diff --git a/bosh/opsfiles/diego-cell-consumes-provides.yml b/bosh/opsfiles/diego-cell-consumes-provides.yml
index 58a7c3bc..60ac239a 100644
--- a/bosh/opsfiles/diego-cell-consumes-provides.yml
+++ b/bosh/opsfiles/diego-cell-consumes-provides.yml
@@ -1,3 +1,7 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
 # Needed because the isolation segment(s) exist
 # Use distinct vxlan policy links for tenant cells
 - type: replace
diff --git a/bosh/opsfiles/diego-cell-disk.yml b/bosh/opsfiles/diego-cell-disk.yml
index d964f5de..2f7a151d 100644
--- a/bosh/opsfiles/diego-cell-disk.yml
+++ b/bosh/opsfiles/diego-cell-disk.yml
@@ -1,3 +1,7 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
 - type: replace
 path: /instance_groups/name=diego-cell/vm_extensions/0
 value: 300GB_ephemeral_disk
diff --git a/bosh/opsfiles/diego-cpu-entitlement-diego-cell.yml b/bosh/opsfiles/diego-cpu-entitlement-diego-cell.yml
index a93b5822..7878bb01 100644
--- a/bosh/opsfiles/diego-cpu-entitlement-diego-cell.yml
+++ b/bosh/opsfiles/diego-cpu-entitlement-diego-cell.yml
@@ -1,4 +1,8 @@
----
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
+### This makes sure that absolute-cpu-entitlement is still emitting in addition to newer cpu_entitlement
 - type: remove
 path: /instance_groups/name=diego-cell/jobs/name=rep/properties/loggregator/app_metric_exclusion_filter
@@ -8,5 +12,3 @@
 - type: remove
 path: /instance_groups/name=diego-cell/jobs/name=vxlan-policy-agent/properties/loggregator/app_metric_exclusion_filter
-
-### This makes sure that absolute-cpu-entitlement is still emitting in addition to newer cpu_entitlement
\ No newline at end of file
diff --git a/bosh/opsfiles/diego-rds-certs-diego-cell.yml b/bosh/opsfiles/diego-rds-certs-diego-cell.yml
index e746193a..5914e71c 100644
--- a/bosh/opsfiles/diego-rds-certs-diego-cell.yml
+++ b/bosh/opsfiles/diego-rds-certs-diego-cell.yml
@@ -1,3 +1,7 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
 - type: replace
 path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs4-rootfs-setup/properties/cflinuxfs4-rootfs?/trusted_certs/-
 value: |-
diff --git a/bosh/opsfiles/diego-rds-certs.yml b/bosh/opsfiles/diego-rds-certs.yml
deleted file mode 100644
index 319a3f4b..00000000
--- a/bosh/opsfiles/diego-rds-certs.yml
+++ /dev/null
@@ -1,260 +0,0 @@ -- type: replace - path: /instance_groups/name=diego-platform-cell/jobs/name=cflinuxfs4-rootfs-setup/properties/cflinuxfs4-rootfs?/trusted_certs/- - value: |- - # rds-ca-2015-root.pem - expired 3/2020 but still in use some instances - -----BEGIN CERTIFICATE----- - MIID9DCCAtygAwIBAgIBQjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx - EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoM - GUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMx - GzAZBgNVBAMMEkFtYXpvbiBSRFMgUm9vdCBDQTAeFw0xNTAyMDUwOTExMzFaFw0y - MDAzMDUwOTExMzFaMIGKMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv - bjEQMA4GA1UEBwwHU2VhdHRsZTEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNl - cywgSW5jLjETMBEGA1UECwwKQW1hem9uIFJEUzEbMBkGA1UEAwwSQW1hem9uIFJE - UyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuD8nrZ8V - u+VA8yVlUipCZIKPTDcOILYpUe8Tct0YeQQr0uyl018StdBsa3CjBgvwpDRq1HgF - Ji2N3+39+shCNspQeE6aYU+BHXhKhIIStt3r7gl/4NqYiDDMWKHxHq0nsGDFfArf - AOcjZdJagOMqb3fF46flc8k2E7THTm9Sz4L7RY1WdABMuurpICLFE3oHcGdapOb9 - T53pQR+xpHW9atkcf3pf7gbO0rlKVSIoUenBlZipUlp1VZl/OD/E+TtRhDDNdI2J - P/DSMM3aEsq6ZQkfbz/Ilml+Lx3tJYXUDmp+ZjzMPLk/+3beT8EhrwtcG3VPpvwp - BIOqsqVVTvw/CwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw - AwEB/zAdBgNVHQ4EFgQUTgLurD72FchM7Sz1BcGPnIQISYMwHwYDVR0jBBgwFoAU - TgLurD72FchM7Sz1BcGPnIQISYMwDQYJKoZIhvcNAQEFBQADggEBAHZcgIio8pAm - MjHD5cl6wKjXxScXKtXygWH2BoDMYBJF9yfyKO2jEFxYKbHePpnXB1R04zJSWAw5 - 2EUuDI1pSBh9BA82/5PkuNlNeSTB3dXDD2PEPdzVWbSKvUB8ZdooV+2vngL0Zm4r - 47QPyd18yPHrRIbtBtHR/6CwKevLZ394zgExqhnekYKIqqEX41xsUV0Gm6x4vpjf - 2u6O/+YE2U+qyyxHE5Wd5oqde0oo9UUpFETJPVb6Q2cEeQib8PBAyi0i6KnF+kIV - A9dY7IHSubtCK/i8wxMVqfd5GtbA8mmpeJFwnDvm9rBEsHybl08qlax9syEwsUYr - /40NawZfTUU= - -----END CERTIFICATE----- - # rds-ca-2012-us-gov-west-1.pem - expired 8/17 but still in use some instances - -----BEGIN CERTIFICATE----- - MIIDQzCCAqygAwIBAgIJAMGs6m/j+u8sMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV - BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRMw - 
EQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNSRFMxHDAaBgNVBAMTE2F3cy5h - bWF6b24uY29tL3Jkcy8wHhcNMTIwODE2MDY0MjAwWhcNMTcwODE1MDY0MjAwWjB1 - MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh - dHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEMMAoGA1UECxMDUkRTMRwwGgYDVQQD - ExNhd3MuYW1hem9uLmNvbS9yZHMvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB - gQCnTB7AkRR4xuhfAuOt5foNeCRBPeUujkzmJu1yfnTbtFi+g7zmovQ9BJcRoPYL - 45McnXyaT/7UjhJhCI5gnYlTIyBTRFh7lXFJryypFx8AIh6q3D/ht8b6cVro3sJ2 - k4x1w/c7akKKsZJtf0ZyhbMvNnBz3K3TWVB6c9DChbfyUQIDAQABo4HaMIHXMB0G - A1UdDgQWBBS/OwyfNJHDnAmnZBbq9ACiXz7O1jCBpwYDVR0jBIGfMIGcgBS/Owyf - NJHDnAmnZBbq9ACiXz7O1qF5pHcwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh - c2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20x - DDAKBgNVBAsTA1JEUzEcMBoGA1UEAxMTYXdzLmFtYXpvbi5jb20vcmRzL4IJAMGs - 6m/j+u8sMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACR37LqHlzjSH - 9gHCaiVJgCb0CCxSg3PHaQuv8h4ugAqQpGxpX3Zo97VgHnjEve21gXA74kzGUUAo - 7YNTZWbF2VkHUDqekXimvL3q1JEvHDKPkLJrxEic1zTU1uazb9uJeb1aVWTq6N8R - bx56xd/e3o7RYcPfLD45y7RRXKz3AmE= - -----END CERTIFICATE----- - # rds-ca-bundle-us-gov-west-1.pem - expires 5/22 - -----BEGIN CERTIFICATE----- - MIIECjCCAvKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlVT - MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK - DBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRT - MSQwIgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwHhcNMTcwNTE5 - MjIzMTE5WhcNMjIwNTE4MTIwMDAwWjCBkzELMAkGA1UEBhMCVVMxEzARBgNVBAgM - Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoMGUFtYXpvbiBX - ZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxJDAiBgNVBAMM - G0FtYXpvbiBSRFMgdXMtZ292LXdlc3QtMSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD - ggEPADCCAQoCggEBAM8YZLKAzzOdNnoi7Klih26Zkj+OCpDfwx4ZYB6f8L8UoQi5 - 8z9ZtIwMjiJ/kO08P1yl4gfc7YZcNFvhGruQZNat3YNpxwUpQcr4mszjuffbL4uz - +/8FBxALdqCVOJ5Q0EVSfz3d9Bd1pUPL7ARtSpy7bn/tUPyQeI+lODYO906C0TQ3 - b9bjOsgAdBKkHfjLdsknsOZYYIzYWOJyFJJa0B11XjDUNBy/3IuC0KvDl6At0V5b - 
8M6cWcKhte2hgjwTYepV+/GTadeube1z5z6mWsN5arOAQUtYDLH6Aztq9mCJzLHm - RccBugnGl3fRLJ2VjioN8PoGoN9l9hFBy5fnFgsCAwEAAaNmMGQwDgYDVR0PAQH/ - BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFEG7+br8KkvwPd5g - 71Rvh2stclJbMB8GA1UdIwQYMBaAFEkQz6S4NS5lOYKcDjBSuCcVpdzjMA0GCSqG - SIb3DQEBCwUAA4IBAQBMA327u5ABmhX+aPxljoIbxnydmAFWxW6wNp5+rZrvPig8 - zDRqGQWWr7wWOIjfcWugSElYtf/m9KZHG/Z6+NG7nAoUrdcd1h/IQhb+lFQ2b5g9 - sVzQv/H2JNkfZA8fL/Ko/Tm/f9tcqe0zrGCtT+5u0Nvz35Wl8CEUKLloS5xEb3k5 - 7D9IhG3fsE3vHWlWrGCk1cKry3j12wdPG5cUsug0vt34u6rdhP+FsM0tHI15Kjch - RuUCvyQecy2ZFNAa3jmd5ycNdL63RWe8oayRBpQBxPPCbHfILxGZEdJbCH9aJ2D/ - l8oHIDnvOLdv7/cBjyYuvmprgPtu3QEkbre5Hln/ - -----END CERTIFICATE----- - # Amazon RDS GovCloud Root CA - expires 5/22 - -----BEGIN CERTIFICATE----- - MIIEDjCCAvagAwIBAgIJAMM61RQn3/kdMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD - VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi - MCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1h - em9uIFJEUzEkMCIGA1UEAwwbQW1hem9uIFJEUyBHb3ZDbG91ZCBSb290IENBMB4X - DTE3MDUxOTIyMjkxMVoXDTIyMDUxODIyMjkxMVowgZMxCzAJBgNVBAYTAlVTMRAw - DgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQKDBlB - bWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMSQw - IgYDVQQDDBtBbWF6b24gUkRTIEdvdkNsb3VkIFJvb3QgQ0EwggEiMA0GCSqGSIb3 - DQEBAQUAA4IBDwAwggEKAoIBAQDGS9bh1FGiJPT+GRb3C5aKypJVDC1H2gbh6n3u - j8cUiyMXfmm+ak402zdLpSYMaxiQ7oL/B3wEmumIpRDAsQrSp3B/qEeY7ipQGOfh - q2TXjXGIUjiJ/FaoGqkymHRLG+XkNNBtb7MRItsjlMVNELXECwSiMa3nJL2/YyHW - nTr1+11/weeZEKgVbCUrOugFkMXnfZIBSn40j6EnRlO2u/NFU5ksK5ak2+j8raZ7 - xW7VXp9S1Tgf1IsWHjGZZZguwCkkh1tHOlHC9gVA3p63WecjrIzcrR/V27atul4m - tn56s5NwFvYPUIx1dbC8IajLUrepVm6XOwdQCfd02DmOyjWJAgMBAAGjYzBhMA4G - A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRJEM+kuDUu - ZTmCnA4wUrgnFaXc4zAfBgNVHSMEGDAWgBRJEM+kuDUuZTmCnA4wUrgnFaXc4zAN - BgkqhkiG9w0BAQsFAAOCAQEAcfA7uirXsNZyI2j4AJFVtOTKOZlQwqbyNducnmlg - /5nug9fAkwM4AgvF5bBOD1Hw6khdsccMwIj+1S7wpL+EYb/nSc8G0qe1p/9lZ/mZ - 
ff5g4JOa26lLuCrZDqAk4TzYnt6sQKfa5ZXVUUn0BK3okhiXS0i+NloMyaBCL7vk - kDwkHwEqflRKfZ9/oFTcCfoiHPA7AdBtaPVr0/Kj9L7k+ouz122huqG5KqX0Zpo8 - S0IGvcd2FZjNSNPttNAK7YuBVsZ0m2nIH1SLp//00v7yAHIgytQwwB17PBcp4NXD - pCfTa27ng9mMMC2YLqWQpW4TkqjDin2ZC+5X/mbrjzTvVg== - -----END CERTIFICATE----- - # rds-ca-bundle-us-gov-east-1.pem - expires 7/23 - -----BEGIN CERTIFICATE----- - MIIEAjCCAuqgAwIBAgIJANmdqLPF/hNbMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD - VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi - MCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1h - em9uIFJEUzEeMBwGA1UEAwwVQW1hem9uIFJEUyBDTiBSb290IENBMB4XDTE4MDcy - ODAwNTIyNloXDTIzMDcyNzAwNTIyNlowgY0xCzAJBgNVBAYTAlVTMRAwDgYDVQQH - DAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQKDBlBbWF6b24g - V2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMR4wHAYDVQQD - DBVBbWF6b24gUkRTIENOIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw - ggEKAoIBAQCuwuQHbUOevOTFx49xrBLDXHP9P7LR7n5t18tWLG/dB8ouXcpmUIk8 - XFgN3GXtfuHTheOaXhAZqzTCYza7gUP6KXHCN/dOoXqgaaOJbpVwnitLHHUt5maA - cgwRtLZTteyT92wGG2leb8WgA6MZTGx09In0D31OEwa5NbbAzVBClZgMbV/6D9IE - +/GUuu7qmGXXcj24Vnsem7L6Us8zmEO3sT9hCj1yldHyluwj1eSUaIv1NQ0M4iO5 - 2a1W8TmXGFgGMth2uFax6APVk++pB6kJoKGhgm49+IFLVnSzwMqNut0RC/nTCMXS - hDntHe7QiaWnhrU9zpYh5VmLu37n6lg7AgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIB - BjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTPi7UAEXJ3JaMf3Yh4didZKro5 - /TAfBgNVHSMEGDAWgBTPi7UAEXJ3JaMf3Yh4didZKro5/TANBgkqhkiG9w0BAQsF - AAOCAQEAgXyl/JSg6D9hnGjhD+cdEIgnKV4L7VVpY396IHFT+m0y3VupAsEC98XY - nB9lWKW0ALj2JxqKQOtJe6ZposMAnWZ+WctPQKdUnDyKT7/uZf/WMo/Lfs+IaiV4 - Dii9HcvdGPMO5qlMzeH4zGCl/QvtVp5mwaxfkqTCWBkxApb0gdhHaMYyH+J//e0O - CS4sR6S95R2d+OXsGEd3Se2BoKaL3KQGpIoI85lwt8l+YRd+O7Ig0taEE1T1SVAY - rirVdtCyK+dEDq2xKoyR79VesgiPKTMcJPou6gXdeezJE1nL8te47yZlJFoAUL6v - EP9EpISn/Jp+QPoFSUFL/FssWEfdLw== - -----END CERTIFICATE----- - # Amazon RDS us-gov-east-1 CA - expires 6/22 - -----BEGIN CERTIFICATE----- - MIIEBDCCAuygAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAlVT - 
MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK - DBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRT - MR4wHAYDVQQDDBVBbWF6b24gUkRTIENOIFJvb3QgQ0EwHhcNMTgwNzI4MDA1MjMz - WhcNMjIwNjAxMTIwMDAwWjCBkzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hp - bmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2Vy - dmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxJDAiBgNVBAMMG0FtYXpv - biBSRFMgdXMtZ292LWVhc3QtMSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC - AQoCggEBANcmOUZZiG+PdIVFlXpCrWmMrDZaU7tlou3B/bH1ECT/nFkLBncLrXJ/ - VItIsEoiKbjtqikuxfOuTOEtlreH4OCogS1fam1I8IYWTcXe1YwFXVfDRVauw9Mr - Up+Ng0iaoZX4ACjHEgDE5Vr7zh69U3S8+NIWO5mRJQJb3QHXCedp3lKOLXOdEzcZ - VT+IfgpFXTpi7+PXK8RVAFrWV6fKLjFYNzFHcaQz1nH/tH1dQCGm+OMOIaTAQ0vQ - jV1iBwoAbzwayvLCil7sGMsKp8t5gWj08NU4KFY1YlA+vvam3HeZV3xDjKyY0YIO - f47+wL3WBwock/0cz7nJo+zZMSPLxJMCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgEG - MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFBpaY4ioEu0rZrIPWaevervN - X6s/MB8GA1UdIwQYMBaAFM+LtQARcnclox/diHh2J1kqujn9MA0GCSqGSIb3DQEB - CwUAA4IBAQBvUChSX19imujJHUqoJUfUFj1tSFhgZSm8av4F98KKIoJIxA9bIF9R - 8tSkLWRTZEXaBlmol7UXbMUDQUMmYNuST41bI2/4VQqMHg526Ja/MbfHVrYqiXUK - vmeF525/PTH9H1B2LvUNuwmO0S+tl0jwKL0dMHn62Giz8u6sGgOmwfhbJohUq3CD - KuwHwfZXlg0yiA7OSEUAGe9RK0MpoVppKF/lotEzcIcilStfEZQce4h3q2/rAc5d - e7tNxfZRKhtuGPR5/G0Z3j5z8yQMRZxnCDbq6JvE3vUggWSjBNXoSlhvzj6BiEBy - B4rKazWN1OzrKIX0yoiXx6SgtooVPx0k - -----END CERTIFICATE----- - # Amazon RDS us-gov-east-1 Root CA ECC384 G1 - expires 5/2121 - -----BEGIN CERTIFICATE----- - MIICtjCCAjugAwIBAgIQCojG1Zix0YArC/bBkU7eOjAKBggqhkjOPQQDAzCBmjEL - MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x - EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpBbWF6 - b24gUkRTIHVzLWdvdi1lYXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcM - B1NlYXR0bGUwIBcNMjEwNTI2MjIyODU4WhgPMjEyMTA1MjYyMzI4NThaMIGaMQsw - CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET - MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFtYXpv - 
biBSRFMgdXMtZ292LWVhc3QtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH - U2VhdHRsZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABKZfn/XfCIlHTE/YF5lH9D2h - H71kG3RaC92hBPbyncbDMf2Q7JeYwhknKahWmSO/EP0Nj+9iCFimT/Jb9o9ykkKl - gOvv/M6SQAuKsC/24PxwC8QV1miuTMUd7fGhNjQUHKNCMEAwDwYDVR0TAQH/BAUw - AwEB/zAdBgNVHQ4EFgQUniTlDl2igVgummx44YNMd5t4mMgwDgYDVR0PAQH/BAQD - AgGGMAoGCCqGSM49BAMDA2kAMGYCMQCSb8X09cnFdS90i1nqRLhancNU8bCFoI86 - hqyctq0ftvXXmEe0bA+JnpIm5p/UKUUCMQCYYYQFfkeZtD4SOxSIE+WzfghJFaAq - /s17Q6LU2tCl4/csuzsTAl/vCc0JVynH340= - -----END CERTIFICATE----- - # Amazon RDS us-gov-east-1 Root CA RSA4096 G1 - expires 5/2121 - -----BEGIN CERTIFICATE----- - MIIGBjCCA+6gAwIBAgIQaoLp1Iv1/fO7VY8+oWlsgjANBgkqhkiG9w0BAQwFADCB - mzELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu - Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTQwMgYDVQQDDCtB - bWF6b24gUkRTIHVzLWdvdi1lYXN0LTEgUm9vdCBDQSBSU0E0MDk2IEcxMRAwDgYD - VQQHDAdTZWF0dGxlMCAXDTIxMDUyNjIyMjMwNloYDzIxMjEwNTI2MjMyMzA2WjCB - mzELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu - Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTQwMgYDVQQDDCtB - bWF6b24gUkRTIHVzLWdvdi1lYXN0LTEgUm9vdCBDQSBSU0E0MDk2IEcxMRAwDgYD - VQQHDAdTZWF0dGxlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsiIo - 3SyckN+EuZZLEcIgGyfqlO1AuVh2MF+dCrIxvuX9L+Nv6hLck9ArKVIuGotkp3im - 37BzilxaY+3GI+FkMq7aQo9TLYHKX78ZVqMGBWIuIskm/iwHgFtoscecGEwRekLc - Hswl1Odi4y/vmLTHgZIar8fIEB6OIhUO9q0fT9zY+LX9IuH51NjaePsbMHxksrmm - tbmz1zqUsANu/0bG73B1vMfRs3DmCesm+v8hlBDVawla4zPY9/f8pnpIwfOeEjKw - M+llHdLALFjNV4BCdOuwCl0O2XtSX8450knBxsEA5iXoGkZXc6GrsEq7pK6ZZ/7W - /08ejAMrS36Hi3bEYB/RLiG9X6yGgy5QRn7vnXDxFX9DaZID9k1SUbzP8YidGtDc - UnyeQ7gkJQazrPSn71bnNLiL2H3DW6dPxaZwTotLVpXn4WbNtei9zfP0gl5B86CX - 35Ac4NP/6QAdgUeSJ/1sX+IIf3N65NkXWcOtpDIrvseLXyeNxWne27oUNPJ0wgE2 - /2vNlvbXpNIERNcxCYTzgVHMQ9T2rJdrSeyzRpcGF8NODHGPOmc9XI6WWWvrs9kI - 9sCd6LZZ+ViAZPLAwd4k7vttMX5tAXtRREREaqClr5mG/G/lQ+V3GacBR8Z7/i9Y - St+ETUgxPLoiVtoQmiBigj/u8WeYlMDtw9koUxcCAwEAAaNCMEAwDwYDVR0TAQH/ - 
BAUwAwEB/zAdBgNVHQ4EFgQUHamNV9Qjt8qSO4R8YI9jX7QABIUwDgYDVR0PAQH/ - BAQDAgGGMA0GCSqGSIb3DQEBDAUAA4ICAQCiqAqTb+r4proOPxDjpuOBLaxhqGkC - aU3uBi8iUBiw/8tgVXVeqIrmUNI3t8cMWySYjPcL3Pkaui6lV2kX3XUV9QrAWaFC - Za+nuZNlmLvV27KrvEh9KhW9kqsudibq7fGYureVuEi1JtCczp6JlBzSA+m1a0Nh - y/rRRHQ0g/uoEnIdQrqdJL4pBBLdgSLOFD/O56obO0uoRq1x60g67+J5d3OGfRSW - kb8lR2Ub6HlcD+WDnpLtxyQDSkyK5pFjRKmljxQIZ9FcQfG4P8tXkef130Kbr6ZA - caMKRUtj4FjozuuHi0E7Tv/vujjhg1vEjK471uM5ZHpEqUQaxLo9MbJZJl5SfFum - RSut5ebM/NQnhF+RES08xOG1UFoIjSZ4cmAaA8ggn+vjsBBZitWJ1jc4pk6MhySA - qRJuMeYVCNK/dNCYk/me+Z8y6KvNl6ih00A2RQDlVFySH3Lvo2MGMX/F3qJTUlWX - YWKEslCGhte7755AFgfa9dMKv5ir8tg6NdOLVgSQVU3rVv0F2XM7URxkNtaczgC+ - rSX682gTqnZcK2hrWy2cuktN1N8i0FqX1n8tNLQwpeDvcJXgoVATsZUb6aDHmTJR - k+8N+RsNwC/hHzKs2Vj4YKNP8MelxWcgtu0/QJAtq1/4YFMRY7qv1pCfcQGfg8Sx - JFiKTJMbfPV2uQ== - -----END CERTIFICATE----- - #New certs 2/22 - #Amazon RDS us-gov-west-1 Root CA RSA4096 G1 - expires 5/2121 - -----BEGIN CERTIFICATE----- - MIIGBzCCA++gAwIBAgIRAOzQCoOR21YG2noWOfFcuNIwDQYJKoZIhvcNAQEMBQAw - gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ - bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr - QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G - A1UEBwwHU2VhdHRsZTAgFw0yMTA1MjYyMTQ0MzlaGA8yMTIxMDUyNjIyNDQzOVow - gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ - bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr - QW1hem9uIFJEUyB1cy1nb3Ytd2VzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4G - A1UEBwwHU2VhdHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwY - M2iZdnnlMutI9nfn2fWBICAQHWmMmpPmtSka/ziBFyaCxkHDF8RLmooW+GLe+FEF - 9CQKSVqRa7X5AFiqRFF1KvgxWvazawyScuw88JW6Eqhaw0Rlm2p1Iow3TE8FSCDo - Is1vEV3Brbf26CMiXbqI+aCuTOy0fjRzjl5igViTgZxt2ZXOwyKkF+2T8LQp4b4F - Mh85Ctw1An1DhAemsc3SmcYnPKyFUP90DxGuTjFtfNR01GbBtVYwVvOBgIJe59Zs - OWcEFOO2mU53Ik6oKcLYu4+PmE5aDvQewb6bkQZchClb7Eg0BPYekWwTPsKUTS3H - bgdwVxgzjdAdU9fvaaoQmS9xdHWlonKq8CubJdLUduV3WVmDAg7MQgiT3p8JF9W2 - 
KbQpUbYxqd7j9OIe3IS3rVPwYA8PVh1hUJ+OBLw61sbGRAuN3H+B1DlJh1smg6bR - g9W+oLRzfjZa32EzFmaQIxtgRfiyjxB/vqAHdl5zPou30X1CyRYquS870O02bvTN - zzWSOfRY4KPmS1YFVsN+m+R4+hSUOAE//bJ25ACP9oDO5w9NWkAux4e0UUAuWCra - jRROYN2J0KCogdru5G7lOQerD12zi3C2iibty6ou4tQX+MIKMMUVq8cfUH7oKv/R - 8mL5PV/NUsgO248llo0lr9QBwQKdiw17wCxFR+8vAgMBAAGjQjBAMA8GA1UdEwEB - /wQFMAMBAf8wHQYDVR0OBBYEFPDYnx2xYIPDDAEjb6UcF29I6DgKMA4GA1UdDwEB - /wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANTrAGs/GpXCADAwMGlrjXTdohp+p - CIp3gbnryVYZBXvO+f8hjJ8bHk0D/DiBrkjE8o0IpNaAadOZa+WvTNMsanPmGf1A - kD0vA9nm4gwEhBbzj9HRYX+dIhZhVWny9Kugm80s0h0hvbwTakUPOdMqkz6wn+xx - Owh7AIwaC5TTCsQyKlv5rjVblvU1XFgBf3Pf3wvMAfjDoAEPTXER/9mLVbXe+EmW - osP1JmgyDd+0WQFVK/LEDW81L5hsV5JvthAAFhGVtRw9ko5Ep28+EQUJE1wmLTdL - PyjB/KfJrTMDq94WolzFv4JpUStHbclkKlXtigjKeiYZ5Yvo+vLMSkXemccSfYn7 - vdaUFD5vqWXvM4xhiYRq/tigw2E1bjmyd9L3XD7XalufZtMGWn7zT8HMPP+/Lch1 - JjZ9LL2Y99VIqhoHcuSa95FtLpYDRQ28K03uwqxqFnOQLyPVmYwsaHKnmmwaZDjF - K1XxLVRLGRWvKEuSoWrsGcs3ehoxX4Knz/BaJzr/ioU1VnItj53tmOSJO0eMA6k+ - egaVEb0FTa2F5xeLCKjgfDDWMz3v0TdL+kt+9z0THMlPWfOzd1C35ZzSIcTcRj22 - SAzsL0t5ZTI4XvoPFF8dga78/KsBRolqdPjs0UzdlKhwh1ADOkTRgLOaaidMEgsT - JS/rbzD4FPbvc/g= - -----END CERTIFICATE----- - #Amazon RDS us-gov-west-1 Root CA ECC384 G1 - expires 5/2121 - -----BEGIN CERTIFICATE----- - MIICtDCCAjugAwIBAgIQPyg+edjKVnM2PB4KZVu66jAKBggqhkjOPQQDAzCBmjEL - MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x - EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpBbWF6 - b24gUkRTIHVzLWdvdi13ZXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcM - B1NlYXR0bGUwIBcNMjEwNTI2MjE1MzI3WhgPMjEyMTA1MjYyMjUzMjdaMIGaMQsw - CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET - MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFtYXpv - biBSRFMgdXMtZ292LXdlc3QtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH - U2VhdHRsZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABFaqyIYrbpPfhiKzLEkmzp1j - 3OYO/e1VE3vCf5c62bN5xYKFKH/MnKgsUFNsFpJ1t0p9cexi+607aiYOo1sOWvOj - 
q3PUu+ltklQdvunU/Se5++qqsh7lylL5OF/F19uqfqNCMEAwDwYDVR0TAQH/BAUw - AwEB/zAdBgNVHQ4EFgQUJHPtPhijPquZxTz2UGh4YV1npYMwDgYDVR0PAQH/BAQD - AgGGMAoGCCqGSM49BAMDA2cAMGQCMHWDFuIZ9LZgysbL4vx/Ox9z8fbegb3352bM - BFr6JV1x8VLbePblHd0V1MwDdRWeAwIwarWfOVdB1ijrwzjROzCwE0uBkHYUPr0Z - vgwdtlsnwDw9TnjsBrTJkQ0aS8c0Ahl1 - -----END CERTIFICATE----- - - diff --git a/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml b/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml index 6d327f40..8c1795b8 100644 --- a/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml +++ b/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml @@ -1,3 +1,7 @@ +# NOTES: +# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh +# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/` + # This file exists to remove CredHub Secured Service Credential Delivery which # is now on by default in cf-deployment >=4.x. diff --git a/bosh/opsfiles/log-levels-diego-cell.yml b/bosh/opsfiles/log-levels-diego-cell.yml index d57f46de..6724e729 100644 --- a/bosh/opsfiles/log-levels-diego-cell.yml +++ b/bosh/opsfiles/log-levels-diego-cell.yml @@ -1,3 +1,7 @@ +# NOTES: +# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh +# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/` + - type: replace path: /instance_groups/name=diego-cell/jobs/name=garden/properties/garden/log_level? value: error diff --git a/bosh/opsfiles/meta-data-v2-diego-cell.yml b/bosh/opsfiles/meta-data-v2-diego-cell.yml index b24f3108..2f0ba7df 100644 --- a/bosh/opsfiles/meta-data-v2-diego-cell.yml +++ b/bosh/opsfiles/meta-data-v2-diego-cell.yml 
@@ -1,3 +1,7 @@
+# NOTES:
+# - This ops file is used for ALL diego cell and isolation segments with ci/create-*-diego-cell.sh
+# - This ops file can ONLY contain configurations for `path: /instance_groups/name=diego-cell/`
+
 - type: replace
 path: /instance_groups/name=diego-cell/vm_extensions/-
 value: meta-data-v2
diff --git a/bosh/opsfiles/meta-data-v2.yml b/bosh/opsfiles/meta-data-v2.yml
deleted file mode 100644
index 39eabc44..00000000
--- a/bosh/opsfiles/meta-data-v2.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- type: replace
- path: /instance_groups/name=diego-platform-cell/vm_extensions/-
- value: meta-data-v2
diff --git a/bosh/opsfiles/platform-cells.yml b/bosh/opsfiles/platform-cells.yml
index 0bf8bdbb..d857a935 100644
--- a/bosh/opsfiles/platform-cells.yml
+++ b/bosh/opsfiles/platform-cells.yml
@@ -1,182 +1,6 @@ -# Copy original diego-cell from https://github.com/cloudfoundry/cf-deployment/blob/master/cf-deployment.yml -- type: replace - path: /instance_groups/- - value: - name: diego-platform-cell - azs: - - z1 - - z2 - instances: 2 - vm_type: small-highmem - vm_extensions: - - 200GB_ephemeral_disk - stemcell: default - networks: - - name: default - jobs: - - name: bosh-dns-adapter - properties: - internal_domains: ["apps.internal."] - dnshttps: - client: - tls: ((cf_app_sd_client_tls)) - server: - ca: ((cf_app_sd_client_tls.ca)) - release: cf-networking - - name: cflinuxfs4-rootfs-setup - release: cflinuxfs4 - properties: - cflinuxfs4-rootfs: - trusted_certs: - - ((diego_instance_identity_ca.ca)) - - ((uaa_ssl.ca)) - - name: garden - release: garden-runc - provides: - iptables: {as: iptables-platform} - properties: - garden: - containerd_mode: true - cleanup_process_dirs_on_wait: true - debug_listen_address: 127.0.0.1:17019 - default_container_grace_time: 0 - destroy_containers_on_start: true - deny_networks: - - 0.0.0.0/0 - network_plugin: /var/vcap/packages/runc-cni/bin/garden-external-networker - network_plugin_extra_args: - - --configFile=/var/vcap/jobs/garden-cni/config/adapter.json - logging: - format: - timestamp: "rfc3339" - - name: rep - release: diego - properties: - bpm: - enabled: true - diego: - executor: - instance_identity_ca_cert: ((diego_instance_identity_ca.certificate)) - instance_identity_key: ((diego_instance_identity_ca.private_key)) - rep: - preloaded_rootfses: - - cflinuxfs4:/var/vcap/packages/cflinuxfs4/rootfs.tar - containers: - proxy: - enabled: true - require_and_verify_client_certificates: true - trusted_ca_certificates: - - ((gorouter_backend_tls.ca)) - - ((ssh_proxy_backends_tls.ca)) - verify_subject_alt_name: - - gorouter.service.cf.internal - - ssh-proxy.service.cf.internal - trusted_ca_certificates: - - ((diego_instance_identity_ca.ca)) - - ((uaa_ssl.ca)) - enable_consul_service_registration: false - 
enable_declarative_healthcheck: true - loggregator: &diego_loggregator_client_properties - use_v2_api: true - ca_cert: "((loggregator_tls_agent.ca))" - cert: "((loggregator_tls_agent.certificate))" - key: "((loggregator_tls_agent.private_key))" - tls: - ca_cert: "((diego_rep_agent_v2.ca))" - cert: "((diego_rep_agent_v2.certificate))" - key: "((diego_rep_agent_v2.private_key))" - logging: - format: - timestamp: "rfc3339" - - name: cfdot - release: diego - properties: - tls: - ca_certificate: "((diego_rep_client.ca))" - certificate: "((diego_rep_client.certificate))" - private_key: "((diego_rep_client.private_key))" - - name: route_emitter - release: diego - properties: - bpm: - enabled: true - loggregator: *diego_loggregator_client_properties - diego: - route_emitter: - local_mode: true - bbs: - ca_cert: "((diego_bbs_client.ca))" - client_cert: "((diego_bbs_client.certificate))" - client_key: "((diego_bbs_client.private_key))" - nats: - tls: - enabled: true - client_cert: "((nats_client_cert.certificate))" - client_key: "((nats_client_cert.private_key))" - tcp: - enabled: true - uaa: - ca_cert: "((uaa_ssl.ca))" - client_secret: "((uaa_clients_tcp_emitter_secret))" - logging: - format: - timestamp: "rfc3339" - internal_routes: - enabled: true - - name: garden-cni - release: cf-networking - properties: - cni_plugin_dir: /var/vcap/packages/silk-cni/bin - cni_config_dir: /var/vcap/jobs/silk-cni/config/cni - - name: netmon - release: silk - consumes: - iptables: {from: iptables-platform} - - name: vxlan-policy-agent - release: silk - provides: - vpa: {as: vpa-platform} - consumes: - iptables: {from: iptables-platform} - cni_config: {from: cni_config_platform} - properties: - ca_cert: ((network_policy_client.ca)) - client_cert: ((network_policy_client.certificate)) - client_key: ((network_policy_client.private_key)) - loggregator: *diego_loggregator_client_properties - - name: silk-daemon - release: silk - consumes: - vpa: {from: vpa-platform} - iptables: {from: 
iptables-platform} - properties: - ca_cert: ((silk_daemon.ca)) - client_cert: ((silk_daemon.certificate)) - client_key: ((silk_daemon.private_key)) - - name: silk-cni - release: silk - properties: - dns_servers: - - 169.254.0.2 - consumes: - vpa: {from: vpa-platform} - provides: - cni_config: {as: cni_config_platform} - - name: silk-datastore-syncer - release: silk - - name: loggr-udp-forwarder - release: loggregator-agent - properties: - loggregator: - tls: - ca: "((loggregator_tls_agent.ca))" - cert: "((loggregator_tls_agent.certificate))" - key: "((loggregator_tls_agent.private_key))" - metrics: - ca_cert: "((loggr_udp_forwarder_tls.ca))" - cert: "((loggr_udp_forwarder_tls.certificate))" - key: "((loggr_udp_forwarder_tls.private_key))" - server_name: loggr_udp_forwarder_metrics +# NOTES: +# - Other than the scaling-*.yml files, this should be the only file to contain configurations for the diego-platform-cell instance group +# - This one is unique from other isolation segments in that it gets a custom identity profile on the vm # Set platform cell instance profile and placement tag - type: replace diff --git a/bosh/opsfiles/scaling-development.yml b/bosh/opsfiles/scaling-development.yml index b80f22d4..ff6ea8d8 100644 --- a/bosh/opsfiles/scaling-development.yml +++ b/bosh/opsfiles/scaling-development.yml @@ -137,7 +137,10 @@ - type: replace path: /instance_groups/name=diego-platform-cell/vm_type value: t3.xlarge - +- type: replace + path: /instance_groups/name=diego-platform-cell/instances + value: 2 + # rotate-cc-database-key - type: replace path: /instance_groups/name=rotate-cc-database-key/vm_type diff --git a/bosh/opsfiles/scaling-staging.yml b/bosh/opsfiles/scaling-staging.yml index f4187cc5..77662eec 100644 --- a/bosh/opsfiles/scaling-staging.yml +++ b/bosh/opsfiles/scaling-staging.yml 
@@ -138,6 +138,9 @@
 - type: replace
 path: /instance_groups/name=diego-platform-cell/vm_type
 value: r6i.2xlarge
+- type: replace
+ path: /instance_groups/name=diego-platform-cell/instances
+ value: 2
 # rotate-cc-database-key
 - type: replace
diff --git a/ci/create-diego-cell-iso-seg.sh b/ci/create-diego-cell-iso-seg.sh
new file mode 100755
index 00000000..cd68b205
--- /dev/null
+++ b/ci/create-diego-cell-iso-seg.sh
@@ -0,0 +1,87 @@ +#!/bin/bash + +set -eux + +## Extract current base configuration for the diego-cell instance group from upstream and apply custom ops files +## NOTE: These ops files can only contain remove/replace for the diego-cell instance group for this to work in the future + + +## Create the starting point of a configured diego-cell for cg (minus scaling-*.ymls) +bosh int \ + cf-deployment/cf-deployment.yml \ + -o cf-manifests/bosh/opsfiles/log-levels-diego-cell.yml \ + -o cf-manifests/bosh/opsfiles/diego-cell-consumes-provides.yml \ + -o cf-manifests/bosh/opsfiles/diego-cell-disk.yml \ + -o cf-manifests/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml \ + -o cf-manifests/bosh/opsfiles/diego-rds-certs-diego-cell.yml \ + -o cf-manifests/bosh/opsfiles/meta-data-v2-diego-cell.yml \ + -o cf-manifests/bosh/opsfiles/diego-cpu-entitlement-diego-cell.yml \ + --path /instance_groups/name=diego-cell > diego-cell_raw.yml + + +## Loop through and create a single iso seg ops file, intermediate files aren't deleted for debugging +for (( iso_seg_number = 1; iso_seg_number <= $NUMBER_OF_ISO_SEGS; iso_seg_number++ )) +do + + ## Create ops file header - Always start with the instance group declaration + cat > diego-cell-iso-seg${iso_seg_number}-header.yml < sed1.yml + sed "s/iptables-tenant/iptables-iso-seg${iso_seg_number}/" sed1.yml > sed2.yml + sed "s/cni_config_tenant/cni_config_iso-seg${iso_seg_number}/" sed2.yml > sed3.yml + sed "s/vpa-tenant/vpa-iso-seg${iso_seg_number}/" sed3.yml > sed4.yml + sed 's/^/ /' sed4.yml > diego-cell_indented-iso-seg${iso_seg_number}.yml + + ## Create ops file footer - All the "replace" that can only be run once the instance group exists (order matters) + cat > diego-cell-iso-seg${iso_seg_number}-footer.yml < diego-cell-iso-seg${iso_seg_number}.yml + + ## Merge this iso-seg into one file which will have all of them at the end of the loop + cat diego-cell-iso-seg${iso_seg_number}.yml >> diego-cell-iso-seg.yml +done + +## Either 
return the iso-seg file or a comment only file so "bosh deploy" will work in the main pipeline +if [ "$NUMBER_OF_ISO_SEGS" -gt 0 ]; then + cp diego-cell-iso-seg.yml diego-cell-iso-seg/diego-cell-iso-seg.yml +else + cat > diego-cell-iso-seg/diego-cell-iso-seg.yml << EOF +# Intentionally left blank +EOF +fi + +## return: diego-cell-iso-seg/diego-cell-iso-seg.yml \ No newline at end of file diff --git a/ci/create-diego-cell-iso-seg.yml b/ci/create-diego-cell-iso-seg.yml new file mode 100644 index 00000000..aa14a8cb --- /dev/null +++ b/ci/create-diego-cell-iso-seg.yml @@ -0,0 +1,19 @@ +platform: linux + +image_resource: + type: registry-image + source: + aws_access_key_id: ((ecr_aws_key)) + aws_secret_access_key: ((ecr_aws_secret)) + repository: harden-concourse-task + aws_region: us-gov-west-1 + tag: ((harden-concourse-task-tag)) + +inputs: +- name: cf-deployment +- name: cf-manifests +outputs: +- name: diego-cell-iso-seg + +run: + path: cf-manifests/ci/create-diego-cell-iso-seg.sh diff --git a/ci/create-diego-platform-cell.sh b/ci/create-diego-platform-cell.sh new file mode 100755 index 00000000..9f1c71e6 --- /dev/null +++ b/ci/create-diego-platform-cell.sh 
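Review bot: The `sed` renames in the loop (`s/iptables-tenant/iptables-iso-seg${iso_seg_number}/`, and the matching `cni_config_tenant` and `vpa-tenant` ones) exit 0 even when nothing matches, so if the `*-tenant` link aliases are ever renamed in `diego-cell-consumes-provides.yml` or upstream, the generated isolation segments would keep the tenant cells' link names and the script would still succeed. These aliases are what keep each segment's iptables, vxlan-policy-agent and CNI config links apart, so assert the result after the last `sed`, e.g. `grep -q "iptables-iso-seg${iso_seg_number}" sed4.yml` (and likewise for `vpa-iso-seg` and `cni_config_iso-seg`), which aborts the task under `set -e`. The same applies to the `*-platform` renames in `ci/create-diego-platform-cell.sh`. The heredoc bodies and the command that writes `sed1.yml` are not visible on this page, so the first substitution could not be reviewed.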
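Review bot: The task config declares no `params:` block although the script it runs reads `NUMBER_OF_ISO_SEGS` under `set -u`, so the task's only tunable is invisible in the file that defines the task, and a run that does not supply it fails at the first use of the variable. Declaring it here with the safe default, `params:` followed by `NUMBER_OF_ISO_SEGS: 0`, documents the contract and keeps the comment-only output as the fallback. The script could also reject anything that is not a plain non-negative integer before the loop, `[[ "$NUMBER_OF_ISO_SEGS" =~ ^[0-9]+$ ]] || exit 1`, because the value is expanded straight into the `for (( … ))` arithmetic.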
@@ -0,0 +1,36 @@ +#!/bin/bash + +set -eux + +## Extract current base configuration for the diego-cell instance group from upstream and apply custom ops files +## NOTE: These ops files can only contain remove/replace for the diego-cell instance group for this to work in the future +bosh int \ + cf-deployment/cf-deployment.yml \ + -o cf-manifests/bosh/opsfiles/log-levels-diego-cell.yml \ + -o cf-manifests/bosh/opsfiles/diego-cell-consumes-provides.yml \ + -o cf-manifests/bosh/opsfiles/diego-cell-disk.yml \ + -o cf-manifests/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml \ + -o cf-manifests/bosh/opsfiles/diego-rds-certs-diego-cell.yml \ + -o cf-manifests/bosh/opsfiles/meta-data-v2-diego-cell.yml \ + -o cf-manifests/bosh/opsfiles/diego-cpu-entitlement-diego-cell.yml \ + --path /instance_groups/name=diego-cell > diego-cell_raw.yml + +## Create ops file header +cat > diego-platform-cell.yml < sed1.yml +sed 's/iptables-tenant/iptables-platform/' sed1.yml > sed2.yml +sed 's/cni_config_tenant/cni_config_platform/' sed2.yml > sed3.yml +sed 's/vpa-tenant/vpa-platform/' sed3.yml > sed4.yml +sed 's/^/ /' sed4.yml > diego-platform-cell_indented.yml + +## Append the platform-diego-cell yaml to the ops file header +cat diego-platform-cell_indented.yml >> diego-platform-cell.yml +cp diego-platform-cell.yml diego-platform-cell/diego-platform-cell.yml + +## return: diego-platform-cell/diego-platform-cell.yml \ No newline at end of file diff --git a/ci/create-diego-platform-cell.yml b/ci/create-diego-platform-cell.yml new file mode 100644 index 00000000..9b66ed02 --- /dev/null +++ b/ci/create-diego-platform-cell.yml 
@@ -0,0 +1,21 @@
+platform: linux
+
+image_resource:
+ type: registry-image
+ source:
+ aws_access_key_id: ((ecr_aws_key))
+ aws_secret_access_key: ((ecr_aws_secret))
+ repository: harden-concourse-task
+ aws_region: us-gov-west-1
+ tag: ((harden-concourse-task-tag))
+
+inputs:
+- name: cf-deployment
+- name: cf-manifests
+outputs:
+- name: diego-platform-cell
+
+run:
+ path: cf-manifests/ci/create-diego-platform-cell.sh
+
+
diff --git a/ci/pipeline.yml b/ci/pipeline.yml
index d6506864..839e52d6 100644
--- a/ci/pipeline.yml
+++ b/ci/pipeline.yml
@@ -27,6 +27,12 @@ jobs:
 file: cf-manifests/ci/create-router-main.yml
 - task: router-logstash
 file: cf-manifests/ci/create-router-logstash.yml
+ - task: diego-platform-cell
+ file: cf-manifests/ci/create-diego-platform-cell.yml
+ - task: diego-cell-iso-seg
+ file: cf-manifests/ci/create-diego-cell-iso-seg.yml
+ params:
+ NUMBER_OF_ISO_SEGS: 0 #((number_of_iso_segs_development))
 - put: cf-deployment-development
 params: &deploy-params
 manifest: cf-deployment/cf-deployment.yml
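Review bot: `NUMBER_OF_ISO_SEGS: 0 #((number_of_iso_segs_development))` hard-codes the count and leaves the intended variable behind as a trailing comment, so the isolation-segment branch of the task never runs from this pipeline and only the comment-only ops file is ever deployed. Either wire the variable in or replace the remnant with an explanation, for example `NUMBER_OF_ISO_SEGS: 0  # TODO: use ((number_of_iso_segs_development)) once the var exists`. The staging and production steps (`@@ -545,6 +551,12 @@`, `@@ -1064,6 +1076,12 @@`, `@@ -1165,6 +1183,12 @@`) hard-code `0` the same way, with no marker at all.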
@@ -64,21 +70,21 @@ jobs:
 - cf-manifests/bosh/opsfiles/log-levels.yml
 - cf-manifests/bosh/opsfiles/log-levels-diego-cell.yml
 - cf-manifests/bosh/opsfiles/instance-profiles.yml
+ - diego-platform-cell/diego-platform-cell.yml
 - cf-manifests/bosh/opsfiles/platform-cells.yml
+ - diego-cell-iso-seg/diego-cell-iso-seg.yml
 - cf-manifests/bosh/opsfiles/diego-cell-consumes-provides.yml
 - cf-manifests/bosh/opsfiles/diego-cell-disk.yml
 - cf-manifests/bosh/opsfiles/scaling-development.yml
 - cf-manifests/bosh/opsfiles/cf-networking.yml
 - cf-manifests/bosh/opsfiles/disable-secure-service-credentials.yml
 - cf-manifests/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml
- - cf-manifests/bosh/opsfiles/diego-rds-certs.yml
 - cf-manifests/bosh/opsfiles/diego-rds-certs-diego-cell.yml
 - cf-manifests/bosh/opsfiles/smoke-tests.yml
 - cf-manifests/bosh/opsfiles/routing.yml
 - cf-manifests/bosh/opsfiles/uaa-rds-ca.yml
 - cf-manifests/bosh/opsfiles/content-security-policy.yml
 - cf-manifests/bosh/opsfiles/loggregator.yml
- - cf-manifests/bosh/opsfiles/meta-data-v2.yml
 - cf-manifests/bosh/opsfiles/meta-data-v2-diego-cell.yml
 - cf-manifests/bosh/opsfiles/router-main.yml
 - cf-manifests/bosh/opsfiles/router-main-dev.yml
@@ -545,6 +551,12 @@ jobs:
 file: cf-manifests/ci/create-router-main.yml
 - task: router-logstash
 file: cf-manifests/ci/create-router-logstash.yml
+ - task: diego-platform-cell
+ file: cf-manifests/ci/create-diego-platform-cell.yml
+ - task: diego-cell-iso-seg
+ file: cf-manifests/ci/create-diego-cell-iso-seg.yml
+ params:
+ NUMBER_OF_ISO_SEGS: 0
 - put: cf-deployment-staging
 params:
 <<: *deploy-params
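Review bot: The two generated entries depend on their position in the ops-file list, and nothing in the list says so: `diego-platform-cell/diego-platform-cell.yml` sits immediately ahead of `platform-cells.yml`, presumably because the generated file creates the instance group that the later file edits. A comment above it, such as `# generated by task diego-platform-cell; must stay ahead of platform-cells.yml`, would keep a later reorder from breaking the deploy. The same hunk drops `diego-rds-certs.yml` and `meta-data-v2.yml`, so the platform cells now appear to receive those settings only through the `-diego-cell` variants passed to `bosh int` in `create-diego-platform-cell.sh`; that list and this one have to be kept in step by hand, which is worth stating in the same comment. The staging and production ops-file hunks (`@@ -578,20 +590,20 @@`, `@@ -1097,7 +1115,9 @@`, `@@ -1106,11 +1126,9 @@`) have the same shape.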
@@ -578,20 +590,20 @@ jobs:
 - cf-manifests/bosh/opsfiles/log-levels.yml
 - cf-manifests/bosh/opsfiles/log-levels-diego-cell.yml
 - cf-manifests/bosh/opsfiles/instance-profiles.yml
+ - diego-platform-cell/diego-platform-cell.yml
 - cf-manifests/bosh/opsfiles/platform-cells.yml
+ - diego-cell-iso-seg/diego-cell-iso-seg.yml
 - cf-manifests/bosh/opsfiles/diego-cell-consumes-provides.yml
 - cf-manifests/bosh/opsfiles/diego-cell-disk.yml
 - cf-manifests/bosh/opsfiles/scaling-staging.yml
 - cf-manifests/bosh/opsfiles/cf-networking.yml
 - cf-manifests/bosh/opsfiles/disable-secure-service-credentials.yml
 - cf-manifests/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml
- - cf-manifests/bosh/opsfiles/diego-rds-certs.yml
 - cf-manifests/bosh/opsfiles/diego-rds-certs-diego-cell.yml
 - cf-manifests/bosh/opsfiles/smoke-tests.yml
 - cf-manifests/bosh/opsfiles/routing.yml
 - cf-manifests/bosh/opsfiles/uaa-rds-ca.yml
 - cf-manifests/bosh/opsfiles/loggregator.yml
- - cf-manifests/bosh/opsfiles/meta-data-v2.yml
 - cf-manifests/bosh/opsfiles/meta-data-v2-diego-cell.yml
 - cf-manifests/bosh/opsfiles/router-main.yml
 - cf-manifests/bosh/opsfiles/router-logstash.yml
@@ -1064,6 +1076,12 @@ jobs:
 file: cf-manifests/ci/create-router-main.yml
 - task: router-logstash
 file: cf-manifests/ci/create-router-logstash.yml
+ - task: diego-platform-cell
+ file: cf-manifests/ci/create-diego-platform-cell.yml
+ - task: diego-cell-iso-seg
+ file: cf-manifests/ci/create-diego-cell-iso-seg.yml
+ params:
+ NUMBER_OF_ISO_SEGS: 0
 - put: cf-deployment-production
 params: &prod-deploy-params
 <<: *deploy-params
@@ -1097,7 +1115,9 @@ jobs:
 - cf-manifests/bosh/opsfiles/log-levels.yml
 - cf-manifests/bosh/opsfiles/log-levels-diego-cell.yml
 - cf-manifests/bosh/opsfiles/instance-profiles.yml
+ - diego-platform-cell/diego-platform-cell.yml
 - cf-manifests/bosh/opsfiles/platform-cells.yml
+ - diego-cell-iso-seg/diego-cell-iso-seg.yml
 - cf-manifests/bosh/opsfiles/diego-cell-consumes-provides.yml
 - cf-manifests/bosh/opsfiles/diego-cell-disk.yml
 - cf-manifests/bosh/opsfiles/scaling-production.yml
@@ -1106,11 +1126,9 @@ jobs:
 - cf-manifests/bosh/opsfiles/smoke-tests.yml
 - cf-manifests/bosh/opsfiles/disable-secure-service-credentials.yml
 - cf-manifests/bosh/opsfiles/disable-secure-service-credentials-diego-cell.yml
- - cf-manifests/bosh/opsfiles/diego-rds-certs.yml
 - cf-manifests/bosh/opsfiles/diego-rds-certs-diego-cell.yml
 - cf-manifests/bosh/opsfiles/uaa-rds-ca.yml
 - cf-manifests/bosh/opsfiles/loggregator.yml
- - cf-manifests/bosh/opsfiles/meta-data-v2.yml
 - cf-manifests/bosh/opsfiles/meta-data-v2-diego-cell.yml
 - cf-manifests/bosh/opsfiles/router-main.yml
 - cf-manifests/bosh/opsfiles/router-logstash.yml
@@ -1165,6 +1183,12 @@ jobs:
 file: cf-manifests/ci/create-router-main.yml
 - task: router-logstash
 file: cf-manifests/ci/create-router-logstash.yml
+ - task: diego-platform-cell
+ file: cf-manifests/ci/create-diego-platform-cell.yml
+ - task: diego-cell-iso-seg
+ file: cf-manifests/ci/create-diego-cell-iso-seg.yml
+ params:
+ NUMBER_OF_ISO_SEGS: 0
 - put: cf-deployment-production
 params:
 <<: *prod-deploy-params