Skip to content
/ controlplane-jump-azure Public

deploy Pivotal Control Plane and secure JumpHost for PCF automation

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

bottkars/controlplane-jump-azure

BranchesTags

Repository files navigation

controlplane-jump-azure

This Repo set´s up the a secure provisioned Jumphost to deploy "Control Plane" for Pivotal Platform Automation. This is a privately maintained Repo for testing and training and no official Pivotal Repo

in Addition to the Documentation, Azure KeyVault an System managed identities are used to Store Secrets and Credentials

You will need

  • An Azure Subscription
  • A Service Principal
  • A Pivotal Network Refresh Token
  • Access to Pivotal Automation Control Plane Components on Pivnet
  • local machine with azure az cli
  • a Hosted (Sub)domain for the DNS Zone for Control Plane ( e.g. Google Domain )
  • jq package

With this Guide you Create

  • a Key Vault
  • A JumpHost on Azure with Sytem Managed Identity to Access the Vault
  • An PCF Operations Manager
  • PCF Control Plane based on Control Plane Private Repo ( requires restricted access from PivNet )

This Repo will Provide

  • an Azure (nested) Arm Template to create a Linux JumpBox
  • assign System Managed Identities to the JumpHost

getting started

the next steps are to be performed on your local host

Prepare Azure Key Vault

use your existing or new key-vault to store secrets. The Template to deploy the JumpBox assumes that the Key-Vault is in the Same subscription but different ResourceGroup

create the KeyVault

set -u
AZURE_VAULT=<your vaultname, name must be unique for AZURE_VAULT.vault.azure.com>
VAULT_RG=<your Vault Resource Group>
AZURE_REGION=<azure location, e.g. westus, westeurope>
## Create RG to set your KeyVault
az group create --name ${VAULT_RG} --location ${AZURE_REGION}
## Create keyVault
az keyvault create --name ${AZURE_VAULT} --resource-group ${VAULT_RG} --location ${AZURE_REGION}

create SP and assign values to the vault secrets

## Set temporary Variables
PIVNET_UAA_TOKEN=<your pivnet refresh token>
SERVICE_PRINCIPAL=$(az ad sp create-for-rbac --name ServicePrincipalforControlPlane --output json)
## SET the Following Secrets from the temporary Variables
az keyvault secret set --vault-name ${AZURE_VAULT} \
--name "AZURECLIENTID" --value $(echo $SERVICE_PRINCIPAL | jq -r .appId) --output none
az keyvault secret set --vault-name ${AZURE_VAULT} \
--name "AZURETENANTID" --value $(echo $SERVICE_PRINCIPAL | jq -r .tenant) --output none
az keyvault secret set --vault-name ${AZURE_VAULT} \
--name "AZURECLIENTSECRET" --value $(echo $SERVICE_PRINCIPAL | jq -r .password) --output none
az keyvault secret set --vault-name ${AZURE_VAULT} \
--name "PIVNETUAATOKEN" --value ${PIVNET_UAA_TOKEN} --output none
## unset the temporary variables
unset SERVICE_PRINCIPAL

Prepare local env file

we will need local env file or a template parameter file variables to store names parameters used during deployment

example minimum .env file:

AZURE_VAULT=<your vault name>
VAULT_RG=<your vault rg>
IAAS=azure
JUMPBOX_RG=<your resource group for the jumpbox>
JUMPBOX_NAME=<your dns name for the jumpbox e.g. myccjumpbox>
ADMIN_USERNAME=<admin username for the jumpox>
ENV_NAME=control
ENV_SHORT_NAME=cckb
CONTROLPLANE_DOMAIN_NAME=<your domain, e.g. domain.com>
CONTROLPLANE_SUBDOMAIN_NAME=<your subdomain for control plane, e.g.control>
BRANCH=master # the version of controlplane-jump-azure to use

you might also add some optional Parameters to override default values:

