├── .envrc ├── .gitignore ├── .versions ├── CODE_OF_CONDUCT.md ├── README.md ├── bin ├── bootstrap-infrastructure-azure ├── bootstrap-infrastructure-digitalocean ├── bootstrap-infrastructure-google ├── bootstrap-infrastructure-minikube ├── bootstrap-kubernetes-demos ├── bootstrap-system-cert-manager ├── bootstrap-system-cf-broker ├── bootstrap-system-cf-operator ├── bootstrap-system-helm ├── bootstrap-system-k-rail ├── bootstrap-system-knative ├── bootstrap-system-kpack ├── bootstrap-system-kubeapps ├── bootstrap-system-kubecf ├── bootstrap-system-nginx-ingress ├── bootstrap-system-rancher ├── bootstrap-system-rio ├── bootstrap-system-servicecatalog └── bootstrap-system-tekton └── resources ├── eirini ├── cf-domains.sh ├── kwt.sh └── scf │ ├── Chart.yaml │ ├── assets │ ├── cf-deployment.yml │ ├── operations │ │ ├── addons.yaml │ │ ├── certs.yaml │ │ ├── instance_groups │ │ │ ├── adapter.yaml │ │ │ ├── api.yaml │ │ │ ├── bits-service.yaml │ │ │ ├── cc-worker.yaml │ │ │ ├── database.yaml │ │ │ ├── diego-api.yaml │ │ │ ├── diego-cell.yaml │ │ │ ├── doppler.yaml │ │ │ ├── eirini.yaml │ │ │ ├── log-api.yaml │ │ │ ├── nats.yaml │ │ │ ├── router.yaml │ │ │ ├── scheduler.yaml │ │ │ ├── singleton-blobstore.yaml │ │ │ └── uaa.yaml │ │ ├── pre_render_scripts │ │ │ ├── api_binary-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_binary-buildpack_patch_job_mf_sh.yaml │ │ │ ├── api_cc_uploader_patch_pre-start_sh.yaml │ │ │ ├── api_cloud_controller_ng_patch_bpm_sh.yaml │ │ │ ├── api_cloud_controller_ng_patch_post-start_sh.yaml │ │ │ ├── api_cloud_controller_ng_remove_tee_output_to_sys_log_sh.yaml │ │ │ ├── api_dotnet-core-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_dotnet-core-buildpack_patch_job_mf_sh.yaml │ │ │ ├── api_go-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_go-buildpack_patch_job_mf_sh.yaml │ │ │ ├── api_java-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_java-buildpack_patch_job_mf_sh.yaml │ │ │ ├── 
api_nginx-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_nginx-buildpack_patch_job_mf_sh.yaml │ │ │ ├── api_nodejs-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_nodejs-buildpack_patch_job_mf_sh.yaml │ │ │ ├── api_php-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_php-buildpack_patch_job_mf_sh.yaml │ │ │ ├── api_python-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_python-buildpack_patch_job_mf_sh.yaml │ │ │ ├── api_r-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_r-buildpack_patch_job_mf_sh.yaml │ │ │ ├── api_routing-api_patch_bpm_sh.yaml │ │ │ ├── api_ruby-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_ruby-buildpack_patch_job_mf_sh.yaml │ │ │ ├── api_staticfile-buildpack_create_bosh_pre_start_sh.yaml │ │ │ ├── api_staticfile-buildpack_patch_job_mf_sh.yaml │ │ │ ├── bits_bits-service_patch_bits_config_yml_sh.yaml │ │ │ ├── database_mysql_patch_pre-start-setup_sh.yaml │ │ │ ├── diego-api_bbs_patch_bbs_json_sh.yaml │ │ │ ├── diego-cell_cflinuxfs3-rootfs-setup_patch_pre-start_sh.yaml │ │ │ ├── diego-cell_garden_patch_post-start_sh.yaml │ │ │ ├── diego-cell_rep_patch_pre-start_sh.yaml │ │ │ ├── diego-cell_rep_patch_rep_json_sh.yaml │ │ │ ├── eirini_eirini-loggregator-bridge_patch_bpm_sh.yaml │ │ │ ├── eirini_opi_patch_bpm_sh.yaml │ │ │ ├── eirini_opi_patch_opi_yml_sh.yaml │ │ │ ├── singleton-blobstore_blobstore_patch_blobstore_conf_sh.yaml │ │ │ ├── singleton-blobstore_blobstore_patch_blobstore_pre-start_sh.yaml │ │ │ ├── singleton-blobstore_blobstore_patch_job_mf_sh.yaml │ │ │ ├── uaa_uaa_patch_pre-start_sh.yaml │ │ │ └── uaa_uaa_patch_uaa_sh.yaml │ │ ├── set_opensuse_stemcells.yaml │ │ ├── set_release_urls.yaml │ │ ├── set_release_versions.yaml │ │ ├── temporary │ │ │ ├── remove_roles.yaml │ │ │ └── remove_variables.yaml │ │ └── zz-remove-diego-if-eirini.yaml │ └── use-bits-service.yml │ ├── templates │ ├── _helpers.tpl │ ├── bosh_deployment.yaml │ ├── cf_deployment.yaml │ ├── eirini.yaml │ ├── implicit_vars.yaml │ ├── 
ops-use-bits-service.yaml │ ├── ops.yaml │ └── single_availability.yaml │ └── values.yaml └── kpack ├── builder-bionic.yaml └── builder-cflinuxfs3.yaml /.envrc: -------------------------------------------------------------------------------- 1 | export PATH=$PWD/bin:$PATH 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | tmp 2 | state 3 | *serviceaccount*yaml 4 | bin/kn 5 | bin/helm 6 | bin/rio 7 | -------------------------------------------------------------------------------- /.versions: -------------------------------------------------------------------------------- 1 | helm-cli=3.0.3 2 | kubecf=0.2.0 3 | cf-operator-helm-file=cf-operator-v2.0.0-0.g0142d1e9.tgz 4 | knative-serving=0.9.0 5 | knative-istio-major=1.3 6 | kpack=0.0.5 7 | cert-manager=0.13.0 8 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | 3 | ### Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | nationality, personal appearance, race, religion, or sexual identity and 10 | orientation. 
11 | 12 | ### Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ### Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, pull requests, and other 42 | contributions that are not aligned to this Code of Conduct, or to ban 43 | temporarily or permanently any contributor for other behaviors that they deem 44 | inappropriate, threatening, offensive, or harmful. 45 | 46 | ### Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. 
Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ### Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at conduct@starkandwayne.com. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ### Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at [http://contributor-covenant.org/version/1/4][version] 72 | 73 | [homepage]: http://contributor-covenant.org 74 | [version]: http://contributor-covenant.org/version/1/4/ -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Bootstrap Kubernetes and demonstrations 2 | 3 | It is great to have a single tool to bring up a Kubernetes cluster, and install one or more demonstration/development/experimentation systems. 
4 | 5 | New Kubernetes clusters can be provisioned on: 6 | 7 | * Google Kubernetes Engine (GKE) 8 | * Azure Container Service (AKS) 9 | * DigitalOcean Kubernetes 10 | * Minikube 11 | 12 | ## Basic Usage 13 | 14 | ```plain 15 | bootstrap-kubernetes-demos up --google --kubecf 16 | bootstrap-kubernetes-demos up --azure --knative --kpack 17 | bootstrap-kubernetes-demos up --digitalocean --rancher 18 | bootstrap-kubernetes-demos up --minikube --cert-manager 19 | ``` 20 | 21 | Later, to discard the cluster (if it was bootstrapped by this tool): 22 | 23 | ```plain 24 | bootstrap-kubernetes-demos down 25 | ``` 26 | 27 | The initial flags are remembered, so you can subsequently run `up` again and the same system will be rebuilt or upgraded: 28 | 29 | ```plain 30 | bootstrap-kubernetes-demos up 31 | ``` 32 | 33 | ## Installation 34 | 35 | ```plain 36 | git clone --recurse-submodules https://github.com/starkandwayne/bootstrap-kubernetes-demos.git 37 | cd bootstrap-kubernetes-demos 38 | 39 | direnv allow 40 | # or 41 | export PATH=$PWD/bin:$PATH 42 | ``` 43 | 44 | ## Minikube 45 | 46 | First, install [Minikube](https://kubernetes.io/docs/setup/learning-environment/minikube/). 
47 | 48 | To start Minikube, plus additional subsystems: 49 | 50 | ```plain 51 | bootstrap-kubernetes-demos up --minikube 52 | ``` 53 | 54 | ## Google Cloud 55 | 56 | Login to Google Cloud: 57 | 58 | ```plain 59 | gcloud auth login 60 | ``` 61 | 62 | Target a Google Cloud region/zone: 63 | 64 | ```plain 65 | gcloud config set compute/region australia-southeast1 66 | gcloud config set compute/zone australia-southeast1-a 67 | ``` 68 | 69 | To deploy a GKE cluster: 70 | 71 | ```plain 72 | bootstrap-kubernetes-demos up --google 73 | ``` 74 | 75 | ### Google Cloud Configuration 76 | 77 | There are several environment variables that can be set to override defaults: 78 | 79 | ```bash 80 | : ${PROJECT_NAME:=$(gcloud config get-value core/project)} 81 | : ${CLUSTER_REGION:=$(gcloud config get-value compute/region)} 82 | : ${CLUSTER_ZONE:=$(gcloud config get-value compute/zone)} 83 | : ${CLUSTER_NAME:="$(whoami)-dev"} 84 | : ${CLUSTER_VERSION:=latest} 85 | : ${MACHINE_TYPE:=n1-standard-2} 86 | ``` 87 | 88 | ## Azure 89 | 90 | Also supported. Just doesn't have a documentation paragraph. 91 | 92 | ```plain 93 | bootstrap-kubernetes-demos up --azure 94 | ``` 95 | 96 | ## Digital Ocean 97 | 98 | ```plain 99 | bootstrap-kubernetes-demos up --digitalocean 100 | ``` 101 | 102 | The Digital Ocean cluster will install 3 x 2 CPU/2Gb nodes, and will install the nginx-ingress controller. 
103 | 104 | ## Subsystems 105 | 106 | There are many subsystems that can be conveniently deployed after your cluster is set up: 107 | 108 | ```plain 109 | $ bootstrap-kubernetes-demos 110 | Bootstrap Kubernetes and/or subsystems for demonstrations: 111 | up 112 | [--minikube|--local] -- bootstrap Minikube 113 | [--gke|--google] -- bootstrap new Google GKE cluster 114 | [--az|--azure] -- bootstrap new Azure AKE cluster 115 | [--do|--digitalocean] -- bootstrap new Digital Ocean cluster 116 | 117 | [--ingress|--nginx-ingress] -- deploys Nginx Ingress 118 | [--cert-manager] -- deploys cert-manager 119 | [--k-rail|--krail] -- deploys k-rail to enforce policies for end users 120 | [--helm|--tiller] -- deploys secure Helm Tiller (deprecated) 121 | 122 | [--cf|--kubecf|--eirini] -- deploys Cloud Foundry/Eirini 123 | [--cf-operator] -- deploys only CF Operator 124 | [--kpack] -- deploys kpack to build images with buildpacks 125 | [--tekton] -- deploys Tekton CD 126 | [--knative] -- deploys Knative Serving/Eventing/Istio 127 | [--rancher] -- deploys Rancher 128 | [--rio] -- deploys Rancher Rio 129 | [--kubeapp] -- deploys Kubeapps 130 | [--service-catalog|--sc] -- deploys Helm/Service Catalog 131 | [--cf-broker] -- deploys Helm/Service Catalog/Cloud Foundry Service Broker 132 | 133 | down -- destroys cluster, if originally bootstrapped 134 | clean -- cleans up cached state files 135 | ``` 136 | 137 | ## Rancher 138 | 139 | You can install the Rancher management tool into your cluster. It will also install cert-manager, which Rancher depends on. 140 | 141 | ```plain 142 | bootstrap-kubernetes-demos up --digitalocean --rancher 143 | ``` 144 | 145 | Once the Rancher chart is installed, it will print out the URL for Rancher. 146 | 147 | ```plain 148 | ... 149 | Browse to https://rancher.35.230.87.102.xip.io 150 | 151 | Happy Containering! 152 | Waiting for deployment "rancher" rollout to finish: 0 of 3 updated replicas are available... 
153 | Waiting for deployment "rancher" rollout to finish: 1 of 3 updated replicas are available... 154 | Waiting for deployment "rancher" rollout to finish: 2 of 3 updated replicas are available... 155 | deployment "rancher" successfully rolled out 156 | ``` 157 | 158 | NOTE: [rancher/rancher#16213](https://github.com/rancher/rancher/issues/16213) 159 | 160 | Once you've logged into Rancher, the `local` cluster will not "provision". You need to edit and save it, and then the `local` cluster will be available. 161 | 162 | ## k-rail to enforce policies 163 | 164 | > [k-rail](https://github.com/cruise-automation/k-rail) is a workload policy enforcement tool for Kubernetes. It can help you secure a multi tenant cluster with minimal disruption and maximum velocity. 165 | 166 | ```plain 167 | bootstrap-kubernetes-demos up --k-rail 168 | ``` 169 | 170 | To demonstrate the various policies being enforced, there is an example bad deployment that will fail to install: 171 | 172 | ```plain 173 | bootstrap-system-k-rail example 174 | ``` 175 | 176 | ## Helm / Tiller 177 | 178 | **Deprecated** - Helm v3 no longer includes Tiller. There is a `helm3` branch of this repo which will stop installing Tiller. It is blocked on some of the other subsystems still requiring Tiller's install hooks. 179 | 180 | Helm v2 requires an in-cluster component, Tiller. The `bootstrap-kubernetes-demos up --helm` command (and others that depend on Helm for installation) will create Tiller for you. 181 | 182 | It will also secure Tiller with generated TLS certificates (stored in the `state/` folder, and copied into `~/.helm`). 183 | 184 | To use `helm` commands yourself, set the following environment variable to tell `helm` to use TLS: 185 | 186 | ```shell 187 | export HELM_TLS_VERIFY=true 188 | ``` 189 | 190 | Put that in your `.profile` so it applies to all terminal sessions. 
191 | 192 | ## Cloud Foundry / Eirini / Quarks 193 | 194 | To bootstrap GKE and then install Cloud Foundry (with Eirini/Quarks), use the `--cf` flag (or the `--kubecf` or `--eirini` flags). The explicit `--ingress` flag will automatically set up a default `.xip.io` system domain. 195 | 196 | ```plain 197 | bootstrap-kubernetes-demos up --cf 198 | bootstrap-kubernetes-demos up --google --cf 199 | bootstrap-kubernetes-demos up --azure --cf 200 | bootstrap-kubernetes-demos up --digitalocean --cf 201 | ``` 202 | 203 | Your Cloud Foundry Buildpacks will be automatically updated to the latest from GitHub, and each day a cronjob will run to update them again. 204 | 205 | To target and log in: 206 | 207 | ```plain 208 | SYSTEM_DOMAIN=$(kubectl get secret kubecf.var-system-domain -ojsonpath='{.data.value}' | base64 --decode) 209 | ADMIN_PASSWORD=$(kubectl get secret kubecf.var-cf-admin-password -ojsonpath='{.data.password}' | base64 --decode) 210 | 211 | cf login -a https://api.$SYSTEM_DOMAIN --skip-ssl-validation -u admin -p $ADMIN_PASSWORD 212 | ``` 213 | 214 | This is also available via: 215 | 216 | ```plain 217 | bootstrap-system-kubecf login 218 | ``` 219 | 220 | ### Access to KubeCF 221 | 222 | Currently this CF deployment does not set up a public ingress into the Cloud Foundry router. Nor will it ever set up your public DNS to map to your Cloud Foundry ingress/router. 223 | 224 | But fear not. You can run `kwt net start` to proxy any requests from your local machine to CF or to applications running on CF. 
225 | 226 | The [`kwt`](https://github.com/k14s/kwt) CLI can be installed to MacOS with Homebrew: 227 | 228 | ```plain 229 | brew install k14s/tap/kwt 230 | ``` 231 | Install KWT on linux: 232 | 233 | ```plain 234 | wget https://github.com/k14s/kwt/releases/download/v0.0.5/kwt-linux-amd64 235 | chmod +x kwt-linux-amd64 && sudo mv kwt-linux-amd64 /usr/local/bin/kwt 236 | ``` 237 | 238 | 239 | Run the helper script to configure and run `kwt net start` proxy services: 240 | 241 | ```plain 242 | bootstrap-system-kubecf kwt 243 | ``` 244 | 245 | Provide your sudo root password at the prompt. 246 | 247 | The `kwt net start` command launches a new pod `kwt-net` in the `kubecf` namespace, which is used to proxy your traffic into the cluster. 248 | 249 | The `kwt` proxy is ready when the output looks similar to: 250 | 251 | ```plain 252 | ... 253 | 07:17:27AM: info: KubeEntryPoint: Waiting for networking pod 'kwt-net' in namespace 'kubecf' to start... 254 | ... 255 | 07:17:47AM: info: ForwardingProxy: Ready! 256 | ``` 257 | 258 | ### Deploy first app 259 | 260 | In another terminal you can now `cf login` and `cf push` apps: 261 | 262 | ```plain 263 | cf login -a https://api.kubecf.suse.dev --skip-ssl-validation -u admin \ 264 | -p "$(kubectl get secret -n kubecf kubecf.var-cf-admin-password -o json | jq -r .data.password | base64 --decode)" 265 | ``` 266 | 267 | You can now create organizations, spaces, and deploy applications: 268 | 269 | ```plain 270 | cf create-space dev 271 | cf target -s dev 272 | ``` 273 | 274 | Find sample applications at [github.com/cloudfoundry-samples](https://github.com/cloudfoundry-samples). 
275 | 276 | ```plain 277 | git clone https://github.com/cloudfoundry-samples/cf-sample-app-nodejs 278 | cd cf-sample-app-nodejs 279 | cf push 280 | ``` 281 | 282 | Load the application URL into your browser, accept the risks of "insecure" self-signed certificates, and your application will look like: 283 | 284 | ![app](https://cl.ly/9ebcd7a4e4b9/cf-nodejs-app.png) 285 | 286 | ### Install a Service Broker 287 | 288 | Let's install the [World's Simplest Service Broker](https://github.com/cloudfoundry-community/worlds-simplest-service-broker) via Helm, and register it as a service broker in our new Cloud Foundry. 289 | 290 | ```plain 291 | helm repo add starkandwayne https://helm.starkandwayne.com 292 | helm repo update 293 | 294 | helm upgrade --install email starkandwayne/worlds-simplest-service-broker \ 295 | --namespace brokers \ 296 | --wait \ 297 | --set "serviceBroker.class=smtp" \ 298 | --set "serviceBroker.plan=shared" \ 299 | --set "serviceBroker.tags=shared\,email\,smtp" \ 300 | --set "serviceBroker.baseGUID=some-guid" \ 301 | --set "serviceBroker.credentials=\{\"host\":\"mail.authsmtp.com\"\,\"port\":2525\,\"username\":\"ac123456\"\,\"password\":\"special-secret\"\}" 302 | ``` 303 | 304 | When this finishes you can now register it with your Cloud Foundry: 305 | 306 | ```plain 307 | cf create-service-broker email \ 308 | broker broker \ 309 | http://email-worlds-simplest-service-broker.brokers.svc.cluster.local:3000 310 | 311 | cf enable-service-access smtp 312 | ``` 313 | 314 | Note: this URL assumes you installed your broker in to the `--namespace brokers` namespace above. 315 | 316 | The `smtp` service is now available to all users: 317 | 318 | ```plain 319 | $ cf marketplace 320 | Getting services from marketplace in org system / space dev as admin... 
321 | OK 322 | 323 | service plans description broker 324 | smtp shared Shared service for smtp email 325 | 326 | $ cf create-service smtp shared email 327 | $ cf delete-service smtp shared email 328 | ``` 329 | 330 | ### Restart cf-operator 331 | 332 | The `cf-operator` (from the Quarks project) is like a BOSH director for Kubernetes. 333 | 334 | If you need/want to update it then you need to both delete some system webhooks and delete the pod (see discussion in [issue #436](https://github.com/cloudfoundry-incubator/cf-operator/issues/436)). 335 | 336 | There is a `restart` helper you can run to do this: 337 | 338 | ```plain 339 | bootstrap-system-cf-operator restart 340 | ``` 341 | 342 | ## Knative 343 | 344 | ```plain 345 | bootstrap-kubernetes-demos up --knative 346 | ``` 347 | 348 | This will install a small Istio (no mTLS between containers), Knative Serving, and Knative Eventing. Knative Build has been deprecated and is no longer considered to be part of Knative. 349 | 350 | ### Deploy First App 351 | 352 | You can create Knative Services (Applications) using: 353 | 354 | * core team CLI [`kn`](https://github.com/knative/client/) 355 | * community CLI [`knctl`](https://github.com/cppforlife/knctl) 356 | * Create resources of `services.serving.knative.dev` CRD (`ksvc` alias) 357 | 358 | The latest `kn` CLI will be automatically downloaded for you and is used in the examples below. 
359 | 360 | ```plain 361 | kubectl create ns test-app 362 | kn service create \ 363 | sample-app-nodejs \ 364 | --image starkandwayne/sample-app-nodejs:latest \ 365 | --namespace test-app 366 | ``` 367 | 368 | This creates a `ksvc`: 369 | 370 | ```plain 371 | kubectl get ksvc -n test-app 372 | NAME URL LATESTCREATED LATESTREADY READY REASON 373 | sample-app-nodejs http://sample-app-nodejs.test-app.example.com sample-app-nodejs-jrskg-1 sample-app-nodejs-jrskg-1 True 374 | ``` 375 | 376 | To see all the resources created, run: 377 | 378 | ```plain 379 | kubectl get ksvc,rev,rt,cfg -n test-app 380 | ``` 381 | 382 | But how do we access the URL above? 383 | 384 | ### Access / Ingress with kwt 385 | 386 | This Knative deployment does set up a public ingress via Istio, but it does not set up public DNS to map to your ingress IP. Additionally, the URL `http://sample-app-nodejs.test-app.example.com` is not a publicly valid DNS entry (`example.com`). 387 | 388 | But fear not. You can run `kwt net start` to proxy any requests to Knative applications (called Knative Services) in a given namespace. 389 | 390 | The [`kwt`](https://github.com/k14s/kwt) CLI can be installed on macOS with Homebrew: 391 | 392 | ```plain 393 | brew install k14s/tap/kwt 394 | ``` 395 | 396 | Run the helper script to configure and run `kwt net start` proxy services: 397 | 398 | ```plain 399 | bootstrap-system-knative kwt test-app 400 | bootstrap-system-knative kwt default 401 | ``` 402 | 403 | The first argument to `bootstrap-system-knative kwt` is the namespace into which you are deploying your Knative apps. 404 | 405 | Provide your sudo root password at the prompt. 406 | 407 | The `kwt net start` command launches a new pod `kwt-net` in the `kubecf` namespace, which is used to proxy your traffic into the cluster. 408 | 409 | The `kwt` proxy is ready when the output looks similar to: 410 | 411 | ```plain 412 | ... 
413 | 07:17:27AM: info: KubeEntryPoint: Waiting for networking pod 'kwt-net' in namespace 'kubecf' to start... 414 | ... 415 | 07:17:47AM: info: ForwardingProxy: Ready! 416 | ``` 417 | 418 | We can now access the `.test-app.example.com` application URLs: 419 | 420 | ```plain 421 | $ curl http://sample-app-nodejs.test-app.example.com 422 | Hello World! 423 | ``` 424 | 425 | ## Rancher Rio 426 | 427 | [Rancher](https://rancher.com/)'s [Rio](https://rio.io/) is: 428 | 429 | > The MicroPaaS for Kubernetes: Build, test, deploy, scale, and version stateless apps in any Kubernetes cluster. 430 | 431 | ```plain 432 | bootstrap-kubernetes-demos up --rio 433 | ``` 434 | 435 | The output might look similar to: 436 | 437 | ```plain 438 | [INFO] Finding latest release 439 | [INFO] Using v0.5.0 as release 440 | [INFO] Downloading hash https://github.com/rancher/rio/releases/download/v0.5.0/sha256sum-amd64.txt 441 | [INFO] Downloading binary https://github.com/rancher/rio/releases/download/v0.5.0/rio-darwin-amd64 442 | % Total % Received % Xferd Average Speed Time Time Time Current 443 | Dload Upload Total Spent Left Speed 444 | 100 607 0 607 0 0 701 0 --:--:-- --:--:-- --:--:-- 700 445 | 100 72.0M 100 72.0M 0 0 454k 0 0:02:42 0:02:42 --:--:-- 1488k 446 | [INFO] Verifying binary download 447 | [INFO] Installing rio to /Users/drnic/Projects/kubernetes/bootstrap-kubernetes-demos/bin/rio 448 | Deploying Rio control plane.... 449 | rio controller version v0.5.0 (303f3652) installed into namespace rio-system 450 | Detecting if clusterDomain is accessible... 451 | ClusterDomain is reachable. Run `rio info` to get more info. 452 | Controller logs are available from `rio systemlogs` 453 | 454 | Welcome to Rio! 455 | 456 | Run `rio run https://github.com/rancher/rio-demo` as an example 457 | ``` 458 | 459 | The `rio` system will download the latest `rio` CLI into `bin/rio`, and will `rio install` into your Kubernetes cluster. 
460 | 461 | To run the example `rio run` into `default` namespace and view locally with `kwt`: 462 | 463 | ```plain 464 | rio run https://github.com/rancher/rio-demo 465 | ``` 466 | 467 | Now run `kwt net start` for the `default` namespace in another terminal: 468 | 469 | ```plain 470 | sudo -E kwt net start --namespace default 471 | ``` 472 | 473 | To view the `rio-demo` URL: 474 | 475 | ```plain 476 | $ kwt net svc 477 | Services in namespace 'default' 478 | 479 | Name Internal DNS Cluster IP Ports 480 | bold-wright0 bold-wright0.default.svc.cluster.local 10.0.11.198 80/tcp 481 | bold-wright0-metrics bold-wright0-metrics.default.svc.cluster.local 10.0.8.94 9090/tcp 482 | bold-wright0-priv bold-wright0-priv.default.svc.cluster.local 10.0.6.255 80/tcp 483 | bold-wright0-v0 bold-wright0-v0.default.svc.cluster.local 10.0.12.163 80/tcp 484 | kubernetes kubernetes.default.svc.cluster.local 10.0.0.1 443/tcp 485 | ``` 486 | 487 | When the rio app is ready: 488 | 489 | ```plain 490 | $ curl bold-wright0.default.svc.cluster.local 491 | Hi there, I'm running in Rio 492 | ``` 493 | -------------------------------------------------------------------------------- /bin/bootstrap-infrastructure-azure: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Infos 4 | # https://github.com/SUSE/scf/wiki/How-to-Install-SCF#requirements-for-kubernetes 5 | # https://documentation.suse.com/suse-cap/1/html/cap-guides/cha-cap-depl-aks.html 6 | 7 | set -eu 8 | 9 | cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." 
&& pwd )" 10 | 11 | state_dir=state/azure 12 | mkdir -p $state_dir 13 | 14 | _cluster_name() { 15 | [[ -f $state_dir/cluster-name ]] || { 16 | : ${CLUSTER_NAME:="$(whoami)-$(LC_ALL=C tr -dc 'a-z0-9' $state_dir/cluster-name 18 | } 19 | cat $state_dir/cluster-name 20 | } 21 | 22 | _resource_group_name() { 23 | _cluster_name 24 | } 25 | 26 | _setup_env() { 27 | export SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-$(az account show --query '{ subscription_id: id }' -o tsv)}" 28 | export AKS_NAME=$(_cluster_name) 29 | export RG_NAME=$(_resource_group_name) 30 | [[ -z "${CLUSTER_REGION:-}" && -z $(az configure -l | jq -r 'map(select(.name == "location"))[0].value // ""') ]] && { 31 | echo "Please set a default AKS cluster region or provide \$CLUSTER_REGION" 32 | echo "--> az configure --defaults location=westus2" 33 | echo 34 | echo "To see a list of available region locations for AKS:" 35 | echo "--> az aks get-versions -l showme" 36 | exit 1 37 | } 38 | az aks get-versions > /dev/null 39 | export NODE_COUNT=${NODE_COUNT:-3} 40 | 41 | # https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-general 42 | #export NODE_VM_SIZE="Standard_DS4_v2" #this size is recommended by suse 43 | # Standard_A2m_v2 - 2 cpu, 16G ram, 20G temp storage, 20.6c USD in westus2 44 | export NODE_VM_SIZE=${NODE_VM_SIZE:-Standard_A2m_v2} 45 | 46 | export ADMIN_USERNAME=${ADMIN_USERNAME:-bootstrap-admin} 47 | # export NODEPOOL_NAME=${NODEPOOL_NAME:-mypool} 48 | 49 | export K8S_VERSION=${K8S_VERSION:-$(az aks get-versions ${CLUSTER_REGION:+-l "$CLUSTER_REGION"} | jq -r ".orchestrators | last | .orchestratorVersion")} 50 | } 51 | 52 | failfast() { 53 | [[ "$(command -v az)X" != "X" ]] || { 54 | echo "ERROR: missing 'az' CLI from \$PATH" >> $1 55 | } 56 | 57 | [[ -f state/configuration/credhub-base-path ]] && { 58 | CREDHUB_BASE_PATH=$(cat state/configuration/credhub-base-path) 59 | echo "Testing access to Credhub ${CREDHUB_BASE_PATH}..." 
60 | credhub find -n "${CREDHUB_BASE_PATH}" > /dev/null 61 | } 62 | } 63 | 64 | clusterJSON() { 65 | az aks list | jq -r --arg name "$AKS_NAME" '. | map(select(.name == $name))[0]' 66 | } 67 | 68 | clusterProvisioningState() { 69 | clusterJSON | jq -r '.provisioningState // ""' 70 | } 71 | 72 | up() { 73 | _setup_env 74 | 75 | [[ -z "$(clusterProvisioningState)" ]] && { 76 | az account set --subscription "$SUBSCRIPTION_ID" 77 | echo 'Verify that the Microsoft.Network, Microsoft.Storage, Microsoft.Compute, and Microsoft.ContainerService providers are enabled:' 78 | provider_json=$(az provider list -o json) 79 | required_namespaces=(Microsoft.Network Microsoft.Storage Microsoft.Compute Microsoft.ContainerService) 80 | for namespace in "${required_namespaces[@]}"; do 81 | status=$(echo "$provider_json" | jq -r --arg namespace "$namespace" '. | map(select(.namespace == $namespace))[0].registrationState // ""') 82 | echo "--> $namespace: $status" 83 | [[ "${status}" == "Registered" ]] || { 84 | echo " Registering..." 85 | az provider register --namespace "$namespace" 86 | } 87 | done 88 | 89 | echo "Creating Azure Resource Group..." 90 | az group create \ 91 | --name "$RG_NAME" \ 92 | --output table \ 93 | ${CLUSTER_REGION:+--location "$CLUSTER_REGION"} 94 | 95 | echo "Creating AKS cluster..." 
96 | az aks create \ 97 | --resource-group "${RG_NAME}" \ 98 | --name "${AKS_NAME}" \ 99 | --node-count ${NODE_COUNT} \ 100 | --admin-username ${ADMIN_USERNAME} \ 101 | --node-vm-size ${NODE_VM_SIZE} \ 102 | --node-osdisk-size=80 \ 103 | ${NODEPOOL_NAME:+--nodepool-name "$NODEPOOL_NAME"} \ 104 | ${K8S_VERSION:+--kubernetes-version "$K8S_VERSION"} \ 105 | ${DEBUG:+--verbose} \ 106 | ${SSH_KEY_VALUE:+ --ssh-key-value "$SSH_KEY_VALUE"} 107 | } 108 | 109 | az aks wait -g "${RG_NAME}" -n "${AKS_NAME}" --created --interval 2 --timeout 900 110 | 111 | echo "Current AKS clusters:" 112 | az aks list -o table 113 | 114 | [[ "${cfcontainers:-}" == "1" ]] && { 115 | echo "- Update nodes to support cgroup swap accounting..." 116 | MC_RG_NAME=$(az aks show --resource-group "$RG_NAME" --name $AKS_NAME --query nodeResourceGroup --output json | jq -r '.') 117 | VM_NODES=$(az vm list --resource-group "$MC_RG_NAME" --output json | jq -r '.[] | select (.tags.poolName | contains("'$NODEPOOL_NAME'")) | .name') 118 | for i in $VM_NODES 119 | do 120 | az vm run-command invoke --resource-group "$MC_RG_NAME" --name "$i" --command-id RunShellScript --scripts \ 121 | "sudo sed --in-place --regexp-extended 's|^(GRUB_CMDLINE_LINUX_DEFAULT=)\"(.*.)\"|\1\"\2 swapaccount=1\"|' \ 122 | /etc/default/grub.d/50-cloudimg-settings.cfg && sudo update-grub" 123 | az vm restart --resource-group "$MC_RG_NAME" --name "$i" 124 | done 125 | } 126 | 127 | echo "Get credentials..." 128 | az aks get-credentials --resource-group $RG_NAME --name $AKS_NAME 129 | 130 | echo "Current Kubernetes nodes:" 131 | kubectl get nodes 132 | } 133 | 134 | describe() { 135 | _setup_env 136 | az aks list --resource-group $RG_NAME --subscription "$SUBSCRIPTION_ID" 137 | } 138 | 139 | down() { 140 | echo 'Deleting the AKS cluster and resource group....' 
az group delete --name "$(_resource_group_name)" --verbose
}

case "${1:-usage}" in
  failfast)
    shift
    failfast "$@"
    ;;

  up)
    shift
    up
    ;;

  describe)
    shift
    describe
    ;;

  down)
    shift
    down
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-infrastructure-digitalocean:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

# Generates the cluster name once and caches it in state/digitalocean/cluster-name.
_cluster_name() {
  [[ -f state/digitalocean/cluster-name ]] || {
    mkdir -p state/digitalocean
    # NOTE(review): the next line is truncated in this listing — the input to `tr` and the
    # redirect that writes state/digitalocean/cluster-name are missing. Consult the
    # original file before relying on it.
    : ${CLUSTER_NAME:="$(whoami)-$(LC_ALL=C tr -dc 'a-z0-9' state/digitalocean/cluster-name
  }
  cat state/digitalocean/cluster-name
}

# doctl k8s options sizes
NODE_SIZE=${NODE_SIZE:-"s-2vcpu-4gb"}
# Caches the node size on first use so later runs ignore a changed $NODE_SIZE.
_node_size() {
  [[ -f state/digitalocean/node-size ]] || {
    mkdir -p state/digitalocean
    echo "${NODE_SIZE}" > state/digitalocean/node-size
  }
  cat state/digitalocean/node-size
}

CLUSTER_SIZE=${CLUSTER_SIZE:-"3"}
# Same caching pattern for the node count.
_cluster_size() {
  [[ -f state/digitalocean/cluster-size ]] || {
    mkdir -p state/digitalocean
    echo "${CLUSTER_SIZE}" > state/digitalocean/cluster-size
  }
  cat state/digitalocean/cluster-size
}

# Appends missing-prerequisite messages to the errors file passed as $1.
failfast() {
  [[ "$(command -v doctl)X" != "X" ]] || {
    echo "ERROR: missing 'doctl' CLI from \$PATH" >> $1
    echo "---> Please install Digital Ocean CLI from https://github.com/digitalocean/doctl" >> $1
  }
}

# Prints the cluster's status.state, or nothing when doctl did not return an array.
clusterStatus() {
  result=$(doctl kubernetes cluster get "$(_cluster_name)" -o json)
  # valid result is an [] array; an error is a {} object
  [[ "${result:0:1}" == "[" ]] && {
    echo "$result" | jq -r --arg name "$(_cluster_name)" \
      '.
| map(select(.name == $name))[0].status.state // ""'
  }
  # Explicit exit 0 — presumably so the `status` subcommand exits cleanly even when the
  # [[ ]] && block above was skipped (that list would otherwise leave a non-zero status).
  exit 0
}

up() {
  [[ -z "$(clusterStatus)" ]] && {
    echo "Creating Digital Ocean cluster $(_cluster_name)..."
    doctl kubernetes cluster create "$(_cluster_name)" \
      --auto-upgrade \
      --node-pool "name=default;size=$(_node_size);count=$(_cluster_size);auto-scale=true;min-nodes=2;max-nodes=5"
  }

  status=$(clusterStatus)
  [[ "$status" != "running" ]] && { echo "Waiting for cluster $(_cluster_name), current status $status"; }
  # Polls with no upper bound until the cluster reports "running".
  while [[ "$status" != "running" ]]; do
    sleep 5
    status=$(clusterStatus)
  done

  # Writes the cluster's kubeconfig entry into the local kubeconfig.
  doctl kubernetes cluster kubeconfig save "$(_cluster_name)"

  exit 0
}

describe() {
  doctl kubernetes cluster get "$(_cluster_name)"
}

down() {
  [[ -f state/digitalocean/cluster-name ]] || { echo "No record of provisioned cluster."; exit 1; }

  echo "Deleting cluster..."
  doctl kubernetes cluster delete "$(_cluster_name)" --force

  echo "Deleting all load balancers..."
  echo "TODO - only delete load balancers with no droplets"
  # NOTE(review): this deletes EVERY load balancer visible to the current doctl context,
  # not only those belonging to this cluster — only safe in an account dedicated to this demo.
  doctl compute load-balancer list --format ID,DropletIDs | tail -n +2 | awk '{print $1}' | xargs -L1 doctl compute load-balancer delete -f
}


case "${1:-usage}" in
  failfast)
    shift
    failfast "$@"
    ;;

  up)
    shift
    up
    ;;

  describe)
    shift
    describe
    ;;

  status)
    shift
    clusterStatus
    ;;

  down)
    shift
    down
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-infrastructure-google:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.."
&& pwd )"

# Generates the cluster name once and caches it in state/google/cluster-name.
_cluster_name() {
  [[ -f state/google/cluster-name ]] || {
    mkdir -p state/google
    # NOTE(review): the next line is truncated in this listing — the input to `tr` and the
    # redirect that writes state/google/cluster-name are missing. Consult the original file.
    : ${CLUSTER_NAME:="$(whoami)-$(LC_ALL=C tr -dc 'a-z0-9' state/google/cluster-name
  }
  cat state/google/cluster-name
}

# Resolves project/region/zone from the active gcloud config unless already set in the
# environment. Note: CREDHUB_BASE_PATH is not handled here.
_setup_env() {
  export PROJECT_NAME="${PROJECT_NAME:-$(gcloud config get-value core/project)}"
  export CLUSTER_REGION="${CLUSTER_REGION:-$(gcloud config get-value compute/region)}"
  export CLUSTER_ZONE="${CLUSTER_ZONE:-$(gcloud config get-value compute/zone)}"
  export CLUSTER_VERSION="${CLUSTER_VERSION:-latest}"
  export MACHINE_TYPE="${MACHINE_TYPE:-n1-standard-4}"
}

# Appends missing-prerequisite messages to the errors file passed as $1 and, when a
# Credhub base path is configured, verifies Credhub is reachable.
failfast() {
  [[ "$(command -v gcloud)X" != "X" ]] || {
    echo "ERROR: missing 'gcloud' CLI from \$PATH" >> $1
    echo "---> Please install Google Cloud SDK from https://cloud.google.com/sdk/" >> $1
  }

  [[ -f state/configuration/credhub-base-path ]] && {
    CREDHUB_BASE_PATH=$(cat state/configuration/credhub-base-path)
    echo "Testing access to Credhub ${CREDHUB_BASE_PATH}..."
    credhub find -n "${CREDHUB_BASE_PATH}" > /dev/null
  }
}

# STATUS of the named cluster from `gcloud container clusters list`, or "" when absent.
clusterStatus() {
  gcloud container clusters list --format json | \
    jq -r --arg name \
      "$(_cluster_name)" '. | map(select(.name == $name))[0].status // ""'
}

# Creates the GKE cluster if needed, waits for RUNNING, fetches credentials, grants
# cluster-admin to the gcloud account and records the cluster in Credhub. The body
# continues on the following listing lines.
up() {
  _setup_env
  [[ -z "$(clusterStatus)" ]] && {
    (
      echo "Creating GKE cluster..."
cluster_name="$(_cluster_name)"
      args=()
      # NOTE(review): --region receives $CLUSTER_ZONE rather than $CLUSTER_REGION — confirm this is intentional.
      args+=("--region" "${CLUSTER_ZONE}")
      args+=("--cluster-version" "${CLUSTER_VERSION}")
      args+=("--machine-type" "${MACHINE_TYPE}")
      args+=("--enable-autoscaling")
      args+=("--min-nodes=1")
      args+=("--max-nodes=5")
      args+=("--enable-autorepair")
      # Node OAuth scopes. cloud-platform is the broad all-APIs scope, which makes the
      # narrower ones redundant; workloads on these nodes inherit this reach unless
      # metadata access is otherwise restricted.
      args+=("--scopes=service-control,service-management,compute-rw,storage-ro,cloud-platform,logging-write,monitoring-write,pubsub,datastore")
      args+=("--num-nodes=3")
      # Control-plane hardening: no static password and no client certificate issued.
      args+=("--no-enable-basic-auth")
      args+=("--no-issue-client-certificate")
      args+=("--enable-ip-alias")
      args+=("--metadata" "disable-legacy-endpoints=true")
      [[ "${cfcontainers:-}" == "1" ]] && {
        echo "- Using UBUNTU image-type for cf-containers/eirini requirements"
        # https://github.com/SUSE/scf/wiki/Deployment-on-Google-GKE
        # NOTE(review): these are appended to additional_flags, but only "${args[@]}" is
        # passed to the create call below, so the UBUNTU image-type and the
        # --no-enable-auto* flags never reach gcloud.
        additional_flags+=("--image-type" "UBUNTU")
        # TODO - additional_flags="${additional_flags} --addons=HttpLoadBalancing"
        # see https://cloud.google.com/sdk/gcloud/reference/container/clusters/create
        additional_flags+=("--no-enable-autorepair") # not supported for UBUNTU
        additional_flags+=("--no-enable-autoupgrade") # not supported for UBUNTU
      }
      set -x
      gcloud container clusters create "$cluster_name" "${args[@]}"
    )
  }

  status=$(clusterStatus)
  [[ "$status" == "STOPPING" ]] && { echo "Cluster stopping.
Wait until its finished, or try a new \$CLUSTER_NAME"; exit 1; }
  [[ "$status" != "RUNNING" ]] && { echo "Waiting for cluster, current status $status"; }
  # Polls with no upper bound until the cluster reports RUNNING.
  while [[ "$status" != "RUNNING" ]]; do
    sleep 5
    status=$(clusterStatus)
  done

  gcloud container clusters get-credentials "$(_cluster_name)" --region "$CLUSTER_ZONE" --project "$PROJECT_NAME"

  # Binds the active gcloud account to the cluster-admin ClusterRole.
  # NOTE(review): `kubectl create` here is not a dry run, so on a re-run the create fails
  # (binding already exists) and the apply receives empty input — confirm, and consider
  # `--dry-run=client` so the pipeline is idempotent.
  kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user="$(gcloud config get-value core/account)" \
    -o yaml | kubectl apply -f -

  [[ "${cfcontainers:-}" == "1" ]] && {
    echo "- Update nodes to support cgroup swap accounting..."
    # Selects node VMs by name prefix; requires SSH access to each instance.
    instance_names=$(gcloud compute instances list --filter="name~$(_cluster_name)" --format json | jq --raw-output '.[].name')
    # The sed only rewrites the exact stock cmdline string; any other value is left untouched.
    echo "$instance_names" | xargs -I {} gcloud compute ssh {} -- "sudo sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT=\"console=ttyS0 net.ifnames=0\"/GRUB_CMDLINE_LINUX_DEFAULT=\"console=ttyS0 net.ifnames=0 swapaccount=1\"/g' /etc/default/grub.d/50-cloudimg-settings.cfg"
    # Update grub
    echo "$instance_names" | xargs -I {} gcloud compute ssh {} -- "sudo update-grub"
    # Restart VMs
    echo "$instance_names" | xargs gcloud compute instances reset
  }

  # Records cluster coordinates in Credhub when state/configuration/credhub-base-path exists.
  [[ -f state/configuration/credhub-base-path ]] && {
    CREDHUB_BASE_PATH=$(cat state/configuration/credhub-base-path)
    echo "Storing cluster into credhub ${CREDHUB_BASE_PATH}..."
credhub set -n "${CREDHUB_BASE_PATH}/gke-project-name" -t value -v "$PROJECT_NAME"
    credhub set -n "${CREDHUB_BASE_PATH}/gke-cluster-name" -t value -v "$(_cluster_name)"
    credhub set -n "${CREDHUB_BASE_PATH}/gke-cluster-zone" -t value -v "$CLUSTER_ZONE"
    credhub set -n "${CREDHUB_BASE_PATH}/gke-cluster-region" -t value -v "$CLUSTER_REGION"
  }

  exit 0
}

describe() {
  _setup_env
  gcloud container clusters describe "$(_cluster_name)" --region "$CLUSTER_ZONE"
}

down() {
  [[ -f state/google/cluster-name ]] || { echo "No record of provisioned cluster."; exit 1; }
  _setup_env
  # NOTE(review): unlike up()/failfast(), this does not read CREDHUB_BASE_PATH from
  # state/configuration/credhub-base-path (and _setup_env does not set it), so the Credhub
  # cleanup below only runs when the variable happens to be exported in the environment.
  [[ "${CREDHUB_BASE_PATH:-X}" != "X" ]] && {
    echo "Deleting values from Credhub ${CREDHUB_BASE_PATH}..."
    # Best-effort: missing entries must not abort the cluster deletion.
    set +e
    credhub delete -n "${CREDHUB_BASE_PATH}/gke-project-name"
    credhub delete -n "${CREDHUB_BASE_PATH}/gke-cluster-name"
    credhub delete -n "${CREDHUB_BASE_PATH}/gke-cluster-zone"
    credhub delete -n "${CREDHUB_BASE_PATH}/gke-cluster-region"
    credhub delete -n "${CREDHUB_BASE_PATH}/helm-ca"
    credhub delete -n "${CREDHUB_BASE_PATH}/helm-tiller-cert"
    credhub delete -n "${CREDHUB_BASE_PATH}/helm-tiller-key"
    set -e
  }
  gcloud container clusters delete "$(_cluster_name)" --region "$CLUSTER_ZONE" --quiet
}

# Reserves a regional static address named $1 and prints its IP.
static_ip() {
  name=$1
  region="$(gcloud config get-value compute/region)"
  gcloud compute addresses create "$name" --region "$region"
  gcloud compute addresses describe "$name" --region "$region" | bosh int - --path /address
}

case "${1:-usage}" in
  failfast)
    shift
    failfast "$@"
    ;;

  up)
    shift
    up
    ;;

  describe)
    shift
    describe
    ;;

  down)
    shift
    down
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-infrastructure-minikube:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

# Appends a missing-prerequisite message to the errors file passed as $1.
failfast() {
  [[ "$(command -v minikube)X" != "X" ]] || {
    echo "ERROR: missing 'minikube' CLI from \$PATH" >> $1
  }
}

# Second field of the "host:" line of `minikube status` (e.g. Running, Stopped).
clusterStatus() {
  minikube status | grep "host:" | awk '{print $2}'
}

up() {
  # NOTE(review): only an explicit "Stopped" host triggers `minikube start`; any other
  # non-Running value (for instance an empty string when no profile exists yet) falls
  # through to the wait loop below, which then never terminates — confirm against the
  # minikube version in use.
  [[ "$(clusterStatus)" == "Stopped" ]] && {
    echo "Starting Minikube..."
    minikube start
  }

  status=$(clusterStatus)
  [[ "$status" == "Stopping" ]] && { echo "Cluster stopping. Wait until its finished, or try a new \$CLUSTER_NAME"; exit 1; }
  [[ "$status" != "Running" ]] && { echo "Waiting for cluster, current status $status"; }
  while [[ "$status" != "Running" ]]; do
    sleep 5
    status=$(clusterStatus)
  done

  # Refreshes the kubeconfig context's server address after a (re)start.
  minikube update-context

  exit 0
}

describe() {
  minikube status
}

down() {
  minikube stop
}


case "${1:-usage}" in
  failfast)
    shift
    failfast "$@"
    ;;

  up)
    shift
    up
    ;;

  describe)
    shift
    describe
    ;;

  down)
    shift
    down
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-kubernetes-demos:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.."
&& pwd )"

mkdir -p state/systems
# Placeholder entry — presumably so the state/systems/* glob used below is never empty.
touch state/systems/zzz-ignoreme

# Prints the CLI help. The flags listed here are parsed in the `up)` arm of the
# dispatcher at the bottom of this file.
# NOTE(review): the parser accepts --kubeapps (plural) but this text advertises --kubeapp;
# --scf and --no-ingress are accepted by the parser but not listed here.
usage() {
  echo "Bootstrap Kubernetes and/or subsystems for demonstrations:"
  echo " up"
  echo " [--minikube|--local] -- bootstrap Minikube"
  echo " [--gke|--google] -- bootstrap new Google GKE cluster"
  echo " [--az|--azure] -- bootstrap new Azure AKE cluster"
  echo " [--do|--digitalocean] -- bootstrap new Digital Ocean cluster"
  echo ""
  echo " [--ingress|--nginx-ingress] -- deploys Nginx Ingress"
  echo " [--cert-manager] -- deploys cert-manager"
  echo " [--k-rail|--krail] -- deploys k-rail to enforce policies for end users"
  echo " [--helm|--tiller] -- deploys secure Helm Tiller (deprecated)"
  echo ""
  echo " [--cf|--kubecf|--eirini] -- deploys Cloud Foundry/Eirini"
  echo " [--cf-operator] -- deploys only CF Operator"
  echo " [--kpack] -- deploys kpack to build images with buildpacks"
  echo " [--tekton] -- deploys Tekton CD"
  echo " [--knative] -- deploys Knative Serving/Eventing/Istio"
  echo " [--rancher] -- deploys Rancher"
  echo " [--rio] -- deploys Rancher Rio"
  # echo " [--knative-addr-name name] -- map GCP address to ingress gateway"
  echo " [--kubeapp] -- deploys Kubeapps"
  echo " [--service-catalog|--sc] -- deploys Helm/Service Catalog"
  echo " [--cf-broker] -- deploys Helm/Service Catalog/Cloud Foundry Service Broker"
  echo ""
  echo " down -- destroys cluster, if originally bootstrapped"
  echo " clean -- cleans up cached state files"
}

# Ordered list of available systems
# TODO: would be nice to discover available systems from bin/bootstrap-system-* and discover dependencies
# Whitespace-separated; the order here is the installation order used by _requested_systems.
_available_systems() {
  echo "
  nginx-ingress
  cert-manager
  k-rail
  helm
  kubeapps
  servicecatalog cf-broker
  cf-operator kubecf
  kpack tekton knative
  rio rancher
  "
}

# Ordered list of requested systems
# Emits, in _available_systems order, each system whose state/systems/<name> file contains "1".
_requested_systems() {
  for available in $(_available_systems); do
    for requested in $(find state/systems/* -print | xargs -L1 basename); do
      [[ "$available" == "$requested" && $(cat "state/systems/${requested}") == "1" ]] && { echo "$requested"; }
    done
  done
}

# Collects prerequisite errors from the selected infrastructure script and every requested
# system script into a temp file; prints them and exits 1 if any were reported.
failfast() {
  # errexit is suspended so every check runs and reports before we decide to exit.
  set +e
  errors_file=$(mktemp)
  trap "rm -f ${errors_file}" EXIT

  [[ "$(command -v kubectl)X" == "X" ]] && { echo "ERROR: missing 'kubectl' CLI from \$PATH" >> $errors_file; }

  # state/infrastructure holds one of the fixed names written by the `up)` parser below.
  [[ -f state/infrastructure ]] && { bin/bootstrap-infrastructure-"$(cat state/infrastructure)" failfast "$errors_file"; }

  for system in $(_requested_systems); do
    "bin/bootstrap-system-$system" failfast "$errors_file"
  done

  cat "${errors_file}"
  [[ -n "$(cat "${errors_file}")" ]] && { exit 1; }
  set -e

  # migrate state files after renaming/upgrades
  [[ -f state/systems/scf ]] && { mv state/systems/scf state/systems/kubecf; }
  # Ensures a zero exit status regardless of the [[ ]] && list above.
  printf ""
}

# Runs prerequisite checks, then the infrastructure `up`, then each requested system's
# `up` in order. DRY_RUN=1 only prints the system commands that would run.
up() {
  failfast

  [[ -f state/infrastructure ]] && { bin/bootstrap-infrastructure-"$(cat state/infrastructure)" up; }

  [[ -z "$(_requested_systems)" ]] && { echo "No systems selected."; }
  for system in $(_requested_systems); do
    if [[ -z "${DRY_RUN:-}" ]]; then
      "bin/bootstrap-system-$system" up
    else
      echo "---> bootstrap-system-$system up"
    fi
  done
}

# Tears down the infrastructure only; system-level `down` scripts are not invoked here.
down() {
  [[ -f state/infrastructure ]] && { bin/bootstrap-infrastructure-"$(cat state/infrastructure)" down; }
}

# Destroys the cluster and then removes all cached state (including credhub-base-path).
clean() {
  down
  rm -rf state
}

case "${1:-usage}" in
  up)
    mkdir -p state/systems state/configuration/
    shift
    # Each flag records its selection as a state file; `up` below acts on the accumulated state.
    while [[ $# -gt 0 ]]; do
      case "${1:-}" in
        --local|--minikube)
          echo "minikube" > state/infrastructure
          ;;
        --gke|--google)
          echo "google" > state/infrastructure
          ;;
        --az|--azure)
          echo "azure" >
state/infrastructure
          ;;
        --do|--digitalocean)
          echo "digitalocean" > state/infrastructure
          # Digital Ocean always gets helm + nginx-ingress.
          echo 1 > state/systems/helm
          echo 1 > state/systems/nginx-ingress
          ;;

        --ingress|--nginx-ingress)
          echo 1 > state/systems/helm
          echo 1 > state/systems/nginx-ingress
          ;;

        --no-ingress|--no-nginx-ingress)
          # NOTE(review): under the script's `set -e`, this aborts the run when the file
          # does not exist (e.g. --no-ingress given on a fresh state); `rm -f` would be safe.
          rm state/systems/nginx-ingress
          ;;

        --kubecf|--cf|--scf|--eirini)
          echo 1 > state/systems/helm
          echo 1 > state/systems/nginx-ingress
          echo 1 > state/systems/cf-operator
          echo 1 > state/systems/kubecf
          ;;
        --cf-operator)
          echo 1 > state/systems/helm
          echo 1 > state/systems/cf-operator
          ;;

        --cert-manager)
          echo 1 > state/systems/cert-manager
          ;;
        --k-rail|--krail)
          echo 1 > state/systems/k-rail
          ;;
        --kpack)
          echo 1 > state/systems/kpack
          ;;
        --tekton)
          echo 1 > state/systems/tekton
          ;;
        --knative)
          echo 1 > state/systems/knative
          ;;
        --rancher)
          echo 1 > state/systems/helm
          echo 1 > state/systems/cert-manager
          echo 1 > state/systems/rancher
          ;;
        --rio)
          echo 1 > state/systems/rio
          ;;
        # --knative-addr-name)
        # shift
        # echo "$1" > state/configuration/knative-knative_addr_name
        # ;;
        --helm|--tiller)
          echo 1 > state/systems/helm
          ;;
        --service-catalog|--sc)
          echo 1 > state/systems/helm
          echo 1 > state/systems/servicecatalog
          ;;
        --cf-broker)
          echo 1 > state/systems/helm
          echo 1 > state/systems/servicecatalog
          echo 1 > state/systems/cf-broker
          ;;
        --kubeapps)
          echo 1 > state/systems/helm
          echo 1 > state/systems/kubeapps
          ;;
        --credhub-store)
          # Consumes the following argument as the Credhub base path.
          shift
          echo "$1" > state/configuration/credhub-base-path
          ;;
      esac
      shift
    done

    up
    ;;

  clean)
    shift
    clean
    ;;

  failfast)
    shift
    failfast
    ;;

  down)
    shift
    down
    ;;

  *)
    usage
    exit 1
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-cert-manager:
--------------------------------------------------------------------------------
#!/bin/bash

# Deploys cert-manager
# https://cert-manager.io/docs/installation/kubernetes/

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

# Pinned cert-manager version from the repo's .versions file (key=value lines).
_default_version() {
  grep "cert-manager" .versions | cut -d= -f2
}

discover_versions() {
  export VERSION=$(_default_version)
}

# Applies the upstream release manifest for the pinned version and waits for its
# three deployments to roll out.
up() {
  discover_versions
  (
    echo "Installing cert-manager v$VERSION..."
    set -x
    # --validate=false is what the install docs linked above prescribe for older kubectl
    # versions — presumably why it is used here. The manifest is fetched by version tag
    # over HTTPS; no checksum is verified.
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v$VERSION/cert-manager.yaml

    kubectl rollout status -n cert-manager deployment/cert-manager
    kubectl rollout status -n cert-manager deployment/cert-manager-cainjector
    kubectl rollout status -n cert-manager deployment/cert-manager-webhook
  )
}

# https://cert-manager.io/docs/installation/uninstall/kubernetes/
down() {
  discover_versions
  (
    echo "Check all cert-manager resources deleted"
    set -x
    # Listing is informational only; nothing here gates the delete that follows.
    kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces
  )

  kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v$VERSION/cert-manager.yaml
}

# NOTE(review): the example block below (and the `example` subcommand on the next listing
# line) also appears in bootstrap-system-k-rail; it applies the k-rail non-compliant
# manifest, not anything cert-manager related.
# $ bootstrap-system-k-rail example
# ingress.extensions/bad-ingress created
# Error from server (k-rail admission review): error when creating "https://raw.githubusercontent.com/cruise-automation/k-rail/master/deploy/non-compliant-deployment.yaml": admission webhook "k-rail.cruise-automation.github.com" denied the request:
# Deployment
# bad-deployment had violation: Host Bind Mounts: host bind mounts are forbidden
# Deployment bad-deployment had violation: Host Bind Mounts: host bind mounts are forbidden
# Deployment bad-deployment had violation: Docker Sock Mount: mounting the Docker socket is forbidden
# Deployment bad-deployment had violation: Immutable Image Reference: image tag must include its sha256 digest
# Deployment bad-deployment had violation: No Host Network: Using the host network is forbidden
# Deployment bad-deployment had violation: No Privileged Container: Using privileged containers is forbidden
# Deployment bad-deployment had violation: No New Capabilities: Adding additional capabilities is forbidden
# Deployment bad-deployment had violation: No Host PID: Using the host PID namespace is forbidden
# Deployment bad-deployment had violation: Safe to evict: annotation is required for Pods that use emptyDir or hostPath mounts to enable cluster autoscaling
# Deployment bad-deployment had violation: Safe to evict: annotation is required for Pods that use emptyDir or hostPath mounts to enable cluster autoscaling
# Applies an intentionally non-compliant manifest from the k-rail master branch (unpinned)
# to demonstrate admission denial; expected to be rejected when k-rail is installed.
example() {
  kubectl apply -f https://raw.githubusercontent.com/cruise-automation/k-rail/master/deploy/non-compliant-deployment.yaml
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  down)
    shift
    down
    ;;

  example)
    shift
    example
    ;;

  *)
    ;;
esac


--------------------------------------------------------------------------------
/bin/bootstrap-system-cf-broker:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

# helm-manager sets up TLS for tiller; so use `--tls` for all helm commands
export HELM_TLS_VERIFY=${HELM_TLS_VERIFY:-true}

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.."
&& pwd )"

# Reports missing CF_* variables into the errors file $1, then logs in to Cloud Foundry.
# NOTE(review): `set +eu` is never restored in this function, and up() calls it without
# an errors file, so the helm steps in up() run with errexit off (a failed `helm upgrade`
# does not stop the script) and the `>> $1` redirects hit an empty target.
failfast() {
  set +eu
  [[ -z "${CF_API}" ]] && { echo "\$CF_API is required for --cf-broker" >> $1; }
  [[ -z "${CF_USERNAME}" ]] && { echo "\$CF_USERNAME is required for --cf-broker" >> $1; }
  [[ -z "${CF_PASSWORD}" ]] && { echo "\$CF_PASSWORD is required for --cf-broker" >> $1; }
  [[ -z "${CF_ORGANIZATION}" ]] && { echo "\$CF_ORGANIZATION is required for --cf-broker" >> $1; }
  [[ -z "${CF_SPACE}" ]] && { echo "\$CF_SPACE is required for --cf-broker" >> $1; }
  [[ -n "$(cat "$1")" ]] && { exit 1; }

  echo "Testing login to Cloud Foundry ${CF_API}..."
  cf api "${CF_API}"
  # $CF_PASSWORD is passed as a command-line argument, which exposes it in the local
  # process list; `cf auth` can read CF_USERNAME/CF_PASSWORD from the environment instead.
  cf auth "${CF_USERNAME}" "${CF_PASSWORD}"
  cf target -o "${CF_ORGANIZATION}" -s "${CF_SPACE}"
}

# Installs the CF marketplace service broker chart and registers it with Service Catalog.
up() {
  failfast
  echo "Install/upgrade CF Marketplace Service Broker via Helm"
  helm repo add starkandwayne https://helm.starkandwayne.com
  helm repo update
  # The CF password is again placed in argv via --set; a values file with restricted
  # permissions (or `--set-file`) keeps it out of the process list and shell history.
  helm upgrade --install --namespace catalog pws-broker starkandwayne/cf-marketplace-servicebroker --wait \
    --set "cf.api=$CF_API" \
    --set "cf.username=${CF_USERNAME:?required},cf.password=${CF_PASSWORD:?required}" \
    --set "cf.organizationGUID=$(jq -r .OrganizationFields.GUID ~/.cf/config.json)" \
    --set "cf.spaceGUID=$(jq -r .SpaceFields.GUID ~/.cf/config.json)"

  # TODO: move into a kubectl apply -f <(echo "--- {}")
  # Fixed placeholder broker credentials (broker/broker); these guard the broker endpoint
  # inside the cluster and should be replaced for anything beyond a demo.
  set +e
  kubectl create secret generic pws-broker-cf-marketplace-servicebroker-basic-auth \
    --from-literal username=broker \
    --from-literal password=broker
  set -e

  sleep 5
  # Registration is over plain HTTP on the cluster-internal service address.
  svcat register pws-broker-cf-marketplace-servicebroker \
    --url http://pws-broker-cf-marketplace-servicebroker.catalog.svc.cluster.local:8080 \
    --scope cluster \
    --basic-secret pws-broker-cf-marketplace-servicebroker-basic-auth
}

case "${1:-usage}" in
  failfast)
    shift
    failfast "$@"
    ;;

  up)
    shift
    up
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-cf-operator:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

# helm-manager sets up TLS for tiller; so use `--tls` for all helm commands
export HELM_TLS_VERIFY=${HELM_TLS_VERIFY:-true}

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

# Operator namespace, cached on first use in state/configuration/cf-operator-namespace.
_namespace() {
  [[ -f state/configuration/cf-operator-namespace ]] || {
    echo "${CF_OPERATOR_NAMESPACE:-kubecf-operator}" > state/configuration/cf-operator-namespace
  }
  cat state/configuration/cf-operator-namespace
}

# Namespace the operator watches (where kubecf is deployed), cached the same way.
_kubecf_namespace() {
  [[ -f state/configuration/kubecf-namespace ]] || {
    echo "${CF_NAMESPACE:-kubecf}" > state/configuration/kubecf-namespace
  }
  cat state/configuration/kubecf-namespace
}

_default_helm_file_version() {
  grep "cf-operator-helm-file" .versions | cut -d= -f2
}

# Resolves the chart file name and its download location (S3 bucket by default).
# The chart is fetched over HTTPS without checksum or helm provenance (`--verify`) checks.
discover_versions() {
  export CF_OPERATOR_HELM_FILE=${CF_OPERATOR_HELM_FILE:-$(_default_helm_file_version)}

  # Install latest from CI/S3 bucket by default
  export CF_OPERATOR_HELM_TGZ=${CF_OPERATOR_HELM_TGZ:-"https://cf-operators.s3.amazonaws.com/helm-charts/${CF_OPERATOR_HELM_FILE}"}
  # Override:
  # [inside path/to/cf-operator]: bin/build-helm
  # [here]:
  # CF_OPERATOR_HELM_TGZ=path/to/cf-operator/helm/cf-operator-v0.4.2+42.gf51bf355.tgz
}

# No prerequisites are checked for this system.
failfast() {
  printf ""
}

# Rebuilds the chart from the vendored cf-operator checkout and prints the resulting tgz path.
build_from_src() {
  (
    cd vendor/cf-operator
    rm -f helm/*tgz
    bin/build-helm
  )
  ls vendor/cf-operator/helm/cf-operator*tgz
}

# Installs/upgrades cf-operator via Helm; continues on the next listing line.
up() {
  discover_versions
  failfast

  ns=$(_namespace)
  watchNamespace=$(_kubecf_namespace)

  echo "Install Cloud Foundry/Quarks (cf-operator)"
  # create scf namespace - helm3 doesn't do this
  # NOTE(review): the listing is truncated here — the heredoc that creates the namespace
  # and everything up to the `echo "--> Using` line (gutter lines 62–74 of the original)
  # were lost; consult the original file.
  cat < Using
${CF_OPERATOR_HELM_FILE}${release_date:+ from ${release_date}}"
  # TODO: restore $CFOPERATOR_TAG override if it has a purpose
  # : "${CFOPERATOR_TAG:=$(curl -sS 'https://registry.hub.docker.com/v2/repositories/cfcontainerization/cf-operator/tags/' | jq -r ".results[].name" | grep "^v0." | head -n1)}"
  # [[ -n "${CFOPERATOR_TAG:-}" ]] && {
  # echo "--> Using cfcontainerization/cf-operator:${CFOPERATOR_TAG}"
  # echo " From $(curl -sS 'https://registry.hub.docker.com/v2/repositories/cfcontainerization/cf-operator/tags/' | jq -r --arg tag "$CFOPERATOR_TAG" '.results | map(select(.name == $tag))[].last_updated // "not recently"')"
  # }

  # cf-operator versions have + in them; let's encode that as %2B
  # NOTE(review): this rewrite is applied unconditionally, so a local-path override
  # (see the example in discover_versions, which contains a '+') would be mangled too — confirm.
  CF_OPERATOR_HELM_TGZ=${CF_OPERATOR_HELM_TGZ//'+'/%2B}

  (
    set -x
    # provider=gke is hard-coded regardless of which infrastructure script was used.
    helm upgrade --install --wait --namespace "$ns" \
      cf-operator \
      "${CF_OPERATOR_HELM_TGZ}" \
      ${CFOPERATOR_TAG:+--set "image.tag=${CFOPERATOR_TAG}"} \
      --set "global.operator.watchNamespace=${watchNamespace}" \
      --set "provider=gke" \
      --set "operator-webhook-use-service-reference=true" # coming in future
  )
}

# Applies the vendored example BOSHDeployment and lists pods after a fixed delay.
sanitytest() {
  echo "--> Testing cf-operator with example nats deployment"
  kubectl apply -n "$(_namespace)" -f vendor/cf-operator/docs/examples/bosh-deployment/boshdeployment-with-custom-variable.yaml
  sleep 5 # TODO: wait for boshdeployment state change
  kubectl get pods -n "$(_namespace)"
}

# Removes the operator's admission webhooks and pod so they are recreated on restart.
restart() {
  kubectl delete validatingwebhookconfigurations cf-operator-hook-"$(_namespace)" --ignore-not-found
  kubectl delete mutatingwebhookconfigurations cf-operator-hook-"$(_namespace)" --ignore-not-found
  kubectl delete pod -l name=cf-operator -n "$(_namespace)" --ignore-not-found
}

# Uninstalls the release and its webhook configurations.
# NOTE(review): unlike restart(), these deletes lack --ignore-not-found, so under `set -e`
# an already-removed webhook aborts the teardown before the next one.
down() {
  helm delete cf-operator -n "$(_namespace)"

  kubectl delete validatingwebhookconfigurations cf-operator-hook-"$(_namespace)"
  kubectl
delete mutatingwebhookconfigurations cf-operator-hook-"$(_namespace)"
}

case "${1:-usage}" in
  failfast)
    shift
    failfast "$@"
    ;;

  up)
    shift
    up
    ;;

  restart)
    shift
    restart
    ;;

  down)
    shift
    down
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-helm:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

repo_root="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
cd "$repo_root"

# Install S&W Helm Charts rather than some arbitrary default of nonsense
export STABLE_REPO_URL=${STABLE_REPO_URL:-https://helm.starkandwayne.com}

# helm-manager can put its state into this project, not its own
export HELM_MGR_STATE_ROOT=${HELM_MGR_STATE_ROOT:-$PWD/state/helm}

# helm-manager sets up TLS for tiller; so use `--tls` for all helm commands
export HELM_TLS_VERIFY=${HELM_TLS_VERIFY:-true}

# "darwin" or "linux"; prints nothing on any other OS.
_platform() {
  if [ "$(uname)" == "Darwin" ]; then
    echo "darwin"
  elif [ "$(expr substr $(uname -s) 1 5)" == "Linux" ]; then
    echo "linux"
  fi
}

# Installs the helm CLI version pinned in .versions into ${repo_root}/bin/ when no helm
# is on PATH or the one found does not report that version.
_ensure_helm3() {
  version=$(grep "helm-cli" "${repo_root}/.versions" | cut -d= -f2)
  platform=$(_platform)
  # `grep "$version"` is a substring match, so a longer version string containing the pinned
  # one (e.g. a later patch release whose text contains it) would also be accepted.
  [[ "$(command -v helm)X" == "X" || "$(helm version | grep "$version")X" == "X" ]] && {
    echo "installing helm v${version} into ${repo_root}/bin/"
    (
      url="https://get.helm.sh/helm-v${version}-${platform}-amd64.tar.gz"
      cd "$(mktemp -d)"
      # Version-pinned HTTPS download, but the archive is not checked against the checksum
      # file the helm project publishes alongside each release tarball.
      curl -sSL "$url" | tar -xvz "${platform}-amd64/helm"
      chmod +x "${platform}-amd64/helm"
      mv "${platform}-amd64/helm" "${repo_root}/bin/"
    )
  }
  printf '' # ensure happy exit regardless of [[ test ]] block
}

up() {
  _ensure_helm3
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-k-rail:
--------------------------------------------------------------------------------
#!/bin/bash

# Deploys k-rail from latest github release
# https://github.com/cruise-automation/k-rail
#
# Try failing deployment example:
# $ bootstrap-system-k-rail example

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

: "${KRAIL_NAMESPACE:="k-rail"}"

# Downloads the latest k-rail release tarball and applies its rendered Helm chart.
# Supply-chain note: "latest" is resolved at run time from the GitHub API, so the
# deployed content is unpinned and is not verified against a checksum or signature.
up() {
  (
    echo "Installing k-rail..."
    ns=$KRAIL_NAMESPACE

    echo "--> downloading latest k-rail release..."
    cd $(mktemp -d)
    curl -sL https://api.github.com/repos/cruise-automation/k-rail/releases/latest | jq -r .tarball_url | xargs curl -L | tar xzf -
    # GitHub tarballs unpack into a single owner-repo-sha directory; the glob relies on that.
    cd cruise-automation*/
    echo "--> installing..."
    # Renders the chart client-side and applies it directly, so no Helm release is recorded.
    helm template --namespace "$ns" deploy/helm | kubectl apply -n "$ns" -f -

    echo "--> waiting for k-rail to be active..."
# NOTE(review): the namespace is hard-coded as k-rail here, whereas the install above
# uses "$ns" (= $KRAIL_NAMESPACE); with an overridden KRAIL_NAMESPACE this waits on the
# wrong namespace.
    kubectl wait pod -n k-rail -l name=k-rail --for condition=Ready
  )
}

# Removes the namespace and the cluster-scoped admission webhook (named k-rail by the chart — presumably).
down() {
  kubectl delete ns ${KRAIL_NAMESPACE}
  kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io k-rail
}

# $ bootstrap-system-k-rail example
# ingress.extensions/bad-ingress created
# Error from server (k-rail admission review): error when creating "https://raw.githubusercontent.com/cruise-automation/k-rail/master/deploy/non-compliant-deployment.yaml": admission webhook "k-rail.cruise-automation.github.com" denied the request:
# Deployment bad-deployment had violation: Host Bind Mounts: host bind mounts are forbidden
# Deployment bad-deployment had violation: Host Bind Mounts: host bind mounts are forbidden
# Deployment bad-deployment had violation: Docker Sock Mount: mounting the Docker socket is forbidden
# Deployment bad-deployment had violation: Immutable Image Reference: image tag must include its sha256 digest
# Deployment bad-deployment had violation: No Host Network: Using the host network is forbidden
# Deployment bad-deployment had violation: No Privileged Container: Using privileged containers is forbidden
# Deployment bad-deployment had violation: No New Capabilities: Adding additional capabilities is forbidden
# Deployment bad-deployment had violation: No Host PID: Using the host PID namespace is forbidden
# Deployment bad-deployment had violation: Safe to evict: annotation is required for Pods that use emptyDir or hostPath mounts to enable cluster autoscaling
# Deployment bad-deployment had violation: Safe to evict: annotation is required for Pods that use emptyDir or hostPath mounts to enable cluster autoscaling
# Applies an intentionally non-compliant manifest (from the unpinned master branch) to
# demonstrate the admission denial shown above.
example() {
  kubectl apply -f https://raw.githubusercontent.com/cruise-automation/k-rail/master/deploy/non-compliant-deployment.yaml
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  down)
shift 62 | down 63 | ;; 64 | 65 | example) 66 | shift 67 | example 68 | ;; 69 | 70 | *) 71 | ;; 72 | esac 73 | 74 | 75 | -------------------------------------------------------------------------------- /bin/bootstrap-system-knative: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eu 4 | 5 | root_path="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" 6 | cd "$root_path" 7 | 8 | platform() { 9 | if [ "$(uname)" == "Darwin" ]; then 10 | echo "darwin" 11 | elif [ "$(expr substr $(uname -s) 1 5)" == "Linux" ]; then 12 | echo "linux" 13 | fi 14 | } 15 | 16 | _default_istio_version() { 17 | grep "knative-istio-major" .versions | cut -d= -f2 18 | } 19 | 20 | _default_knative_version() { 21 | grep "knative-serving" .versions | cut -d= -f2 22 | } 23 | 24 | discover_versions() { 25 | # https://github.com/knative/serving/tree/master/third_party 26 | KNATIVE_ISTIO_MAJOR_VERSION=${KNATIVE_ISTIO_MAJOR_VERSION:-$(_default_istio_version)} 27 | export KNATIVE_ISTIO_VERSION=${KNATIVE_ISTIO_VERSION:-$(curl -sSL https://raw.githubusercontent.com/knative/serving/master/third_party/istio-${KNATIVE_ISTIO_MAJOR_VERSION}-latest)} 28 | 29 | # https://github.com/knative/serving/releases 30 | export KNATIVE_VERSION=${KNATIVE_VERSION:-$(_default_knative_version)} 31 | } 32 | 33 | _kn_download() { 34 | local url="https://storage.googleapis.com/knative-nightly/client/latest/kn-$(platform)-amd64" 35 | local cli=kn 36 | 37 | [[ -f bin/$cli ]] || { 38 | echo "---> installing $cli cli into bin/" 39 | ( 40 | cd $(mktemp -d) 41 | curl -L >$cli "${url}" 42 | chmod +x $cli 43 | mv $cli "$root_path/bin/$cli" 44 | ) 45 | } 46 | } 47 | 48 | up() { 49 | discover_versions 50 | 51 | echo "Install/upgrade Knative without monitoring" 52 | echo "---> install ${KNATIVE_ISTIO_VERSION}" 53 | ( 54 | set -x 55 | kubectl apply --wait=true \ 56 | --filename 
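"https://raw.githubusercontent.com/knative/serving/master/third_party/${KNATIVE_ISTIO_VERSION}/istio-crds.yaml"
    kubectl apply --wait=true \
      --filename "https://raw.githubusercontent.com/knative/serving/master/third_party/${KNATIVE_ISTIO_VERSION}/istio-lean.yaml"
  )

  _kn_download

  echo "---> wait for istio pilot to start"
  (
    set -x
    kubectl wait -l app=pilot pod --for condition=Ready -n istio-system --timeout 5m
  )

  # while [[ $(kubectl get pods -n istio-system -l app=pilot -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for pod" && sleep 1; done
  echo "---> install knative serving/eventing CRDs"
  # TODO https://github.com/knative/serving/issues/5722
  # The first apply can fail while CRDs are still registering; the identical
  # second apply is a one-shot retry.
  (
    set -x
    kubectl apply --wait=true \
      --selector knative.dev/crd-install=true \
      --filename "https://github.com/knative/serving/releases/download/v${KNATIVE_VERSION}/serving.yaml" \
      --filename "https://github.com/knative/eventing/releases/download/v${KNATIVE_VERSION}/release.yaml" || \
    kubectl apply --wait=true \
      --selector knative.dev/crd-install=true \
      --filename "https://github.com/knative/serving/releases/download/v${KNATIVE_VERSION}/serving.yaml" \
      --filename "https://github.com/knative/eventing/releases/download/v${KNATIVE_VERSION}/release.yaml"
  )
  echo "---> install knative serving/eventing"
  (
    set -x
    kubectl apply --wait=true \
      --filename "https://github.com/knative/serving/releases/download/v${KNATIVE_VERSION}/serving.yaml" \
      --filename "https://github.com/knative/eventing/releases/download/v${KNATIVE_VERSION}/release.yaml"
  )

  echo "---> wait for knative to start"
  (
    set -x
    kubectl wait -l app=controller pod --for condition=Ready -n knative-serving --timeout 300s
  )


  # knctl domain create --default --domain knative.starkandwayne.com

  # echo "Deploy sanity test app to Knative"
  # set +e
  # kubectl create ns bootstrap-test
  # set -e
  # knctl deploy \
  #   --namespace bootstrap-test \
  #   --service hello \
  #   --image gcr.io/knative-samples/helloworld-go \
  #   --env TARGET=Bootstrap

  # podStatus=Init
  # while [[ "${podStatus}" != "Running" ]]; do
  #   sleep 2
  #   podStatus=$(kubectl get pods -n bootstrap-test -l serving.knative.dev/configuration=hello -o jsonpath="{.items[0].status.phase}")
  #   echo "  ${podStatus}"
  # done
  # knctl curl -n bootstrap-test -s hello

  # [[ -f state/configuration/knative-knative_addr_name ]] && {
  #   knative_addr_name=$(cat state/configuration/knative-knative_addr_name)
  #   address=$(gcloud compute addresses describe knative-ingress --region "$CLUSTER_REGION" --format json)
  #   ip=$(echo "$address" | jq -r ".address")
  #   echo "Mapping Knative Ingress Gateway to $ip..."
  #   kubectl patch svc istio-ingressgateway --namespace istio-system --patch \
  #     "$(echo "$address" | jq -cr "{spec: {loadBalancerIP: .address}}")"

  #   echo
  #   echo "In a while, test your DNS + ingress with:"
  #   echo "  curl -v hello.bootstrap-test.knative.starkandwayne.com"
  #   echo
  # }
}

# Map <namespace>.example.com to the istio ingress gateway's external IP via
# kwt. Runs under sudo; -E keeps the caller's environment (e.g. KUBECONFIG)
# so kubectl inside the substitution sees the same cluster.
kwt_routing() {
  namespace=${1:-default}
  set -x
  sudo -E kwt net start --dns-map "${namespace}.example.com=$(kubectl get svc istio-ingressgateway --namespace istio-system -o 'jsonpath={.status.loadBalancer.ingress[0].ip}')" --namespace "${namespace}"
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  kwt)
    shift
    kwt_routing "$@"
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-kpack:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

_default_version() {
  grep "kpack" .versions | cut -d= -f2
}

# KPACK_VERSION defaults to the pin in .versions; KPACK_RELEASE_URL may point
# at a local or mirrored release manifest instead of the GitHub asset.
discover_versions() {
  export KPACK_VERSION=${KPACK_VERSION:-$(_default_version)}
  export KPACK_RELEASE_URL=${KPACK_RELEASE_URL:-"https://github.com/pivotal/kpack/releases/download/v${KPACK_VERSION}/release-${KPACK_VERSION}.yaml"}
}

# Apply the pinned kpack release, then every manifest under resources/kpack/.
up() {
  discover_versions

  echo "Install kpack v${KPACK_VERSION}"
  (
    set -x
    kubectl apply -f "$KPACK_RELEASE_URL"
  )
  echo "Installing resources from resources/kpack/*.yaml"
  (
    set -x
    # iterate the glob directly instead of parsing ls output; an empty
    # directory leaves the pattern unexpanded, which the -e test skips
    for manifest in resources/kpack/*.yaml; do
      [[ -e "$manifest" ]] || continue
      kubectl apply -f "$manifest"
    done
  )
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-kubeapps:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

# helm-manager sets up TLS for tiller; so use `--tls` for all helm commands
export HELM_TLS_VERIFY=${HELM_TLS_VERIFY:-true}

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." 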
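&& pwd )"

# Install Kubeapps with tiller-proxy TLS material taken from `helm home`, and
# print how to fetch a login token for the kubeapps-operator service account.
up() {
  # TODO: convert to kubectl apply -f <()
  # "create" is not idempotent, so a re-run must tolerate AlreadyExists here
  set +e
  kubectl create serviceaccount kubeapps-operator
  # NOTE: cluster-admin makes the token printed below a full-cluster
  # credential; scope it down before using this outside a throwaway cluster.
  kubectl create clusterrolebinding kubeapps-operator --clusterrole=cluster-admin --serviceaccount=default:kubeapps-operator
  set -e

  helm repo add bitnami https://charts.bitnami.com/bitnami
  # --set-file reads the PEM files itself, so the tiller client key never
  # appears in the helm command line (process list, shell trace, history).
  helm upgrade --install kubeapps bitnami/kubeapps --namespace kubeapps \
    --set tillerProxy.tls.verify=true \
    --set-file tillerProxy.tls.ca="$(helm home)/ca.pem" \
    --set-file tillerProxy.tls.key="$(helm home)/key.pem" \
    --set-file tillerProxy.tls.cert="$(helm home)/cert.pem" \
    --wait

  echo "Use the following token to authenticate:"
  echo "kubectl get secret \$(kubectl get serviceaccount kubeapps-operator -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode"
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-kubecf:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

# System domain for this install, persisted under state/configuration on first
# use: the ingress domain if one was recorded, else $CF_SYSTEM_DOMAIN or kubecf.dev.
_system_domain() {
  [[ -f state/configuration/kubecf-system-domain ]] || {
    if [[ -f state/configuration/ingress-domain ]]; then
      cp state/configuration/ingress-domain state/configuration/kubecf-system-domain
    else
      echo "${CF_SYSTEM_DOMAIN:-kubecf.dev}" > state/configuration/kubecf-system-domain
    fi
  }
  cat state/configuration/kubecf-system-domain
}

# Namespace for this install, persisted on first use ($CF_NAMESPACE or kubecf).
_namespace() {
  [[ -f state/configuration/kubecf-namespace ]] || {
    echo "${CF_NAMESPACE:-kubecf}" > state/configuration/kubecf-namespace
  }
  cat state/configuration/kubecf-namespace
}

_default_version() {
  grep "kubecf" .versions | cut -d= -f2
}

# Path of the helm values file (directory created as a side effect).
_values_file() {
  mkdir -p state/configuration/kubecf
  printf "state/configuration/kubecf/values.yaml"
}

discover_versions() {
  # Install latest from CI/S3 bucket by default
  # Usage: KUBECF_RELEASE_URL=path/to/kubecf/bazel-bin/deploy/helm/kubecf/kubecf-3.0.0.tgz
  : "${KUBECF_RELEASE_URL:=}"
}

# Placeholder for prerequisite checks; currently a no-op.
failfast() {
  # aws cli not current required for all code paths
  # [[ "$(command -v aws)X" != "X" ]] || { echo "ERROR: missing 'aws' CLI so we can look up latest kubecf release from S3 bucket" >> $1; }
  printf ""
}

# Install or upgrade kubecf (and the buildpack updater chart) into $(_namespace).
up() {
  discover_versions
  failfast
  echo "Install Cloud Foundry/Eirini (kubecf) for $(_system_domain)"
  # fall back to the GitHub release pinned in .versions when no override is set
  [[ "${KUBECF_RELEASE_URL:-X}" == "X" ]] && {
    KUBECF_RELEASE_URL="https://github.com/SUSE/kubecf/releases/download/v$(_default_version)/kubecf-$(_default_version).tgz"
  }
  [[ -f $(_values_file) ]] || {
    echo "Creating initial $(_values_file)"
    mkdir -p state/configuration/kubecf
    # NOTE(review): the values.yaml heredoc that follows, and the closing "}"
    # of this block, are not present in this listing (the text after "<"
    # appears to have been dropped during extraction); consult the repository
    # file before editing this section.
    cat > state/configuration/kubecf/values.yaml < Using ${KUBECF_RELEASE_URL}"
  ns=$(_namespace)
  values_file=$(_values_file)
  (
    set -x
    helm upgrade --install --namespace "$ns" \
      kubecf \
      "$KUBECF_RELEASE_URL" \
      --values "$values_file"
  )

  echo "Upgrade buildpacks"
  helm repo add starkandwayne https://helm.starkandwayne.com
  helm repo update

  (
    set -x
    helm upgrade --install --namespace "$ns" \
      update-all-cf-buildpacks \
      starkandwayne/update-all-cf-buildpacks
  )
}

# Read the system domain and admin password from the install's secrets and
# authenticate the cf CLI against it.
login() {
  ns=$(_namespace)
  printf "Fetching system domain... "
  # read from the namespace up() installed into, not the kubeconfig default
  SYSTEM_DOMAIN=$(kubectl get secret -n "$ns" kubecf.var-system-domain -ojsonpath='{.data.value}' | base64 --decode)
  echo "$SYSTEM_DOMAIN"

  printf "Fetching admin password... "
  ADMIN_PASSWORD=$(kubectl get secret -n "$ns" kubecf.var-cf-admin-password -ojsonpath='{.data.password}' | base64 --decode)
  echo "done."
  echo

  echo "+ cf api https://api.$SYSTEM_DOMAIN --skip-ssl-validation"
  echo "+ CF_USERNAME=admin CF_PASSWORD=[redacted] cf auth"
  echo
  cf api "https://api.$SYSTEM_DOMAIN" --skip-ssl-validation
  # Hand the password over via the environment rather than "-p": an argv
  # value is visible to every local user in the process list and can end up
  # in shell history or audit logs. Target an org/space afterwards with
  # "cf target -o ORG -s SPACE".
  CF_USERNAME=admin CF_PASSWORD="$ADMIN_PASSWORD" cf auth
}

case "${1:-usage}" in
  failfast)
    shift
    failfast "$@"
    ;;

  up)
    shift
    up
    ;;

  login)
    shift
    login
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-nginx-ingress:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." 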
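&& pwd )"

_namespace() {
  printf "kube-system"
}

# Ingress domain recorded by up(); kwt_routing cannot be used before it exists.
_hostname() {
  [[ -f state/configuration/ingress-domain ]] || {
    echo "ERROR: state/configuration/ingress-domain not found; run 'up' first" >&2
    return 1
  }
  cat state/configuration/ingress-domain
}

# Install the nginx ingress controller, wait for its load balancer IP and
# record the IP plus an xip.io domain for it under state/configuration.
up() {
  # https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-on-digitalocean-kubernetes-using-helm

  echo "Install/upgrade Nginx Ingress via Helm"
  helm repo add stable https://kubernetes-charts.storage.googleapis.com/
  helm repo update
  helm upgrade --install nginx-ingress stable/nginx-ingress \
    --namespace "$(_namespace)" \
    --set controller.publishService.enabled=true
  echo "-- waiting for ingress controller"
  kubectl -n "$(_namespace)" rollout status deploy/nginx-ingress-controller

  echo "-- waiting for ingress load balancer"
  # the cloud LB IP is assigned asynchronously; poll until it appears
  ingress_external_ip=$(kubectl get service -n "$(_namespace)" nginx-ingress-controller -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
  while [[ "${ingress_external_ip:-X}" == "X" ]]; do
    printf "."
    sleep 5
    ingress_external_ip=$(kubectl get service -n "$(_namespace)" nginx-ingress-controller -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
  done

  echo "${ingress_external_ip}" > state/configuration/ingress-external-ip
  # NOTE: the recorded domain resolves through xip.io, a third-party wildcard
  # DNS service, so anything that relies on this hostname depends on it too.
  echo "${ingress_external_ip}.xip.io" > state/configuration/ingress-domain

  echo
}

down() {
  namespace=$(_namespace)
  set +x
  helm delete nginx-ingress -n "$(_namespace)"
}

# Point kwt's DNS at the in-cluster ingress controller so the ingress domain
# recorded by up() resolves from this machine.
kwt_routing() {
  [[ "$(command -v kwt)X" != "X" ]] || { echo "ERROR: install 'kwt'"; exit 1; }

  # the controller service this script installs, not a service owned by another bootstrap script
  api_ip=$(kubectl get svc -n "$(_namespace)" nginx-ingress-controller --template '{{.spec.clusterIP}}')

  echo "Mapping https://$(_hostname) to internal IP ${api_ip}..."
  echo
  hostname=$(_hostname)
  namespace=$(_namespace)
  set -x
  sudo -E kwt net start --dns-map "${hostname}=${api_ip}" --namespace "$namespace"
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  kwt)
    shift
    kwt_routing
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-rancher:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

_namespace() {
  printf "cattle-system"
}

# rancher.<ingress domain> when nginx-ingress has recorded one, else rancher.mydev.
_hostname() {
  if [[ -f state/configuration/ingress-domain ]]; then
    echo "rancher.$(cat state/configuration/ingress-domain)"
  else
    echo "rancher.mydev"
  fi
}

# Install or upgrade Rancher via its helm chart and wait for the rollout.
up() {
  echo "Install/upgrade Rancher via Helm"
  helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
  kubectl create namespace cattle-system || { echo '-> continuing...'; }
  # ingress.tls.source=rancher: the ingress certificate comes from Rancher's
  # own generated CA, which clients will not trust by default.
  helm upgrade --install rancher rancher-latest/rancher \
    --namespace "$(_namespace)" \
    --set ingress.tls.source=rancher \
    --set hostname="$(_hostname)"
  kubectl -n "$(_namespace)" rollout status deploy/rancher
}

down() {
  namespace=$(_namespace)
  set +x
  helm delete rancher -n "$(_namespace)"
}

# Map the Rancher hostname to the rancher service's cluster IP via kwt.
kwt_routing() {
  [[ "$(command -v kwt)X" != "X" ]] || { echo "ERROR: install 'kwt'"; exit 1; }

  api_ip=$(kubectl get svc -n "$(_namespace)" rancher --template '{{.spec.clusterIP}}')

  echo "Mapping https://$(_hostname) to internal IP ${api_ip}..." 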
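echo
  hostname=$(_hostname)
  namespace=$(_namespace)
  set -x
  sudo -E kwt net start --dns-map "${hostname}=${api_ip}" --namespace "$namespace"
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  kwt)
    shift
    kwt_routing
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-rio:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

# Fetch the rio installer into bin/ (no sudo) and run "rio install".
# NOTE: the installer is piped straight into sh from a mutable branch of a
# personal fork, with no pin or checksum, so what runs can change between
# invocations; pin a tag or commit and verify it before relying on this.
up() {
  export SKIP_SUDO=1
  export INSTALL_RIO_BIN_DIR="$PWD/bin"
  curl -sfL https://raw.githubusercontent.com/drnic/rio/my-installer/install.sh | sh -

  rio install --http-port 80 --https-port 443
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  *)
    ;;
esac


--------------------------------------------------------------------------------
/bin/bootstrap-system-servicecatalog:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

# helm-manager sets up TLS for tiller; so use `--tls` for all helm commands
export HELM_TLS_VERIFY=${HELM_TLS_VERIFY:-true}

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

# Install or upgrade the Service Catalog chart into the "catalog" namespace.
up() {
  echo "Install/upgrade Service Catalog via Helm"
  helm repo add svc-cat https://svc-catalog-charts.storage.googleapis.com
  helm upgrade --install catalog svc-cat/catalog --namespace catalog --wait
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/bin/bootstrap-system-tekton:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"

# Apply the Tekton release manifest, then every manifest under resources/tekton/.
# NOTE: "latest/release.yaml" is unpinned, so the installed version is whatever
# upstream published at run time.
up() {
  echo "Install latest tekton"
  kubectl apply --filename https://storage.googleapis.com/tekton-releases/latest/release.yaml
  echo "Installing resources from resources/tekton/*.yaml"
  # iterate the glob directly instead of parsing ls output; an empty
  # directory leaves the pattern unexpanded, which the -e test skips
  for manifest in resources/tekton/*.yaml; do
    [[ -e "$manifest" ]] || continue
    kubectl apply -f "$manifest"
  done
}

case "${1:-usage}" in
  up)
    shift
    up
    ;;

  *)
    ;;
esac
--------------------------------------------------------------------------------
/resources/eirini/cf-domains.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Returns a JSON object of available domains in current CF
# Used for `kwt net start --dns-map-exec "cf-domains.sh"`
#
# Output example: {"scf.suse.dev":["35.184.47.142"]}
#
# See https://github.com/k14s/kwt/blob/master/docs/network.md#cheatsheet

: "${CF_SYSTEM_DOMAIN:=scf.suse.dev}"
: "${CF_NAMESPACE:=scf}"
# cluster IP of the router service; every CF domain is mapped to it
: "${API_IP:=$(kubectl get svc -n "${CF_NAMESPACE}" scf-router-0 --template '{{.spec.clusterIP}}')}"

# If no connection to CF yet (kwt not running), then return static JSON
# {"scf.suse.dev":["35.184.47.142"]}
# echo "{}" | jq -r --arg api_ip "$API_IP" --arg domain $CF_SYSTEM_DOMAIN '{($domain): [$api_ip]}'

# requires an already logged-in cf CLI (see kwt.sh for the bootstrap order)
cf curl /v3/domains | jq -r --arg api_ip "$API_IP" '.resources | map({(.name): [$api_ip]}) | add'
--------------------------------------------------------------------------------
/resources/eirini/kwt.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# https://github.com/k14s/kwt/blob/master/docs/network.md

set -eu

: "${CF_SYSTEM_DOMAIN:=scf.suse.dev}"
: "${CF_NAMESPACE:=scf}"
: "${API_IP:=$(kubectl get svc -n "${CF_NAMESPACE}" scf-router-0 --template '{{.spec.clusterIP}}')}"
export API_IP

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

echo "Mapping *.${CF_SYSTEM_DOMAIN} to internal IP ${API_IP}..."
echo
echo "Login with:"
echo "cf login -a https://api.${CF_SYSTEM_DOMAIN} --skip-ssl-validation -u admin \\"
echo '  -p "$(kubectl get secret -n scf scf.var-cf-admin-password -o json | jq -r .data.password | base64 --decode)"'
echo
# Need to run --dns-map first, so that admin can login first, to allow "cf curl" to work
# The namespace must be the one API_IP was looked up in, so honour CF_NAMESPACE here too
sudo -E kwt net start --dns-map "${CF_SYSTEM_DOMAIN}=${API_IP}" --namespace "${CF_NAMESPACE}"

# After "cf login", can run this line:
# sudo -E kwt net start --dns-map-exec "$DIR/cf-domains.sh" --namespace scf

# Maybe need a CFDomains Operator that looks into CF API, and create K8s records
# for each Domain; so that kwt can discover them without direct access to CF?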
28 | -------------------------------------------------------------------------------- /resources/eirini/scf/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: "2.0" 3 | description: A Helm chart SUSE Cloud Foundry 4 | name: scf 5 | version: 3.0.0 6 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/addons.yaml: -------------------------------------------------------------------------------- 1 | - type: remove 2 | path: /addons/name=bpm 3 | - type: remove 4 | path: /addons/name=bosh-dns-aliases 5 | 6 | - type: replace 7 | path: /addons/name=loggregator_agent/jobs/name=loggregator_agent/properties/quarks?/envs? 8 | value: 9 | - name: AGENT_IP 10 | valueFrom: 11 | fieldRef: 12 | apiVersion: v1 13 | fieldPath: status.podIP 14 | - name: AGENT_INDEX 15 | value: "0" 16 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/certs.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /variables/name=log_cache_ca/options/common_name? 
  value: log-cache-ca

# ---------------------------------------
- type: replace
  path: /variables/name=network_policy_server/options?/alternative_names?/-
  value: '((deployment_name))-api'
# ---------------------------------------
- type: replace
  path: /variables/name=network_policy_client/options?/alternative_names?/-
  value: '((deployment_name))-diego-cell'
# ---------------------------------------
- type: replace
  path: /variables/name=blobstore_tls/options?/alternative_names?/-
  value: '((deployment_name))-singleton-blobstore'
- type: replace
  path: /variables/name=blobstore_tls/options?/alternative_names?/-
  value: '((deployment_name))-singleton-blobstore.{{ .Release.Namespace }}'
# ---------------------------------------
- type: replace
  path: /variables/name=diego_auctioneer_client/options?/alternative_names?/-
  value: '((deployment_name))-diego-api'
# ---------------------------------------
- type: replace
  path: /variables/name=diego_auctioneer_server/options?/alternative_names?/-
  value: '((deployment_name))-scheduler'
# ---------------------------------------
- type: replace
  path: /variables/name=diego_bbs_client/options?/alternative_names?/-
  value: '((deployment_name))-diego-cell'
# ---------------------------------------
- type: replace
  path: /variables/name=diego_bbs_server/options?/alternative_names?/-
  value: '((deployment_name))-diego-api'
- type: replace
  path: /variables/name=diego_bbs_server/options?/alternative_names?/-
  value: '127.0.0.1'
- type: replace
  path: /variables/name=diego_bbs_server/options?/alternative_names?/-
  # TODO: loop through replica count/az count, not just ordinal 0 (using helm templating)
  # NOTE(review): this is the only entry written as ((deployment-name)); every
  # other entry in this file uses ((deployment_name)). If the hyphenated
  # variable is not defined, this SAN will not resolve and TLS connections to
  # the ordinal-0 diego-api pod will fail name verification — confirm which
  # spelling is intended.
  value: '((deployment-name))-diego-api-0'
# ---------------------------------------
- type: replace
  path: 
/variables/name=diego_rep_client/options?/alternative_names?/- 46 | value: '((deployment_name))-diego-api' 47 | # --------------------------------------- 48 | - type: replace 49 | path: /variables/name=diego_rep_agent_v2/options?/alternative_names?/- 50 | value: '((deployment_name))-diego-cell' 51 | # --------------------------------------- 52 | - type: replace 53 | path: /variables/name=loggregator_tls_statsdinjector/options?/alternative_names?/- 54 | value: '((deployment_name))-uaa' 55 | # --------------------------------------- 56 | - type: replace 57 | path: /variables/name=loggregator_tls_doppler/options?/alternative_names?/- 58 | value: '((deployment_name))-doppler' 59 | # --------------------------------------- 60 | - type: replace 61 | path: /variables/name=loggregator_tls_doppler/options?/alternative_names?/- 62 | value: 'metron' 63 | # --------------------------------------- 64 | - type: replace 65 | path: /variables/name=loggregator_tls_tc/options?/alternative_names?/- 66 | value: '((deployment_name))-log-api' 67 | # --------------------------------------- 68 | - type: replace 69 | path: /variables/name=loggregator_tls_cc_tc/options?/alternative_names?/- 70 | value: '((deployment_name))-log-api' 71 | # --------------------------------------- 72 | - type: replace 73 | path: /variables/name=loggregator_rlp_gateway_tls_cc/options?/alternative_names?/- 74 | value: '((deployment_name))-log-api' 75 | # --------------------------------------- 76 | - type: replace 77 | path: /variables/name=loggregator_tls_rlp/options?/alternative_names?/- 78 | value: '((deployment_name))-log-api' 79 | # --------------------------------------- 80 | - type: replace 81 | path: /variables/name=loggregator_rlp_gateway/options?/alternative_names?/- 82 | value: '((deployment_name))-log-api' 83 | # --------------------------------------- 84 | - type: replace 85 | path: /variables/name=adapter_rlp_tls/options?/alternative_names?/- 86 | value: '((deployment_name))-adapter' 87 | # 
--------------------------------------- 88 | - type: replace 89 | path: /variables/name=scheduler_api_tls/options?/alternative_names?/- 90 | value: '((deployment_name))-scheduler' 91 | # --------------------------------------- 92 | - type: replace 93 | path: /variables/name=adapter_tls/options?/alternative_names?/- 94 | value: '((deployment_name))-adapter' 95 | # --------------------------------------- 96 | - type: replace 97 | path: /variables/name=scheduler_client_tls/options?/alternative_names?/- 98 | value: '((deployment_name))-scheduler' 99 | # --------------------------------------- 100 | - type: replace 101 | path: /variables/name=logs_provider/options?/alternative_names?/- 102 | value: '((deployment_name))-doppler' 103 | # --------------------------------------- 104 | - type: replace 105 | path: /variables/name=log_cache/options?/alternative_names?/- 106 | value: '((deployment_name))-doppler' 107 | - type: replace 108 | path: /variables/name=log_cache/options?/alternative_names?/- 109 | value: '((deployment_name))-scheduler' 110 | # --------------------------------------- 111 | - type: replace 112 | path: /variables/name=log_cache_to_loggregator_agent/options?/alternative_names?/- 113 | value: '((deployment_name))-scheduler' 114 | - type: replace 115 | path: /variables/name=log_cache_to_loggregator_agent/options?/alternative_names?/- 116 | value: '((deployment_name))-doppler' 117 | # --------------------------------------- 118 | - type: replace 119 | path: /variables/name=cc_logcache_tls/options?/alternative_names?/- 120 | value: '((deployment_name))-api' 121 | # --------------------------------------- 122 | - type: replace 123 | path: /variables/name=logcache_ssl/options?/alternative_names?/- 124 | value: '((deployment_name))-doppler' 125 | # --------------------------------------- 126 | - type: replace 127 | path: /variables/name=router_ssl/options?/alternative_names?/- 128 | value: '((deployment_name))-router' 129 | # 
--------------------------------------- 130 | - type: replace 131 | path: /variables/name=uaa_ssl/options?/alternative_names?/- 132 | value: '((deployment_name))-uaa' 133 | # --------------------------------------- 134 | - type: replace 135 | path: /variables/name=uaa_login_saml/options?/alternative_names?/- 136 | value: '((deployment_name))-uaa' 137 | # --------------------------------------- 138 | - type: replace 139 | path: /variables/name=cc_tls/options?/alternative_names?/- 140 | value: '((deployment_name))-api' 141 | # --------------------------------------- 142 | - type: replace 143 | path: /variables/name=cc_public_tls/options?/alternative_names?/- 144 | value: '((deployment_name))-api' 145 | # --------------------------------------- 146 | - type: replace 147 | path: /variables/name=cc_tls/options?/alternative_names?/- 148 | value: '((deployment_name))-api.{{ .Release.Namespace }}' 149 | # --------------------------------------- 150 | - type: replace 151 | path: /variables/name=cc_public_tls/options?/alternative_names?/- 152 | value: '((deployment_name))-api.{{ .Release.Namespace }}' 153 | # --------------------------------------- 154 | - type: replace 155 | path: /variables/name=cc_bridge_tps/options?/alternative_names?/- 156 | value: '((deployment_name))-scheduler' 157 | # --------------------------------------- 158 | - type: replace 159 | path: /variables/name=cc_bridge_cc_uploader/options?/alternative_names?/- 160 | value: '((deployment_name))-api' 161 | # --------------------------------------- 162 | - type: replace 163 | path: /variables/name=cc_bridge_cc_uploader_server/options?/alternative_names?/- 164 | value: '((deployment_name))-api' 165 | - type: replace 166 | path: /variables/name=cc_bridge_cc_uploader_server/options?/alternative_names?/- 167 | value: '127.0.0.1' 168 | - type: replace 169 | path: /variables/name=cc_bridge_cc_uploader_server/options?/alternative_names?/- 170 | value: '((deployment_name))-api.{{ .Release.Namespace }}' 171 | 172 | 
# --------------------------------------- 173 | - type: replace 174 | path: /variables/name=diego_locket_server/options?/alternative_names?/- 175 | value: '((deployment_name))-diego-api' 176 | # --------------------------------------- 177 | - type: replace 178 | path: /variables/name=diego_locket_client/options?/alternative_names?/- 179 | value: '((deployment_name))-api' 180 | # --------------------------------------- 181 | - type: replace 182 | path: /variables/name=gorouter_backend_tls/options?/alternative_names?/- 183 | value: '((deployment_name))-router' 184 | # --------------------------------------- 185 | - type: replace 186 | path: /variables/name=ssh_proxy_backends_tls/options?/alternative_names?/- 187 | value: '((deployment_name))-scheduler' 188 | # --------------------------------------- 189 | - type: replace 190 | path: /variables/name=mysql_server_certificate/options?/alternative_names?/- 191 | value: '((deployment_name))-database' 192 | # --------------------------------------- 193 | - type: replace 194 | path: /variables/name=loggregator_rlp_gateway_tls/options?/alternative_names?/- 195 | value: '((deployment_name))-log-api' 196 | # --------------------------------------- 197 | - type: replace 198 | path: /variables/name=loggregator_trafficcontroller_tls/options?/alternative_names?/- 199 | value: '((deployment_name))-log-api' 200 | # --------------------------------------- 201 | - type: replace 202 | path: /variables/name=network_policy_server/options?/alternative_names?/- 203 | value: '*.((deployment_name))-api' 204 | # --------------------------------------- 205 | - type: replace 206 | path: /variables/name=network_policy_client/options?/alternative_names?/- 207 | value: '*.((deployment_name))-diego-cell' 208 | # --------------------------------------- 209 | - type: replace 210 | path: /variables/name=blobstore_tls/options?/alternative_names?/- 211 | value: '*.((deployment_name))-singleton-blobstore' 212 | - type: replace 213 | path: 
/variables/name=blobstore_tls/options?/alternative_names?/- 214 | value: '*.((deployment_name))-singleton-blobstore.{{ .Release.Namespace }}' 215 | # --------------------------------------- 216 | - type: replace 217 | path: /variables/name=diego_auctioneer_client/options?/alternative_names?/- 218 | value: '*.((deployment_name))-diego-api' 219 | # --------------------------------------- 220 | - type: replace 221 | path: /variables/name=diego_auctioneer_server/options?/alternative_names?/- 222 | value: '*.((deployment_name))-scheduler' 223 | # --------------------------------------- 224 | - type: replace 225 | path: /variables/name=diego_bbs_client/options?/alternative_names?/- 226 | value: '*.((deployment_name))-diego-cell' 227 | # --------------------------------------- 228 | - type: replace 229 | path: /variables/name=diego_bbs_server/options?/alternative_names?/- 230 | value: '*.((deployment_name))-diego-api' 231 | # --------------------------------------- 232 | - type: replace 233 | path: /variables/name=diego_rep_client/options?/alternative_names?/- 234 | value: '*.((deployment_name))-diego-api' 235 | # --------------------------------------- 236 | - type: replace 237 | path: /variables/name=diego_rep_agent_v2/options?/alternative_names?/- 238 | value: '*.((deployment_name))-diego-cell' 239 | - type: replace 240 | path: /variables/name=diego_rep_agent_v2/options?/alternative_names?/- 241 | value: '127.0.0.1' 242 | - type: replace 243 | path: /variables/name=diego_rep_agent_v2/options?/alternative_names?/- 244 | value: 'localhost' 245 | # --------------------------------------- 246 | - type: replace 247 | path: /variables/name=loggregator_tls_statsdinjector/options?/alternative_names?/- 248 | value: '*.((deployment_name))-uaa' 249 | # --------------------------------------- 250 | - type: replace 251 | path: /variables/name=loggregator_tls_doppler/options?/alternative_names?/- 252 | value: '*.((deployment_name))-doppler' 253 | # 
--------------------------------------- 254 | - type: replace 255 | path: /variables/name=loggregator_tls_tc/options?/alternative_names?/- 256 | value: '*.((deployment_name))-log-api' 257 | # --------------------------------------- 258 | - type: replace 259 | path: /variables/name=loggregator_tls_cc_tc/options?/alternative_names?/- 260 | value: '*.((deployment_name))-log-api' 261 | # --------------------------------------- 262 | - type: replace 263 | path: /variables/name=loggregator_rlp_gateway_tls_cc/options?/alternative_names?/- 264 | value: '*.((deployment_name))-log-api' 265 | # --------------------------------------- 266 | - type: replace 267 | path: /variables/name=loggregator_tls_rlp/options?/alternative_names?/- 268 | value: '*.((deployment_name))-log-api' 269 | # --------------------------------------- 270 | - type: replace 271 | path: /variables/name=loggregator_rlp_gateway/options?/alternative_names?/- 272 | value: '*.((deployment_name))-log-api' 273 | # --------------------------------------- 274 | - type: replace 275 | path: /variables/name=adapter_rlp_tls/options?/alternative_names?/- 276 | value: '*.((deployment_name))-adapter' 277 | # --------------------------------------- 278 | - type: replace 279 | path: /variables/name=scheduler_api_tls/options?/alternative_names?/- 280 | value: '*.((deployment_name))-scheduler' 281 | # --------------------------------------- 282 | - type: replace 283 | path: /variables/name=adapter_tls/options?/alternative_names?/- 284 | value: '*.((deployment_name))-adapter' 285 | # --------------------------------------- 286 | - type: replace 287 | path: /variables/name=scheduler_client_tls/options?/alternative_names?/- 288 | value: '*.((deployment_name))-scheduler' 289 | # --------------------------------------- 290 | - type: replace 291 | path: /variables/name=logs_provider/options?/alternative_names?/- 292 | value: '*.((deployment_name))-doppler' 293 | # --------------------------------------- 294 | - type: replace 295 | 
path: /variables/name=log_cache/options?/alternative_names?/- 296 | value: '*.((deployment_name))-doppler' 297 | - type: replace 298 | path: /variables/name=log_cache/options?/alternative_names?/- 299 | value: '*.((deployment_name))-scheduler' 300 | # --------------------------------------- 301 | - type: replace 302 | path: /variables/name=log_cache_to_loggregator_agent/options?/alternative_names?/- 303 | value: '*.((deployment_name))-scheduler' 304 | - type: replace 305 | path: /variables/name=log_cache_to_loggregator_agent/options?/alternative_names?/- 306 | value: '*.((deployment_name))-doppler' 307 | # --------------------------------------- 308 | - type: replace 309 | path: /variables/name=cc_logcache_tls/options?/alternative_names?/- 310 | value: '*.((deployment_name))-api' 311 | # --------------------------------------- 312 | - type: replace 313 | path: /variables/name=logcache_ssl/options?/alternative_names?/- 314 | value: '*.((deployment_name))-doppler' 315 | # --------------------------------------- 316 | - type: replace 317 | path: /variables/name=router_ssl/options?/alternative_names?/- 318 | value: '*.((deployment_name))-router' 319 | # --------------------------------------- 320 | - type: replace 321 | path: /variables/name=uaa_ssl/options?/alternative_names?/- 322 | value: '*.((deployment_name))-uaa' 323 | # --------------------------------------- 324 | - type: replace 325 | path: /variables/name=uaa_login_saml/options?/alternative_names?/- 326 | value: '*.((deployment_name))-uaa' 327 | # --------------------------------------- 328 | - type: replace 329 | path: /variables/name=cc_tls/options?/alternative_names?/- 330 | value: '*.((deployment_name))-api' 331 | # --------------------------------------- 332 | - type: replace 333 | path: /variables/name=cc_public_tls/options?/alternative_names?/- 334 | value: '*.((deployment_name))-api' 335 | # --------------------------------------- 336 | - type: replace 337 | path: 
/variables/name=cc_bridge_tps/options?/alternative_names?/- 338 | value: '*.((deployment_name))-scheduler' 339 | # --------------------------------------- 340 | - type: replace 341 | path: /variables/name=cc_bridge_cc_uploader/options?/alternative_names?/- 342 | value: '*.((deployment_name))-api' 343 | # --------------------------------------- 344 | - type: replace 345 | path: /variables/name=cc_bridge_cc_uploader_server/options?/alternative_names?/- 346 | value: '*.((deployment_name))-api' 347 | # --------------------------------------- 348 | - type: replace 349 | path: /variables/name=diego_locket_server/options?/alternative_names?/- 350 | value: '*.((deployment_name))-diego-api' 351 | - type: replace 352 | path: /variables/name=diego_locket_server/options?/alternative_names?/- 353 | value: '127.0.0.1' 354 | # --------------------------------------- 355 | - type: replace 356 | path: /variables/name=diego_locket_client/options?/alternative_names?/- 357 | value: '*.((deployment_name))-api' 358 | # --------------------------------------- 359 | - type: replace 360 | path: /variables/name=gorouter_backend_tls/options?/alternative_names?/- 361 | value: '*.((deployment_name))-router' 362 | # --------------------------------------- 363 | - type: replace 364 | path: /variables/name=ssh_proxy_backends_tls/options?/alternative_names?/- 365 | value: '*.((deployment_name))-scheduler' 366 | # --------------------------------------- 367 | - type: replace 368 | path: /variables/name=mysql_server_certificate/options?/alternative_names?/- 369 | value: '*.((deployment_name))-database' 370 | # --------------------------------------- 371 | - type: replace 372 | path: /variables/name=loggregator_rlp_gateway_tls/options?/alternative_names?/- 373 | value: '*.((deployment_name))-log-api' 374 | # --------------------------------------- 375 | - type: replace 376 | path: /variables/name=loggregator_trafficcontroller_tls/options?/alternative_names?/- 377 | value: 
'*.((deployment_name))-log-api' 378 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/adapter.yaml: -------------------------------------------------------------------------------- 1 | # Disable BOSH DNS and set the logs addr manually. 2 | - type: replace 3 | path: /instance_groups/name=adapter/jobs/name=adapter/properties/scalablesyslog/adapter/bosh_dns? 4 | value: false 5 | - type: replace 6 | path: /instance_groups/name=adapter/jobs/name=adapter/properties/scalablesyslog/adapter/logs?/addr 7 | value: ((deployment-name))-log-api:8082 8 | 9 | # Add quarks properties. 10 | - type: replace 11 | path: /instance_groups/name=adapter/jobs/name=adapter/properties/quarks? 12 | value: 13 | ports: 14 | - name: adapter 15 | protocol: TCP 16 | internal: 4443 17 | run: 18 | healthcheck: 19 | adapter: 20 | readiness: 21 | exec: 22 | command: ['curl', '--fail', '--head', 'http://127.0.0.1:8080/health'] 23 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/api.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks 3 | value: 4 | ## Order is important here 5 | - name: staticfile_buildpack 6 | file: /var/vcap/data/shared-packages/staticfile-buildpack/packages/staticfile-buildpack-cflinuxfs3/staticfile_buildpack-cflinuxfs3-v1.4.40.zip 7 | - name: java_buildpack 8 | file: /var/vcap/data/shared-packages/java-buildpack/packages/java-buildpack-cflinuxfs3/java-buildpack-cflinuxfs3-v4.18.zip 9 | - name: ruby_buildpack 10 | file: /var/vcap/data/shared-packages/ruby-buildpack/packages/ruby-buildpack-cflinuxfs3/ruby_buildpack-cflinuxfs3-v1.7.36.zip 11 | - name: dotnet_core_buildpack 12 | file: 
/var/vcap/data/shared-packages/dotnet-core-buildpack/packages/dotnet-core-buildpack-cflinuxfs3/dotnet-core_buildpack-cflinuxfs3-v2.2.7.zip 13 | - name: nodejs_buildpack 14 | file: /var/vcap/data/shared-packages/nodejs-buildpack/packages/nodejs-buildpack-cflinuxfs3/nodejs_buildpack-cflinuxfs3-v1.6.45.zip 15 | - name: go_buildpack 16 | file: /var/vcap/data/shared-packages/go-buildpack/packages/go-buildpack-cflinuxfs3/go_buildpack-cflinuxfs3-v1.8.35.zip 17 | - name: python_buildpack 18 | file: /var/vcap/data/shared-packages/python-buildpack/packages/python-buildpack-cflinuxfs3/python_buildpack-cflinuxfs3-v1.6.29.zip 19 | - name: php_buildpack 20 | file: /var/vcap/data/shared-packages/php-buildpack/packages/php-buildpack-cflinuxfs3/php_buildpack-cflinuxfs3-v4.3.72.zip 21 | - name: nginx_buildpack 22 | file: /var/vcap/data/shared-packages/nginx-buildpack/packages/nginx-buildpack-cflinuxfs3/nginx_buildpack-cflinuxfs3-v1.0.9.zip 23 | - name: r_buildpack 24 | file: /var/vcap/data/shared-packages/r-buildpack/packages/r-buildpack-cflinuxfs3/r_buildpack-cflinuxfs3-v1.0.7.zip 25 | - name: binary_buildpack 26 | file: /var/vcap/data/shared-packages/binary-buildpack/packages/binary-buildpack-cflinuxfs3/binary_buildpack-cflinuxfs3-v1.0.31.zip 27 | 28 | # core_file_pattern should be disabled as CC is not running on a VM. 29 | - type: replace 30 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/core_file_pattern? 31 | value: false 32 | 33 | # Disable tuning /proc/sys kernel parameters as file_server is running on a container. 34 | - type: replace 35 | path: /instance_groups/name=api/jobs/name=file_server/properties/set_kernel_parameters? 36 | value: false 37 | 38 | # We don't have a /var/vcap/job/*/packages directory, so we point to all the packages. 
- type: replace
  path: /instance_groups/name=api/jobs/name=file_server/properties/diego?/file_server/static_directory
  value: "/var/vcap/packages/"

# TODO: Figure out the DB encryption validation.
# NOTE(review): skip_validation switches off Cloud Controller's start-up check
# of the database_encryption key material. Presumably a missing, wrong or
# rotated key then only surfaces when an encrypted row is read, not at boot.
# Keep this set only until the validation works under cf-operator, and confirm
# the keys are in place before relying on encrypted columns.
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/database_encryption?/skip_validation?
  value: true

# Don't run migrations in pre-start, it seems flaky.
# Schema migrations therefore have to be run by some other step (not visible
# in this file) before the API is expected to serve traffic.
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/run_prestart_migrations?
  value: false

# Override the addresses for the jobs under the api instance group.
# All addresses are Kubernetes service names derived from the deployment name.
# Some are namespace-qualified ({{ .Release.Namespace }}) and some are not;
# both forms resolve from pods inside the release namespace.
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/ccdb/address
  value: ((deployment-name))-database
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/buildpacks?/webdav_config/private_endpoint
  value: &blobstore_url https://((deployment-name))-singleton-blobstore.{{ .Release.Namespace }}:4443
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/droplets?/webdav_config/private_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/packages?/webdav_config/private_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/resource_pool?/webdav_config/private_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/diego?/bbs/url
  value: https://((deployment-name))-diego-api:8889
# NOTE(review): the file server (and routing-api below, http://...:3000) is
# addressed over plain http. These are in-cluster hops; whether that is
# acceptable depends on pod-to-pod traffic being protected by other means
# (network policy, mesh) -- nothing in this file restricts who can reach them.
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/diego?/file_server_url
  value: http://((deployment-name))-api:8080
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/internal_service_hostname?
  value: ((deployment-name))-api.{{ .Release.Namespace }}
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/logcache?/host
  value: ((deployment-name))-doppler
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/loggregator?/internal_url
  value: https://((deployment-name))-log-api:8081
# NOTE(review): no credhub instance group ops file is visible in this tree, so
# this hostname may not resolve. Verify credhub is actually deployed, or that
# the credhub_api integration is disabled elsewhere.
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/credhub_api?/hostname
  value: ((deployment-name))-credhub
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/uaa?/internal_url
  value: ((deployment-name))-uaa
- type: replace
  path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/sqldb/host
  value: ((deployment-name))-database
- type: replace
  path: /instance_groups/name=api/jobs/name=routing-api/properties/routing_api/locket/api_location
  value: ((deployment-name))-diego-api:8891
- type: replace
  path: /instance_groups/name=api/jobs/name=routing-api/properties/dns_health_check_host?
  value: ((deployment-name))-uaa
- type: replace
  path: /instance_groups/name=api/jobs/name=routing-api/properties/uaa/token_endpoint?
  value: ((deployment-name))-uaa
- type: replace
  path: /instance_groups/name=api/jobs/name=route_registrar/properties/nats?/machines
  value:
  - ((deployment-name))-nats
# Route registration talks to routing-api over plain http, but fetches its
# OAuth token from UAA over https.
- type: replace
  path: /instance_groups/name=api/jobs/name=route_registrar/properties/route_registrar/routing_api?/api_url
  value: http://((deployment-name))-api:3000
- type: replace
  path: /instance_groups/name=api/jobs/name=route_registrar/properties/route_registrar/routing_api?/oauth_url
  value: https://((deployment-name))-uaa:8443
- type: replace
  path: /instance_groups/name=api/jobs/name=policy-server/properties/database/host
  value: ((deployment-name))-database
- type: replace
  path: /instance_groups/name=api/jobs/name=policy-server/properties/uaa_hostname?
  value: ((deployment-name))-uaa
- type: replace
  path: /instance_groups/name=api/jobs/name=cc_uploader/properties/internal_hostname?
  value: ((deployment-name))-api.{{ .Release.Namespace }}

# Add empty BPM processes to buildpacks.
# The buildpack jobs only ship package files; with an empty process list no
# BPM process is started for them.
- type: replace
  path: /instance_groups/name=api/jobs/name=binary-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=dotnet-core-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=go-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=java-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=nodejs-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=nginx-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=r-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=php-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=python-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=ruby-buildpack/properties?/quarks/bpm/processes
  value: []
- type: replace
  path: /instance_groups/name=api/jobs/name=staticfile-buildpack/properties?/quarks/bpm/processes
  value: []

# Add quarks properties for cloud_controller_ng.
# Three listeners are published: plain (9022), TLS (9023) and mutual TLS
# (9024). The readiness probe hits the plain port, but only on loopback.
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/quarks?
  value:
    ports:
    - name: api
      protocol: TCP
      internal: 9022
    - name: api-tls
      protocol: TCP
      internal: 9023
    - name: api-mutual-tls
      protocol: TCP
      internal: 9024
    run:
      healthcheck:
        cloud_controller_ng:
          readiness: &cloud_controller_ng_readiness
            exec:
              command: [curl, --fail, --head, --silent, http://127.0.0.1:9022/healthz]
          post_start:
            condition: *cloud_controller_ng_readiness

# Add quarks properties for routing-api.
- type: replace
  path: /instance_groups/name=api/jobs/name=routing-api/properties/quarks?
  value:
    ports:
    - name: routing-api
      protocol: TCP
      internal: 3000

# Add quarks properties for cc_uploader.
# Both a plain and a TLS port are published; cc-worker.yaml currently points
# CC at the plain one (http://...:9090).
- type: replace
  path: /instance_groups/name=api/jobs/name=cc_uploader/properties/quarks?
  value:
    ports:
    - name: http
      protocol: TCP
      internal: 9090
    - name: https
      protocol: TCP
      internal: 9091

# Add quarks properties for file_server.
- type: replace
  path: /instance_groups/name=api/jobs/name=file_server/properties/quarks?
  value:
    ports:
    - name: file-server
      protocol: TCP
      internal: &file-server-port 8080
    run:
      healthcheck:
        file_server:
          readiness:
            tcpSocket:
              port: *file-server-port

# Add quarks properties for statsd_injector.
- type: replace
  path: /instance_groups/name=api/jobs/name=statsd_injector/properties/quarks?
  value:
    ports:
    # TODO: Can we remove this port?
    - name: statsd
      protocol: TCP
      internal: 8125

# Add quarks properties for policy-server.
# NOTE(review): the readiness check only looks for a listening socket; it does
# not prove the server can reach its database or UAA. An HTTP probe would be a
# stronger signal once one is available.
- type: replace
  path: /instance_groups/name=api/jobs/name=policy-server/properties/quarks?
  value:
    ports:
    - name: policy-server
      protocol: TCP
      internal: 4002
    run:
      healthcheck:
        policy-server:
          readiness: &policy_server_readiness
            exec:
              command:
              - sh
              - -c
              - ss -nlt | grep "LISTEN.*:4002"
          post_start:
            condition: *policy_server_readiness

# Add quarks properties for policy-server-internal.
# Same listening-socket check as above; no port is published for this job.
- type: replace
  path: /instance_groups/name=api/jobs/name=policy-server-internal/properties/quarks?
  value:
    run:
      healthcheck:
        policy-server:
          readiness: &policy_server_internal_readiness
            exec:
              command:
              - sh
              - -c
              # TODO: Use curl to call port 31946.
              - ss -nlt | grep "LISTEN.*:4003"
          post_start:
            condition: *policy_server_internal_readiness
--------------------------------------------------------------------------------
/resources/eirini/scf/assets/operations/instance_groups/bits-service.yaml:
--------------------------------------------------------------------------------
{{- if eq .Values.features.eirini true -}}

# Pin the bits-service release version and take its URL from the chart-wide
# default. The sha1 is dropped, so the release is trusted by version only.
# NOTE(review): consider pinning by digest (or restoring a checksum) if this
# is used anywhere beyond a demo.
- type: replace
  path: /releases/name=bits-service/version
  value: 2.28.0
- type: replace
  path: /releases/name=bits-service/url
  value: ((releases-defaults-url))
- type: remove
  path: /releases/name=bits-service/sha1
- type: replace
  path: /releases/name=bits-service/stemcell?
  value:
    alias: default
    os: opensuse-42.3
    version: 36.g03b4653-30.80-7.0.0_348.gc8fb3864

# Add quarks information to the Bits Service jobs.
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/quarks?
  value:
    ports:
    - name: bits-tls
      protocol: TCP
      internal: 443

# Certificate for bits-service. signer_type "cluster" has the Kubernetes
# cluster CA sign it (presumably so that kubelets trust the registry it
# serves -- confirm); the SANs cover the bare and namespace-qualified service
# names plus the eirini-registry serviceRef.
- type: replace
  path: /variables/name=bits_service_ssl/options?/serviceRef?/-
  value:
    name: ((deployment-name))-eirini-registry
    namespace: {{ .Release.Namespace }}
- type: replace
  path: /variables/name=bits_service_ssl/options/signer_type?
  value: cluster
- type: replace
  path: /variables/name=bits_service_ssl/options/alternative_names/-
  value: "*.((deployment-name))-bits"
- type: replace
  path: /variables/name=bits_service_ssl/options/alternative_names/-
  value: "((deployment-name))-bits"
- type: replace
  path: /variables/name=bits_service_ssl/options/alternative_names/-
  value: "*.((deployment-name))-bits.{{ .Release.Namespace }}"
- type: replace
  path: /variables/name=bits_service_ssl/options/alternative_names/-
  value: "((deployment-name))-bits.{{ .Release.Namespace }}"

# Private (in-cluster) endpoints for bits-service and its WebDAV blobstore.
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service?/private_endpoint
  value: https://((deployment-name))-bits.{{ .Release.Namespace }}
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/app_stash/webdav_config/private_endpoint
  value: &blobstore_url https://((deployment-name))-singleton-blobstore:4443
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/buildpacks/webdav_config/private_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/droplets/webdav_config/private_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/packages/webdav_config/private_endpoint
  value: *blobstore_url

# TODO: check to see where these should actually be public - what are the
# use cases? A proper solution for Eirini would be to expose only the
# endpoints it really needs. Until then, the "public" endpoints below are the
# same in-cluster service addresses as the private ones above, so presumably
# nothing here becomes reachable from outside the cluster.
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service?/public_endpoint
  value: https://((deployment-name))-bits.{{ .Release.Namespace }}
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/app_stash/webdav_config/public_endpoint
  value: &blobstore_url https://((deployment-name))-singleton-blobstore.{{ .Release.Namespace }}:4443
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/buildpacks/webdav_config/public_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/droplets/webdav_config/public_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/packages/webdav_config/public_endpoint
  value: *blobstore_url

# Package state updates go to the CC internal API over its TLS port (9023).
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/cc_updates?/cc_url
  value: https://((deployment-name))-api.{{ .Release.Namespace }}:9023/internal/v4/packages

- type: replace
  path: /instance_groups/name=bits/jobs/name=route_registrar/properties/nats?/machines
  value:
  - ((deployment-name))-nats
- type: replace
  path: /instance_groups/name=bits/jobs/name=route_registrar/properties/route_registrar?/routing_api/api_url
  value: http://((deployment-name))-api:3000
- type: replace
  path: /instance_groups/name=bits/jobs/name=route_registrar/properties/route_registrar?/routing_api/oauth_url
  value: https://((deployment-name))-uaa:8443

# Point the CC jobs at bits-service. Note that CC's bits_service integration
# is switched off again at the bottom of this file; presumably only the
# registry / OPI path uses bits-service here -- confirm.
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/bits_service?/private_endpoint
  value: https://((deployment-name))-bits.{{ .Release.Namespace }}
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/bits_service?/private_endpoint
  value: https://((deployment-name))-bits.{{ .Release.Namespace }}
- type: replace
  path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/bits_service?/private_endpoint
  value: https://((deployment-name))-bits.{{ .Release.Namespace }}

# Enable Docker registry on bits-service (used by OPI)
# NOTE(review): the registry is registered as a route on the system domain, so
# it is reachable through the router from wherever the router is exposed.
# Whatever authentication bits-service applies to registry pulls/pushes is
# configured elsewhere (not visible here) -- confirm it is not anonymous.
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/enable_registry?
  value: true
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/registry_endpoint?
  value: "https://registry.((system_domain))"
- type: replace
  path: /instance_groups/name=bits/jobs/name=route_registrar/properties/route_registrar/routes/name=bits-service/uris/-
  value: registry.((system_domain))
- type: replace
  path: /variables/name=bits_service_ssl/options/alternative_names/-
  value: registry.((system_domain))
- type: replace
  path: /instance_groups/name=bits/jobs/name=bits-service/properties/bits-service/rootfs?/blobstore_type?
  value: local

# Attach a persistent disk to bits-service VM to store eirinifs
# TODO: storage class type should be configurable
# - type: replace
#   path: /instance_groups/name=bits/persistent_disk_type?
#   value: ???
- type: replace
  path: /instance_groups/name=bits/persistent_disk?
  value: 20480 # 20GB

- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/bits_service?/enabled?
  value: false
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/bits_service?/enabled?
  value: false
- type: replace
  path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/bits_service?/enabled?
  value: false
{{- end}}
--------------------------------------------------------------------------------
/resources/eirini/scf/assets/operations/instance_groups/cc-worker.yaml:
--------------------------------------------------------------------------------
# Override the addresses for the jobs under the cc-worker instance group.
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/ccdb/address
  value: ((deployment-name))-database
# NOTE(review): api.yaml uses the namespace-qualified blobstore name
# (...-singleton-blobstore.{{ .Release.Namespace }}); this one does not. Both
# names are in the blobstore_tls SANs, so either verifies, but the short form
# only resolves while cc-worker runs in the same namespace as the blobstore.
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/buildpacks?/webdav_config/private_endpoint
  value: &blobstore_url https://((deployment-name))-singleton-blobstore:4443
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/droplets?/webdav_config/private_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/packages?/webdav_config/private_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/resource_pool?/webdav_config/private_endpoint
  value: *blobstore_url
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/diego?/bbs/url
  value: https://((deployment-name))-diego-api:8889
# NOTE(review): cc_uploader also publishes an https port (9091, see api.yaml);
# the plain port is used here. Whether CC can use the TLS port depends on
# cc_uploader's TLS configuration, which is not visible in this file.
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/diego?/cc_uploader_url
  value: http://((deployment-name))-api:9090
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/diego?/file_server_url
  value: http://((deployment-name))-api:8080
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/internal_service_hostname?
  value: ((deployment-name))-api
# NOTE(review): api.yaml sets this same loggregator internal_url to
# https://...-log-api:8081, while the worker uses http on the same port. One
# of the two is wrong; if 8081 is the TLS listener (a
# loggregator_trafficcontroller_tls cert exists for log-api in certs.yaml),
# the worker should use https as well.
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/loggregator?/internal_url
  value: http://((deployment-name))-log-api:8081
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/uaa?/internal_url
  value: ((deployment-name))-uaa
# NOTE(review): no credhub instance group ops file is visible in this tree;
# verify the hostname resolves or that credhub_api is disabled elsewhere.
- type: replace
  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/credhub_api?/hostname
  value: ((deployment-name))-credhub
--------------------------------------------------------------------------------
/resources/eirini/scf/assets/operations/instance_groups/database.yaml:
--------------------------------------------------------------------------------
# Remove the PXC release and related variables.
# Only the galera CA and galera server certificate are removed here; the
# pxc_server_ca variable is still referenced by the mysql job's TLS config
# further down in this file.
- type: remove
  path: /releases/name=pxc
- type: remove
  path: /variables/name=pxc_galera_ca
- type: remove
  path: /variables/name=galera_server_certificate

# Set the common name for the mysql_server_certificate.
# An alternate name is not enough, the CC specifically looks at the common_name
- type: replace
  path: /variables/name=mysql_server_certificate/options/common_name?
  value: ((deployment-name))-database

# Add the cf-mysql-release.
# NOTE(review): the release image is pulled from docker.io/cfcontainerization
# with sha1 unset, so it is trusted by version tag only. Pin it by digest (or
# restore a checksum) if this is used anywhere beyond a demo.
- type: replace
  path: /releases/name=cf-mysql?
  value:
    name: cf-mysql
    url: docker.io/cfcontainerization
    version: 36.19.0
    sha1: ~

# Configure the persistent disk in the way that cf-operator can provision.
- type: remove
  path: /instance_groups/name=database/persistent_disk_type
- type: replace
  path: /instance_groups/name=database/persistent_disk?
  value: 20480 # 20GB

# Replace the jobs using the cf-mysql-release.
# Single-node MariaDB: galera and binlog are off, so there is no replication
# and no cluster to join. Every credential comes from a ((variable)); nothing
# is hard-coded in this file. Each CF component gets its own database and user.
- type: replace
  path: /instance_groups/name=database/jobs
  value:
  - name: mysql
    release: cf-mysql
    properties:
      cf_mysql:
        mysql:
          enable_galera: false
          admin_password: "((cf_mysql_mysql_admin_password))"
          port: 3306
          binlog_enabled: false
          cluster_health:
            password: "((cf_mysql_mysql_cluster_health_password))"
          galera_healthcheck:
            db_password: "((cf_mysql_mysql_galera_healthcheck_password))"
            endpoint_username: galera_healthcheck
            endpoint_password: "((cf_mysql_mysql_galera_healthcheck_endpoint_password))"
          seeded_databases:
          - name: cloud_controller
            username: cloud_controller
            password: "((cc_database_password))"
          - name: credhub
            password: ((credhub_database_password))
            username: credhub
          - name: diego
            username: diego
            password: "((diego_database_password))"
          - name: network_connectivity
            username: network_connectivity
            password: "((network_connectivity_database_password))"
          - name: network_policy
            username: network_policy
            password: "((network_policy_database_password))"
          - name: routing-api
            username: routing-api
            password: "((routing_api_database_password))"
          - name: uaa
            username: uaa
            password: "((uaa_database_password))"
          - name: locket
            username: locket
            password: "((locket_database_password))"
          # The server presents mysql_server_certificate (CN set above). The CA
          # handed to the job is pxc_server_ca, which this file does not remove.
          # Whether clients verify the server certificate is configured on each
          # client job, not here.
          tls:
            ca_certificate: "((pxc_server_ca.certificate))"
            server_certificate: "((mysql_server_certificate.certificate))"
            server_key: "((mysql_server_certificate.private_key))"

# Add quarks properties. It adds the BPM configuration as cf-mysql-release lacks
# support for it upstream.
# Readiness is an authenticated `mysqladmin ping` using the login file under
# the job's config directory (presumably rendered by the mysql job -- confirm).
# The BPM process starts mariadb_ctl, waits for its pid and log files to
# appear, then tails the log until the server pid exits, which keeps the
# container in the foreground and sends the database log to stdout.
- type: replace
  path: /instance_groups/name=database/jobs/name=mysql/properties/quarks?
  value:
    ports:
    - name: mysql
      protocol: TCP
      internal: 3306
    run:
      healthcheck:
        mariadb_ctrl:
          readiness:
            exec:
              command:
              - /var/vcap/packages/mariadb/bin/mysqladmin
              - --defaults-file=/var/vcap/jobs/mysql/config/mylogin.cnf
              - ping
    bpm:
      processes:
      - name: mariadb_ctrl
        limits:
          open_files: 1048576
        persistent_disk: true
        executable: /bin/bash
        args:
        - -c
        - |
          wait_for_file() {
            local file_path="$1"
            local timeout="${2:-30}"
            until [[ -f "${file_path}" ]] || [[ "$timeout" == "0" ]]; do sleep 1; timeout=$(expr $timeout - 1); done
            if [[ "${timeout}" == 0 ]]; then return 1; fi
            return 0
          }

          /var/vcap/jobs/mysql/bin/mariadb_ctl start

          pid_file="/var/vcap/sys/run/mysql/mysql.pid"
          log_file="/var/vcap/sys/log/mysql/mariadb_ctrl.combined.log"

          wait_for_file "${pid_file}" || {
            echo "${pid_file} did not get created"
            exit 1
          }

          wait_for_file "${log_file}" || {
            echo "${log_file} did not get created"
            exit 1
          }

          tail \
            --pid $(cat "${pid_file}") \
            --follow "${log_file}"
--------------------------------------------------------------------------------
/resources/eirini/scf/assets/operations/instance_groups/diego-api.yaml:
--------------------------------------------------------------------------------
# Selectively remove jobs temporarily.
# NOTE(review): silk-controller is presumably the control plane for CF
# container networking. With it removed here -- and the cell-side jobs
# (silk-daemon, silk-cni, vxlan-policy-agent) removed in diego-cell.yaml --
# container-to-container network policy is presumably not enforced on this
# deployment even though policy-server still runs in the api group.
- type: remove
  path: /instance_groups/name=diego-api/jobs/name=silk-controller

# Override the addresses for the jobs under the diego-api instance group.
6 | - type: replace 7 | path: /instance_groups/name=diego-api/jobs/name=locket/properties/diego/locket/sql/db_host 8 | value: ((deployment-name))-database 9 | - type: replace 10 | path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/sql/db_host 11 | value: ((deployment-name))-database 12 | - type: replace 13 | path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/locket?/api_location 14 | value: 127.0.0.1:8891 15 | - type: replace 16 | path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/auctioneer?/api_location 17 | value: ((deployment-name))-scheduler:9016 18 | - type: replace 19 | path: /instance_groups/name=diego-api/jobs/name=bbs/properties/diego/bbs/advertisement_base_hostname? 20 | value: ((deployment-name))-diego-api 21 | - type: replace 22 | path: /instance_groups/name=diego-api/jobs/name=cfdot/properties/bbs?/hostname 23 | value: 127.0.0.1 24 | - type: replace 25 | path: /instance_groups/name=diego-api/jobs/name=cfdot/properties/locket?/hostname 26 | value: 127.0.0.1 27 | 28 | # Disable tuning of /proc/sys kernel parameters, as locket and bbs run in containers. 29 | - type: replace 30 | path: /instance_groups/name=diego-api/jobs/name=locket/properties/set_kernel_parameters? 31 | value: false 32 | - type: replace 33 | path: /instance_groups/name=diego-api/jobs/name=bbs/properties/set_kernel_parameters? 34 | value: false 35 | 36 | # Add quarks properties for locket. 37 | - type: replace 38 | path: /instance_groups/name=diego-api/jobs/name=locket/properties/quarks? 39 | value: 40 | ports: 41 | - name: locket 42 | protocol: TCP 43 | internal: 8891 44 | 45 | # Add quarks properties for bbs. 46 | - type: replace 47 | path: /instance_groups/name=diego-api/jobs/name=bbs/properties/quarks? 
48 | value: 49 | ports: 50 | - name: cell-bbs-api 51 | protocol: TCP 52 | internal: 8889 53 | run: 54 | healthcheck: 55 | bbs: 56 | readiness: &bbs_readiness 57 | exec: 58 | command: 59 | - sh 60 | - -c 61 | - ss -nlt | grep "LISTEN.*:8889" 62 | post_start: 63 | condition: *bbs_readiness 64 | 65 | - type: replace 66 | path: /instance_groups/name=diego-api/jobs/name=cfdot/properties/quarks?/bpm/processes 67 | value: [] 68 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/diego-cell.yaml: -------------------------------------------------------------------------------- 1 | # Selectively remove jobs temporarily. 2 | - type: remove 3 | path: /instance_groups/name=diego-cell/jobs/name=garden-cni 4 | - type: remove 5 | path: /instance_groups/name=diego-cell/jobs/name=netmon 6 | - type: remove 7 | path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent 8 | - type: remove 9 | path: /instance_groups/name=diego-cell/jobs/name=silk-daemon 10 | - type: remove 11 | path: /instance_groups/name=diego-cell/jobs/name=silk-cni 12 | 13 | # Enable BPM on garden. 14 | - type: replace 15 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/bpm?/enabled 16 | value: true 17 | 18 | # Override the addresses for the jobs under the diego-cell instance group. 19 | - type: replace 20 | path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/uaa/hostname? 21 | value: ((deployment-name))-uaa 22 | - type: replace 23 | path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/diego/route_emitter/nats?/machines 24 | value: 25 | - ((deployment-name))-nats 26 | - type: replace 27 | path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/diego/route_emitter/bbs/api_location? 
28 | value: ((deployment-name))-diego-api:8889 29 | - type: replace 30 | path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/locks?/locket/hostname 31 | value: ((deployment-name))-diego-api 32 | - type: replace 33 | path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/routing_api?/url 34 | value: http://((deployment-name))-api 35 | - type: replace 36 | path: /instance_groups/name=diego-cell/jobs/name=cfdot/properties/bbs?/hostname 37 | value: ((deployment-name))-diego-api 38 | - type: replace 39 | path: /instance_groups/name=diego-cell/jobs/name=cfdot/properties/locket?/hostname 40 | value: ((deployment-name))-diego-api 41 | - type: replace 42 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/set_kernel_parameters? 43 | value: false 44 | 45 | # Temporarily remove the garden network_plugin. 46 | - type: remove 47 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/network_plugin 48 | - type: remove 49 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/network_plugin_extra_args 50 | 51 | # Add quarks properties for garden. 52 | - type: replace 53 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/quarks? 54 | value: 55 | run: 56 | healthcheck: 57 | garden: 58 | readiness: &garden_readiness 59 | exec: 60 | command: [sh, -c, 'ss -nlt | grep "LISTEN.*:17019"'] 61 | post_start: 62 | condition: *garden_readiness 63 | 64 | # Add quarks properties for route_emitter. 65 | - type: replace 66 | path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/quarks? 67 | value: 68 | run: 69 | healthcheck: 70 | route_emitter: 71 | readiness: &route_emitter_readiness 72 | exec: 73 | command: [curl, --fail, --silent, http://127.0.0.1:17011/ping] 74 | post_start: 75 | condition: *route_emitter_readiness 76 | 77 | # Add quarks properties for rep. Note that this block also runs the rep job with a privileged security context (privileged: true). 78 | - type: replace 79 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/quarks? 
80 | value: 81 | ports: 82 | - name: rep 83 | protocol: TCP 84 | internal: 1800 85 | - name: rep-tls 86 | protocol: TCP 87 | internal: 1801 88 | run: 89 | security_context: 90 | privileged: true 91 | healthcheck: 92 | rep: 93 | readiness: &rep_readiness 94 | exec: 95 | command: [sh, -c, 'ss -nlt | grep "LISTEN.*:1800"'] 96 | post_start: 97 | condition: *rep_readiness 98 | 99 | - type: replace 100 | path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs3-rootfs-setup/properties/quarks?/bpm/processes 101 | value: [] 102 | - type: replace 103 | path: /instance_groups/name=diego-cell/jobs/name=cfdot/properties/quarks?/bpm/processes 104 | value: [] 105 | 106 | - type: replace 107 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/diego/rep/locket?/api_location 108 | value: ((deployment-name))-diego-api:8891 109 | 110 | - type: replace 111 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/diego/rep/bbs?/api_location 112 | value: ((deployment-name))-diego-api:8889 113 | 114 | - type: replace 115 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/diego/rep/advertise_domain? 116 | value: ((deployment-name))-diego-cell 117 | 118 | - type: replace 119 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/diego/rep/preloaded_rootfses 120 | value: 121 | - cflinuxfs3:/var/vcap/data/rep/cflinuxfs3/rootfs.tar 122 | 123 | - type: replace 124 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/network_pool? 125 | value: 10.38.0.0/16 126 | 127 | - type: replace 128 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/apparmor_profile? 
129 | value: "" 130 | 131 | - type: replace 132 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/containerd_mode 133 | value: false 134 | 135 | - type: replace 136 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/cleanup_process_dirs_on_wait 137 | value: false 138 | 139 | - type: replace 140 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties?/garden?/disable_swap_limit? 141 | value: true 142 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/doppler.yaml: -------------------------------------------------------------------------------- 1 | # Override the addresses for the jobs under the doppler instance group. 2 | - type: replace 3 | path: /instance_groups/name=doppler/jobs/name=route_registrar/properties/nats?/machines 4 | value: 5 | - ((deployment-name))-nats 6 | - type: replace 7 | path: /instance_groups/name=doppler/jobs/name=route_registrar/properties/route_registrar?/routing_api/api_url 8 | value: http://((deployment-name))-api:3000 9 | - type: replace 10 | path: /instance_groups/name=doppler/jobs/name=route_registrar/properties/route_registrar?/routing_api/oauth_url 11 | value: https://((deployment-name))-uaa:8443 12 | 13 | # Change the log_cache_ca CN to avoid clashing with the other log-cache certificate CNs. 14 | - type: replace 15 | path: /variables/name=log_cache_ca/options/common_name 16 | value: log-cache-ca 17 | 18 | # Add quarks properties for doppler. 19 | - type: replace 20 | path: /instance_groups/name=doppler/jobs/name=doppler/properties/quarks? 
21 | value: 22 | ports: 23 | - name: dropsonde-tcp 24 | protocol: TCP 25 | internal: 3458 26 | - name: doppler-tls 27 | protocol: TCP 28 | internal: 3459 29 | - name: doppler-ws 30 | protocol: TCP 31 | internal: 8081 32 | - name: doppler-grpc 33 | protocol: TCP 34 | internal: 8082 35 | - name: log-cache-proxy # log-cache-cf-auth-proxy 36 | protocol: TCP 37 | internal: 8083 38 | 39 | # Add quarks properties for log-cache. 40 | - type: replace 41 | path: /instance_groups/name=doppler/jobs/name=log-cache/properties/quarks? 42 | value: 43 | ports: 44 | - name: log-cache 45 | protocol: TCP 46 | internal: 8080 47 | 48 | 49 | - type: replace 50 | path: /instance_groups/name=doppler/jobs/name=log-cache-expvar-forwarder/properties/quarks?/envs? 51 | value: 52 | - name: INSTANCE_ADDR 53 | value: ((deployment-name))-doppler:8080 54 | - name: INSTANCE_ID 55 | value: "0" 56 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/eirini.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.features.eirini true -}} 2 | 3 | - type: replace 4 | path: /instance_groups/- 5 | value: 6 | name: configure-eirini 7 | lifecycle: auto-errand 8 | release: eirini 9 | instances: 1 10 | stemcell: default 11 | env: 12 | bosh: 13 | agent: 14 | settings: 15 | serviceAccountName: ((deployment-name))-eirini 16 | disable_log_sidecar: true 17 | jobs: 18 | - name: configure-eirini-scf 19 | release: eirini 20 | properties: 21 | quarks: 22 | bpm: 23 | processes: 24 | - name: configure-eirini 25 | executable: /bin/bash 26 | args: 27 | - -c 28 | - /var/vcap/jobs/configure-eirini-scf/bin/run 29 | capi: 30 | cc_uploader: 31 | mutual_tls: 32 | server_cert: "((cc_bridge_cc_uploader_server.certificate))" 33 | server_key: "((cc_bridge_cc_uploader_server.private_key))" 34 | eirini: 35 | run_cert_copier: ~ 36 | cert_copier_image: "" 37 | opi: 38 | registry_address: "" 39 | 
kube_namespace: ((deployment-name))-eirini 40 | certs_secret_name: eirini-staging-secret 41 | cc_cert: ((cc_bridge_tps.certificate)) 42 | cc_key: ((cc_bridge_tps.private_key)) 43 | cc_ca: ((service_cf_internal_ca.certificate)) 44 | 45 | # Add eirini 46 | - type: replace 47 | path: /instance_groups/- 48 | value: 49 | name: eirini 50 | release: eirini 51 | instances: 1 52 | stemcell: default 53 | env: 54 | bosh: 55 | agent: 56 | settings: 57 | serviceAccountName: ((deployment-name))-eirini 58 | jobs: 59 | - name: eirini-loggregator-bridge 60 | release: eirini 61 | properties: 62 | quarks: 63 | envs: 64 | # TODO: this isn't working for some reason - the env var is not present in 65 | # the pod 66 | - name: EIRINI_LOGGREGATOR_BRIDGE_LOGLEVEL 67 | value: debug 68 | eirini-loggregator-bridge: 69 | loggregator_ca: '((loggregator_ca.certificate))' 70 | loggregator_cert: '((loggregator_tls_agent.certificate))' 71 | loggregator_key: '((loggregator_tls_agent.private_key))' 72 | loggregator_endpoint: "((deployment-name))-doppler:8082" 73 | namespace: '((deployment-name))-eirini' 74 | - name: opi 75 | release: eirini 76 | properties: 77 | opi: 78 | kube_namespace: ((deployment-name))-eirini 79 | kube_service_host: "" 80 | kube_service_port: "" 81 | nats_password: ((nats_password)) 82 | nats_ip: ((deployment-name))-nats 83 | certs_secret_name: eirini-staging-secret 84 | cc_internal_api: https://((deployment-name))-api.{{ .Release.Namespace }}:9023 85 | eirini_address: http://((deployment-name))-eirini.{{ .Release.Namespace }}:8085 86 | downloader_image: "eirini/recipe-downloader:0.2.0" 87 | uploader_image: "eirini/recipe-uploader:0.2.0" 88 | executor_image: "eirini/recipe-executor:0.2.0" 89 | # TODO: make this configurable 90 | metrics_source_address: "" 91 | loggregator_address: localhost:3458 92 | loggregator_cert: ((loggregator_tls_agent.certificate)) 93 | loggregator_key: ((loggregator_tls_agent.private_key)) 94 | loggregator_ca: ((loggregator_tls_agent.certificate)) 95 | 
cc_cert: ((cc_bridge_tps.certificate)) 96 | cc_key: ((cc_bridge_tps.private_key)) 97 | cc_ca: ((service_cf_internal_ca.certificate)) 98 | 99 | # Add eirinifs job to the bits-service to copy the tarball into the bits-service VM 100 | - type: replace 101 | path: /instance_groups/name=bits/jobs/name=eirinifs? 102 | value: 103 | name: eirinifs 104 | release: eirini 105 | 106 | - type: replace 107 | path: /releases/- 108 | value: 109 | name: eirini 110 | version: 0.0.14 111 | url: ((releases-defaults-url)) 112 | stemcell: 113 | alias: default 114 | os: opensuse-42.3 115 | version: 36.g03b4653-30.80-7.0.0_348.gc8fb3864 116 | 117 | # Enable OPI in CC 118 | - type: replace 119 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/opi?/enabled? 120 | value: true 121 | - type: replace 122 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/opi?/url? 123 | value: http://((deployment-name))-eirini:8085 124 | - type: replace 125 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/opi?/opi_staging? 126 | value: true 127 | 128 | - type: replace 129 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/opi?/enabled? 130 | value: true 131 | - type: replace 132 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/opi?/url? 133 | value: http://((deployment-name))-eirini:8085 134 | - type: replace 135 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/opi?/opi_staging? 136 | value: true 137 | 138 | - type: replace 139 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/opi?/enabled? 140 | value: true 141 | - type: replace 142 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/opi?/url? 
143 | value: http://((deployment-name))-eirini:8085 144 | - type: replace 145 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/opi?/opi_staging? 146 | value: true 147 | 148 | 149 | # Add quarks information to the Eirini jobs 150 | - type: replace 151 | path: /instance_groups/name=eirini/jobs/name=opi/properties/quarks? 152 | value: 153 | ports: 154 | - name: opi 155 | protocol: TCP 156 | internal: 8085 157 | 158 | - type: replace 159 | path: /instance_groups/name=bits/jobs/name=eirinifs/properties?/quarks? 160 | value: 161 | bpm: 162 | processes: [] 163 | 164 | {{- end }} 165 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/log-api.yaml: -------------------------------------------------------------------------------- 1 | # Override the addresses for the jobs under the log-api instance group. 2 | - type: replace 3 | path: /instance_groups/name=log-api/jobs/name=loggregator_trafficcontroller/properties/cc/internal_service_hostname 4 | value: ((deployment-name))-api 5 | - type: replace 6 | path: /instance_groups/name=log-api/jobs/name=loggregator_trafficcontroller/properties/uaa/internal_url 7 | value: https://((deployment-name))-uaa:8443 8 | - type: replace 9 | path: /instance_groups/name=log-api/jobs/name=reverse_log_proxy_gateway/properties/cc/capi_internal_addr 10 | value: https://((deployment-name))-api:9023 11 | - type: replace 12 | path: /instance_groups/name=log-api/jobs/name=reverse_log_proxy_gateway/properties/cc/common_name 13 | value: ((deployment-name))-api 14 | - type: replace 15 | path: /instance_groups/name=log-api/jobs/name=reverse_log_proxy_gateway/properties/uaa/internal_addr 16 | value: https://((deployment-name))-uaa:8443 17 | - type: replace 18 | path: /instance_groups/name=log-api/jobs/name=route_registrar/properties/nats?/machines 19 | value: 20 | - ((deployment-name))-nats 21 | - type: replace 22 | path: 
/instance_groups/name=log-api/jobs/name=route_registrar/properties/route_registrar?/routing_api/api_url 23 | value: http://((deployment-name))-api:3000 24 | - type: replace 25 | path: /instance_groups/name=log-api/jobs/name=route_registrar/properties/route_registrar?/routing_api/oauth_url 26 | value: https://((deployment-name))-uaa:8443 27 | 28 | # Add quarks properties for loggregator_trafficcontroller. 29 | - type: replace 30 | path: /instance_groups/name=log-api/jobs/name=loggregator_trafficcontroller/properties/quarks? 31 | value: 32 | envs: 33 | - name: TRAFFIC_CONTROLLER_IP 34 | valueFrom: 35 | fieldRef: 36 | apiVersion: v1 37 | fieldPath: status.podIP 38 | ports: 39 | - name: dropsonde 40 | protocol: TCP 41 | internal: 8081 42 | 43 | # Add quarks properties for reverse_log_proxy. 44 | - type: replace 45 | path: /instance_groups/name=log-api/jobs/name=reverse_log_proxy/properties/quarks? 46 | value: 47 | ports: 48 | - name: grpc-egress 49 | protocol: TCP 50 | internal: 8082 51 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/nats.yaml: -------------------------------------------------------------------------------- 1 | # Add quarks properties. 2 | - type: replace 3 | path: /instance_groups/name=nats/jobs/name=nats/properties/quarks? 4 | value: 5 | ports: 6 | - name: nats 7 | protocol: TCP 8 | internal: 4222 9 | - name: nats-routes 10 | protocol: TCP 11 | internal: 4223 12 | run: 13 | healthcheck: 14 | nats: 15 | readiness: 16 | exec: 17 | command: ['sh', '-c', 'ss -nlt | grep "LISTEN.*:4222" && ss -nlt | grep "LISTEN.*:4223"'] 18 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/router.yaml: -------------------------------------------------------------------------------- 1 | # Override the addresses for the jobs under the router instance group. 
2 | - type: replace 3 | path: /instance_groups/name=router/jobs/name=gorouter/properties/router/dns_health_check_host? 4 | value: ((deployment-name))-uaa 5 | - type: replace 6 | path: /instance_groups/name=router/jobs/name=gorouter/properties/uaa/token_endpoint? 7 | value: ((deployment-name))-uaa 8 | - type: replace 9 | path: /instance_groups/name=router/jobs/name=gorouter/properties/routing_api/uri? 10 | value: http://((deployment-name))-api 11 | - type: replace 12 | path: /instance_groups/name=router/jobs/name=gorouter/properties/nats?/machines 13 | value: 14 | - ((deployment-name))-nats 15 | 16 | # Add quarks properties for the gorouter job. 17 | - type: replace 18 | path: /instance_groups/name=router/jobs/name=gorouter/properties/quarks? 19 | value: 20 | ports: 21 | - name: router 22 | protocol: TCP 23 | internal: 8000 24 | public: true 25 | - name: router-ssl 26 | protocol: TCP 27 | internal: 443 28 | run: 29 | healthcheck: 30 | gorouter: 31 | readiness: &gorouter_readiness 32 | exec: 33 | command: ['curl', '--fail', '--head', 'http://127.0.0.1:8080/health'] 34 | post_start: 35 | condition: *gorouter_readiness 36 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/scheduler.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Override the addresses for the jobs under the scheduler instance group. 3 | - type: replace 4 | path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/ccdb/address? 
5 | value: ((deployment-name))-database 6 | - type: replace 7 | path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/cc/diego?/bbs/url 8 | value: https://((deployment-name))-diego-api:8889 9 | - type: replace 10 | path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/cc/diego?/cc_uploader_url 11 | value: http://((deployment-name))-api:9090 12 | - type: replace 13 | path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/cc/diego?/file_server_url 14 | value: http://((deployment-name))-api:8080 15 | - type: replace 16 | path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/cc/locket?/host 17 | value: ((deployment-name))-diego-api 18 | - type: replace 19 | path: /instance_groups/name=scheduler/jobs/name=auctioneer/properties/diego/auctioneer/bbs?/api_location 20 | value: ((deployment-name))-diego-api:8889 21 | - type: replace 22 | path: /instance_groups/name=scheduler/jobs/name=auctioneer/properties/diego/auctioneer/locket?/api_location 23 | value: ((deployment-name))-diego-api:8891 24 | - type: replace 25 | path: /instance_groups/name=scheduler/jobs/name=tps/properties/capi/tps/bbs?/api_location 26 | value: ((deployment-name))-diego-api:8889 27 | - type: replace 28 | path: /instance_groups/name=scheduler/jobs/name=tps/properties/capi/tps/cc/internal_service_hostname? 
29 | value: ((deployment-name))-api 30 | - type: replace 31 | path: /instance_groups/name=scheduler/jobs/name=tps/properties/capi/tps/watcher/locket/api_location 32 | value: ((deployment-name))-diego-api:8891 33 | - type: replace 34 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/ccdb/address 35 | value: ((deployment-name))-database 36 | - type: replace 37 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/buildpacks?/webdav_config/private_endpoint 38 | value: &blobstore_url https://((deployment-name))-singleton-blobstore:4443 39 | - type: replace 40 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/droplets?/webdav_config/private_endpoint 41 | value: *blobstore_url 42 | - type: replace 43 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/packages?/webdav_config/private_endpoint 44 | value: *blobstore_url 45 | - type: replace 46 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/resource_pool?/webdav_config/private_endpoint 47 | value: *blobstore_url 48 | - type: replace 49 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/diego?/bbs/url 50 | value: https://((deployment-name))-diego-api:8889 51 | - type: replace 52 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/diego?/cc_uploader_url 53 | value: http://((deployment-name))-api:9090 54 | - type: replace 55 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/diego?/file_server_url 56 | value: http://((deployment-name))-api:8080 57 | - type: replace 58 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/internal_service_hostname? 
59 | value: ((deployment-name))-api 60 | - type: replace 61 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/uaa?/internal_url 62 | value: ((deployment-name))-uaa 63 | - type: replace 64 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/credhub_api?/hostname 65 | value: ((deployment-name))-credhub 66 | - type: replace 67 | path: /instance_groups/name=scheduler/jobs/name=cfdot/properties/bbs?/hostname 68 | value: ((deployment-name))-diego-api 69 | - type: replace 70 | path: /instance_groups/name=scheduler/jobs/name=cfdot/properties/locket?/hostname 71 | value: ((deployment-name))-diego-api 72 | - type: replace 73 | path: /instance_groups/name=scheduler/jobs/name=scheduler/properties/scalablesyslog/scheduler/api/url 74 | value: https://((deployment-name))-api:9023 75 | - type: replace 76 | path: /instance_groups/name=scheduler/jobs/name=scheduler/properties/scalablesyslog/scheduler/tls/api/cn 77 | value: ((deployment-name))-api 78 | - type: replace 79 | path: /instance_groups/name=scheduler/jobs/name=ssh_proxy/properties/diego/ssh_proxy/bbs?/api_location 80 | value: ((deployment-name))-diego-api:8889 81 | - type: replace 82 | path: /instance_groups/name=scheduler/jobs/name=ssh_proxy/properties/diego/ssh_proxy/uaa?/url 83 | value: https://((deployment-name))-uaa 84 | 85 | # Add quarks properties for the scheduler job. 86 | - type: replace 87 | path: /instance_groups/name=scheduler/jobs/name=scheduler/properties/quarks? 88 | value: 89 | run: 90 | healthcheck: 91 | scheduler: 92 | readiness: 93 | exec: 94 | command: ['curl', '--fail', '--head', 'http://127.0.0.1:8080/health'] 95 | 96 | # Add quarks properties for the auctioneer job. 97 | - type: replace 98 | path: /instance_groups/name=scheduler/jobs/name=auctioneer/properties/quarks? 
99 | value: 100 | ports: 101 | - name: auctioneer 102 | protocol: TCP 103 | internal: 9016 104 | run: 105 | healthcheck: 106 | auctioneer: 107 | readiness: 108 | exec: 109 | command: ['curl', '--fail', '--head', 'http://127.0.0.1:8080/health'] 110 | 111 | # Add quarks properties for the ssh_proxy job. 112 | - type: replace 113 | path: /instance_groups/name=scheduler/jobs/name=ssh_proxy/properties/quarks? 114 | value: 115 | ports: 116 | - name: ssh-proxy 117 | protocol: TCP 118 | internal: 2222 119 | 120 | - type: replace 121 | path: /instance_groups/name=scheduler/jobs/name=cfdot/properties/quarks?/bpm/processes 122 | value: [] 123 | 124 | - type: replace 125 | path: /instance_groups/name=scheduler/jobs/name=log-cache-expvar-forwarder/properties/quarks?/envs? 126 | value: 127 | - name: INSTANCE_ADDR 128 | value: ((deployment-name))-scheduler:8080 129 | - name: INSTANCE_ID 130 | value: "0" 131 | 132 | - type: replace 133 | path: /instance_groups/name=scheduler/jobs/name=log-cache-expvar-forwarder/provides? 134 | value: 135 | log-cache-expvar-forwarder: {as: this_is_not_used} 136 | 137 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/singleton-blobstore.yaml: -------------------------------------------------------------------------------- 1 | # Configure the persistent disk in the way that cf-operator can provision. 2 | - type: remove 3 | path: /instance_groups/name=singleton-blobstore/persistent_disk_type 4 | - type: replace 5 | path: /instance_groups/name=singleton-blobstore/persistent_disk? 6 | value: 102400 # 100GB 7 | 8 | # Override the addresses for the jobs under the singleton-blobstore instance group. 9 | - type: replace 10 | path: /instance_groups/name=singleton-blobstore/jobs/name=blobstore/properties/internal_server_name? 
11 | value: ((deployment-name))-singleton-blobstore 12 | - type: replace 13 | path: /instance_groups/name=singleton-blobstore/jobs/name=route_registrar/properties/nats?/machines 14 | value: 15 | - ((deployment-name))-nats 16 | - type: replace 17 | path: /instance_groups/name=singleton-blobstore/jobs/name=route_registrar/properties/route_registrar?/routing_api/api_url 18 | value: http://((deployment-name))-api:3000 19 | - type: replace 20 | path: /instance_groups/name=singleton-blobstore/jobs/name=route_registrar/properties/route_registrar?/routing_api/oauth_url 21 | value: https://((deployment-name))-uaa:8443 22 | 23 | - type: replace 24 | path: /instance_groups/name=singleton-blobstore/jobs/name=blobstore/properties/quarks? 25 | value: 26 | ports: 27 | - name: http 28 | protocol: TCP 29 | internal: 8080 30 | - name: https 31 | protocol: TCP 32 | internal: 4443 33 | run: 34 | security_context: 35 | runAsUser: 1000 # vcap 36 | healthcheck: 37 | nginx: &nginx_healthcheck 38 | readiness: 39 | exec: 40 | command: ['sh', '-c', 'ss -nlt | grep "LISTEN.*:8080" && ss -nlt | grep "LISTEN.*:4443"'] 41 | url_signer: *nginx_healthcheck 42 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/instance_groups/uaa.yaml: -------------------------------------------------------------------------------- 1 | # Override the database address. 2 | - type: replace 3 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaadb/address? 4 | value: ((deployment-name))-database 5 | 6 | # Override the addresses for the jobs under the uaa instance group. 
7 | - type: replace 8 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/zones/internal/hostnames 9 | value: 10 | - ((deployment-name))-uaa 11 | - type: replace 12 | path: /instance_groups/name=uaa/jobs/name=route_registrar/properties/nats?/machines 13 | value: 14 | - ((deployment-name))-nats 15 | - type: replace 16 | path: /instance_groups/name=uaa/jobs/name=route_registrar/properties/route_registrar?/routing_api/api_url 17 | value: http://((deployment-name))-api:3000 18 | - type: replace 19 | path: /instance_groups/name=uaa/jobs/name=route_registrar/properties/route_registrar?/routing_api/oauth_url 20 | value: https://((deployment-name))-uaa:8443 21 | 22 | # Add quarks properties. 23 | - type: replace 24 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/quarks? 25 | value: 26 | ports: 27 | - name: http 28 | protocol: TCP 29 | internal: 8080 30 | - name: https 31 | protocol: TCP 32 | internal: 8443 33 | run: 34 | healthcheck: 35 | uaa: 36 | readiness: &uaa_readiness 37 | exec: 38 | command: ['sh', '-c', '/var/vcap/jobs/uaa/bin/health_check'] 39 | post_start: 40 | condition: *uaa_readiness 41 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_binary-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=binary-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="binary-buildpack" 11 | buildpack="binary-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_binary-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=binary-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="binary-buildpack" 11 | job="binary-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_cc_uploader_patch_pre-start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=cc_uploader/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/capi/cc_uploader/templates/pre-start.erb" 9 | 10 | # Remove sysctl calls as we are running in containers. 
11 | # cc_uploader_ctl in https://github.com/cloudfoundry/capi-release/blob/master/jobs/cc_uploader/templates/cc_uploader_ctl.erb#L26 12 | # also skips setting those parameters. 13 | patch --verbose "${target}" <<'EOT' 14 | 
@@ -6,6 +6,3 @@ 15 | /var/vcap/jobs/bosh-dns/bin/wait 16 | fi 17 | fi 18 | - 19 | -sysctl -e -w net.ipv4.tcp_fin_timeout=10 20 | -sysctl -e -w net.ipv4.tcp_tw_reuse=1 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_cloud_controller_ng_patch_bpm_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/quarks?/pre_render_scripts/bpm/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/capi/cloud_controller_ng/templates/bpm.yml.erb" 9 | 10 | # Patch a few things on the BPM: 11 | # - DYNO environment variable is not needed. 12 | # - We don't enable New Relic. 13 | # - NGINX maintenance shouldn't run. 14 | patch --verbose "${target}" <<'EOT' 15 | 23d22 16 | < "DYNO" => "#{spec.job.name}-#{spec.index}", 17 | 77,78d75 18 | < nginx_newrelic_plugin_config, 19 | < nginx_maintenance_config, 20 | EOT 21 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_cloud_controller_ng_patch_post-start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/capi/cloud_controller_ng/templates/post-start.sh.erb" 9 | 10 | # chown the cc log so that the vcap user can write to it from the post-start script. 11 | patch --verbose "${target}" <<'EOT' 12 | 
@@ -61,6 +61,7 @@ 13 | } 14 | 15 | function main { 16 | + chown vcap:vcap "/var/vcap/sys/log/cloud_controller_ng/cloud_controller_ng.log" 17 | install_buildpacks 18 | fix_bundler_home_permissions 19 | } 20 | EOT 21 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_cloud_controller_ng_remove_tee_output_to_sys_log_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/capi/cloud_controller_ng/templates/pre-start.sh.erb" 9 | 10 | # TODO: Figure out why tee_output_to_sys_log fails the pre-start. 11 | patch --verbose "${target}" <<'EOT' 12 | 7d6 13 | < tee_output_to_sys_log "cloud_controller_ng.$(basename "$0")" 14 | EOT 15 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_dotnet-core-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=dotnet-core-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="dotnet-core-buildpack" 11 | buildpack="dotnet-core-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_dotnet-core-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=dotnet-core-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="dotnet-core-buildpack" 11 | job="dotnet-core-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_go-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=go-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="go-buildpack" 11 | buildpack="go-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_go-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=go-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="go-buildpack" 11 | job="go-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_java-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=java-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="java-buildpack" 11 | buildpack="java-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_java-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=java-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="java-buildpack" 11 | job="java-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_nginx-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=nginx-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="nginx-buildpack" 11 | buildpack="nginx-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_nginx-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=nginx-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="nginx-buildpack" 11 | job="nginx-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_nodejs-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=nodejs-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="nodejs-buildpack" 11 | buildpack="nodejs-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_nodejs-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=nodejs-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="nodejs-buildpack" 11 | job="nodejs-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_php-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=php-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="php-buildpack" 11 | buildpack="php-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_php-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=php-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="php-buildpack" 11 | job="php-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_python-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=python-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="python-buildpack" 11 | buildpack="python-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_python-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=python-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="python-buildpack" 11 | job="python-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_r-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=r-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="r-buildpack" 11 | buildpack="r-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_r-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=r-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="r-buildpack" 11 | job="r-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_routing-api_patch_bpm_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=routing-api/properties/quarks?/pre_render_scripts/bpm/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/routing/routing-api/templates/bpm.yml.erb" 9 | 10 | patch --binary --unified --verbose "${target}" <<'EOT' 11 | 
@@ -11,7 +11,7 @@ 12 | - -timeFormat 13 | - rfc3339 14 | - -ip 15 | - - <%= spec.ip %> 16 | + - 0.0.0.0 17 | <% if p("routing_api.auth_disabled") == true %>- -devMode <% end %> 18 | 19 | hooks: 20 | EOT 21 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_ruby-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=ruby-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="ruby-buildpack" 11 | buildpack="ruby-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_ruby-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=ruby-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="ruby-buildpack" 11 | job="ruby-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_staticfile-buildpack_create_bosh_pre_start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=staticfile-buildpack/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Create the pre-start script that copies the buildpack package to /var/vcap/data/shared-packages/. 7 | 8 | set -o errexit -o nounset 9 | 10 | release="staticfile-buildpack" 11 | buildpack="staticfile-buildpack" 12 | 13 | pre_start="/var/vcap/all-releases/jobs-src/${release}/${buildpack}/templates/bin/pre-start" 14 | copy_dst="/var/vcap/data/shared-packages/${buildpack}/" 15 | mkdir -p "$(dirname "${pre_start}")" 16 | cat < "${pre_start}" 17 | #!/usr/bin/env bash 18 | set -o errexit 19 | mkdir -p "${copy_dst}" 20 | cp -r /var/vcap/packages "${copy_dst}" 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/api_staticfile-buildpack_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api/jobs/name=staticfile-buildpack/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | # Add bin/pre-start to the buildpack job templates. 
7 | 8 | set -o errexit -o nounset 9 | 10 | release="staticfile-buildpack" 11 | job="staticfile-buildpack" 12 | 13 | job_mf="/var/vcap/all-releases/jobs-src/${release}/${job}/job.MF" 14 | 15 | sed -i 's|templates: {}||' "${job_mf}" 16 | cat < "${job_mf}" 17 | templates: 18 | bin/pre-start: bin/pre-start 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/bits_bits-service_patch_bits_config_yml_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=bits/jobs/name=bits-service/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | set -o errexit -o nounset 6 | 7 | # Use kube-native service IPs for the Eirini registry 8 | target="/var/vcap/all-releases/jobs-src/bits-service/bits-service/templates/bits_config.yml.erb" 9 | 10 | patch --verbose "${target}" <<'EOT' 11 | 409c409 12 | < registry_endpoint: <%= registry %> 13 | --- 14 | > registry_endpoint: https://<%= ENV["{{ .Values.deployment_name | upper }}_EIRINI_REGISTRY_SERVICE_HOST"] %> 15 | EOT 16 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/database_mysql_patch_pre-start-setup_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=database/jobs/name=mysql/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/cf-mysql/mysql/templates/pre-start-setup.erb" 9 | 10 | # Patch pre-start-setup.erb to play nice with BPM's persistent disk. 
Instead of checking for the 11 | # existence of the directory /var/vcap/store/mysql, it checks for the existence of the file 12 | # /var/vcap/store/mysql/setup_succeeded, which the `touch` command added by this patch also creates. 13 | patch --verbose "${target}" <<'EOT' 14 | 82,84c82,84 15 | < if ! test -d ${datadir}; then 16 | < log "pre-start setup script: making ${datadir} and running /var/vcap/packages/mariadb/scripts/mysql_install_db" 17 | < mkdir -p ${datadir} 18 | --- 19 | > setup_control_file="${datadir}/setup_succeeded" 20 | > if ! test -e "${setup_control_file}"; then 21 | > log "pre-start setup script: running /var/vcap/packages/mariadb/scripts/mysql_install_db" 22 | 89a90 23 | > touch "${setup_control_file}" 24 | EOT 25 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/diego-api_bbs_patch_bbs_json_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=diego-api/jobs/name=bbs/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/diego/bbs/templates/bbs.json.erb" 9 | 10 | # Advertise spec.address instead of the hostname built from name, index and base. 
11 | patch --verbose "${target}" <<'EOT' 12 | 62c62 13 | < "#{scheme}://#{name.gsub('_', '-')}-#{spec.index}.#{base}:#{port}" 14 | --- 15 | > "#{scheme}://#{spec.address}:#{port}" 16 | EOT 17 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/diego-cell_cflinuxfs3-rootfs-setup_patch_pre-start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs3-rootfs-setup/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/cflinuxfs3/cflinuxfs3-rootfs-setup/templates/pre-start" 9 | 10 | # Use the ephemeral data directory for the rootfs 11 | patch --verbose "${target}" <<'EOT' 12 | 
@@ -3,8 +3,8 @@ 13 | 14 | CONF_DIR=/var/vcap/jobs/cflinuxfs3-rootfs-setup/config 15 | ROOTFS_PACKAGE=/var/vcap/packages/cflinuxfs3 16 | -ROOTFS_DIR=$ROOTFS_PACKAGE/rootfs 17 | -ROOTFS_TAR=$ROOTFS_PACKAGE/rootfs.tar 18 | +ROOTFS_DIR=/var/vcap/data/rep/cflinuxfs3/rootfs 19 | +ROOTFS_TAR=/var/vcap/data/rep/cflinuxfs3/rootfs.tar 20 | TRUSTED_CERT_FILE=$CONF_DIR/certs/trusted_ca.crt 21 | CA_DIR=$ROOTFS_DIR/usr/local/share/ca-certificates/ 22 | EOT 23 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/diego-cell_garden_patch_post-start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=diego-cell/jobs/name=garden/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/garden-runc/garden/templates/bin/post-start" 9 | 10 | # Patch the post-start script to use netcat instead of curl when performing the ping to a unix 11 | # socket. curl support for unix sockets varies considerably depending on its version. 12 | patch --binary --verbose "${target}" <<'EOT' 13 | 
@@ -1,19 +1,21 @@ 14 | #!/usr/bin/env bash 15 | set -euo pipefail 16 | 17 | -# shellcheck disable=SC1091 18 | -source /var/vcap/jobs/garden/bin/post-start-env 19 | -curl_args=("${curl_args[@]}") # ensure curl_args is defined 20 | - 21 | start="$( date +%s )" 22 | timeout=120 23 | 24 | echo "$(date): Pinging garden server..." 25 | i=1 26 | 27 | +<% if p("garden.listen_network") == "tcp" -%> 28 | +cmd='curl -s <%= p("garden.listen_address") %>/ping' 29 | +<% else -%> 30 | +cmd='echo -e "GET /ping HTTP/1.1\r\n\r\n" | nc -U <%= p("garden.listen_address") %>' 31 | +<% end -%> 32 | + 33 | while [ $(( $(date +%s) - timeout )) -lt "$start" ]; do 34 | echo "$(date): Attempt $i..." 35 | - if curl -s "${curl_args[@]}"; then 36 | + if sh -c "${cmd}"; then 37 | echo "$(date): Success!" 38 | exit 0 39 | fi 40 | EOT 41 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/diego-cell_rep_patch_pre-start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/diego/rep/templates/bpm-pre-start.erb" 9 | 10 | # Use the ephemeral data directory for the rootfs. 11 | patch --verbose "${target}" <<'EOT' 12 | 
@@ -5,3 +5,7 @@ 13 | $bin_dir/set-rep-kernel-params 14 | 15 | $bin_dir/setup_mounted_data_dirs 16 | + 17 | +mkdir -p /var/vcap/data/shared-packages/ 18 | +cp -r /var/vcap/packages/healthcheck /var/vcap/data/shared-packages/ 19 | +cp -r /var/vcap/packages/proxy /var/vcap/data/shared-packages/ 20 | EOT 21 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/diego-cell_rep_patch_rep_json_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=diego-cell/jobs/name=rep/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/diego/rep/templates/rep.json.erb" 9 | 10 | # Don't share /var/vcap/packages between containers. 11 | patch --verbose "${target}" <<'EOT' 12 | @@ -39,7 +39,7 @@ 13 | disk_mb: p("diego.executor.disk_capacity_mb").to_s, 14 | enable_consul_service_registration: p("enable_consul_service_registration"), 15 | enable_declarative_healthcheck: p("enable_declarative_healthcheck"), 16 | - declarative_healthcheck_path: "/var/vcap/packages/healthcheck", 17 | + declarative_healthcheck_path: "/var/vcap/data/shared-packages/healthcheck", 18 | enable_container_proxy: p("containers.proxy.enabled"), 19 | container_proxy_require_and_verify_client_certs: p("containers.proxy.require_and_verify_client_certificates"), 20 | container_proxy_trusted_ca_certs: p("containers.proxy.trusted_ca_certificates"), 21 | 
@@ -47,7 +47,7 @@ 22 | container_proxy_ads_addresses: p("containers.proxy.ads_addresses"), 23 | enable_unproxied_port_mappings: p("containers.proxy.enable_unproxied_port_mappings"), 24 | proxy_memory_allocation_mb: p("containers.proxy.additional_memory_allocation_mb"), 25 | - container_proxy_path: "/var/vcap/packages/proxy", 26 | + container_proxy_path: "/var/vcap/data/shared-packages/proxy", 27 | container_proxy_config_path: "/var/vcap/data/rep/shared/garden/proxy_config", 28 | evacuation_polling_interval: "#{p("diego.rep.evacuation_polling_interval_in_seconds")}s", 29 | evacuation_timeout: "#{p("diego.rep.evacuation_timeout_in_seconds")}s", 30 | EOT 31 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/eirini_eirini-loggregator-bridge_patch_bpm_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=eirini/jobs/name=eirini-loggregator-bridge/properties/quarks?/pre_render_scripts/bpm/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/eirini/eirini-loggregator-bridge/templates/bpm.yml.erb" 9 | 10 | # Patch BPM, since we're actually running in-cluster without BPM 11 | patch --verbose "${target}" <<'EOT' 12 | 11,24d10 13 | < env: 14 | < KUBERNETES_SERVICE_HOST: "<%= p("eirini-loggregator-bridge.kube_service_host") %>" 15 | < KUBERNETES_SERVICE_PORT: "<%= p("eirini-loggregator-bridge.kube_service_port") %>" 16 | < <% if properties.opi&.k8s&.host_url.nil? %> 17 | < # The ServiceAccount admission controller has to be enabled. 
18 | < # https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod 19 | < additional_volumes: 20 | < - path: /var/run/secrets/kubernetes.io/serviceaccount/token 21 | < mount_only: true 22 | < - path: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 23 | < mount_only: true 24 | < - path: /var/run/secrets/kubernetes.io/serviceaccount/namespace 25 | < mount_only: true 26 | < <% end %> 27 | EOT 28 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/eirini_opi_patch_bpm_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=eirini/jobs/name=opi/properties/quarks?/pre_render_scripts/bpm/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/eirini/opi/templates/bpm.yml.erb" 9 | 10 | # Patch BPM, since we're actually running in-cluster without BPM 11 | patch --verbose "${target}" <<'EOT' 12 | 7,20d6 13 | < env: 14 | < KUBERNETES_SERVICE_HOST: "<%= p("opi.kube_service_host") %>" 15 | < KUBERNETES_SERVICE_PORT: "<%= p("opi.kube_service_port") %>" 16 | < <% if properties.opi&.k8s&.host_url.nil? %> 17 | < # The ServiceAccount admission controller has to be enabled. 
18 | < # https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod 19 | < additional_volumes: 20 | < - path: /var/run/secrets/kubernetes.io/serviceaccount/token 21 | < mount_only: true 22 | < - path: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 23 | < mount_only: true 24 | < - path: /var/run/secrets/kubernetes.io/serviceaccount/namespace 25 | < mount_only: true 26 | < <% end %> 27 | EOT 28 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/eirini_opi_patch_opi_yml_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=eirini/jobs/name=opi/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | set -o errexit -o nounset 6 | 7 | # Use kube-native service IPs for the CC Uploader and the 8 | # Eirini registry 9 | target="/var/vcap/all-releases/jobs-src/eirini/opi/templates/opi.yml.erb" 10 | 11 | patch --verbose "${target}" <<'EOT' 12 | 10c10 13 | < cc_uploader_ip: <%= p("opi.cc_uploader_ip") %> 14 | --- 15 | > cc_uploader_ip: <%= ENV["{{ .Values.deployment_name | upper }}_CC_UPLOADER_SERVICE_HOST"] %> 16 | 12c12 17 | < registry_address: <%= p("opi.registry_address") %> 18 | --- 19 | > registry_address: <%= ENV["{{ .Values.deployment_name | upper }}_EIRINI_REGISTRY_SERVICE_HOST"] %> 20 | EOT 21 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/singleton-blobstore_blobstore_patch_blobstore_conf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=singleton-blobstore/jobs/name=blobstore/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | # Fix the hardcoded 
server_name. 9 | 10 | target="/var/vcap/all-releases/jobs-src/capi/blobstore/templates/blobstore.conf.erb" 11 | 12 | patch --binary --unified --verbose "${target}" <<'EOT' 13 | @@ -13,7 +13,7 @@ 14 | # Internal server 15 | server { 16 | listen <%= p('blobstore.tls.port') %> ssl; 17 | - server_name blobstore.service.cf.internal; 18 | + server_name <%= p("internal_server_name") %>; 19 | ssl_certificate /var/vcap/jobs/blobstore/ssl/blobstore.crt; 20 | ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore.key; 21 | EOT 22 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/singleton-blobstore_blobstore_patch_blobstore_pre-start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=singleton-blobstore/jobs/name=blobstore/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | # Remove /var/vcap/packages from the directories that get chowned to vcap. 9 | 10 | target="/var/vcap/all-releases/jobs-src/capi/blobstore/templates/pre-start.sh.erb" 11 | 12 | patch --binary --unified --verbose "${target}" <<'EOT' 13 | @@ -9,7 +9,6 @@ 14 | local data_dir=/var/vcap/data/blobstore 15 | local store_tmp_dir=$store_dir/tmp/uploads 16 | local data_tmp_dir=$data_dir/tmp/uploads 17 | - local nginx_webdav_dir=/var/vcap/packages/nginx_webdav 18 | 19 | mkdir -p $run_dir 20 | mkdir -p $log_dir 21 | 
@@ -19,7 +18,7 @@ 22 | mkdir -p $data_tmp_dir 23 | 24 | chown vcap:vcap $store_dir 25 | - local dirs="$run_dir $log_dir $store_tmp_dir $data_dir $data_tmp_dir $nginx_webdav_dir ${nginx_webdav_dir}/.." 26 | + local dirs="$run_dir $log_dir $store_tmp_dir $data_dir $data_tmp_dir" 27 | local num_needing_chown=$(find $dirs -not -user vcap -or -not -group vcap | wc -l) 28 | 29 | if [ $num_needing_chown -gt 0 ]; then 30 | EOT 31 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/singleton-blobstore_blobstore_patch_job_mf_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=singleton-blobstore/jobs/name=blobstore/properties/quarks?/pre_render_scripts/ig_resolver/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | # Add internal_server_name property so it can be injected. 9 | 10 | target="/var/vcap/all-releases/jobs-src/capi/blobstore/job.MF" 11 | 12 | patch --binary --unified --verbose "${target}" <<'EOT' 13 | 
@@ -95,2 +95,5 @@ 14 | domain: 15 | description: "DEPRECATED: The system domain. The public server will listen on host 'blobstore.system-domain.tld'" 16 | + 17 | + internal_server_name: 18 | + description: "The internal server_name" 19 | EOT 20 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/uaa_uaa_patch_pre-start_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/uaa/uaa/templates/bin/pre-start.erb" 9 | 10 | # Patch bin/pre-start.erb for the certificates to work with SUSE. 11 | patch --verbose "${target}" <<'EOT' 12 | 24c24 13 | < rm -f /usr/local/share/ca-certificates/uaa_* 14 | --- 15 | > rm -f /etc/pki/trust/anchors/uaa_* 16 | 26,27c26,27 17 | < echo "Adding certificate from manifest to OS certs /usr/local/share/ca-certificates/uaa_<%= i %>.crt" 18 | < echo -n '<%= cert %>' >> "/usr/local/share/ca-certificates/uaa_<%= i %>.crt" 19 | --- 20 | > echo "Adding certificate from manifest to OS certs /etc/pki/trust/anchors/uaa_<%= i %>.crt" 21 | > echo -n '<%= cert %>' >> "/etc/pki/trust/anchors/uaa_<%= i %>.crt" 22 | EOT 23 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/pre_render_scripts/uaa_uaa_patch_uaa_sh.yaml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=uaa/jobs/name=uaa/properties/quarks?/pre_render_scripts/jobs/- 3 | value: | 4 | #!/usr/bin/env bash 5 | 6 | set -o errexit -o nounset 7 | 8 | target="/var/vcap/all-releases/jobs-src/uaa/uaa/templates/bin/uaa.erb" 9 | 10 | # Patch bin/uaa.erb for the certificates to work with SUSE. 
11 | patch --verbose "${target}" <<'EOT' 12 | 49c49 13 | < cp /etc/ssl/certs/ca-certificates.crt "$CERT_FILE" 14 | --- 15 | > cp /var/lib/ca-certificates/ca-bundle.pem "$CERT_FILE" 16 | EOT 17 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/set_opensuse_stemcells.yaml: -------------------------------------------------------------------------------- 1 | # This ops file sets the openSUSE stemcells. 2 | 3 | - type: replace 4 | path: /stemcells/alias=default/os 5 | value: opensuse-42.3 6 | 7 | - type: replace 8 | path: /stemcells/alias=default/version 9 | value: 36.g03b4653-30.80-7.0.0_340.g2b599a90 10 | 11 | - type: replace 12 | path: /addons/name=loggregator_agent/include/stemcell/os=ubuntu-xenial/os 13 | value: opensuse-42.3 14 | 15 | - type: replace 16 | path: /addons/name=forwarder_agent/include/stemcell/os=ubuntu-xenial/os 17 | value: opensuse-42.3 18 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/set_release_urls.yaml: -------------------------------------------------------------------------------- 1 | # This ops file points every release URL at the Quarks images and removes each release's sha1 checksum. 
2 | 3 | - type: replace 4 | path: /releases/name=binary-buildpack/url 5 | value: ((releases-defaults-url)) 6 | - type: remove 7 | path: /releases/name=binary-buildpack/sha1 8 | 9 | - type: replace 10 | path: /releases/name=bpm/url 11 | value: ((releases-defaults-url)) 12 | - type: remove 13 | path: /releases/name=bpm/sha1 14 | 15 | - type: replace 16 | path: /releases/name=capi/url 17 | value: ((releases-defaults-url)) 18 | - type: remove 19 | path: /releases/name=capi/sha1 20 | 21 | - type: replace 22 | path: /releases/name=cf-networking/url 23 | value: ((releases-defaults-url)) 24 | - type: remove 25 | path: /releases/name=cf-networking/sha1 26 | 27 | - type: replace 28 | path: /releases/name=cf-smoke-tests/url 29 | value: ((releases-defaults-url)) 30 | - type: remove 31 | path: /releases/name=cf-smoke-tests/sha1 32 | 33 | - type: replace 34 | path: /releases/name=cf-syslog-drain/url 35 | value: ((releases-defaults-url)) 36 | - type: remove 37 | path: /releases/name=cf-syslog-drain/sha1 38 | 39 | - type: replace 40 | path: /releases/name=cflinuxfs3/url 41 | value: ((releases-defaults-url)) 42 | - type: remove 43 | path: /releases/name=cflinuxfs3/sha1 44 | 45 | - type: replace 46 | path: /releases/name=credhub/url 47 | value: ((releases-defaults-url)) 48 | - type: remove 49 | path: /releases/name=credhub/sha1 50 | 51 | - type: replace 52 | path: /releases/name=diego/url 53 | value: ((releases-defaults-url)) 54 | - type: remove 55 | path: /releases/name=diego/sha1 56 | 57 | - type: replace 58 | path: /releases/name=dotnet-core-buildpack/url 59 | value: ((releases-defaults-url)) 60 | - type: remove 61 | path: /releases/name=dotnet-core-buildpack/sha1 62 | 63 | - type: replace 64 | path: /releases/name=garden-runc/url 65 | value: ((releases-defaults-url)) 66 | - type: remove 67 | path: /releases/name=garden-runc/sha1 68 | 69 | - type: replace 70 | path: /releases/name=go-buildpack/url 71 | value: ((releases-defaults-url)) 72 | - type: remove 73 | path: 
/releases/name=go-buildpack/sha1 74 | 75 | - type: replace 76 | path: /releases/name=java-buildpack/url 77 | value: ((releases-defaults-url)) 78 | - type: remove 79 | path: /releases/name=java-buildpack/sha1 80 | 81 | - type: replace 82 | path: /releases/name=loggregator/url 83 | value: ((releases-defaults-url)) 84 | - type: remove 85 | path: /releases/name=loggregator/sha1 86 | 87 | - type: replace 88 | path: /releases/name=nats/url 89 | value: ((releases-defaults-url)) 90 | - type: remove 91 | path: /releases/name=nats/sha1 92 | 93 | - type: replace 94 | path: /releases/name=nginx-buildpack/url 95 | value: ((releases-defaults-url)) 96 | - type: remove 97 | path: /releases/name=nginx-buildpack/sha1 98 | 99 | - type: replace 100 | path: /releases/name=r-buildpack/url 101 | value: ((releases-defaults-url)) 102 | - type: remove 103 | path: /releases/name=r-buildpack/sha1 104 | 105 | - type: replace 106 | path: /releases/name=nodejs-buildpack/url 107 | value: ((releases-defaults-url)) 108 | - type: remove 109 | path: /releases/name=nodejs-buildpack/sha1 110 | 111 | - type: replace 112 | path: /releases/name=php-buildpack/url 113 | value: ((releases-defaults-url)) 114 | - type: remove 115 | path: /releases/name=php-buildpack/sha1 116 | 117 | - type: replace 118 | path: /releases/name=python-buildpack/url 119 | value: ((releases-defaults-url)) 120 | - type: remove 121 | path: /releases/name=python-buildpack/sha1 122 | 123 | - type: replace 124 | path: /releases/name=routing/url 125 | value: ((releases-defaults-url)) 126 | - type: remove 127 | path: /releases/name=routing/sha1 128 | 129 | - type: replace 130 | path: /releases/name=ruby-buildpack/url 131 | value: ((releases-defaults-url)) 132 | - type: remove 133 | path: /releases/name=ruby-buildpack/sha1 134 | 135 | - type: replace 136 | path: /releases/name=silk/url 137 | value: ((releases-defaults-url)) 138 | - type: remove 139 | path: /releases/name=silk/sha1 140 | 141 | - type: replace 142 | path: 
/releases/name=staticfile-buildpack/url 143 | value: ((releases-defaults-url)) 144 | - type: remove 145 | path: /releases/name=staticfile-buildpack/sha1 146 | 147 | - type: replace 148 | path: /releases/name=statsd-injector/url 149 | value: ((releases-defaults-url)) 150 | - type: remove 151 | path: /releases/name=statsd-injector/sha1 152 | 153 | - type: replace 154 | path: /releases/name=uaa/url 155 | value: ((releases-defaults-url)) 156 | - type: remove 157 | path: /releases/name=uaa/sha1 158 | 159 | - type: replace 160 | path: /releases/name=loggregator-agent/url 161 | value: ((releases-defaults-url)) 162 | - type: remove 163 | path: /releases/name=loggregator-agent/sha1 164 | 165 | - type: replace 166 | path: /releases/name=log-cache/url 167 | value: ((releases-defaults-url)) 168 | - type: remove 169 | path: /releases/name=log-cache/sha1 170 | 171 | - type: replace 172 | path: /releases/name=bosh-dns-aliases/url 173 | value: ((releases-defaults-url)) 174 | - type: remove 175 | path: /releases/name=bosh-dns-aliases/sha1 176 | 177 | - type: replace 178 | path: /releases/name=cf-cli/url 179 | value: ((releases-defaults-url)) 180 | - type: remove 181 | path: /releases/name=cf-cli/sha1 182 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/set_release_versions.yaml: -------------------------------------------------------------------------------- 1 | # Set capi-release version explicitly to get the fix for yaml_escape. 2 | # https://github.com/cloudfoundry/capi-release/issues/141 3 | - type: replace 4 | path: /releases/name=capi/version 5 | value: 1.83.0 6 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/temporary/remove_roles.yaml: -------------------------------------------------------------------------------- 1 | # This is a temporary file used for selectively removing instance_groups during the initial 2 | # development. 
It should go away once all instance_groups work properly with cf-operator. 3 | 4 | - type: remove 5 | path: /instance_groups/name=smoke-tests 6 | - type: remove 7 | path: /instance_groups/name=tcp-router 8 | - type: remove 9 | path: /instance_groups/name=credhub 10 | - type: remove 11 | path: /instance_groups/name=rotate-cc-database-key 12 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/temporary/remove_variables.yaml: -------------------------------------------------------------------------------- 1 | # This is a temporary file used for selectively removing variables during the initial development. 2 | # It should go away once all instance_groups work properly with cf-operator. 3 | 4 | - type: remove 5 | path: /variables/name=silk_ca 6 | - type: remove 7 | path: /variables/name=silk_controller 8 | - type: remove 9 | path: /variables/name=silk_daemon 10 | - type: remove 11 | path: /variables/name=credhub_encryption_password 12 | - type: remove 13 | path: /variables/name=credhub_tls 14 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/operations/zz-remove-diego-if-eirini.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.features.eirini true -}} 2 | # The decision is made here because this file needs to be applied last 3 | 4 | # Disable Diego 5 | 6 | # Remove the whole diego-cell instance group 7 | - type: remove 8 | path: /instance_groups/name=diego-cell 9 | 10 | 11 | # Remove bbs and silk-controller from diego-api 12 | # TODO: remove bbs in the future - when the clock and worker no longer need it 13 | # - type: remove 14 | # path: /instance_groups/name=diego-api/jobs/name=bbs 15 | 16 | # Remove auctioneer, tps and ssh_proxy from scheduler 17 | - type: remove 18 | path: /instance_groups/name=scheduler/jobs/name=auctioneer 19 | - type: remove 20 | path: 
/instance_groups/name=scheduler/jobs/name=tps 21 | - type: remove 22 | path: /instance_groups/name=scheduler/jobs/name=ssh_proxy 23 | 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /resources/eirini/scf/assets/use-bits-service.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=api:before 3 | value: 4 | azs: 5 | - z1 6 | - z2 7 | instances: 2 8 | jobs: 9 | - name: route_registrar 10 | properties: 11 | route_registrar: 12 | routes: 13 | - name: bits-service 14 | registration_interval: 20s 15 | server_cert_domain_san: https://bits.((system_domain)) 16 | tags: 17 | component: bits-service 18 | tls_port: 443 19 | uris: 20 | - bits.((system_domain)) 21 | release: routing 22 | - name: statsd_injector 23 | properties: 24 | loggregator: 25 | tls: 26 | ca_cert: ((loggregator_ca.certificate)) 27 | statsd_injector: 28 | cert: ((loggregator_tls_statsdinjector.certificate)) 29 | key: ((loggregator_tls_statsdinjector.private_key)) 30 | release: statsd-injector 31 | - name: bits-service 32 | properties: 33 | bits-service: 34 | active_signing_key: 35 | key_id: key1 36 | secret: ((bits_service_secret)) 37 | app_stash: 38 | blobstore_type: webdav 39 | directory_key: cc-resources 40 | webdav_config: 41 | ca_cert: ((service_cf_internal_ca.certificate)) 42 | password: ((blobstore_admin_users_password)) 43 | private_endpoint: https://blobstore.service.cf.internal:4443 44 | public_endpoint: https://blobstore.((system_domain)) 45 | username: blobstore-user 46 | buildpacks: 47 | blobstore_type: webdav 48 | directory_key: cc-buildpacks 49 | webdav_config: 50 | ca_cert: ((service_cf_internal_ca.certificate)) 51 | password: ((blobstore_admin_users_password)) 52 | private_endpoint: https://blobstore.service.cf.internal:4443 53 | public_endpoint: https://blobstore.((system_domain)) 54 | username: blobstore-user 55 | cc_updates: 56 | ca_cert: 
((service_cf_internal_ca.certificate)) 57 | client_cert: ((cc_tls.certificate)) 58 | client_key: ((cc_tls.private_key)) 59 | droplets: 60 | blobstore_type: webdav 61 | directory_key: cc-droplets 62 | webdav_config: 63 | ca_cert: ((service_cf_internal_ca.certificate)) 64 | password: ((blobstore_admin_users_password)) 65 | private_endpoint: https://blobstore.service.cf.internal:4443 66 | public_endpoint: https://blobstore.((system_domain)) 67 | username: blobstore-user 68 | packages: 69 | blobstore_type: webdav 70 | directory_key: cc-packages 71 | webdav_config: 72 | ca_cert: ((service_cf_internal_ca.certificate)) 73 | password: ((blobstore_admin_users_password)) 74 | private_endpoint: https://blobstore.service.cf.internal:4443 75 | public_endpoint: https://blobstore.((system_domain)) 76 | username: blobstore-user 77 | private_endpoint: https://bits.service.cf.internal 78 | public_endpoint: https://bits.((system_domain)) 79 | signing_users: 80 | - password: ((bits_service_signing_password)) 81 | username: admin 82 | tls: 83 | cert: ((bits_service_ssl.certificate)) 84 | key: ((bits_service_ssl.private_key)) 85 | release: bits-service 86 | name: bits 87 | networks: 88 | - name: default 89 | stemcell: default 90 | vm_extensions: 91 | - 50GB_ephemeral_disk 92 | vm_type: small 93 | - type: replace 94 | path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/bits_service? 95 | value: 96 | ca_cert: ((service_cf_internal_ca.certificate)) 97 | enabled: true 98 | password: ((bits_service_signing_password)) 99 | private_endpoint: https://bits.service.cf.internal 100 | public_endpoint: https://bits.((system_domain)) 101 | username: admin 102 | - type: replace 103 | path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/bits_service? 
104 | value: 105 | ca_cert: ((service_cf_internal_ca.certificate)) 106 | enabled: true 107 | password: ((bits_service_signing_password)) 108 | private_endpoint: https://bits.service.cf.internal 109 | public_endpoint: https://bits.((system_domain)) 110 | username: admin 111 | - type: replace 112 | path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/bits_service? 113 | value: 114 | ca_cert: ((service_cf_internal_ca.certificate)) 115 | enabled: true 116 | password: ((bits_service_signing_password)) 117 | private_endpoint: https://bits.service.cf.internal 118 | public_endpoint: https://bits.((system_domain)) 119 | username: admin 120 | - type: replace 121 | path: /variables/- 122 | value: 123 | name: bits_service_secret 124 | type: password 125 | - type: replace 126 | path: /variables/- 127 | value: 128 | name: bits_service_signing_password 129 | type: password 130 | - type: replace 131 | path: /variables/name=bits_service_ssl? 132 | value: 133 | name: bits_service_ssl 134 | options: 135 | alternative_names: 136 | - bits.service.cf.internal 137 | - bits-service.service.cf.internal 138 | - ((system_domain)) 139 | - '*.((system_domain))' 140 | ca: service_cf_internal_ca 141 | common_name: bits.service.cf.internal 142 | type: certificate 143 | - type: replace 144 | path: /releases/- 145 | value: 146 | name: bits-service 147 | sha1: f6a6598fbbac233f94c4a0cfe914970ec34db7b3 148 | url: https://bosh.io/d/github.com/cloudfoundry-incubator/bits-service-release?v=2.26.0 149 | version: 2.26.0 150 | -------------------------------------------------------------------------------- /resources/eirini/scf/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 
4 | */}} 5 | {{- define "scf.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If the release name contains the chart name, it is used as the full name. 13 | */}} 14 | {{- define "scf.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "scf.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Get the metadata name for an ops file. 36 | */}} 37 | {{- define "scf.ops-name" -}} 38 | {{- printf "ops-%s" (base . | trimSuffix (ext .) | lower | replace "_" "-") -}} 39 | {{- end -}} 40 | 41 | {{- /* 42 | Template "scf.dig" takes a list of two elements, a dict and a list of keys; it indexes the dict with each 43 | successive key of the list. 44 | 45 | For example, given (using JSON representations) 46 | $a = { foo: { bar: { baz: 1 } } } 47 | $b = [ foo bar baz ] 48 | Then `template "scf.dig" (list $a $b)` will return "1". 49 | 50 | Note that if a key is missing there will be a rendering error. 51 | */ -}} 52 | {{- define "scf.dig" }} 53 | {{- $obj := first . }} 54 | {{- $keys := last . 
}} 55 | {{- range $key := $keys }}{{ $obj = index $obj $key }}{{ end }} 56 | {{- $obj | quote }} 57 | {{- end }} 58 | -------------------------------------------------------------------------------- /resources/eirini/scf/templates/bosh_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- $root := . -}} 2 | --- 3 | apiVersion: fissile.cloudfoundry.org/v1alpha1 4 | kind: BOSHDeployment 5 | metadata: 6 | name: {{ .Values.deployment_name }} 7 | labels: 8 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 10 | app.kubernetes.io/name: {{ include "scf.fullname" . }} 11 | app.kubernetes.io/version: {{ default .Chart.Version .Chart.AppVersion | quote }} 12 | helm.sh/chart: {{ include "scf.chart" . }} 13 | spec: 14 | manifest: 15 | name: cf-deployment 16 | type: configmap 17 | ops: 18 | {{- if eq .Values.features.eirini true}} 19 | - name: ops-use-bits-service 20 | type: configmap 21 | {{- end }} 22 | # Reference all the ConfigMaps created for each ops file under assets/operations. 
23 | {{- range $path, $bytes := .Files.Glob "assets/operations/temporary/*" }} 24 | - name: {{ include "scf.ops-name" $path }} 25 | type: configmap 26 | {{- end }} 27 | {{- range $path, $bytes := .Files.Glob "assets/operations/instance_groups/*" }} 28 | - name: {{ include "scf.ops-name" $path }} 29 | type: configmap 30 | {{- end }} 31 | {{- range $path, $bytes := .Files.Glob "assets/operations/pre_render_scripts/*" }} 32 | - name: {{ include "scf.ops-name" $path }} 33 | type: configmap 34 | {{- end }} 35 | {{- if not .Values.sizing.HA }} 36 | - name: ops-single-availability 37 | type: configmap 38 | {{- end }} 39 | {{- range $path, $bytes := .Files.Glob "assets/operations/*" }} 40 | - name: {{ include "scf.ops-name" $path }} 41 | type: configmap 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /resources/eirini/scf/templates/cf_deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: cf-deployment 5 | labels: 6 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 7 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 8 | app.kubernetes.io/name: {{ include "scf.fullname" . }} 9 | app.kubernetes.io/version: {{ default .Chart.Version .Chart.AppVersion | quote }} 10 | helm.sh/chart: {{ include "scf.chart" . 
}} 11 | data: 12 | manifest: |- 13 | {{- .Files.Get "assets/cf-deployment.yml" | nindent 4 }} 14 | -------------------------------------------------------------------------------- /resources/eirini/scf/templates/eirini.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.features.eirini true -}} 2 | 3 | # A service for the cc uploader 4 | --- 5 | apiVersion: v1 6 | kind: Service 7 | metadata: 8 | name: {{ .Values.deployment_name }}-cc-uploader 9 | spec: 10 | type: ClusterIP 11 | selector: 12 | fissile.cloudfoundry.org/instance-group-name: api 13 | fissile.cloudfoundry.org/deployment-name: {{ .Values.deployment_name }} 14 | ports: 15 | - protocol: TCP 16 | name: "http" 17 | port: 9090 18 | targetPort: 9090 19 | - protocol: TCP 20 | name: "https" 21 | port: 9091 22 | targetPort: 9091 23 | # A service for the eirini image registry 24 | --- 25 | apiVersion: v1 26 | kind: Service 27 | metadata: 28 | name: {{ .Values.deployment_name }}-eirini-registry 29 | spec: 30 | type: ClusterIP 31 | selector: 32 | fissile.cloudfoundry.org/instance-group-name: bits 33 | fissile.cloudfoundry.org/deployment-name: {{ .Values.deployment_name }} 34 | ports: 35 | - protocol: TCP 36 | port: 443 37 | targetPort: 443 38 | --- 39 | # A namespace where eirini apps are created 40 | apiVersion: v1 41 | kind: Namespace 42 | metadata: 43 | name: {{ .Values.deployment_name }}-eirini 44 | --- 45 | # The ServiceAccount Eirini runs as; it is bound to cluster-admin below 46 | # TODO: restrict this to the permissions Eirini actually needs 47 | apiVersion: v1 48 | kind: ServiceAccount 49 | metadata: 50 | name: {{ .Values.deployment_name }}-eirini 51 | namespace: {{ .Release.Namespace | quote }} 52 | --- 53 | # A ClusterRoleBinding granting the Eirini ServiceAccount the cluster-admin ClusterRole 54 | apiVersion: rbac.authorization.k8s.io/v1 55 | kind: ClusterRoleBinding 56 | metadata: 57 | name: {{ .Values.deployment_name }}-eirini 58 | roleRef: 59 | apiGroup: rbac.authorization.k8s.io 60 | kind: ClusterRole 61 | name: cluster-admin 62 | subjects: 63 | - kind: ServiceAccount 
64 | name: {{ .Values.deployment_name }}-eirini 65 | namespace: {{ .Release.Namespace | quote }} 66 | 67 | {{- end }} 68 | -------------------------------------------------------------------------------- /resources/eirini/scf/templates/implicit_vars.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Template "scf.implicit-var" generates the kube secret declaration for a 3 | variable. It takes a list of two arguments: the context, and the variable 4 | name. 5 | */ -}} 6 | {{- define "scf.implicit-var" }} 7 | {{- $variable_name := (last .) }} 8 | {{- with (first .) }} 9 | --- 10 | apiVersion: v1 11 | kind: Secret 12 | metadata: 13 | name: {{ .Values.deployment_name }}.var-{{ $variable_name | replace "_" "-" | replace "." "-" }} 14 | labels: 15 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 17 | app.kubernetes.io/name: {{ include "scf.fullname" . }} 18 | app.kubernetes.io/version: {{ default .Chart.Version .Chart.AppVersion | quote }} 19 | helm.sh/chart: {{ include "scf.chart" . }} 20 | type: Opaque 21 | stringData: 22 | value: {{ template "scf.dig" (list .Values ( splitList "." $variable_name )) }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{ include "scf.implicit-var" (list . "system_domain") }} 27 | {{ include "scf.implicit-var" (list . "deployment_name") }} 28 | {{ include "scf.implicit-var" (list . "k8s-host-url") }} 29 | {{ include "scf.implicit-var" (list . "k8s-service-token") }} 30 | {{ include "scf.implicit-var" (list . "k8s-service-username") }} 31 | {{ include "scf.implicit-var" (list . "k8s-node-ca") }} 32 | {{ include "scf.implicit-var" (list . 
"releases.defaults.url") }} 33 | -------------------------------------------------------------------------------- /resources/eirini/scf/templates/ops-use-bits-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.features.eirini true -}} 2 | 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: ops-use-bits-service 7 | labels: 8 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 10 | app.kubernetes.io/name: {{ include "scf.fullname" . }} 11 | app.kubernetes.io/version: {{ default .Chart.Version .Chart.AppVersion | quote }} 12 | helm.sh/chart: {{ include "scf.chart" . }} 13 | data: 14 | ops: |- 15 | {{- .Files.Get "assets/use-bits-service.yml" | nindent 4 }} 16 | 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /resources/eirini/scf/templates/ops.yaml: -------------------------------------------------------------------------------- 1 | # This template creates a ConfigMap for each ops file under assets/operations. 2 | {{- define "scf.ops" -}} 3 | --- 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ include "scf.ops-name" .Path }} 8 | labels: 9 | app.kubernetes.io/component: operations 10 | app.kubernetes.io/instance: {{ .Root.Release.Name | quote }} 11 | app.kubernetes.io/managed-by: {{ .Root.Release.Service | quote }} 12 | app.kubernetes.io/name: {{ include "scf.fullname" .Root }} 13 | app.kubernetes.io/version: {{ default .Root.Chart.Version .Root.Chart.AppVersion | quote }} 14 | helm.sh/chart: {{ include "scf.chart" .Root }} 15 | data: 16 | ops: |- 17 | {{- tpl (.Root.Files.Get .Path) .Root | nindent 4 -}} 18 | {{- end -}} 19 | 20 | {{- $root := . 
-}} 21 | {{- range $path, $bytes := .Files.Glob "assets/operations/temporary/*" }} 22 | {{ include "scf.ops" (dict "Root" $root "Path" $path) }} 23 | {{- end }} 24 | {{- range $path, $bytes := .Files.Glob "assets/operations/instance_groups/*" }} 25 | {{ include "scf.ops" (dict "Root" $root "Path" $path) }} 26 | {{- end }} 27 | {{- range $path, $bytes := .Files.Glob "assets/operations/pre_render_scripts/*" }} 28 | {{ include "scf.ops" (dict "Root" $root "Path" $path) }} 29 | {{- end }} 30 | {{- range $path, $bytes := .Files.Glob "assets/operations/*" }} 31 | {{ include "scf.ops" (dict "Root" $root "Path" $path) }} 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /resources/eirini/scf/templates/single_availability.yaml: -------------------------------------------------------------------------------- 1 | {{ if not .Values.sizing.HA -}} 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: ops-single-availability 7 | labels: 8 | app.kubernetes.io/component: operations 9 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 11 | app.kubernetes.io/name: {{ include "scf.fullname" . }} 12 | app.kubernetes.io/version: {{ default .Chart.Version .Chart.AppVersion | quote }} 13 | helm.sh/chart: {{ include "scf.chart" . 
}} 14 | data: 15 | ops: | 16 | - type: replace 17 | path: /instance_groups/name=nats/instances 18 | value: 1 19 | - type: replace 20 | path: /instance_groups/name=adapter/instances 21 | value: 1 22 | - type: replace 23 | path: /instance_groups/name=database/instances 24 | value: 1 25 | - type: replace 26 | path: /instance_groups/name=diego-api/instances 27 | value: 1 28 | - type: replace 29 | path: /instance_groups/name=uaa/instances 30 | value: 1 31 | - type: replace 32 | path: /instance_groups/name=singleton-blobstore/instances 33 | value: 1 34 | - type: replace 35 | path: /instance_groups/name=api/instances 36 | value: 1 37 | - type: replace 38 | path: /instance_groups/name=cc-worker/instances 39 | value: 1 40 | - type: replace 41 | path: /instance_groups/name=scheduler/instances 42 | value: 1 43 | - type: replace 44 | path: /instance_groups/name=router/instances 45 | value: 1 46 | - type: replace 47 | path: /instance_groups/name=doppler/instances 48 | value: 1 49 | - type: replace 50 | path: /instance_groups/name=diego-cell/instances 51 | value: 1 52 | - type: replace 53 | path: /instance_groups/name=log-api/instances 54 | value: 1 55 | - type: replace 56 | path: /instance_groups/name=eirini/instances 57 | value: 1 58 | - type: replace 59 | path: /instance_groups/name=bits/instances 60 | value: 1 61 | - type: remove 62 | path: /instance_groups/name=nats/azs? 63 | - type: remove 64 | path: /instance_groups/name=adapter/azs? 65 | - type: remove 66 | path: /instance_groups/name=database/azs? 67 | - type: remove 68 | path: /instance_groups/name=diego-api/azs? 69 | - type: remove 70 | path: /instance_groups/name=uaa/azs? 71 | - type: remove 72 | path: /instance_groups/name=singleton-blobstore/azs? 73 | - type: remove 74 | path: /instance_groups/name=api/azs? 75 | - type: remove 76 | path: /instance_groups/name=cc-worker/azs? 77 | - type: remove 78 | path: /instance_groups/name=scheduler/azs? 79 | - type: remove 80 | path: /instance_groups/name=router/azs? 
81 | - type: remove 82 | path: /instance_groups/name=doppler/azs? 83 | - type: remove 84 | path: /instance_groups/name=diego-cell/azs? 85 | - type: remove 86 | path: /instance_groups/name=log-api/azs? 87 | - type: remove 88 | path: /instance_groups/name=eirini/azs? 89 | - type: remove 90 | path: /instance_groups/name=bits/azs? 91 | {{- end }} 92 | -------------------------------------------------------------------------------- /resources/eirini/scf/values.yaml: -------------------------------------------------------------------------------- 1 | system_domain: ~ 2 | deployment_name: scf 3 | 4 | releases: 5 | # The defaults for all releases, where we do not otherwise override them. 6 | defaults: 7 | url: docker.io/cfcontainerization 8 | 9 | sizing: 10 | HA: false 11 | 12 | features: 13 | eirini: true 14 | 15 | k8s-host-url: "" 16 | k8s-service-token: "" 17 | k8s-service-username: "" 18 | k8s-node-ca: "" 19 | -------------------------------------------------------------------------------- /resources/kpack/builder-bionic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: build.pivotal.io/v1alpha1 2 | kind: Builder 3 | metadata: 4 | name: cf-bionic-builder 5 | spec: 6 | image: cloudfoundry/cnb:bionic 7 | updatePolicy: polling -------------------------------------------------------------------------------- /resources/kpack/builder-cflinuxfs3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: build.pivotal.io/v1alpha1 2 | kind: Builder 3 | metadata: 4 | name: cflinuxfs3-builder 5 | spec: 6 | image: cloudfoundry/cnb:cflinuxfs3 7 | updatePolicy: polling --------------------------------------------------------------------------------