Refactor deployment script and add autoscaler-secrets.yml template

- Add a new autoscaler-secrets.yml.tpl file for managing autoscaler secrets - Streamline secret injection by using `credhub interpolate` with the new secrets template - Remove direct `credhub get` calls for secrets in the deploy-autoscaler.sh script - Comment out Prometheus alert silencing commands in the deploy function
cloudfoundry · Oct 23, 2024 · 699b4d7 · 699b4d7
1 parent 62524ab
commit 699b4d7
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 17 deletions.
diff --git a/ci/autoscaler/scripts/autoscaler-secrets.yml.tpl b/ci/autoscaler/scripts/autoscaler-secrets.yml.tpl
@@ -0,0 +1,13 @@
+---
+admin_password: ((/bosh-autoscaler/cf/cf_admin_password))
+routing_api_tls_client_cert: ((/bosh-autoscaler/cf/routing_api_tls_client.certificate))
+routing_api_ca_certs: ((/bosh-autoscaler/cf/router_ssl.ca))
+routing_api_client_secret: ((/bosh-autoscaler/cf/uaa_clients_routing_api_client_secret))
+routing_api_tls_client_private_key: ((/bosh-autoscaler/cf/routing_api_tls_client.private_key))
+routing_api_server_ca_cert: ((/bosh-autoscaler/cf/router_ssl.ca))
+log_cache_syslog_tls_ca: ((/bosh-autoscaler/cf/log_cache_syslog_tls.ca))
+syslog_agent_log_cache_tls_certificate: ((/bosh-autoscaler/cf/syslog_agent_log_cache_tls.certificate))
+syslog_agent_log_cache_tls_key: ((/bosh-autoscaler/cf/syslog_agent_log_cache_tls.private_key))
+metricscollector_ca_cert: ((/bosh-autoscaler/cf/log_cache.ca))
+metricscollector_client_cert: ((/bosh-autoscaler/cf/log_cache.certificate))
+metricscollector_client_key: ((/bosh-autoscaler/cf/log_cache.private_key))
diff --git a/ci/autoscaler/scripts/deploy-autoscaler.sh b/ci/autoscaler/scripts/deploy-autoscaler.sh
@@ -20,7 +20,6 @@ ops_files=${OPS_FILES:-"${autoscaler_dir}/operations/add-releases.yml\
   ${autoscaler_dir}/operations/enable-scheduler-logging.yml"}
 
 
-
 case "${cpu_upper_threshold}" in
   "100")
   # default
@@ -89,29 +88,20 @@ function create_manifest(){
   # on MacOS mktemp does not know the --tmpdir option
   tmp_manifest_file="$(mktemp "${tmp_dir}/${deployment_name}.bosh-manifest.yaml.XXX")"
 
+
+  credhub interpolate -f "${autoscaler_dir}/ci/autoscaler/scripts/autoscaler-secrets.yml.tpl" > /tmp/autoscaler-secrets.yml
+
   bosh -n -d "${deployment_name}" \
       interpolate "${deployment_manifest}" \
       ${OPS_FILES_TO_USE} \
       ${bosh_deploy_opts} \
       -v system_domain="${system_domain}" \
       -v deployment_name="${deployment_name}" \
       -v app_autoscaler_version="${bosh_release_version}" \
-      -v admin_password="$(credhub get -n /bosh-autoscaler/cf/cf_admin_password -q)"\
-      -v routing_api_ca_certs="$(credhub get -n /bosh-autoscaler/cf/router_ssl --key ca --quiet)"\
-      -v routing_api_client_secret="$(credhub get -n /bosh-autoscaler/cf/uaa_clients_routing_api_client_secret --quiet)"\
-      -v routing_api_tls_client_cert="$(credhub get -n /bosh-autoscaler/cf/routing_api_tls_client --key certificate --quiet)"\
-      -v routing_api_tls_client_private_key="$(credhub get -n /bosh-autoscaler/cf/routing_api_tls_client --key private_key --quiet)"\
-      -v routing_api_server_ca_cert="$(credhub get -n /bosh-autoscaler/cf/router_ssl --key ca --quiet)"\
       -v cf_client_id=autoscaler_client_id \
       -v cf_client_secret=autoscaler_client_secret \
-      -v log_cache_syslog_tls_ca="$(credhub get -n /bosh-autoscaler/cf/log_cache_syslog_tls --key ca --quiet)"\
-      -v syslog_agent_log_cache_tls_certificate="$(credhub get -n /bosh-autoscaler/cf/syslog_agent_log_cache_tls --key certificate --quiet)"\
-      -v syslog_agent_log_cache_tls_key="$(credhub get -n /bosh-autoscaler/cf/syslog_agent_log_cache_tls --key private_key --quiet)"\
-      -v metricscollector_ca_cert="$(credhub get -n /bosh-autoscaler/cf/log_cache --key ca --quiet)"\
-      -v metricscollector_client_cert="$(credhub get -n /bosh-autoscaler/cf/log_cache --key certificate --quiet)"\
-      -v metricsforwarder_host="${metricsforwarder_host}"\
       -v postgres_external_port="$(get_postgres_external_port)"\
-      -v metricscollector_client_key="$(credhub get -n /bosh-autoscaler/cf/log_cache --key private_key --quiet)"\
+			--vars-file=/tmp/autoscaler-secrets.yml \
       -v skip_ssl_validation=true \
       > "${tmp_manifest_file}"
 
@@ -134,9 +124,9 @@ function check_ops_files(){
 
 function deploy() {
   # Try to silence Prometheus but do not fail deployment if there's an error
-  ${script_dir}/silence_prometheus_alert.sh "BOSHJobEphemeralDiskPredictWillFill" || true
-  ${script_dir}/silence_prometheus_alert.sh "BOSHJobProcessUnhealthy" || true
-  ${script_dir}/silence_prometheus_alert.sh "BOSHJobUnhealthy" || true
+# ${script_dir}/silence_prometheus_alert.sh "BOSHJobEphemeralDiskPredictWillFill" || true
+#  ${script_dir}/silence_prometheus_alert.sh "BOSHJobProcessUnhealthy" || true
+#  ${script_dir}/silence_prometheus_alert.sh "BOSHJobUnhealthy" || true
 
   create_manifest