Merge pull request #3291 from cloudfoundry/deploy-autoscaler-fetch-se…

…crets-improvement Refactor deployment script and add autoscaler-secrets.yml template
cloudfoundry · Oct 24, 2024 · 8238795 · 8238795
2 parents 62524ab + 6379372
commit 8238795
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 24 deletions.
diff --git a/ci/autoscaler/scripts/autoscaler-secrets.yml.tpl b/ci/autoscaler/scripts/autoscaler-secrets.yml.tpl
@@ -0,0 +1,13 @@
+---
+admin_password: ((/bosh-autoscaler/cf/cf_admin_password))
+routing_api_tls_client_cert: ((/bosh-autoscaler/cf/routing_api_tls_client.certificate))
+routing_api_ca_certs: ((/bosh-autoscaler/cf/router_ssl.ca))
+routing_api_client_secret: ((/bosh-autoscaler/cf/uaa_clients_routing_api_client_secret))
+routing_api_tls_client_private_key: ((/bosh-autoscaler/cf/routing_api_tls_client.private_key))
+routing_api_server_ca_cert: ((/bosh-autoscaler/cf/router_ssl.ca))
+log_cache_syslog_tls_ca: ((/bosh-autoscaler/cf/log_cache_syslog_tls.ca))
+syslog_agent_log_cache_tls_certificate: ((/bosh-autoscaler/cf/syslog_agent_log_cache_tls.certificate))
+syslog_agent_log_cache_tls_key: ((/bosh-autoscaler/cf/syslog_agent_log_cache_tls.private_key))
+metricscollector_ca_cert: ((/bosh-autoscaler/cf/log_cache.ca))
+metricscollector_client_cert: ((/bosh-autoscaler/cf/log_cache.certificate))
+metricscollector_client_key: ((/bosh-autoscaler/cf/log_cache.private_key))
diff --git a/ci/autoscaler/scripts/cf-login.sh b/ci/autoscaler/scripts/cf-login.sh
@@ -6,5 +6,7 @@ source "${script_dir}/common.sh"
 
 bosh_login
 cf_login
+cf_target "${AUTOSCALER_ORG}" "${AUTOSCALER_SPACE}"
+
 
 cf autoscaling-api "https://autoscaler-${PR_NUMBER}.${SYSTEM_DOMAIN}"
diff --git a/ci/autoscaler/scripts/deploy-autoscaler.sh b/ci/autoscaler/scripts/deploy-autoscaler.sh
@@ -20,6 +20,11 @@ ops_files=${OPS_FILES:-"${autoscaler_dir}/operations/add-releases.yml\
   ${autoscaler_dir}/operations/enable-scheduler-logging.yml"}
 
 
+## if mtar_deployment_enabled, then apply the use-cf operator file
+if [[  "${enable_mtar}"  == "true" ]]; then
+  echo "Deploying with mtar enabled"
+  ops_files+=" ${autoscaler_dir}/operations/use-cf-services.yml"
+fi
 
 case "${cpu_upper_threshold}" in
   "100")
@@ -89,29 +94,21 @@ function create_manifest(){
   # on MacOS mktemp does not know the --tmpdir option
   tmp_manifest_file="$(mktemp "${tmp_dir}/${deployment_name}.bosh-manifest.yaml.XXX")"
 
