From cfa1e1de7c22aaecc1ceb06a47976f4385fa073a Mon Sep 17 00:00:00 2001 From: Matthew Kocher Date: Mon, 31 Jan 2022 23:01:24 +0000 Subject: [PATCH 1/7] split log-cache from doppler, use syslog ingress Making this change for a few reasons: - The scaling needs of dopplers and log-cache are often different, so grouping them together can be problematic. Dopplers are limited to ~40 instances and some high traffic foundations need larger log-cache instance groups. - Syslog ingress eliminates the load on dopplers and traffic controllers to get envelopes to log-cache. This increases the load slightly on diego cells, and eliminates significant load on dopplers/tc's. It's recommended after deploying this change to evaluate the memory allocated to doppler nodes and switch them to compute heavy instances and deploy log-cache to high memory instances. --- cf-deployment.yml | 101 +++++++++++------- ...se-logcache-syslog-ingress-windows2019.yml | 6 +- .../use-logcache-syslog-ingress.yml | 56 +--------- operations/rename-network-and-deployment.yml | 11 ++ operations/scale-to-one-az.yml | 3 + operations/windows2019-cell.yml | 1 + 6 files changed, 83 insertions(+), 95 deletions(-) diff --git a/cf-deployment.yml b/cf-deployment.yml index 67ba9000a..3acfd59e2 100644 --- a/cf-deployment.yml +++ b/cf-deployment.yml @@ -83,6 +83,7 @@ addons: cert: "((syslog_agent_metrics_tls.certificate))" key: "((syslog_agent_metrics_tls.private_key))" server_name: syslog_agent_metrics + drain_ca_cert: "((log_cache_syslog_tls.ca))" - name: prom_scraper include: @@ -338,7 +339,13 @@ addons: deployment: cf network: default domain: bosh - + - domain: log-cache.service.cf.internal + targets: + - deployment: cf + domain: bosh + instance_group: log-cache + network: default + query: '*' instance_groups: - name: smoke-tests 
@@ -1317,6 +1324,7 @@ instance_groups: cert: "((loggr_syslog_binding_cache_metrics_tls.certificate))" key: "((loggr_syslog_binding_cache_metrics_tls.private_key))" server_name: loggr_syslog_binding_cache_metrics + aggregate_drains: "syslog-tls://log-cache.service.cf.internal:6067?include-metrics-deprecated=true&ssl-strict-internal=true" - name: loggr-udp-forwarder release: loggregator-agent properties: @@ -1426,27 +1434,16 @@ instance_groups: cert: "((loggr_udp_forwarder_tls.certificate))" key: "((loggr_udp_forwarder_tls.private_key))" server_name: loggr_udp_forwarder_metrics -- name: doppler +- name: log-cache azs: - z1 - z2 - instances: 4 - vm_type: minimal + instances: 1 + vm_type: small-highmem stemcell: default networks: - name: default jobs: - - name: doppler - release: loggregator - provides: - doppler: {as: doppler, shared: true} - properties: - loggregator: - tls: - ca_cert: "((loggregator_tls_doppler.ca))" - doppler: - cert: "((loggregator_tls_doppler.certificate))" - key: "((loggregator_tls_doppler.private_key))" - name: log-cache provides: log-cache: {shared: true} 
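Review bot: Moving the log-cache jobs out of the `doppler` instance group into a new `log-cache` group changes the ops-file path of every job that used to live under `/instance_groups/name=doppler/jobs/name=log-cache*`; this series updates only rename-network-and-deployment.yml and scale-to-one-az.yml, so any other ops file in the repo (or in operators' own pipelines) that still addresses those paths will fail to apply, and a grep for `name=doppler/jobs/name=log-cache` before merge would confirm nothing else is left. The new group also ships with `instances: 1` while listing `azs: [z1, z2]`, which leaves log cache with no redundancy by default; if that is intentional, a comment such as `# single instance by default; size per foundation (see commit message)` above `instances: 1` would make the choice visible to operators. Note the rest of the `log-cache` group's jobs continues in the next hunk.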
@@ -1473,21 +1470,17 @@ instance_groups: key: "((log_cache_gateway_metrics_tls.private_key))" server_name: log_cache_gateway_metrics release: log-cache - - consumes: - reverse_log_proxy: {from: reverse_log_proxy} - name: log-cache-nozzle + - name: log-cache-syslog-server + release: log-cache properties: + tls: + cert: "((log_cache_syslog_tls.certificate))" + key: "((log_cache_syslog_tls.private_key))" metrics: - ca_cert: ((log_cache_nozzle_metrics_tls.ca)) - cert: ((log_cache_nozzle_metrics_tls.certificate)) - key: ((log_cache_nozzle_metrics_tls.private_key)) - server_name: log_cache_nozzle_metrics - logs_provider: - tls: - ca_cert: ((logs_provider.ca)) - cert: ((logs_provider.certificate)) - key: ((logs_provider.private_key)) - release: log-cache + ca_cert: "((log_cache_syslog_server_metrics_tls.ca))" + cert: "((log_cache_syslog_server_metrics_tls.certificate))" + key: "((log_cache_syslog_server_metrics_tls.private_key))" + server_name: log_cache_syslog_server_metrics - name: route_registrar properties: nats: @@ -1526,6 +1519,27 @@ instance_groups: client_secret: ((uaa_clients_doppler_secret)) internal_addr: https://uaa.service.cf.internal:8443 release: log-cache +- name: doppler + azs: + - z1 + - z2 + instances: 4 + vm_type: minimal + stemcell: default + networks: + - name: default + jobs: + - name: doppler + release: loggregator + provides: + doppler: {as: doppler, shared: true} + properties: + loggregator: + tls: + ca_cert: "((loggregator_tls_doppler.ca))" + doppler: + cert: "((loggregator_tls_doppler.certificate))" + key: "((loggregator_tls_doppler.private_key))" - name: diego-cell azs: - z1 
@@ -2244,6 +2258,16 @@ variables: common_name: localhost alternative_names: - localhost +- name: log_cache_syslog_tls + type: certificate + options: + ca: loggregator_ca + common_name: log-cache.service.cf.internal + alternative_names: + - "q-s3.log-cache.default.cf.bosh" + - "log-cache.service.cf.internal" + extended_key_usage: + - server_auth - name: router_ca type: certificate options: @@ -2471,6 +2495,16 @@ variables: common_name: metricScraperCA is_ca: true +- name: log_cache_syslog_server_metrics_tls + type: certificate + update_mode: converge + options: + ca: metric_scraper_ca + common_name: log_cache_syslog_server_metrics + alternative_names: + - log_cache_syslog_server_metrics + extended_key_usage: + - server_auth - name: metrics_agent_tls type: certificate update_mode: converge @@ -2513,17 +2547,6 @@ variables: extended_key_usage: - server_auth -- name: log_cache_nozzle_metrics_tls - type: certificate - update_mode: converge - options: - ca: metric_scraper_ca - common_name: log_cache_nozzle_metrics - alternative_names: - - log_cache_nozzle_metrics - extended_key_usage: - - server_auth - - name: log_cache_cf_auth_proxy_metrics_tls type: certificate update_mode: converge diff --git a/operations/experimental/use-logcache-syslog-ingress-windows2019.yml b/operations/experimental/use-logcache-syslog-ingress-windows2019.yml index d38942581..e9897a361 100644 --- a/operations/experimental/use-logcache-syslog-ingress-windows2019.yml +++ b/operations/experimental/use-logcache-syslog-ingress-windows2019.yml @@ -1,4 +1,4 @@ +# Has been integrated into cf-deployment.yml +# +# Please delete this file in the future --- -- type: replace - path: /instance_groups/name=windows2019-cell/jobs/name=loggr-syslog-agent-windows/properties/drain_ca_cert? - value: "((log_cache_syslog_tls.ca))" diff --git a/operations/experimental/use-logcache-syslog-ingress.yml b/operations/experimental/use-logcache-syslog-ingress.yml index 17077fda8..e9897a361 100644 
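Review bot: `log_cache_syslog_tls` is declared without `update_mode: converge`, unlike `log_cache_syslog_server_metrics_tls` added a few lines further down. Foundations that already applied the experimental `use-logcache-syslog-ingress.yml` hold a `log_cache_syslog_tls` certificate issued for `doppler.service.cf.internal` / `q-s3.doppler.default.cf.bosh`; with the director's default no-overwrite behaviour the changed common name and SANs here will not regenerate it, and because the drain URL sets `ssl-strict-internal=true` the syslog agents would presumably reject the old certificate and ingress to log-cache would stop without an obvious error. Either add `update_mode: converge` under `log_cache_syslog_tls` so the SAN change forces reissue, or state in the commit message that operators upgrading from the experimental ops file must regenerate this variable.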
--- a/operations/experimental/use-logcache-syslog-ingress.yml +++ b/operations/experimental/use-logcache-syslog-ingress.yml @@ -1,54 +1,4 @@ +# Has been integrated into cf-deployment.yml +# +# Please delete this file in the future --- -- type: replace - path: /instance_groups/name=doppler/jobs/name=log-cache-syslog-server? - value: - release: log-cache - name: log-cache-syslog-server - properties: - tls: - cert: "((log_cache_syslog_tls.certificate))" - key: "((log_cache_syslog_tls.private_key))" - metrics: - ca_cert: "((log_cache_syslog_server_metrics_tls.ca))" - cert: "((log_cache_syslog_server_metrics_tls.certificate))" - key: "((log_cache_syslog_server_metrics_tls.private_key))" - server_name: log_cache_syslog_server_metrics - -- type: replace - path: /variables/name=log_cache_syslog_tls? - value: - name: log_cache_syslog_tls - type: certificate - options: - ca: loggregator_ca - common_name: doppler.service.cf.internal - alternative_names: - - "q-s3.doppler.default.cf.bosh" - - "doppler.service.cf.internal" - extended_key_usage: - - server_auth - -- type: remove - path: /instance_groups/name=doppler/jobs/name=log-cache-nozzle? - -- type: replace - path: /instance_groups/name=scheduler/jobs/name=loggr-syslog-binding-cache/properties/aggregate_drains? - value: "syslog-tls://doppler.service.cf.internal:6067?include-metrics-deprecated=true&ssl-strict-internal=true" - -- type: replace - path: /addons/name=loggr-syslog-agent/jobs/name=loggr-syslog-agent/properties/drain_ca_cert? - value: "((log_cache_syslog_tls.ca))" - -- type: replace - path: /variables/name=log_cache_syslog_server_metrics_tls? - value: - name: log_cache_syslog_server_metrics_tls - type: certificate - update_mode: converge - options: - ca: metric_scraper_ca - common_name: log_cache_syslog_server_metrics - alternative_names: - - log_cache_syslog_server_metrics - extended_key_usage: - - server_auth 
diff --git a/operations/rename-network-and-deployment.yml b/operations/rename-network-and-deployment.yml index 57945c92a..26a0dffe9 100644 --- a/operations/rename-network-and-deployment.yml +++ b/operations/rename-network-and-deployment.yml @@ -12,6 +12,10 @@ path: /instance_groups/name=doppler/networks/name=default/name value: ((network_name)) +- type: replace + path: /instance_groups/name=log-cache/networks/name=default/name + value: ((network_name)) + - type: replace path: /instance_groups/name=database/networks/name=default/name value: ((network_name)) @@ -134,6 +138,13 @@ deployment: ((deployment_name)) network: ((network_name)) domain: bosh + - domain: log-cache.service.cf.internal + targets: + - query: '*' + instance_group: log-cache + deployment: ((deployment_name)) + network: ((network_name)) + domain: bosh - domain: file-server.service.cf.internal targets: - query: '*' diff --git a/operations/scale-to-one-az.yml b/operations/scale-to-one-az.yml index 330a24b85..db09d8907 100644 --- a/operations/scale-to-one-az.yml +++ b/operations/scale-to-one-az.yml @@ -65,6 +65,9 @@ - type: replace path: /instance_groups/name=doppler/azs value: [ z1 ] +- type: replace + path: /instance_groups/name=log-cache/azs + value: [ z1 ] - type: replace path: /instance_groups/name=log-api/azs value: [ z1 ] diff --git a/operations/windows2019-cell.yml b/operations/windows2019-cell.yml index 84e7e53a3..f0a31b534 100644 --- a/operations/windows2019-cell.yml +++ b/operations/windows2019-cell.yml @@ -164,6 +164,7 @@ ca_cert: ((loggregator_tls_agent.ca)) cert: ((loggregator_tls_agent.certificate)) key: ((loggregator_tls_agent.private_key)) + drain_ca_cert: ((log_cache_syslog_tls.ca)) release: loggregator-agent - name: loggr-forwarder-agent-windows properties: From 01589433e7576cdcd41a34bc2a2695d23a94fac8 Mon Sep 17 00:00:00 2001 
From: Matthew Kocher Date: Wed, 2 Feb 2022 17:50:35 +0000 Subject: [PATCH 2/7] remove remove-logging-pipeline-with-danger ops files They didn't seem to be used and would need to be updated to work with the separate log cache instance group. --- operations/test/README.md | 2 - ...gging-pipeline-with-danger-windows2019.yml | 15 -- .../remove-logging-pipeline-with-danger.yml | 150 ------------------ units/tests/test_test/operations.yml | 4 - 4 files changed, 171 deletions(-) delete mode 100644 operations/test/remove-logging-pipeline-with-danger-windows2019.yml delete mode 100644 operations/test/remove-logging-pipeline-with-danger.yml diff --git a/operations/test/README.md b/operations/test/README.md index 02b4e59b4..f8b45b1f9 100644 --- a/operations/test/README.md +++ b/operations/test/README.md @@ -18,5 +18,3 @@ They may change without notice. | [`enable-nfs-test-server.yml`](enable-nfs-test-server.yml) | adds an NFS server to the deployment | nfstestserver can be reached at nfstestserver.service.cf.internal for acceptance testing purposes | | [`enable-nfs-test-ldapserver.yml`](enable-nfs-test-ldapserver.yml) | Adds an LDAP server to the deployment to allow testing of NFS volume services configured with LDAP authentication | Requires enable-nfs-volume-service.yml and enable-nfs-test-server.yml. nfstestldapserver can be reached at nfstestldapserver.service.cf.internal | | [`enable-smb-test-server.yml`](enable-smb-test-server.yml) | adds an SMB server to the deployment | smbtestserver can be reached at smbtestserver.service.cf.internal for acceptance testing purposes | -| [`remove-logging-pipeline-with-danger.yml`](remove-logging-pipeline-with-danger.yml) | Remove logging pipeline v2 jobs. | | -| [`remove-logging-pipeline-with-danger-windows2019.yml`](remove-logging-pipeline-with-danger-windows2019.yml) | Remove logging pipeline v2 jobs from the Windows 2019 Diego Cell. | Requires `remove-logging-pipeline-with-danger.yml` | 
diff --git a/operations/test/remove-logging-pipeline-with-danger-windows2019.yml b/operations/test/remove-logging-pipeline-with-danger-windows2019.yml deleted file mode 100644 index e017c347e..000000000 --- a/operations/test/remove-logging-pipeline-with-danger-windows2019.yml +++ /dev/null @@ -1,15 +0,0 @@ -- type: replace - path: /instance_groups/name=windows2019-cell/jobs/name=prom_scraper_windows/properties/loggregator_agent? - value: - tls: - ca_cert: "((loggregator_tls_agent.ca))" - cert: "((loggregator_tls_agent.certificate))" - key: "((loggregator_tls_agent.private_key))" - -- type: remove - path: /instance_groups/name=windows2019-cell/jobs/name=loggregator_agent_windows? - -# update syslog agents -- type: replace - path: /addons/name=loggr-syslog-agent-windows2019/jobs/name=loggr-syslog-agent-windows/properties/drain_ca_cert? - value: "((log_cache_syslog_tls.ca))" diff --git a/operations/test/remove-logging-pipeline-with-danger.yml b/operations/test/remove-logging-pipeline-with-danger.yml deleted file mode 100644 index d1f89edd7..000000000 --- a/operations/test/remove-logging-pipeline-with-danger.yml +++ /dev/null 
@@ -1,150 +0,0 @@ ---- -# Linux -- type: remove - path: /addons/name=loggregator_agent? - -- type: replace - path: /addons/name=prom_scraper/jobs/name=prom_scraper/properties/loggregator_agent? - value: - tls: - ca_cert: "((loggregator_tls_agent.ca))" - cert: "((loggregator_tls_agent.certificate))" - key: "((loggregator_tls_agent.private_key))" - -- type: remove - path: /instance_groups/name=log-api? - -- type: remove - path: /variables/name=loggregator_agent_metrics_tls? - -- type: remove - path: /instance_groups/name=scheduler/jobs/name=loggr-system-metric-scraper? - -- type: remove - path: /instance_groups/name=doppler? - -# metric-store is dependent on Loggregator, it won't work if the v2 firehose is disabled -- type: remove - path: /instance_groups/name=metric-store? - -- type: replace - path: /instance_groups/name=log-cache? - value: - name: log-cache - azs: - - z1 - - z2 - instances: 4 - vm_type: minimal - stemcell: default - networks: - - name: default - jobs: - - name: log-cache-syslog-server - release: log-cache - properties: - tls: - cert: "((log_cache_syslog_tls.certificate))" - key: "((log_cache_syslog_tls.private_key))" - metrics: - ca_cert: "((log_cache_syslog_server_metrics_tls.ca))" - cert: "((log_cache_syslog_server_metrics_tls.certificate))" - key: "((log_cache_syslog_server_metrics_tls.private_key))" - server_name: log_cache_syslog_server_metrics - - name: log-cache - provides: - log-cache: {shared: true} - properties: - metrics: - ca_cert: "((log_cache_metrics_tls.ca))" - cert: "((log_cache_metrics_tls.certificate))" - key: "((log_cache_metrics_tls.private_key))" - server_name: log_cache_metrics - health_addr: localhost:6060 - tls: - ca_cert: ((log_cache.ca)) - cert: ((log_cache.certificate)) - key: ((log_cache.private_key)) - release: log-cache - - name: log-cache-gateway - properties: - gateway_addr: localhost:8081 - proxy_cert: "((log_cache_proxy_tls.certificate))" - proxy_key: "((log_cache_proxy_tls.private_key))" - metrics: - ca_cert: 
"((log_cache_gateway_metrics_tls.ca))" - cert: "((log_cache_gateway_metrics_tls.certificate))" - key: "((log_cache_gateway_metrics_tls.private_key))" - server_name: log_cache_gateway_metrics - release: log-cache - - name: route_registrar - properties: - route_registrar: - routes: - - name: log-cache-reverse-proxy - port: 8083 - tls_port: 8083 - registration_interval: 20s - server_cert_domain_san: log-cache.((system_domain)) - uris: - - log-cache.((system_domain)) - - '*.log-cache.((system_domain))' - release: routing - - name: log-cache-cf-auth-proxy - properties: - metrics: - ca_cert: "((log_cache_cf_auth_proxy_metrics_tls.ca))" - cert: "((log_cache_cf_auth_proxy_metrics_tls.certificate))" - key: "((log_cache_cf_auth_proxy_metrics_tls.private_key))" - server_name: log_cache_cf_auth_proxy_metrics - cc: - ca_cert: ((cc_tls.ca)) - common_name: cloud-controller-ng.service.cf.internal - proxy_ca_cert: "((log_cache.ca))" - proxy_port: 8083 - external_cert: ((logcache_ssl.certificate)) - external_key: ((logcache_ssl.private_key)) - uaa: - ca_cert: ((uaa_ssl.ca)) - client_id: doppler - client_secret: ((uaa_clients_doppler_secret)) - internal_addr: https://uaa.service.cf.internal:8443 - release: log-cache - -# Variables -- type: replace - path: /variables/name=log_cache_syslog_tls? - value: - name: log_cache_syslog_tls - type: certificate - update_mode: converge - options: - ca: loggregator_ca - common_name: q-s3.log-cache.default.cf.bosh - alternative_names: - - q-s3.log-cache.default.cf.bosh - extended_key_usage: - - server_auth - -- type: replace - path: /variables/name=log_cache_syslog_server_metrics_tls? 
- value: - name: log_cache_syslog_server_metrics_tls - type: certificate - update_mode: converge - options: - ca: metric_scraper_ca - common_name: log_cache_syslog_server_metrics - alternative_names: - - log_cache_syslog_server_metrics - extended_key_usage: - - server_auth - -# update syslog agents -- type: replace - path: /instance_groups/name=scheduler/jobs/name=loggr-syslog-binding-cache/properties/aggregate_drains? - value: "syslog-tls://q-s3.log-cache.default.cf.bosh:6067" - -- type: replace - path: /addons/name=loggr-syslog-agent/jobs/name=loggr-syslog-agent/properties/drain_ca_cert? - value: "((log_cache_syslog_tls.ca))" diff --git a/units/tests/test_test/operations.yml b/units/tests/test_test/operations.yml index 760bae537..58e3b1e5d 100644 --- a/units/tests/test_test/operations.yml +++ b/units/tests/test_test/operations.yml @@ -22,7 +22,3 @@ enable-smb-test-server.yml: vars: - smb-password=FOO.PASS - smb-username=BAR.USER -remove-logging-pipeline-with-danger.yml: {} -remove-logging-pipeline-with-danger-windows2019.yml: - ops: - - ../windows2019-cell.yml From 6c4c0a0257ee0f209d2b6da6475ded58d220ce2b Mon Sep 17 00:00:00 2001 From: Matthew Kocher Date: Thu, 3 Feb 2022 18:04:37 +0000 Subject: [PATCH 3/7] Remove use-log-cache-syslog-ingress ops files We had made these ops files no-ops in an earlier commit, here we are removing them. --- ci/pipelines/cf-deployment.yml | 2 -- operations/experimental/README.md | 2 -- .../use-logcache-syslog-ingress-windows2019.yml | 4 ---- operations/experimental/use-logcache-syslog-ingress.yml | 4 ---- units/tests/experimental_test/operations.yml | 8 -------- 5 files changed, 20 deletions(-) delete mode 100644 operations/experimental/use-logcache-syslog-ingress-windows2019.yml delete mode 100644 operations/experimental/use-logcache-syslog-ingress.yml diff --git a/ci/pipelines/cf-deployment.yml b/ci/pipelines/cf-deployment.yml index 3bae02839..4c9e331fc 100644 --- a/ci/pipelines/cf-deployment.yml 
+++ b/ci/pipelines/cf-deployment.yml @@ -1079,7 +1079,6 @@ jobs: operations/experimental/set-cpu-weight.yml operations/experimental/enable-cpu-throttling.yml operations/experimental/enable-containerd-for-processes.yml - operations/experimental/use-logcache-syslog-ingress.yml operations/increase-doppler-vm-type-from-minimal-to-small.yml VARS_FILES: | environments/test/hermione/bbl-state/vars/director-vars-file.yml @@ -1133,7 +1132,6 @@ jobs: operations/experimental/enable-cpu-throttling.yml operations/experimental/enable-oci-phase-1.yml operations/experimental/enable-containerd-for-processes.yml - operations/experimental/use-logcache-syslog-ingress.yml operations/increase-doppler-vm-type-from-minimal-to-small.yml VARS_FILES: | environments/test/hermione/bbl-state/vars/director-vars-file.yml diff --git a/operations/experimental/README.md b/operations/experimental/README.md index e2275e054..4aea6ef42 100644 --- a/operations/experimental/README.md +++ b/operations/experimental/README.md 
@@ -38,8 +38,6 @@ This is the README for Experimental Ops-files. To learn more about `cf-deploymen | [`set-cpu-weight-windows2019.yml`](set-cpu-weight-windows2019.yml) | CPU shares for each garden container are proportional to its memory limits. | Requires `../windows2019-cell.yml` and `../use-online-windows2019fs.yml` | **NO** | | [`use-compiled-releases-windows.yml`](use-compiled-releases-windows.yml) | Reverts to source version of releases required for Windows cells | Intended for use with `use-compiled-releases.yml` and any of `windows*-cell.yml` | **YES** | | [`use-create-swap-delete-vm-strategy.yml`](use-create-swap-delete-vm-strategy.yml) | Configures the default [`vm_strategy`](https://bosh.io/docs/changing-deployment-vm-strategy/) to be `create-swap-delete`. | Requires BOSH director `v267.7+` | **NO** | -| [`use-logcache-syslog-ingress.yml`](use-logcache-syslog-ingress.yml) | Uses syslog ingress for Log Cache in place of Loggregator | | **YES** | -| [`use-logcache-syslog-ingress-windows2019.yml`](use-logcache-syslog-ingress-windows2019.yml) | Uses syslog ingress for Log Cache in place of Loggregator for Windows cells | Requires `use-logcache-syslog-ingress.yml` | **NO** | | [`disable-v2-api.yml`](disable-v2-api.yml) | Disable v2 Cloud Controller API endpoints | | **NO** | | [`disable-logs-in-firehose.yml`](disable-logs-in-firehose.yml) | Logs are not sent to dopplers, only metrics | | **NO** | | [`disable-logs-in-firehose-windows2019.yml`](disable-logs-in-firehose-windows-2019.yml) | Logs are not sent to dopplers, only metrics | | **NO** | diff --git a/operations/experimental/use-logcache-syslog-ingress-windows2019.yml b/operations/experimental/use-logcache-syslog-ingress-windows2019.yml deleted file mode 100644 index e9897a361..000000000 --- a/operations/experimental/use-logcache-syslog-ingress-windows2019.yml +++ /dev/null @@ -1,4 +0,0 @@ -# Has been integrated into cf-deployment.yml -# -# Please delete this file in the future ---- 
diff --git a/operations/experimental/use-logcache-syslog-ingress.yml b/operations/experimental/use-logcache-syslog-ingress.yml deleted file mode 100644 index e9897a361..000000000 --- a/operations/experimental/use-logcache-syslog-ingress.yml +++ /dev/null @@ -1,4 +0,0 @@ -# Has been integrated into cf-deployment.yml -# -# Please delete this file in the future ---- diff --git a/units/tests/experimental_test/operations.yml b/units/tests/experimental_test/operations.yml index 21ecdd808..9e7b0c8b6 100644 --- a/units/tests/experimental_test/operations.yml +++ b/units/tests/experimental_test/operations.yml @@ -57,12 +57,4 @@ use-compiled-releases-windows.yml: - ../windows2019-cell.yml - use-compiled-releases-windows.yml use-create-swap-delete-vm-strategy.yml: {} -use-logcache-syslog-ingress-windows2019.yml: - ops: - - ../windows2019-cell.yml - - use-logcache-syslog-ingress.yml - - use-logcache-syslog-ingress-windows2019.yml -use-logcache-syslog-ingress.yml: - ops: - - use-logcache-syslog-ingress.yml use-native-garden-runc-runner.yml: {} From 0e2e1e62ecab0f66bace54366f780eb7fa45bb18 Mon Sep 17 00:00:00 2001 From: Matthew Kocher Date: Fri, 4 Feb 2022 00:25:35 +0000 Subject: [PATCH 4/7] update cc log-cache url --- cf-deployment.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cf-deployment.yml b/cf-deployment.yml index 3acfd59e2..5c20d5a00 100644 --- a/cf-deployment.yml +++ b/cf-deployment.yml @@ -949,6 +949,8 @@ instance_groups: staging_upload_user: staging_user staging_upload_password: "((cc_staging_upload_password))" temporary_use_logcache: true + logcache: + host: log-cache.service.cf.internal logcache_tls: private_key: "((cc_logcache_tls.private_key))" certificate: "((cc_logcache_tls.certificate))" From bc57c8c4119c4677977e1d0168952be0810c6152 Mon Sep 17 00:00:00 2001 
From: Rebecca Roberts Date: Wed, 9 Feb 2022 19:56:57 +0000 Subject: [PATCH 5/7] Remove log_provider cert, scale down dopplers --- cf-deployment.yml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/cf-deployment.yml b/cf-deployment.yml index 5c20d5a00..8977d2339 100644 --- a/cf-deployment.yml +++ b/cf-deployment.yml @@ -341,11 +341,11 @@ addons: domain: bosh - domain: log-cache.service.cf.internal targets: - - deployment: cf - domain: bosh + - query: '*' instance_group: log-cache + deployment: cf network: default - query: '*' + domain: bosh instance_groups: - name: smoke-tests @@ -1525,7 +1525,7 @@ instance_groups: azs: - z1 - z2 - instances: 4 + instances: 3 vm_type: minimal stemcell: default networks: @@ -2194,17 +2194,6 @@ variables: - rlp_gateway extended_key_usage: - client_auth -- name: logs_provider - type: certificate - update_mode: converge - options: - ca: loggregator_ca - common_name: log-cache - alternative_names: - - log-cache - extended_key_usage: - - client_auth - - server_auth - name: log_cache_ca type: certificate options: From 926dcb9919b15b4d09302b21dc11060fd872a76b Mon Sep 17 00:00:00 2001 From: Rebecca Roberts Date: Thu, 10 Feb 2022 00:05:27 +0000 Subject: [PATCH 6/7] Include ops files for using RLP ingress instead of syslog --- operations/README.md | 2 + .../use-log-cache-nozzle-windows2019.yml | 4 ++ operations/use-log-cache-nozzle.yml | 64 +++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 operations/use-log-cache-nozzle-windows2019.yml create mode 100644 operations/use-log-cache-nozzle.yml diff --git a/operations/README.md b/operations/README.md index 4b277767f..834413658 100644 --- a/operations/README.md +++ b/operations/README.md 
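Review bot: Deleting the `logs_provider` variable is only safe if nothing else in cf-deployment.yml or the shipped ops files still interpolates `((logs_provider.*))`; the log-cache-nozzle removed in the first patch is its only consumer visible in this series, but files outside it (for example `use-metric-store.yml`, if it references that certificate) cannot be checked from here, and a grep for `logs_provider` before merge would settle it. Separately, `instances: 3` for doppler across `azs: [z1, z2]` leaves an uneven 2/1 split; if that is intended, a short `# odd count is deliberate` comment or a sentence in the commit message would help operators who scale per AZ.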
@@ -61,6 +61,8 @@ This is the README for Ops-files. To learn more about `cf-deployment`, go to the | [`use-internal-lookup-for-route-services.yml`](use-internal-lookup-for-route-services.yml) | Configure the gorouter to prefer internal lookup of route services. **Warning**: This enables a potential exploit detailed under [CVE-2019-3789](https://www.cloudfoundry.org/blog/cve-2019-3789/) | | **NO** | | [`use-latest-stemcell.yml`](use-latest-stemcell.yml) | Use the latest stemcell available on your BOSH director instead of the one in `cf-deployment.yml`. **Caution**: This ops-file should not be used in conjunction with `use-compiled-releases.yml`, since the latter relies on a specific stemcell version being used. | | **NO** | | [`use-latest-windows2019-stemcell.yml`](use-latest-windows2019-stemcell.yml) | Use the latest `windows2019` stemcell available on your BOSH director instead of the one in `windows2019-cell.yml` | Requires `windows2019-cell.yml` | **NO** | +| [`use-log-cache-nozzle.yml`](use-log-cache-nozzle.yml) | Use RLP ingress for Log Cache in place of syslog | | **NO** | +| [`use-log-cache-nozzle-windows2019.yml`](use-log-cache-nozzle-windows2019.yml) | Use RLP ingress for Log Cache in place of syslog for Windows cells | Requires `windows2019-cell.yml` | **NO** | | [`use-metric-store.yml`](use-metric-store.yml) | Adds a single-node metric store. | | **NO** | | [`use-operator-provided-router-tls-certificates.yml`](use-operator-provided-router-tls-certificates.yml) | Allows an operator to provide their own certificates for the gorouter by providing variables [`router_ssl_pem`](example-vars-files/vars-use-operator-provided-router-tls-certificates.yml) | This is required if using AWS Network Load Balancers. | **YES** | | [`use-postgres.yml`](use-postgres.yml) | Replaces the MySQL instance group with a postgres instance group. 
**Warning**: this will lead to total data loss if applied to an existing deployment with MySQL or removed from an existing deployment with postgres. | | **YES** | diff --git a/operations/use-log-cache-nozzle-windows2019.yml b/operations/use-log-cache-nozzle-windows2019.yml new file mode 100644 index 000000000..ecdc00ce3 --- /dev/null +++ b/operations/use-log-cache-nozzle-windows2019.yml @@ -0,0 +1,4 @@ +--- +- type: remove + path: /instance_groups/name=windows2019-cell/jobs/name=loggr-syslog-agent-windows/properties/drain_ca_cert? + diff --git a/operations/use-log-cache-nozzle.yml b/operations/use-log-cache-nozzle.yml new file mode 100644 index 000000000..5da7c4ec7 --- /dev/null +++ b/operations/use-log-cache-nozzle.yml 
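Review bot: `use-log-cache-nozzle-windows2019.yml` only removes the Windows agent's `drain_ca_cert`, so applied on its own it would leave the Windows cells with syslog ingress still configured but no CA to verify the drain; it is only correct together with `use-log-cache-nozzle.yml`, which the unit test in the last patch does apply but the README row does not state. The Requires column for that row should read `Requires `windows2019-cell.yml` and `use-log-cache-nozzle.yml``, mirroring how the removed experimental README row declared its dependency. The new file also ends with an empty `+` line after the `remove` op, which can be dropped.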
@@ -0,0 +1,64 @@ +--- +- type: replace + path: /instance_groups/name=log-cache/jobs/name=log-cache-nozzle? + value: + consumes: + reverse_log_proxy: {from: reverse_log_proxy} + name: log-cache-nozzle + properties: + metrics: + ca_cert: ((log_cache_nozzle_metrics_tls.ca)) + cert: ((log_cache_nozzle_metrics_tls.certificate)) + key: ((log_cache_nozzle_metrics_tls.private_key)) + server_name: log_cache_nozzle_metrics + logs_provider: + tls: + ca_cert: ((logs_provider.ca)) + cert: ((logs_provider.certificate)) + key: ((logs_provider.private_key)) + release: log-cache + +- type: replace + path: /variables/name=log_cache_nozzle_metrics_tls? + value: + name: log_cache_nozzle_metrics_tls + type: certificate + update_mode: converge + options: + ca: metric_scraper_ca + common_name: log_cache_nozzle_metrics + alternative_names: + - log_cache_nozzle_metrics + extended_key_usage: + - server_auth + +- type: replace + path: /variables/name=logs_provider? + value: + name: logs_provider + type: certificate + update_mode: converge + options: + ca: loggregator_ca + common_name: log-cache + alternative_names: + - log-cache + extended_key_usage: + - client_auth + - server_auth + +- type: remove + path: /variables/name=log_cache_syslog_tls? + +- type: remove + path: /instance_groups/name=log-cache/jobs/name=log-cache-syslog-server? + +- type: remove + path: /instance_groups/name=scheduler/jobs/name=loggr-syslog-binding-cache/properties/aggregate_drains? + +- type: remove + path: /addons/name=loggr-syslog-agent/jobs/name=loggr-syslog-agent/properties/drain_ca_cert? + +- type: remove + path: /variables/name=log_cache_syslog_server_metrics_tls? + From 9a7ce81de0c69514ef0e611d5f4002a65808911d Mon Sep 17 00:00:00 2001 From: Rebecca Roberts Date: Thu, 10 Feb 2022 21:41:57 +0000 Subject: [PATCH 7/7] Add ops files for log cache nozzle to unit tests --- units/tests/standard_test/operations.yml | 8 ++++++++ 1 file changed, 8 insertions(+) 
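Review bot: `logs_provider` is re-declared with `extended_key_usage` of both `client_auth` and `server_auth`, while the only consumer in this ops file is `log-cache-nozzle`, which presents the certificate as a client to the reverse log proxy (`consumes: reverse_log_proxy`). Unless some other job serves TLS with this certificate, `- server_auth` can be dropped so the key usage matches what the nozzle actually needs; if it is kept for compatibility with an existing consumer, a comment above the `extended_key_usage` list naming that consumer would stop the next reader from removing it. The `metrics` and `logs_provider` values are left unquoted here although the same variables are quoted in the cf-deployment.yml hunks of the first patch; either form parses, but quoting them keeps the two files consistent. The file also ends with an empty `+` line after the last `remove` op.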
diff --git a/units/tests/standard_test/operations.yml b/units/tests/standard_test/operations.yml index 57054b3b0..4b54c6751 100644 --- a/units/tests/standard_test/operations.yml +++ b/units/tests/standard_test/operations.yml @@ -106,6 +106,14 @@ use-latest-windows2019-stemcell.yml: pathvalidator: path: /stemcells/alias=windows2019/version expectedvalue: latest +use-log-cache-nozzle-windows2019.yml: + ops: + - windows2019-cell.yml + - use-log-cache-nozzle.yml + - use-log-cache-nozzle-windows2019.yml +use-log-cache-nozzle.yml: + ops: + - use-log-cache-nozzle.yml use-metric-store.yml: {} use-offline-windows2019fs.yml: ops: