bottkars / controlplane-jump-azure

deploy Pivotal Control Plane and secure JumpHost for PCF automation

controlplane-jump-azure

This repo sets up a securely provisioned JumpHost to deploy the "Control Plane" for Pivotal Platform Automation. It is a privately maintained repo for testing and training, not an official Pivotal repo.

In addition to what the documentation describes, Azure Key Vault and system-assigned managed identities are used to store secrets and credentials, so no credentials have to be copied onto the JumpHost.

You will need

  • An Azure Subscription
  • A Service Principal
  • A Pivotal Network Refresh Token
  • Access to Pivotal Automation Control Plane Components on Pivnet
  • local machine with azure az cli
  • a Hosted (Sub)domain for the DNS Zone for Control Plane ( e.g. Google Domain )
  • jq package

With this Guide you Create

  • a Key Vault
  • A JumpHost on Azure with a System Managed Identity to access the Vault
  • A PCF Operations Manager
  • PCF Control Plane based on Control Plane Private Repo ( requires restricted access from PivNet )

This Repo will Provide

  • an Azure (nested) ARM template to create a Linux JumpBox
  • assign System Managed Identities to the JumpHost

getting started

The next steps are performed on your local host.

Prepare Azure Key Vault

Use an existing or a new Key Vault to store secrets. The template that deploys the JumpBox assumes the Key Vault is in the same subscription but in a different resource group.

create the KeyVault

set -u
AZURE_VAULT=<your vaultname, name must be unique for AZURE_VAULT.vault.azure.com>
VAULT_RG=<your Vault Resource Group>
AZURE_REGION=<azure location, e.g. westus, westeurope>
## Create RG to set your KeyVault
az group create --name ${VAULT_RG} --location ${AZURE_REGION}
## Create keyVault
az keyvault create --name ${AZURE_VAULT} --resource-group ${VAULT_RG} --location ${AZURE_REGION}

create the Service Principal and store its values as vault secrets

## Set temporary Variables
PIVNET_UAA_TOKEN=<your pivnet refresh token>
SERVICE_PRINCIPAL=$(az ad sp create-for-rbac --name ServicePrincipalforControlPlane --output json)
## SET the Following Secrets from the temporary Variables
## (values are quoted so a client secret containing shell metacharacters is stored intact)
az keyvault secret set --vault-name ${AZURE_VAULT} \
--name "AZURECLIENTID" --value "$(echo "${SERVICE_PRINCIPAL}" | jq -r .appId)" --output none
az keyvault secret set --vault-name ${AZURE_VAULT} \
--name "AZURETENANTID" --value "$(echo "${SERVICE_PRINCIPAL}" | jq -r .tenant)" --output none
az keyvault secret set --vault-name ${AZURE_VAULT} \
--name "AZURECLIENTSECRET" --value "$(echo "${SERVICE_PRINCIPAL}" | jq -r .password)" --output none
az keyvault secret set --vault-name ${AZURE_VAULT} \
--name "PIVNETUAATOKEN" --value "${PIVNET_UAA_TOKEN}" --output none
## unset the temporary variables so the secrets do not linger in the shell environment
unset SERVICE_PRINCIPAL PIVNET_UAA_TOKEN

Prepare local env file

We will need a local env file (or a template parameter file) to store the names and parameters used during deployment.

Example minimum .env file:

AZURE_VAULT=<your vault name>
VAULT_RG=<your vault rg>
AZURE_REGION=<azure location, e.g. westeurope; used by the az group create commands below>
IAAS=azure
JUMPBOX_RG=<your resource group for the jumpbox>
JUMPBOX_NAME=<your dns name for the jumpbox e.g. myccjumpbox>
ADMIN_USERNAME=<admin username for the jumpbox>
ENV_NAME=control
ENV_SHORT_NAME=cckb
CONTROLPLANE_DOMAIN_NAME=<your domain, e.g. domain.com>
CONTROLPLANE_SUBDOMAIN_NAME=<your subdomain for control plane, e.g. control>
BRANCH=master # the version of controlplane-jump-azure to use

You might also add some optional parameters to override default values:

CONTROLPLANE_AUTOPILOT=<TRUE or FALSE> # start the automatic install of Control Plane from the BOSH release
USE_SELF_CERTS=<TRUE or FALSE> # set to FALSE to use Let's Encrypt instead of self-signed certificates

source the env file with

source ~/.env

create ssh key for the jumpbox

ssh-keygen -t rsa -f ~/${JUMPBOX_NAME} -C ${ADMIN_USERNAME}
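Before running the validate/deploy commands that follow, it is worth checking the sourced .env once locally, because `set -u` only catches unset variables, not placeholders that were never edited, names Azure will reject, or a vault that is still missing one of the four secrets the jumphost later requests. The script below is an added example and not part of this repo; the file name `preflight.sh`, the function names, the `CHECK_VAULT` switch and the list of required variables are assumptions, while the Key Vault and DNS-label naming rules are Azure's own.

```shell
#!/usr/bin/env bash
# preflight.sh: hypothetical pre-deployment check, added as an example; it is not part of
# the controlplane-jump-azure repo. Run it after "source ~/.env" and before
# "az group deployment create". It only reads local state; the optional vault check
# is the one step that talks to Azure, and it is skipped when az is unavailable.
set -u

# Variables the validate/deploy commands in the README expand.
REQUIRED_VARS="AZURE_VAULT VAULT_RG AZURE_REGION JUMPBOX_RG JUMPBOX_NAME ADMIN_USERNAME ENV_NAME ENV_SHORT_NAME CONTROLPLANE_DOMAIN_NAME CONTROLPLANE_SUBDOMAIN_NAME BRANCH"

# Secrets the jumphost later reads from the vault through its managed identity.
REQUIRED_SECRETS="AZURECLIENTID AZURETENANTID AZURECLIENTSECRET PIVNETUAATOKEN"

# Set CHECK_VAULT=0 to skip the az call (e.g. when not logged in yet).
CHECK_VAULT="${CHECK_VAULT:-1}"

# Succeeds only if every variable named in $1 is set and non-empty; lists the rest on stderr.
check_required_vars() {
  missing=0
  for name in $1; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing or empty: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# Azure Key Vault naming rule: 3-24 chars, letters/digits/hyphens, starts with a letter,
# ends with a letter or digit, no consecutive hyphens.
valid_vault_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$' &&
    ! printf '%s' "$1" | grep -q -- '--'
}

# Azure public-IP DNS label (JumphostDNSLabelPrefix): ^[a-z][a-z0-9-]{1,61}[a-z0-9]$
valid_dns_label() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{1,61}[a-z0-9]$'
}

# True when a value still looks like an unedited <placeholder> from the README.
is_placeholder() {
  case "$1" in
    "<"*">") return 0 ;;
    *) return 1 ;;
  esac
}

# The template receives the public half of the key created with ssh-keygen.
ssh_pubkey_present() {
  [ -s "$1.pub" ]
}

# Confirms the vault already holds every secret the jumphost will request.
vault_has_secrets() {
  [ "$CHECK_VAULT" = "1" ] || return 0
  command -v az >/dev/null 2>&1 || { echo "az not installed, skipping vault check" >&2; return 0; }
  names=$(az keyvault secret list --vault-name "$1" --query '[].name' --output tsv) || return 1
  for secret in $REQUIRED_SECRETS; do
    printf '%s\n' "$names" | grep -qx "$secret" || { echo "vault $1 lacks secret $secret" >&2; return 1; }
  done
}

# Runs every check and reports all findings before failing, so one pass fixes them all.
preflight() {
  status=0
  check_required_vars "$REQUIRED_VARS" || status=1
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    if is_placeholder "$value"; then
      echo "placeholder not replaced: $name=$value" >&2
      status=1
    fi
  done
  valid_vault_name "${AZURE_VAULT:-}" || { echo "invalid Key Vault name: ${AZURE_VAULT:-}" >&2; status=1; }
  valid_dns_label "${JUMPBOX_NAME:-}" || { echo "invalid DNS label: ${JUMPBOX_NAME:-}" >&2; status=1; }
  ssh_pubkey_present "${HOME:-.}/${JUMPBOX_NAME:-}" || { echo "no ${HOME:-.}/${JUMPBOX_NAME:-}.pub; run ssh-keygen first" >&2; status=1; }
  if [ "$status" -eq 0 ]; then
    vault_has_secrets "$AZURE_VAULT" || status=1
  fi
  return $status
}

# Usage: source ~/.env && sh preflight.sh
if [ "$(basename -- "$0")" = "preflight.sh" ]; then
  preflight && echo "preflight OK: safe to run az group deployment create"
fi
```

The checks are deliberately collected rather than aborting on the first failure, so a single run lists every placeholder or malformed name; the vault check runs last and only when everything local is in order, because it is the only step that needs an `az login`.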

start deployment


validate all things

az group create --name ${JUMPBOX_RG} --location ${AZURE_REGION}
az group deployment validate --resource-group ${JUMPBOX_RG} \
    --template-uri https://raw.githubusercontent.com/bottkars/controlplane-jump-azure/$BRANCH/azuredeploy.json \
    --parameters \
    adminUsername=${ADMIN_USERNAME} \
    sshKeyData="$(cat ~/${JUMPBOX_NAME}.pub)" \
    JumphostDNSLabelPrefix=${JUMPBOX_NAME} \
    envName=${ENV_NAME} \
    envShortName=${ENV_SHORT_NAME} \
    CONTROLPLANEDomainName=${CONTROLPLANE_DOMAIN_NAME} \
    CONTROLPLANESubdomainName=${CONTROLPLANE_SUBDOMAIN_NAME} \
    keyVaultName=${AZURE_VAULT} \
    keyVaultRG=${VAULT_RG}

deploy all things using standard Parameters

az group create --name ${JUMPBOX_RG} --location ${AZURE_REGION}
az group deployment create --resource-group ${JUMPBOX_RG} \
    --template-uri https://raw.githubusercontent.com/bottkars/controlplane-jump-azure/$BRANCH/azuredeploy.json \
    --parameters \
    adminUsername=${ADMIN_USERNAME} \
    sshKeyData="$(cat ~/${JUMPBOX_NAME}.pub)" \
    JumphostDNSLabelPrefix=${JUMPBOX_NAME} \
    envName=${ENV_NAME} \
    envShortName=${ENV_SHORT_NAME} \
    CONTROLPLANEDomainName=${CONTROLPLANE_DOMAIN_NAME} \
    CONTROLPLANESubdomainName=${CONTROLPLANE_SUBDOMAIN_NAME} \
    keyVaultName=${AZURE_VAULT} \
    keyVaultRG=${VAULT_RG}

deploy all using custom Parameters

az group create --name ${JUMPBOX_RG} --location ${AZURE_REGION}
az group deployment create --resource-group ${JUMPBOX_RG} \
    --template-uri https://raw.githubusercontent.com/bottkars/controlplane-jump-azure/$BRANCH/azuredeploy.json \
    --parameters \
    adminUsername=${ADMIN_USERNAME} \
    sshKeyData="$(cat ~/${JUMPBOX_NAME}.pub)" \
    JumphostDNSLabelPrefix=${JUMPBOX_NAME} \
    envName=${ENV_NAME} \
    envShortName=${ENV_SHORT_NAME} \
    CONTROLPLANEDomainName=${CONTROLPLANE_DOMAIN_NAME} \
    CONTROLPLANESubdomainName=${CONTROLPLANE_SUBDOMAIN_NAME} \
    CONTROLPLANEAutopilot=${CONTROLPLANE_AUTOPILOT} \
    useSelfCerts=${USE_SELF_CERTS} \
    keyVaultName=${AZURE_VAULT} \
    keyVaultRG=${VAULT_RG}

after Provisioning finished

The base provisioning of the VM takes 5 to 10 minutes on Azure. When provisioning is done, ssh into the JumpHost:

ssh -i ~/${JUMPBOX_NAME} ${ADMIN_USERNAME}@${JUMPBOX_NAME}.${AZURE_REGION}.cloudapp.azure.com

tail the installation log in the root directory

tail -f install.log

The log file records the base provisioning; once that has finished, the Ops Manager, BOSH Director and Control Plane installation starts. The log will then instruct you to run:

tail -f /home/bottkars/conductor/logs/om_init.sh.*.log

You will get the login credentials for your Control Plane at the end of the log, or from the jumphost by running:

source .env.sh
eval "$(om --skip-ssl-validation --env om_meetup.env bosh-env --ssh-private-key opsman)"
credhub get -n $(credhub find | grep uaa_users_admin | awk '{print $3}')

clean/delete deployment

Use this to delete the Key Vault access policy of the jumphost's managed identity and remove all deployed resources:

az keyvault delete-policy --name ${AZURE_VAULT} --object-id "$(az vm identity show --resource-group ${JUMPBOX_RG} --name controlplanejumphost --query principalId --output tsv)"
az group delete --name ${JUMPBOX_RG} --yes
az group delete --name ${ENV_NAME} --yes
ssh-keygen -R "${JUMPBOX_NAME}.${AZURE_REGION}.cloudapp.azure.com"

TBD

  • deployment script for control plane is in an early stage and does no error checking
  • documentation
  • Azure Zones vs Availability Set selector ( currently deployed in zones )
  • custom vm types


controlplane-jump-azure's Issues

add minio support

  1. test minio from bosh release
     • minio fs mode
     • minio distributed mode
  2. Add Minio
     • add minio from bosh release

Azure blobstore resource

Use azure blobstore resource for concourse

Investigate impacts on platform automation

Optional deployable from template

Zone Mapper

  • evaluate SKUs for VM types in Zones
  • set automated Zones per Job