CONTROLPLANE_AUTOPILOT=<TRUE or FALSE> to start automatic install of Control Plane from BosH Release
USE_SELF_CERTS=<TRUE or FALSE> set tu False to use Let´s Encrypt

source the env file with

source ~/.env

create ssh key for the jumpbox

ssh-keygen -t rsa -f ~/${JUMPBOX_NAME} -C ${ADMIN_USERNAME}

start deployment

image

validate all things

az group create --name ${JUMPBOX_RG} --location ${AZURE_REGION}
az group deployment validate --resource-group ${JUMPBOX_RG} \
    --template-uri https://raw.githubusercontent.com/bottkars/controlplane-jump-azure/$BRANCH/azuredeploy.json \
    --parameters \
    adminUsername=${ADMIN_USERNAME} \
    sshKeyData="$(cat ~/${JUMPBOX_NAME}.pub)" \
    JumphostDNSLabelPrefix=${JUMPBOX_NAME} \
    envName=${ENV_NAME} \
    envShortName=${ENV_SHORT_NAME} \
    CONTROLPLANEDomainName=${CONTROLPLANE_DOMAIN_NAME} \
    CONTROLPLANESubdomainName=${CONTROLPLANE_SUBDOMAIN_NAME} \
    keyVaultName=${AZURE_VAULT} \
    keyVaultRG=${VAULT_RG}

deploy all things using standard Parameters

az group create --name ${JUMPBOX_RG} --location ${AZURE_REGION}
az group deployment create --resource-group ${JUMPBOX_RG} \
    --template-uri https://raw.githubusercontent.com/bottkars/controlplane-jump-azure/$BRANCH/azuredeploy.json \
    --parameters \
    adminUsername=${ADMIN_USERNAME} \
    sshKeyData="$(cat ~/${JUMPBOX_NAME}.pub)" \
    JumphostDNSLabelPrefix=${JUMPBOX_NAME} \
    envName=${ENV_NAME} \
    envShortName=${ENV_SHORT_NAME} \
    CONTROLPLANEDomainName=${CONTROLPLANE_DOMAIN_NAME} \
    CONTROLPLANESubdomainName=${CONTROLPLANE_SUBDOMAIN_NAME} \
    keyVaultName=${AZURE_VAULT} \
    keyVaultRG=${VAULT_RG}

deploy all using custom Parameters

az group create --name ${JUMPBOX_RG} --location ${AZURE_REGION}
az group deployment create --resource-group ${JUMPBOX_RG} \
    --template-uri https://raw.githubusercontent.com/bottkars/controlplane-jump-azure/$BRANCH/azuredeploy.json \
    --parameters \
    adminUsername=${ADMIN_USERNAME} \
    sshKeyData="$(cat ~/${JUMPBOX_NAME}.pub)" \
    JumphostDNSLabelPrefix=${JUMPBOX_NAME} \
    envName=${ENV_NAME} \
    envShortName=${ENV_SHORT_NAME} \
    CONTROLPLANEDomainName=${CONTROLPLANE_DOMAIN_NAME} \
    CONTROLPLANESubdomainName=${CONTROLPLANE_SUBDOMAIN_NAME} \
    CONTROLPLANEAutopilot=${CONTROLPLANE_AUTOPILOT} \
    useSelfCerts=${USE_SELF_CERTS} \
    keyVaultName=${AZURE_VAULT} \
    keyVaultRG=${VAULT_RG}

after Provisioning finished

the base provisioning of the VM takes 5 to 10 Minutes on Azure. when provisioning is done, ssh into the Jumphost:

ssh -i ~/${JUMPBOX_NAME} ${ADMIN_USERNAME}@${JUMPBOX_NAME}.${AZURE_REGION}.cloudapp.azure.com

tail the installation log in the root directory

tail -f install.log

the log file will log the base provisioning once finisehd, the Opsman Bosh Director and Control Plane Installation Starts. the log will instruct you to

tail -f /home/bottkars/conductor/logs/om_init.sh.*.log

you will get login credential for you controlplane at the end of he log, or by using: from the jumphost

source .env.sh
eval "$(om --skip-ssl-validation --env om_meetup.env bosh-env --ssh-private-key opsman)"
credhub get -n $(credhub find | grep uaa_users_admin | awk '{print $3}')

clean/delete deployment

use this to delete the keyvault policy and remove all deployed resources

az keyvault delete-policy --name ${AZURE_VAULT} --object-id $(az vm identity show --resource-group ${JUMPBOX_RG} --name controlplanejumphost --query principalId --output tsv)
az group delete --name ${JUMPBOX_RG} --yes
az group delete --name ${ENV_NAME} --yes
ssh-keygen -R "${JUMPBOX_NAME}.${AZURE_REGION}.cloudapp.azure.com"

TBD

  • deployment script for control plane is in an early stage and does no error checkings
  • documentation
  • Azure Zones vs Aset Selector ( currently deployed in zones)
  • custom vm types

About

deploy Pivotal Control Plane and secure JumpHost for PCF automation

Topics

automation azure terraform pivotal controlplane keyvault msi pcf managed-identity pcf-automation

Resources

Readme
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages