Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time
Jun 25, 2021
Mar 7, 2017
Mar 7, 2017


This repository is intended to serve as a reference and starting point for developer-friendly configuration of the Bosh Director. Consume the master branch. Any changes should be made against the develop branch (it will be automatically promoted once it passes tests).

Important notice for users of bosh-deployment and Bosh DNS versions older than 1.28

As of Bosh DNS version 1.28, Bosh DNS is now built with Go 1.15. This version of Go demands that TLS certificates be created with a SAN field, in addition to the usual CN field.

The following certificates are affected by this change and will need to be regenerated:

  • /dns_healthcheck_server_tls
  • /dns_healthcheck_client_tls
  • /dns_api_server_tls
  • /dns_api_client_tls

If you're using Credhub or another external variable store, then you will need to use update_mode: converge as documented here:
If you are not using Credhub or another external variable store, then you will need to follow the usual procedure for regenerating your certificates.

Jammy stemcells

We deploy using Jammy stemcells; however, if you would prefer to use the Bionic stemcells, append the ops files [IAAS]/use-bionic.yml and misc/source-releases/bosh.yml after the ops file [IAAS]/cpi.yml.

How is bosh-deployment updated?

An automatic process updates Bosh, and other releases within bosh-deployment

  1. A new release of bosh is created.
  2. A CI pipeline updates bosh-deployment on develop with a compiled bosh release.
  3. Smoke tests are performed to ensure create-env works with this potential collection of resources and the new release.
  4. A commit to master is made.

Other releases such as UAA, CredHub, and various CPIs are also updated automatically.

Using bosh-deployment

Ops files

  • bosh.yml: Base manifest that is meant to be used with different CPI configurations
  • [alicloud|aws|azure|docker|gcp|openstack|softlayer|vcloud|vsphere|virtualbox]/cpi.yml: CPI configuration
  • [alicloud|aws|azure|docker|gcp|openstack|softlayer|vcloud|vsphere|virtualbox]/cloud-config.yml: Simple cloud configs
  • [alicloud|aws|azure|docker|gcp|openstack|vcloud|virtualbox|vsphere|warden]/use-bionic.yml: use Bionic stemcell instead of Jammy stemcell
  • jumpbox-user.yml: Adds user jumpbox for SSH-ing into the Director (see Jumpbox User)
  • uaa.yml: Deploys UAA and enables UAA user management in the Director
  • credhub.yml: Deploys CredHub and enables CredHub integration in the Director
  • bosh-lite.yml: Configures Director to use Garden CPI within the Director VM (see BOSH Lite)
  • syslog.yml: Configures syslog to forward logs to some destination
  • local-dns.yml: Enables Director DNS beta functionality
  • misc/config-server.yml: Deploys config-server (see credhub.yml)
  • misc/proxy.yml: Configure HTTP proxy for Director and CPI
  • runtime-configs/syslog.yml: Runtime config to enable syslog forwarding

See tests/ for example usage of different ops files.

Security Groups

Please ensure you have security groups setup correctly. i.e:

Type                 Protocol Port Range  Source                     Purpose
SSH                  TCP      22          <IP you run bosh CLI from> SSH (if Registry is used)
Custom TCP Rule      TCP      6868        <IP you run bosh CLI from> Agent for bootstrapping
Custom TCP Rule      TCP      25555       <IP you run bosh CLI from> Director API
Custom TCP Rule      TCP      8443        <IP you run bosh CLI from> UAA API (if UAA is used)
Custom TCP Rule      TCP      8844        <IP you run bosh CLI from> CredHub API (if CredHub is used)
SSH                  TCP      22          <((internal_cidr))>        BOSH SSH (optional)
Custom TCP Rule      TCP      4222        <((internal_cidr))>        NATS
Custom TCP Rule      TCP      25250       <((internal_cidr))>        Blobstore
Custom TCP Rule      TCP      25777       <((internal_cidr))>        Registry if enabled


Collection of BOSH manifests referenced by cloudfoundry/docs-bosh



Security policy





No releases published


No packages published