Re: Cloud foundry deployment on vSphere : help on stub file parameters
ML D
Hi,
Thank you very much.
1. What do you mean by "To deploy 1 network, you'll need to put something strange in your stub"? What is the strange thing to add?
2. I am also going forward with building the stub file using this URL: http://docs.cloudfoundry.org/deploying/common/vsphere-vcloud-cf-stub.html
Adding all the certificates is painful. So I decided to write a script to automate the insertion of the certs/keys into the stub. I share it at the end of this mail. The script reads a data file with key=filepath lines and inserts the files with the right indentation. As I'm a newbie I don't dare to put it on GitHub... :-)
About the URL:
- In http://docs.cloudfoundry.org/deploying/common/consul-security.html, it is said to use scripts/generate-consul-certs. But these scripts are not present in cf-release. I found them here:
https://github.com/cloudfoundry-incubator/consul-release/archive/45e03acbbb993ac0cb93c1996406a31c5682ce39.zip
I don't know if I'm right to use them or if I missed something.
- For jwt, it is said to create the key using this command: openssl rsa -in jwt-key.pem -pubout > key.pub. But the private jwt-key.pem does not exist. So I did:
openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout key.pem -out cert.pem
openssl rsa -in key.pem -pubout > key.pub
Right?
- For hm9000: the doc says to set up these:
  ca_cert: HM9000_CA_CERT
  server_cert: HM9000_SERVER_CERT
  server_key: HM9000_SERVER_KEY
  agent_cert: HM9000_AGENT_CERT
  agent_key: HM9000_AGENT_KEY
But the sample stub file has something different:
hm9000:
  server_key: HM9000_SERVER_KEY
  server_cert: HM9000_SERVER_CERT
  client_key: HM9000_CLIENT_KEY
  client_cert: HM9000_CLIENT_CERT
  ca_cert: HM9000_CA_CERT
Do I need to set up all the CERT/KEY entries of the sample stub (including HM9000_CLIENT_*) as stated in the sample stub file, or set up only those documented and remove the HM9000_CLIENT_* entries?
- etcd: in the sample stub file, there is:
etcd:
  require_ssl: true
  ca_cert: ETCD_CA_CERT
  client_cert: ETCD_CLIENT_CERT
  client_key: ETCD_CLIENT_KEY
  peer_ca_cert: ETCD_PEER_CA_CERT
  peer_cert: ETCD_PEER_CERT
  peer_key: ETC_PEER_KEY
  server_cert: ETCD_SERVER_CERT
  server_key: ETCD_SERVER_KEY
But nothing is said about these CERT/KEY entries at the URL. cf-release has a script to generate them. But do I need to use it and put the certificates in the stub?
- Same for:
statsd_injector: (script to create certs exists)
  cert: LOGGREGATOR_STATSDINJECTOR_CERT
  key: LOGGREGATOR_STATSDINJECTOR_KEY
uaa:
  admin: (script to create certs exists)
    client_secret: ADMIN_SECRET
  ca_cert: UAA_CA_CERT
  scim
  sslCertificate: UAA_SERVER_CERT
  sslPrivateKey: UAA_SERVER_KEY
___________________________
SCRIPT:
#!/bin/bash
# Insert the certificates/keys listed in tag-files.txt (one TAG=path per line)
# into a copy of the manifest stub, each as a YAML block scalar ("|") indented
# two spaces deeper than the tag it replaces.

# Work on a timestamped copy so the original stub stays a clean template
DATE=$(date +%Y-%m-%d-%H%M%S)
stubfile=~/automation/CfManifestStub.yml
cp "$stubfile" "$stubfile.$DATE.yml"
stubfile=$stubfile.$DATE.yml
echo "$stubfile"

# Generate certificates (run once; kept commented so a re-run does not regenerate them)
cd ~/cf-release || exit 1
#./cf-release-master/scripts/generate-cf-diego-certs
#./consul-release/consul-release-45e03acbbb993ac0cb93c1996406a31c5682ce39/scripts/generate-certs
#./cf-release-master/scripts/generate-loggregator-certs cf-diego-certs/cf-diego-ca.crt cf-diego-certs/cf-diego-ca.key
#mkdir ~/cf-release/http;cd ~/cf-release/http
#openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout key.pem -out cert.pem
# leave everything as default. You get 2 files cert.pem and key.pem
#mkdir ~/cf-release/jwt;cd ~/cf-release/jwt
#openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout key.pem -out cert.pem
#openssl rsa -in key.pem -pubout > key.pub
#./cf-release-master/scripts/generate-hm9000-certs
#mkdir jobs;cd jobs
#openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout key.pem -out cert.pem
# enter for hostname *.cff.pocx86.tstwinx.net

cd ~/automation || exit 1
# Each line of tag-files.txt is TAG=path; the paths are relative to ~/automation
while IFS='=' read -r tag file; do
    case "$tag" in ''|'#'*) continue ;; esac
    if [ ! -r "$file" ]; then
        echo "ERROR: $tag -> $file is missing or unreadable" >&2
        exit 1
    fi
    echo "Adding data for $tag"
    # Number of leading spaces on the (first) line holding the tag, plus 2 for the YAML block
    blanks=$(grep -m1 "$tag" "$stubfile" | awk -F'[^ ]' '{print length($1)}')
    if [ -z "$blanks" ]; then
        echo "ERROR: tag $tag not found in $stubfile" >&2
        exit 1
    fi
    blanks=$((blanks+2))
    # Prefix every line of the cert/key file with that many spaces
    awk '{printf "%"'"$blanks"'"s%s\n", "", $0}' "$file" > /tmp/entry.tmp
    # Insert the indented file right after the line holding the tag ...
    sed -i "/$tag/r /tmp/entry.tmp" "$stubfile"
    # ... then turn the tag itself into the YAML block indicator "|"
    sed -i "s/$tag/|/" "$stubfile"
done < tag-files.txt
rm -f /tmp/entry.tmp

# Adding the 2 last keys
# First removing the comments (the last 6 lines of the stub are assumed to be comments)
head --lines=-6 "$stubfile" > /tmp/file.tmp
mv /tmp/file.tmp "$stubfile"
cat "$stubfile"
# Append the key and the cert, each indented by 8 spaces
awk '{printf "%8s%s\n", "", $0}' ../cf-release/jobs/key.pem > /tmp/entry1.tmp
awk '{printf "%8s%s\n", "", $0}' ../cf-release/jobs/cert.pem > /tmp/entry2.tmp
cat "$stubfile" /tmp/entry1.tmp /tmp/entry2.tmp > /tmp/file.tmp
rm /tmp/entry1.tmp /tmp/entry2.tmp
mv /tmp/file.tmp "$stubfile"
echo "$stubfile updated with certificates/keys"
[bosh@jumpboxcf automation]$ cat tag-files.txt
CC_MUTUAL_TLS_CA_CERT=../cf-release/cf-diego-certs/cf-diego-ca.crt
CC_MUTUAL_TLS_PUBLIC_CERT=../cf-release/cf-diego-certs/cloud-controller.crt
CC_MUTUAL_TLS_PRIVATE_KEY=../cf-release/cf-diego-certs/cloud-controller.key
CONSUL_CA_CERT=../cf-release/consul-certs/server-ca.crt
CONSUL_SERVER_CERT=../cf-release/consul-certs/server.crt
CONSUL_SERVER_KEY=../cf-release/consul-certs/server.key
CONSUL_AGENT_CERT=../cf-release/consul-certs/agent.crt
CONSUL_AGENT_KEY=../cf-release/consul-certs/agent.key
LOGGREGATOR_CA_CERT=../cf-release/loggregator-certs/loggregator-ca.crt
LOGGREGATOR_DOPPLER_CERT=../cf-release/loggregator-certs/doppler.crt
LOGGREGATOR_DOPPLER_KEY=../cf-release/loggregator-certs/doppler.key
LOGGREGATOR_TRAFFICCONTROLLER_CERT=../cf-release/loggregator-certs/trafficcontroller.crt
LOGGREGATOR_TRAFFICCONTROLLER_KEY=../cf-release/loggregator-certs/trafficcontroller.key
LOGGREGATOR_METRON_CERT=../cf-release/loggregator-certs/metron.crt
LOGGREGATOR_METRON_KEY=../cf-release/loggregator-certs/metron.key
LOGGREGATOR_SYSLOGDRAINBINDER_CERT=../cf-release/loggregator-certs/syslogdrainbinder.crt
LOGGREGATOR_SYSLOGDRAINBINDER_KEY=../cf-release/loggregator-certs/syslogdrainbinder.key
SERVICE_PROVIDER_PRIVATE_KEY=../cf-release/http/key.pem
JWT_VERIFICATION_KEY=../cf-release/jwt/key.pub
JWT_SIGNING_KEY=../cf-release/jwt/key.pem
HM9000_CA_CERT=../cf-release/hm9000-certs/hm9000_ca.crt
HM9000_SERVER_CERT=../cf-release/hm9000-certs/hm9000_server.crt
HM9000_SERVER_KEY=../cf-release/hm9000-certs/hm9000_server.key
HM9000_AGENT_CERT=../cf-release/hm9000-certs/hm9000_client.crt
HM9000_AGENT_KEY=../cf-release/hm9000-certs/hm9000_client.key
[bosh@jumpboxcf automation]$
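A structure-aware alternative to the sed/awk insertion in the script above, added here as an example and not part of the original mail: it replaces each `key: TAG` placeholder of the stub with a YAML block scalar at the right indentation, and refuses a file whose PEM header does not match what the tag name implies (a `*_CERT` tag must get a CERTIFICATE, a `*_KEY` tag a PRIVATE KEY, and JWT_VERIFICATION_KEY a PUBLIC KEY), so a swapped jwt key/pub pair in tag-files.txt is caught before `bosh deploy`. The stub fragment and the PEM bodies are constructed for the demonstration; the tag-to-type mapping is an assumption taken from the stub's naming convention.

```python
import re

# Placeholder line in the stub: "<indent>key: TAG" (e.g. "    server_key: HM9000_SERVER_KEY")
PLACEHOLDER = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z_]+): (?P<tag>[A-Z][A-Z0-9_]+)$", re.M)
# First PEM header in a file; the RSA/EC prefix is dropped so both key formats count as PRIVATE KEY
PEM_HEADER = re.compile(r"^-----BEGIN (?:RSA |EC )?([A-Z ]+?)-----$", re.M)

def expected_pem_type(tag):
    """PEM block a tag should carry, derived from the stub's *_CERT / *_KEY naming
    (assumption: the verification key is the public half, the signing key the private one)."""
    if tag == "JWT_VERIFICATION_KEY":
        return "PUBLIC KEY"
    if tag.endswith("_CERT"):
        return "CERTIFICATE"
    if tag.endswith("_KEY"):
        return "PRIVATE KEY"
    return None  # not a PEM placeholder (e.g. ADMIN_SECRET)

def pem_type(pem):
    m = PEM_HEADER.search(pem)
    return m.group(1) if m else None

def render_stub(stub, pems):
    """Replace every 'key: TAG' line whose TAG is in pems with 'key: |' followed by
    the PEM, indented two spaces deeper than the key. Raises ValueError if a PEM's
    type does not match its tag or if a tag from pems never appears in the stub."""
    seen = set()
    def repl(m):
        tag = m.group("tag")
        if tag not in pems:
            return m.group(0)  # leave placeholders we do not manage untouched
        want, got = expected_pem_type(tag), pem_type(pems[tag])
        if want and got != want:
            raise ValueError(f"{tag}: expected {want}, file holds {got}")
        seen.add(tag)
        indent = m.group("indent") + "  "
        body = "\n".join(indent + line for line in pems[tag].strip().splitlines())
        return f"{m.group('indent')}{m.group('key')}: |\n{body}"
    out = PLACEHOLDER.sub(repl, stub)
    missing = sorted(set(pems) - seen)
    if missing:
        raise ValueError("tags not found in stub: " + ", ".join(missing))
    return out

# Constructed sample input: a stub fragment and fake PEM bodies (not real key material)
STUB = "properties:\n  hm9000:\n    server_cert: HM9000_SERVER_CERT\n    server_key: HM9000_SERVER_KEY\n  uaa:\n    admin:\n      client_secret: ADMIN_SECRET\n"
CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n"
PUB = "-----BEGIN PUBLIC KEY-----\nMIIBconstructed\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    print(render_stub(STUB, {"HM9000_SERVER_CERT": CERT, "HM9000_SERVER_KEY": KEY}))
```

To use it on a real stub, read tag-files.txt into the `pems` dict (tag to file contents) and write the returned text to the timestamped copy.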