmpeJFwnDvm9rBEsHybl08qlax9syEwsUYr 164 | /40NawZfTUU= 165 | -----END CERTIFICATE----- 166 | - |+ 167 | # rds-ca-2012-us-gov-west-1.pem 168 | -----BEGIN CERTIFICATE----- 169 | MIIDQzCCAqygAwIBAgIJAMGs6m/j+u8sMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV 170 | BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw 171 | EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h 172 | bWF6b24uY29tL3Jkcy8wHhcNMTIwODE2MDY0MjAwWhcNMTcwODE1MDY0MjAwWjB1 173 | MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh 174 | dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD 175 | ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 176 | gQCnTB7AkRR4xuhfAuOt5foNeCRBPeUujkzmJu1yfnTbtFi+g7zmovQ9BJcRoPYL 177 | 45McnXyaT/7UjhJhCI5gnYlTIyBTRFh7lXFJryypFx8AIh6q3D/ht8b6cVro3sJ2 178 | k4x1w/c7akKKsZJtf0ZyhbMvNnBz3K3TWVB6c9DChbfyUQIDAQABo4HaMIHXMB0G 179 | A1UdDgQWBBS/OwyfNJHDnAmnZBbq9ACiXz7O1jCBpwYDVR0jBIGfMIGcgBS/Owyf 180 | NJHDnAmnZBbq9ACiXz7O1qF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh 181 | c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x 182 | DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAMGs 183 | 6m/j+u8sMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACR37LqHlzjSH 184 | 9gHCaiVJgCb0CCxSg3PHaQuv8h4ugAqQpGxpX3Zo97VgHnjEve21gXA74kzGUUAo 185 | 
7YNTZWbF2VkHUDqekXimvL3q1JEvHDKPkLJrxEic1zTU1uazb9uJeb1aVWTq6N8R 186 | bx56xd/e3o7RYcPfLD45y7RRXKz3AmE= 187 | -----END CERTIFICATE----- 188 | - type: replace 189 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaadb/tls? 190 | value: enabled -------------------------------------------------------------------------------- /bosh/opsfiles/uaa-saml.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/login/saml/activeKeyId 3 | value: ((uaa-saml-active-key-id)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/login/saml/keys 7 | value: ((uaa-saml-keys)) 8 | 9 | - type: replace 10 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/login/saml/providers? 11 | value: ((uaa-saml-providers)) 12 | -------------------------------------------------------------------------------- /bosh/opsfiles/uaa-user.yml: -------------------------------------------------------------------------------- 1 | # Setup default authorities including dashboard and invite requirements 2 | - type: replace 3 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/user? 
4 | value: 5 | authorities: 6 | - openid 7 | - scim.me 8 | - cloud_controller.read 9 | - cloud_controller.write 10 | - cloud_controller_service_permissions.read 11 | - password.write 12 | - uaa.user 13 | - approvals.me 14 | - oauth.approvals 15 | - notification_preferences.read 16 | - notification_preferences.write 17 | - profile 18 | - roles 19 | - user_attributes 20 | - uaa.offline_token 21 | - scim.userids 22 | - scim.invite 23 | -------------------------------------------------------------------------------- /bosh/opsfiles/use-master-bosh-ca.yml: -------------------------------------------------------------------------------- 1 | - type: remove 2 | path: /variables/name=cf_app_sd_ca 3 | - type: replace 4 | path: /variables/name=cf_app_sd_client_tls/options/ca 5 | value: /master-bosh-ca 6 | - type: replace 7 | path: /variables/name=cf_app_sd_server_tls/options/ca 8 | value: /master-bosh-ca 9 | 10 | - type: remove 11 | path: /variables/name=silk_ca 12 | - type: replace 13 | path: /variables/name=silk_controller/options/ca 14 | value: /master-bosh-ca 15 | - type: replace 16 | path: /variables/name=silk_daemon/options/ca 17 | value: /master-bosh-ca 18 | 19 | - type: remove 20 | path: /variables/name=network_policy_ca 21 | - type: replace 22 | path: /variables/name=network_policy_server_external/options/ca 23 | value: /master-bosh-ca 24 | - type: replace 25 | path: /variables/name=network_policy_server/options/ca 26 | value: /master-bosh-ca 27 | - type: replace 28 | path: /variables/name=network_policy_client/options/ca 29 | value: /master-bosh-ca 30 | 31 | - type: remove 32 | path: /variables/name=service_cf_internal_ca 33 | - type: replace 34 | path: /variables/name=diego_auctioneer_client/options/ca 35 | value: /master-bosh-ca 36 | - type: replace 37 | path: /variables/name=diego_auctioneer_server/options/ca 38 | value: /master-bosh-ca 39 | - type: replace 40 | path: /variables/name=diego_bbs_client/options/ca 41 | value: /master-bosh-ca 42 | - type: replace 43 | 
path: /variables/name=diego_bbs_server/options/ca 44 | value: /master-bosh-ca 45 | - type: replace 46 | path: /variables/name=diego_rep_client/options/ca 47 | value: /master-bosh-ca 48 | - type: replace 49 | path: /variables/name=diego_rep_agent_v2/options/ca 50 | value: /master-bosh-ca 51 | 52 | - type: remove 53 | path: /variables/name=loggregator_ca 54 | - type: replace 55 | path: /variables/name=loggregator_tls_statsdinjector/options/ca 56 | value: /master-bosh-ca 57 | - type: replace 58 | path: /variables/name=loggregator_tls_agent/options/ca 59 | value: /master-bosh-ca 60 | - type: replace 61 | path: /variables/name=loggregator_tls_doppler/options/ca 62 | value: /master-bosh-ca 63 | - type: replace 64 | path: /variables/name=loggregator_tls_tc/options/ca 65 | value: /master-bosh-ca 66 | - type: replace 67 | path: /variables/name=loggregator_tls_cc_tc/options/ca 68 | value: /master-bosh-ca 69 | - type: replace 70 | path: /variables/name=loggregator_rlp_gateway_tls_cc/options/ca 71 | value: /master-bosh-ca 72 | - type: replace 73 | path: /variables/name=loggregator_tls_rlp/options/ca 74 | value: /master-bosh-ca 75 | - type: replace 76 | path: /variables/name=loggregator_rlp_gateway/options/ca 77 | value: /master-bosh-ca 78 | - type: replace 79 | path: /variables/name=logs_provider/options/ca 80 | value: /master-bosh-ca 81 | 82 | - type: remove 83 | path: /variables/name=log_cache_ca 84 | - type: replace 85 | path: /variables/name=log_cache/options/ca 86 | value: /master-bosh-ca 87 | - type: replace 88 | path: /variables/name=log_cache_to_loggregator_agent/options/ca 89 | value: /master-bosh-ca 90 | - type: replace 91 | path: /variables/name=cc_logcache_tls/options/ca 92 | value: /master-bosh-ca 93 | - type: replace 94 | path: /variables/name=logcache_ssl/options/ca 95 | value: /master-bosh-ca 96 | - type: replace 97 | path: /variables/name=log_cache_proxy_tls/options/ca 98 | value: /master-bosh-ca 99 | 100 | - type: remove 101 | path: /variables/name=uaa_ca 102 
| - type: replace 103 | path: /variables/name=uaa_ssl/options/ca 104 | value: /master-bosh-ca 105 | - type: replace 106 | path: /variables/name=uaa_login_saml/options/ca 107 | value: /master-bosh-ca 108 | 109 | - type: replace 110 | path: /variables/name=cc_tls/options/ca 111 | value: /master-bosh-ca 112 | - type: replace 113 | path: /variables/name=cc_public_tls/options/ca 114 | value: /master-bosh-ca 115 | - type: replace 116 | path: /variables/name=cc_bridge_tps/options/ca 117 | value: /master-bosh-ca 118 | - type: replace 119 | path: /variables/name=cc_bridge_cc_uploader/options/ca 120 | value: /master-bosh-ca 121 | - type: replace 122 | path: /variables/name=cc_bridge_cc_uploader_server/options/ca 123 | value: /master-bosh-ca 124 | - type: replace 125 | path: /variables/name=diego_locket_server/options/ca 126 | value: /master-bosh-ca 127 | 128 | - type: replace 129 | path: /variables/name=gorouter_backend_tls/options/ca 130 | value: /master-bosh-ca 131 | - type: replace 132 | path: /variables/name=ssh_proxy_backends_tls/options/ca 133 | value: /master-bosh-ca 134 | - type: replace 135 | path: /variables/name=loggregator_rlp_gateway_tls/options/ca 136 | value: /master-bosh-ca 137 | - type: replace 138 | path: /variables/name=loggregator_trafficcontroller_tls/options/ca 139 | value: /master-bosh-ca 140 | 141 | - type: remove 142 | path: /variables/name=metric_scraper_ca 143 | - type: replace 144 | path: /variables/name=metrics_agent_tls/options/ca 145 | value: /master-bosh-ca 146 | - type: replace 147 | path: /variables/name=metrics_discovery_metrics_tls/options/ca 148 | value: /master-bosh-ca 149 | - type: replace 150 | path: /variables/name=scrape_config_generator_metrics_tls/options/ca 151 | value: /master-bosh-ca 152 | - type: replace 153 | path: /variables/name=log_cache_metrics_tls/options/ca 154 | value: /master-bosh-ca 155 | - type: replace 156 | path: /variables/name=log_cache_nozzle_metrics_tls/options/ca 157 | value: /master-bosh-ca 158 | - type: 
replace 159 | path: /variables/name=log_cache_cf_auth_proxy_metrics_tls/options/ca 160 | value: /master-bosh-ca 161 | - type: replace 162 | path: /variables/name=log_cache_gateway_metrics_tls/options/ca 163 | value: /master-bosh-ca 164 | - type: replace 165 | path: /variables/name=forwarder_agent_metrics_tls/options/ca 166 | value: /master-bosh-ca 167 | - type: replace 168 | path: /variables/name=loggregator_agent_metrics_tls/options/ca 169 | value: /master-bosh-ca 170 | - type: replace 171 | path: /variables/name=loggr_udp_forwarder_tls/options/ca 172 | value: /master-bosh-ca 173 | - type: replace 174 | path: /variables/name=syslog_agent_api_tls/options/ca 175 | value: /master-bosh-ca 176 | - type: replace 177 | path: /variables/name=binding_cache_api_tls/options/ca 178 | value: /master-bosh-ca 179 | - type: replace 180 | path: /variables/name=binding_cache_tls/options/ca 181 | value: /master-bosh-ca 182 | - type: replace 183 | path: /variables/name=syslog_agent_metrics_tls/options/ca 184 | value: /master-bosh-ca 185 | - type: replace 186 | path: /variables/name=loggr_syslog_binding_cache_metrics_tls/options/ca 187 | value: /master-bosh-ca 188 | - type: replace 189 | path: /variables/name=prom_scraper_scrape_tls/options/ca 190 | value: /master-bosh-ca 191 | - type: replace 192 | path: /variables/name=prom_scraper_metrics_tls/options/ca 193 | value: /master-bosh-ca 194 | - type: replace 195 | path: /variables/name=rlp_gateway_metrics_tls/options/ca 196 | value: /master-bosh-ca 197 | 198 | - type: remove 199 | path: /variables/name=nats_internal_ca 200 | - type: replace 201 | path: /variables/name=nats_internal_cert/options/ca 202 | value: /master-bosh-ca 203 | 204 | - type: remove 205 | path: /variables/name=nats_ca 206 | - type: replace 207 | path: /variables/name=nats_client_cert/options/ca 208 | value: /master-bosh-ca 209 | - type: replace 210 | path: /variables/name=nats_server_cert/options/ca 211 | value: /master-bosh-ca 212 | 213 | - type: replace 214 | path: 
