├── .gitignore ├── README.md ├── terraform ├── docs │ ├── dns-structure.png │ └── dns.md ├── eks │ ├── cf-for-k8s │ │ ├── bastion.tf │ │ ├── cf-for-k8s.tf │ │ ├── cluster.tf │ │ ├── controlplane.tf │ │ ├── dns.tf │ │ ├── harbor.tf │ │ ├── infrastructure.tf │ │ ├── kubeconfig.tf │ │ ├── nodes.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── tls.tf │ │ ├── vars.tf │ │ └── vpc.tf │ └── simple-cluster │ │ ├── bastion.tf │ │ ├── cluster.tf │ │ ├── controlplane.tf │ │ ├── dns.tf │ │ ├── infrastructure.tf │ │ ├── kubeconfig.tf │ │ ├── nodes.tf │ │ ├── providers.tf │ │ ├── vars.tf │ │ └── vpc.tf ├── gke │ ├── cf-for-k8s │ │ ├── README.md │ │ ├── cf-for-k8s.tf │ │ ├── cluster.tf │ │ ├── dns.tf │ │ ├── harbor.tf │ │ ├── infrastructure.tf │ │ ├── kubeconfig.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── tls.tf │ │ └── vars.tf │ └── simple-cluster │ │ ├── cluster.tf │ │ ├── dns.tf │ │ ├── infrastructure.tf │ │ ├── kubeconfig.tf │ │ ├── providers.tf │ │ └── vars.tf ├── modules │ ├── acme │ │ ├── aws │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ │ ├── azure │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ │ └── gcp │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ ├── apply │ │ ├── apply.tf │ │ └── vars.tf │ ├── certmanager │ │ ├── aws │ │ │ ├── certmanager.tf │ │ │ ├── iam.tf │ │ │ ├── outputs.tf │ │ │ ├── templates │ │ │ │ └── prereqs.yml │ │ │ └── vars.tf │ │ └── gcp │ │ │ ├── certmanager.tf │ │ │ ├── outputs.tf │ │ │ ├── templates │ │ │ └── prereqs.yml │ │ │ └── vars.tf │ ├── cf-for-k8s │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── templates │ │ │ ├── cert-secret.yml │ │ │ └── values.yml │ │ ├── tls.tf │ │ └── vars.tf │ ├── dns │ │ ├── aws │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ │ └── gcp │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ ├── external-dns │ │ ├── aws │ │ │ ├── iam.tf │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ │ ├── common │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ │ 
└── gcp │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ ├── generate-kubeconfig │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── templates │ │ │ └── kubeconfig.tmpl │ │ └── vars.tf │ ├── harbor │ │ ├── harbor.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── templates │ │ │ ├── cert.yml │ │ │ └── values.yml │ │ └── vars.tf │ ├── helm │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── vars.tf │ ├── infrastructure │ │ ├── aws │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ │ └── gcp │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── vars.tf │ ├── nginx-ingress │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── vars.tf │ ├── supply-chain │ │ ├── concourse.tf │ │ ├── grafana.tf │ │ ├── harbor.tf │ │ ├── kpack.tf │ │ ├── main.tf │ │ ├── prometheus.tf │ │ ├── spinnaker.tf1 │ │ ├── templates │ │ │ ├── concourse-values.yml │ │ │ ├── grafana-values.yml │ │ │ ├── harbor-cert.yml │ │ │ ├── harbor-values.yml │ │ │ ├── kpack-harbor-registry-secret.yml │ │ │ ├── kpack-viz.yml │ │ │ ├── kpack.yml │ │ │ ├── prometheus-values.yml │ │ │ ├── spinnaker-values.yml │ │ │ ├── uaa-users.sh │ │ │ └── uaa-values.yml │ │ ├── uaa.tf │ │ ├── vars.tf │ │ └── versions.tf │ └── welcome-app │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── vars.tf └── tmc │ ├── cf-for-k8s │ └── aws │ │ ├── README.md │ │ ├── cf-for-k8s.tf │ │ ├── dns.tf │ │ ├── harbor.tf │ │ ├── infrastructure.tf │ │ ├── kubeconfig.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── tls.tf │ │ ├── tmc.tf │ │ └── vars.tf │ ├── open-privileges │ ├── main.tf │ ├── outputs.tf │ └── vars.tf │ └── simple-cluster │ └── aws │ ├── dns.tf │ ├── infrastructure.tf │ ├── kubeconfig.tf │ ├── providers.tf │ ├── tmc.tf │ └── vars.tf └── ytt-libs ├── cert-manager ├── aws │ ├── issuer.yml │ └── values.yml └── core │ ├── ingress-shim-overlay.yml │ └── values.yml ├── cf-for-k8s ├── patch │ ├── cert-manager-support.yml │ └── external-dns-support.yml ├── vendir.lock.yml ├── vendir.yml └── vendor │ └── github.com │ └── cloudfoundry │ └── cf-for-k8s │ ├── LICENSE │ ├── 
NOTICE │ └── config │ ├── 0-min-version.star │ ├── _ytt_lib │ ├── eirini │ │ └── rendered.yml │ ├── github.com │ │ ├── GoogleCloudPlatform │ │ │ └── metacontroller │ │ │ │ ├── LICENSE │ │ │ │ └── manifests │ │ │ │ ├── metacontroller-namespace.yaml │ │ │ │ ├── metacontroller-rbac.yaml │ │ │ │ └── metacontroller.yaml │ │ ├── cloudfoundry │ │ │ ├── capi-k8s-release │ │ │ │ ├── templates │ │ │ │ │ ├── api_server_deployment.yml │ │ │ │ │ ├── capi-kpack-watcher-deployment.yml │ │ │ │ │ ├── ccng-config.lib.yml │ │ │ │ │ ├── ccng-configmap.yml │ │ │ │ │ ├── cf-autodetect-builder.yml │ │ │ │ │ ├── clock_deployment.yml │ │ │ │ │ ├── deployment_updater_deployment.yml │ │ │ │ │ ├── nginx-configmap.yml │ │ │ │ │ ├── opi-secrets.yml │ │ │ │ │ ├── service-accounts.yml │ │ │ │ │ ├── service.yml │ │ │ │ │ └── worker_deployment.yml │ │ │ │ └── values.yml │ │ │ ├── cf-k8s-logging │ │ │ │ └── config │ │ │ │ │ ├── 100-logging-metadata-service-account.yaml │ │ │ │ │ ├── 300-fluentd-config.yaml │ │ │ │ │ ├── 400-log-cache-service.yaml │ │ │ │ │ ├── 400-syslog-service.yaml │ │ │ │ │ ├── 401-log-cache-virualservice.yml │ │ │ │ │ ├── 50-secrets.yaml │ │ │ │ │ ├── 500-fluentd-daemonset.yaml │ │ │ │ │ ├── 500-log-cache-deployment.yaml │ │ │ │ │ └── values.yml │ │ │ ├── cf-k8s-networking │ │ │ │ ├── LICENSE │ │ │ │ ├── NOTICE │ │ │ │ ├── cfroutesync │ │ │ │ │ └── crds │ │ │ │ │ │ └── routebulksync.yaml │ │ │ │ └── config │ │ │ │ │ ├── cfroutesync │ │ │ │ │ ├── cfroutesync-configmap.yaml │ │ │ │ │ ├── cfroutesync-secret.yaml │ │ │ │ │ ├── cfroutesync.yaml │ │ │ │ │ ├── istio-cfrequestcount.yaml │ │ │ │ │ ├── istio-gateway.yaml │ │ │ │ │ ├── prometheus-config.yaml │ │ │ │ │ └── values.yaml │ │ │ │ │ └── istio-generated │ │ │ │ │ ├── README.md │ │ │ │ │ └── xxx-generated-istio.yaml │ │ │ └── uaa │ │ │ │ ├── LICENSE │ │ │ │ ├── NOTICE │ │ │ │ └── k8s │ │ │ │ └── templates │ │ │ │ ├── config.yml │ │ │ │ ├── deployment.star │ │ │ │ ├── deployment.yml │ │ │ │ ├── log4j2.properties │ │ │ │ ├── 
metadata.yml │ │ │ │ ├── service.yml │ │ │ │ ├── service_account.yml │ │ │ │ ├── uaa.lib.star │ │ │ │ ├── uaa.lib.yml │ │ │ │ └── values │ │ │ │ ├── _values.yml │ │ │ │ ├── image.yml │ │ │ │ └── version.yml │ │ └── pivotal │ │ │ └── kpack │ │ │ └── release-0.0.6.yaml │ ├── minio │ │ └── rendered.yml │ └── postgres │ │ └── rendered.yml │ ├── capi.yml │ ├── eirini.yml │ ├── external-routing.yml │ ├── kapp-rebase-rules.yml │ ├── kpack.yml │ ├── logging.yml │ ├── minio.yml │ ├── must_exist.star │ ├── networking.yml │ ├── postgres.yml │ ├── system-namespace.yml │ ├── uaa.yml │ ├── values.yml │ └── workloads-namespace.yml ├── external-dns ├── aws.lib.txt ├── aws.yml ├── core.yml ├── ns.yml ├── overlay.yml ├── validations.star └── values.yml ├── nginx-ingress ├── controller.yml ├── default-backend.yml ├── ns.yml ├── rbac-cluster.yml ├── rbac-ns.yml ├── service-account.yml └── values.yml ├── tmc-privileges └── binding.yml └── welcome-app ├── deployment.yml └── values.yml /.gitignore: -------------------------------------------------------------------------------- 1 | *.tfvars 2 | *.tfstate* 3 | .terraform/ 4 | test 5 | kubeconfig 6 | *.log -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Tanzu Playground 2 | 3 | This repository contains various automation scripts and samples related to the various products and technologies in the VMware Tanzu portfolio. It is intended to provide fast, easy, repeatable ways to create test and demo environments. 4 | 5 | If you're interested in exploring how VMware is investing in the Kubernetes ecosystem then theres likely something here for you. 
