Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
# Whether to allow SSH access to application instances
allow_app_ssh_access: true
# Change to anything other than 'wipe' to bypass the wipe-env job
arg_wipe: wipe
authentication_mode: internal
# If the azure_storage_account_name is empty "", ERT will use internal storage. If you want ERT to use Azure blob store, provide a valid storage account name.
azure_storage_account_name: CHANGEME #<--- This has to be created manually. Please see instructions on the blog
# Required if Azure blob storage is used as external storage by ERT, which is determined by azure_storage_account_name being not null. This setting is used to specify the container where the buildpacks will be stored. It is similar to the S3 bucket in AWS.
azure_buildpacks_container: CHANGEME # <-- my sample value is buildpacks-az-c2s-com
azure_client_id: CHANGEME
azure_client_secret: CHANHGEME
# Required if Azure blob storage is used as external storage by ERT, which is determined by azure_storage_account_name being not null. This setting is used to specify the container where the droplets will be stored. It is similar to the S3 bucket in AWS.
azure_droplets_container: CHANGEME # <-- my sample value is droplets-az-c2s-com
# Required if using c0-azure-multi-res-group - An existing network for your Azure environment
azure_multi_resgroup_network:
# Required if using c0-azure-multi-res-group - The resource group name for your Azure environment
azure_multi_resgroup_pcf:
# Private IP for the Operations Manager VM
azure_opsman_priv_ip: 192.168.0.4
# Required if Azure blob storage is used as external storage by ERT, which is determined by azure_storage_account_name being not null. This setting is used to specify the container where the packages will be stored. It is similar to the S3 bucket in AWS.
azure_packages_container: CHANGEME # <-- my sample value is packages-az-c2s-com
# The set of terraform templates and opsman configuration to use in the pipeline (c0-azure-base|c0-azure-multi-res-group)
azure_pcf_terraform_template: c0-azure-base
# a valid Azure region.
azure_region: westus
# Required if Azure blob storage is used as external storage by ERT, which is determined by azure_storage_account_name being not null. This setting is used to specify the container where the resources will be stored. It is similar to the S3 bucket in AWS.
azure_resources_container: CHANGEME # <-- my sample value is resources-az-c2s-com
azure_subscription_id: CHANGEME
azure_tenant_id: CHANGEME
# Prefix to use for Terraform-managed infrastructure, e.g. 'pcf-terraform'
# Must be globally unique.
azure_terraform_prefix: CHANGEME # <-- my sample value is c2s
# ERT-specific network configurations. Leave these as default unless you need to make changes to align with existing infrastructure.
azure_terraform_subnet_dynamic_services_cidr: "192.168.12.0/22"
azure_terraform_subnet_dynamic_services_dns: "168.63.129.16,8.8.8.8"
azure_terraform_subnet_dynamic_services_gateway: "192.168.12.1"
azure_terraform_subnet_dynamic_services_reserved: "192.168.12.1-192.168.12.9"
azure_terraform_subnet_ert_cidr: "192.168.4.0/22"
azure_terraform_subnet_ert_dns: "168.63.129.16,8.8.8.8"
azure_terraform_subnet_ert_gateway: "192.168.4.1"
azure_terraform_subnet_ert_reserved: "192.168.4.1-192.168.4.9"
azure_terraform_subnet_infra_cidr: "192.168.0.0/26"
azure_terraform_subnet_infra_dns: "168.63.129.16,8.8.8.8"
azure_terraform_subnet_infra_gateway: "192.168.0.1"
azure_terraform_subnet_infra_reserved: "192.168.0.1-192.168.0.9"
azure_terraform_subnet_services1_cidr: "192.168.8.0/22"
azure_terraform_subnet_services1_dns: "168.63.129.16,8.8.8.8"
azure_terraform_subnet_services1_gateway: "192.168.8.1"
azure_terraform_subnet_services1_reserved: "192.168.8.1-192.168.8.9"
azure_terraform_vnet_cidr: "192.168.0.0/20"
# azure_vm_admin value should match with user ID used to create the certs pcf_ssh_key_pub.
# The user ID will appear towards the end of the public key.
azure_vm_admin: ubuntu
# Ciphers
# An ordered, colon-delimited list of Golang supported TLS cipher suites in OpenSSL format.
# Operators should verify that these are supported by any clients or downstream components that will initiate TLS handshakes with the Router/HAProxy.