/variables/- 215 | value: 216 | name: broker-deployer-password 217 | type: password 218 | - type: replace 219 | path: /variables/- 220 | value: 221 | name: user-tester-password 222 | type: password 223 | - type: replace 224 | path: /variables/- 225 | value: 226 | name: uaa-extras-client-secret 227 | type: password 228 | - type: replace 229 | path: /variables/- 230 | value: 231 | name: uaa-credentials-broker-client-secret 232 | type: password 233 | - type: replace 234 | path: /variables/- 235 | value: 236 | name: uaa-client-audit-client-secret 237 | type: password 238 | - type: replace 239 | path: /variables/- 240 | value: 241 | name: terraform-client-secret 242 | type: password 243 | - type: replace 244 | path: /variables/- 245 | value: 246 | name: stratos-client-secret 247 | type: password 248 | - type: replace 249 | path: /variables/- 250 | value: 251 | name: sandbox-bot-client-secret 252 | type: password 253 | - type: replace 254 | path: /variables/- 255 | value: 256 | name: s3-broker-client-secret 257 | type: password 258 | - type: replace 259 | path: /variables/- 260 | value: 261 | name: logsearch-firehose-ingestor-client-secret 262 | type: password 263 | - type: replace 264 | path: /variables/- 265 | value: 266 | name: kibana-client-secret 267 | type: password 268 | - type: replace 269 | path: /variables/- 270 | value: 271 | name: firehose-exporter-client-secret 272 | type: password 273 | - type: replace 274 | path: /variables/- 275 | value: 276 | name: cf-exporter-client-secret 277 | type: password 278 | - type: replace 279 | path: /variables/- 280 | value: 281 | name: cdn-broker-secret 282 | type: password 283 | - type: replace 284 | path: /variables/- 285 | value: 286 | name: buildpack-notifier-client-secret 287 | type: password 288 | - type: replace 289 | -------------------------------------------------------------------------------- /bosh/opsfiles/use-s3-blobstore.yml: -------------------------------------------------------------------------------- 1 | 
--- 2 | # Modified from https://github.com/cloudfoundry/cf-deployment/blob/master/operations/use-s3-blobstore.yml 3 | - type: remove 4 | path: /instance_groups/name=singleton-blobstore 5 | 6 | - type: remove 7 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/buildpacks 8 | - type: remove 9 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/droplets 10 | - type: remove 11 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/packages 12 | - type: remove 13 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/resource_pool 14 | 15 | - type: remove 16 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/buildpacks 17 | - type: remove 18 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/droplets 19 | - type: remove 20 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/packages 21 | - type: remove 22 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/resource_pool 23 | 24 | - type: remove 25 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/buildpacks 26 | - type: remove 27 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/droplets 28 | - type: remove 29 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/packages 30 | - type: remove 31 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/resource_pool 32 | 33 | - type: replace 34 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/buildpacks?/fog_connection? 35 | value: &blobstore-properties 36 | provider: AWS 37 | use_iam_profile: true 38 | region: ((aws_region)) 39 | 40 | - type: replace 41 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/droplets?/fog_connection? 
42 | value: *blobstore-properties 43 | 44 | - type: replace 45 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/packages?/fog_connection? 46 | value: *blobstore-properties 47 | 48 | - type: replace 49 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/resource_pool?/fog_connection? 50 | value: *blobstore-properties 51 | 52 | - type: replace 53 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/buildpacks?/fog_connection? 54 | value: *blobstore-properties 55 | 56 | - type: replace 57 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/droplets?/fog_connection? 58 | value: *blobstore-properties 59 | 60 | - type: replace 61 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/packages?/fog_connection? 62 | value: *blobstore-properties 63 | 64 | - type: replace 65 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/resource_pool?/fog_connection? 66 | value: *blobstore-properties 67 | 68 | - type: replace 69 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/buildpacks?/fog_connection? 70 | value: *blobstore-properties 71 | 72 | - type: replace 73 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/droplets?/fog_connection? 74 | value: *blobstore-properties 75 | 76 | - type: replace 77 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/packages?/fog_connection? 78 | value: *blobstore-properties 79 | 80 | - type: replace 81 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/resource_pool?/fog_connection? 82 | value: *blobstore-properties 83 | 84 | - type: replace 85 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/buildpacks/webdav_config? 
86 | value: &webdav_config 87 | public_endpoint: blobstore.((system_domain)) 88 | 89 | - type: replace 90 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/droplets/webdav_config? 91 | value: *webdav_config 92 | 93 | - type: replace 94 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/packages/webdav_config? 95 | value: *webdav_config 96 | 97 | - type: replace 98 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/resource_pool/webdav_config? 99 | value: *webdav_config 100 | 101 | - type: replace 102 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/buildpacks/webdav_config? 103 | value: *webdav_config 104 | 105 | - type: replace 106 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/droplets/webdav_config? 107 | value: *webdav_config 108 | 109 | - type: replace 110 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/packages/webdav_config? 111 | value: *webdav_config 112 | 113 | - type: replace 114 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/resource_pool/webdav_config? 115 | value: *webdav_config 116 | 117 | - type: replace 118 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/buildpacks/webdav_config? 119 | value: *webdav_config 120 | 121 | - type: replace 122 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/droplets/webdav_config? 123 | value: *webdav_config 124 | 125 | - type: replace 126 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/packages/webdav_config? 127 | value: *webdav_config 128 | 129 | - type: replace 130 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/resource_pool/webdav_config? 
131 | value: *webdav_config 132 | 133 | # replace s3 bucket names 134 | - type: replace 135 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/buildpacks/buildpack_directory_key? 136 | value: ((buildpack_directory_key)) 137 | 138 | - type: replace 139 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/droplets/droplet_directory_key? 140 | value: ((droplet_directory_key)) 141 | 142 | - type: replace 143 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/packages/app_package_directory_key? 144 | value: ((app_package_directory_key)) 145 | 146 | - type: replace 147 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/resource_pool/resource_directory_key? 148 | value: ((resource_directory_key)) 149 | 150 | - type: replace 151 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/buildpacks/buildpack_directory_key? 152 | value: ((buildpack_directory_key)) 153 | 154 | - type: replace 155 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/droplets/droplet_directory_key? 156 | value: ((droplet_directory_key)) 157 | 158 | - type: replace 159 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/packages/app_package_directory_key? 160 | value: ((app_package_directory_key)) 161 | 162 | - type: replace 163 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/resource_pool/resource_directory_key? 164 | value: ((resource_directory_key)) 165 | 166 | - type: replace 167 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/buildpacks/buildpack_directory_key? 168 | value: ((buildpack_directory_key)) 169 | 170 | - type: replace 171 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/droplets/droplet_directory_key? 