6 | 7 | Some of the technologies showcased are: 8 | - Tanzu Mission Control 9 | - Tanzu Build Service (plus `kpack`) 10 | - Tanzu Application Service (plus `cf-for-k8s`) 11 | - Various uses of the `k14s` toolchain 12 | 13 | ## Terraform Modules 14 | 15 | The Tanzu portfolio is composed of various components that work in the general Kubernetes ecosystem. The Terraform modules included in this repository are designed to stand up Kubernetes not only on Tanzu-native distributions, such as via Tanzu Mission Control, but also on GKE, EKS etc. Generally, these modules are designed to build fully functioning systems, and are self-contained in that they create as much of the supporting infrastructure as possible. 16 | 17 | For example: 18 | - Kubernetes clusters 19 | - Configuring DNS (via Route53 etc.) 20 | - Provisioning Let's Encrypt certificates via DNS solvers 21 | - Installing Kubernetes foundational components, like: 22 | - Ingress 23 | - external-dns 24 | - cert-manager 25 | - Installing components related to the software supply chain, like: 26 | - Concourse 27 | - Spinnaker 28 | 29 | There are generally two types of modules included in the repository: 30 | 1. Abstract, self-contained, re-usable modules for specific functions 31 | 2. Aggregated modules that create tangible systems (for example `cf-for-k8s` on GKE) 32 | 33 | Below is a summary of the aggregate modules that may be of immediate use. 
34 | 35 | | Module | Purpose | TMC (AWS) | GKE | EKS | 36 | |---|---|---|---|---| 37 | | `simple-cluster` | Basic Kubernetes cluster with ingress, external-dns and certmanager | [Link](terraform/tmc/simple-cluster/aws/README.md) | [Link](terraform/gke/simple-cluster/README.md) | [Link](terraform/eks/simple-cluster/README.md) | 38 | | `cf-for-k8s` | Simple installation of Cloud Foundry on Kubernetes | [Link](terraform/tmc/cf-for-k8s/aws/README.md) | [Link](terraform/gke/cf-for-k8s/README.md) | [Link](terraform/eks/cf-for-k8s/README.md) | 39 | 40 | 41 | ### Providers 42 | 43 | The modules in this repository may use one or more custom Terraform providers: 44 | - A custom [k14s](https://github.com/niallthomson/terraform-provider-k14s) Terraform provider, which can be installed alongside the official one 45 | - A Tanzu Mission Control Terraform provider, which is currently internal to VMware (only required for TMC modules) 46 | 47 | Please carefully study the `README` for each module to understand any corresponding custom module dependencies. 
-------------------------------------------------------------------------------- /terraform/docs/dns-structure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/niallthomson/tanzu-playground/51d59aac6d98919a249adaae924e990e45bb8da5/terraform/docs/dns-structure.png -------------------------------------------------------------------------------- /terraform/docs/dns.md: -------------------------------------------------------------------------------- 1 | # DNS Setup 2 | 3 | Various Terraform modules in this project make some basic assumptions about DNS that allow them to function: 4 | - The DNS entries for each public cloud are managed by their respective DNS services (AWS Route53, GCP Cloud DNS, Azure DNS) 5 | - You have already set up delegation from your root domain registrar to each public cloud you wish to use 6 | - Modules are free to create DNS entries in whichever delegated domain they are configured to create environments in 7 | - DNS is publicly resolvable, so that ACME DNS challenge solving can be used for certificates 8 | 9 | For example, this is the structure of the domains used to test the modules: 10 | 11 | ![architecture](dns-structure.png) 12 | 13 | In this setup: 14 | - The root domain `paasify.org` is registered and managed in GoDaddy 15 | - A sub-domain for each cloud has been manually created and delegated via NS records 16 | - The Terraform modules will then create sub-domains, such as `env1.aws.paasify.org`, from these cloud-specific zones -------------------------------------------------------------------------------- /terraform/eks/cf-for-k8s/bastion.tf: -------------------------------------------------------------------------------- 1 | resource "aws_security_group" "provisioner" { 2 | name = "${local.full_environment_prefix}-provisioner-sg" 3 | description = "Allow SSH access to provisioner host and outbound internet access" 4 | vpc_id = module.vpc.vpc_id 5 | 6 | lifecycle { 7 | create_before_destroy = true 
8 | } 9 | } 10 | 11 | /* Bastion SSH ingress. cidr_blocks = ["0.0.0.0/0"] exposes port 22 to the whole internet, which is the largest attack surface in this environment; restrict it to an operator-controlled CIDR list (a variable) before using this outside a throwaway test setup. */ resource "aws_security_group_rule" "ssh" { 12 | protocol = "TCP" 13 | from_port = 22 14 | to_port = 22 15 | type = "ingress" 16 | cidr_blocks = ["0.0.0.0/0"] 17 | security_group_id = aws_security_group.provisioner.id 18 | } 19 | 20 | /* Unrestricted egress on every protocol and port, matching the "outbound internet access" in the security group description. */ resource "aws_security_group_rule" "internet" { 21 | protocol = "-1" 22 | from_port = 0 23 | to_port = 0 24 | type = "egress" 25 | cidr_blocks = ["0.0.0.0/0"] 26 | security_group_id = aws_security_group.provisioner.id 27 | } 28 | 29 | /* Resolves the newest Ubuntu 18.04 HVM AMI. owners pins the publisher account (Canonical's well-known ID), so an identically named image from another account cannot match; most_recent means the resolved ID drifts over time, which the instance below tolerates via ignore_changes. */ data "aws_ami" "default" { 30 | most_recent = "true" 31 | 32 | filter { 33 | name = "name" 34 | values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"] 35 | } 36 | 37 | filter { 38 | name = "virtualization-type" 39 | values = ["hvm"] 40 | } 41 | 42 | owners = ["099720109477"] 43 | } 44 | 45 | /* Bastion sizing; local.username is not referenced within bastion.tf itself. */ locals { 46 | ami_id = data.aws_ami.default.id 47 | disk_size = 64 48 | instance_type = "t3.micro" 49 | username = "ubuntu" 50 | } 51 | 52 | /* Elastic IP bound to the bastion instance. */ resource "aws_eip" "provisioner" { 53 | vpc = true 54 | instance = aws_instance.provisioner.id 55 | } 56 | 57 | /* The bastion sits in the first public subnet, is attached only to the provisioner security group above, and uses the key pair named by var.ssh_key_name. The root volume is discarded with the instance; ignore_changes = [ami] keeps the drifting AMI lookup from forcing a replacement on every apply. */ resource "aws_instance" "provisioner" { 58 | ami = local.ami_id 59 | instance_type = local.instance_type 60 | key_name = var.ssh_key_name 61 | subnet_id = module.vpc.public_subnets[0] 62 | vpc_security_group_ids = [aws_security_group.provisioner.id] 63 | 64 | root_block_device { 65 | volume_size = local.disk_size 66 | delete_on_termination = true 67 | } 68 | 69 | lifecycle { 70 | ignore_changes = [ami] 71 | } 72 | 73 | tags = { 74 | Name = "${local.full_environment_prefix}-bastion" 75 | } 76 | } -------------------------------------------------------------------------------- /terraform/eks/cf-for-k8s/cf-for-k8s.tf: -------------------------------------------------------------------------------- 1 | /* Aggregate: wires the DNS, ACME certificate, Harbor registry and infrastructure modules into the cf-for-k8s module. */ module "cf-for-k8s" { 2 | source = "../../modules/cf-for-k8s" 3 | 4 | ytt_lib_dir = local.ytt_lib_dir 5 | domain = module.dns.base_domain 6 | 7 | tls_cert = module.acme.cert_full_chain 8 | tls_key = module.acme.cert_key 9 | tls_ca_cert = 
module.acme.cert_ca 10 | 11 | registry_domain = module.harbor.harbor_domain 12 | registry_repository = "${module.harbor.harbor_domain}/library" 13 | registry_username = module.harbor.harbor_admin_username 14 | /* The Harbor admin password is passed straight through as a module input, so it is persisted in Terraform state; keep the state backend access-controlled (the .gitignore only keeps local *.tfstate* files out of git). */ registry_password = module.harbor.harbor_admin_password 15 | 16 | blocker = module.infrastructure.blocker 17 | } -------------------------------------------------------------------------------- /terraform/eks/cf-for-k8s/cluster.tf: -------------------------------------------------------------------------------- 1 | /* Name prefix shared by every resource in this environment. */ locals { 2 | full_environment_prefix = "tanzu-eks-cf-${var.environment_name}" 3 | } 4 | 5 | /* Ordering shim: local-exec sleeps 30s once the managed node group exists so dependents can wait on this resource. The interpolated values are AWS-generated node-group IDs, not user input, so the shell command is not injectable from variables. */ resource "null_resource" "cluster_blocker" { 6 | provisioner "local-exec" { 7 | command = "sleep 30 && echo ${join(",", aws_eks_node_group.managed_workers_a.