-
Notifications
You must be signed in to change notification settings - Fork 1
Platform Deployment Procedure: bosh deployment
From your local machine log in to box shown as bastion_ip
$ ssh -i ~/.ssh/bosh.pem ubuntu@bastion_ip
Make sure that you have latest gems
$ cd ~/workspace/deployments/cf-boshworkspace/
$ bundle update
Edit deployment file
- for AWS deployments:
$ vi ~/workspace/deployments/cf-boshworkspace/deployments/cf-aws-tiny.yml
- for OpenStack deployments:
$ vi ~/workspace/deployments/cf-boshworkspace/deployments/cf-openstack-tiny.yml
Locate path meta
and fill the following section with your own values:
login_smtp:
host: mail.YOURSMTP.com
port: 25
user: YOURUSER
password: YOURPASS
senderEmail: [email protected]
senderName: Domain
Generate a secure password for uaac_admin_client_secret and note it down.
Locate path meta
and set generated password to secret
. Note that this password should not contain special characters due to the limitations of CloudFoundry, please use characters [0-9A-Za-z].
...
meta:
...
secret: <uaac_admin_client_secret>
...
Deploy changes
$ cd ~/workspace/deployments/cf-boshworkspace/
- for AWS deployments:
$ bosh deployment cf-aws-tiny
- for OpenStack deployments:
$ bosh deployment cf-openstack-tiny
and execute:
$ bosh prepare deployment
$ bosh deploy
Login to Cloud Foundry using admin account and create organization and space
$ cf login -a http://api.<cf_api_id>.xip.io/ -u admin -p <cf_admin_pass> --skip-ssl-validation
$ cf create-org <org_name>
$ cf target -o <org_name>
$ cf create-space <space_name>
$ cf target -s <space_name>
If your smtp server which you plan to use for sending e-mail messages in applications is located in one of private IP address ranges (A: 10.0.0.0/8, B: 172.16.0.0/12 or C: 192.168.0.0/16) please create an additional security group in Cloudfoundry, in below example we have two mailservers (10.0.0.1 and 192.168.0.2) and both are using TCP port 25
$ cf create-security-group smtp <(echo '[{"destination":"10.0.0.1/8","ports":"25","protocol":"tcp"},{"destination":"192.168.0.2/16","ports":"25","protocol":"tcp"}]')
If this security group should be available for applications in all spaces in all orgs it should be binded by below command
$ cf bind-running-security-group smtp
Else if it should be available only for one space (for example seedspace in organisation seedorg)
$ cf bind-running-security-group smtp seedorg seedspace
Update the maximum amount of memory to 30 GB:
$ cf update-quota default -m 30G
Generate a secure password for atk_client_pass and note it down. This password should not contain special characters due to the limitations of CloudFoundry, please use characters [0-9A-Za-z].
$ uaac target https://uaa.<cf_api_id>.xip.io/ --skip-ssl-validation
$ uaac token client get admin -s <uaac_admin_client_secret>
$ uaac client add atk-client \
--scope cloud_controller.read,cloud_controller.write,cloud_controller_service_permissions.read,openid \
--authorized_grant_types authorization_code,password,refresh_token,client_credentials \
--redirect_uri http://atkdash.<cf_api_id>.xip.io/managed/auth/cloudfoundry/callback \
--authorities uaa.none -s <atk_client_pass>
$ uaac client update developer_console \
--scope cloud_controller.admin,cloud_controller.read,cloud_controller.write,console.admin,doppler.firehose,openid,password.write,scim.read,scim.userids,scim.write \
--authorized_grant_types authorization_code,client_credentials,refresh_token \
--redirect_uri http://console.<cf_api_id>.xip.io/oauth/callback,https://console.<cf_api_id>.xip.io/oauth/callback \
--authorities scim.read,uaa.admin,cloud_controller.admin,billing.admin,uaa.resource,password.write,scim.write,cloud_controller.write,cloud_controller.read \
--autoapprove true --access_token_validity 1209600 --refresh_token_validity 1209600
$ uaac group add console.admin
$ uaac member add console.admin admin
$ uaac client update cf \
--scope cloud_controller.admin,cloud_controller.read,cloud_controller.write,doppler.firehose,openid,password.write,scim.read,scim.write,console.admin
Follow procedure in Platform application layer deployment
- Set up and assign to AWS user an appropriate account regional policy, i.e. (please remember to change the
ec2:Region
attribute):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*",
"vpc:*"
],
"Condition": {
"StringEquals": {
"ec2:Region": "us-east-1"
}
},
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:*"
],
"Resource": [
"*"
]
}
]
}
- [Overview of Trusted Analytics Platform](Overview of Trusted Analytics Platform)
- [Getting Started Guide](Getting Started Guide)
- Space Shuttle Demo Application
- Trusted Analytics JIRA Project
- [Building TAP from sources] (Building-TAP-from-sources)
- PaaS Architecture
- Use-cases
- [High Level Use Case](High Level Use Case)
- [Model Development for Data Scientists](Model Development for Data Scientists)
- Platform Tips and Tricks
- Platform Security Features
- Platform Configurations
- Release Notes
- Additional Deployment Information