# The recommended settings are filled in below, change as necessary.
router_tls_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
haproxy_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
# Company Name for Apps Manager
company_name: CHANGEME # <-- my sample value is Clue2solve Inc
# c2c networking network cidr
container_networking_nw_cidr: 10.255.0.0/16
# For credhub integration, Set the number of credhub instances in resource config to 2
# Primary Encryption Name MUST match one of the encryption key names provided
# Encryption keys 2 and 3 are optional
credhub_primary_encryption_name: key1
credhub_encryption_key_name1: key1
credhub_encryption_key_secret1: abcdefghijklmnopqrstuvwxyz123456789123456789
credhub_encryption_key_name2: # Optional Name 2
credhub_encryption_key_secret2: # Optional Secret 2
credhub_encryption_key_name3: # Optional Name 3
credhub_encryption_key_secret3: # Optional Secret 2
default_quota_max_number_services: 1000
default_quota_memory_limit_mb: 10240
# Domain Names for ERT
pcf_ert_domain: CHANGEME # <-- my sample value is pas.cf.az.clue2solve.com # This is the domain you will access ERT with
system_domain: CHANGEME # <-- my sample value is sys.pas.cf.az.clue2solve.com # This is usually sys.${pcf_ert_domain}
apps_domain: CHANGEME # <-- my sample value is cfapps.pas.cf.az.clue2solve.com # This is usually cfapps.${pcf_ert_domain}
# This defines the deployment network name within PCF.
deployment_network_name: "ert"
# Disable HTTP on gorouters (true|false)
disable_http_proxy: false
# If true, disable insecure cookies on the router.
disable_insecure_cookies: false
# PCF Elastic Runtime minor version to track
ert_major_minor_version: ^2\.1\.[0-9]+$ # ERT minor version to track (e.g ^2\.0\.[0-9]+$ will track 2.0.x versions)
# Optional. Duration in seconds to maintain an open connection when client supports keep-alive.
frontend_idle_timeout: 239
# Optional - if your git repo requires an SSH key.
git_private_key: |
-----BEGIN RSA PRIVATE KEY-----
CHANGEME
-----END RSA PRIVATE KEY-----
# Required if haproxy_forward_tls is enabled - HAProxy will use the CA provided to verify the certificates provided by the router.
haproxy_backend_ca:
# If enabled HAProxy will forward all requests to the router over TLS (enable|disable)
haproxy_forward_tls: disable
# The lb value can be obtained by prepending "web-lb" with "azure_terraform_prefix". For example, if your "azure_terraform_prefix" is "test", then the "ha_proxy_lb_name" is "test-web-lb".
ha_proxy_lb_name: CHANGEME # <-- my sample value is c2s-web-lb
# Instances
## These resources can take any parameter made available in
## the ops manager API ( https://your-ops-man/docs#configuring-resources-for-a-job)
backup_prepare_instances: 0
clock_global_instances: 1
cloud_controller_instances: 2
cloud_controller_worker_instances: 2
consul_server_instances: 3
credhub_instances: 0
diego_brain_instances: 3
diego_cell_instances: 3
diego_database_instances: 3
doppler_instances: 3
ha_proxy_instances: 1
loggregator_trafficcontroller_instances: 1
mysql_instances: 1
mysql_monitor_instances: 0
mysql_proxy_instances: 1
nats_instances: 2
nfs_server_instances: 1
router_instances: 3
syslog_adapter_instances: 3
syslog_scheduler_instances: 2
tcp_router_instances: 0
uaa_instances: 2
# Whether or not the ERT VMs are internet connected.
internet_connected: false
# IPs
# Leave blank if you don't need to make changes to existing network infrastructure configs.
ha_proxy_ips: # Comma-separated list of static IPs
router_static_ips: # Comma-separated list of static IPs
tcp_router_static_ips: # Comma-separated list of static IPs
ssh_static_ips: # Comma-separated list of static IPs
mysql_static_ips: # Comma-separated list of static IPs
# Loggegrator Port. Default is 443
loggregator_endpoint_port:
# Email address for sending mysql monitor notifications
mysql_monitor_recipient_email: CHANGEME # <-- my sample value is anand@clue2solve.com