*.id)}" 8 | } 9 | } 10 | 11 | -------------------------------------------------------------------------------- /terraform/eks/cf-for-k8s/controlplane.tf: -------------------------------------------------------------------------------- 1 | # EKS Control Plane security group 2 | /* Allows the control plane's own cluster security group to reach the VPC endpoints (aws_security_group.vpc_endpoint, defined elsewhere) on 443. */ resource "aws_security_group_rule" "vpc_endpoint_eks_cluster_sg" { 3 | 4 | from_port = 443 5 | protocol = "tcp" 6 | security_group_id = aws_security_group.vpc_endpoint.id 7 | source_security_group_id = aws_eks_cluster.cluster.vpc_config.0.cluster_security_group_id 8 | to_port = 443 9 | type = "ingress" 10 | depends_on = [aws_eks_cluster.cluster] 11 | } 12 | 13 | # EKS Cluster 14 | /* enabled_cluster_log_types = [] turns off all control-plane logging even though the log group is created in this file; enabling at least "audit" and "authenticator" is what makes API activity recoverable during an incident. */ resource "aws_eks_cluster" "cluster" { 15 | enabled_cluster_log_types = [] 16 | name = local.full_environment_prefix 17 | role_arn = aws_iam_role.cluster.arn 18 | /* Version pin is commented out, so the Kubernetes version is whatever the provider/EKS default is at apply time; consider re-enabling it. */ //version = var.eks_version 19 | vpc_config { 20 | subnet_ids = flatten([module.vpc.public_subnets, module.vpc.private_subnets]) 21 | /* Empty: EKS attaches its own cluster security group, referenced above via vpc_config.0.cluster_security_group_id. */ security_group_ids = [] 22 | endpoint_private_access = "true" 23 | /* Public API endpoint with no public_access_cidrs restriction, so only cluster authentication stands between the internet and the API server; pair private access with a CIDR allow-list when this outlives a demo. */ endpoint_public_access = "true" 24 | } 25 | tags = var.tags 26 | depends_on = [ 27 | aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy, 28 | 
aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy, 29 | aws_cloudwatch_log_group.cluster 30 | ] 31 | } 32 | 33 | resource "aws_cloudwatch_log_group" "cluster" { 34 | name = "/aws/eks/${local.full_environment_prefix}/cluster" 35 | retention_in_days = 7 36 | } 37 | 38 | resource "aws_iam_role" "cluster" { 39 | name = "${local.full_environment_prefix}-cluster-role" 40 | assume_role_policy = < 12 | @type null 13 | 14 | 15 | 16 | @type tail 17 | @id in_tail_container_logs 18 | path /var/log/containers/*.log 19 | pos_file /var/log/fluentd-containers.log.pos 20 | tag kubernetes.* 21 | refresh_interval 1 22 | 23 | @type multi_format 24 | 25 | format json 26 | time_key time 27 | time_format %Y-%m-%dT%H:%M:%S.%NZ 28 | 29 | 30 | format /^(? 33 | 34 | read_from_head true 35 | 36 | 37 | # Filters 38 | 39 | @type kubernetes_metadata 40 | 41 | 42 | 43 | @type grep 44 | 45 | key $.kubernetes.labels.cloudfoundry_org/app_guid 46 | pattern /.+/ 47 | 48 | 49 | 50 | 51 | @type syslog_rfc5424 52 | host log-cache-syslog 53 | port 8082 54 | transport tls 55 | trusted_ca_path /ca/tls.crt 56 | 57 | @type syslog_rfc5424 58 | proc_id_field kubernetes.pod_id 59 | app_name_field kubernetes.labels.cloudfoundry_org/app_guid 60 | 61 | 62 | 63 | @type memory 64 | flush_mode immediate 65 | 66 | 67 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-logging/config/400-log-cache-service.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: log-cache 7 | namespace: #@ data.values.system_namespace 8 | spec: 9 | selector: 10 | app: log-cache 11 | ports: 12 | - protocol: TCP 13 | port: 8083 14 | name: http -------------------------------------------------------------------------------- 
/ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-logging/config/400-syslog-service.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: log-cache-syslog 7 | namespace: #@ data.values.system_namespace 8 | spec: 9 | selector: 10 | app: log-cache 11 | ports: 12 | - protocol: TCP 13 | port: 8082 -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-logging/config/401-log-cache-virualservice.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: networking.istio.io/v1alpha3 4 | kind: VirtualService 5 | metadata: 6 | name: log-cache-external-virtual-service 7 | namespace: #@ data.values.system_namespace 8 | spec: 9 | gateways: 10 | - cf-system/istio-ingressgateway 11 | hosts: 12 | - #@ "log-cache.{}".format(data.values.system_domain) 13 | http: 14 | - route: 15 | - destination: 16 | host: #@ "log-cache.{}.svc.cluster.local".format(data.values.system_namespace) 17 | port: 18 | number: 8083 19 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-logging/config/50-secrets.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | type: kubernetes.io/tls 6 | metadata: 7 | name: log-cache-ca 8 | namespace: #@ data.values.system_namespace 9 | data: 10 | tls.crt: #@ data.values.log_cache_ca.crt 11 | tls.key: #@ data.values.log_cache_ca.key 12 | 13 | --- 14 | apiVersion: v1 15 | kind: Secret 16 | type: kubernetes.io/tls 
17 | metadata: 18 | name: log-cache 19 | namespace: #@ data.values.system_namespace 20 | data: 21 | tls.crt: #@ data.values.log_cache.crt 22 | tls.key: #@ data.values.log_cache.key 23 | 24 | --- 25 | apiVersion: v1 26 | kind: Secret 27 | type: kubernetes.io/tls 28 | metadata: 29 | name: log-cache-metrics 30 | namespace: #@ data.values.system_namespace 31 | data: 32 | tls.crt: #@ data.values.log_cache_metrics.crt 33 | tls.key: #@ data.values.log_cache_metrics.key 34 | 35 | --- 36 | apiVersion: v1 37 | kind: Secret 38 | type: kubernetes.io/tls 39 | metadata: 40 | name: log-cache-gateway 41 | namespace: #@ data.values.system_namespace 42 | data: 43 | tls.crt: #@ data.values.log_cache_gateway.crt 44 | tls.key: #@ data.values.log_cache_gateway.key 45 | 46 | --- 47 | apiVersion: v1 48 | kind: Secret 49 | type: kubernetes.io/tls 50 | metadata: 51 | name: log-cache-syslog 52 | namespace: #@ data.values.system_namespace 53 | data: 54 | tls.crt: #@ data.values.log_cache_syslog.crt 55 | tls.key: #@ data.values.log_cache_syslog.key 56 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-logging/config/500-fluentd-daemonset.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: apps/v1 4 | kind: DaemonSet 5 | metadata: 6 | name: fluentd 7 | namespace: #@ data.values.system_namespace 8 | labels: 9 | app: fluentd 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: fluentd 14 | template: 15 | metadata: 16 | labels: 17 | app: fluentd 18 | spec: 19 | serviceAccountName: fluentd-service-account 20 | tolerations: 21 | - key: node-role.kubernetes.io/master 22 | effect: NoSchedule 23 | imagePullSecrets: 24 | - name: image-registry-credentials 25 | containers: 26 | - name: fluentd 27 | image: #@ data.values.images.fluent 28 | resources: 29 | limits: 30 | 
memory: 200Mi 31 | requests: 32 | cpu: 100m 33 | memory: 200Mi 34 | volumeMounts: 35 | - name: fluentd-config 36 | mountPath: /fluentd/etc 37 | - name: varlog 38 | mountPath: /var/log 39 | - name: varvcapstore 40 | mountPath: /var/vcap/store 41 | - name: dockercontainers 42 | mountPath: /var/lib/docker/containers 43 | - mountPath: /ca 44 | name: ca 45 | readOnly: true 46 | terminationGracePeriodSeconds: 30 47 | volumes: 48 | - name: fluentd-config 49 | configMap: 50 | name: fluentd-config 51 | - name: varlog 52 | hostPath: 53 | path: /var/log 54 | - name: varvcapstore 55 | hostPath: 56 | path: /var/vcap/store 57 | - name: dockercontainers 58 | hostPath: 59 | path: /var/lib/docker/containers 60 | - name: ca 61 | secret: 62 | secretName: log-cache-ca 63 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-logging/config/values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | system_domain: "" 4 | system_namespace: "" 5 | 6 | images: 7 | log_cache: "logcache/log-cache@sha256:1074a8a64f56d1967758cf9cbd3d388b2e5bd295768231ebbaa9ae8febb7e90a" 8 | syslog_server: "logcache/syslog-server@sha256:7a6c85226bb0f92e870c1bbe6555261c9946cdcd8fed2aeac854b7ea0b369a99" 9 | log_cache_gateway: "logcache/log-cache-gateway@sha256:845998ef9769d78b43555eb18757b5f24571fefbe4a267c0ffa7e69071b38177" 10 | fluent: "logcache/cf-k8s-logging@sha256:44e20fa761fb67436eabd70a226d88ca7398619aaa2b3b468405017c75fd9607" 11 | cf_auth_proxy: "logcache/log-cache-cf-auth-proxy@sha256:2fa3c3fc7a4d8ed006502aa239ca95a936ec69eb850de5790b057adcc26cb433" 12 | 13 | log_cache_ca: 14 | crt: "" #! Base64-encoded ca for the log cache 15 | key: "" #! Base64-encoded private key for the cert above 16 | 17 | log_cache: 18 | crt: "" #! Base64-encoded cert for the log cache requires CN of log-cache 19 | key: "" #! 
Base64-encoded private key for the cert above 20 | 21 | log_cache_metrics: 22 | crt: "" #! Base64-encoded cert for the log cache metrics requires CN of log-cache-metrics 23 | key: "" #! Base64-encoded private key for the cert above 24 | 25 | log_cache_gateway: 26 | crt: "" #! Base64-encoded cert for the log cache gateway 27 | key: "" #! Base64-encoded private key for the cert above 28 | 29 | log_cache_syslog: 30 | crt: "" #! Base64-encoded cert for the log cache syslog server requires CN of log-cache-syslog 31 | key: "" #! Base64-encoded private key for the cert above 32 | 33 | client: 34 | id: "" #! client id 35 | secret: "" #! client secret 36 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-networking/NOTICE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019-Present CloudFoundry.org Foundation, Inc. All Rights Reserved. 2 | 3 | This project is licensed to you under the Apache License, Version 2.0 (the "License"). 4 | You may not use this project except in compliance with the License. 5 | 6 | This project may include a number of subcomponents with separate copyright notices 7 | and license terms. Your use of these subcomponents is subject to the terms and 8 | conditions of the subcomponent's license, as noted in the LICENSE file. 
