From 551ac1037f3808765ae20f77cb754919af21eb8b Mon Sep 17 00:00:00 2001 From: Eric Malm Date: Sun, 5 Jun 2016 11:00:22 -0700 Subject: [PATCH] examples/aws: deploy script imports cert contents * Deploy script imports contents of cert and key files into stubs * Update auto-generated warning header in stubs to match docs * Minor style fixes in deploy script --- examples/aws/README.md | 14 ++- examples/aws/deploy_aws_environment | 105 +++++++++++++++--- examples/aws/stubs/cf/properties.yml | 18 --- .../aws/stubs/diego/property-overrides.yml | 72 ------------ examples/aws/templates/cf/stub-internal.yml | 17 +++ examples/aws/templates/cf/stub.yml | 15 +++ .../diego/property-overrides-internal.yml | 20 ++++ .../templates/diego/property-overrides.yml | 58 ++++++++++ 8 files changed, 209 insertions(+), 110 deletions(-) delete mode 100644 examples/aws/stubs/diego/property-overrides.yml create mode 100644 examples/aws/templates/diego/property-overrides-internal.yml create mode 100644 examples/aws/templates/diego/property-overrides.yml diff --git a/examples/aws/README.md b/examples/aws/README.md index fb4c39d054..63c084826f 100644 --- a/examples/aws/README.md +++ b/examples/aws/README.md 
@@ -577,15 +577,17 @@ After deploying Cloud Foundry, you can now deploy Diego. ### Fill in the Property-Overrides Stub -To generate a manifest for the Diego deployment, replace the properties in +To generate a manifest for the Diego deployment, replace the properties in the `$DEPLOYMENT_DIR/stubs/diego/property-overrides.yml` file that are prefixed with `REPLACE_WITH_`. -Here is a summary of the properties that need to be changed: +Here is a summary of the properties that must be changed: -- Replace REPLACE_WITH_ACTIVE_KEY_LABEL with any desired key name (such as `key-a`). -- Replace REPLACE_WITH_A_SECURE_PASSPHRASE with a unique passphrase associated with the active key label. -- Replace the BBS and etcd certificate placeholders with the contents of the files generated in [Configuring Security](#configuring-security). -- Replace the SSH-Proxy host key with the [host key generated](#generating-ssh-proxy-host-key) above. +- Replace `REPLACE_WITH_ACTIVE_KEY_LABEL` with any desired key name (such as `key-a`). +- Replace `REPLACE_WITH_A_SECURE_PASSPHRASE` with a unique passphrase associated with the active key label. + +Component log levels and other deployment properties may also be overridden in this stub file. + +This stub file also contains the contents of the BBS, etcd, and SSH-Proxy certificates and keys generated above. If those files are regenerated, the `deploy_aws_environment` script will update the property-overrides stub with their new contents. ### Edit the Instance-Count-Overrides Stub diff --git a/examples/aws/deploy_aws_environment b/examples/aws/deploy_aws_environment index cf7b56300a..82fa52a5f2 100755 --- a/examples/aws/deploy_aws_environment +++ b/examples/aws/deploy_aws_environment 
@@ -22,6 +22,65 @@ EOF
 exit 1
 }
+
+indent() {
+ sed -e 's/^/ /'
+}
+
+indent_contents_of() {
+ indent < "$1"
+}
+
+block() {
+ cat <<-EOF
+$1: |
+$(indent_contents_of "$2")
+EOF
+}
+
+cf_credentials() {
+ cat <<-EOF
+# GENERATED: NO TOUCHING
+---
+cf_credentials:
+ ssh_host_key_fingerprint: "$(cat keypair/ssh-proxy-host-key-fingerprint)"
+ consul:
+$(block ca_cert certs/consul-certs/server-ca.crt | indent | indent)
+$(block agent_cert certs/consul-certs/agent.crt | indent | indent)
+$(block agent_key certs/consul-certs/agent.key | indent | indent)
+$(block server_cert certs/consul-certs/server.crt | indent | indent)
+$(block server_key certs/consul-certs/server.key | indent | indent)
+ uaa:
+$(block signing_key keypair/uaa | indent | indent)
+$(block verification_key keypair/uaa.pub | indent | indent)
+
+EOF
+}
+
+diego_credentials() {
+ cat <<-EOF
+# GENERATED: NO TOUCHING
+---
+diego_credentials:
+$(block diego_ca certs/diego-ca.crt | indent)
+$(block ssh_proxy_host_key keypair/ssh-proxy-host-key.pem | indent)
+ bbs:
+$(block client_cert certs/bbs-certs/client.crt | indent | indent)
+$(block client_key certs/bbs-certs/client.key | indent | indent)
+$(block server_cert certs/bbs-certs/server.crt | indent | indent)
+$(block server_key certs/bbs-certs/server.key | indent | indent)
+ etcd:
+$(block client_cert certs/etcd-certs/client.crt | indent | indent)
+$(block client_key certs/etcd-certs/client.key | indent | indent)
+$(block server_cert certs/etcd-certs/server.crt | indent | indent)
+$(block server_key certs/etcd-certs/server.key | indent | indent)
+$(block peer_ca certs/etcd-peer-ca.crt | indent | indent)
+$(block peer_cert certs/etcd-certs/peer.crt | indent | indent)
+$(block peer_key certs/etcd-certs/peer.key | indent | indent)
+EOF
+}
+
+
 
 if [ "$1" == "create" ]; then
 UPDATE_OR_CREATE=create-stack
 elif [ "$1" == "update" ]; then
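Review bot: `block` emits an empty block scalar (`client_key: |` with nothing under it) when the file named by `$2` does not exist, because the failure of `indent < "$1"` happens inside `$(...)` and the heredoc's `cat` still exits 0; `cf_credentials` and `diego_credentials` are consumed through `<(…)`, so even a `set -e` in the script header (not visible in this hunk) would not stop the run, and spiff would merge an empty cert or key into the stub. The same applies to `$(cat keypair/ssh-proxy-host-key-fingerprint)`, which yields an empty quoted fingerprint on failure. Validate the inputs in the main shell before the generators run, e.g. with the helper below, called with the certs/keypair paths immediately before each `spiff merge` that reads `<(cf_credentials)` or `<(diego_credentials)`.
```shell
# Fail fast in the main shell: a failure inside $(...) or <(...) never
# reaches the caller, so a missing file would otherwise become an empty
# block scalar in the generated stub.
require_readable() {
  for f in "$@"; do
    [ -r "$f" ] || { echo "$0: missing credential file: $f" >&2; exit 1; }
  done
}
# … unchanged: indent, indent_contents_of, block, cf_credentials, diego_credentials …
```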
@@ -66,7 +125,7 @@ fi # generate stub to be fed into template for cloudformation cat > stubs/infrastructure/certificates.yml < stubs/aws-resources.yml <> stubs/aws-resources.yml cat > deployments/bosh-init/bosh-init.yml <> deployments/bosh-init/bosh-init.yml bosh-init deploy deployments/bosh-init/bosh-init.yml -bosh -n target `cat stubs/aws-resources.yml | grep BoshInit | awk '{ gsub(/"/, "", $NF); print $NF }'` +bosh -n target $(cat stubs/aws-resources.yml | grep BoshInit | awk '{ gsub(/"/, "", $NF); print $NF }') # generate director uuid stub for template to create deployment stub cat > stubs/director-uuid.yml < stubs/cf/domain.yml <> stubs/cf/domain.yml + stubs/domain.yml \ + >> stubs/cf/domain.yml # generate deployment stub -touch stubs/cf/stub.yml - cat > stubs/cf/stub.yml <> stubs/cf/stub.yml +# copy CF property stub if not already present if [ ! -f stubs/cf/properties.yml ]; then cp $SCRIPT_DIR/stubs/cf/properties.yml stubs/cf/properties.yml fi mkdir -p stubs/diego -if [ ! -f stubs/diego/property-overrides.yml ]; then - cp $SCRIPT_DIR/stubs/diego/property-overrides.yml stubs/diego/property-overrides.yml +# generate Diego property-override stub with certs +if [ -f stubs/diego/property-overrides.yml ]; then + # update BBS, etcd certs and keys in existing property-overrides stub + temp_property_overrides=$(mktemp stubs/diego/property-overrides.yml.XXXXX) + + spiff merge \ + stubs/diego/property-overrides.yml \ + $SCRIPT_DIR/templates/diego/property-overrides-internal.yml \ + <(diego_credentials) \ + > "${temp_property_overrides}" + + mv "${temp_property_overrides}" stubs/diego/property-overrides.yml +else + # create new property-overrides stub with default overrides + spiff merge \ + $SCRIPT_DIR/templates/diego/property-overrides.yml \ + $SCRIPT_DIR/templates/diego/property-overrides-internal.yml \ + <(diego_credentials) \ + > stubs/diego/property-overrides.yml fi +# generate Diego IaaS-settings stub spiff merge \ 
$SCRIPT_DIR/../../manifest-generation/misc-templates/aws-iaas-settings.yml \ $SCRIPT_DIR/templates/diego/iaas-settings-internal.yml \ diff --git a/examples/aws/stubs/cf/properties.yml b/examples/aws/stubs/cf/properties.yml index d6c2fdb391..6fefc0f314 100644 --- a/examples/aws/stubs/cf/properties.yml +++ b/examples/aws/stubs/cf/properties.yml @@ -4,9 +4,6 @@ meta: environment: REPLACE_WITH_CF_DEPLOYMENT_NAME properties: - app_ssh: - host_key_fingerprint: REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/keypair/ssh-proxy-host-key-fingerprint) - cc: staging_upload_password: REPLACE_WITH_STAGING_UPLOAD_PASSWORD staging_upload_user: REPLACE_WITH_STAGING_UPLOAD_USER @@ -14,16 +11,6 @@ properties: db_encryption_key: REPLACE_WITH_DATABASE_ENCRYPTION_KEY consul: - ca_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/consul-certs/server-ca.crt) - server_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/consul-certs/server.crt) - server_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/consul-certs/server.key) - agent_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/consul-certs/agent.crt) - agent_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/consul-certs/agent.key) encrypt_keys: - REPLACE_WITH_CONSUL_ENCRYPTION_KEY @@ -66,11 +53,6 @@ properties: secret: REPLACE_WITH_SSH_PROXY_PASSWORD tcp_router: secret: REPLACE_WITH_TCP_ROUTER_PASSWORD - jwt: - signing_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/keypair/uaa) - verification_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/keypair/uaa.pub) scim: users: - admin|REPLACE_WITH_ADMIN_PASSWORD|scim.write,scim.read,openid,cloud_controller.admin,doppler.firehose diff --git a/examples/aws/stubs/diego/property-overrides.yml b/examples/aws/stubs/diego/property-overrides.yml deleted file mode 100644 index 42e4535c0f..0000000000 --- a/examples/aws/stubs/diego/property-overrides.yml +++ /dev/null 
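Review bot: In the deploy_aws_environment hunk that ends here (its `@@` header is not recoverable from this rendering), the create branch writes the BBS, etcd and SSH-proxy private keys with `> stubs/diego/property-overrides.yml` under the caller's umask, which typically leaves a world-readable file, while the update branch ends with the 0600 file that `mktemp` created; set `umask 077` near the top of the script or add `chmod 600 stubs/diego/property-overrides.yml` after both branches, and do the same for the generated cf stub if it is produced the same way (those lines are garbled here). Separately, if `spiff merge` fails in the update branch the unconditional `mv` replaces the user's stub, passphrase edits included, with partial output unless `set -e` is in effect in the script header, which is not visible; chain it as `spiff merge … > "${temp_property_overrides}" && mv "${temp_property_overrides}" stubs/diego/property-overrides.yml || { rm -f "${temp_property_overrides}"; exit 1; }`.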
@@ -1,72 +0,0 @@ -property_overrides: - bbs: - active_key_label: REPLACE_WITH_ACTIVE_KEY_LABEL - encryption_keys: - - label: REPLACE_WITH_ACTIVE_KEY_LABEL - passphrase: REPLACE_WITH_A_SECURE_PASSPHRASE - require_ssl: true - - # If bbs.require_ssl is set to false, the following certs and keys must be set - # to nil. - ca_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/diego-ca.crt) - client_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/bbs-certs/client.crt) - client_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/bbs-certs/client.key) - server_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/bbs-certs/server.crt) - server_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/bbs-certs/server.key) - log_level: debug - etcd: - heartbeat_interval_in_milliseconds: 200 - election_timeout_in_milliseconds: 2000 - require_ssl: true - peer_require_ssl: true - # if etcd.require_ssl and etcd.peer_require_ssl are set to false, the following certs - # and keys must be set to nil. 
- ca_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/diego-ca.crt) - client_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/etcd-certs/client.crt) - client_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/etcd-certs/client.key) - peer_ca_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/etcd-peer-ca.crt) - peer_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/etcd-certs/peer.crt) - peer_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/etcd-certs/peer.key) - server_cert: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/etcd-certs/server.crt) - server_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/certs/etcd-certs/server.key) - log_level: debug - nsync: - log_level: debug - converger: - log_level: debug - auctioneer: - log_level: debug - cc_uploader: - log_level: debug - file_server: - log_level: debug - executor: - log_level: debug - tps: - log_level: debug - route_emitter: - log_level: debug - stager: - log_level: debug - rep: - log_level: debug - garden: - log_level: debug - skip_cert_verify: true - ssh_proxy: - enable_cf_auth: true - host_key: | - REPLACE_WITH_CONTENTS_OF_(DEPLOYMENT_DIR/keypair/ssh-proxy-host-key.pem) diff --git a/examples/aws/templates/cf/stub-internal.yml b/examples/aws/templates/cf/stub-internal.yml index 528c3ec453..96111b786f 100644 --- a/examples/aws/templates/cf/stub-internal.yml +++ b/examples/aws/templates/cf/stub-internal.yml @@ -87,6 +87,9 @@ properties: availability_zone2: (( meta.zones.z2 )) availability_zone3: (( meta.zones.z3 )) + app_ssh: + host_key_fingerprint: (( cf_credentials.ssh_host_key_fingerprint )) + cc: resource_pool: resource_directory_key: (( Resources.Bucket.AppResources )) 
@@ -100,13 +103,27 @@ properties: ccdb: address: (( properties.databases.address )) + uaa: + jwt: + signing_key: (( cf_credentials.uaa.signing_key )) + verification_key: (( cf_credentials.uaa.verification_key )) + uaadb: address: (( properties.databases.address )) databases: address: (( jobs.postgres_z1.networks.cf1.static_ips.[0] )) + consul: + ca_cert: (( cf_credentials.consul.ca_cert )) + server_cert: (( cf_credentials.consul.server_cert )) + server_key: (( cf_credentials.consul.server_key )) + agent_cert: (( cf_credentials.consul.agent_cert )) + agent_key: (( cf_credentials.consul.agent_key )) + Resources: (( merge )) Region: (( merge )) AccessKeyID: (( merge )) SecretAccessKey: (( merge )) + +cf_credentials: (( merge )) diff --git a/examples/aws/templates/cf/stub.yml b/examples/aws/templates/cf/stub.yml index dd049b3db5..354afd8ba5 100644 --- a/examples/aws/templates/cf/stub.yml +++ b/examples/aws/templates/cf/stub.yml @@ -91,6 +91,9 @@ properties: availability_zone2: (( merge )) availability_zone3: (( merge )) + app_ssh: + host_key_fingerprint: (( merge )) + cc: resource_pool: resource_directory_key: (( merge )) @@ -114,6 +117,11 @@ properties: name: ccdb citext: true + uaa: + jwt: + signing_key: (( merge )) + verification_key: (( merge )) + uaadb: db_scheme: postgresql address: (( merge )) @@ -145,3 +153,10 @@ properties: - tag: uaa name: uaadb citext: true + + consul: + ca_cert: (( merge )) + server_cert: (( merge )) + server_key: (( merge )) + agent_cert: (( merge )) + agent_key: (( merge )) diff --git a/examples/aws/templates/diego/property-overrides-internal.yml b/examples/aws/templates/diego/property-overrides-internal.yml new file mode 100644 index 0000000000..17af8a232c --- /dev/null +++ b/examples/aws/templates/diego/property-overrides-internal.yml 
@@ -0,0 +1,20 @@ +property_overrides: + bbs: + ca_cert: (( diego_credentials.diego_ca )) + client_cert: (( diego_credentials.bbs.client_cert )) + client_key: (( diego_credentials.bbs.client_key )) + server_cert: (( diego_credentials.bbs.server_cert )) + server_key: (( diego_credentials.bbs.server_key )) + etcd: + ca_cert: (( diego_credentials.diego_ca )) + client_cert: (( diego_credentials.etcd.client_cert )) + client_key: (( diego_credentials.etcd.client_key )) + peer_ca_cert: (( diego_credentials.etcd.peer_ca )) + peer_cert: (( diego_credentials.etcd.peer_cert )) + peer_key: (( diego_credentials.etcd.peer_key )) + server_cert: (( diego_credentials.etcd.server_cert )) + server_key: (( diego_credentials.etcd.server_key )) + ssh_proxy: + host_key: (( diego_credentials.ssh_proxy_host_key )) + +diego_credentials: (( merge )) diff --git a/examples/aws/templates/diego/property-overrides.yml b/examples/aws/templates/diego/property-overrides.yml new file mode 100644 index 0000000000..e400afdea3 --- /dev/null +++ b/examples/aws/templates/diego/property-overrides.yml 
@@ -0,0 +1,58 @@ +property_overrides: + bbs: + active_key_label: REPLACE_WITH_ACTIVE_KEY_LABEL + encryption_keys: + - label: REPLACE_WITH_ACTIVE_KEY_LABEL + passphrase: REPLACE_WITH_A_SECURE_PASSPHRASE + require_ssl: true + + # If bbs.require_ssl is set to false, the following certs and keys must be set + # to nil. + ca_cert: (( merge )) + client_cert: (( merge )) + client_key: (( merge )) + server_cert: (( merge )) + server_key: (( merge )) + log_level: debug + etcd: + heartbeat_interval_in_milliseconds: 200 + election_timeout_in_milliseconds: 2000 + require_ssl: true + peer_require_ssl: true + # if etcd.require_ssl and etcd.peer_require_ssl are set to false, the following certs + # and keys must be set to nil. + ca_cert: (( merge )) + client_cert: (( merge )) + client_key: (( merge )) + peer_ca_cert: (( merge )) + peer_cert: (( merge )) + peer_key: (( merge )) + server_cert: (( merge )) + server_key: (( merge )) + log_level: debug + nsync: + log_level: debug + converger: + log_level: debug + auctioneer: + log_level: debug + cc_uploader: + log_level: debug + file_server: + log_level: debug + executor: + log_level: debug + tps: + log_level: debug + route_emitter: + log_level: debug + stager: + log_level: debug + rep: + log_level: debug + garden: + log_level: debug + skip_cert_verify: true + ssh_proxy: + enable_cf_auth: true + host_key: (( merge ))
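Review bot: The two comments saying the certs and keys "must be set to nil" when `bbs.require_ssl` / `etcd.require_ssl` are false are now misleading: those keys are `(( merge ))` placeholders that `deploy_aws_environment` fills from `property-overrides-internal.yml`, and on the update path the existing stub is merged as the template with the internal file as a stub, so a hand-set nil would be overwritten on the next run (as I read spiff's precedence; worth confirming). Replace each with something like `# Filled from $DEPLOYMENT_DIR/certs by deploy_aws_environment and regenerated on every run; to run without TLS, also drop these keys from templates/diego/property-overrides-internal.yml.` Also, `skip_cert_verify: true` ships uncommented in a template that is now the home of real key material; add `# Disables TLS certificate verification for the components that honour it; keep true only for self-signed test certificates.` so it is not carried into a real deployment unknowingly.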