From 297d04574f053a31b523b8a664e11d6ce9557366 Mon Sep 17 00:00:00 2001 From: "Wayne E. Seguin" Date: Tue, 13 Dec 2022 23:05:04 -0500 Subject: [PATCH] Initial ocfp kit feature from pairing with Pururva. (#30) [Improvements] * Added `ocfp` feature which encodes the opensource cloud foundry platform reference architecture. `ocfp` specifies that **inputs for features come from vault**. The reference architecture specifies the `network`, `vm_type`, `disk_type`, and `azs` based on `dev` vs `prod` environment scales. Naming scheme is entirely based on environment name, and is designed to work with the `ocfp-ops-scripts` `ocfp` cli in order to generate configs, initialize and test environments. --- Co-authored-by: Pururva Lakkad Co-authored-by: Dennis Bell --- hooks/blueprint | 55 ++++++++++++++++++----- hooks/check | 18 ++++++-- hooks/info | 27 ++++++++---- hooks/post-deploy | 42 +++++++++--------- manifests/addons/okta.yml | 19 ++++++++ manifests/shield.yml | 8 ++-- ocfp/meta.yml | 51 ++++++++++++++++++++++ ocfp/ocfp.yml | 92 +++++++++++++++++++++++++++++++++++++++ 8 files changed, 266 insertions(+), 46 deletions(-) create mode 100644 manifests/addons/okta.yml create mode 100644 ocfp/meta.yml create mode 100644 ocfp/ocfp.yml diff --git a/hooks/blueprint b/hooks/blueprint index ff43b8f..f2ca8fe 100755 --- a/hooks/blueprint +++ b/hooks/blueprint 
@@ -1,25 +1,60 @@ #!/bin/bash + set -eu -declare -a merge +declare -a merge opsfiles +opsfiles=() +ops_var='merge' +want_feature "ocfp" && ops_var="opsfiles" + +for want in ${GENESIS_REQUESTED_FEATURES} +do + case ${want} in + (ocfp|oauth|oauth-provider|proxy|postgres-addon|secure|okta) + true + ;; + (*) + if [[ -f "$GENESIS_ROOT/ops/$want.yml" ]] + then eval "$ops_var+=( \"$GENESIS_ROOT/ops/$want.yml\" )" + else echo "ERROR: Unsupported feature: ${want}" ; exit 1 + fi + ;; + esac +done -validate_features oauth oauth-provider \ - proxy postgres-addon secure +merge=( + "manifests/shield.yml" + "manifests/releases/shield.yml" +) -merge=( manifests/shield.yml manifests/releases/shield.yml ) +want_feature postgres-addon && merge+=( + "manifests/addons/postgres.yml" + "manifests/releases/shield-addon-postgres.yml" +) -want_feature oauth && merge+=( manifests/oauth.yml ) -want_feature postgres-addon && merge+=( manifests/addons/postgres.yml manifests/releases/shield-addon-postgres.yml ) -want_feature secure && merge+=( manifests/addons/secure.yml ) +want_feature okta && merge+=( "manifests/addons/okta.yml" ) +want_feature secure && merge+=( "manifests/addons/secure.yml" ) +want_feature oauth && merge+=( "manifests/oauth.yml" ) -if want_feature oauth-provider; then +if want_feature oauth-provider +then echo >&2 "The oauth-provider feature flag is now just called 'oauth'." - merge+=( manifests/oauth.yml ) + merge+=( "manifests/oauth.yml" ) fi -if want_feature proxy; then +if want_feature proxy +then echo >&2 "You no longer need to explicitly specify the 'proxy' feature." echo >&2 "If you remove it, everything will still work as expected." fi +# ocfp feature overide everything except opsfiles. +want_feature ocfp && merge+=( + "ocfp/meta.yml" + "ocfp/ocfp.yml" +) + echo "${merge[@]}" +if (( ${#opsfiles[@]} > 0 )) +then echo "${opsfiles[@]}" +fi diff --git a/hooks/check b/hooks/check index 035aa27..7966d44 100755 --- a/hooks/check +++ b/hooks/check 
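Review bot: Ops files collected by the new `for want in ${GENESIS_REQUESTED_FEATURES}` loop are discarded on the non-ocfp path, because the loop appends them to `merge` (the `ops_var` default) and the `merge=( "manifests/shield.yml" ... )` assignment that follows reinitialises the array; either initialise `merge` before the loop and use `merge+=(` in the loop, or run the loop after the base manifests are set so the ops files also land after them in the merge order. The `eval "$ops_var+=( \"$GENESIS_ROOT/ops/$want.yml\" )"` is avoidable as well: both `$GENESIS_ROOT` and the feature name are re-parsed by the shell, so a path or feature string containing a quote or `$` breaks the command instead of being treated as data; `if [[ $ops_var == opsfiles ]]; then opsfiles+=( "$GENESIS_ROOT/ops/$want.yml" ); else merge+=( "$GENESIS_ROOT/ops/$want.yml" ); fi` needs no eval. The `echo "ERROR: Unsupported feature: ${want}"` should go to stderr (`echo >&2 ...`) like the other diagnostics in this hook, since this hook's stdout is the merge list that genesis consumes.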
@@ -2,9 +2,21 @@ # Cloud Config checks if [[ -n "$GENESIS_CLOUD_CONFIG" ]] ; then - cloud_config_needs vm_type "$(lookup params.shield_vm_type small)" - cloud_config_needs disk_type "$(lookup params.shield_disk_pool shield)" - cloud_config_needs network "$(lookup params.shield_network shield)" + if want_feature ocfp ; then + _env_scale="$(lookup --merged meta.ocfp.env.scale)" + _vm_type="shield-${_env_scale}" + _network="${GENESIS_ENVIRONMENT}-shield" + _disk_type="shield-${_env_scale}" + else # Legacy was hard coded + _vm_type="small" + _network="shield" + _disk_type="shield" + fi + + cloud_config_needs vm_type "$(lookup params.shield_vm_type ${_vm_type})" + cloud_config_needs network "$(lookup params.shield_network ${_network})" + cloud_config_needs disk_type "$(lookup params.shield_disk_pool ${_disk_type})" + if check_cloud_config; then describe " cloud config [#G{OK}]" else diff --git a/hooks/info b/hooks/info index 4e47db7..2c89a85 100755 --- a/hooks/info +++ b/hooks/info @@ -1,12 +1,21 @@ #!/bin/bash set -eu -describe "" \ - "#B{$(lookup params.installation 'S.H.I.E.L.D.')}" \ - "" \ - "endpoint information" \ - " #C{$(exodus url)}" \ - "" \ - "admin credentials" \ - " username: #M{$(exodus admin_username)}" \ - " password: #G{$(exodus admin_password)}" +# TODO: Fix lookup params.installation below for ocfp + +if want_feature ocfp; then + core_name=$(lookup meta.core.name) +else + core_name=$(lookup params.installation 'S.H.I.E.L.D.') +fi + +describe \ + "" \ + "#B${core_name}" \ + "" \ + "endpoint information" \ + " #C{$(exodus url)}" \ + "" \ + "admin credentials" \ + " username: #M{$(exodus admin_username)}" \ + " password: #G{$(exodus admin_password)}" diff --git a/hooks/post-deploy b/hooks/post-deploy index fd562d9..3aa9308 100755 --- a/hooks/post-deploy +++ b/hooks/post-deploy 
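Review bot: The disk-type check no longer matches what manifests/shield.yml deploys: that file's hunk in this commit now resolves `params.shield_disk_type || params.shield_disk_pool || "shield"`, while `cloud_config_needs disk_type "$(lookup params.shield_disk_pool ${_disk_type})"` consults only `shield_disk_pool`, so an environment that sets the new `shield_disk_type` is validated against the wrong cloud-config disk type. Resolve the same chain here, e.g. `cloud_config_needs disk_type "$(lookup params.shield_disk_type "$(lookup params.shield_disk_pool "${_disk_type}")")"`. The `${_vm_type}`, `${_network}` and `${_disk_type}` expansions passed as defaults are unquoted; quoting them keeps any value containing whitespace intact. The enclosing `if [[ -n "$GENESIS_CLOUD_CONFIG" ]]` block continues past the end of the hunk.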
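Review bot: `"#B${core_name}"` loses the braces of the `#B{...}` colour markup that the removed line had (`#B{$(lookup ...)}`), because `${core_name}` is now the shell's own brace syntax; it should read `"#B{${core_name}}"` so describe still receives a delimited span. The ocfp branch also calls `lookup meta.core.name`, whereas ocfp/meta.yml in this commit appears to define the name under `meta.shield.core.name` (ocfp/ocfp.yml grabs it from there), so the lookup would resolve to nothing and, having no default, leave the header empty — `core_name=$(lookup meta.shield.core.name)` looks like the intended path; please confirm against the kit's meta layout. The `# TODO: Fix lookup params.installation below for ocfp` comment should say what remains to be fixed, since this hunk already branches on the feature.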
@@ -1,24 +1,26 @@ #!/bin/bash set -eu -if [[ $GENESIS_DEPLOY_RC == 0 ]]; then - - echo; echo; - describe "#M{$GENESIS_ENVIRONMENT} SHIELD Core deployed!" - echo - echo "For details about the deployment, run" - echo - describe " #G{genesis info $GENESIS_ENVIRONMENT}" - echo - echo "To access the SHIELD Web UI, run" - echo - describe " #G{genesis do $GENESIS_ENVIRONMENT -- visit}" - echo - echo "You may want to configure your $GENESIS_ENVIRONMENT" - echo "BOSH director with an add-on, via runtime configs" - echo "To generate a good starting point, run" - echo - describe " #G{genesis do $GENESIS_ENVIRONMENT -- runtime-config}" - echo - +if [[ $GENESIS_DEPLOY_RC == 0 ]] +then + describe \ + "" \ + "#M{$GENESIS_ENVIRONMENT} SHIELD Core deployed!" \ + "" \ + "For details about the deployment, run" \ + "" \ + " #G{genesis info $GENESIS_ENVIRONMENT}" \ + "" \ + "To access the SHIELD Web UI, run" \ + "" \ + " #G{genesis do $GENESIS_ENVIRONMENT -- visit}" \ + "" \ + "You may want to configure your $GENESIS_ENVIRONMENT" \ + "BOSH director with an add-on, via runtime configs" \ + "To generate a good starting point, run" \ + "" \ + " #G{genesis do $GENESIS_ENVIRONMENT -- runtime-config}" \ + "" fi + +exit 0 diff --git a/manifests/addons/okta.yml b/manifests/addons/okta.yml new file mode 100644 index 0000000..1016ada --- /dev/null +++ b/manifests/addons/okta.yml @@ -0,0 +1,19 @@ +--- +instance_groups: + - name: shield + jobs: + - name: core + properties: + auth: + - identifier: okta # or whatever you used when registering + name: Okta + backend: okta + properties: + client_id: (( vault meta.vault "/okta:client_id" )) + client_secret: (( vault meta.vault "/okta:client_secret" )) + # NOTE: domain + auth_server === issuer + okta_domain: (( vault meta.vault "/okta:domain" )) + authorization_server: (( vault meta.vault "/okta:auth_server" )) + deployment_uri: (( vault meta.vault "" )) # SHIELD-DEPLOYMENT-URL + mapping: [] # more on this later + 
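Review bot: `deployment_uri: (( vault meta.vault "" )) # SHIELD-DEPLOYMENT-URL` in manifests/addons/okta.yml is a placeholder rather than a working reference: the vault operator is handed an empty path with no `:key`, so as far as I can tell the merge cannot produce the SHIELD URL the Okta backend needs. The rest of this kit derives that URL from `params.external_domain` (`exodus.url` in manifests/shield.yml in this same commit), so `deployment_uri: (( concat "https://" params.external_domain ))` would keep the addon consistent with the deployment instead of requiring a second copy of the URL in vault. `mapping: [] # more on this later` and `identifier: okta # or whatever you used when registering` likewise read as notes-to-self; a short comment stating what `mapping` must contain before a user can log in, or a pointer to the SHIELD auth docs, would help the operator enabling this feature.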
diff --git a/manifests/shield.yml b/manifests/shield.yml index 1d222eb..cf499fa 100644 --- a/manifests/shield.yml +++ b/manifests/shield.yml @@ -3,9 +3,9 @@ params: external_domain: (( grab params.shield_static_ip )) exodus: - url: (( concat "https://" params.external_domain )) - ca_cert: (( vault meta.vault "/certs/ca:certificate" )) - pubkey: (( vault meta.vault "/agent:public" )) + url: (( concat "https://" params.external_domain )) + ca_cert: (( vault meta.vault "/certs/ca:certificate" )) + pubkey: (( vault meta.vault "/agent:public" )) admin_username: "admin" admin_password: "shield" @@ -13,7 +13,7 @@ instance_groups: - name: shield instances: 1 azs: [(( grab params.availability_zone || "z1" ))] - persistent_disk_type: (( grab params.shield_disk_pool || "shield" )) + persistent_disk_type: (( grab params.shield_disk_type || params.shield_disk_pool || "shield" )) vm_type: (( grab params.shield_vm_type || "small" )) stemcell: bionic networks: diff --git a/ocfp/meta.yml b/ocfp/meta.yml new file mode 100644 index 0000000..ddfc9f3 --- /dev/null +++ b/ocfp/meta.yml 
@@ -0,0 +1,51 @@ +--- +meta: + ocfp: + env: + scale: (( grab params.ocfp_env_scale || "dev" )) + + vault: + tf: (( concat genesis.secrets_mount "tf/" genesis.vault_env )) + + certs: + trusted: + - (( vault genesis.secrets_mount "certs/org:ca" )) # Organization CA, if exists + - (( vault genesis.secrets_mount "certs/dbs:ca" )) # External Databases CA + + stemcell: + name: (( grab params.stemcell_name || "default" )) + os: (( grab params.stemcell_os || "ubuntu-bionic" )) + version: (( grab params.stemcell_version || "latest" )) + + shield: + ip: (( vault meta.ocfp.vault.tf "/bosh/iaas/subnets/ocfp/0/ips/ocf/reserved:shield_ip" )) + az: (( concat genesis.env "-z1" )) + domain: (( vault meta.ocfp.vault.tf "/ocf/fqdns:shield" )) + ca: (( vault meta.vault "/certs/ca:certificate" )) + + admin: + username: (( vault meta.ocfp.vault.tf "/shield/admin:username" )) + password: (( vault meta.ocfp.vault.tf "/shield/admin:password" )) + + + url: (( concat "https://" meta.shield.domain )) + disk_type: (( concat "shield-" meta.ocfp.env.scale )) + vm_type: (( concat "shield-" meta.ocfp.env.scale )) + network: (( concat genesis.env "-shield" )) + + agent: + pub: (( vault meta.vault "/agent:public" )) + key: (( vault meta.vault "/agent:private" )) + + server: + cert: (( vault meta.vault "/certs/server:certificate" )) + key: (( vault meta.vault "/certs/server:key" )) + + vault: + ca: (( vault meta.vault "/vault/ca:certificate" )) + cert: (( vault meta.vault "/vault/server:certificate" )) + key: (( vault meta.vault "/vault/server:key" )) + + core: + name: (( concat genesis.env "-shield" )) + diff --git a/ocfp/ocfp.yml b/ocfp/ocfp.yml new file mode 100644 index 0000000..6e73e19 --- /dev/null +++ b/ocfp/ocfp.yml 
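Review bot: The `# Organization CA, if exists` comment on `(( vault genesis.secrets_mount "certs/org:ca" ))` does not match how the reference behaves as far as I know: a `vault` reference with no fallback fails the merge when the secret is absent, so either give it an explicit default the way the `grab`s in this file do, or document that `certs/org:ca` must always be present. The commit message says `azs` follow the `dev`/`prod` scale, but `az: (( concat genesis.env "-z1" ))` under `meta.shield` is fixed to a single `-z1` zone for every scale; if that is intended for now, a comment saying so would stop readers looking for the prod variant. `meta.ocfp.vault.tf` is the root for the admin credentials, the reserved IP and the FQDN, so a one-line comment on it naming which tool populates that path (presumably the `ocfp` cli mentioned in the commit message) would save the next reader a search.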
@@ -0,0 +1,92 @@ +--- +params: + admin_username: (( grab meta.shield.admin.username )) + external_domain: (( grab meta.shield.domain )) + + # These two required by `check`: + shield_static_ip: (( grab meta.shield.ip )) + external_domain: (( grab params.shield_static_ip )) + +exodus: + ca_cert: (( grab meta.shield.ca )) + pubkey: (( grab meta.shield.agent.pub )) + domain: (( grab meta.shield.domain )) + agent_ip: (( grab meta.shield.ip )) + dashboard_url: (( concat "https://" meta.shield.domain )) + api_url: (( concat "https://" meta.shield.domain )) + admin_username: (( grab meta.shield.admin.username )) + admin_password: (( grab meta.shield.admin.password )) + +instance_groups: + - name: shield + persistent_disk_type: (( concat "shield-" meta.ocfp.env.scale )) + instances: 1 + azs: + - (( grab meta.shield.az )) + + persistent_disk_type: (( grab meta.shield.disk_type )) + vm_type: (( grab meta.shield.vm_type )) + + stemcell: default + + networks: + - name: (( grab meta.shield.network )) + static_ips: + - (( grab meta.shield.ip )) + + vm_extensions: + - ((replace)) + - shield-lb + + jobs: + - name: shield-agent + release: shield + consumes: + shield: { from: shield } + properties: + core: + ca: (( grab meta.shield.ca )) + env: + http_proxy: (( grab params.http_proxy || "" )) + https_proxy: (( grab params.https_proxy || "" )) + no_proxy: (( grab params.no_proxy || "" )) + + - name: core + release: shield + provides: + shield: { shared: true, as: shield } + properties: + require-shield-core: true + domain: (( grab meta.shield.ip )) # Q: Could this be meta.shield.domain? 
+ agent: + key: (( grab meta.shield.agent.key )) + tls: + certificate: (( grab meta.shield.server.cert )) + key: (( grab meta.shield.server.key )) + vault: + tls: + ca: (( grab meta.shield.vault.ca )) + certificate: (( grab meta.shield.vault.cert )) + key: (( grab meta.shield.vault.key )) + core: + env: (( grab meta.shield.core.name )) + failsafe: + username: (( grab meta.shield.admin.username )) + password: (( grab meta.shield.admin.password )) + +update: + canaries: 0 + max_in_flight: 1 + serial: true + canary_watch_time: 1000-300000 + update_watch_time: 1000-300000 + +stemcells: +- alias: (( grab meta.stemcell.name )) + os: (( grab meta.stemcell.os )) + version: (( grab meta.stemcell.version )) + +--- +- type: remove + path: /instance_groups/name=shield/networks/0/static_ips +
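Review bot: `params.external_domain` is defined twice in the same mapping in ocfp/ocfp.yml — first as `(( grab meta.shield.domain ))`, then as `(( grab params.shield_static_ip ))` — so one definition silently wins, and since manifests/shield.yml builds `exodus.url` from `params.external_domain`, the published URL may end up as the bare IP rather than the FQDN that `meta.shield.url` uses; keep one definition and, if the IP is what `check` needs, give it a distinct key. `persistent_disk_type` is likewise set twice on the shield instance group (`(( concat "shield-" meta.ocfp.env.scale ))` and `(( grab meta.shield.disk_type ))`); drop the first. The instance group pins `stemcell: default` while the `stemcells` alias is `(( grab meta.stemcell.name ))`, so overriding `params.stemcell_name` breaks the reference — use `stemcell: (( grab meta.stemcell.name ))`. The trailing `- type: remove` document strips `/instance_groups/name=shield/networks/0/static_ips`, which this same file assigns from `meta.shield.ip`; if the `shield-lb` extension makes the static IP unnecessary, a comment on the op should say so, because otherwise it reads as contradicting the `static_ips` entry above. The `# Q: Could this be meta.shield.domain?` on `domain: (( grab meta.shield.ip ))` should be resolved before merge rather than shipped as an open question.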