Merge pull request #3129 from cloudfoundry/autoscaler-775/enable-post…

…gres-ssl autoscaler 775/enable postgres ssl
cloudfoundry · Aug 16, 2024 · f1d305c · f1d305c
2 parents 4392a7b + 5b35050
commit f1d305c
Show file tree

Hide file tree

Showing 9 changed files with 169 additions and 83 deletions.
diff --git a/ci/autoscaler/pipeline.yml b/ci/autoscaler/pipeline.yml
@@ -31,10 +31,8 @@ anchors:
       operations/set-release-version.yml
       operations/enable-metricsforwarder-via-syslog-agent.yml
       operations/enable-scheduler-logging.yml
-      operations/disable-postgres-tls-config.yml
       operations/use-cf-services.yml
 
-
   app-autoscaler-ops-files-upgrade: &app-autoscaler-ops-files-upgrade
     OPS_FILES: |
       operations/add-releases.yml

diff --git a/ci/autoscaler/scripts/common.sh b/ci/autoscaler/scripts/common.sh
@@ -95,7 +95,7 @@ function unset_vars() {
 
 function find_or_create_org(){
   local org_name="$1"
-  if ! cf orgs | grep --quiet --regexp="${org_name}"; then
+  if ! cf orgs | grep --quiet --regexp="^${org_name}$"; then
     cf create-org "${org_name}"
   fi
   echo "targeting org ${org_name}"
@@ -104,7 +104,7 @@ function find_or_create_org(){
 
 function find_or_create_space(){
   local space_name="$1"
-  if ! cf spaces | grep --quiet --regexp="${space_name}"; then
+  if ! cf spaces | grep --quiet --regexp="^${space_name}$"; then
     cf create-space "${space_name}"
   fi
   echo "targeting space ${space_name}"

diff --git a/ci/autoscaler/scripts/deploy-autoscaler.sh b/ci/autoscaler/scripts/deploy-autoscaler.sh
@@ -88,7 +88,12 @@ function create_manifest(){
       -v system_domain="${system_domain}" \
       -v deployment_name="${deployment_name}" \
       -v app_autoscaler_version="${bosh_release_version}" \
-      -v admin_password="$(credhub get -n /bosh-autoscaler/cf/cf_admin_password -q)" \
+      -v admin_password="$(credhub get -n /bosh-autoscaler/cf/cf_admin_password -q)"\
+      -v routing_api_ca_certs="$(credhub get -n /bosh-autoscaler/cf/router_ssl --key ca --quiet)"\
+      -v routing_api_client_secret="$(credhub get -n /bosh-autoscaler/cf/uaa_clients_routing_api_client_secret --quiet)"\
+      -v routing_api_tls_client_cert="$(credhub get -n /bosh-autoscaler/cf/routing_api_tls_client --key certificate --quiet)"\
+      -v routing_api_tls_client_private_key="$(credhub get -n /bosh-autoscaler/cf/routing_api_tls_client --key private_key --quiet)"\
+      -v routing_api_server_ca_cert="$(credhub get -n /bosh-autoscaler/cf/router_ssl --key ca --quiet)"\
       -v cf_client_id=autoscaler_client_id \
       -v cf_client_secret=autoscaler_client_secret \
       -v log_cache_syslog_tls_ca="$(credhub get -n /bosh-autoscaler/cf/log_cache_syslog_tls --key ca --quiet)"\

diff --git a/ci/autoscaler/set-pipeline.sh b/ci/autoscaler/set-pipeline.sh
@@ -83,7 +83,6 @@ function main(){
       export PIPELINE_NAME="app-autoscaler-release-${current_branch_without_slashes}"
       set_pipeline "$PIPELINE_NAME"
       pause_jobs "$PIPELINE_NAME"
-      unpause_job "$PIPELINE_NAME/set-pipeline"
     fi
 
   popd > /dev/null

diff --git a/devbox.json b/devbox.json
@@ -39,7 +39,8 @@
     "swagger-cli":                                "latest",
     "temurin-bin-17":                             "latest",
     "which":                                      "latest",
-    "yq-go":                             "4.44.2"
+    "yq-go":                             "4.44.2",
+    "postgresql":                        "latest"
   },
   "shell": {
     "init_hook": [

