mminges/cf-secrets.yml

## cf-secrets.yml
meta:
  admin_secret: (( merge || c1oudc0wc1oudc0w ))
  secret: (( merge || defaults.secret ))
  secrets:
    loggregator_secret: (( merge || meta.secret ))
    cc_bulk_api_password: (( merge || meta.secret ))
    cc_staging_upload_password: (( merge || meta.secret ))
    cc_admin_password: (( merge || meta.secret ))
    cc_db_encryption_key: (( merge || meta.secret ))
    cc_db_password: (( merge || meta.secret ))
    uaa_db_password: (( merge || meta.secret ))
    uaa_secrets:
      login: (( merge || meta.secret ))
      portal: (( merge || meta.secret ))
      billing: (( merge || meta.secret ))
      app-direct: (( merge || meta.secret ))
      support-services: (( merge || meta.secret ))
      servicesmgmt: (( merge || meta.secret ))
      space-mail: (( merge || meta.secret ))
      developer_console: (( merge || meta.secret ))
      batch: (( merge || meta.secret ))
      cc: (( merge || meta.secret ))
      admin: (( merge || meta.secret ))
      cc-service-dashboards: (( merge || meta.secret ))
      notifications: (( merge || meta.secret ))
      doppler: (( merge || meta.secret ))
      cloud_controller_username_lookup: (( merge || meta.secret ))
      gorouter: (( merge || meta.secret ))
    nats_password: (( merge || meta.secret ))
    router_status_password: (( merge || meta.secret ))

  uaa_signing_key: (( merge || defaults.uaa_signing_key ))
  uaa_verification_key: (( merge || defaults.uaa_verification_key ))

properties:
  <<: (( merge ))
  loggregator_endpoint:
    shared_secret: (( meta.secrets.loggregator_secret ))
  cc:
    staging_upload_user: staging
    bulk_api_password: (( meta.secrets.cc_bulk_api_password ))
    staging_upload_password: (( meta.secrets.cc_staging_upload_password ))
    db_encryption_key: (( meta.secrets.cc_db_encryption_key ))
  uaa:
    scim:
      users:
        - (( "admin|" meta.admin_secret "|scim.write,scim.read,openid,cloud_controller.admin,clients.read,clients.write,doppler.firehose" ))
    clients:
      <<: (( merge || nil ))
      admin: # This admin section can be removed once cf v196 is released
        authorized-grant-types: client_credentials
        authorities: clients.read,clients.write,clients.secret,uaa.admin,scim.read,password.write,scim.write
        id: admin
        secret: (( meta.secrets.uaa_secrets.admin ))
      login:
        secret: (( meta.secrets.uaa_secrets.login ))
      portal:
        secret: (( meta.secrets.uaa_secrets.portal ))
      billing:
        secret: (( meta.secrets.uaa_secrets.billing ))
      app-direct:
        secret: (( meta.secrets.uaa_secrets.app-direct ))
      notifications:
        secret: (( meta.secrets.uaa_secrets.notifications ))
      doppler:
        secret: (( meta.secrets.uaa_secrets.doppler ))
      support-services:
        secret: (( meta.secrets.uaa_secrets.support-services ))
      servicesmgmt:
        secret: (( meta.secrets.uaa_secrets.servicesmgmt ))
      space-mail:
        secret: (( meta.secrets.uaa_secrets.space-mail ))
      developer_console:
        secret: (( meta.secrets.uaa_secrets.developer_console ))
      cc-service-dashboards:
        secret: (( meta.secrets.uaa_secrets.cc-service-dashboards ))
        scope: openid,cloud_controller_service_permissions.read
      doppler:
        secret: (( meta.secrets.uaa_secrets.doppler ))
      cloud_controller_username_lookup:
        secret: (( meta.secrets.uaa_secrets.cloud_controller_username_lookup ))
      gorouter:
        secret: (( meta.secrets.uaa_secrets.gorouter ))
    batch:
      username: batch
      password: (( meta.secrets.uaa_secrets.batch ))
    cc:
      client_secret: (( meta.secrets.uaa_secrets.cc ))
    admin:
      client_secret: (( meta.secrets.uaa_secrets.admin ))
    jwt:
      signing_key: (( meta.uaa_signing_key ))
      verification_key: (( meta.uaa_verification_key ))
  nats:
    user: nats
    password: (( meta.secrets.nats_password ))
  router:
    status:
      user: router
      password: (( meta.secrets.router_status_password ))
  ccdb:
    roles:
      - name: ccadmin
        password: (( meta.secrets.cc_db_password ))
  uaadb:
    roles:
      - name: uaaadmin
        password: (( meta.secrets.uaa_db_password ))
  databases:
    roles:
      - name: ccadmin
        password: (( meta.secrets.cc_db_password ))
      - name: uaaadmin
        password: (( meta.secrets.uaa_db_password ))

defaults:
  secret: c1oudc0w
  uaa_signing_key: |
  ...
	meta:
	admin_secret: (( merge \|\| c1oudc0wc1oudc0w ))
	secret: (( merge \|\| defaults.secret ))
	secrets:
	loggregator_secret: (( merge \|\| meta.secret ))
	cc_bulk_api_password: (( merge \|\| meta.secret ))
	cc_staging_upload_password: (( merge \|\| meta.secret ))
	cc_admin_password: (( merge \|\| meta.secret ))
	cc_db_encryption_key: (( merge \|\| meta.secret ))
	cc_db_password: (( merge \|\| meta.secret ))
	uaa_db_password: (( merge \|\| meta.secret ))
	uaa_secrets:
	login: (( merge \|\| meta.secret ))
	portal: (( merge \|\| meta.secret ))
	billing: (( merge \|\| meta.secret ))
	app-direct: (( merge \|\| meta.secret ))
	support-services: (( merge \|\| meta.secret ))
	servicesmgmt: (( merge \|\| meta.secret ))
	space-mail: (( merge \|\| meta.secret ))
	developer_console: (( merge \|\| meta.secret ))
	batch: (( merge \|\| meta.secret ))
	cc: (( merge \|\| meta.secret ))
	admin: (( merge \|\| meta.secret ))
	cc-service-dashboards: (( merge \|\| meta.secret ))
	notifications: (( merge \|\| meta.secret ))
	doppler: (( merge \|\| meta.secret ))
	cloud_controller_username_lookup: (( merge \|\| meta.secret ))
	gorouter: (( merge \|\| meta.secret ))
	nats_password: (( merge \|\| meta.secret ))
	router_status_password: (( merge \|\| meta.secret ))

	uaa_signing_key: (( merge \|\| defaults.uaa_signing_key ))
	uaa_verification_key: (( merge \|\| defaults.uaa_verification_key ))

	properties:
	<<: (( merge ))
	loggregator_endpoint:
	shared_secret: (( meta.secrets.loggregator_secret ))
	cc:
	staging_upload_user: staging
	bulk_api_password: (( meta.secrets.cc_bulk_api_password ))
	staging_upload_password: (( meta.secrets.cc_staging_upload_password ))
	db_encryption_key: (( meta.secrets.cc_db_encryption_key ))
	uaa:
	scim:
	users:
	- (( "admin\|" meta.admin_secret "\|scim.write,scim.read,openid,cloud_controller.admin,clients.read,clients.write,doppler.firehose" ))
	clients:
	<<: (( merge \|\| nil ))
	admin: # This admin section can be removed once cf v196 is released
	authorized-grant-types: client_credentials
	authorities: clients.read,clients.write,clients.secret,uaa.admin,scim.read,password.write,scim.write
	id: admin
	secret: (( meta.secrets.uaa_secrets.admin ))
	login:
	secret: (( meta.secrets.uaa_secrets.login ))
	portal:
	secret: (( meta.secrets.uaa_secrets.portal ))
	billing:
	secret: (( meta.secrets.uaa_secrets.billing ))
	app-direct:
	secret: (( meta.secrets.uaa_secrets.app-direct ))
	notifications:
	secret: (( meta.secrets.uaa_secrets.notifications ))
	doppler:
	secret: (( meta.secrets.uaa_secrets.doppler ))
	support-services:
	secret: (( meta.secrets.uaa_secrets.support-services ))
	servicesmgmt:
	secret: (( meta.secrets.uaa_secrets.servicesmgmt ))
	space-mail:
	secret: (( meta.secrets.uaa_secrets.space-mail ))
	developer_console:
	secret: (( meta.secrets.uaa_secrets.developer_console ))
	cc-service-dashboards:
	secret: (( meta.secrets.uaa_secrets.cc-service-dashboards ))
	scope: openid,cloud_controller_service_permissions.read
	doppler:
	secret: (( meta.secrets.uaa_secrets.doppler ))
	cloud_controller_username_lookup:
	secret: (( meta.secrets.uaa_secrets.cloud_controller_username_lookup ))
	gorouter:
	secret: (( meta.secrets.uaa_secrets.gorouter ))
	batch:
	username: batch
	password: (( meta.secrets.uaa_secrets.batch ))
	cc:
	client_secret: (( meta.secrets.uaa_secrets.cc ))
	admin:
	client_secret: (( meta.secrets.uaa_secrets.admin ))
	jwt:
	signing_key: (( meta.uaa_signing_key ))
	verification_key: (( meta.uaa_verification_key ))
	nats:
	user: nats
	password: (( meta.secrets.nats_password ))
	router:
	status:
	user: router
	password: (( meta.secrets.router_status_password ))
	ccdb:
	roles:
	- name: ccadmin
	password: (( meta.secrets.cc_db_password ))
	uaadb:
	roles:
	- name: uaaadmin
	password: (( meta.secrets.uaa_db_password ))
	databases:
	roles:
	- name: ccadmin
	password: (( meta.secrets.cc_db_password ))
	- name: uaaadmin
	password: (( meta.secrets.uaa_db_password ))

	defaults:
	secret: c1oudc0w
	uaa_signing_key: \|
	...