Customizing the Cloud Foundry Deployment Manifest Stub for OpenStack
Page last updated: December 24, 2015
This topic describes how to customize the Cloud Foundry deployment manifest stub for OpenStack.
After you complete this task, use the scripts/generate_deployment_manifest script in the cf-release repository to generate your Cloud Foundry deployment manifest.
Save a copy of the manifest stub as a YAML file in your deployment directory. Follow the editing instructions to customize the manifest stub with information about your environment.
Cloud Foundry Deployment Manifest Stub for OpenStack
---
director_uuid: DIRECTOR_UUID

meta:
  environment: ENVIRONMENT
  floating_static_ips:
  - 173.1.1.1

networks:
- name: floating
  type: vip
  cloud_properties:
    net_id: NET_ID
    security_groups: []

- name: cf1
  type: manual
  subnets:
  - range: 10.10.0.0/24
    gateway: 10.10.0.1
    reserved:
    - 10.10.0.2 - 10.10.0.100
    - 10.10.0.200 - 10.10.0.254
    dns:
    - 8.8.8.8
    static:
    - 10.10.0.125 - 10.10.0.175
    cloud_properties:
      net_id: NET_ID
      security_groups: ["cf"]

properties:
  domain: DOMAIN
  system_domain: SYSTEM_DOMAIN
  system_domain_organization: SYSTEM_DOMAIN_ORGANIZATION
  app_domains:
  - APP_DOMAIN

  ssl:
    skip_cert_verify: true

  cc:
    staging_upload_user: STAGING_UPLOAD_USER
    staging_upload_password: STAGING_UPLOAD_PASSWORD
    bulk_api_password: BULK_API_PASSWORD
    db_encryption_key: DB_ENCRYPTION_KEY
    uaa_skip_ssl_validation: true

  consul:
    encrypt_keys:
    - CONSUL_ENCRYPT_KEY
    ca_cert: CONSUL_CA_CERT
    server_cert: CONSUL_SERVER_CERT
    server_key: CONSUL_SERVER_KEY
    agent_cert: CONSUL_AGENT_CERT
    agent_key: CONSUL_AGENT_KEY

  dea_next:
    disk_mb: 2048
    memory_mb: 1024

  loggregator_endpoint:
    shared_secret: LOGGREGATOR_ENDPOINT_SHARED_SECRET

  login:
    protocol: http

  nats:
    user: NATS_USER
    password: NATS_PASSWORD

  router:
    status:
      user: ROUTER_USER
      password: ROUTER_PASSWORD

  uaa:
    admin:
      client_secret: ADMIN_SECRET
    cc:
      client_secret: CC_CLIENT_SECRET
    clients:
      cc_routing:
        secret: CC_ROUTING_SECRET
      cloud_controller_username_lookup:
        secret: CLOUD_CONTROLLER_USERNAME_LOOKUP_SECRET
      doppler:
        secret: DOPPLER_SECRET
      gorouter:
        secret: GOROUTER_SECRET
      login:
        secret: LOGIN_CLIENT_SECRET
      notifications:
        secret: NOTIFICATIONS_CLIENT_SECRET
    jwt:
      verification_key: JWT_VERIFICATION_KEY
      signing_key: JWT_SIGNING_KEY
    scim:
      users:
      - admin|ADMIN_PASSWORD|scim.write,scim.read,openid,cloud_controller.admin,doppler.firehose

  ccdb:
    roles:
    - name: ccadmin
      password: CCDB_PASSWORD
  uaadb:
    roles:
    - name: uaaadmin
      password: UAADB_PASSWORD
  databases:
    roles:
    - name: ccadmin
      password: CCDB_PASSWORD
    - name: uaaadmin
      password: UAADB_PASSWORD

jobs:
- name: ha_proxy_z1
  networks:
  - name: cf1
    default:
    - dns
    - gateway
  properties:
    ha_proxy:
      ssl_pem: |
        -----BEGIN RSA PRIVATE KEY-----
        RSA_PRIVATE_KEY
        -----END RSA PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        SSL_CERTIFICATE_SIGNED_BY_PRIVATE_KEY
        -----END CERTIFICATE-----
- name: api_z1
  templates:
  - name: cloud_controller_ng
    release: cf
  - name: cloud_controller_clock
    release: cf
  - name: cloud_controller_worker
    release: cf
  - name: metron_agent
    release: cf
  - name: statsd-injector
    release: cf
  - name: nfs_mounter
    release: cf
  - name: route_registrar
    release: cf
- name: api_worker_z1
  instances: 0
- name: clock_global
  instances: 0
Editing Instructions
Deployment Manifest Stub Contents | Editing Instructions |
---|---|
director_uuid: DIRECTOR_UUID | Replace DIRECTOR_UUID with the BOSH Director UUID. Use bosh status --uuid to view the BOSH Director UUID. |
meta.environment: ENVIRONMENT | Replace ENVIRONMENT with an arbitrary name describing your environment, e.g. openstack-prod. |
meta.floating_static_ips: 173.1.1.1 | Replace 173.1.1.1 with an existing static IP address on your OpenStack floating network. This address is assigned to the ha_proxy job to receive incoming traffic. |
networks (floating and cf1) | Update the values for range, reserved, static, and gateway to reflect the networks and IP addresses available in your OpenStack network. Replace NET_ID with the network ID of your OpenStack network. The stub also assumes that you have a security group named cf that is suitable for your Cloud Foundry VMs; change this too if your security group has a different name. |
properties.domain, system_domain, system_domain_organization, app_domains | Replace DOMAIN and SYSTEM_DOMAIN with the domain you have configured for accessing system components (e.g. the Cloud Controllers will be reachable at api.SYSTEM_DOMAIN). Pick any name you like for SYSTEM_DOMAIN_ORGANIZATION; this organization is created and configured to own the SYSTEM_DOMAIN. Replace APP_DOMAIN with the default root domain you want associated with applications pushed to your Cloud Foundry installation. |
properties.cc | Replace STAGING_UPLOAD_USER with the user name of the account used to upload files to the Cloud Controller. Replace STAGING_UPLOAD_PASSWORD with the password of that account. Replace BULK_API_PASSWORD with the password used to access the bulk API. Replace DB_ENCRYPTION_KEY with a secure key that you generate to encrypt sensitive values in the Cloud Controller database. |
properties.consul | See the instructions on security configuration for consul. |
properties.loggregator_endpoint | Replace LOGGREGATOR_ENDPOINT_SHARED_SECRET with any secure secret. |
properties.nats | Replace NATS_USER and NATS_PASSWORD with a secure username and password. Cloud Foundry components use these credentials to communicate with each other over the NATS message bus. |
properties.router.status | Replace ROUTER_USER and ROUTER_PASSWORD with a secure username and password. |
properties.uaa.admin, uaa.cc, uaa.clients | Replace all the *_SECRET placeholders with secure secrets. |
properties.uaa.jwt | Replace JWT_SIGNING_KEY with an RSA private key, and JWT_VERIFICATION_KEY with the corresponding RSA public key. |
properties.uaa.scim.users | Replace ADMIN_PASSWORD with a secure password. This is the password for the Admin user of your Cloud Foundry installation. |
properties.ccdb, uaadb, databases | Replace CCDB_PASSWORD and UAADB_PASSWORD with secure passwords. |
jobs ha_proxy_z1: properties.ha_proxy.ssl_pem | Replace RSA_PRIVATE_KEY and SSL_CERTIFICATE_SIGNED_BY_PRIVATE_KEY with the PEM-encoded private key and certificate associated with the system domain and app domains you have configured to terminate at the floating IP associated with the ha_proxy job. |
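Before running generate_deployment_manifest it is worth checking the edited copy mechanically: a placeholder such as NATS_PASSWORD or ADMIN_PASSWORD left in place becomes a guessable credential, and a static pool that overlaps the reserved pool fails the deploy later. The Ruby script below is an added example, not part of cf-release or this guide; it treats every ALL_CAPS token in the stub as a placeholder and validates the cf1 subnet's gateway, reserved and static entries against range. The short stub and edited copy it works on are constructed inline; point the same functions at the stub and the YAML file you saved in your deployment directory.

```ruby
require 'yaml'
require 'ipaddr'
# Every ALL_CAPS token in the stub is a placeholder (PEM armor lines are skipped so
# BEGIN/END do not count); any that survives in the edited manifest is still unfilled.
def placeholders_in(yaml_text)
  yaml_text.lines.reject { |l| l =~ /^\s*-----(BEGIN|END) / }
           .flat_map { |l| l.scan(/\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*\b/) }
           .select { |t| t.length >= 5 }.uniq
end

def unfilled_placeholders(stub_text, manifest_text)
  placeholders_in(stub_text).select { |t| manifest_text.include?(t) }
end

# "10.10.0.2 - 10.10.0.100" -> [first, last]; a bare address is a one-address range
def parse_range(str)
  lo, hi = str.split('-').map { |s| IPAddr.new(s.strip) }
  [lo, hi || lo]
end

# Gateway, reserved and static must lie inside range; static must not overlap reserved
def network_errors(manifest)
  errors = []
  manifest['networks'].each do |net|
    next unless net['type'] == 'manual'
    net['subnets'].each do |sub|
      cidr = IPAddr.new(sub['range'])
      errors << "#{net['name']}: gateway not in #{sub['range']}" unless cidr.include?(IPAddr.new(sub['gateway']))
      reserved, static = %w[reserved static].map { |k| (sub[k] || []).map { |r| parse_range(r) } }
      (reserved + static).each do |lo, hi|
        errors << "#{net['name']}: #{lo}-#{hi} not in #{sub['range']}" unless cidr.include?(lo) && cidr.include?(hi)
      end
      static.product(reserved).each do |(slo, shi), (rlo, rhi)|
        errors << "#{net['name']}: static #{slo}-#{shi} overlaps reserved" if slo <= rhi && rlo <= shi
      end
    end
  end
  errors
end

# Constructed sample: a trimmed copy of the stub, then an edit that fills director_uuid,
# forgets ENVIRONMENT and moves the static pool so that it overlaps the reserved pool.
STUB = <<~YAML
  director_uuid: DIRECTOR_UUID
  meta: { environment: ENVIRONMENT }
  networks:
  - name: cf1
    type: manual
    subnets:
    - { range: 10.10.0.0/24, gateway: 10.10.0.1,
        reserved: ["10.10.0.2 - 10.10.0.100"], static: ["10.10.0.125 - 10.10.0.175"] }
YAML
EDITED = STUB.sub('DIRECTOR_UUID', 'constructed-uuid').sub('10.10.0.125', '10.10.0.90')
```

Against the real stub, placeholders_in also picks up RSA_PRIVATE_KEY and the consul and UAA placeholders, so an empty result from unfilled_placeholders means every credential and certificate slot has been replaced.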