9 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-networking/cfroutesync/crds/routebulksync.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "apiextensions.k8s.io/v1beta1" 2 | kind: "CustomResourceDefinition" 3 | metadata: 4 | name: routebulksyncs.apps.cloudfoundry.org 5 | spec: 6 | group: apps.cloudfoundry.org 7 | versions: 8 | - name: v1alpha1 9 | served: true 10 | storage: true 11 | scope: Namespaced 12 | names: 13 | plural: routebulksyncs 14 | singular: routebulksync 15 | kind: RouteBulkSync 16 | subresources: 17 | status: {} 18 | validation: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | selector: 26 | type: object 27 | template: 28 | type: object 29 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-networking/config/cfroutesync/cfroutesync-configmap.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: cfroutesync-config 7 | namespace: #@ data.values.systemNamespace 8 | annotations: 9 | kapp.k14s.io/versioned: "" 10 | kapp.k14s.io/num-versions: "2" 11 | data: 12 | ccBaseURL: #@ data.values.cfroutesync.ccBaseURL 13 | uaaBaseURL: #@ data.values.cfroutesync.uaaBaseURL 14 | ccCA: #@ data.values.cfroutesync.ccCA 15 | uaaCA: #@ data.values.cfroutesync.uaaCA 16 | clientName: #@ data.values.cfroutesync.clientName 17 | -------------------------------------------------------------------------------- 
/ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-networking/config/cfroutesync/cfroutesync-secret.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: cfroutesync 7 | namespace: #@ data.values.systemNamespace 8 | type: Opaque 9 | stringData: 10 | clientSecret: #@ data.values.cfroutesync.clientSecret 11 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-networking/config/cfroutesync/istio-gateway.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: networking.istio.io/v1alpha3 4 | kind: Gateway 5 | metadata: 6 | name: istio-ingress 7 | namespace: #@ data.values.workloadsNamespace 8 | spec: 9 | selector: 10 | istio: ingressgateway 11 | servers: 12 | - hosts: 13 | - '*' 14 | port: 15 | name: http 16 | number: #@ data.values.service.externalPort 17 | protocol: HTTP 18 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-networking/config/cfroutesync/prometheus-config.yaml: -------------------------------------------------------------------------------- 1 | #! This overlay is optional. It will make Prometheus, deployed by Istio to pull metrics from cfroutesync 2 | #! To make this overlay work you have to provide the Prometheus configmap. For example: 3 | #! ```bash 4 | #! ytt -f prometheus.yml=<(kubectl get -n istio-system cm prometheus -o yaml) -f 5 | #! ``` 6 | #! 7 | #! Or you can use this overlay while installing Istio, as Istio YAML will container this configmap, if Prometheu 8 | #! is enabled. 
9 | 10 | #@ load("@ytt:yaml", "yaml") 11 | #@ load("@ytt:data", "data") 12 | #@ load("@ytt:overlay", "overlay") 13 | 14 | #@ def additional_conf(): 15 | scrape_configs: 16 | #@overlay/match by="job_name",missing_ok=True 17 | - job_name: cfroutesync 18 | scrape_interval: 10s 19 | #@overlay/replace 20 | kubernetes_sd_configs: 21 | - role: service 22 | namespaces: 23 | names: 24 | - #@ data.values.systemNamespace 25 | #@overlay/replace 26 | relabel_configs: 27 | - source_labels: [__meta_kubernetes_service_name] 28 | action: keep 29 | regex: cfroutesync 30 | #@ end 31 | 32 | #@ def update_scrapes(a,b): 33 | #@ return yaml.encode(overlay.apply(yaml.decode(a), additional_conf())) 34 | #@ end 35 | 36 | #@overlay/match by=overlay.subset({"kind": "ConfigMap", "metadata":{"name": "prometheus", "namespace": "istio-system"}}),expects="0+" 37 | --- 38 | data: 39 | #@overlay/replace via=update_scrapes 40 | prometheus.yml: "" 41 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-networking/config/cfroutesync/values.yaml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | #! Default values for cf-k8s-networking. 4 | #! This is a YTT-formatted file. 
5 | 6 | systemNamespace: cf-system 7 | workloadsNamespace: cf-workloads 8 | 9 | cfroutesync: 10 | image: gcr.io/cf-networking-images/cf-k8s-networking/cfroutesync:latest 11 | 12 | ccCA: 'base64_encoded_cloud_controller_ca' 13 | ccBaseURL: 'https://api.example.com' 14 | uaaCA: 'base64_encoded_uaa_ca' 15 | uaaBaseURL: 'https://uaa.example.com' 16 | clientName: 'uaaClientName' 17 | clientSecret: 'base64_encoded_uaaClientSecret' 18 | 19 | service: 20 | externalPort: 80 21 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/cf-k8s-networking/config/istio-generated/README.md: -------------------------------------------------------------------------------- 1 | # Files in this folder are autogenerated, please do not edit them. 2 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/NOTICE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2015-Present CloudFoundry.org Foundation, Inc. All Rights Reserved. 2 | 3 | This project contains software that is Copyright (c) 2012-2015 Pivotal Software, Inc. 4 | 5 | This project is licensed to you under the Apache License, Version 2.0 (the "License"). 6 | 7 | You may not use this project except in compliance with the License. 8 | 9 | This project may include a number of subcomponents with separate copyright notices 10 | and license terms. Your use of these subcomponents is subject to the terms and 11 | conditions of the subcomponent's license, as noted in the LICENSE file. 
12 | Contact GitHub API Training Shop Blog About 13 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/config.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:yaml", "yaml") 2 | #@ load("uaa.lib.yml", "config") 3 | #@ load("@ytt:data", "data") 4 | --- 5 | apiVersion: v1 6 | kind: ConfigMap 7 | metadata: 8 | name: uaa-config 9 | data: 10 | uaa.yml: #@ yaml.encode(config()) 11 | log4j2.properties: #@ data.read("log4j2.properties") -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/deployment.star: -------------------------------------------------------------------------------- 1 | def spring_profiles(database_scheme): 2 | if database_scheme in ["postgresql","mysql"]: 3 | return database_scheme 4 | else: 5 | return "default,hsqldb" 6 | end 7 | end 8 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/deployment.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("deployment.star", "spring_profiles") 3 | --- 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | name: uaa 8 | spec: 9 | selector: 10 | matchLabels: 11 | app: uaa-deployment 12 | replicas: 1 13 | template: 14 | metadata: 15 | labels: 16 | app: uaa-deployment 17 | spec: #! 
pod spec 18 | serviceAccountName: uaa 19 | containers: 20 | - name: uaa 21 | image: #@ data.values.image 22 | resources: 23 | requests: 24 | memory: #@ data.values.resources.requests.memory 25 | cpu: #@ data.values.resources.requests.cpu 26 | ports: 27 | - name: http-uaa 28 | containerPort: 8080 29 | protocol: TCP 30 | env: 31 | - name: BPL_TOMCAT_ACCESS_LOGGING 32 | value: #@ data.values.tomcat.accessLoggingEnabled 33 | - name: JAVA_OPTS 34 | value: "-Djava.security.egd=file:/dev/./urandom -Dlogging.config=/etc/config/log4j2.properties -Dlog4j.configurationFile=/etc/config/log4j2.properties" 35 | - name: spring_profiles 36 | value: #@ spring_profiles(data.values.database.scheme) 37 | - name: CLOUDFOUNDRY_CONFIG_PATH 38 | value: /etc/config 39 | volumeMounts: 40 | - name: uaa-config 41 | mountPath: /etc/config 42 | livenessProbe: 43 | httpGet: 44 | path: /healthz 45 | port: http-uaa 46 | failureThreshold: 25 47 | initialDelaySeconds: 60 48 | periodSeconds: 15 49 | readinessProbe: 50 | httpGet: 51 | path: /healthz 52 | port: http-uaa 53 | volumes: 54 | - name: uaa-config 55 | configMap: 56 | name: uaa-config 57 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/log4j2.properties: -------------------------------------------------------------------------------- 1 | status = error 2 | dest = err 3 | name = UaaLog 4 | 5 | property.log_pattern=[%d{yyyy-MM-dd HH:mm:ss.SSS}] uaa%X{context} - %pid [%t] .... 
