Initial ocfp kit feature from pairing with Pururva. (#30)

[Improvements]

* Added `ocfp` feature which encodes the opensource cloud foundry platform reference architecture. `ocfp` specifies that **inputs for features come from vault**.

  The reference architecture specifies the `network`, `vm_type`, `disk_type`, and `azs` based on `dev` vs `prod` environment scales.

  Naming scheme is entirely based on environment name, and is designed to work with the `ocfp-ops-scripts` `ocfp` cli in order to generate configs, initialize and test environments.

---

Co-authored-by: Pururva Lakkad <[email protected]>
Co-authored-by: Dennis Bell <[email protected]>

hooks/blueprint

@@ -1,25 +1,60 @@
 #!/bin/bash
+
 set -eu
 
-declare -a merge
+declare -a merge opsfiles
+opsfiles=()
+ops_var='merge'
+want_feature "ocfp" && ops_var="opsfiles"
+
+for want in ${GENESIS_REQUESTED_FEATURES}
+do
+  case ${want} in
+    (ocfp|oauth|oauth-provider|proxy|postgres-addon|secure|okta)
+      true
+      ;;
+    (*)
+      if [[ -f "$GENESIS_ROOT/ops/$want.yml" ]]
+      then eval "$ops_var+=( \"$GENESIS_ROOT/ops/$want.yml\" )"
+      else echo "ERROR: Unsupported feature: ${want}" ; exit 1
+      fi
+      ;;
+  esac
+done
 
-validate_features oauth oauth-provider \
-                  proxy postgres-addon secure
+merge=( 
+  "manifests/shield.yml"
+  "manifests/releases/shield.yml"
+)
 
-merge=( manifests/shield.yml manifests/releases/shield.yml )
+want_feature postgres-addon && merge+=( 
+  "manifests/addons/postgres.yml"
+  "manifests/releases/shield-addon-postgres.yml"
+)
 
-want_feature oauth && merge+=( manifests/oauth.yml )
-want_feature postgres-addon && merge+=( manifests/addons/postgres.yml manifests/releases/shield-addon-postgres.yml )
-want_feature secure && merge+=( manifests/addons/secure.yml )
+want_feature okta   && merge+=( "manifests/addons/okta.yml" )
+want_feature secure && merge+=( "manifests/addons/secure.yml" )
+want_feature oauth  && merge+=( "manifests/oauth.yml" )
 
-if want_feature oauth-provider; then
+if want_feature oauth-provider
+then
   echo >&2 "The oauth-provider feature flag is now just called 'oauth'."
-  merge+=( manifests/oauth.yml )
+  merge+=( "manifests/oauth.yml" )
 fi
 
-if want_feature proxy; then
+if want_feature proxy
+then
   echo >&2 "You no longer need to explicitly specify the 'proxy' feature."
   echo >&2 "If you remove it, everything will still work as expected."
 fi
 
+# ocfp feature overide everything except opsfiles.
+want_feature ocfp && merge+=( 
+  "ocfp/meta.yml"
+  "ocfp/ocfp.yml"
+)
+
 echo "${merge[@]}"
+if (( ${#opsfiles[@]} > 0 ))
+then echo "${opsfiles[@]}"
+fi

hooks/check

@@ -2,9 +2,21 @@
 
 # Cloud Config checks
 if [[ -n "$GENESIS_CLOUD_CONFIG" ]] ; then
-  cloud_config_needs vm_type    "$(lookup params.shield_vm_type    small)"
-  cloud_config_needs disk_type  "$(lookup params.shield_disk_pool  shield)"
-  cloud_config_needs network    "$(lookup params.shield_network    shield)"
+  if want_feature ocfp ; then
+    _env_scale="$(lookup --merged meta.ocfp.env.scale)"
+    _vm_type="shield-${_env_scale}"
+    _network="${GENESIS_ENVIRONMENT}-shield"
+    _disk_type="shield-${_env_scale}"
+  else # Legacy was hard coded
+    _vm_type="small"
+    _network="shield"
+    _disk_type="shield"
+  fi
+
+  cloud_config_needs vm_type   "$(lookup params.shield_vm_type   ${_vm_type})"
+  cloud_config_needs network   "$(lookup params.shield_network   ${_network})"
+  cloud_config_needs disk_type "$(lookup params.shield_disk_pool ${_disk_type})"
+
   if check_cloud_config; then
     describe "  cloud config [#G{OK}]"
   else

