Merge pull request #875 from cloud-gov/main

update branch

.gitignore

@@ -25,8 +25,9 @@ jwt_*
 # Python
 __pycache__/
 *.py[cod]
+venv
 
 # Python Environments
 .venv
 .terraform
-.terraform.lock.hcl
+.terraform.lock.hcl

CODEOWNERS

@@ -0,0 +1,2 @@
+* @cloud-gov/platform-ops
+

bosh/opsfiles/clients.yml

@@ -67,7 +67,7 @@
     authorized-grant-types: authorization_code,client_credentials
     authorities: scim.read,password.write,uaa.admin,uaa.resource
     access-token-validity: 600
-    refresh-token-validity: 259200
+    refresh-token-validity: 43200
     redirect-uri: https://account.((system_domain))/oauth/login
     name: Invite Users
     autoapprove: true
@@ -134,7 +134,7 @@
     scope: cloud_controller.read,oauth.approvals,openid,scim.userids
     authorized-grant-types: authorization_code,refresh_token
     access-token-validity: 600
-    refresh-token-validity: 259200
+    refresh-token-validity: 43200
     name: Logsearch
     redirect-uri: https://logs.((system_domain))/login
     autoapprove: true
@@ -149,7 +149,7 @@
     authorized-grant-types: authorization_code,client_credentials,refresh_token
     authorities: uaa.none
     access-token-validity: 600
-    refresh-token-validity: 259200
+    refresh-token-validity: 43200
     name: "Dashboard"
     autoapprove: true
     show-on-homepage: true
@@ -175,10 +175,25 @@
     authorities: scim.userids,scim.invite,scim.read
     redirect-uri: https://cg-ui.((system_domain))/auth/login/callback
 
+- type: replace
+  path: /variables/-
+  value:
+    name: external-domain-broker-client-secret
+    type: password
+
+- type: replace
+  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/external-domain-broker?
+  value:
+    override: true
+    authorized-grant-types: client_credentials,refresh_token
+    secret: ((external-domain-broker-client-secret))
+    scope: uaa.none
+    authorities: cloud_controller.global_auditor
+
 # Update existing clients
 - type: replace
   path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/cf/access-token-validity
   value: 600
 - type: replace
   path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/cf/refresh-token-validity
-  value: 259200
+  value: 43200

bosh/opsfiles/diego-cell-consumes-provides.yml

@@ -0,0 +1,34 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
+# Needed because the isolation segment(s) exist
+# Use distinct vxlan policy links for tenant cells
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/provides?/vpa
+  value: {as: vpa-tenant}
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=silk-daemon/consumes?/vpa
+  value: {from: vpa-tenant}
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=silk-cni/consumes?/vpa
+  value: {from: vpa-tenant}
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/consumes?/iptables
+  value: {from: iptables-tenant}
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=silk-daemon/consumes?/iptables
+  value: {from: iptables-tenant}
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=netmon/consumes?/iptables
+  value: {from: iptables-tenant}
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=garden/provides?/iptables
+  value: {as: iptables-tenant}
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/consumes?/cni_config
+  value: {from: cni_config_tenant}
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=silk-cni/provides?/cni_config
+  value: {as: cni_config_tenant}
+

bosh/opsfiles/diego-cell-disk.yml

@@ -1,3 +1,7 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
 - type: replace
   path: /instance_groups/name=diego-cell/vm_extensions/0
   value: 300GB_ephemeral_disk

bosh/opsfiles/diego-cpu-entitlement-diego-cell.yml

@@ -0,0 +1,14 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
+### This makes sure that absolute-cpu-entitlement is still emitting in addition to newer cpu_entitlement
+- type: remove
+  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/loggregator/app_metric_exclusion_filter
+
+- type: remove
+  path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/loggregator/app_metric_exclusion_filter
+
+- type: remove
+  path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/properties/loggregator/app_metric_exclusion_filter
+

bosh/opsfiles/diego-cpu-entitlement.yml

@@ -1,12 +1,4 @@
 ---
-- type: remove
-  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/loggregator/app_metric_exclusion_filter
-
-- type: remove
-  path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/loggregator/app_metric_exclusion_filter
-
-- type: remove
-  path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/properties/loggregator/app_metric_exclusion_filter
 
