Skip to content

Latest commit

 

History

History
497 lines (396 loc) · 16.8 KB

README.md

File metadata and controls

497 lines (396 loc) · 16.8 KB

DEPRECATED Commands

Configuration Commands

Global Config

There is global configuration that is managed in cf-mgmt.yml. The following options exist in that configuration.

enable-delete-isolation-segments: false #true/false
enable-unassign-security-groups: false #true/false
running-security-groups: # array of security groups to apply to running
- all_access
- public_networks
- dns
- load_balancer
staging-security-groups: # array of security groups to apply to staging
- all_access
- public_networks
- dns
shared-domains: # map of shared domains and their configuration 1.0.12+
  dev.cfdev.sh: #shared domain name
    internal: false
  dev.cfdev.sh.tcp: #shared domain name
    internal: false
    router-group: default-tcp #router group to associate with domain
enable-remove-shared-domains: true #true/false

enable-service-access: true #true/false

# added in v1.0.31
ignore-legacy-service-access: false #true/false will ignore any service access in orgConfig.yml files
# added in v1.0.31
service-access:
- broker: dedicated-mysql-broker
  services:
  - service: p.mysql
    all_access_plans: # db-small plan is available to all orgs
    - db-small
    # limited_access_plans:# db-medium is only available to cfdev-org as well as any org that is in `protected` orgs list
    - plan: db-medium
      orgs:
      - cfdev-org
    no_access_plans: # disables db-large plan for all orgs
    - db-large
- broker: rabbitmq-odb
  services:
  - service: p.rabbitmq
    all_access_plans:
    - single-node-3.7
- broker: p-rabbitmq
  services:
  - service: p-rabbitmq
    all_access_plans:
    - standard

# added in 1.0.38+ adds ability to have a list of user(s) or patterns to exclude from removal. Uses re2 syntax: https://github.com/google/re2/wiki/Syntax
protected-users:
- ci_cd_user
- abcd_123_*

Org Configuration

There is a orgs.yml that contains list of orgs that will be created. This should have a corresponding folder with name of the orgs cf-mgmt is managing. orgs.yml also can be configured with a list of protected orgs which would never be deleted when using the the delete-orgs command. An example of how orgs.yml could be configured is seen below.

orgs:
- foo-org
- bar-org
# added in 0.0.63+ which will remove orgs not configured in cf-mgmt
enable-delete-orgs: true
# added in 0.0.63+ which allows configuration of orgs to 'ignore'. Uses re2 syntax: https://github.com/google/re2/wiki/Syntax
protected_orgs:
- ^system$ # will match only system
- system   # will match system at any place within the org name. For example: my-system-org will be protected.
- ^p-      # matches any org beginning with "p-" and any characters following

This will contain a orgConfig.yml and folder for each space. Each orgConfig.yml consists of the following.

# org name
org: test

# added in 1.0.9+ to allow renaming orgs
original-org: foo

org-billingmanager:
  # list of ldap users that will be created in cf and given billing manager role
  ldap_users:
    - cwashburn1
    - cwashburn2

  # list of users that would be given billing manager role (must already be a user created via cf create-user)
  users:
    - [email protected]
    - [email protected]


  # ldap group that contains users that will be added to cf and given billing manager role
  ldap_group: test_billing_managers

  # added in 0.0.62+ which will allow configuration of a list of groups works with ldap_group
  ldap_groups:
    - test_billing_managers_2

  # Added in this Rabobank version of cf-mgmt
  aad_groups:
    - test_billing_managers_2

  # added in 0.0.66+ which will allow configuration of a list of saml user email addresses
  saml_users:
    - [email protected]
    - [email protected]
org-manager:
  # list of ldap users that will be created in cf and given org manager role
  ldap_users:
    - cwashburn1
    - cwashburn2

  # list of users that would be given org manager role (must already be a user created via cf create-user)
  users:
    - [email protected]
    - [email protected]

  # ldap group that contains users that will be added to cf and given org manager role
  ldap_group: test_org_managers

  # added in 0.0.62+ which will allow configuration of a list of groups works with ldap_group
  ldap_groups:
    - test_org_managers_2

  # Added in this Rabobank version of cf-mgmt
  aad_groups:
    - test_org_managers_2

  # added in 0.0.66+ which will allow configuration of a list of saml user email addresses
  saml_users:
    - [email protected]
    - [email protected]
org-auditor:
  # list of ldap users that will be created in cf and given org manager role
  ldap_users:
    - cwashburn1
    - cwashburn2

  # list of users that would be given org auditor role (must already be a user created via cf create-user)
  users:
    - [email protected]
    - [email protected]

  # ldap group that contains users that will be added to cf and given org auditor role
  ldap_group: test_org_auditors

  # added in 0.0.62+ which will allow configuration of a list of groups works with ldap_group
  ldap_groups:
    - test_org_auditors_2

  # Added in this Rabobank version of cf-mgmt
  aad_groups:
    - test_org_auditors_2

  # added in 0.0.66+ which will allow configuration of a list of saml user email addresses
  saml_users:
    - [email protected]
    - [email protected]
# if you wish to enable custom org quotas
enable-org-quota: true
# 10 GB limit
memory-limit: 10240
# unlimited
instance-memory-limit: -1
total-routes: 10
# unlimited
total-services: -1
paid-service-plans-allowed: true

