diff --git a/tasks/config-ert/load_cf_properties.sh b/tasks/config-ert/load_cf_properties.sh
old mode 100755
new mode 100644
index 115d048d6..a9545eab8
--- a/tasks/config-ert/load_cf_properties.sh
+++ b/tasks/config-ert/load_cf_properties.sh
@@ -1,142 +1,363 @@
-#!/bin/bash -e
-
-if [[ -n "$TCP_ROUTING" ]] && [[ "$TCP_ROUTING" == "enable" ]]; then
-CF_TCP_ROUTING_PROPERTIES=$(cat <<-EOF
- ".properties.tcp_routing": {
- "value": "$TCP_ROUTING"
- },
- ".properties.tcp_routing.enable.reservable_ports": {
- "value": "$TCP_ROUTING_PORTS"
- }
-EOF
-)
-else
-CF_TCP_ROUTING_PROPERTIES=$(cat <<-EOF
- ".properties.tcp_routing": {
- "value": "disable"
+#!/bin/bash
+
+echo '{}' |
+jq \
+ --arg tcp_routing "$TCP_ROUTING" \
+ --arg tcp_routing_ports "$TCP_ROUTING_PORTS" \
+ --arg loggregator_endpoint_port "$LOGGREGATOR_ENDPOINT_PORT" \
+ --arg route_services "$ROUTE_SERVICES" \
+ --arg ignore_ssl_cert "$IGNORE_SSL_CERT" \
+ --arg security_acknowledgement "$SECURITY_ACKNOWLEDGEMENT" \
+ --arg system_domain "$SYSTEM_DOMAIN" \
+ --arg apps_domain "$APPS_DOMAIN" \
+ --arg default_quota_memory_limit_in_mb "$DEFAULT_QUOTA_MEMORY_LIMIT_IN_MB" \
+ --arg default_quota_max_services_count "$DEFAULT_QUOTA_MAX_SERVICES_COUNT" \
+ --arg allow_app_ssh_access "$ALLOW_APP_SSH_ACCESS" \
+ --arg ha_proxy_ips "$HA_PROXY_IPS" \
+ --arg skip_cert_verify "$SKIP_CERT_VERIFY" \
+ --arg router_static_ips "$ROUTER_STATIC_IPS" \
+ --arg disable_insecure_cookies "$DISABLE_INSECURE_COOKIES" \
+ --arg router_request_timeout_seconds "$ROUTER_REQUEST_TIMEOUT_IN_SEC" \
+ --arg mysql_monitor_email "$MYSQL_MONITOR_EMAIL" \
+ --arg garden_network_pool "$GARDEN_NETWORK_POOL_CIDR" \
+ --arg garden_network_mtu "$GARDEN_NETWORK_MTU" \
+ --arg tcp_router_static_ips "$TCP_ROUTER_STATIC_IPS" \
+ --arg company_name "$COMPANY_NAME" \
+ --arg ssh_static_ips "$SSH_STATIC_IPS" \
+ --arg cert_pem "$SSL_CERT" \
+ --arg private_key_pem "$SSL_PRIVATE_KEY" \
+ --arg ssl_termination "$SSL_TERMINATION" \
+ --arg smtp_from "$SMTP_FROM" \
+ --arg smtp_address "$SMTP_ADDRESS" \
+ --arg smtp_port "$SMTP_PORT" \
+ --arg smtp_user "$SMTP_USER" \
+ --arg smtp_password "$SMTP_PWD" \
+ --arg smtp_auth_mechanism "$SMTP_AUTH_MECHANISM" \
+ --arg enable_security_event_logging
"$ENABLE_SECURITY_EVENT_LOGGING" \
+ --arg syslog_host "$SYSLOG_HOST" \
+ --arg syslog_drain_buffer_size "$SYSLOG_DRAIN_BUFFER_SIZE" \
+ --arg syslog_port "$SYSLOG_PORT" \
+ --arg syslog_protocol "$SYSLOG_PROTOCOL" \
+ --arg authentication_mode "$AUTHENTICATION_MODE" \
+ --arg ldap_url "$LDAP_URL" \
+ --arg ldap_user "$LDAP_USER" \
+ --arg ldap_password "$LDAP_PWD" \
+ --arg ldap_search_base "$SEARCH_BASE" \
+ --arg ldap_search_filter "$SEARCH_FILTER" \
+ --arg ldap_group_search_base "$GROUP_SEARCH_BASE" \
+ --arg ldap_group_search_filter "$GROUP_SEARCH_FILTER" \
+ --arg ldap_mail_attr_name "$MAIL_ATTR_NAME" \
+ --arg ldap_first_name_attr "$FIRST_NAME_ATTR" \
+ --arg ldap_last_name_attr "$LAST_NAME_ATTR" \
+ --arg saml_cert_pem "$saml_cert_pem" \
+ --arg saml_key_pem "$saml_key_pem" \
+ --arg mysql_backups "$MYSQL_BACKUPS" \
+ --arg mysql_backups_s3_endpoint_url "$MYSQL_BACKUPS_S3_ENDPOINT_URL" \
+ --arg mysql_backups_s3_bucket_name "$MYSQL_BACKUPS_S3_BUCKET_NAME" \
+ --arg mysql_backups_s3_bucket_path "$MYSQL_BACKUPS_S3_BUCKET_PATH" \
+ --arg mysql_backups_s3_access_key_id "$MYSQL_BACKUPS_S3_ACCESS_KEY_ID" \
+ --arg mysql_backups_s3_secret_access_key "$MYSQL_BACKUPS_S3_SECRET_ACCESS_KEY" \
+ --arg mysql_backups_s3_cron_schedule "$MYSQL_BACKUPS_S3_CRON_SCHEDULE" \
+ --arg mysql_backups_scp_server "$MYSQL_BACKUPS_SCP_SERVER" \
+ --arg mysql_backups_scp_port "$MYSQL_BACKUPS_SCP_PORT" \
+ --arg mysql_backups_scp_user "$MYSQL_BACKUPS_SCP_USER" \
+ --arg mysql_backups_scp_key "$MYSQL_BACKUPS_SCP_KEY" \
+ --arg mysql_backups_scp_destination "$MYSQL_BACKUPS_SCP_DESTINATION" \
+ --arg mysql_backups_scp_cron_schedule "$MYSQL_BACKUPS_SCP_CRON_SCHEDULE" \
+ '
+ .
+ + { + ".properties.system_blobstore": { + "value": "internal" + }, + ".properties.logger_endpoint_port": { + "value": $loggregator_endpoint_port + }, + ".properties.route_services": { + "value": $route_services + }, + ".properties.route_services.enable.ignore_ssl_cert_verification": { + "value": $ignore_ssl_cert + }, + ".properties.security_acknowledgement": { + "value": $security_acknowledgement + }, + ".cloud_controller.system_domain": { + "value": $system_domain + }, + ".cloud_controller.apps_domain": { + "value": $apps_domain + }, + ".cloud_controller.default_quota_memory_limit_mb": { + "value": $default_quota_memory_limit_in_mb + }, + ".cloud_controller.default_quota_max_number_services": { + "value": $default_quota_max_services_count + }, + ".cloud_controller.allow_app_ssh_access": { + "value": $allow_app_ssh_access + }, + ".ha_proxy.static_ips": { + "value": $ha_proxy_ips + }, + ".ha_proxy.skip_cert_verify": { + "value": $skip_cert_verify + }, + ".router.static_ips": { + "value": $router_static_ips + }, + ".router.disable_insecure_cookies": { + "value": $disable_insecure_cookies + }, + ".router.request_timeout_in_seconds": { + "value": $router_request_timeout_seconds + }, + ".mysql_monitor.recipient_email": { + "value": $mysql_monitor_email + }, + ".diego_cell.garden_network_pool": { + "value": $garden_network_pool + }, + ".diego_cell.garden_network_mtu": { + "value": $garden_network_mtu + }, + ".tcp_router.static_ips": { + "value": $tcp_router_static_ips + }, + ".push-apps-manager.company_name": { + "value": $company_name + }, + ".diego_brain.static_ips": { + "value": $ssh_static_ips + } } -EOF -) -fi - -CF_PROPERTIES=$(cat <<-EOF -{ - ".properties.logger_endpoint_port": { - "value": "$LOGGREGATOR_ENDPOINT_PORT" - }, - $CF_TCP_ROUTING_PROPERTIES - , - ".properties.route_services": { - "value": "$ROUTE_SERVICES" - }, - ".properties.route_services.enable.ignore_ssl_cert_verification": { - "value": $IGNORE_SSL_CERT - }, - 
".properties.security_acknowledgement": { - "value": "$SECURITY_ACKNOWLEDGEMENT" - }, - ".properties.system_blobstore": { - "value": "internal" - }, - ".properties.mysql_backups": { - "value": "$MYSQL_BACKUPS" - }, - ".cloud_controller.system_domain": { - "value": "$SYSTEM_DOMAIN" - }, - ".cloud_controller.apps_domain": { - "value": "$APPS_DOMAIN" - }, - ".cloud_controller.default_quota_memory_limit_mb": { - "value": $DEFAULT_QUOTA_MEMORY_LIMIT_IN_MB - }, - ".cloud_controller.default_quota_max_number_services": { - "value": $DEFAULT_QUOTA_MAX_SERVICES_COUNT - }, - ".cloud_controller.allow_app_ssh_access": { - "value": $ALLOW_APP_SSH_ACCESS - }, - ".ha_proxy.static_ips": { - "value": "$HA_PROXY_IPS" - }, - ".ha_proxy.skip_cert_verify": { - "value": $SKIP_CERT_VERIFY - }, - ".router.static_ips": { - "value": "$ROUTER_STATIC_IPS" - }, - ".router.disable_insecure_cookies": { - "value": $DISABLE_INSECURE_COOKIES - }, - ".router.request_timeout_in_seconds": { - "value": $ROUTER_REQUEST_TIMEOUT_IN_SEC - }, - ".mysql_monitor.recipient_email": { - "value": "$MYSQL_MONITOR_EMAIL" - }, - ".diego_cell.garden_network_pool": { - "value": "$GARDEN_NETWORK_POOL_CIDR" - }, - ".diego_cell.garden_network_mtu": { - "value": $GARDEN_NETWORK_MTU - }, - ".tcp_router.static_ips": { - "value": "$TCP_ROUTER_STATIC_IPS" - }, - ".push-apps-manager.company_name": { - "value": "$COMPANY_NAME" - }, - ".diego_brain.static_ips": { - "value": "$SSH_STATIC_IPS" + + + + + # TCP Routing + if $tcp_routing == "enable" then + { + ".properties.tcp_routing": { + "value": "enable" + }, + ".properties.tcp_routing.enable.reservable_ports": { + "value": $tcp_routing_ports + } + } + else + { + ".properties.tcp_routing": { + "value": "disable" + } + } + end + + + + + # SSL Termination + if $ssl_termination == "haproxy" then + { + ".properties.networking_point_of_entry": { + "value": "haproxy" + }, + ".properties.networking_point_of_entry.haproxy.ssl_rsa_certificate": { + "value": { + "cert_pem": $cert_pem, + 
"private_key_pem": $private_key_pem + } + } + } + elif $ssl_termination == "external_ssl" then + { + ".properties.networking_point_of_entry": { + "value": "external_ssl" + }, + ".properties.networking_point_of_entry.external_ssl.ssl_rsa_certificate": { + "value": { + "cert_pem": $cert_pem, + "private_key_pem": $private_key_pem + } + } + } + else + { + ".properties.networking_point_of_entry": { + "value": "external_non_ssl" + } + } + end + + + + + # SMTP Configuration + if $smtp_address != "" then + { + ".properties.smtp_from": { + "value": $smtp_from + }, + ".properties.smtp_address": { + "value": $smtp_address + }, + ".properties.smtp_port": { + "value": $smtp_port + }, + ".properties.smtp_credentials": { + "value": { + "identity": $smtp_user, + "password": $smtp_password + } + }, + ".properties.smtp_enable_starttls_auto": { + "value": true + }, + ".properties.smtp_auth_mechanism": { + "value": $smtp_auth_mechanism + } + } + else + . + end + + + + + # Syslog + if $syslog_host != "" then + { + ".doppler.message_drain_buffer_size": { + "value": $syslog_drain_buffer_size + }, + ".cloud_controller.security_event_logging_enabled": { + "value": $enable_security_event_logging + }, + ".properties.syslog_host": { + "value": $syslog_host + }, + ".properties.syslog_port": { + "value": $syslog_port + }, + ".properties.syslog_protocol": { + "value": $syslog_protocol + } + } + else + . 
+ end + + + + + # Authentication + if $authentication_mode == "internal" then + { + ".properties.uaa": { + "value": "internal" + } + } + elif $authentication_mode == "ldap" then + { + ".properties.uaa": { + "value": "ldap" + }, + ".properties.uaa.ldap.url": { + "value": $ldap_url + }, + ".properties.uaa.ldap.credentials": { + "value": { + "identity": $ldap_user, + "password": $ldap_password + } + }, + ".properties.uaa.ldap.search_base": { + "value": $ldap_search_base + }, + ".properties.uaa.ldap.search_filter": { + "value": $ldap_search_filter + }, + ".properties.uaa.ldap.group_search_base": { + "value": $ldap_group_search_base + }, + ".properties.uaa.ldap.group_search_filter": { + "value": $ldap_group_search_filter + }, + ".properties.uaa.ldap.mail_attribute_name": { + "value": $ldap_mail_attr_name + }, + ".properties.uaa.ldap.first_name_attribute": { + "value": $ldap_first_name_attr + }, + ".properties.uaa.ldap.last_name_attribute": { + "value": $ldap_last_name_attr + } + } + else + . 
+ end + + + + + # UAA SAML Credentials + { + ".uaa.service_provider_key_credentials": { + value: { + "cert_pem": $saml_cert_pem, + "private_key_pem": $saml_key_pem + } + } } -} -EOF -) - -if [[ ${MYSQL_BACKUPS} == "scp" ]]; then - echo "adding scp mysql backup properties" - cat > mysql_filter <<-'EOF' - .".properties.mysql_backups" = {"value": $mysql_backups} | - .".properties.mysql_backups.scp.server" = {"value": $mysql_backups_scp_server} | - .".properties.mysql_backups.scp.port" = {"value": $mysql_backups_scp_port} | - .".properties.mysql_backups.scp.user" = {"value": $mysql_backups_scp_user} | - .".properties.mysql_backups.scp.key" = {"value": $mysql_backups_scp_key} | - .".properties.mysql_backups.scp.destination" = {"value": $mysql_backups_scp_destination} | - .".properties.mysql_backups.scp.cron_schedule" = {"value": $mysql_backups_scp_cron_schedule} -EOF - - echo "${CF_PROPERTIES}" | jq \ - --arg mysql_backups "$MYSQL_BACKUPS" \ - --arg mysql_backups_scp_server "$MYSQL_BACKUPS_SCP_SERVER" \ - --arg mysql_backups_scp_port "$MYSQL_BACKUPS_SCP_PORT" \ - --arg mysql_backups_scp_user "$MYSQL_BACKUPS_SCP_USER" \ - --arg mysql_backups_scp_key "$MYSQL_BACKUPS_SCP_KEY" \ - --arg mysql_backups_scp_destination "$MYSQL_BACKUPS_SCP_DESTINATION" \ - --arg mysql_backups_scp_cron_schedule "$MYSQL_BACKUPS_SCP_CRON_SCHEDULE" \ - --from-file mysql_filter > config.json - CF_PROPERTIES=$(cat config.json) -fi - -if [[ ${MYSQL_BACKUPS} == "s3" ]]; then - echo "adding s3 mysql backup properties" - cat > mysql_filter <<-'EOF' - .".properties.mysql_backups" = {"value": $mysql_backups} | - .".properties.mysql_backups.s3.endpoint_url" = {"value": $mysql_backups_s3_endpoint_url} | - .".properties.mysql_backups.s3.bucket_name" = {"value": $mysql_backups_s3_bucket_name} | - .".properties.mysql_backups.s3.bucket_path" = {"value": $mysql_backups_s3_bucket_path} | - .".properties.mysql_backups.s3.access_key_id" = {"value": $mysql_backups_s3_access_key_id} | - 
.".properties.mysql_backups.s3.secret_access_key" = {"value": $mysql_backups_s3_secret_access_key} | - .".properties.mysql_backups.s3.cron_schedule" = {"value": $mysql_backups_s3_cron_schedule} -EOF - - echo "${CF_PROPERTIES}" | jq \ - --arg mysql_backups "$MYSQL_BACKUPS" \ - --arg mysql_backups_s3_endpoint_url "$MYSQL_BACKUPS_S3_ENDPOINT_URL" \ - --arg mysql_backups_s3_bucket_name "$MYSQL_BACKUPS_S3_BUCKET_NAME" \ - --arg mysql_backups_s3_bucket_path "$MYSQL_BACKUPS_S3_BUCKET_PATH" \ - --arg mysql_backups_s3_access_key_id "$MYSQL_BACKUPS_S3_ACCESS_KEY_ID" \ - --arg mysql_backups_s3_secret_access_key "$MYSQL_BACKUPS_S3_SECRET_ACCESS_KEY" \ - --arg mysql_backups_s3_cron_schedule "$MYSQL_BACKUPS_S3_CRON_SCHEDULE" \ - --from-file mysql_filter > config.json - CF_PROPERTIES=$(cat config.json) -fi + + + + + # MySQL Backups + if $mysql_backups == "s3" then + { + ".properties.mysql_backups": { + "value": "s3" + }, + ".properties.mysql_backups.s3.endpoint_url": { + "value": $mysql_backups_s3_endpoint_url + }, + ".properties.mysql_backups.s3.bucket_name": { + "value": $mysql_backups_s3_bucket_name + }, + ".properties.mysql_backups.s3.bucket_path": { + "value": $mysql_backups_s3_bucket_path + }, + ".properties.mysql_backups.s3.access_key_id": { + "value": $mysql_backups_s3_access_key_id + }, + ".properties.mysql_backups.s3.secret_access_key": { + "value": $mysql_backups_s3_secret_access_key + }, + ".properties.mysql_backups.s3.cron_schedule": { + "value": $mysql_backups_s3_cron_schedule + } + } + elif $mysql_backups == "scp" then + { + ".properties.mysql_backups": { + "value": "scp" + }, + ".properties.mysql_backups.scp.server": { + "value": $mysql_backups_scp_server + }, + ".properties.mysql_backups.scp.port": { + "value": $mysql_backups_scp_port + }, + ".properties.mysql_backups.scp.user": { + "value": $mysql_backups_scp_user + }, + ".properties.mysql_backups.scp.key": { + "value": $mysql_backups_scp_key + }, + ".properties.mysql_backups.scp.destination": { + "value": 
$mysql_backups_scp_destination
+ },
+ ".properties.mysql_backups.scp.cron_schedule" : {
+ "value": $mysql_backups_scp_cron_schedule
+ }
+ }
+ else
+ .
+ end
+ ' > cf_properties
+
+cf_properties=$(cat cf_properties)
diff --git a/tasks/config-ert/task.sh b/tasks/config-ert/task.sh
index 08e69fa51..4128b4089 100755
--- a/tasks/config-ert/task.sh
+++ b/tasks/config-ert/task.sh
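Review bot: `--arg` turns every value into a JSON string, so the security toggles the removed heredoc emitted as bare JSON (`ignore_ssl_cert`, `skip_cert_verify`, `disable_insecure_cookies`, `allow_app_ssh_access`, `enable_security_event_logging`) and the numeric fields (`default_quota_memory_limit_in_mb`, `default_quota_max_services_count`, `router_request_timeout_seconds`, `garden_network_mtu`, `syslog_drain_buffer_size`) now reach Ops Manager as `"false"` and `"30"` rather than `false` and `30`. Whether the API rejects or coerces a string in those fields I cannot tell from this hunk, but a TLS-verification or secure-cookie flag silently taking the wrong value is the case to rule out, so pass those ten through `--argjson` (with a `${VAR:-null}` default for the two syslog-only values so an unset variable does not abort jq); an unset required toggle then fails the task under task.sh's `-e` instead of yielding `"value": ""`. Separately, the rendered document carries the TLS private key, LDAP and SMTP passwords and the S3/SCP secrets, and the `' > cf_properties` / `cf_properties=$(cat cf_properties)` pair leaves that file on disk under the default umask; `cf_properties=$(echo '{}' | jq ... )` yields the same variable without the file. The same secrets also sit on jq's argv for the length of the run, where other local users can usually read them from the process list (jq's `--rawfile` reads a value from a file instead), though the removed mysql filters had the identical exposure.
```shell
echo '{}' |
jq \
  --argjson ignore_ssl_cert "$IGNORE_SSL_CERT" \
  --argjson skip_cert_verify "$SKIP_CERT_VERIFY" \
  --argjson disable_insecure_cookies "$DISABLE_INSECURE_COOKIES" \
  --argjson allow_app_ssh_access "$ALLOW_APP_SSH_ACCESS" \
  --argjson default_quota_memory_limit_in_mb "$DEFAULT_QUOTA_MEMORY_LIMIT_IN_MB" \
  --argjson default_quota_max_services_count "$DEFAULT_QUOTA_MAX_SERVICES_COUNT" \
  --argjson router_request_timeout_seconds "$ROUTER_REQUEST_TIMEOUT_IN_SEC" \
  --argjson garden_network_mtu "$GARDEN_NETWORK_MTU" \
  --argjson enable_security_event_logging "${ENABLE_SECURITY_EVENT_LOGGING:-null}" \
  --argjson syslog_drain_buffer_size "${SYSLOG_DRAIN_BUFFER_SIZE:-null}" \
  --arg tcp_routing "$TCP_ROUTING" \
# … unchanged: remaining string-valued --arg flags and the jq filter …
```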
@@ -1,338 +1,116 @@ #!/bin/bash -e -SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -ERT_AZS=$(echo $DEPLOYMENT_NW_AZS | jq --raw-input 'split(",") | map({name: .})') - -CF_NETWORK=$(cat <<-EOF -{ - "singleton_availability_zone": { - "name": "$ERT_SINGLETON_JOB_AZ" - }, - "other_availability_zones": $ERT_AZS, - "network": { - "name": "$NETWORK_NAME" - } -} -EOF -) - -if [[ -z "$SSL_CERT" ]]; then -DOMAINS=$(cat <<-EOF - {"domains": ["*.$SYSTEM_DOMAIN", "*.$APPS_DOMAIN", "*.login.$SYSTEM_DOMAIN", "*.uaa.$SYSTEM_DOMAIN"] } -EOF -) - - CERTIFICATES=`om-linux -t https://$OPS_MGR_HOST -u $OPS_MGR_USR -p $OPS_MGR_PWD -k curl -p "$OPS_MGR_GENERATE_SSL_ENDPOINT" -x POST -d "$DOMAINS"` - - export SSL_CERT=`echo $CERTIFICATES | jq '.certificate'` - export SSL_PRIVATE_KEY=`echo $CERTIFICATES | jq '.key'` - - echo "Using self signed certificates generated using Ops Manager..." - -fi - -source $SCRIPT_DIR/load_cf_properties.sh - -CF_RESOURCES=$(cat <<-EOF -{ - "consul_server": { - "instance_type": {"id": "automatic"}, - "instances" : $CONSUL_SERVER_INSTANCES - }, - "nats": { - "instance_type": {"id": "automatic"}, - "instances" : $NATS_INSTANCES - }, - "etcd_tls_server": { - "instance_type": {"id": "automatic"}, - "instances" : $ETCD_TLS_SERVER_INSTANCES - }, - "nfs_server": { - "instance_type": {"id": "automatic"}, - "instances" : $NFS_SERVER_INSTANCES - }, - "mysql_proxy": { - "instance_type": {"id": "automatic"}, - "instances" : $MYSQL_PROXY_INSTANCES - }, - "mysql": { - "instance_type": {"id": "automatic"}, - "instances" : $MYSQL_INSTANCES - }, - "backup-prepare": { - "instance_type": {"id": "automatic"}, - "instances" : $BACKUP_PREPARE_INSTANCES - }, - "ccdb": { - "instance_type": {"id": "automatic"}, - "instances" : $CCDB_INSTANCES - }, - "uaadb": { - "instance_type": {"id": "automatic"}, - "instances" : $UAADB_INSTANCES - }, - "uaa": { - "instance_type": {"id": "automatic"}, - "instances" : $UAA_INSTANCES - }, - "cloud_controller": { - "instance_type": 
{"id": "automatic"}, - "instances" : $CLOUD_CONTROLLER_INSTANCES - }, - "ha_proxy": { - "instance_type": {"id": "automatic"}, - "instances" : $HA_PROXY_INSTANCES - }, - "router": { - "instance_type": {"id": "automatic"}, - "instances" : $ROUTER_INSTANCES - }, - "mysql_monitor": { - "instance_type": {"id": "automatic"}, - "instances" : $MYSQL_MONITOR_INSTANCES - }, - "clock_global": { - "instance_type": {"id": "automatic"}, - "instances" : $CLOCK_GLOBAL_INSTANCES - }, - "cloud_controller_worker": { - "instance_type": {"id": "automatic"}, - "instances" : $CLOUD_CONTROLLER_WORKER_INSTANCES - }, - "diego_database": { - "instance_type": {"id": "automatic"}, - "instances" : $DIEGO_DATABASE_INSTANCES - }, - "diego_brain": { - "instance_type": {"id": "automatic"}, - "instances" : $DIEGO_BRAIN_INSTANCES - }, - "diego_cell": { - "instance_type": {"id": "automatic"}, - "instances" : $DIEGO_CELL_INSTANCES - }, - "doppler": { - "instance_type": {"id": "automatic"}, - "instances" : $DOPPLER_INSTANCES - }, - "loggregator_trafficcontroller": { - "instance_type": {"id": "automatic"}, - "instances" : $LOGGREGATOR_TC_INSTANCES - }, - "tcp_router": { - "instance_type": {"id": "automatic"}, - "instances" : $TCP_ROUTER_INSTANCES - } -} -EOF -) - -om-linux -t https://$OPS_MGR_HOST -u $OPS_MGR_USR -p $OPS_MGR_PWD -k configure-product -n cf -p "$CF_PROPERTIES" -pn "$CF_NETWORK" -pr "$CF_RESOURCES" - -if [[ "$AUTHENTICATION_MODE" == "internal" ]]; then -echo "Configuring Internal Authentication in ERT..." -CF_AUTH_PROPERTIES=$(cat <<-EOF -{ - ".properties.uaa": { - "value": "$AUTHENTICATION_MODE" - }, - ".uaa.service_provider_key_credentials": { - "value": { - "cert_pem": "", - "private_key_pem": "" - } - } -} -EOF -) - -elif [[ "$AUTHENTICATION_MODE" == "ldap" ]]; then -echo "Configuring LDAP Authentication in ERT..." 
-CF_AUTH_PROPERTIES=$(cat <<-EOF -{ - ".properties.uaa": { - "value": "ldap" - }, - ".properties.uaa.ldap.url": { - "value": "$LDAP_URL" - }, - ".properties.uaa.ldap.credentials": { - "value": { - "identity": "$LDAP_USER", - "password": "$LDAP_PWD" - } - }, - ".properties.uaa.ldap.search_base": { - "value": "$SEARCH_BASE" - }, - ".properties.uaa.ldap.search_filter": { - "value": "$SEARCH_FILTER" - }, - ".properties.uaa.ldap.group_search_base": { - "value": "$GROUP_SEARCH_BASE" - }, - ".properties.uaa.ldap.group_search_filter": { - "value": "$GROUP_SEARCH_FILTER" - }, - ".properties.uaa.ldap.mail_attribute_name": { - "value": "$MAIL_ATTR_NAME" - }, - ".properties.uaa.ldap.first_name_attribute": { - "value": "$FIRST_NAME_ATTR" - }, - ".properties.uaa.ldap.last_name_attribute": { - "value": "$LAST_NAME_ATTR" - }, - ".uaa.service_provider_key_credentials": { - "value": { - "cert_pem": "", - "private_key_pem": "" - } - } -} -EOF -) - -fi - -saml_cert_domains=$(cat <<-EOF - {"domains": ["*.$SYSTEM_DOMAIN", "*.login.$SYSTEM_DOMAIN", "*.uaa.$SYSTEM_DOMAIN"] } -EOF -) - -saml_cert_response=`om-linux -t https://$OPS_MGR_HOST -u $OPS_MGR_USR -p $OPS_MGR_PWD -k curl -p "$OPS_MGR_GENERATE_SSL_ENDPOINT" -x POST -d "$saml_cert_domains"` - -saml_cert_pem=$(echo $saml_cert_response | jq --raw-output '.certificate') -saml_key_pem=$(echo $saml_cert_response | jq --raw-output '.key') - -cat > saml_auth_filters <<'EOF' -.".uaa.service_provider_key_credentials".value = { - "cert_pem": $saml_cert_pem, - "private_key_pem": $saml_key_pem +function generate_cert { + local domains="$1" + + local data=$(echo $domains | jq --raw-input -c '{"domains": (. 
| split(" "))}') + + local response=$( + om-linux \ + --target "https://${OPS_MGR_HOST}" \ + --username "$OPS_MGR_USR" \ + --password "$OPS_MGR_PWD" \ + --skip-ssl-validation \ + curl \ + --silent \ + --path "$OPS_MGR_GENERATE_SSL_ENDPOINT" \ + -x POST \ + -d $data + ) + + echo "$response" } -EOF - -CF_AUTH_WITH_SAML_CERTS=$(echo $CF_AUTH_PROPERTIES | jq \ - --arg saml_cert_pem "$saml_cert_pem" \ - --arg saml_key_pem "$saml_key_pem" \ - --from-file saml_auth_filters \ - --raw-output) -om-linux -t https://$OPS_MGR_HOST -u $OPS_MGR_USR -p $OPS_MGR_PWD -k configure-product -n cf -p "$CF_AUTH_WITH_SAML_CERTS" - -if [[ ! -z "$SYSLOG_HOST" ]]; then - -echo "Configuring Syslog in ERT..." - -CF_SYSLOG_PROPERTIES=$(cat <<-EOF -{ - ".doppler.message_drain_buffer_size": { - "value": $SYSLOG_DRAIN_BUFFER_SIZE - }, - ".cloud_controller.security_event_logging_enabled": { - "value": $ENABLE_SECURITY_EVENT_LOGGING - }, - ".properties.syslog_host": { - "value": "$SYSLOG_HOST" - }, - ".properties.syslog_port": { - "value": "$SYSLOG_PORT" - }, - ".properties.syslog_protocol": { - "value": "$SYSLOG_PROTOCOL" - } -} -EOF -) - -om-linux -t https://$OPS_MGR_HOST -u $OPS_MGR_USR -p $OPS_MGR_PWD -k configure-product -n cf -p "$CF_SYSLOG_PROPERTIES" - +if [[ -z "$SSL_CERT" ]]; then + domains=( + "*.${SYSTEM_DOMAIN}" + "*.${APPS_DOMAIN}" + "*.login.${SYSTEM_DOMAIN}" + "*.uaa.${SYSTEM_DOMAIN}" + ) + + certificates=$(generate_cert "${domains[*]}") + SSL_CERT=`echo $certificates | jq --raw-output '.certificate'` + SSL_PRIVATE_KEY=`echo $certificates | jq --raw-output '.key'` fi -if [[ ! -z "$SMTP_ADDRESS" ]]; then - -echo "Configuraing SMTP in ERT..." 
- -CF_SMTP_PROPERTIES=$(cat <<-EOF -{ - ".properties.smtp_from": { - "value": "$SMTP_FROM" - }, - ".properties.smtp_address": { - "value": "$SMTP_ADDRESS" - }, - ".properties.smtp_port": { - "value": "$SMTP_PORT" - }, - ".properties.smtp_credentials": { - "value": { - "identity": "$SMTP_USER", - "password": "$SMTP_PWD" - } - }, - ".properties.smtp_enable_starttls_auto": { - "value": true - }, - ".properties.smtp_auth_mechanism": { - "value": "$SMTP_AUTH_MECHANISM" - } -} -EOF +saml_cert_domains=( + "*.${SYSTEM_DOMAIN}" + "*.login.${SYSTEM_DOMAIN}" + "*.uaa.${SYSTEM_DOMAIN}" ) -om-linux -t https://$OPS_MGR_HOST -u $OPS_MGR_USR -p $OPS_MGR_PWD -k configure-product -n cf -p "$CF_SMTP_PROPERTIES" - -fi - -if [[ "$SSL_TERMINATION" == "haproxy" ]]; then - -echo "Terminating SSL on HAProxy" -CF_SSL_TERM_PROPERTIES=$(cat <<-EOF -{ - ".properties.networking_point_of_entry": { - "value": "haproxy" - }, - ".properties.networking_point_of_entry.haproxy.ssl_rsa_certificate": { - "value": { - "cert_pem": $SSL_CERT, - "private_key_pem": $SSL_PRIVATE_KEY +saml_certificates=$(generate_cert "${saml_cert_domains[*]}") +saml_cert_pem=$(echo $saml_certificates | jq --raw-output '.certificate') +saml_key_pem=$(echo $saml_certificates | jq --raw-output '.key') + +script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +source $script_dir/load_cf_properties.sh + +cf_network=$( + echo '{}' | + jq \ + --arg network_name "$NETWORK_NAME" \ + --arg other_azs "$DEPLOYMENT_NW_AZS" \ + --arg singleton_az "$ERT_SINGLETON_JOB_AZ" \ + ' + . 
+ + { + "network": { + "name": $network_name + }, + "other_availability_zones": ($other_azs | split(",") | map({name: .})), + "singleton_availability_zone": { + "name": $singleton_az + } } - } -} -EOF + ' ) -elif [[ "$SSL_TERMINATION" == "external_ssl" ]]; then -echo "Terminating SSL on GoRouters" - -CF_SSL_TERM_PROPERTIES=$(cat <<-EOF -{ - ".properties.networking_point_of_entry": { - "value": "external_ssl" - }, - ".properties.networking_point_of_entry.external_ssl.ssl_rsa_certificate": { - "value": { - "cert_pem": $SSL_CERT, - "private_key_pem": $SSL_PRIVATE_KEY - } +cf_resources=$( + read -d'%' -r input <