172 | value: ((droplet_directory_key)) 173 | 174 | - type: replace 175 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/packages/app_package_directory_key? 176 | value: ((app_package_directory_key)) 177 | 178 | - type: replace 179 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/resource_pool/resource_directory_key? 180 | value: ((resource_directory_key)) 181 | 182 | # remove unnecessary variables for internal blobstore 183 | 184 | - type: remove 185 | path: /variables/name=blobstore_admin_users_password 186 | 187 | - type: remove 188 | path: /variables/name=blobstore_secure_link_secret 189 | 190 | - type: remove 191 | path: /variables/name=blobstore_tls 192 | -------------------------------------------------------------------------------- /bosh/opsfiles/users.yml: -------------------------------------------------------------------------------- 1 | # Existing user for acceptance tests 2 | - type: replace 3 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/scim/users/- 4 | value: 5 | name: user-tester 6 | password: ((user-tester-password)) 7 | groups: [openid] 8 | 9 | # Broker deploy user 10 | - type: replace 11 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/scim/users/- 12 | value: 13 | name: broker-deployer 14 | password: ((broker-deployer-password)) 15 | groups: [openid, cloud_controller.admin] 16 | 17 | # Autoscaler user 18 | - type: replace 19 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/scim/users/- 20 | value: 21 | name: autoscaler 22 | password: ((autoscaler-password)) 23 | groups: [openid, cloud_controller.admin, scim.read, scim.write] 24 | - type: replace 25 | path: /variables/- 26 | value: 27 | name: autoscaler-password 28 | type: password 29 | 30 | # Sandbox Bot user 31 | # Note: this user is used by the acceptance tests, the sandbox-bot client is used inside the app and doesn't need the higher level of permissions 32 | - type: 
replace 33 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/scim/users/- 34 | value: 35 | name: sandbox-bot-user 36 | password: ((sandbox-bot-password)) 37 | groups: [openid, cloud_controller.admin, scim.read, scim.write] 38 | - type: replace 39 | path: /variables/- 40 | value: 41 | name: sandbox-bot-password 42 | type: password -------------------------------------------------------------------------------- /bosh/opsfiles/wazuh.yml: -------------------------------------------------------------------------------- 1 | # NOTES: 2 | # - This should only be used in development until this message is removed 3 | # - This is experimental 4 | 5 | # Add All In One Wazuh to DNS aliases 6 | 7 | 8 | - type: replace 9 | path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/- 10 | value: 11 | domain: wazuh-dashboard.service.cf.internal 12 | targets: 13 | - deployment: wazuh 14 | domain: bosh 15 | instance_group: wazuh-dashboard 16 | network: default 17 | query: '*' 18 | -------------------------------------------------------------------------------- /bosh/varsfiles/development.yml: -------------------------------------------------------------------------------- 1 | environment: development 2 | network_name: default 3 | deployment_name: cf-development 4 | company-name: cloud.gov development 5 | system_domain: dev.us-gov-west-1.aws-us-gov.cloud.gov 6 | app_domain: dev.us-gov-west-1.aws-us-gov.cloud.gov 7 | 8 | buildpack_directory_key: cf-development-buildpacks 9 | droplet_directory_key: cf-development-droplets 10 | app_package_directory_key: cf-development-cc-packages 11 | resource_directory_key: cf-development-cc-resources 12 | 13 | csp-enabled: false 14 | csp-report-only: true 15 | csp-report-uri: cspr-collector.fr.cloud.gov 16 | csp-host-patterns: 17 | - logs.dev.us-gov-west-1.aws-us-gov.cloud.gov 18 | - dashboard.dev.us-gov-west-1.aws-us-gov.cloud.gov 19 | - logs-platform.dev.us-gov-west-1.aws-us-gov.cloud.gov 20 | - 
admin.dev.us-gov-west-1.aws-us-gov.cloud.gov 21 | - uaa.dev.us-gov-west-1.aws-us-gov.cloud.gov 22 | - login.dev.us-gov-west-1.aws-us-gov.cloud.gov 23 | - account.dev.us-gov-west-1.aws-us-gov.cloud.gov 24 | - idp.dev.us-gov-west-1.aws-us-gov.cloud.gov 25 | -------------------------------------------------------------------------------- /bosh/varsfiles/production.yml: -------------------------------------------------------------------------------- 1 | environment: production 2 | network_name: default 3 | deployment_name: cf-production 4 | company-name: cloud.gov 5 | system_domain: fr.cloud.gov 6 | app_domain: app.cloud.gov 7 | 8 | buildpack_directory_key: cf-production-buildpacks 9 | droplet_directory_key: cf-production-droplets 10 | app_package_directory_key: cf-production-cc-packages 11 | resource_directory_key: cf-production-cc-resources 12 | -------------------------------------------------------------------------------- /bosh/varsfiles/staging.yml: -------------------------------------------------------------------------------- 1 | environment: staging 2 | network_name: default 3 | deployment_name: cf-staging 4 | company-name: cloud.gov staging 5 | system_domain: fr-stage.cloud.gov 6 | app_domain: fr-stage.cloud.gov 7 | 8 | buildpack_directory_key: cf-staging-buildpacks 9 | droplet_directory_key: cf-staging-droplets 10 | app_package_directory_key: cf-staging-cc-packages 11 | resource_directory_key: cf-staging-cc-resources 12 | -------------------------------------------------------------------------------- /bosh/varsfiles/terraform.yml: -------------------------------------------------------------------------------- 1 | aws_region: ((terraform_outputs.vpc_region)) 2 | 3 | external_database_type: ((terraform_outputs.cf_rds_engine)) 4 | external_database_port: 5432 5 | 6 | external_cc_database_name: ccdb 7 | external_cc_database_address: ((terraform_outputs.cf_rds_host)) 8 | external_cc_database_username: ((terraform_outputs.cf_rds_username)) 9 | 
external_cc_database_password: ((terraform_outputs.cf_rds_password)) 10 | 11 | external_uaa_database_name: uaadb 12 | external_uaa_database_address: ((terraform_outputs.cf_rds_host)) 13 | external_uaa_database_username: ((terraform_outputs.cf_rds_username)) 14 | external_uaa_database_password: ((terraform_outputs.cf_rds_password)) 15 | 16 | external_bbs_database_name: cfdb 17 | external_bbs_database_address: ((terraform_outputs.cf_rds_host)) 18 | external_bbs_database_username: ((terraform_outputs.cf_rds_username)) 19 | external_bbs_database_password: ((terraform_outputs.cf_rds_password)) 20 | 21 | external_locket_database_name: locketdb 22 | external_locket_database_address: ((terraform_outputs.cf_rds_host)) 23 | external_locket_database_username: ((terraform_outputs.cf_rds_username)) 24 | external_locket_database_password: ((terraform_outputs.cf_rds_password)) 25 | 26 | external_policy_server_database_name: policydb 27 | external_policy_server_database_address: ((terraform_outputs.cf_rds_host)) 28 | external_policy_server_database_username: ((terraform_outputs.cf_rds_username)) 29 | external_policy_server_database_password: ((terraform_outputs.cf_rds_password)) 30 | 31 | external_silk_controller_database_name: silkdb 32 | external_silk_controller_database_address: ((terraform_outputs.cf_rds_host)) 33 | external_silk_controller_database_username: ((terraform_outputs.cf_rds_username)) 34 | external_silk_controller_database_password: ((terraform_outputs.cf_rds_password)) 35 | 36 | external_routing_api_database_name: routingdb 37 | external_routing_api_database_address: ((terraform_outputs.cf_rds_host)) 38 | external_routing_api_database_username: ((terraform_outputs.cf_rds_username)) 39 | external_routing_api_database_password: ((terraform_outputs.cf_rds_password)) 40 | 41 | challenge_bucket: ((terraform_outputs.challenge_bucket)) 42 | tcp_lb_listener_ports: ((terraform_outputs.tcp_lb_listener_ports)) 43 | 
-------------------------------------------------------------------------------- /cf-secrets-example.external.yml: -------------------------------------------------------------------------------- 1 | # External secrets that are not easily rotated 2 | 3 | properties: 4 | cc: 5 | newrelic: 6 | license_key: NEWRELIC_LICENSE_KEY 7 | # README: https://github.com/cloudfoundry/cloud_controller_ng/issues/465 8 | # Cannot be rotated once set. 9 | db_encryption_key: 10 | ccdb: 11 | db_scheme: postgres 12 | roles: 13 | - tag: 14 | name: CCDB_DB_USER 15 | password: CCDB_DB_PASSWORD 16 | databases: 17 | - tag: 18 | name: CCDB_DB_NAME 19 | address: CCDB_DB_HOST 20 | port: 21 | collector: 22 | newrelic_insights: 23 | api_key: 24 | app_id: 25 | newrelic_plugin: 26 | license_key: new_relic_license_key 27 | collectd: 28 | riemann_server: RIEMANN_SERVER_IP 29 | uaadb: 30 | db_scheme: postgresql 31 | roles: 32 | - tag: 33 | name: 34 | password: 35 | databases: 36 | - tag: 37 | name 38 | address: 39 | port: 40 | login: 41 | smtp: 42 | host: 43 | password: 44 | from_address: 45 | port: 46 | user: 47 | saml: 48 | signatureAlgorithm: SHA256 49 | serviceProviderKey: |+ 50 | -----BEGIN RSA PRIVATE KEY----- 51 | -----END RSA PRIVATE KEY----- 52 | serviceProviderKeyPassword: 53 | serviceProviderCertificate: |+ 54 | -----BEGIN CERTIFICATE----- 55 | -----END CERTIFICATE----- 56 | providers: 57 | 58 | uaa: 59 | clients: 60 | kibana_oauth2_client: 61 | secret: 62 | influxdb-firehose-nozzle: 63 | secret: 64 | sandbox-bot: 65 | secret: 66 | uaa-token-audit: 67 | secret: 68 | uaa_extras_app: 69 | secret: 70 | logsearch_firehose_ingestor: 71 | secret: 72 | dashboard: 73 | secret: 74 | buildpack-notifier: 75 | secret: 76 | kubernetes-client: 77 | secret: 78 | cloud-gov-community: 79 | secret: 80 | concourse-broker: 81 | secret: 82 | uaaproxy: 83 | secret: 84 | firehose_exporter: 85 | secret: 86 | newrelic: 87 | production: 88 | app_name: 89 | error_collector: 90 | ignore_errors: 
akka.actor.ActorKilledException 91 | license_key: new_relic_license_key 92 | scim: 93 | users: 94 | - name: logsearch-firehose-ingestor 95 | password: 96 | groups: 97 | - cloud_controller.admin 98 | - doppler.firehose 99 | nessus-agent: 100 | this-has-moved: to-runtime-config 101 | but-the-manifest: wants-something-to-merge 102 | -------------------------------------------------------------------------------- /cf-secrets-example.main.yml: -------------------------------------------------------------------------------- 1 | # The following line helps maintain current documentation at http://docs.cloudfoundry.org. 2 | # code_snippet cf-stub-aws start 3 | --- 4 | director_uuid: DIRECTOR_ID 5 | meta: 6 | environment: DEPLOYMENT_NAME 7 | 8 | releases: 9 | - name: cf 10 | version: latest 11 | 12 | resource_key: (( meta.environment )) 13 | app_domains: 14 | - APP_DOMAIN 15 | service_domain: mypaas.com 16 | zones: 17 | z1: us-gov-west-1a 18 | z2: us-gov-west-1b 19 | elbs: 20 | - cfrouter 21 | default_env: 22 | # Default vcap & root password on deployed VMs (ie c1oudc0w) 23 | bosh: 24 | password: xxx 25 | aws: 26 | key_name: ~ 27 | 28 | networks: 29 | - name: cf1 30 | subnets: 31 | - cloud_properties: 32 | subnet: SUBNET1_ID 33 | security_groups: 34 | - SECURITY_GROUP 35 | static: 36 | - 10.0.10.65 - 10.0.10.100 37 | range: 10.0.10.100/26 38 | gateway: 10.0.10.1 39 | reserved: 40 | - RESERVED_IP 41 | dns: 42 | - DNS_IP 43 | - name: cf2 44 | subnets: 45 | - cloud_properties: 46 | subnet: SUBNET2_ID 47 | security_groups: 48 | - SECURITY_GROUP 49 | static: 50 | - 10.0.11.65 - 10.0.11.100 51 | range: 10.0.11.100/26 52 | gateway: 10.0.10.1 53 | reserved: 54 | - RESERVED_IP 55 | dns: 56 | - DNS_IP 57 | 58 | properties: 59 | app_ssh: 60 | host_key_fingerprint: DIEGO-SSH-FINGERPRINT 61 | oauth_client_id: ssh-proxy 62 | ssl: 63 | skip_cert_verify: false 64 | 65 | consul: 66 | encrypt_keys: 67 | - RANDOM-SECRET-KEY 68 | ca_cert: | 69 | -----BEGIN CERTIFICATE----- 70 | -----END 
CERTIFICATE----- 71 | agent_cert: | 72 | -----BEGIN CERTIFICATE----- 73 | -----END CERTIFICATE----- 74 | agent_key: | 75 | -----BEGIN RSA PRIVATE KEY----- 76 | -----END RSA PRIVATE KEY----- 77 | server_cert: | 78 | -----BEGIN CERTIFICATE----- 79 | -----END CERTIFICATE----- 80 | server_key: | 81 | -----BEGIN RSA PRIVATE KEY----- 82 | -----END RSA PRIVATE KEY----- 83 | cc: 84 | mutual_tls: 85 | ca_cert: |- 86 | -----BEGIN CERTIFICATE----- 87 | -----END CERTIFICATE----- 88 | public_cert: |- 89 | -----BEGIN CERTIFICATE----- 90 | -----END CERTIFICATE----- 91 | private_key: |- 92 | -----BEGIN RSA PRIVATE KEY----- 93 | -----END RSA PRIVATE KEY----- 94 | min_cli_version: 6.22.2 95 | default_to_diego_backend: true 96 | users_can_select_backend: false 97 | diego: 98 | staging: optional 99 | running: disabled 100 | droplets: 101 | droplet_directory_key: DROPLET_DIR_KEY 102 | buildpacks: 103 | buildpack_directory_key: BUILDPACK_DIR_KEY 104 | staging_upload_user: STAGING_UPLOADER 105 | staging_upload_password: STAGING_UPLOAD_PASSWORD 106 | bulk_api_password: BULK_API_PASSWORD 107 | <<: ( merge ) 108 | 109 | domain: DOMAIN 110 | nats: 111 | user: NATS_USER 112 | password: NATS_PASSWORD 113 | router: 114 | route_services_secret: ROUTE_SERVICES_SECRET 115 | status: 116 | user: ROUTER_USER 117 | password: ROUTER_PASSWORD 118 | template_only: 119 | aws: 120 | availability_zone: us-gov-west-1a 121 | availability_zone2: us-gov-west-1b 122 | region: us-gov-west-1 123 | uaa: 124 | ca_cert: |- 125 | -----BEGIN CERTIFICATE----- 126 | -----END CERTIFICATE----- 127 | sslCertificate: |- 128 | -----BEGIN CERTIFICATE----- 129 | -----END CERTIFICATE----- 130 | sslPrivateKey: |- 131 | -----BEGIN RSA PRIVATE KEY----- 132 | -----END RSA PRIVATE KEY----- 133 | admin: 134 | client_secret: 135 | cc: 136 | client_secret: 137 | clients: 138 | cc_routing: 139 | secret: 140 | cloud_controller_username_lookup: 141 | secret: 142 | # if you change this, change logregator.uaa.client_secret as well 143 | 
doppler: 144 | secret: DOPPLER_SECRET 145 | gorouter: 146 | secret: 147 | tcp_emitter: 148 | secret: tcp_emitter_client_secret 149 | tcp_router: 150 | secret: 151 | login: 152 | secret: 153 | notifications: 154 | secret: 155 | <<: (( merge )) 156 | jwt: 157 | signing_key: | 158 | -----BEGIN RSA PRIVATE KEY----- 159 | -----END RSA PRIVATE KEY----- 160 | verification_key: | 161 | -----BEGIN PUBLIC KEY----- 162 | -----END PUBLIC KEY----- 163 | scim: 164 | groups: 165 | admin_ui.user: "Admin UI users" 166 | admin_ui.admin: "Admin UI admins" 167 | users: 168 | - name: admin 169 | password: admin-password 170 | groups: 171 | - scim.write 172 | - openid 173 | - scim.read 174 | - cloud_controller.admin 175 | - doppler.firehose 176 | - name: services 177 | password: services-password 178 | groups: 179 | - scim.write 180 | - openid 181 | - scim.read 182 | - cloud_controller.admin 183 | - name: sys-tester 184 | password: sys-tester-password 185 | groups: 186 | - scim.write 187 | - openid 188 | - scim.read 189 | - cloud_controller.admin 190 | - doppler.firehose 191 | - name: user-tester 192 | password: user_tester_password 193 | groups: 194 | - openid 195 | - <<: (( merge )) 196 | 197 | loggregator: 198 | uaa: 199 | # this is the client secret for the "doppler" client 200 | client_secret: DOPPLER_SECRET 201 | tls: 202 | ca_cert: |- 203 | -----BEGIN CERTIFICATE----- 204 | -----END CERTIFICATE----- 205 | doppler: 206 | cert: |- 207 | -----BEGIN CERTIFICATE----- 208 | -----END CERTIFICATE----- 209 | key: |- 210 | -----BEGIN RSA PRIVATE KEY----- 211 | -----END RSA PRIVATE KEY----- 212 | metron: 213 | cert: |- 214 | -----BEGIN CERTIFICATE----- 215 | -----END CERTIFICATE----- 216 | key: |- 217 | -----BEGIN RSA PRIVATE KEY----- 218 | -----END RSA PRIVATE KEY----- 219 | trafficcontroller: 220 | cert: |- 221 | -----BEGIN CERTIFICATE----- 222 | -----END CERTIFICATE----- 223 | key: |- 224 | -----BEGIN RSA PRIVATE KEY----- 225 | -----END RSA PRIVATE KEY----- 226 | statsd_injector: 227 | 
cert: |- 228 | -----BEGIN CERTIFICATE----- 229 | -----END CERTIFICATE----- 230 | key: |- 231 | -----BEGIN RSA PRIVATE KEY----- 232 | -----END RSA PRIVATE KEY----- 233 | syslogdrainbinder: 234 | cert: |- 235 | -----BEGIN CERTIFICATE----- 236 | -----END CERTIFICATE----- 237 | key: |- 238 | -----BEGIN RSA PRIVATE KEY----- 239 | -----END RSA PRIVATE KEY----- 240 | loggregator_endpoint: 241 | shared_secret: loggregator_shared_secret 242 | login: 243 | branding: 244 | product_logo: "BASE64_ENCODED_IMAGE" 245 | square_logo: "BASE64_ENCODED_SQUARE_IMAGE" 246 | company_name: cloud.gov 247 | footer_legal_text: "' '" 248 | uaa_certificate: | 249 | -----BEGIN CERTIFICATE----- 250 | -----END CERTIFICATE----- 251 | 252 | acceptance_tests: 253 | api: (( "api." domain )) 254 | apps_domain: APP_DOMAIN 255 | admin_user: sys-tester 256 | admin_password: sys-tester-password 257 | backend: diego 258 | skip_ssl_validation: true 259 | system_domain: (( domain )) 260 | oauth_password: tcp_emitter_client_secret 261 | include_diego_ssh: true 262 | include_route_services: true 263 | include_routing_api: true 264 | include_v3: false 265 | include_tasks: false 266 | # include_sso: true 267 | nodes: 2 268 | existing_user: user-tester 269 | existing_user_password: user_tester_password 270 | include_sso: false 271 | skip_regex: 'dotnet\-core|transparently\sproxies\sboth\sreserved\scharacters\sand\sunsafe\scharacters' 272 | 273 | smoke_tests: 274 | api: (( "api." 