# added in 0.0.48+ which will remove users from roles if not configured in cf-mgmt
enable-remove-users: true/false

# added in 0.0.64+ which will remove users from roles if not configured in cf-mgmt
private-domains: ["test.com", "test2.com"]
enable-remove-private-domains: true/false

# added in 1.0.12+ allows specifying a named quota, cannot be used with enable-org-quota
named_quota:

# added in 1.0.26+ allows adding metadata to orgs and spaces (requires cf v3 3.66.0 or greater)
metadata:
  labels:
    foo: bar
  annotations:
    hello: world

Space Configuration

There will be a spaces.yml that will list all the spaces for each org. There will also be a folder for each space with the same name. Each folder will contain a spaceConfig.yml and security-group.json file with an empty json file.

Each spaceConfig.yml will have the following configuration options:

  • allow ssh at space level
  • map ldap group names to SpaceDeveloper, SpaceManager, SpaceAuditor role
  • setup quotas at a space level (if enabled)
  • apply application security group config at space level (if enabled)
# org that is space belongs to
org: test

# space name
space: space1

# added in 1.0.9+ to allow renaming spaces
original-space: old-space1

# if cf ssh is allowed for space
allow-ssh: yes

# to temporarily grant ssh access added in 1.0.13+, use cf-mgmt-config to specify time as field needs to be in RFC3339 format
allow-ssh-until: "2019-01-13T18:09:16-07:00"

space-manager:
  # list of ldap users that will be created in cf and given space manager role
  ldap_users:
    - cwashburn1
    - cwashburn2

  # list of users that would be given space manager role (must already be a user created via cf create-user)
  users:
    - [email protected]
    - [email protected]

  # ldap group that contains users that will be added to cf and given space manager role
  ldap_group: test_space1_managers

  # added in 0.0.62+ which will allow configuration of a list of groups works with ldap_group
  ldap_groups:
    - test_space1_managers_2

  # Added in this Rabobank version of cf-mgmt
  aad_groups:
    - test_space1_managers_2

  # added in 0.0.66+ which will allow configuration of a list of saml user email addresses
  saml_users:
    - [email protected]
    - [email protected]
space-auditor:
  # list of ldap users that will be created in cf and given space auditor role
  ldap_users:
    - cwashburn1
    - cwashburn2

  # list of users that would be given space auditor role (must already be a user created via cf create-user)
  users:
    - [email protected]
    - [email protected]

  # ldap group that contains users that will be added to cf and given space auditor role
  ldap_group: test_space1_auditors

  # added in 0.0.62+ which will allow configuration of a list of groups works with ldap_group
  ldap_groups:
    - test_space1_auditors_2

  # Added in this Rabobank version of cf-mgmt
  aad_groups:
    - test_space1_auditors_2

  # added in 0.0.66+ which will allow configuration of a list of saml user email addresses
  saml_users:
    - [email protected]
    - [email protected]

space-developer:
  # list of ldap users that will be created in cf and given space developer role
  ldap_users:
    - cwashburn1
    - cwashburn2

  # list of users that would be given space developer role (must already be a user created via cf create-user)
  users:
    - [email protected]
    - [email protected]

  # ldap group that contains users that will be added to cf and given space developer role
  ldap_group: test_space1_developers

  # added in 0.0.62+ which will allow configuration of a list of groups works with ldap_group
  ldap_groups:
    - test_space1_developers_2

  # Added in this Rabobank version of cf-mgmt
  aad_groups:
    - test_space1_developers_2

  # added in 0.0.66+ which will allow configuration of a list of saml user email addresses
  saml_users:
    - [email protected]
    - [email protected]
# to enable custom quota at space level
enable-space-quota: true
# 10 GB limit
memory-limit: 10240
# unlimited
instance-memory-limit: -1
total-routes: 10
# unlimited
total-services: -1
paid-service-plans-allowed: true

# to enable custom asg for the space.  If true will deploy asg defined in security-group.json within space folder
enable-security-group: false

# added in 0.0.48+ which will remove users from roles if not configured in cf-mgmt
enable-remove-users: true/false

# allowing security groups to be applied that are defined globally
named-security-groups: []

# added in 1.0.12+ allows specifying a named quota, cannot be used with enable-space-quota
named_quota:

# added in 1.0.26+ allows unassigning named security groups that are not in configuration
enable-unassign-security-group: true/false

# added in 1.0.26+ allows adding metadata to orgs and spaces (requires cf v3 3.66.0 or greater - PCF 2.5+)
metadata:
  labels:
    foo: bar
  annotations:
    hello: world

Space Default Configuration

The file spaceDefaults.yml can be used to specify a default set of roles for user and groups to be applied to all spaces. This will be merged with the space-specific roles. Note that this is actually processed at runtime, not when spaces are added to the config.

