Name: cf-deployment-transition
Owner: Cloud Foundry
Description: null
Created: 2017-05-18 18:39:41.0
Updated: 2018-05-21 16:26:45.0
Pushed: 2018-03-28 21:48:59.0
Homepage: null
Size: 108
Language: Shell
GitHub Committers
| User | Most Recent Commit | # Commits |
|---|
Other Committers
| User | Most Recent Commit | # Commits |
|---|
cf-release to cf-deploymentThis repo contains tools for migrating from cf-release to cf-deployment.
Notice: cf-release is now end-of-life. The final version of cf-release is
v287.
The included tools are:
extract-vars-store-from-manifests.sh: Extracts credentials from your existing deployment manifests
to build a vars-store for cf-deployment.cfr-to-cfd.yml: An ops-file that enables the migration from cf-release to cf-deployment.remove-cf-networking-for-transition.yml: Opts out of cf-networking
so that deployers can migrate without also adding the new networking stack.remove-routing-components-for-transition.yml: Opts out of the Routing applied
so that deployers can migration without also adding the Routing API and TCP Router
or their dependencies.keep-etcd-for-transition.yml: Adds a single instance
of etcd
to cf-deployment
for the purpose of transition.
This opsfile pins loggregator to version 99.x and
also holds etcd at a static IP address.
Deployers must provide the IP address.enable-doppler-announce.yml: Configures doppler
to announce presence via etcd.
Requires keep-etcd-for-transition.yml.rename-etcd-network.yml: Allows renaming
of the etcd
instance's network
added by using keep-etcd-for-transition.yml.
Deployers must provide the name.keep-syslog-drain-binder-for-transition.yml: Retains the syslog_drain_binder job
on the doppler instance_group
and properties.
Requires keep-etcd-for-transition.yml.opt-out-of-cf-syslog-drain-release-for-transition.yml: Removes cf-syslog-drain components
from cf-deployment. Intended to be used in conjunction with keep-syslog-drain-binder-for-transition.yml
to continue using syslog drain
while minimizing the number of duplicate messages logged
during the transition deployments.migrate-postgres.yml: Migrates the
postgres_z1 instance_group
of cf-release
to the database instance_group
of cf-deployment.migrate-webdav.yml: Migrates the webdav
blobstore_z1 instance_group
of cf-release
to the singleton-blobstore instance_group
of cf-deployment.migrate-haproxy.yml: Migrates the ha_proxy_z1 instance_group
of cf-release
to the haproxy instance_group
of cf-deployment.extract-vars-store-from-manifests.sh: Credential extractione: extract-vars-store-from-manifests.sh [required arguments]
quired arguments:
-ca, --ca-keys Path to your created CA Keys file
-cf, --cf-manifest Path to your existing Cloud Foundry Manifest
-d, --diego-manifest Path to your existing Diego Manifest
tional arguments:
-N, --cf-networking Flag to extract cf-networking creds from the Diego Manifest
-r, --routing Flag to extract routing deployment creds from the Cloud Foundry Manifest
The output of extract-vars-store-from-manifests.sh
in a vars-store file you can use
with the --vars-store option
when deploying with cf-deployment
and the new bosh CLI.
extract-vars-store-from-manifests.sh uses spiff
under the hood to build the vars-store.
To install spiff,
download the latest binary here,
extract it from its tarball,
and put it on your path.
If you already have spiff installed,
please check that you have at least version 1.0.8.
You can use spiff --version to check
if an upgrade is necessary.
cf-deployment-based deployments use
the v2 bosh CLI or Credhub
to manage deployment credentials,
including CA private keys.
If cf-deployment adds new certificates,
they'll need to be signed by a CA,
and so credential management tools like Credhub
will need access to the CA private key.
Because CA private keys aren't included in the CF or Diego manifests,
we'll need your help to fill out those values in the vars-store or Credhub.
Users must provide a Private Key Stub using the -ca flag.
We've included an example stub below:
_user:
ego_ca:
private_key: |
multi
line
example
key
cd_ca:
private_key: |
cd_peer_ca:
private_key: |
nsul_agent_ca:
private_key: |
ggregator_ca:
private_key: |
a_ca:
private_key: |
cfr-to-cfd.yml: Transition ops-fileThis is an ops file
to be used when deploying using cf-deployment
for the first time
while targeting an existing cf-release-based deployment.
It should be applied after all other appropriate ops-files and in conjunction with the ops-file to scale down etcd for cluster changes.
To migrate to cf-deployment with the tools and process we've designed and tested so far, you'll need to fulfill a number of requirements:
v2.0.42
or higher of the bosh clicf-release
and
diego-release.postgres job.blobstore job.remove-routing-components-for-transition.yml
ops file from this repository. See the database section below for details.remove-cf-networking-for-transition.yml
ops file from this repository. See the database section below for details.The following sections discuss these prerequisites and their relationships to our tools in more depth.
cf-deployment enables TLS validation
in most places,
which may be a more strict configuration
than cf-release provided in its manifest generation scripts.
You'll need to configure jobs
to trust the certificate authorities
used to sign one another's certs.
Getting these relationships right is complicated,
and there is more than one possible working arrangement.
cf-deployment expects a particular arrangement,
documented below.
If you have a different certificate topology, you'll need to either migrate to ours, or manage the transition on your own.
Below is a list of Certificate Authorities with indented lists of certificates that must share an authority. More-shared/permissive topologies will also work as long as all members of the sub-lists share CAs.
The tools in this repo assume that production deployers are using an external database service, such as RDS, or a BOSH-deployed Postgres.
Deployers using an external database service
must use the use-external-dbs.yml ops file.
This ops file requires a number of variables
be provided in vars-files,
as documented in the cf-deployment readme.
Deployers using a BOSH-deployed Postgres
must use the use-postgres.yml ops file
to build the target cf-deployment manifest.
During the transition deploy
they must also use the cf-deployment-transition/migrate-postgres.yml ops-file
to ensure their data is transferred to the new instance.
If you haven't already deployed the Routing API,
and decide to add it as part of the transition to cf-deployment,
you'll need to set up a new external database for it.
The information for accessing the database,
like the address or password,
will need to be provided to use-external-dbs.yml.
Similarly, you may decide to deploy the CF Networking stack as part of your transition. In that case, you'll need another external database for the CF Networking jobs.
We're happy to accept feedback
in the form of issues and pull-requests.
If you make a change,
please run our tests
with transition/test-suite.sh,
and update the fixtures appropriately.