domain )) 275 | apps_domain: APP_DOMAIN 276 | backend: diego 277 | user: sys-tester 278 | password: sys-tester-password 279 | org: test 280 | space: test 281 | ginkgo_opts: ~ 282 | skip_ssl_validation: true 283 | 284 | <<: ( merge ) 285 | -------------------------------------------------------------------------------- /ci/acceptance-tests-config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat > integration-config/integration_config.json < diego-cell_raw.yml 20 | 21 | 22 | ## Loop through and create a single iso seg ops file, intermediate files aren't deleted for debugging 23 | 24 | for iso_seg_name in $ISO_SEG_NAMES; do 25 | 26 | echo "Creating isolation segment ${iso_seg_name}"... 27 | 28 | ## Create ops file header - Always start with the instance group declaration 29 | cat > diego-cell-iso-seg-${iso_seg_name}-header.yml < sed1.yml 39 | sed "s/iptables-tenant/iptables-iso-seg-${iso_seg_name}/" sed1.yml > sed2.yml 40 | sed "s/cni_config_tenant/cni_config_iso-seg-${iso_seg_name}/" sed2.yml > sed3.yml 41 | sed "s/vpa-tenant/vpa-iso-seg-${iso_seg_name}/" sed3.yml > sed4.yml 42 | sed 's/^/ /' sed4.yml > diego-cell_indented-iso-seg-${iso_seg_name}.yml 43 | 44 | ## Create ops file footer - All the "replace" that can only be run once the instance group exists (order matters) 45 | cat > diego-cell-iso-seg-${iso_seg_name}-footer.yml < diego-cell-iso-seg-${iso_seg_name}.yml 75 | 76 | ## Merge this iso-seg into one file which will have all of them at the end of the loop 77 | cat diego-cell-iso-seg-${iso_seg_name}.yml >> diego-cell-iso-seg.yml 78 | done 79 | 80 | ## Either return the iso-seg file or a comment only file so "bosh deploy" will work in the main pipeline 81 | if [ -n "$ISO_SEG_NAMES" ]; then 82 | echo "Returing iso seg ops file for ${ISO_SEG_NAMES}..." 83 | cp diego-cell-iso-seg.yml diego-cell-iso-seg/diego-cell-iso-seg.yml 84 | else 85 | echo "Returing blank iso seg ops file..." 
86 | cat > diego-cell-iso-seg/diego-cell-iso-seg.yml << EOF 87 | # Intentionally left blank 88 | EOF 89 | fi 90 | 91 | echo "Final iso seg ops file written to diego-cell-iso-seg/diego-cell-iso-seg.yml" 92 | ## return: diego-cell-iso-seg/diego-cell-iso-seg.yml -------------------------------------------------------------------------------- /ci/create-diego-cell-iso-seg.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | inputs: 4 | - name: cf-deployment 5 | - name: cf-manifests 6 | outputs: 7 | - name: diego-cell-iso-seg 8 | 9 | run: 10 | path: cf-manifests/ci/create-diego-cell-iso-seg.sh 11 | -------------------------------------------------------------------------------- /ci/create-diego-platform-cell.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eux 4 | 5 | ## Extract current base configuration for the diego-cell instance group from upstream and apply custom ops files 6 | ## NOTE: These ops files can only contain remove/replace for the diego-cell instance group for this to work in the future 7 | bosh int \ 8 | cf-deployment/cf-deployment.yml \ 9 | -o cf-manifests/bosh/opsfiles/log-levels-diego-cell.yml \ 10 | -o cf-manifests/bosh/opsfiles/diego-cell-consumes-provides.yml \ 11 | -o cf-manifests/bosh/opsfiles/diego-cell-disk.yml \ 12 | -o cf-manifests/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml \ 13 | -o cf-manifests/bosh/opsfiles/diego-rds-certs-diego-cell.yml \ 14 | -o cf-manifests/bosh/opsfiles/diego-cpu-entitlement-diego-cell.yml \ 15 | --path /instance_groups/name=diego-cell > diego-cell_raw.yml 16 | 17 | ## Create ops file header 18 | cat > diego-platform-cell.yml < sed1.yml 26 | sed 's/iptables-tenant/iptables-platform/' sed1.yml > sed2.yml 27 | sed 's/cni_config_tenant/cni_config_platform/' sed2.yml > sed3.yml 28 | sed 's/vpa-tenant/vpa-platform/' sed3.yml > sed4.yml 29 | sed 's/^/ /' sed4.yml > 
diego-platform-cell_indented.yml 30 | 31 | ## Append the platform-diego-cell yaml to the ops file header 32 | cat diego-platform-cell_indented.yml >> diego-platform-cell.yml 33 | cp diego-platform-cell.yml diego-platform-cell/diego-platform-cell.yml 34 | 35 | ## return: diego-platform-cell/diego-platform-cell.yml -------------------------------------------------------------------------------- /ci/create-diego-platform-cell.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | inputs: 4 | - name: cf-deployment 5 | - name: cf-manifests 6 | outputs: 7 | - name: diego-platform-cell 8 | 9 | run: 10 | path: cf-manifests/ci/create-diego-platform-cell.sh 11 | 12 | 13 | -------------------------------------------------------------------------------- /ci/create-router-logstash.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eux 4 | 5 | ## Extract current base configuration for the router instance group from upstream 6 | bosh int cf-deployment/cf-deployment.yml --path /instance_groups/name=router > router_raw.yml 7 | 8 | ## Create ops file header 9 | cat > router_logstash.yml < router_name.yml 17 | sed 's/^/ /' router_name.yml > router_indented.yml 18 | 19 | 20 | ## Append the router yaml to the ops file header 21 | cat router_indented.yml >> router_logstash.yml 22 | cp router_logstash.yml router-logstash/router_logstash.yml 23 | 24 | ## return: router-logstash/router_logstash.yml 25 | -------------------------------------------------------------------------------- /ci/create-router-logstash.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | inputs: 4 | - name: cf-deployment 5 | - name: cf-manifests 6 | outputs: 7 | - name: router-logstash 8 | 9 | run: 10 | path: cf-manifests/ci/create-router-logstash.sh 11 | 12 | 
-------------------------------------------------------------------------------- /ci/create-router-main.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eux 4 | 5 | ## Extract current base configuration for the router instance group from upstream 6 | bosh int cf-deployment/cf-deployment.yml --path /instance_groups/name=router > router_raw.yml 7 | 8 | ## Create ops file header 9 | cat > router_main.yml < router_name.yml 17 | sed 's/^/ /' router_name.yml > router_indented.yml 18 | 19 | 20 | ## Append the router yaml to the ops file header 21 | cat router_indented.yml >> router_main.yml 22 | cp router_main.yml router-main/router_main.yml 23 | 24 | ## return: router-main/router_main.yml 25 | -------------------------------------------------------------------------------- /ci/create-router-main.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | inputs: 4 | - name: cf-deployment 5 | - name: cf-manifests 6 | outputs: 7 | - name: router-main 8 | 9 | run: 10 | path: cf-manifests/ci/create-router-main.sh 11 | 12 | -------------------------------------------------------------------------------- /ci/enable-cf-features.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -exu 2 | 3 | function set_enabled_feature_flags() { 4 | if [ ! -z "${ENABLED_FEATURE_FLAGS}" ]; then 5 | for flag in $ENABLED_FEATURE_FLAGS; do 6 | set_feature_flag "$flag" true 7 | done 8 | fi 9 | } 10 | 11 | function set_disabled_feature_flags() { 12 | if [ ! 
-z "${DISABLED_FEATURE_FLAGS}" ]; then 13 | for flag in $DISABLED_FEATURE_FLAGS; do 14 | set_feature_flag "$flag" false 15 | done 16 | fi 17 | } 18 | 19 | function set_feature_flag() { 20 | if [ $2 == true ]; then 21 | cf enable-feature-flag "$1" 22 | else 23 | cf disable-feature-flag "$1" 24 | fi 25 | } 26 | 27 | function main() { 28 | cf api "${CF_API_URL}" 29 | (set +x; cf auth "${CF_USERNAME}" "${CF_PASSWORD}") 30 | 31 | set_enabled_feature_flags 32 | set_disabled_feature_flags 33 | cf feature-flags 34 | } 35 | 36 | main 37 | -------------------------------------------------------------------------------- /ci/enable-cf-features.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | inputs: 5 | - name: cf-manifests 6 | 7 | run: 8 | path: cf-manifests/ci/enable-cf-features.sh 9 | -------------------------------------------------------------------------------- /ci/terraform-secrets.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | bosh interpolate \ 4 | cf-manifests/bosh/varsfiles/terraform.yml \ 5 | -l terraform-yaml/state.yml \ 6 | > terraform-secrets/terraform.yml 7 | -------------------------------------------------------------------------------- /ci/terraform-secrets.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | inputs: 5 | - name: cf-manifests 6 | - name: terraform-yaml 7 | outputs: 8 | - name: terraform-secrets 9 | 10 | run: 11 | path: cf-manifests/ci/terraform-secrets.sh 12 | -------------------------------------------------------------------------------- /ci/test-headers/.cfignore: -------------------------------------------------------------------------------- 1 | # YAML property files 2 | cf-secrets.yml 3 | secrets.yml 4 | cf-secrets-staging.yml 5 | manifest-staging.yml 6 | manifest-staging.yml-- 7 | credentials.yml 8 | credentials.dev.yml 9 | 10 | # Mac 
files 11 | .DS_Store 12 | 13 | # Eclipse files 14 | .project 15 | 16 | # Temporary directory 17 | tmp/ 18 | 19 | # Certs 20 | 21 | *-certs 22 | jwt_* 23 | 24 | # python 25 | .venv 26 | __pycache__ 27 | 28 | # Other 29 | README 30 | *.sh 31 | test-* 32 | README.md 33 | -------------------------------------------------------------------------------- /ci/test-headers/README.md: -------------------------------------------------------------------------------- 1 | test-headers 2 | =========== 3 | 4 | An app and test suite to validate secureproxy is correctly setting default headers 5 | and honoring upstream headers 6 | 7 | ## Background 8 | 9 | Tests will be deployed by [cg-deploy-cf's ci pipeline](../ci/pipeline.yml) and they are defined in [cg-deploy-cf's ci test-headers](./README.md). 10 | 11 | 12 | ## Setup 13 | 14 | A test org and space are created in the `deploy-test-env` script 15 | 16 | Tests are defined in a test matrix file by the endpoint, HTTP status code, and an optional HTTP response. 17 | -------------------------------------------------------------------------------- /ci/test-headers/clean.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | set -e 4 | 5 | ORG=$CF_ORG 6 | DOMAIN=$CF_APP_DOMAIN 7 | SPACE="header-tests" 8 | APP_NAME="test-headers" 9 | 10 | 11 | ## CF Auth 12 | cf api "${CF_API_URL}" 13 | (set +x; cf auth "${CF_USERNAME}" "${CF_PASSWORD}") 14 | 15 | ## Delete apps 16 | 17 | # Change to target space 18 | cf target -o $ORG -s $SPACE 19 | 20 | # Delete app 21 | cf delete $APP_NAME -f 22 | 23 | ## Delete spaces 24 | cf delete-space $SPACE -o $ORG -f 25 | 26 | ## Delete org 27 | cf delete-org $ORG -f 28 | -------------------------------------------------------------------------------- /ci/test-headers/deploy-env.sh: -------------------------------------------------------------------------------- 1 | #! 
/bin/bash 2 | 3 | set -e 4 | 5 | ORG=$CF_ORG 6 | QUOTA=$CF_QUOTA 7 | DOMAIN=$CF_APP_DOMAIN 8 | SPACE="header-tests" 9 | ASG_TRUSTED_LOCAL_NETWORKS_INTERNAL_EGRESS="trusted_local_networks_egress" 10 | ASG_PUBLIC_NETWORKS_EGRESS="public_networks_egress" 11 | ASG_DNS_EGRESS="dns_egress" 12 | 13 | # CF Auth 14 | cf api "${CF_API_URL}" 15 | (set +x; cf auth "${CF_USERNAME}" "${CF_PASSWORD}") 16 | 17 | # Function for waiting on a service instance to finish being processed. 18 | wait_for_service_instance() { 19 | local service_name=$1 20 | local guid=$(cf service --guid $service_name) 21 | local status=$(cf curl /v3/service_instances/${guid} | jq -r '.last_operation.state') 22 | 23 | while [ "$status" == "in progress" ]; do 24 | sleep 60 25 | status=$(cf curl /v3/service_instances/${guid} | jq -r '.last_operation.state') 26 | done 27 | } 28 | 29 | # Go into test directory 30 | pushd cf-manifests/ci/test-headers 31 | 32 | ## Create org 33 | 34 | cf create-org $ORG 35 | 36 | ## Assign a quota 37 | 38 | cf set-org-quota $ORG $QUOTA 39 | 40 | ## Create spaces 41 | 42 | cf create-space $SPACE -o $ORG 43 | 44 | ## Apply security groups 45 | 46 | ### Bind to open egress space 47 | cf bind-security-group $ASG_TRUSTED_LOCAL_NETWORKS_INTERNAL_EGRESS $ORG --space $SPACE 48 | cf bind-security-group $ASG_PUBLIC_NETWORKS_EGRESS $ORG --space $SPACE 49 | cf bind-security-group $ASG_DNS_EGRESS $ORG --space $SPACE 50 | 51 | ## Push app 52 | 53 | # target the correct space 54 | cf target -o $ORG -s $SPACE 55 | 56 | # push the app 57 | cf push test-headers \ 58 | --no-manifest \ 59 | -b python_buildpack \ 60 | -c "uvicorn main:app --port 8080 --host 0.0.0.0" \ 61 | -m "128MB" \ 62 | -k "512MB" 63 | -------------------------------------------------------------------------------- /ci/test-headers/main.py: -------------------------------------------------------------------------------- 1 | """ 2 | ok, this app is kinda doing two things: 3 | - it serves well-known requests at well-known 
endpoints 4 | - it looks for those well-known requests and returns responses based on them 5 | """ 6 | from fastapi import FastAPI, Response, status 7 | import requests 8 | from cfenv import AppEnv 9 | 10 | app_env = AppEnv() 11 | 12 | HOSTNAME = app_env.uris[0] 13 | 14 | HSTS = "strict-transport-security" 15 | FRAME_OPTIONS = "x-frame-options" 16 | CONTENT_TYPE_OPTIONS = "x-content-type-options" 17 | XSS_PROTECTION = "x-xss-protection" 18 | CONTENT_TYPE = "content-type" 19 | 20 | DEFAULTS = { 21 | HSTS: "max-age=31536000", 22 | FRAME_OPTIONS: "DENY", 23 | CONTENT_TYPE_OPTIONS: "nosniff", 24 | XSS_PROTECTION: "1; mode=block", 25 | CONTENT_TYPE: "text/plain; charset=utf-8", 26 | } 27 | OVERRIDDEN = {name: f"{default}; semaphore" for name, default in DEFAULTS.items()} 28 | 29 | 30 | app = FastAPI() 31 | 32 | 33 | @app.get("/test") 34 | def read_root(): 35 | return "Success" 36 | 37 | 38 | @app.get("/test-defaults") 39 | def get_test_custom_hsts(response: Response): 40 | api_endpoint = f"https://{HOSTNAME}/test" 41 | r = requests.get(api_endpoint) 42 | errors = dict() 43 | for name, expected in DEFAULTS.items(): 44 | if r.headers[name] != expected: 45 | errors[name] = dict(expected=expected, actual=r.headers[name]) 46 | if errors: 47 | response.status_code = status.HTTP_500_CREATED 48 | return errors 49 | return "Success" 50 | 51 | 52 | @app.get("/custom-headers-semaphores") 53 | def get_custom_headers_semaphores(response: Response): 54 | for name, expected in OVERRIDDEN.items(): 55 | response.headers[name] = expected 56 | return "Success" 57 | 58 | 59 | @app.get("/test-custom-headers-semaphores") 60 | def get_test_custom_hsts(response: Response): 61 | api_endpoint = f"https://{HOSTNAME}/custom-headers-semaphores" 62 | r = requests.get(api_endpoint) 63 | errors = dict() 64 | for name, expected in OVERRIDDEN.items(): 65 | if r.headers[name] != expected: 66 | errors[name] = dict(expected=expected, actual=r.headers[name]) 67 | if errors: 68 | response.status_code = 
status.HTTP_500_CREATED 69 | return errors 70 | return "Success" 71 | 72 | 73 | @app.get("/frame-options-allowall") 74 | def get_frame_options_allowall(response: Response): 75 | response.headers[FRAME_OPTIONS] = "ALLOWALL" 76 | return "Success" 77 | 78 | 79 | @app.get("/test-frame-options-allowall") 80 | def get_test_custom_hsts(response: Response): 81 | """ 82 | secureproxy maps 'ALLOWALL' to empty string in frame options 83 | which means the header should not be set 84 | """ 85 | api_endpoint = f"https://{HOSTNAME}/frame-options-allowall" 86 | r = requests.get(api_endpoint) 87 | if FRAME_OPTIONS in r.headers: 88 | response.status_code = status.HTTP_500_CREATED 89 | return dict(expected="not-the-default", actual=r.headers[FRAME_OPTIONS]) 90 | return "Success" 91 | 92 | 93 | @app.get("/frame-options-allowall") 94 | def get_frame_options_allowall(response: Response): 95 | response.headers[FRAME_OPTIONS] = "ALLOWALL" 96 | return "Success" 97 | 98 | 99 | @app.get("/test-frame-options-allowall") 100 | def get_test_custom_hsts(response: Response): 101 | """ 102 | secureproxy maps 'ALLOWALL' to empty string in frame options 103 | which means the header should not be set 104 | """ 105 | api_endpoint = f"https://{HOSTNAME}/frame-options-allowall" 106 | r = requests.get(api_endpoint) 107 | if FRAME_OPTIONS in r.headers: 108 | response.status_code = status.HTTP_500_CREATED 109 | return dict(expected="not-the-default", actual=r.headers[FRAME_OPTIONS]) 110 | return "Success" 111 | 112 | 113 | 114 | -------------------------------------------------------------------------------- /ci/test-headers/requirements.txt: -------------------------------------------------------------------------------- 1 | fastapi 2 | requests 3 | cfenv 4 | uvicorn -------------------------------------------------------------------------------- /ci/test-headers/run-tests.sh: -------------------------------------------------------------------------------- 1 | #! 