+
+  credhub interpolate -f "${autoscaler_dir}/ci/autoscaler/scripts/autoscaler-secrets.yml.tpl" > /tmp/autoscaler-secrets.yml
+
   bosh -n -d "${deployment_name}" \
       interpolate "${deployment_manifest}" \
       ${OPS_FILES_TO_USE} \
       ${bosh_deploy_opts} \
       -v system_domain="${system_domain}" \
       -v deployment_name="${deployment_name}" \
       -v app_autoscaler_version="${bosh_release_version}" \
-      -v admin_password="$(credhub get -n /bosh-autoscaler/cf/cf_admin_password -q)"\
-      -v routing_api_ca_certs="$(credhub get -n /bosh-autoscaler/cf/router_ssl --key ca --quiet)"\
-      -v routing_api_client_secret="$(credhub get -n /bosh-autoscaler/cf/uaa_clients_routing_api_client_secret --quiet)"\
-      -v routing_api_tls_client_cert="$(credhub get -n /bosh-autoscaler/cf/routing_api_tls_client --key certificate --quiet)"\
-      -v routing_api_tls_client_private_key="$(credhub get -n /bosh-autoscaler/cf/routing_api_tls_client --key private_key --quiet)"\
-      -v routing_api_server_ca_cert="$(credhub get -n /bosh-autoscaler/cf/router_ssl --key ca --quiet)"\
       -v cf_client_id=autoscaler_client_id \
       -v cf_client_secret=autoscaler_client_secret \
-      -v log_cache_syslog_tls_ca="$(credhub get -n /bosh-autoscaler/cf/log_cache_syslog_tls --key ca --quiet)"\
-      -v syslog_agent_log_cache_tls_certificate="$(credhub get -n /bosh-autoscaler/cf/syslog_agent_log_cache_tls --key certificate --quiet)"\
-      -v syslog_agent_log_cache_tls_key="$(credhub get -n /bosh-autoscaler/cf/syslog_agent_log_cache_tls --key private_key --quiet)"\
-      -v metricscollector_ca_cert="$(credhub get -n /bosh-autoscaler/cf/log_cache --key ca --quiet)"\
-      -v metricscollector_client_cert="$(credhub get -n /bosh-autoscaler/cf/log_cache --key certificate --quiet)"\
-      -v metricsforwarder_host="${metricsforwarder_host}"\
       -v postgres_external_port="$(get_postgres_external_port)"\
-      -v metricscollector_client_key="$(credhub get -n /bosh-autoscaler/cf/log_cache --key private_key --quiet)"\
+			-v metricsforwarder_host="${metricsforwarder_host}"\
+			--vars-file=/tmp/autoscaler-secrets.yml \
       -v skip_ssl_validation=true \
       > "${tmp_manifest_file}"
 
@@ -134,9 +131,9 @@ function check_ops_files(){
 
 function deploy() {
   # Try to silence Prometheus but do not fail deployment if there's an error
-  ${script_dir}/silence_prometheus_alert.sh "BOSHJobEphemeralDiskPredictWillFill" || true
-  ${script_dir}/silence_prometheus_alert.sh "BOSHJobProcessUnhealthy" || true
-  ${script_dir}/silence_prometheus_alert.sh "BOSHJobUnhealthy" || true
+# ${script_dir}/silence_prometheus_alert.sh "BOSHJobEphemeralDiskPredictWillFill" || true
+#  ${script_dir}/silence_prometheus_alert.sh "BOSHJobProcessUnhealthy" || true
+#  ${script_dir}/silence_prometheus_alert.sh "BOSHJobUnhealthy" || true
 
   create_manifest
 

diff --git a/ci/autoscaler/scripts/vars.source.sh b/ci/autoscaler/scripts/vars.source.sh
@@ -123,3 +123,7 @@ debug "PERFORMANCE_TEARDOWN: ${PERFORMANCE_TEARDOWN}"
 export CPU_UPPER_THRESHOLD=${CPU_UPPER_THRESHOLD:-100}
 debug "CPU_UPPER_THRESHOLD: ${CPU_UPPER_THRESHOLD}"
 cpu_upper_threshold=${CPU_UPPER_THRESHOLD}
+
+export ENABLE_MTAR=${ENABLE_MTAR:-false}
+debug "ENABLE_MTAR: ${ENABLE_MTAR}"
+enable_mtar=${ENABLE_MTAR}
diff --git a/src/autoscaler/build-extension-file.sh b/src/autoscaler/build-extension-file.sh
@@ -19,17 +19,30 @@ export SYSTEM_DOMAIN="autoscaler.app-runtime-interfaces.ci.cloudfoundry.org"
 export POSTGRES_ADDRESS="${DEPLOYMENT_NAME}-postgres.tcp.${SYSTEM_DOMAIN}"
 export POSTGRES_EXTERNAL_PORT="${PR_NUMBER:-5432}"
 