%5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{}%n 6 | 7 | appender.uaaDefaultAppender.type = Console 8 | appender.uaaDefaultAppender.name = UaaDefaultAppender 9 | appender.uaaDefaultAppender.layout.type = PatternLayout 10 | appender.uaaDefaultAppender.layout.pattern = [UAA] ${log_pattern} 11 | 12 | appender.uaaAuditAppender.type = Console 13 | appender.uaaAuditAppender.name = UaaAuditAppender 14 | appender.uaaAuditAppender.layout.type = PatternLayout 15 | appender.uaaAuditAppender.layout.pattern = [UAA_AUDIT] ${log_pattern} 16 | 17 | rootLogger.level = info 18 | rootLogger.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender 19 | 20 | logger.UAAAudit.name = UAA.Audit 21 | logger.UAAAudit.level = info 22 | logger.UAAAudit.additivity = true 23 | logger.UAAAudit.appenderRef.auditEventLog.ref = UaaAuditAppender 24 | 25 | logger.cfIdentity.name = org.cloudfoundry.identity 26 | logger.cfIdentity.level = info 27 | logger.cfIdentity.additivity = false 28 | logger.cfIdentity.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/metadata.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@ load("@ytt:data", "data") 3 | 4 | #@ def metadata_labels(): 5 | app.kubernetes.io/name: "uaa" 6 | app.kubernetes.io/instance: #@ "uaa-" + data.values.labels.instance 7 | app.kubernetes.io/version: #@ data.values.version 8 | app.kubernetes.io/component: "authorization_server" 9 | app.kubernetes.io/part-of: #@ data.values.labels.partOf 10 | app.kubernetes.io/managed-by: #@ data.values.labels.managedBy 11 | #@ end 12 | 13 | #@overlay/match by=overlay.all,expects="1+" 14 | --- 15 | #@overlay/match-child-defaults missing_ok=True 16 | metadata: 17 | namespace: #@ data.values.namespace 18 | 
labels: #@ metadata_labels() 19 | 20 | #@overlay/match by=overlay.subset({"kind":"Deployment"}),missing_ok=True 21 | --- 22 | spec: 23 | #@overlay/match-child-defaults missing_ok=True 24 | template: 25 | metadata: 26 | namespace: #@ data.values.namespace 27 | labels: #@ metadata_labels() -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/service.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: uaa 6 | labels: 7 | app: uaa-deployment 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - port: 8080 12 | name: http-uaa 13 | targetPort: 8080 14 | protocol: TCP 15 | selector: 16 | app: uaa-deployment 17 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/service_account.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: uaa 7 | automountServiceAccountToken: false 8 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/uaa.lib.star: -------------------------------------------------------------------------------- 1 | def signing_keys(jwt_policy): 2 | keys = {} 3 | for k in jwt_policy.keys: 4 | keys[k.keyId] = { 5 | "signingKey": k.signingKey 6 | } 7 | end 8 | 9 | return { 10 | "activeKeyId": jwt_policy.activeKeyId, 11 | "keys": keys, 12 | } 13 | end 14 | 15 | def database_connection_string(database): 16 | if database.scheme == "hsqldb": 17 | return "jdbc:hsqldb:mem:uaa" 18 | end 19 | 
return "jdbc:{}://{}:{}/{}{}".format( 20 | database.scheme, 21 | database.address, 22 | database.port, 23 | database.name, 24 | database_query_params(database.scheme)) 25 | end 26 | 27 | def database_query_params(scheme): 28 | if scheme == "postgresql": 29 | return "?sslmode=disable" 30 | elif scheme == "mysql": 31 | return "?useSSL=false" 32 | end 33 | return "" 34 | end -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/uaa.lib.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("uaa.lib.star", "signing_keys", "database_connection_string") 3 | #@ def config(): 4 | --- 5 | issuer: 6 | uri: http://localhost:8080/uaa 7 | 8 | encryption: 9 | active_key_label: CHANGE-THIS-KEY 10 | encryption_keys: 11 | - label: CHANGE-THIS-KEY 12 | passphrase: CHANGEME 13 | 14 | login: 15 | serviceProviderKey: | 16 | -----BEGIN RSA PRIVATE KEY----- 17 | MIICXQIBAAKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5 18 | L39WqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vA 19 | fpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQAB 20 | AoGAVOj2Yvuigi6wJD99AO2fgF64sYCm/BKkX3dFEw0vxTPIh58kiRP554Xt5ges 21 | 7ZCqL9QpqrChUikO4kJ+nB8Uq2AvaZHbpCEUmbip06IlgdA440o0r0CPo1mgNxGu 22 | lhiWRN43Lruzfh9qKPhleg2dvyFGQxy5Gk6KW/t8IS4x4r0CQQD/dceBA+Ndj3Xp 23 | ubHfxqNz4GTOxndc/AXAowPGpge2zpgIc7f50t8OHhG6XhsfJ0wyQEEvodDhZPYX 24 | kKBnXNHzAkEAyCA76vAwuxqAd3MObhiebniAU3SnPf2u4fdL1EOm92dyFs1JxyyL 25 | gu/DsjPjx6tRtn4YAalxCzmAMXFSb1qHfwJBAM3qx3z0gGKbUEWtPHcP7BNsrnWK 26 | vw6By7VC8bk/ffpaP2yYspS66Le9fzbFwoDzMVVUO/dELVZyBnhqSRHoXQcCQQCe 27 | A2WL8S5o7Vn19rC0GVgu3ZJlUrwiZEVLQdlrticFPXaFrn3Md82ICww3jmURaKHS 28 | N+l4lnMda79eSp3OMmq9AkA0p79BvYsLshUJJnvbk76pCjR28PK4dV1gSDUEqQMB 29 | qy45ptdwJLqLJCeNoR0JUcDNIRhOCuOPND7pcMtX6hI/ 30 | -----END RSA PRIVATE KEY----- 31 
| serviceProviderKeyPassword: password 32 | serviceProviderCertificate: | 33 | -----BEGIN CERTIFICATE----- 34 | MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO 35 | MAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO 36 | MAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h 37 | cnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx 38 | CzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM 39 | BgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb 40 | BgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN 41 | ADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W 42 | qS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw 43 | znoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha 44 | MIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc 45 | gBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD 46 | VQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD 47 | VQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh 48 | QGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ 49 | 0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC 50 | KdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK 51 | RpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0= 52 | -----END CERTIFICATE----- 53 | 54 | #! 
The secret that an external login server will use to authenticate to the uaa using the id `login` 55 | LOGIN_SECRET: loginsecret 56 | 57 | jwt: 58 | token: 59 | policy: #@ signing_keys(data.values.jwt.policy) 60 | 61 | database: 62 | maxactive: 100 63 | maxidle: 10 64 | minidle: 0 65 | removeabandoned: false 66 | logabandoned: true 67 | abandonedtimeout: 300 68 | url: #@ database_connection_string(data.values.database) 69 | username: #@ data.values.database.username 70 | password: #@ data.values.database.password 71 | #@ end 72 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/values/_values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | #! UAA Deployment Values 4 | version: "" 5 | image: "" 6 | namespace: default 7 | labels: 8 | instance: standalone 9 | partOf: uaa 10 | managedBy: kubectl 11 | 12 | resources: 13 | requests: 14 | memory: 512Mi 15 | cpu: 500m 16 | 17 | tomcat: 18 | accessLoggingEnabled: "y" 19 | 20 | #! 
UAA Application Values 21 | database: 22 | scheme: hsqldb 23 | address: ~ 24 | port: ~ 25 | name: ~ 26 | username: sa 27 | password: password 28 | 29 | jwt: 30 | policy: 31 | activeKeyId: ~ 32 | keys: [] 33 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/values/image.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | image: "cfidentity/uaa@sha256:016363eba9544ada12c16ac1e66a7e02241b1ec8074d61f5fa8fd6d7edee3d69" 4 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/_ytt_lib/github.com/cloudfoundry/uaa/k8s/templates/values/version.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | version: "74.12.0" 4 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/eirini.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:base64", "base64") 2 | #@ load("@ytt:data", "data") 3 | #@ load("@ytt:json", "json") 4 | #@ load("@ytt:library", "library") 5 | #@ load("@ytt:template", "template") 6 | 7 | #@ eirini = library.get("eirini") 8 | --- #@ template.replace(eirini.eval()) 9 | 10 | --- 11 | apiVersion: v1 12 | kind: Secret 13 | metadata: 14 | name: eirini-internal-tls-certs 15 | namespace: #@ data.values.system_namespace 16 | data: 17 | tls.crt: #@ data.values.eirini.tls.crt 18 | tls.key: #@ data.values.eirini.tls.key 19 | tls.ca: #@ data.values.system_certificate.ca 20 | 21 | #! 
Allow app traffic from the istio-ingressgateway 22 | --- 23 | apiVersion: networking.k8s.io/v1 24 | kind: NetworkPolicy 25 | metadata: 26 | name: allow-app-ingress-from-ingressgateway 27 | namespace: #@ data.values.workloads_namespace 28 | spec: 29 | podSelector: {} 30 | policyTypes: 31 | - Ingress 32 | ingress: 33 | - from: 34 | - namespaceSelector: 35 | matchLabels: 36 | cf-for-k8s.cloudfoundry.org/istio-system-ns: "" 37 | podSelector: 38 | matchLabels: 39 | istio: ingressgateway 40 | 41 | #! Add Secret to allow K8s to download app images from the provided registry 42 | #! https://github.com/cloudfoundry/cf-for-k8s/issues/74 43 | #! may want to keep this in sync with https://github.com/cloudfoundry-incubator/eirini-release/blob/master/helm/cf/templates/registry-secret.yaml 44 | --- 45 | apiVersion: v1 46 | kind: Secret 47 | metadata: 48 | name: app-registry-credentials 49 | namespace: #@ data.values.workloads_namespace 50 | type: kubernetes.io/dockerconfigjson 51 | data: 52 | #@ docker_auth = base64.encode("{}:{}".format(data.values.app_registry.username, data.values.app_registry.password)) 53 | #@ docker_creds = {"username": data.values.app_registry.username, "password": data.values.app_registry.password, "auth": docker_auth} 54 | .dockerconfigjson: #@ base64.encode(json.encode({"auths": {data.values.app_registry.hostname: docker_creds}})) 55 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/external-routing.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:overlay", "overlay") 3 | 4 | #! 
this secret contains the certificate/key combo used for the external system domain 5 | --- 6 | apiVersion: v1 7 | kind: Secret 8 | metadata: 9 | name: istio-ingressgateway-certs 10 | namespace: istio-system 11 | annotations: 12 | kapp.k14s.io/change-rule.istio-ingressgateway: "upsert before upserting istio.io/ingressgateway" 13 | data: 14 | tls.key: #@ data.values.system_certificate.key 15 | tls.crt: #@ data.values.system_certificate.crt 16 | 17 | #! the following overlay ensures the above Secret is created before the ingressgateway Deployment since we're not using SDS 18 | #@overlay/match by=overlay.subset({"kind":"DaemonSet","metadata":{"name":"istio-ingressgateway"}}) 19 | --- 20 | metadata: 21 | #@overlay/match missing_ok=True 22 | annotations: 23 | #@overlay/match missing_ok=True 24 | kapp.k14s.io/change-group: istio.io/ingressgateway 25 | 26 | #! this gateway is used to expose CF services in the cluster, externally 27 | --- 28 | apiVersion: networking.istio.io/v1alpha3 29 | kind: Gateway 30 | metadata: 31 | name: istio-ingressgateway 32 | namespace: #@ data.values.system_namespace 33 | spec: 34 | selector: 35 | istio: ingressgateway 36 | servers: 37 | - hosts: 38 | #! 