/bin/bash 2 | 3 | set -e 4 | 5 | ORG=$CF_ORG 6 | DOMAIN=$CF_APP_DOMAIN 7 | TEST_MATRIX="./test-matrix" 8 | 9 | # Colors 10 | red='\033[0;31m'; 11 | green='\033[0;32m'; 12 | cyan='\033[0;36m'; 13 | no_color='\033[0m'; 14 | 15 | # Go into test directory 16 | pushd cf-manifests/ci/test-headers 17 | 18 | ## Read test matrix file and run each test per line 19 | 20 | echo -e "\n\n${cyan}Running Header Test Suite${no_color}\n\n" 21 | 22 | while IFS= read -r line; do 23 | 24 | ## Create array of arguments 25 | arg_array=($(echo $line | tr "," "\n")) 26 | 27 | ## Parse arguments 28 | url_path="${arg_array[0]}" 29 | expected_status_code="${arg_array[1]}" 30 | expected_response_body="${arg_array[2]}" 31 | baseurl="https://test-headers.$DOMAIN" 32 | endpoint="$baseurl$url_path" 33 | 34 | ## Curl the endpoint for status code and response body 35 | actual_status_code=$(curl -o /dev/null -s -w "%{http_code}\n" $endpoint) 36 | actual_response_body=$(curl -s $endpoint) 37 | 38 | ## Run status code check 39 | if [ "$actual_status_code" != "$expected_status_code" ]; then 40 | echo "" 41 | echo -e "${red}Failed: Status code check for ${space} at $endpoint${no_color}" 42 | echo -e "${cyan}Expected: $expected_status_code${no_color}" 43 | echo -e "${red}Actual: ${actual_status_code}${no_color}" 44 | echo "" 45 | exit 1 46 | else 47 | echo -e "${green}Success: Status code check for ${space} at $endpoint${no_color}" 48 | fi 49 | 50 | ## Run response body check 51 | if [ "\"\"" != "$expected_response_body" ]; then 52 | if [ "$actual_response_body" != "$expected_response_body" ]; then 53 | echo "" 54 | echo -e "${red}Failed: Response body check for ${space} at $endpoint${no_color}" 55 | echo -e "${cyan}Expected: $expected_response_body${no_color}" 56 | echo -e "${red}Actual: ${actual_response_body}${no_color}" 57 | echo "" 58 | exit 1 59 | 60 | else 61 | echo -e "${green}Success: Response body check for ${space} at $endpoint${no_color}" 62 | fi 63 | fi 64 | done < $TEST_MATRIX 65 | 
-------------------------------------------------------------------------------- /ci/test-headers/runtime.txt: -------------------------------------------------------------------------------- 1 | 3.x 2 | -------------------------------------------------------------------------------- /ci/test-headers/task-clean-test-env.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | inputs: 5 | - name: cf-manifests 6 | 7 | run: 8 | path: cf-manifests/ci/test-headers/clean.sh 9 | -------------------------------------------------------------------------------- /ci/test-headers/task-deploy-test-env.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | inputs: 5 | - name: cf-manifests 6 | 7 | run: 8 | path: cf-manifests/ci/test-headers/deploy-env.sh 9 | -------------------------------------------------------------------------------- /ci/test-headers/task-run-tests.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | inputs: 5 | - name: cf-manifests 6 | 7 | run: 8 | path: cf-manifests/ci/test-headers/run-tests.sh 9 | -------------------------------------------------------------------------------- /ci/test-headers/test-matrix: -------------------------------------------------------------------------------- 1 | /test,200,"Success" 2 | /test-custom-headers-semaphores,200,"Success" 3 | /test-frame-options-allowall,200,"Success" 4 | -------------------------------------------------------------------------------- /ci/test-space-egress/.cfignore: -------------------------------------------------------------------------------- 1 | # YAML property files 2 | cf-secrets.yml 3 | secrets.yml 4 | cf-secrets-staging.yml 5 | manifest-staging.yml 6 | manifest-staging.yml-- 7 | credentials.yml 8 | credentials.dev.yml 9 | 10 | # Mac files 11 | .DS_Store 12 | 13 | # Eclipse files 14 | .project 15 | 
16 | # Temporary directory 17 | tmp/ 18 | 19 | # Certs 20 | 21 | *-certs 22 | jwt_* 23 | 24 | # python 25 | .venv 26 | __pycache__ 27 | 28 | # Other 29 | README 30 | deploy.sh 31 | -------------------------------------------------------------------------------- /ci/test-space-egress/README.md: -------------------------------------------------------------------------------- 1 | test-egress 2 | =========== 3 | 4 | A test suite to verify the app security-group rules are allowing certain egress rules based on the app's space. 5 | The 6 | 7 | ## Background 8 | 9 | Tests will be deployed by [cg-deploy-cf's ci pipeline](../ci/pipeline.yml) and they are defined in [cg-deploy-cf's ci test-egress](./README.md). 10 | 11 | 12 | ## Setup 13 | 14 | ### Space App Security Groups 15 | 16 | Test org and spaces will be defined by [cg-deploy-cf's test-suite terraform](../terraform/) and deployed to each instance of CF with three spaces 17 | - _Org:_ `platform-egress-test` 18 | - _Space:_ `closed-egress` 19 | - _ASG:_ `dns` 20 | - _Space:_ `restricted-egress` 21 | - _ASG:_ `dns` 22 | - _ASG:_ `trusted_local_networks` 23 | - _Space:_ `public-egress` 24 | - _ASG:_ `dns` 25 | - _ASG:_ `trusted_local_networks` 26 | - _ASG:_ `public_networks` 27 | 28 | Tests will be defined in a test matrix file by the space, endpoint, HTTP status code, and an optional HTTP response. 
29 | 30 | ### Test Matrix 31 | 32 | |Space|Endpoint|HTTP STATUS CODE|RESPONSE BODY| 33 | |-----|--------|----------------|-------------| 34 | |`closed-egress`| `/`|`200`|`"Success"`| 35 | |`closed-egress`| `/test-internal-network`|`500`|| 36 | |`closed-egress`| `/test-external-network`|`500`|| 37 | |`restricted-egress`| `/`|`200`|`"Success"`| 38 | |`restricted-egress`| `/test-internal-network`|`200`|`"Success"`| 39 | |`restricted-egress`| `/test-external-network`|`500`|| 40 | |`public-egress`| `/`|`200`|`"Success"`| 41 | |`public-egress`| `/test-internal-network`|`200`|`"Success"`| 42 | |`public-egress`| `/test-external-network`|`200`|`"Success"`| 43 | 44 | 45 | ### Deployment 46 | 47 | ### Runner 48 | -------------------------------------------------------------------------------- /ci/test-space-egress/clean.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | set -e 4 | 5 | ORG=$CF_ORG 6 | DOMAIN=$CF_APP_DOMAIN 7 | SPACE_CLOSED_EGRESS="closed-egress" 8 | SPACE_RESTRICTED_EGRESS="restricted-egress" 9 | SPACE_PUBLIC_EGRESS="public-egress" 10 | 11 | 12 | ## CF Auth 13 | cf api "${CF_API_URL}" 14 | (set +x; cf auth "${CF_USERNAME}" "${CF_PASSWORD}") 15 | 16 | ## Delete apps 17 | 18 | for space in $SPACE_CLOSED_EGRESS $SPACE_RESTRICTED_EGRESS $SPACE_PUBLIC_EGRESS 19 | do 20 | # Change to target space 21 | cf target -o $ORG -s $space 22 | 23 | # Delete app 24 | cf delete $space-app -f 25 | 26 | # Delete app route 27 | cf delete-route $DOMAIN --hostname app-test-$space -f 28 | 29 | # Delete service instance db 30 | cf delete-service $space-db -f 31 | done 32 | 33 | ## Delete spaces 34 | 35 | for space in $SPACE_CLOSED_EGRESS $SPACE_RESTRICTED_EGRESS $SPACE_PUBLIC_EGRESS 36 | do 37 | cf delete-space $space -o $ORG -f 38 | done 39 | 40 | ## Delete org 41 | 42 | cf delete-org $ORG -f 43 | -------------------------------------------------------------------------------- /ci/test-space-egress/deploy-env.sh: 
-------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | set -e 4 | 5 | ORG=$CF_ORG 6 | QUOTA=$CF_QUOTA 7 | DOMAIN=$CF_APP_DOMAIN 8 | SPACE_CLOSED_EGRESS="closed-egress" 9 | SPACE_RESTRICTED_EGRESS="restricted-egress" 10 | SPACE_PUBLIC_EGRESS="public-egress" 11 | ASG_TRUSTED_LOCAL_NETWORKS_INTERNAL_EGRESS="trusted_local_networks_egress" 12 | ASG_PUBLIC_NETWORKS_EGRESS="public_networks_egress" 13 | ASG_DNS_EGRESS="dns_egress" 14 | 15 | # CF Auth 16 | cf api "${CF_API_URL}" 17 | (set +x; cf auth "${CF_USERNAME}" "${CF_PASSWORD}") 18 | 19 | # Function for waiting on a service instance to finish being processed. 20 | wait_for_service_instance() { 21 | local service_name=$1 22 | local guid=$(cf service --guid $service_name) 23 | local status=$(cf curl /v3/service_instances/${guid} | jq -r '.last_operation.state') 24 | 25 | while [ "$status" == "in progress" ]; do 26 | sleep 60 27 | status=$(cf curl /v3/service_instances/${guid} | jq -r '.last_operation.state') 28 | done 29 | } 30 | 31 | # Go into test directory 32 | pushd cf-manifests/ci/test-space-egress 33 | 34 | ## Create org 35 | 36 | cf create-org $ORG 37 | 38 | ## Assign a quota 39 | 40 | cf set-org-quota $ORG $QUOTA 41 | 42 | ## Create spaces 43 | 44 | for space in $SPACE_CLOSED_EGRESS $SPACE_RESTRICTED_EGRESS $SPACE_PUBLIC_EGRESS 45 | do 46 | cf create-space $space -o $ORG 47 | done 48 | 49 | ## Apply security groups 50 | 51 | ### Bind to closed egress space 52 | cf bind-security-group $ASG_TRUSTED_LOCAL_NETWORKS_INTERNAL_EGRESS $ORG --space $SPACE_RESTRICTED_EGRESS 53 | 54 | ### Bind to open egress space 55 | cf bind-security-group $ASG_TRUSTED_LOCAL_NETWORKS_INTERNAL_EGRESS $ORG --space $SPACE_PUBLIC_EGRESS 56 | cf bind-security-group $ASG_PUBLIC_NETWORKS_EGRESS $ORG --space $SPACE_PUBLIC_EGRESS 57 | cf bind-security-group $ASG_DNS_EGRESS $ORG --space $SPACE_PUBLIC_EGRESS 58 | 59 | ## Create databases 60 | 61 | for space in $SPACE_CLOSED_EGRESS 