diff --git a/devbox.lock b/devbox.lock
@@ -1386,6 +1386,115 @@
         }
       }
     },
+    "postgresql@latest": {
+      "last_modified": "2024-08-02T23:16:43Z",
+      "plugin_version": "0.0.2",
+      "resolved": "github:NixOS/nixpkgs/81610abc161d4021b29199aa464d6a1a521e0cc9#postgresql",
+      "source": "devbox-search",
+      "version": "15.7",
+      "systems": {
+        "aarch64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/j063gkab0kj312p0r5wlwh8hhs3ivmmv-postgresql-15.7",
+              "default": true
+            },
+            {
+              "name": "man",
+              "path": "/nix/store/83zyb6qnvn85ilfb4g03yr8zjnc4kw5c-postgresql-15.7-man",
+              "default": true
+            },
+            {
+              "name": "doc",
+              "path": "/nix/store/w98l40gkbw15cxjajs9wr9aaz1zqq8pv-postgresql-15.7-doc"
+            },
+            {
+              "name": "lib",
+              "path": "/nix/store/2lqmjj3nwingqsajwgwym4jjl1plqrxd-postgresql-15.7-lib"
+            }
+          ],
+          "store_path": "/nix/store/j063gkab0kj312p0r5wlwh8hhs3ivmmv-postgresql-15.7"
+        },
+        "aarch64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/bm08f8k2gyndfq1mszvdm07jnmwr6nlf-postgresql-15.7",
+              "default": true
+            },
+            {
+              "name": "man",
+              "path": "/nix/store/yd6qvs38zm55271230hfn4j0rd4029ca-postgresql-15.7-man",
+              "default": true
+            },
+            {
+              "name": "debug",
+              "path": "/nix/store/m8kdahlx418v1x8pvbjja5zbl8ix4hff-postgresql-15.7-debug"
+            },
+            {
+              "name": "doc",
+              "path": "/nix/store/nw2ng4sh1vzih1rrfzlivd2c7ifh9zm2-postgresql-15.7-doc"
+            },
+            {
+              "name": "lib",
+              "path": "/nix/store/fvs07mhcygpwy41jhw34kq7ghlcnv4nf-postgresql-15.7-lib"
+            }
+          ],
+          "store_path": "/nix/store/bm08f8k2gyndfq1mszvdm07jnmwr6nlf-postgresql-15.7"
+        },
+        "x86_64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/qvhjnll3n3d1va7rxlh1yd348gqwy4v1-postgresql-15.7",
+              "default": true
+            },
+            {
+              "name": "man",
+              "path": "/nix/store/5mmzk97ppd9b6m2239b4xkwc853116mf-postgresql-15.7-man",
+              "default": true
+            },
+            {
+              "name": "doc",
+              "path": "/nix/store/jwp1aqs6fkbygfg9gpcx99lhc2dlalgc-postgresql-15.7-doc"
+            },
+            {
+              "name": "lib",
+              "path": "/nix/store/sngcqjdypd1bwxz6rs3hwy8jbjb9k690-postgresql-15.7-lib"
+            }
+          ],
+          "store_path": "/nix/store/qvhjnll3n3d1va7rxlh1yd348gqwy4v1-postgresql-15.7"
+        },
+        "x86_64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/8gr5ybhmdkafii5idcg57p66nk1qd6sf-postgresql-15.7",
+              "default": true
+            },
+            {
+              "name": "man",
+              "path": "/nix/store/0j6lskwq3imd8gdwy5rz9sjmn3c41qbc-postgresql-15.7-man",
+              "default": true
+            },
+            {
+              "name": "doc",
+              "path": "/nix/store/01snq9n6ka7zkb4dp7k639mbb5p0v5qi-postgresql-15.7-doc"
+            },
+            {
+              "name": "lib",
+              "path": "/nix/store/9xj29q1wf5wazv63hn5dxlwsp8k3h5lc-postgresql-15.7-lib"
+            },
+            {
+              "name": "debug",
+              "path": "/nix/store/xw1fhj72fzrlkvapaf1spx19ixqm7394-postgresql-15.7-debug"
+            }
+          ],
+          "store_path": "/nix/store/8gr5ybhmdkafii5idcg57p66nk1qd6sf-postgresql-15.7"
+        }
+      }
+    },
     "pre-commit@latest": {
       "last_modified": "2024-08-01T02:09:53Z",
       "resolved": "github:NixOS/nixpkgs/799bc8d7b16e6779f0105713e6794899133c4a38#pre-commit",

diff --git a/operations/disable-postgres-tls-config.yml b/operations/disable-postgres-tls-config.yml
diff --git a/operations/use-cf-services.yml b/operations/use-cf-services.yml
@@ -8,3 +8,48 @@
 - type: replace
   path: /instance_groups/name=metricsforwarder/jobs/name=route_registrar/properties/route_registrar/routes/name=autoscaler_metricsforwarder_health/port
   value: 6201
+
+  ## add router tcp route for postgres
+- type: replace
+  path: /instance_groups/name=postgres/jobs/-
+  value:
+    name: route_registrar
+    release: routing
+    consumes:
+      nats-tls: { from: nats-tls, deployment: cf }
+    properties:
+      nats:
+        tls:
+          enabled: true
+          client_cert: ((/bosh-autoscaler/cf/nats_client_cert.certificate))
+          client_key: ((/bosh-autoscaler/cf/nats_client_cert.private_key))
+      route_registrar:
+        routing_api:
+          ca_certs:
+          - ((!routing_api_ca_certs))
+          client_cert: ((!routing_api_tls_client_cert))
+          client_secret: ((routing_api_client_secret))
+          client_private_key: ((!routing_api_tls_client_private_key))
+          server_ca_cert: ((!routing_api_server_ca_cert))
+          api_url: "https://api.((system_domain)):443"
+          oauth_url: "https://uaa.((system_domain)):443"
+        routes:
+          - name: autoscaler_postgres
+            registration_interval: 20s
+            port: 5432
+            external_port: 5432
+            type: tcp
+            router_group: default-tcp
+            tags:
+              component: autoscaler_postgres
+            uris:
+              - ((deployment_name))-postgres.tcp.((system_domain))
+
+
+- type: replace
+  path: /variables/name=postgres_server/options/alternative_names/-
+  value: ((deployment_name))-postgres.tcp.((system_domain))
+
+- type: replace
+  path: /variables/name=postgres_client/options/alternative_names/-
+  value: ((deployment_name))-postgres.tcp.((system_domain))
diff --git a/src/autoscaler/metricsforwarder/Makefile b/src/autoscaler/metricsforwarder/Makefile
@@ -1,18 +1,17 @@
 PR_NUMBER ?= $(shell gh pr view --json number --jq '.number')
 DEPLOYMENT_NAME ?= autoscaler-$(PR_NUMBER)
+SYSTEM_DOMAIN ?=autoscaler.app-runtime-interfaces.ci.cloudfoundry.org
 METIRCSFORWARDER_VM := $(shell bosh -d $(DEPLOYMENT_NAME) vms --json | jq '.Tables | .[] | .Rows | .[] | select(.instance|test("metricsforwarder")) | .instance')
-POSTGRES_IP := $(shell bosh -d ${DEPLOYMENT_NAME} vms --json | jq -r '.Tables | .[] | .Rows  | .[] | select(.instance|test("postgres")) | .ips' )
+POSTGRES_ADDRESS := $(DEPLOYMENT_NAME)-postgres.tcp.$(SYSTEM_DOMAIN)
 LOG_CACHE_IP := $(shell bosh -d cf vms --json | jq -r '.Tables | .[] | .Rows  | .[] | select(.instance|test("log-cache")) | .ips' )
 MAKEFILE_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
 
-
-
 .PHONY: fetch-config
 fetch-config: start-metricsforwarder-vm
 	# how to define variables in deployment name
 	mkdir -p build/assets/certs/policy_db build/assets/certs/storedprocedure_db build/assets/certs/syslog_client
 
-	echo "POSTGRES IP: $(POSTGRES_IP)"
+	echo "POSTGRES ADDRESS: $(POSTGRES_ADDRESS)"
 	echo "LOG_CACHE IP: $(LOG_CACHE_IP)"
 
 	@echo "Pulling metricforwarder config from $(METIRCSFORWARDER_VM)..."
@@ -37,7 +36,8 @@ fetch-config: start-metricsforwarder-vm
 	cp build/assets/metricsforwarder.yml build/metricsforwarder.yml
 
 	sed -i'' -e 's|\/var\/vcap\/jobs\/metricsforwarder\/config|\/home\/vcap\/app/assets|g' build/metricsforwarder.yml
-	sed -i'' -e 's|$(DEPLOYMENT_NAME).autoscalerpostgres.service.cf.internal|$(POSTGRES_IP)|g' build/metricsforwarder.yml
+	sed -i'' -e 's|$(DEPLOYMENT_NAME).autoscalerpostgres.service.cf.internal|$(POSTGRES_ADDRESS)|g' build/metricsforwarder.yml
+
 
 
 PHONY: set-security-group