-export METRICSFORWARDER_HEALTH_PASSWORD="$(credhub get -n /bosh-autoscaler/${DEPLOYMENT_NAME}/autoscaler_metricsforwarder_health_password --quiet)"
+cat << EOF > /tmp/extension-file-secrets.yml.tpl
+metricsforwarder_health_password: ((/bosh-autoscaler/${DEPLOYMENT_NAME}/autoscaler_metricsforwarder_health_password))
+policy_db_password: ((/bosh-autoscaler/${DEPLOYMENT_NAME}/database_password))
+policy_db_server_ca: ((/bosh-autoscaler/${DEPLOYMENT_NAME}/postgres_server.ca))
+policy_db_client_cert: ((/bosh-autoscaler/${DEPLOYMENT_NAME}/postgres_server.certificate))
+policy_db_client_key: ((/bosh-autoscaler/${DEPLOYMENT_NAME}/postgres_server.private_key))
+syslog_client_ca: ((/bosh-autoscaler/cf/syslog_agent_log_cache_tls.ca))
+syslog_client_cert: ((/bosh-autoscaler/cf/syslog_agent_log_cache_tls.certificate))
+syslog_client_key: ((/bosh-autoscaler/cf/syslog_agent_log_cache_tls.private_key))
+EOF
+
+credhub interpolate -f "/tmp/extension-file-secrets.yml.tpl" > /tmp/mtar-secrets.yml
+
 export METRICSFORWARDER_APPNAME="${METRICSFORWARDER_APPNAME:-"${DEPLOYMENT_NAME}-metricsforwarder"}"
+export METRICSFORWARDER_HEALTH_PASSWORD="$(yq ".metricsforwarder_health_password" /tmp/mtar-secrets.yml)"
 
-export POLICY_DB_PASSWORD="$(credhub get -n /bosh-autoscaler/${DEPLOYMENT_NAME}/database_password --quiet)"
-export POLICY_DB_SERVER_CA="$(credhub get -n /bosh-autoscaler/${DEPLOYMENT_NAME}/postgres_server --key ca --quiet )"
-export POLICY_DB_CLIENT_CERT="$(credhub get -n /bosh-autoscaler/${DEPLOYMENT_NAME}/postgres_server --key certificate --quiet)"
-export POLICY_DB_CLIENT_KEY="$(credhub get -n /bosh-autoscaler/${DEPLOYMENT_NAME}/postgres_server --key private_key --quiet)"
+export POLICY_DB_PASSWORD="$(yq ".policy_db_password" /tmp/mtar-secrets.yml)"
+export POLICY_DB_SERVER_CA="$(yq ".policy_db_server_ca" /tmp/mtar-secrets.yml)"
+export POLICY_DB_CLIENT_CERT="$(yq ".policy_db_client_cert" /tmp/mtar-secrets.yml)"
+export POLICY_DB_CLIENT_KEY="$(yq ".policy_db_client_key" /tmp/mtar-secrets.yml)"
 
-export SYSLOG_CLIENT_CA="$(credhub get -n /bosh-autoscaler/cf/syslog_agent_log_cache_tls --key ca --quiet)"
-export SYSLOG_CLIENT_CERT="$(credhub get -n /bosh-autoscaler/cf/syslog_agent_log_cache_tls --key certificate --quiet)"
-export SYSLOG_CLIENT_KEY="$(credhub get -n /bosh-autoscaler/cf/syslog_agent_log_cache_tls --key private_key --quiet)"
+export SYSLOG_CLIENT_CA="$(yq ".syslog_client_ca" /tmp/mtar-secrets.yml)"
+export SYSLOG_CLIENT_CERT="$(yq ".syslog_client_cert" /tmp/mtar-secrets.yml)"
+export SYSLOG_CLIENT_KEY="$(yq ".syslog_client_key" /tmp/mtar-secrets.yml)"
 
 cat <<EOF > "${extension_file_path}"
 ID: development

diff --git a/src/autoscaler/metricsforwarder/Makefile b/src/autoscaler/metricsforwarder/Makefile
@@ -6,4 +6,5 @@ set-security-group:
 	$(eval SPACE := $(shell cf target |grep "space\:" |cut -d':' -f2 | xargs))
 
 	cf create-security-group metricsforwarder $(MAKEFILE_DIR)/security-group.json
+	cf update-security-group metricsforwarder $(MAKEFILE_DIR)/security-group.json
 	cf bind-security-group metricsforwarder $(ORG)