TODO: restrict this 39 | - '*' 40 | port: 41 | name: http 42 | number: 80 43 | protocol: HTTP 44 | - hosts: 45 | - '*' 46 | port: 47 | name: https 48 | number: 443 49 | protocol: HTTPS 50 | tls: 51 | mode: SIMPLE 52 | credentialName: istio-ingressgateway-certs 53 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/kapp-rebase-rules.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kapp.k14s.io/v1alpha1 3 | kind: Config 4 | 5 | rebaseRules: 6 | - path: [metadata, annotations, pv.kubernetes.io/bind-completed] 7 | type: copy 8 | sources: [existing] 9 | resourceMatchers: &pvcs 10 | - apiVersionKindMatcher: 11 | apiVersion: v1 12 | kind: PersistentVolumeClaim 13 | 14 | - path: [metadata, annotations, pv.kubernetes.io/bound-by-controller] 15 | type: copy 16 | sources: [existing] 17 | resourceMatchers: *pvcs 18 | 19 | - path: [metadata, annotations, volume.beta.kubernetes.io/storage-provisioner] 20 | type: copy 21 | sources: [existing] 22 | resourceMatchers: *pvcs 23 | 24 | - path: [spec, volumeMode] 25 | type: copy 26 | sources: [new, existing] 27 | resourceMatchers: *pvcs 28 | 29 | - path: [webhooks, {allIndexes: true}, rules] 30 | type: copy 31 | sources: [new, existing] 32 | resourceMatchers: &kpack_webhook 33 | - apiVersionKindMatcher: 34 | apiVersion: admissionregistration.k8s.io/v1beta1 35 | kind: MutatingWebhookConfiguration 36 | name: resource.webhook.kpack.pivotal.io 37 | 38 | - path: [metadata, annotations] 39 | type: copy 40 | sources: [new, existing] 41 | resourceMatchers: 42 | - apiVersionKindMatcher: 43 | apiVersion: v1 44 | kind: ServiceAccount 45 | 46 | - path: [metadata, annotations] 47 | type: copy 48 | sources: [new, existing] 49 | resourceMatchers: *kpack_webhook 50 | 51 | - path: [webhooks, {allIndexes: true}, namespaceSelector] 52 | type: copy 53 | sources: [new, existing] 54 | 
resourceMatchers: *kpack_webhook 55 | 56 | - path: [webhooks, {allIndexes: true}, clientConfig, service, path] 57 | type: copy 58 | sources: [new, existing] 59 | resourceMatchers: *kpack_webhook 60 | 61 | - path: [webhooks, {allIndexes: true}, sideEffects] 62 | type: copy 63 | sources: [new, existing] 64 | resourceMatchers: *kpack_webhook 65 | 66 | - path: [webhooks, {allIndexes: true}, timeoutSeconds] 67 | type: copy 68 | sources: [new, existing] 69 | resourceMatchers: *kpack_webhook 70 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/kpack.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:library", "library") 2 | #@ load("@ytt:template", "template") 3 | 4 | #@ kpack = library.get("github.com/pivotal/kpack") 5 | --- #@ template.replace(kpack.eval()) 6 | --- #! explanation: the blobstore's sidecar needs to accept plain text connections from kpack build init containers. 7 | #! 
see https://github.com/cloudfoundry/capi-k8s-release/issues/12 8 | apiVersion: "authentication.istio.io/v1alpha1" 9 | kind: "Policy" 10 | metadata: 11 | name: "cf-blobstore-allow-plaintext" 12 | namespace: "cf-blobstore" 13 | spec: 14 | targets: 15 | - name: cf-blobstore-minio 16 | peers: 17 | - mtls: 18 | mode: PERMISSIVE 19 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/logging.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:library", "library") 3 | #@ load("@ytt:overlay", "overlay") 4 | #@ load("@ytt:template", "template") 5 | #@ load("@ytt:base64", "base64") 6 | 7 | #@ def logging_values(): 8 | system_domain: #@ data.values.system_domain 9 | system_namespace: #@ data.values.system_namespace 10 | 11 | log_cache_ca: 12 | crt: #@ data.values.log_cache_ca.crt 13 | key: #@ data.values.log_cache_ca.key 14 | 15 | log_cache: 16 | crt: #@ data.values.log_cache.crt 17 | key: #@ data.values.log_cache.key 18 | 19 | log_cache_metrics: 20 | crt: #@ data.values.log_cache_metrics.crt 21 | key: #@ data.values.log_cache_metrics.key 22 | 23 | log_cache_gateway: 24 | crt: #@ data.values.log_cache_gateway.crt 25 | key: #@ data.values.log_cache_gateway.key 26 | 27 | log_cache_syslog: 28 | crt: #@ data.values.log_cache_syslog.crt 29 | key: #@ data.values.log_cache_syslog.key 30 | 31 | client: 32 | id: #@ data.values.log_cache_client.id 33 | secret: #@ data.values.log_cache_client.secret 34 | #@ end 35 | 36 | #@ logging = library.get("github.com/cloudfoundry/cf-k8s-logging") 37 | --- #@ template.replace(logging.with_data_values(logging_values()).eval()) 38 | 39 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/minio.yml: 
-------------------------------------------------------------------------------- 1 | #@ load("@ytt:base64", "base64") 2 | #@ load("@ytt:data", "data") 3 | #@ load("@ytt:library", "library") 4 | #@ load("@ytt:overlay", "overlay") 5 | #@ load("@ytt:template", "template") 6 | #@ load("must_exist.star", "must_exist") 7 | 8 | #@ def add_cf_blobstore_namespace(): 9 | #@overlay/match by=overlay.all, expects="1+" 10 | --- 11 | metadata: 12 | #@overlay/match missing_ok=True 13 | namespace: cf-blobstore 14 | #@ end 15 | 16 | --- 17 | apiVersion: v1 18 | kind: Namespace 19 | metadata: 20 | name: cf-blobstore 21 | 22 | #@overlay/match by=overlay.subset({"kind": "Secret", "metadata": {"name": "cf-blobstore-minio"}}) 23 | --- 24 | data: 25 | accesskey: #@ base64.encode(must_exist(data.values, "cf_blobstore.access_key")) 26 | secretkey: #@ base64.encode(must_exist(data.values, "cf_blobstore.secret_key")) 27 | 28 | --- #@ template.replace(overlay.apply(library.get("minio").eval(), add_cf_blobstore_namespace())) 29 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/must_exist.star: -------------------------------------------------------------------------------- 1 | load("@ytt:assert", "assert") 2 | 3 | def must_exist(data_values, data_value_key): 4 | value = data_values 5 | keys = data_value_key.split(".") 6 | for key in keys: 7 | value = getattr(value, key) 8 | end 9 | if len(value) == 0: 10 | assert.fail(data_value_key + " cannot be empty") 11 | end 12 | return value 13 | end 14 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/networking.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:base64", "base64") 2 | #@ load("@ytt:data", "data") 3 | #@ load("@ytt:library", "library") 4 | #@ load("@ytt:overlay", "overlay") 5 | #@ 
load("@ytt:template", "template") 6 | 7 | #@ def networking_values(): 8 | systemNamespace: #@ data.values.system_namespace 9 | workloadsNamespace: #@ data.values.workloads_namespace 10 | 11 | cfroutesync: 12 | #@ if/end data.values.images.cfroutesync: 13 | image: #@ data.values.images.cfroutesync 14 | 15 | ccCA: #@ base64.decode(data.values.system_certificate.ca) 16 | ccBaseURL: #@ "http://capi." + data.values.system_namespace + ".svc.cluster.local" 17 | uaaCA: #@ base64.decode(data.values.system_certificate.ca) 18 | uaaBaseURL: #@ "http://uaa." + data.values.system_namespace + ".svc.cluster.local:8080" 19 | clientName: "cf-k8s-networking" 20 | clientSecret: #@ data.values.uaa.admin_client_secret 21 | #@ end 22 | 23 | #@ networking = library.get("github.com/cloudfoundry/cf-k8s-networking") 24 | --- #@ template.replace(networking.with_data_values(networking_values()).eval()) 25 | 26 | #@ metacontroller = library.get("github.com/GoogleCloudPlatform/metacontroller") 27 | --- #@ template.replace(metacontroller.eval()) 28 | 29 | #! Istio Configurations 30 | 31 | #@overlay/match by=overlay.subset({"kind":"Namespace", "metadata":{"name": "istio-system"}}) 32 | --- 33 | metadata: 34 | #@overlay/match missing_ok=True 35 | labels: 36 | #@overlay/match missing_ok=True 37 | cf-for-k8s.cloudfoundry.org/istio-system-ns: "" 38 | 39 | #@ cf_namespaces = [data.values.system_namespace, data.values.workloads_namespace , "cf-db", "cf-blobstore", "metacontroller"] 40 | 41 | #! Enable istio sidecar injection on cf namespaces 42 | #@ for namespace in cf_namespaces: 43 | #@overlay/match by=overlay.subset({"metadata":{"namespace": namespace}}), expects="1+" 44 | --- 45 | metadata: 46 | #@overlay/match missing_ok=True 47 | annotations: 48 | #@overlay/match missing_ok=True 49 | kapp.k14s.io/change-rule.istio-sidecar-injector: "upsert after upserting cf-for-k8s.cloudfoundry.org/istio-sidecar-injector" 50 | #@ end 51 | 52 | #! 