$SPACE_RESTRICTED_EGRESS $SPACE_PUBLIC_EGRESS 62 | do 63 | # target the correct space 64 | cf target -o $ORG -s $space 65 | 66 | # Create the db service instance 67 | cf create-service -b aws-broker aws-rds micro-psql $space-db 68 | done 69 | 70 | ## Wait for databases to create 71 | 72 | for space in $SPACE_CLOSED_EGRESS $SPACE_RESTRICTED_EGRESS $SPACE_PUBLIC_EGRESS 73 | do 74 | # target the correct space 75 | cf target -o $ORG -s $space 76 | 77 | # Wait for the database 78 | wait_for_service_instance $space-db 79 | done 80 | 81 | ## Push apps 82 | 83 | for space in $SPACE_CLOSED_EGRESS $SPACE_RESTRICTED_EGRESS $SPACE_PUBLIC_EGRESS 84 | do 85 | # target the correct space 86 | cf target -o $ORG -s $space 87 | 88 | # push the app 89 | cf push $space-app \ 90 | --no-manifest \ 91 | -b python_buildpack \ 92 | -c "uvicorn main:app --port 8080 --host 0.0.0.0" \ 93 | -m "128MB" \ 94 | -k "512MB" \ 95 | --no-route 96 | 97 | # map the route 98 | cf map-route $space-app $DOMAIN --hostname app-test-$space 99 | 100 | # bind db 101 | cf bind-service $space-app $space-db 102 | 103 | # restage app 104 | cf restage $space-app 105 | done 106 | -------------------------------------------------------------------------------- /ci/test-space-egress/main.py: -------------------------------------------------------------------------------- 1 | from fastapi import FastAPI, Response, status 2 | import requests 3 | import psycopg2 4 | from cfenv import AppEnv 5 | 6 | 7 | def test_db_connection(): 8 | db = AppEnv().get_service(label="aws-rds") 9 | conn_string = db.credentials["uri"] 10 | conn = psycopg2.connect(conn_string) 11 | cur = conn.cursor() 12 | cur.execute("select count(1);") 13 | result = cur.fetchone() 14 | cur.close() 15 | conn.close() 16 | 17 | return result 18 | 19 | 20 | app = FastAPI() 21 | 22 | 23 | @app.get("/test") 24 | def read_root(): 25 | return "Success" 26 | 27 | 28 | @app.get("/test-external-networks") 29 | def get_external_networks(response: Response): 30 | 
api_endpoint = "https://api.usaspending.gov/api/v2/references/toptier_agencies/?sort=budget_authority_amount&order=desc" 31 | 32 | try: 33 | api_response = requests.get(api_endpoint) 34 | 35 | if api_response.status_code != 200: 36 | raise Exception() 37 | 38 | return "Success" 39 | except Exception as e: 40 | response.status_code = status.HTTP_500_CREATED 41 | return response 42 | 43 | 44 | @app.get("/test-internal-networks") 45 | def get_internal_networks(response: Response): 46 | try: 47 | result = test_db_connection() 48 | 49 | if result[0] != 1: 50 | raise Exception() 51 | 52 | return "Success" 53 | except Exception as e: 54 | response.status_code = status.HTTP_500_CREATED 55 | return response 56 | -------------------------------------------------------------------------------- /ci/test-space-egress/requirements.txt: -------------------------------------------------------------------------------- 1 | argcomplete==1.12.3 2 | asgiref==3.4.1 3 | certifi==2024.7.4 4 | cfenv==0.5.3 5 | charset-normalizer==2.0.4 6 | click==8.0.1 7 | fastapi==0.115.4 8 | furl==2.1.3 9 | h11==0.16.0 10 | idna==3.7 11 | mypy-extensions==0.4.3 12 | orderedmultidict==1.0.1 13 | packaging==21.0 14 | pathspec==0.9.0 15 | platformdirs==2.3.0 16 | protobuf==3.18.3 17 | psycopg2==2.9.1 18 | pydantic==1.10.13 19 | pyparsing==2.4.7 20 | regex==2021.8.28 21 | requests==2.32.2 22 | six==1.16.0 23 | starlette==0.40.0 24 | tomli==1.2.1 25 | typing-extensions==4.8.0 26 | urllib3==1.26.19 27 | userpath==1.7.0 28 | uvicorn==0.15.0 29 | -------------------------------------------------------------------------------- /ci/test-space-egress/run-tests.sh: -------------------------------------------------------------------------------- 1 | #! 
/bin/bash 2 | 3 | set -e 4 | 5 | ORG=$CF_ORG 6 | DOMAIN=$CF_APP_DOMAIN 7 | TEST_MATRIX="./test-matrix" 8 | 9 | # Colors 10 | red='\033[0;31m'; 11 | green='\033[0;32m'; 12 | cyan='\033[0;36m'; 13 | no_color='\033[0m'; 14 | 15 | # Go into test directory 16 | pushd cf-manifests/ci/test-space-egress 17 | 18 | ## Read test matrix file and run each test per line 19 | 20 | echo -e "\n\n${cyan}Running Space Egress Test Suite${no_color}\n\n" 21 | 22 | while IFS= read -r line; do 23 | 24 | ## Create array of arguments 25 | arg_array=($(echo $line | tr "," "\n")) 26 | 27 | ## Parse arguments 28 | space="${arg_array[0]}" 29 | url_path="${arg_array[1]}" 30 | expected_status_code="${arg_array[2]}" 31 | expected_response_body="${arg_array[3]}" 32 | baseurl="https://app-test-$space.$DOMAIN" 33 | endpoint="$baseurl$url_path" 34 | 35 | ## Curl the endpoint for status code and response body 36 | actual_status_code=$(curl -o /dev/null -s -w "%{http_code}\n" $endpoint) 37 | actual_response_body=$(curl -s $endpoint) 38 | 39 | ## Run status code check 40 | if [ "$actual_status_code" != "$expected_status_code" ]; then 41 | echo "" 42 | echo -e "${red}Failed: Status code check for ${space} at $endpoint${no_color}" 43 | echo -e "${cyan}Expected: $expected_status_code${no_color}" 44 | echo -e "${red}Actual: ${actual_status_code}${no_color}" 45 | echo "" 46 | exit 1 47 | else 48 | echo -e "${green}Success: Status code check for ${space} at $endpoint${no_color}" 49 | fi 50 | 51 | ## Run response body check 52 | if [ "\"\"" != "$expected_response_body" ]; then 53 | if [ "$actual_response_body" != "$expected_response_body" ]; then 54 | echo "" 55 | echo -e "${red}Failed: Response body check for ${space} at $endpoint${no_color}" 56 | echo -e "${cyan}Expected: $expected_response_body${no_color}" 57 | echo -e "${red}Actual: ${actual_response_body}${no_color}" 58 | echo "" 59 | exit 1 60 | 61 | else 62 | echo -e "${green}Success: Response body check for ${space} at $endpoint${no_color}" 63 | fi 64 | 
fi 65 | done < $TEST_MATRIX 66 | -------------------------------------------------------------------------------- /ci/test-space-egress/runtime.txt: -------------------------------------------------------------------------------- 1 | 3.10.x 2 | -------------------------------------------------------------------------------- /ci/test-space-egress/task-clean-test-env.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | inputs: 5 | - name: cf-manifests 6 | 7 | run: 8 | path: cf-manifests/ci/test-space-egress/clean.sh 9 | -------------------------------------------------------------------------------- /ci/test-space-egress/task-deploy-test-env.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | inputs: 5 | - name: cf-manifests 6 | 7 | run: 8 | path: cf-manifests/ci/test-space-egress/deploy-env.sh 9 | -------------------------------------------------------------------------------- /ci/test-space-egress/task-run-tests.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | inputs: 5 | - name: cf-manifests 6 | 7 | run: 8 | path: cf-manifests/ci/test-space-egress/run-tests.sh 9 | -------------------------------------------------------------------------------- /ci/test-space-egress/test-matrix: -------------------------------------------------------------------------------- 1 | closed-egress,/test,200,"Success" 2 | closed-egress,/test-internal-networks,500,"" 3 | closed-egress,/test-external-networks,500,"" 4 | restricted-egress,/test,200,"Success" 5 | restricted-egress,/test-internal-networks,200,"Success" 6 | restricted-egress,/test-external-networks,500,"" 7 | public-egress,/test,200,"Success" 8 | public-egress,/test-internal-networks,200,"Success" 9 | public-egress,/test-external-networks,200,"Success" 10 | 
-------------------------------------------------------------------------------- /ci/tic-smoke-tests.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | restricted_payload=$(cat <> "${metrics}" <$last_week))|length") 45 | 46 | echo ${user_count} 47 | } 48 | 49 | metrics=$(mktemp) 50 | value=$(count_users_created_recently) 51 | cat >> "${metrics}" <