hooks/info

@@ -1,12 +1,21 @@
 #!/bin/bash
 set -eu
 
-describe "" \
-         "#B{$(lookup params.installation 'S.H.I.E.L.D.')}" \
-         "" \
-         "endpoint information" \
-         "  #C{$(exodus url)}" \
-         "" \
-         "admin credentials" \
-         "  username: #M{$(exodus admin_username)}" \
-         "  password: #G{$(exodus admin_password)}"
+# TODO: Fix lookup params.installation below for ocfp
+
+if want_feature ocfp; then
+  core_name=$(lookup meta.core.name)
+else
+  core_name=$(lookup params.installation 'S.H.I.E.L.D.')
+fi
+
+describe \
+  "" \
+  "#B${core_name}" \
+  "" \
+  "endpoint information" \
+  "  #C{$(exodus url)}" \
+  "" \
+  "admin credentials" \
+  "  username: #M{$(exodus admin_username)}" \
+  "  password: #G{$(exodus admin_password)}"

hooks/post-deploy

@@ -1,24 +1,26 @@
 #!/bin/bash
 set -eu
 
-if [[ $GENESIS_DEPLOY_RC == 0 ]]; then
-
-      echo; echo;
-  describe "#M{$GENESIS_ENVIRONMENT} SHIELD Core deployed!"
-      echo
-      echo "For details about the deployment, run"
-      echo
-  describe "  #G{genesis info $GENESIS_ENVIRONMENT}"
-      echo
-      echo "To access the SHIELD Web UI, run"
-      echo
-  describe "  #G{genesis do $GENESIS_ENVIRONMENT -- visit}"
-      echo
-      echo "You may want to configure your $GENESIS_ENVIRONMENT"
-      echo "BOSH director with an add-on, via runtime configs"
-      echo "To generate a good starting point, run"
-      echo
-  describe "  #G{genesis do $GENESIS_ENVIRONMENT -- runtime-config}"
-      echo
-
+if [[ $GENESIS_DEPLOY_RC == 0 ]]
+then
+  describe \
+    "" \
+    "#M{$GENESIS_ENVIRONMENT} SHIELD Core deployed!" \
+    "" \
+    "For details about the deployment, run" \
+    "" \
+    "  #G{genesis info $GENESIS_ENVIRONMENT}" \
+    "" \
+    "To access the SHIELD Web UI, run" \
+    "" \
+    "  #G{genesis do $GENESIS_ENVIRONMENT -- visit}" \
+    "" \
+    "You may want to configure your $GENESIS_ENVIRONMENT" \
+    "BOSH director with an add-on, via runtime configs" \
+    "To generate a good starting point, run" \
+    "" \
+    "  #G{genesis do $GENESIS_ENVIRONMENT -- runtime-config}" \
+    ""
 fi
+
+exit 0

manifests/addons/okta.yml

@@ -0,0 +1,19 @@
+---
+instance_groups:
+  - name: shield
+    jobs:
+      - name: core
+        properties:
+          auth:
+          - identifier: okta # or whatever you used when registering
+            name:       Okta
+            backend:    okta
+            properties:
+              client_id:            (( vault meta.vault "/okta:client_id" ))
+              client_secret:        (( vault meta.vault "/okta:client_secret" ))
+              # NOTE: domain + auth_server === issuer
+              okta_domain:          (( vault meta.vault "/okta:domain" ))
+              authorization_server: (( vault meta.vault "/okta:auth_server" ))
+              deployment_uri:       (( vault meta.vault "" )) # SHIELD-DEPLOYMENT-URL
+              mapping:  []    # more on this later
+

manifests/shield.yml

@@ -3,17 +3,17 @@ params:
   external_domain: (( grab params.shield_static_ip ))
 
 exodus:
-  url:     (( concat "https://" params.external_domain ))
-  ca_cert: (( vault meta.vault "/certs/ca:certificate" ))
-  pubkey:  (( vault meta.vault "/agent:public" ))
+  url:          (( concat "https://" params.external_domain ))
+  ca_cert:      (( vault meta.vault "/certs/ca:certificate" ))
+  pubkey:       (( vault meta.vault "/agent:public" ))
   admin_username: "admin"
   admin_password: "shield"
 
 instance_groups:
   - name: shield
     instances: 1
     azs: [(( grab params.availability_zone || "z1" ))]
-    persistent_disk_type: (( grab params.shield_disk_pool || "shield" ))
+    persistent_disk_type: (( grab params.shield_disk_type || params.shield_disk_pool || "shield" ))
     vm_type:              (( grab params.shield_vm_type   || "small"  ))
     stemcell: bionic
     networks:

ocfp/meta.yml

@@ -0,0 +1,51 @@
+---
+meta:
+  ocfp:
+    env:
+      scale: (( grab params.ocfp_env_scale || "dev" ))
+
+    vault:
+      tf: (( concat genesis.secrets_mount "tf/" genesis.vault_env ))
+
+    certs:
+      trusted:
+        - (( vault genesis.secrets_mount "certs/org:ca" )) # Organization CA, if exists
+        - (( vault genesis.secrets_mount "certs/dbs:ca" )) # External Databases CA
+
+  stemcell:
+    name:    (( grab params.stemcell_name    || "default" ))
+    os:      (( grab params.stemcell_os      || "ubuntu-bionic" ))
+    version: (( grab params.stemcell_version || "latest" ))
+
+  shield:
+    ip:     (( vault meta.ocfp.vault.tf "/bosh/iaas/subnets/ocfp/0/ips/ocf/reserved:shield_ip" ))
+    az:     (( concat genesis.env "-z1" ))
+    domain: (( vault meta.ocfp.vault.tf "/ocf/fqdns:shield" ))
+    ca:     (( vault meta.vault         "/certs/ca:certificate" ))
+
+    admin:
+      username: (( vault meta.ocfp.vault.tf "/shield/admin:username" ))
+      password: (( vault meta.ocfp.vault.tf "/shield/admin:password" ))
+
+
+    url:        (( concat "https://" meta.shield.domain ))
+    disk_type:  (( concat "shield-" meta.ocfp.env.scale ))
+    vm_type:    (( concat "shield-" meta.ocfp.env.scale ))
+    network:    (( concat genesis.env "-shield" ))
+
+    agent:
+      pub:      (( vault meta.vault "/agent:public" ))
+      key:      (( vault meta.vault "/agent:private" ))
+
+    server:
+      cert:     (( vault meta.vault "/certs/server:certificate" ))
+      key:      (( vault meta.vault "/certs/server:key" ))
+
+    vault:
+      ca:       (( vault meta.vault "/vault/ca:certificate" ))
+      cert:     (( vault meta.vault "/vault/server:certificate" ))
+      key:      (( vault meta.vault "/vault/server:key" ))
+
+    core:
+      name: (( concat genesis.env "-shield" ))
+

ocfp/ocfp.yml

@@ -0,0 +1,92 @@
+---
+params:
+  admin_username:   (( grab meta.shield.admin.username ))
+  external_domain:  (( grab meta.shield.domain ))
+
+  # These two required by `check`:
+  shield_static_ip: (( grab meta.shield.ip ))
+  external_domain: (( grab params.shield_static_ip ))
+
+exodus:
+  ca_cert:        (( grab meta.shield.ca ))
+  pubkey:         (( grab meta.shield.agent.pub ))
+  domain:         (( grab meta.shield.domain )) 
+  agent_ip:       (( grab meta.shield.ip )) 
+  dashboard_url:  (( concat "https://" meta.shield.domain )) 
+  api_url:        (( concat "https://" meta.shield.domain )) 
+  admin_username: (( grab meta.shield.admin.username ))
+  admin_password: (( grab meta.shield.admin.password ))
+
+instance_groups:
+  - name: shield
+    persistent_disk_type: (( concat "shield-" meta.ocfp.env.scale ))
+    instances: 1
+    azs:
+      - (( grab meta.shield.az ))
+
+    persistent_disk_type: (( grab meta.shield.disk_type ))
+    vm_type:              (( grab meta.shield.vm_type ))
+
+    stemcell: default
+
+    networks:
+      - name: (( grab meta.shield.network ))
+        static_ips:
+          - (( grab meta.shield.ip ))
+
+    vm_extensions:
+      - ((replace))
+      - shield-lb
+
+    jobs:
+      - name: shield-agent
+        release: shield
+        consumes:
+          shield: { from: shield }
+        properties:
+          core:
+            ca: (( grab meta.shield.ca ))
+          env:
+            http_proxy:  (( grab params.http_proxy  || "" ))
+            https_proxy: (( grab params.https_proxy || "" ))
+            no_proxy:    (( grab params.no_proxy    || "" ))
+
+      - name: core
+        release: shield
+        provides:
+          shield: { shared: true, as: shield }
+        properties:
+          require-shield-core: true
+          domain: (( grab meta.shield.ip )) # Q: Could this be meta.shield.domain?
+          agent:
+            key: (( grab meta.shield.agent.key ))
+          tls:
+            certificate: (( grab meta.shield.server.cert ))
+            key:         (( grab meta.shield.server.key )) 
+          vault:
+            tls:
+              ca:          (( grab meta.shield.vault.ca ))
+              certificate: (( grab meta.shield.vault.cert ))
+              key:         (( grab meta.shield.vault.key ))
+          core:
+            env: (( grab meta.shield.core.name ))
+          failsafe:
+            username: (( grab meta.shield.admin.username ))
+            password: (( grab meta.shield.admin.password ))
+
+update:
+  canaries: 0
+  max_in_flight: 1
+  serial: true
+  canary_watch_time: 1000-300000
+  update_watch_time: 1000-300000
+
+stemcells:
+- alias:   (( grab meta.stemcell.name ))
+  os:      (( grab meta.stemcell.os   ))
+  version: (( grab meta.stemcell.version ))
+
+---
+- type: remove
+  path: /instance_groups/name=shield/networks/0/static_ips
+