Because the istio sidecar injector is a mutatingwebhook on pod create, we need to guarantee its creation before we start creating pods 53 | #! in cf namespaces. 54 | 55 | #@ for namespace in cf_namespaces: 56 | #@overlay/match by=overlay.subset({"kind": "MutatingWebhookConfiguration", "metadata":{"name": "istio-sidecar-injector"}}) 57 | --- 58 | metadata: 59 | #@overlay/match missing_ok=True 60 | annotations: 61 | #@overlay/match missing_ok=True 62 | kapp.k14s.io/change-group: cf-for-k8s.cloudfoundry.org/istio-sidecar-injector 63 | 64 | #@overlay/match by=overlay.subset({"kind":"Namespace", "metadata":{"name": namespace}}) 65 | --- 66 | metadata: 67 | #@overlay/match missing_ok=True 68 | labels: 69 | #@overlay/match missing_ok=True 70 | istio-injection: enabled 71 | #@ end 72 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/postgres.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:assert", "assert") 2 | #@ load("@ytt:base64", "base64") 3 | #@ load("@ytt:data", "data") 4 | #@ load("@ytt:library", "library") 5 | #@ load("@ytt:overlay", "overlay") 6 | #@ load("@ytt:template", "template") 7 | 8 | #@ def add_cf_db_namespace(): 9 | #@overlay/match by=overlay.all, expects="1+" 10 | --- 11 | metadata: 12 | #@overlay/match missing_ok=True 13 | namespace: cf-db 14 | #@ end 15 | 16 | --- 17 | apiVersion: v1 18 | kind: Namespace 19 | metadata: 20 | name: cf-db 21 | --- 22 | apiVersion: v1 23 | kind: Secret 24 | metadata: 25 | name: cf-db-admin-secret 26 | namespace: cf-db 27 | data: 28 | #@ if len(data.values.cf_db.admin_password) == 0: 29 | #@ assert.fail("cf_db.admin_password cannot be empty") 30 | #@ end 31 | postgresql-password: #@ base64.encode(data.values.cf_db.admin_password) 32 | 33 | #@overlay/match by=overlay.subset({"kind": "StatefulSet", "metadata":{"name":"cf-db-postgresql"}}) 34 | --- 35 | spec: 36 | 
template: 37 | spec: 38 | #@overlay/replace 39 | initContainers: [] 40 | 41 | #@overlay/match by=overlay.subset({"kind": "ConfigMap", "metadata":{"name":"cf-db-postgresql-init-scripts"}}) 42 | --- 43 | #@ ccdb = data.values.capi.database 44 | #@ uaadb = data.values.uaa.database 45 | #@yaml/text-templated-strings 46 | data: 47 | #@overlay/match missing_ok=True 48 | setup_db.sql: | 49 | CREATE DATABASE (@= ccdb.name @); 50 | CREATE ROLE (@= ccdb.user @) LOGIN PASSWORD '(@= ccdb.password @)'; 51 | CREATE DATABASE (@= uaadb.name @); 52 | CREATE ROLE (@= uaadb.user @) LOGIN PASSWORD '(@= uaadb.password @)'; 53 | init.sh: | 54 | #!/bin/bash 55 | psql -U postgres -f /docker-entrypoint-initdb.d/setup_db.sql 56 | psql -U postgres -d (@= ccdb.name @) -c "CREATE EXTENSION citext" 57 | psql -U postgres -d (@= uaadb.name @) -c "CREATE EXTENSION citext" 58 | 59 | --- #@ template.replace(overlay.apply(library.get("postgres").eval(), add_cf_db_namespace())) 60 | --- #! explanation: the capi-db's sidecar needs to accept plain text connections from capi's init container. 61 | #! 
see https://github.com/cloudfoundry/capi-k8s-release/issues/12 62 | apiVersion: "authentication.istio.io/v1alpha1" 63 | kind: "Policy" 64 | metadata: 65 | name: "cf-db-allow-plaintext" 66 | namespace: "cf-db" 67 | spec: 68 | targets: 69 | - name: cf-db-postgresql 70 | - name: cf-db-postgresql-headless 71 | peers: 72 | - mtls: 73 | mode: PERMISSIVE 74 | 75 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/system-namespace.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | --- 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: #@ data.values.system_namespace 8 | -------------------------------------------------------------------------------- /ytt-libs/cf-for-k8s/vendor/github.com/cloudfoundry/cf-for-k8s/config/workloads-namespace.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | --- 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: #@ data.values.workloads_namespace 8 | -------------------------------------------------------------------------------- /ytt-libs/external-dns/aws.lib.txt: -------------------------------------------------------------------------------- 1 | (@ load("@ytt:data", "data") @) 2 | (@ def aws_secret_payload(): -@) 3 | [default] 4 | aws_access_key_id = (@= data.values.aws.accessKey @) 5 | aws_secret_access_key = (@= data.values.aws.secretAccessKey @) 6 | (@- end @) -------------------------------------------------------------------------------- /ytt-libs/external-dns/aws.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@ load("@ytt:data", "data") 3 | #@ load("@ytt:base64", "base64") 4 | 5 | #@ load("aws.lib.txt", "aws_secret_payload") 6 | 7 | #@ if data.values.provider == "aws": 8 | --- 9 | 
apiVersion: v1 10 | kind: Secret 11 | metadata: 12 | name: external-dns-aws 13 | namespace: #@ data.values.namespace 14 | type: Opaque 15 | data: 16 | credentials: #@ base64.encode(aws_secret_payload()) 17 | 18 | #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"external-dns"}}) 19 | --- 20 | spec: 21 | template: 22 | spec: 23 | containers: 24 | #@overlay/match by=overlay.subset({"name":"external-dns"}) 25 | #@overlay/match-child-defaults missing_ok=True 26 | - args: 27 | #@overlay/append 28 | - --aws-zone-type=public 29 | env: 30 | #@overlay/append 31 | - name: AWS_SHARED_CREDENTIALS_FILE 32 | value: /.aws/credentials 33 | volumeMounts: 34 | - name: aws-credentials 35 | mountPath: /.aws 36 | readOnly: true 37 | #@overlay/match missing_ok=True 38 | volumes: 39 | - name: aws-credentials 40 | secret: 41 | secretName: external-dns-aws 42 | #@ end -------------------------------------------------------------------------------- /ytt-libs/external-dns/core.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: external-dns 5 | --- 6 | apiVersion: rbac.authorization.k8s.io/v1beta1 7 | kind: ClusterRole 8 | metadata: 9 | name: external-dns 10 | rules: 11 | - apiGroups: [""] 12 | resources: ["services"] 13 | verbs: ["get","watch","list"] 14 | - apiGroups: [""] 15 | resources: ["pods"] 16 | verbs: ["get","watch","list"] 17 | - apiGroups: ["extensions"] 18 | resources: ["ingresses"] 19 | verbs: ["get","watch","list"] 20 | - apiGroups: [""] 21 | resources: ["nodes"] 22 | verbs: ["list"] 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1beta1 25 | kind: ClusterRoleBinding 26 | metadata: 27 | name: external-dns-viewer 28 | roleRef: 29 | apiGroup: rbac.authorization.k8s.io 30 | kind: ClusterRole 31 | name: external-dns 32 | subjects: 33 | - kind: ServiceAccount 34 | name: external-dns 35 | namespace: default 36 | --- 37 | apiVersion: apps/v1 38 | kind: 
Deployment 39 | metadata: 40 | name: external-dns 41 | spec: 42 | selector: 43 | matchLabels: 44 | app: external-dns 45 | strategy: 46 | type: Recreate 47 | template: 48 | metadata: 49 | labels: 50 | app: external-dns 51 | spec: 52 | serviceAccountName: external-dns 53 | containers: 54 | - name: external-dns 55 | image: registry.opensource.zalan.do/teapot/external-dns:v0.5.18 56 | args: 57 | - --source=service 58 | - --source=ingress 59 | - --domain-filter=external-dns-test.my-org.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones 60 | - --provider=aws 61 | - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization 62 | - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both) 63 | - --registry=txt 64 | - --txt-owner-id=my-identifier -------------------------------------------------------------------------------- /ytt-libs/external-dns/ns.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: #@ data.values.namespace -------------------------------------------------------------------------------- /ytt-libs/external-dns/overlay.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@ load("@ytt:data", "data") 3 | 4 | #@ for/end kind in ["Deployment", "ServiceAccount"]: 5 | #@overlay/match by=overlay.subset({"kind": kind}),expects="1+" 6 | --- 7 | metadata: 8 | #@overlay/match missing_ok=True 9 | namespace: #@ data.values.namespace 10 | 11 | #@overlay/match by=overlay.subset({"kind": "ClusterRoleBinding", "metadata":{"name":"external-dns-viewer"}}) 12 | --- 13 | subjects: 14 | #@overlay/match by=overlay.index(0) 15 | - namespace: #@ data.values.namespace 16 | 17 | #@overlay/match 
by=overlay.subset({"kind": "ClusterRole", "metadata":{"name":"external-dns"}}) 18 | --- 19 | rules: 20 | #@overlay/append 21 | - apiGroups: [ "networking.istio.io"] 22 | resources: ["gateways"] 23 | verbs: ["get", "watch", "list" ] 24 | 25 | #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"external-dns"}}) 26 | --- 27 | spec: 28 | template: 29 | spec: 30 | containers: 31 | #@overlay/match by=overlay.subset({"name":"external-dns"}) 32 | #@overlay/match-child-defaults missing_ok=True 33 | - args: 34 | #@overlay/remove 35 | #@overlay/match by=overlay.index(5) 36 | - 37 | #@overlay/remove 38 | #@overlay/match by=overlay.index(2) 39 | - 40 | #@overlay/match by=overlay.index(2) 41 | - #@ "--provider="+data.values.provider 42 | #@overlay/match by=overlay.index(3) 43 | - --policy=sync 44 | #@ if data.values.zoneIdFilter != "": 45 | #@overlay/append 46 | - #@ "--zone-id-filter="+data.values.zoneIdFilter 47 | #@ end 48 | #@ if data.values.domainFilter != "": 49 | #@overlay/append 50 | - #@ "--domain-filter="+data.values.domainFilter 51 | #@ end 52 | #@ if data.values.enableIstio and data.values.enableIstio != "false": 53 | #@overlay/append 54 | - --source=istio-gateway 55 | #@ end -------------------------------------------------------------------------------- /ytt-libs/external-dns/validations.star: -------------------------------------------------------------------------------- 1 | load("@ytt:data", "data") 2 | load("@ytt:assert", "assert") 3 | 4 | data.values.provider or assert.fail("missing provider") 5 | 6 | if data.values.provider == "aws": 7 | data.values.aws.accessKey or assert.fail("missing aws.accessKey") 8 | end -------------------------------------------------------------------------------- /ytt-libs/external-dns/values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | namespace: external-dns 4 | domainFilter: "" 5 | provider: "" 6 | zoneIdFilter: "" 7 | enableIstio: 
