forked from cloudfoundry/cf-for-k8s
-
Notifications
You must be signed in to change notification settings - Fork 0
/
sample-cf-install-values.yml
139 lines (119 loc) · 5.05 KB
/
sample-cf-install-values.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
#@data/values
---
#! Used by any component that has an external interface. It is used for traffic to system components of CF.
#! - usually you'll want to configure a DNS entry for *.<system_domain> to point to the cluster's external load balancer
system_domain: system.cf.example.com
#! The root domains used for apps that are pushed to CF.
#! - you can use the same domain for system and apps if desired
app_domains:
#@overlay/append
- apps.cf.example.com
#! The password for the CF "admin" user.
#! - operators can use the admin user to test `cf push`
cf_admin_password: cfadminpassword
#! The blobstore secret key shared between CAPI and the blobstore.
cf_blobstore:
secret_key: the_blobstore_secret_key
#! The admin password for operators to access the database.
cf_db:
admin_password: the_cf_dbadmin_password
#! The db password shared between CAPI and the database.
capi:
kpack_watcher_client_secret: uaa_capi_kpack_watcher_client_credentials
cc_username_lookup_client_secret: uaa_cloud_controller_lookup_client_credentials
database:
password: ccdb_password
#! Notes about X.509 certificates:
#! - the certificates and keys are base64 encoded
#! - all of the certs should have KeyUsage that includes server and client authentication
#! certificate, private key, and certificate authority used to identify the CF installation (i.e. the ingress gateway).
#! - should be valid for *.system.cf.example.com
system_certificate:
crt: ingress_gateway_certificate
key: ingress_gateway_private_key
ca: ingress_gateway_certificate_ca
#! certificate, private key, and certificate authority used to identify the CF installation (i.e. the ingress gateway).
#! - should be valid for *.apps.cf.example.com
#! - may be the system cert, as long as the system cert is valid for the apps domain as well
workloads_certificate:
crt: workload_certificate
key: workload_private_key
ca: workload_certificate_ca
#! certificate, private key, and certificate authority used internally within the CF installation (i.e. cf-system.svc.cluster.local).
#! - should be valid for *.cf-system.svc.cluster.local
internal_certificate:
crt: &crt internal_certificate
key: &key internal_private_key
ca: internal_certificate_ca
#! Log Cache CA certificate and private key
#! - the common name needs to be log-cache-ca
log_cache_ca:
crt: log_cache_ca_certificate
key: log_cache_ca_private_key
#! Certificate and private key for the Log Cache server
#! - these are used for both server and client mTLS interactions within Log Cache
#! - the common name needs to be log-cache
log_cache:
crt: log_cache_certificate
key: log_cache_private_key
#! Certificate and private key for the metrics component of Log Cache
#! - these are used for both server and client mTLS interactions within Log Cache
#! - the common name needs to be log-cache-metrics
log_cache_metrics:
crt: log_cache_metrics_certificate
key: log_cache_metrics_private_key
#! Certificate and private key for the gateway component of Log Cache
#! - these are used for both server and client mTLS interactions within Log Cache
#! - the common name needs to be log-cache-gateway
#! - the alternative_names list should include localhost
log_cache_gateway:
crt: log_cache_gateway_certificate
key: log_cache_gateway_private_key
#! Certificate and private key for the syslog component of Log Cache
#! - these are used for both server and client mTLS interactions within Log Cache
#! - the common name needs to be log-cache-syslog
log_cache_syslog:
crt: log_cache_syslog_certificate
key: log_cache_syslog_private_key
metric_proxy:
ca:
crt: *crt
key: *key
cert:
#! This certificate should be valid for metric-proxy.cf-system.svc.cluster.local
crt: *crt
key: *key
uaa:
database:
#! The db password shared between UAA and the database.
password: uaadb_password
#! The secret used for the UAA admin client.
admin_client_secret: uaaadminclientsecret
#! JWT policy configuration
jwt_policy:
#! This private key should NOT be base64 encoded
signing_key: jwt_policy_signing_key
#! Encyption key for encrypting data stored in the database
encryption_key:
passphrase: encryption_key_passphrase
#! To push apps from source code, you need to configure the `app_registry` block
#! Example below is for docker hub. For other registry examples, see below.
app_registry:
hostname: https://index.docker.io/v1/
#! often times this is just your `docker_user`
repository_prefix: <docker_hub_repository>
username: <docker_user>
password: <docker_password>
#! example below is for a Google container registry. Make sure to remove other registry blocks if you intend to use GCR
#! app_registry:
#! hostname: gcr.io
#! repository_prefix: <gcr.io/gcp_project_id/cf-workloads>
#! username: _json_key
#! password: |
#! contents_of_service_account_json
#! example below is for a Azure container registry. Make sure to remove other registry blocks if you intend to use ACR
#! app_registry:
#! hostname: <registry-name>.azurecr.io
#! repository_prefix: <registry-name>.azurecr.io
#! username: <username>
#! password: <password>