# opsman_admin_username/opsman_admin_password needs to be specified
# These define the login values for the OpsMan UI.
opsman_admin_username: admin
opsman_admin_password: CHANGEME
# Opsman Settings
opsman_domain_or_ip_address: opsman.pas.cf.az.clue2solve.com # This should be your pcf_ert_domain with "opsman." as a prefix
# PCF Ops Manager minor version to track
opsman_major_minor_version: ^2\.1\.[0-9]+$ # Ops Manager minor version to track (e.g ^2\.0\.[0-9]+$ will track 2.0.x versions)
# SAML Service Credential provider Cert and Key, if the string is blank, then the pipeline will auto generate certs
pcf_ert_saml_cert:
pcf_ert_saml_key:
pcf_opsman_disk_size_in_gb: 120
# SSH keys for Operations Manager director
# More information can be found in these locations.
# 1. https://docs.pivotal.io/pivotalcf/2-0/customizing/pcf_azure.html#getting-started
# 2. https://docs.pivotal.io/pivotalcf/2-0/customizing/azure-om-config.html#azure-config
pcf_ssh_key_pub: CHANGEME
pcf_ssh_key_priv: |
-----BEGIN RSA PRIVATE KEY-----
CHANGEME
-----END RSA PRIVATE KEY-----
# Pivnet token for downloading resources from Pivnet. Find this token at https://network.pivotal.io/users/dashboard/edit-profile
pivnet_token: CHANGEME # Pivnet token for downloading resources from Pivnet. Find this token at https://network.pivotal.io/users/dashboard/edit-profile
# Optional. If blank the cert(s) will be generated
poe_ssl_name1:
poe_ssl_cert1:
poe_ssl_key1:
poe_ssl_name2:
poe_ssl_cert2:
poe_ssl_key2:
poe_ssl_name3:
poe_ssl_cert3:
poe_ssl_key3:
# Request timeout for gorouter
# It is recommended by both Pivotal and Microsoft that this value remain under 240 due to timeout configurations in Azure.
router_request_timeout_in_seconds: 239
# Optional - these certificates can be used to validate the certificates from incoming client requests.
# All CA certificates should be appended together into a single collection of PEM-encoded entries.
routing_custom_ca_certificates:
# Support for the X-Forwarded-Client-Cert header. Possible values: (load_balancer|ha_proxy|router)
routing_tls_termination: load_balancer
# Setting appropriate Application Security Groups is critical for a secure
# deployment. Change the value of the param below to "X" to acknowledge that
# once the Elastic Runtime deployment completes, you will review and set the
# appropriate application security groups.
# See https://docs.pivotal.io/pivotalcf/opsguide/app-sec-groups.html
security_acknowledgement: X
# Whether to disable SSL cert verification for this environment.
skip_cert_verify: true
# If smtp_address is configured, smtp_from, smtp_port, smtp_user, smtp_pwd,
# smtp_enable_starttls_auto, and smtp_auth_mechanism must also be set.
smtp_address:
smtp_auth_mechanism: # (none|plain|cram-md5)
smtp_enable_starttls_auto: true
smtp_from:
smtp_port:
smtp_pwd:
smtp_user:
## Syslog endpoint configuration goes here
# Optional. If syslog_host is specified, syslog_port, syslog_protocol,
# syslog_drain_buffer_size, and enable_security_event_logging must be set.
enable_security_event_logging: false
syslog_drain_buffer_size: 10000
syslog_host:
syslog_port:
syslog_protocol:
## TCP routing and routing services
ignore_ssl_cert_verification: false # Whether to disable SSL cert verification for route services
route_services: enable # Enable/disable route services (enable|disable)
tcp_routing: disable # Enable/disable TCP routing (enable|disable)
tcp_routing_ports: # A comma-separated list of ports and hyphen-separated port ranges, e.g. 52135,34000-35000,23478
# Optional PEM-encoded certificates to add to BOSH VMs
trusted_certificates:
# The storage account and container that will be used for your terraform state
terraform_azure_storage_account_name: CHANGEME # <-- my sample value is araoc2sterraform
terraform_azure_storage_access_key: CHANGEME <-- See the blog for extracting this value from the Azure portal
azure_storage_container_name: CHANGEME # <-- my sample value is terraformstate
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment