This is the README for Ops-files. To learn more about cf-deployment, go to the main README.

- For experimental Ops-files, check out the Experimental Ops-file README.
- For Community Ops-files, check out the Community Ops-file README.
- For Addons Ops-files that can be applied to manifests or runtime configs, check out the Addons Ops-file README.
- For Backup and Restore Ops-files (for configuring your deployment for use with BBR), check out the Backup and Restore Ops-files README.
Name | Purpose | Notes | Currently validated in Release Integration CI pipelines? |
---|---|---|---|
GCP | | | |
`use-gcs-blobstore-service-account.yml` | Enables service account credentials for Google blobstore. | Requires `use-external-blobstore.yml`. Introduces new variables for the GCP service account email/JSON key and bucket names. | YES |
`use-gcs-blobstore-access-key.yml` | Enables access key credentials for Google blobstore. | Requires `use-external-blobstore.yml`. Introduces new variables for the access key/secret and bucket names. | NO |
AWS | | | |
`aws.yml` | Overrides the loggregator endpoint port to 4443. | A port separate from the standard HTTPS port (443) is required for loggregator traffic in order to use "classic" AWS ELBs. Newer "Application Load Balancers" and "Network Load Balancers" (as set up by bbl >= v7.0.0) should not require this port override, so there is no need for this ops-file if you are using the newer load balancers. | YES |
`use-s3-blobstore.yml` | Configures the external blobstore to use Amazon S3. | Requires `use-external-blobstore.yml`. Introduces new variables for S3 credentials and bucket names. | YES |
Azure | * Not validated or supported by the Release Integration team | | |
`azure.yml` | Sets gorouter's `frontend_idle_timeout` to a value appropriate for Azure load balancers. | Any value below 240 should work. | NO |
`use-azure-storage-blobstore.yml` | Configures the external blobstore to use Azure Storage. | Requires `use-external-blobstore.yml`. Introduces new variables for Azure credentials and container names. | NO |
Openstack | * Not validated or supported by the Release Integration team | | |
`openstack.yml` | Used for deploying Cloud Foundry on OpenStack with BOSH. | See the OpenStack documentation. | NO |
`use-swift-blobstore.yml` | Replaces the local WebDAV blobstore with an OpenStack Swift blobstore. Used for deploying Cloud Foundry on OpenStack with BOSH. | Requires `use-external-blobstore.yml`. Introduces new variables for OpenStack credentials and directory names. If you plan to use the Swift ops file to enable Swift as the blobstore for the Cloud Controller, you should also run the Swift extension. | NO |
Alibaba Cloud | * Not validated or supported by the Release Integration team | | |
`use-alicloud-oss-blobstore.yml` | Configures the external blobstore to use Alibaba Cloud OSS. | Requires `use-external-blobstore.yml`. Introduces new variables for OSS credentials and bucket names. | NO |
`use-alicloud-oss-blobstore-to-multi-bucket.yml` | Configures the external blobstore to use Alibaba Cloud OSS, with each blobstore in its own OSS bucket. | Requires `use-external-blobstore.yml`. Introduces new variables for OSS credentials and bucket names. | NO |
Name | Purpose | Notes | Currently validated in Release Integration CI pipelines? |
---|---|---|---|
`add-persistent-isolation-segment-diego-cell.yml` | Deploys an isolation segment Diego cell. | See the isolation segment documentation. | YES |
`add-persistent-isolation-segment-router.yml` | Deploys an isolation segment router. | See the isolation segment documentation. | YES |
`bosh-lite.yml` | Enables cf-deployment to be deployed on bosh-lite. | See the bosh-lite documentation. | YES |
`configure-default-router-group.yml` | Allows the deployer to configure reservable ports for the default TCP router group by passing the variable `default_router_group_reservable_ports`. | | NO |
`disable-router-tls-termination.yml` | Eliminates keys related to performing TLS termination within the gorouter job. | Useful for deployments where TLS termination is performed before the gorouter; for instance, on AWS such termination is commonly done at the ELB. This also eliminates the need to specify `((router_ssl.certificate))` and `((router_ssl.private_key))` in the var files. | NO |
`disable-http2.yml` | Prevents gorouter from accepting and forwarding HTTP/2 requests. | | NO |
`disable-dynamic-asgs.yml` | Disables dynamic updates for security groups. | | NO |
`disable-tls-tcp-routing-stage-1-unproxied-ports.yml` | Stage 1 deployment for disabling TLS for TCP routes. See configuring TCP routes for more info. | | NO |
`disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml` | Stage 2 deployment for disabling TLS for TCP routes. See configuring TCP routes for more info. | | NO |
`disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml` | Stage 1 deployment for disabling TLS for TCP routes on isolation segments. See configuring TCP routes for more info. | | NO |
`disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml` | Stage 2 deployment for disabling TLS for TCP routes on isolation segments. See configuring TCP routes for more info. | | NO |
`enable-cc-rate-limiting.yml` | Enables rate limiting for UAA-authenticated endpoints. | Introduces the variables `cc_rate_limiter_general_limit` and `cc_rate_limiter_unauthenticated_limit`. | NO |
`enable-cc-v2-rate-limiting.yml` | Enables V2 API rate limiting for UAA-authenticated endpoints. | Introduces the variables `cc_v2_rate_limiter_general_limit`, `cc_v2_rate_limiter_admin_limit` and `cc_v2_rate_limiter_reset_interval_in_minutes`. | NO |
`enable-cpu-throttling.yml` | Configures Garden containers with CPU entitlement. | This ops file requires `set-cpu-weight.yml`. | YES |
`enable-nfs-ldap.yml` | Enables LDAP authentication for NFS volume services. | Requires `enable-nfs-volume-service.yml`. Introduces new variables. | NO |
`enable-nfs-volume-service.yml` | Enables volume support and deploys an NFS broker and volume driver. | As of cf-deployment v2, you must use the `nfsbrokerpush` errand to `cf push` the NFS broker after `bosh deploy` completes. | YES |
`enable-privileged-container-support.yml` | Enables Diego privileged container support. | | NO |
`enable-service-discovery.yml` | Enables application service discovery. | | YES |
`enable-smb-volume-service.yml` | Enables volume support and deploys an SMB broker and volume driver. | As of cf-deployment v2, you must use the `smbbrokerpush` errand to `cf push` the SMB broker after `bosh deploy` completes. | NO |
`enable-tls-on-file-server.yml` | Enables TLS on the file-server for assets. | Enables downloading lifecycle assets over HTTPS. | NO |
`override-app-domains.yml` | Switches from using the system domain as a shared app domain; allows the configuration of one or more shared app domains instead. | Adds new variables. CAUTION: Seeding domains with a router group name (including TCP domains) may cause problems deploying. Use the cf CLI to add shared domains with router group names. | NO |
`rename-network-and-deployment.yml` | Allows a deployer to rename the network and deployment by passing the variables `network_name` and `deployment_name`. | CAUTION: If you are using this ops file along with another ops file that increases the number of instance groups (e.g. `perm-services.yml`), this ops file will not rename the network for those instance groups. | YES |
`scale-database-cluster.yml` | Scales the cf-deployment database to 3 nodes across 3 zones (z1, z2, z3). | Cannot be used with postgres, as it will not scale. | YES |
`scale-to-one-az.yml` | Scales cf-deployment down to a single instance per instance group, placing them all into a single AZ. | Effectively halves the deployment's footprint. Should be applied before other ops files. | NO |
`set-bbs-active-key.yml` | Allows a deployer to set the BBS active key label by passing the variable `diego_bbs_active_key_label`. | | YES |
`set-cpu-weight.yml` | Sets the CPU shares of each Garden container proportional to its memory limit. | | YES |
`set-router-static-ips.yml` | Allows a deployer to set the static IPs for the router VMs by passing the variable `router_static_ips`. | The `router_static_ips` variable must be provided as a compacted YAML array, e.g. `-v router_static_ips=[10.0.16.4,10.0.47.5]`. | NO |
`stop-skipping-tls-validation.yml` | Enforces TLS validation for all components which skip it in the base `cf-deployment.yml` manifest. | See the base README for details. | YES |
`use-absolute-cpu-entitlement-persistent-isolation-segment.yml` | Switches Diego to emit deprecated absolute CPU entitlement metrics within an isolation segment. | | NO |
`use-absolute-cpu-entitlement-windows2019.yml` | Switches Diego to emit deprecated absolute CPU entitlement metrics on Windows. | | NO |
`use-absolute-cpu-entitlement.yml` | Switches Diego to emit deprecated absolute CPU entitlement metrics. | | NO |
`use-blobstore-cdn.yml` | Adds support for accessing the droplets and resource_pool blobstore buckets via signed URLs over a CDN. | This assumes that you are using the same keypair for both buckets. Introduces new variables. | NO |
`use-compiled-releases.yml` | Instead of having your BOSH Director compile each release, use this ops-file to use pre-compiled releases for a deployment speed improvement. | These releases are compiled against a specific stemcell version that is listed in the ops-file. Note that no Windows releases are currently compiled. | YES |
`use-external-blobstore.yml` | Removes the singleton-blobstore instance group, and adds `fog_connection` properties for components that use the blobstore. Warning: this does not migrate data, and will delete any existing singleton-blobstore groups. | This requires an external data store. Introduces new variables for blobstore connection details which will need to be provided at deploy time. | YES |
`use-external-dbs.yml` | Removes the database instance group, the pxc release, and all MySQL variables. Warning: this does not migrate data, and will delete existing database instance groups. | This requires an external data store. Introduces new variables for DB connection details which will need to be provided at deploy time. This must be applied before any ops file that removes jobs that use a database, such as the ops file to remove the routing API. | YES |
`use-haproxy.yml` | Deploys a single haproxy instance to be used as a load balancer. | This ops-file doesn't depend on the use of an IaaS VIP and doesn't use the `keepalived` property of the haproxy-boshrelease. | NO |
`use-haproxy-public-network.yml` | Puts the haproxy instance on a public network with a static IP assigned to it. | Requires `use-haproxy.yml`. This ops file also requires your BOSH cloud-config to have a `vm_extension` called `cf-haproxy-network-properties`, which configures firewall rules to allow public traffic on the necessary ports (you will need to allow at least the default HTTP and HTTPS ports (80 and 443), port 4443 for doppler, as well as the port range configured for TCP routing). | NO |
`use-internal-lookup-for-route-services.yml` | Configures the gorouter to prefer internal lookup of route services. Warning: this enables a potential exploit detailed under CVE-2019-3789. | | NO |
`use-latest-stemcell.yml` | Uses the latest stemcell available on your BOSH director instead of the one in `cf-deployment.yml`. Caution: this ops-file should not be used in conjunction with `use-compiled-releases.yml`, since the latter relies on a specific stemcell version being used. | | NO |
`use-latest-windows2019-stemcell.yml` | Uses the latest windows2019 stemcell available on your BOSH director instead of the one in `windows2019-cell.yml`. | Requires `windows2019-cell.yml`. | NO |
`use-metric-store.yml` | Adds a single-node metric store. | | NO |
`use-operator-provided-router-tls-certificates.yml` | Allows an operator to provide their own certificates for the gorouter by providing the variable `router_ssl_pem`. | This is required if using AWS Network Load Balancers. | YES |
`use-postgres.yml` | Replaces the MySQL instance group with a postgres instance group. Warning: this will lead to total data loss if applied to an existing deployment with MySQL or removed from an existing deployment with postgres. | | YES |
`use-trusted-ca-cert-for-apps.yml` | Injects the CA specified with `trusted_cert_for_apps` into the Diego rep job's trust store and cf-deployment's default root filesystem. | Applications that explicitly look in the canonical location (`/etc/cf-system-certificates`) will trust certificates signed by the given CA, regardless of filesystem. Applications that use the default root filesystem will trust certificates signed by the given CA implicitly. See the documentation for information about configuring additional trusted CA certificates. | NO |
`use-offline-windows2019fs.yml` | Uses the offline version of windows2019fs-release. | Requires `windows2019-cell.yml`. Suitable for environments without internet access. Follow the instructions here to upload the release prior to deploying. | NO |
`use-online-windows2019fs.yml` | Uses the windows2019fs job from the online version of windowsfs-release. | Requires `windows2019-cell.yml`. Requires the environment to have internet access. | YES |
`windows2019-cell.yml` | Deploys a windows2019 cell. | Requires that a windows2019 stemcell is uploaded to the BOSH director, and must be used together with `use-online-windows2019fs.yml` or a suitable ops-file. | YES |
`use-cflinuxfs4-compat.yml` | Uses the cflinuxfs4 compatibility release instead of the default cflinuxfs4 release. | | YES |
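The "Requires", "Cannot be used with" and "Should be applied before" notes above are easy to get wrong when an ops-file list grows across several environments. The checker below is an added example, not part of cf-deployment or its tooling: it transcribes those constraints from the tables above into data and checks a candidate `-o` list against them before anything is deployed. Everything in the constraint tables comes from the README notes; the one assumption is that `use-offline-windows2019fs.yml` counts as a "suitable opsfile" for `windows2019-cell.yml`. The ops-file the README refers to only as "the ops file to remove the routing API" is not named on this page, so the ordering rule for `use-external-dbs.yml` is passed in by the caller with a clearly marked placeholder name.

```python
"""Consistency checker for a cf-deployment ops-file selection.

Added example (not cf-deployment's own code). The constraint tables are
transcribed from the Ops-file README notes: "Requires X", "Cannot be used
with X" and "Should be applied before other ops files".
"""

# ops-file -> ops-files that must also be present in the selection.
REQUIRES = {
    "use-gcs-blobstore-service-account.yml": ["use-external-blobstore.yml"],
    "use-gcs-blobstore-access-key.yml": ["use-external-blobstore.yml"],
    "use-s3-blobstore.yml": ["use-external-blobstore.yml"],
    "use-azure-storage-blobstore.yml": ["use-external-blobstore.yml"],
    "use-swift-blobstore.yml": ["use-external-blobstore.yml"],
    "use-alicloud-oss-blobstore.yml": ["use-external-blobstore.yml"],
    "use-alicloud-oss-blobstore-to-multi-bucket.yml": ["use-external-blobstore.yml"],
    "enable-cpu-throttling.yml": ["set-cpu-weight.yml"],
    "enable-nfs-ldap.yml": ["enable-nfs-volume-service.yml"],
    "use-haproxy-public-network.yml": ["use-haproxy.yml"],
    "use-latest-windows2019-stemcell.yml": ["windows2019-cell.yml"],
    "use-offline-windows2019fs.yml": ["windows2019-cell.yml"],
    "use-online-windows2019fs.yml": ["windows2019-cell.yml"],
}

# ops-file -> at least one of these must also be present.
# Assumption: the offline windows2019fs ops-file is a "suitable opsfile".
REQUIRES_ONE_OF = {
    "windows2019-cell.yml": ["use-online-windows2019fs.yml",
                             "use-offline-windows2019fs.yml"],
}

# Pairs the README says must not be combined.
CONFLICTS = [
    ("use-latest-stemcell.yml", "use-compiled-releases.yml"),
    ("scale-database-cluster.yml", "use-postgres.yml"),
]

# The README says this one "should be applied before other ops files".
MUST_BE_FIRST = "scale-to-one-az.yml"


def check_ops_files(ops_files, must_precede=None):
    """Return a list of human-readable problems; an empty list means the
    selection is consistent with the README notes.

    ops_files:    the ops-files in the order they would be passed with -o.
    must_precede: optional {earlier: [later, ...]} ordering rules supplied
                  by the caller (e.g. use-external-dbs.yml before any
                  ops-file that removes database-using jobs).
    """
    selected = list(ops_files)
    present = set(selected)
    position = {name: i for i, name in enumerate(selected)}
    problems = []

    for name in sorted(n for n in present if selected.count(n) > 1):
        problems.append(f"{name} is listed more than once")

    for name in selected:
        for dep in REQUIRES.get(name, []):
            if dep not in present:
                problems.append(f"{name} requires {dep}")

    for name, alternatives in REQUIRES_ONE_OF.items():
        if name in present and not any(a in present for a in alternatives):
            problems.append(f"{name} requires one of: {', '.join(alternatives)}")

    for a, b in CONFLICTS:
        if a in present and b in present:
            problems.append(f"{a} must not be combined with {b}")

    if MUST_BE_FIRST in present and position[MUST_BE_FIRST] != 0:
        problems.append(f"{MUST_BE_FIRST} should be applied before other ops files")

    for earlier, laters in (must_precede or {}).items():
        for later in laters:
            if (earlier in present and later in present
                    and position[earlier] > position[later]):
                problems.append(f"{earlier} must be applied before {later}")

    return problems


if __name__ == "__main__":
    # Constructed selection with several deliberate mistakes.
    selection = [
        "use-compiled-releases.yml",
        "use-s3-blobstore.yml",          # missing use-external-blobstore.yml
        "enable-cpu-throttling.yml",     # missing set-cpu-weight.yml
        "use-latest-stemcell.yml",       # conflicts with use-compiled-releases.yml
        "scale-to-one-az.yml",           # should be first
    ]
    for problem in check_ops_files(selection):
        print("problem:", problem)
```

Run it over the same list you hand to `bosh deploy -o ...`; a non-empty result is a reason to stop before the deploy, since several of these ops-files (the external blobstore and database ones in particular) delete instance groups without migrating data.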