false 8 | 9 | aws: 10 | accessKey: "" 11 | secretAccessKey: "" -------------------------------------------------------------------------------- /ytt-libs/nginx-ingress/controller.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: nginx-ingress-controller 7 | namespace: #@ data.values.nginx.namespace 8 | spec: 9 | replicas: 1 10 | revisionHistoryLimit: 3 11 | selector: 12 | matchLabels: 13 | app: nginx-ingress-controller 14 | template: 15 | metadata: 16 | labels: 17 | app: nginx-ingress-controller 18 | spec: 19 | serviceAccount: nginx-ingress-sa 20 | containers: 21 | - args: 22 | - /nginx-ingress-controller 23 | - "--publish-service=$(POD_NAMESPACE)/nginx-ingress-controller" 24 | - "--default-backend-service=$(POD_NAMESPACE)/default-http-backend" 25 | env: 26 | - name: POD_NAME 27 | valueFrom: 28 | fieldRef: 29 | fieldPath: metadata.name 30 | - name: POD_NAMESPACE 31 | valueFrom: 32 | fieldRef: 33 | fieldPath: metadata.namespace 34 | image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.15.0" 35 | imagePullPolicy: Always 36 | livenessProbe: 37 | httpGet: 38 | path: /healthz 39 | port: 10254 40 | scheme: HTTP 41 | initialDelaySeconds: 10 42 | timeoutSeconds: 5 43 | name: nginx-ingress-controller 44 | ports: 45 | - containerPort: 80 46 | name: http 47 | protocol: TCP 48 | - containerPort: 443 49 | name: https 50 | protocol: TCP 51 | terminationGracePeriodSeconds: 60 52 | --- 53 | apiVersion: v1 54 | kind: Service 55 | metadata: 56 | name: nginx-ingress-controller 57 | namespace: #@ data.values.nginx.namespace 58 | spec: 59 | ports: 60 | - port: 80 61 | name: http 62 | - port: 443 63 | name: https 64 | selector: 65 | app: nginx-ingress-controller 66 | type: "LoadBalancer" -------------------------------------------------------------------------------- /ytt-libs/nginx-ingress/default-backend.yml: 
-------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: default-http-backend 7 | namespace: #@ data.values.nginx.namespace 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: default-http-backend 13 | template: 14 | metadata: 15 | labels: 16 | app: default-http-backend 17 | spec: 18 | terminationGracePeriodSeconds: 60 19 | containers: 20 | - name: default-http-backend 21 | #! Any image is permissible as long as: 22 | #! 1. It serves a 404 page at / 23 | #! 2. It serves 200 on a /healthz endpoint 24 | image: gcr.io/google_containers/defaultbackend:1.4 25 | livenessProbe: 26 | httpGet: 27 | path: /healthz 28 | port: 8080 29 | scheme: HTTP 30 | initialDelaySeconds: 30 31 | timeoutSeconds: 5 32 | ports: 33 | - containerPort: 8080 34 | resources: 35 | limits: 36 | cpu: 10m 37 | memory: 20Mi 38 | requests: 39 | cpu: 10m 40 | memory: 20Mi 41 | --- 42 | apiVersion: v1 43 | kind: Service 44 | metadata: 45 | name: default-http-backend 46 | namespace: #@ data.values.nginx.namespace 47 | labels: 48 | app: default-http-backend 49 | spec: 50 | ports: 51 | - port: 80 52 | targetPort: 8080 53 | selector: 54 | app: default-http-backend -------------------------------------------------------------------------------- /ytt-libs/nginx-ingress/ns.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: #@ data.values.nginx.namespace 7 | labels: 8 | test: test1 -------------------------------------------------------------------------------- /ytt-libs/nginx-ingress/rbac-cluster.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: nginx-ingress-cluster-role 7 
| rules: 8 | - apiGroups: 9 | - "" 10 | resources: 11 | - configmaps 12 | - endpoints 13 | - nodes 14 | - pods 15 | - secrets 16 | verbs: 17 | - list 18 | - watch 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - nodes 23 | verbs: 24 | - get 25 | - apiGroups: 26 | - "" 27 | resources: 28 | - services 29 | verbs: 30 | - get 31 | - list 32 | - watch 33 | - apiGroups: 34 | - extensions 35 | resources: 36 | - ingresses 37 | verbs: 38 | - get 39 | - list 40 | - watch 41 | - apiGroups: 42 | - "" 43 | resources: 44 | - events 45 | verbs: 46 | - create 47 | - patch 48 | - apiGroups: 49 | - extensions 50 | resources: 51 | - ingresses/status 52 | verbs: 53 | - update 54 | --- 55 | apiVersion: rbac.authorization.k8s.io/v1beta1 56 | kind: ClusterRoleBinding 57 | metadata: 58 | name: nginx-ingress-cluster-role-binding 59 | roleRef: 60 | apiGroup: rbac.authorization.k8s.io 61 | kind: ClusterRole 62 | name: nginx-ingress-cluster-role 63 | subjects: 64 | - kind: ServiceAccount 65 | name: nginx-ingress-sa 66 | namespace: #@ data.values.nginx.namespace -------------------------------------------------------------------------------- /ytt-libs/nginx-ingress/rbac-ns.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | name: nginx-ingress-ns-role 7 | namespace: #@ data.values.nginx.namespace 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - configmaps 13 | - pods 14 | - secrets 15 | - namespaces 16 | verbs: 17 | - get 18 | - apiGroups: 19 | - "" 20 | resources: 21 | - configmaps 22 | resourceNames: 23 | #! Defaults to "-" 24 | #! Here: "-" 25 | #! This has to be adapted if you change either parameter 26 | #! when launching the nginx-ingress-controller. 
27 | - "ingress-controller-leader-nginx" 28 | verbs: 29 | - get 30 | - update 31 | - apiGroups: 32 | - "" 33 | resources: 34 | - configmaps 35 | verbs: 36 | - create 37 | - apiGroups: 38 | - "" 39 | resources: 40 | - endpoints 41 | verbs: 42 | - get 43 | --- 44 | apiVersion: rbac.authorization.k8s.io/v1beta1 45 | kind: RoleBinding 46 | metadata: 47 | name: nginx-ingress-ns-role-binding 48 | namespace: #@ data.values.nginx.namespace 49 | roleRef: 50 | apiGroup: rbac.authorization.k8s.io 51 | kind: Role 52 | name: nginx-ingress-ns-role 53 | subjects: 54 | - kind: ServiceAccount 55 | name: nginx-ingress-sa 56 | namespace: #@ data.values.nginx.namespace -------------------------------------------------------------------------------- /ytt-libs/nginx-ingress/service-account.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: nginx-ingress-sa 7 | namespace: #@ data.values.nginx.namespace -------------------------------------------------------------------------------- /ytt-libs/nginx-ingress/values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | nginx: 4 | namespace: default -------------------------------------------------------------------------------- /ytt-libs/tmc-privileges/binding.yml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: privileged-cluster-role-binding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: vmware-system-tmc-psp-privileged 9 | subjects: 10 | - apiGroup: rbac.authorization.k8s.io 11 | kind: Group 12 | name: system:authenticated -------------------------------------------------------------------------------- /ytt-libs/welcome-app/deployment.yml: 
-------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:assert", "assert") 3 | 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: #@ data.values.namespace 8 | --- 9 | apiVersion: apps/v1 10 | kind: Deployment 11 | metadata: 12 | name: nginx-deployment 13 | namespace: #@ data.values.namespace 14 | spec: 15 | selector: 16 | matchLabels: 17 | app: nginx 18 | replicas: 2 19 | template: 20 | metadata: 21 | labels: 22 | app: nginx 23 | spec: 24 | containers: 25 | - name: nginx 26 | image: nginx:1.14.2 27 | ports: 28 | - containerPort: 80 29 | --- 30 | apiVersion: v1 31 | kind: Service 32 | metadata: 33 | name: nginx 34 | namespace: #@ data.values.namespace 35 | spec: 36 | ports: 37 | - port: 80 38 | name: http 39 | selector: 40 | app: nginx 41 | --- 42 | apiVersion: networking.k8s.io/v1beta1 43 | kind: Ingress 44 | metadata: 45 | name: nginx 46 | namespace: #@ data.values.namespace 47 | annotations: 48 | kubernetes.io/ingress.class: "nginx" 49 | spec: 50 | rules: 51 | - host: #@ data.values.ingressDomain or assert.fail("missing ingressDomain") 52 | http: 53 | paths: 54 | - path: / 55 | backend: 56 | serviceName: nginx 57 | servicePort: 80 -------------------------------------------------------------------------------- /ytt-libs/welcome-app/values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | namespace: welcome-app 4 | ingressDomain: "" --------------------------------------------------------------------------------