LDAP Configuration

LDAP configuration file ldap.yml is located under the config folder. By default, LDAP is disabled and you can enable it by setting enabled: true. Once this is enabled, all other LDAP configuration properties are required.

enabled: true

# IP address or DNS Record (without ldap:// protocol)
ldapHost: 127.0.0.1
ldapPort: 10389
#true/false (default false)
use_tls: true

bindDN: uid=admin,ou=system
userSearchBase: ou=users,dc=example,dc=com
userNameAttribute: uid
# optional added in v1.0.20+
userObjectClass: <object class that matches your ldap/active directory configuration for users (inetOrgPerson, organizationalPerson)>
userMailAttribute: mail

groupSearchBase: ou=groups,dc=example,dc=com
groupAttribute: member
# optional added in v1.0.20+
groupObjectClass: <object class that matches your ldap/active directory configuration for groups (group, groupOfNames)>
origin: ldap

# optional added in 1.0.11+ - true/false
insecure_skip_verify: false
# optional added in 1.0.11+ if ldap server is signed by non-public CA provide ca pem here
ca_cert: |

# optional added in 1.0.47+ if omitted 1.0 is min, 1.3 is max.  Valid values 1.0, 1.1, 1.2, 1.3 or blank
minTLSVersion: 1.0
maxTLSVersion: 1.3

When using LDAP with Active Directory, the uid for userNameAttribute should be a sAMAccountName

SAML Configuration with ldap group lookups

LDAP configuration file ldap.yml is located under the config folder. To have cf-mgmt create SAML users in UAA need to enable ldap to lookup the user information from an LDAP source to properly create the SAML users. In orgConfig.yml and spaceConfig.yml leverage either/or ldap_users or ldap_group(s)

enabled: true
ldapHost: 127.0.0.1
ldapPort: 10389
#true/false (default false)
use_tls: true
bindDN: uid=admin,ou=system
userSearchBase: ou=users,dc=example,dc=com
userNameAttribute: uid
# optional added in v1.0.20+
userObjectClass: <object class that matches your ldap/active directory configuration for users (inetOrgPerson, organizationalPerson)>
userMailAttribute: mail
groupSearchBase: ou=groups,dc=example,dc=com
groupAttribute: member
# optional added in v1.0.20+
groupObjectClass: <object class that matches your ldap/active directory configuration for groups (group, groupOfNames)>
origin: <needs to match origin configured for elastic runtime>

# optional added in 1.0.11+ - true/false
insecure_skip_verify: false
# optional added in 1.0.11+ if ldap server is signed by non-public CA provide ca pem here
ca_cert: |

# optional added in 1.0.37 - true/false.  If true it will use userid from ldap group lookup vs email address for userid
useIDForSAMLUser: false

# optional added in 1.0.47+ if omitted 1.0 is min, 1.3 is max.  Valid values 1.0, 1.1, 1.2, 1.3 or blank
minTLSVersion: 1.0
maxTLSVersion: 1.3

SAML Configuration with Azure Active Directory group lookups

Azure AD configuration file azureAD.yml is located under the config folder. To have cf-mgmt create SAML users in UAA you can choose between ldap and azure Active Directory groups. To enable Azure AD, create a file azureAD.yml in the config directory and set enabled: true In orgConfig.yml and spaceConfig.yml leverage aad_groups Note:

enabled: true

# Your Azure Active Directory Tenant ID
tenant-id:
# The client id of your Active Directory Enterprise application or App registration
# NOTE: the enterprise app / app regisatration needs the following API permissions: 
# Microsoft Graph   Permission            permission-type
# Microsoft Graph   Group.Read.All        Application
# Microsoft Graph   User.Read.All         Application
# Microsoft Graph   GroupMember.Read.All  Application
client-id:
# User the same origin as for your SAML users
origin: 

SAML Configuration

LDAP configuration file ldap.yml is located under the config folder. To have cf-mgmt create SAML users you can disable ldap integration for looking up users in ldap groups with v0.0.66+ as orgConfig.yml and spaceConfig.yml now includes a saml_users array attribute which can contain a list of email addresses.

enabled: false
origin: <needs to match origin configured for elastic runtime>
ldapHost:
ldapPort: 389
bindDN:
userSearchBase:
userNameAttribute:
userMailAttribute:
groupSearchBase:
groupAttribute:

Enable Temporary Application SSH Access

With 1.0.13+ there is ability to grant applicaiton ssh access for a specific duration. Durations supported are in number of Days (D), Hours (H) or Minutes (M). Use the cf-mgmt-config cli to update a given space with one of these metrics. This will generate the timestamp in the correct format for you. You must also use the latest generated concourse pipeline as this places update-space command on a timer to run every 15m (by default) to check to see if time has elapsed to re-disable application ssh access

The following will enable for 2 days:

cf-mgmt-config update-space --config-dir <your directory> --org <org> --space <space> --allow-ssh false --allow-ssh-until 2D

The following will enable for 5 hours:

cf-mgmt-config update-space --config-dir <your directory> --org <org> --space <space> --allow-ssh false --allow-ssh-until 5H

The following will enable for 95 minutes:

cf-mgmt-config update-space --config-dir <your directory> --org <org> --space <space> --allow-ssh false --allow-ssh-until 95M