role-manifest.yml
# Roles (instance groups) built from BOSH jobs. Indentation below is
# reconstructed; the nesting follows the key order of the original file.
instance_groups:
- name: nats # The name of the role
  jobs: # BOSH jobs this role will have
  - name: global-properties
    release: scf-helper
  - name: bpm
    release: bpm
  - name: nats
    release: nats # The name of the BOSH release this is from
    properties:
      bosh_containerization:
        run: # Runtime configuration
          scaling: # Auto-scaling limits
            min: 1
            max: 3
          # ALL requests every capability for the container; a narrower list
          # is preferable unless the job is known to need all of them.
          capabilities: [ALL]
          memory: 256 # Memory request for each instance (MB)
          virtual-cpus: 4 # CPU request for each instance
          ports:
          - name: nats
            protocol: TCP # TCP or UDP
            external: 4333 # Port visible outside the container
            internal: 4333 # Port inside the container
            public: true # Whether to expose to outside the cluster
          - name: nats-routes
            protocol: TCP
            internal: 4334
            public: false # Not exposed outside the cluster
  tags:
  - sequential-startup
- name: secret-generation
  type: bosh-task
  jobs:
  - name: generate-secrets
    release: scf-helper
    properties:
      bosh_containerization:
        run:
          scaling:
            min: 1
            max: 1
          flight-stage: pre-flight
          capabilities: [] # No extra capabilities requested
          memory: 256
          virtual-cpus: 1
          # Runs under the secret-generator account, which is bound to
          # secrets-role in the auth section (write access to Secrets).
          service-account: secret-generator
  # Role-level templates; each ((NAME)) placeholder is declared under
  # variables further down in this file.
  configuration:
    templates:
      properties.scf.secrets.cert_expiration: ((CERT_EXPIRATION))
      properties.scf.secrets.cluster_domain: ((KUBERNETES_CLUSTER_DOMAIN))
      properties.scf.secrets.domain: ((DOMAIN))
      properties.scf.secrets.generation: ((KUBE_SECRETS_GENERATION_COUNTER))
      properties.scf.secrets.is_install: ((HELM_IS_INSTALL))
      properties.scf.secrets.name: ((KUBE_SECRETS_GENERATION_NAME))
      properties.scf.secrets.namespace: ((KUBERNETES_NAMESPACE))
# Global property templates applied to every role. The outer single quotes
# keep the inner double quotes literal, so the rendered value is itself a
# quoted string. Most ((NAME)) placeholders are declared under variables
# below; DNS_RECORD_NAME and IP_ADDRESS are not declared there — presumably
# supplied at runtime, confirm against the consumer.
configuration:
  templates:
    networks.default.dns_record_name: '"((DNS_RECORD_NAME))"'
    networks.default.ip: '"((IP_ADDRESS))"'
    # Mixes a section tag ((#MY_CERT))…((/MY_CERT)) with plain placeholders;
    # looks like a fixture exercising the template syntax — verify intent.
    properties.diego.rep.cell_id: '"((#MY_CERT))((/MY_CERT))"((cacert))((cacert_KEY)) ((MY_CERT_KEY))'
    properties.fissile.monit.password: '"((MONIT_PASSWORD))"'
    properties.nats.password: '"((NATS_PASSWORD))"'
    properties.nats.user: '"((NATS_USER))"' # In BOSH templates, `p('nats.user')`
    # we just need a BOSH release variable to use those
# Kubernetes RBAC roles and the service accounts that receive them.
auth:
  roles:
    # Read/patch access needed by the container configuration step.
    configgin-role:
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - patch
    - apiGroups:
      - ""
      resources:
      - services
      verbs:
      - get
    - apiGroups:
      - apps
      resources:
      - statefulsets
      verbs:
      - get
    # Full write access, including delete, on Secrets and ConfigMaps.
    # Only the secret-generator account below is bound to this role.
    secrets-role:
    - apiGroups:
      - ""
      resources:
      - configmaps
      - secrets
      verbs:
      - create
      - get
      - list
      - patch
      - update
      - delete
  accounts:
    default:
      roles:
      - configgin-role
    secret-generator:
      roles:
      - configgin-role
      - secrets-role
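# Variables referenced by the ((NAME)) template placeholders above.
# Each key appears once per options map: duplicate keys are invalid YAML 1.2
# and most parsers silently keep the last value, which here would have
# replaced the cluster-domain and namespace descriptions with text copied
# from other variables.
variables:
- name: CERT_EXPIRATION
  options:
    description: Expiration for generated certificates (in days)
    default: 10950
- name: DOMAIN
  options:
    example: my-scf-cluster.com
    required: true
    description: Base domain of the SCF cluster.
- name: HELM_IS_INSTALL
  options:
    description: >
      This is an environment variable built-in by fissile.
      It's set directly from the Release.IsInstall Helm property.
    type: environment
- name: KUBERNETES_CLUSTER_DOMAIN
  options:
    description: >
      The cluster domain used by Kubernetes.
      If left empty, each container will try to determine the correct value based on /etc/resolv.conf
      You can read more about it in the Kubernetes Documentation https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
    example: cluster.local
    type: environment
    required: true
- name: KUBERNETES_NAMESPACE
  options:
    type: environment
    # No default: the description states the runtime supplies the value.
    description: >
      The name of the kubernetes namespace all components will run in.
      This parameter cannot be set by the user.
      Its value is supplied by the kubernetes runtime.
- name: KUBE_SECRETS_GENERATION_COUNTER
  options:
    type: environment
    description: >
      This is an environment variable built-in by fissile.
      It's automatically set to the kube.secrets_generation_counter Helm value, which controls secret rotation.
- name: KUBE_SECRETS_GENERATION_NAME
  options:
    description: >
      This is an environment variable built-in by fissile.
      Its default value is 'secret-1' and cannot be set by the user.
    type: environment
# Values marked secret: true are sensitive; they must not be committed with
# concrete values and are expected to be generated or injected at deploy time.
- name: MONIT_PASSWORD
  type: password
  options:
    description: Password for monit
    required: true
    secret: true
- name: MY_CERT
  type: certificate
  options:
    description: A certificate
    secret: true
- name: MY_CERT_KEY
  options:
    description: Entry for accessing the key part of MY_CERT
    type: environment
    secret: true
- name: NATS_PASSWORD
  type: password
  options:
    description: Password for NATS
    secret: true
    required: true
- name: NATS_USER
  options:
    description: User name for NATS
    required: true
    previous_names: [NATS_USR] # Older name still accepted for this variable
- name: cacert
  type: certificate
  options:
    description: The default CA for certificates
    is_ca: true
    secret: true
- name: cacert_KEY
  options:
    description: Entry for accessing the key part of cacert
    secret: true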