Skip to content

Latest commit

 

History

History
82 lines (75 loc) · 18.1 KB

README.md

File metadata and controls

82 lines (75 loc) · 18.1 KB

Ops-files

This is the README for Ops-files. To learn more about cf-deployment, go to the main README.

IaaS-required Ops-files

Name Purpose Notes Currently validated in Release Integration CI pipelines?
GCP
use-gcs-blobstore-service-account.yml Enables service account credentials for Google blobstore. Requires use-external-blobstore.yml. Introduces new variables for gcp service account email/json-key and bucket names. YES
use-gcs-blobstore-access-key.yml Enables access key credentials for Google blobstore. Requires use-external-blobstore.yml. Introduces new variables for access key/secret and bucket names. NO
AWS
aws.yml Overrides the loggregator endpoint port to 4443. It is required to have a separate port from the standard HTTPS port (443) for loggregator traffic in order to use "classic" AWS ELBs. Newer "Application Load Balancers" and "Network Load Balancers" (as setup by bbl >= v7.0.0) should not require this port override, so no need to use this ops-file if you're using the newer load balancer. YES
use-s3-blobstore.yml Configures external blobstore to use Amazon S3. Requires use-external-blobstore.yml. Introduces new variables for s3 credentials and bucket names. YES
Azure * Not validated or supported by the Release Integration team
azure.yml Sets gorouter's frontend_idle_timeout to value appropriate for Azure load balancers. Any value below 240 should work. NO
use-azure-storage-blobstore.yml Configures external blobstore to use Azure Storage. Requires use-external-blobstore.yml. Introduces new variables for Azure credentials and container names. NO
Openstack * Not validated or supported by the Release Integration team
openstack.yml Used for deploying Cloud Foundry on OpenStack with BOSH See OpenStack documentation. NO
use-swift-blobstore.yml Replaces local WebDAV blobstore with OpenStack swift blobstore. Used for deploying Cloud Foundry on OpenStack with BOSH Requires use-external-blobstore.yml. Introduces new variables for OpenStack credentials and directory names. If you plan using the Swift ops file to enable Swift as blobstore for the Cloud Controller, you should also run the Swift extension. NO
Alibaba Cloud * Not validated or supported by the Release Integration team
use-alicloud-oss-blobstore.yml Configures external blobstore to use Alibaba Cloud OSS blobstore. Requires use-external-blobstore.yml. Introduces new variables for oss credentials and bucket names. NO
use-alicloud-oss-blobstore-to-multi-bucket.yml Configures external blobstore to use Alibaba Cloud OSS blobstore. Each blobstore is in one alone OSS bucket. Requires use-external-blobstore.yml. Introduces new variables for oss credentials and bucket names. NO

Feature-based Ops-files

Name Purpose Notes Currently validated in Release Integration CI pipelines?
add-persistent-isolation-segment-diego-cell.yml Deployes an isolation segment Diego cell. See isolation segment documentation. YES
add-persistent-isolation-segment-router.yml Deployes an isolation segment router. See isolation segment documentation. YES
bosh-lite.yml Enables cf-deployment to be deployed on bosh-lite. See bosh-lite documentation. YES
configure-default-router-group.yml Allows deployer to configure reservable ports for default tcp router group by passing variable default_router_group_ reservable_ports. NO
disable-router-tls-termination.yml Eliminates keys related to performing TLS termination within the gorouter job. Useful for deployments where TLS termination is performed prior to the gorouter - for instance, on AWS, such termination is commonly done at the ELB. This also eliminates the need to specify ((router_ssl.certificate)) and ((router_ssl.private_key)) in the var files. NO
disable-http2.yml Prevent gorouter from accepting and forwarding HTTP/2 requests. NO
disable-dynamic-asgs.yml Disable dynamic updates for security groups. NO
disable-tls-tcp-routing-stage-1-unproxied-ports.yml Stage 1 deployment for disabling TLS for TCP Routes on. See configuring TCP routes for more info. **NO **
disable-tls-tcp-routing-stage-2-tcp-router-and-route-emitter.yml Stage 2 deployment for disabling TLS for TCP Routes on. See configuring TCP routes for more info. **NO **
disable-tls-tcp-routing-isolation-segment-stage-1-unproxied-ports.yml Stage 1 deployment for disabling TLS for TCP Routes on isolation segments. See configuring TCP routes for more info. **NO **
disable-tls-tcp-routing-isolation-segment-stage-2-route-emitter.yml Stage 2 deployment for disabling TLS for TCP Routes on isolation segments. See configuring TCP routes for more info. **NO **
enable-cc-rate-limiting.yml Enable rate limiting for UAA-authenticated endpoints. Introduces variables cc_rate_limiter_general_limit and cc_rate_limiter_unauthenticated_limit NO
enable-cc-v2-rate-limiting.yml Enable V2 API rate limiting for UAA-authenticated endpoints. Introduces variables cc_v2_rate_limiter_general_limit, cc_v2_rate_limiter_admin_limit and cc_v2_rate_limiter_reset_interval_in_minutes NO
enable-cpu-throttling.yml Configure Garden containers with CPU entitlement. This ops file requires set-cpu-weight.yml. YES
enable-nfs-ldap.yml Enables LDAP authentication for NFS volume services Requires enable-nfs-volume-service.yml. Introduces new variables NO
enable-nfs-volume-service.yml Enables volume support and deploys an NFS broker and volume driver As of cf-deployment v2, you must use the nfsbrokerpush errand to cf push the nfs broker after bosh deploy completes. YES
enable-privileged-container-support.yml Enables Diego privileged container support. NO
enable-service-discovery.yml Enables application service discovery YES
enable-smb-volume-service.yml Enables volume support and deploys an SMB broker and volume driver As of cf-deployment v2, you must use the smbbrokerpush errand to cf push the smb broker after bosh deploy completes. NO
enable-tls-on-file-server.yml Enables TLS on file-server for assets Enables downloading lifecycle assets over HTTPS NO
override-app-domains.yml Switches from using the system domain as a shared app domain; allows the configuration of one or more shared app domains instead. Adds new variables.
CAUTION: Seeding domains with a router group name (including TCP domains) may cause problems deploying. Please use the cf CLI to add shared domains with router group names.
NO
rename-network-and-deployment.yml Allows a deployer to rename the network and deployment by passing a variables network_name and deployment_name CAUTION: If you are using this ops file along with another ops file that increases the number of instance groups (e.g. perm-services.yml), this ops file will not rename the network for those instance groups. YES
scale-database-cluster.yml Scales cf-deployment database to 3 nodes across 3 zones (z1, z2, z3). Cannot be used with postgres as it will not scale. YES
scale-to-one-az.yml Scales cf-deployment down to a single instance per instance group, placing them all into a single AZ. Effectively halves the deployment's footprint. Should be applied before other ops files. NO
set-bbs-active-key.yml Allows a deployer to set the bbs active key label by passing a variable diego_bbs_active_key_label YES
set-cpu-weight.yml CPU shares for each garden container are proportional to its memory limits. YES
set-router-static-ips.yml Allows a deployer to set the static IPs for the router VMs by passing a variable router_static_ips router_static_ips variable must be provided as a compacted YAML array, e.g. -v router_static_ips=[10.0.16.4,10.0.47.5] NO
stop-skipping-tls-validation.yml Enforces TLS validation for all components which skip it in the base cf-deployment.yml manifest. See the base README for details. YES
use-absolute-cpu-entitlement-persistent-isolation-segment.yml Switches Diego to emit deprecated absolute CPU entitlement metrics within an Isolation Segment. NO
use-absolute-cpu-entitlement-windows2019.yml Switches Diego to emit deprecated absolute CPU entitlement metrics on Windows. NO
use-absolute-cpu-entitlement.yml Switches Diego to emit deprecated absolute CPU entitlement metrics. NO
use-blobstore-cdn.yml Adds support for accessing the droplets and resource_pool blobstore buckets via signed urls over a cdn. This assumes that you are using the same keypair for both buckets. Introduces new variables NO
use-compiled-releases.yml Instead of having your BOSH Director compile each release, use this ops-file to use pre-compiled releases for a deployment speed improvement. These releases are compiled against a specific stemcell version that is listed in the opsfile. Note that no Windows releases are currently compiled. YES
use-external-blobstore.yml Removes the singleton-blobstore instance group, and adds fog_connection properties for components that use the blobstore. Warning: this does not migrate data, and will delete any existing singleton-blobstore groups. This requires an external data store. Introduces new variables for blobstore connection details which will need to be provided at deploy time. YES
use-external-dbs.yml Removes the database instance group, pxc release, and all MySQL variables. Warning: this does not migrate data, and will delete existing database instance groups. This requires an external data store. Introduces new variables for DB connection details which will need to be provided at deploy time. This must be applied before any ops files that removes jobs that use a database, such as the ops file to remove the routing API. YES
use-haproxy.yml Deploys a single haproxy instance to be used as a load balancer. This opsfile doesn't depend on use of an IaaS VIP and doesn't use keepalived property of the haproxy-boshrelease. NO
use-haproxy-public-network.yml Puts haproxy instance on a public network with a static IP assigned to it. Requires use-haproxy.yml. This ops file also requires your BOSH cloud-config to have a vm_extension called cf-haproxy-network-properties, which configures firewall rules to allow public traffic on the necessary ports (You will need to allow at least the default HTTP and HTTPS ports (80 and 443), port 4443 for doppler, as well as the port range configured for the TCP Routing). NO
use-internal-lookup-for-route-services.yml Configure the gorouter to prefer internal lookup of route services. Warning: This enables a potential exploit detailed under CVE-2019-3789 NO
use-latest-stemcell.yml Use the latest stemcell available on your BOSH director instead of the one in cf-deployment.yml. Caution: This ops-file should not be used in conjunction with use-compiled-releases.yml, since the latter relies on a specific stemcell version being used. NO
use-latest-windows2019-stemcell.yml Use the latest windows2019 stemcell available on your BOSH director instead of the one in windows2019-cell.yml Requires windows2019-cell.yml NO
use-metric-store.yml Adds a single-node metric store. NO
use-operator-provided-router-tls-certificates.yml Allows an operator to provide their own certificates for the gorouter by providing variables router_ssl_pem This is required if using AWS Network Load Balancers. YES
use-postgres.yml Replaces the MySQL instance group with a postgres instance group. Warning: this will lead to total data loss if applied to an existing deployment with MySQL or removed from an existing deployment with postgres. YES
use-trusted-ca-cert-for-apps.yml Injects the CA specified with trusted_cert_for_apps into the Diego rep job's trust store and cf-deployment's default root filesystem Applications that explicitly look in the canonical location (/etc/cf-system-certificates) will trust certificates signed by the given CA, regardless of filesystem. Applications that use the default root filesystem will trust certificates signed by the given CA implicitly.
Please see the documentation for information about configuring additional trusted CA certificates.
NO
use-offline-windows2019fs.yml Use the offline version of windows2019fs-release Requires windows2019-cell.yml. Suitable for environments without internet access. Follow instructions here to upload the release prior to deploying. NO
use-online-windows2019fs.yml Use the windows2019fs job from the online version of windowsfs-release Requires windows2019-cell.yml. Requires environment to have internet access. YES
windows2019-cell.yml Deploys a windows2019 cell. Requires that a windows2019 stemcell is uploaded to the Bosh director, and be used together with use-online-windows2019fs.yml or a suitable opsfile. YES
use-cflinuxfs4-compat.yml Use the cflinuxfs4 compatibility release instead of the default cflinuxfs4 release. YES