 - type: remove
   path: /instance_groups/name=diego-api/jobs/name=bbs/properties/loggregator/app_metric_exclusion_filter

bosh/opsfiles/diego-rds-certs.yml → bosh/opsfiles/diego-rds-certs-diego-cell.yml

@@ -1,6 +1,10 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
 - type: replace
   path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs4-rootfs-setup/properties/cflinuxfs4-rootfs?/trusted_certs/-
-  value: &rds-ca |-
+  value: |-
     # rds-ca-2015-root.pem - expired 3/2020 but still in use some instances
     -----BEGIN CERTIFICATE-----
     MIID9DCCAtygAwIBAgIBQjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx
@@ -258,6 +262,4 @@
     -----END CERTIFICATE-----
 
 
-- type: replace
-  path: /instance_groups/name=diego-platform-cell/jobs/name=cflinuxfs4-rootfs-setup/properties/cflinuxfs4-rootfs?/trusted_certs/-
-  value: *rds-ca
+

bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml

@@ -0,0 +1,18 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
+# This file exists to remove CredHub Secured Service Credential Delivery which
+# is now on by default in cf-deployment >=4.x.
+
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/trusted_ca_certificates
+  value:
+    - ((diego_instance_identity_ca.ca))
+    - ((uaa_ssl.ca))
+
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs4-rootfs-setup/properties/cflinuxfs4-rootfs/trusted_certs
+  value:
+    - ((diego_instance_identity_ca.ca))
+    - ((uaa_ssl.ca))

bosh/opsfiles/disable-secure-service-credentials.yml

@@ -31,24 +31,6 @@
 - type: remove
   path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/credhub_api
 
-- type: replace
-  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/trusted_ca_certificates
-  value:
-    - ((application_ca.certificate))
-    - ((uaa_ca.certificate))
-
 - type: remove
   path: /variables/name=uaa_clients_cc_service_key_client_secret
 
-####This shouldn't have ever been here?
-####- type: replace
-####  path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs3-rootfs-setup/properties/cflinuxfs3-rootfs/trusted_certs
-####  value:
-####    - ((diego_instance_identity_ca.ca))
-####    - ((uaa_ssl.ca))
-
-- type: replace
-  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/trusted_ca_certificates
-  value:
-    - ((diego_instance_identity_ca.ca))
-    - ((uaa_ssl.ca))

bosh/opsfiles/log-levels-diego-cell.yml

@@ -0,0 +1,15 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/log_level?
+  value: error
+
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/diego/rep/log_level?
+  value: error
+
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/diego/route_emitter/log_level?
+  value: error

bosh/opsfiles/log-levels.yml

@@ -1,15 +1,3 @@
-- type: replace
-  path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/log_level?
-  value: error
-
-- type: replace
-  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/diego/rep/log_level?
-  value: error
-
-- type: replace
-  path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/diego/route_emitter/log_level?
-  value: error
-
 - type: replace
   path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/security_event_logging?/enabled
   value: true

bosh/opsfiles/meta-data-v2-diego-cell.yml

@@ -0,0 +1,7 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
+- type: replace
+  path: /instance_groups/name=diego-cell/vm_extensions/-
+  value: meta-data-v2

bosh/opsfiles/pin-capi.yml

@@ -0,0 +1,18 @@
+# Pin CAPI because of valkey
+- type: replace
+  path: /releases/name=capi
+  value:
+    name: capi
+    version: 1.183.0
+    url: https://bosh.io/d/github.com/cloudfoundry/capi-release?v=1.183.0
+    sha1: fceb5095f6ffc975fe12e0cc36daca00a3cf4db4
+
+# Switch to Redis
+- type: remove
+  path: /instance_groups/name=api/jobs/name=valkey
+
+- type: replace
+  path: /instance_groups/name=api/jobs/-
+  value:
+    name: redis
+    release: capi