Closed jhunt closed 2 years ago
The other benefit of this (for the benefit of others reading this) is that it gets away from having users have to maintain their own collection of .bosh/config aliases and having different names all over the place.
Would this also mean genesis new some-env
would lookup bosh creds under secret/genesis/some-env-bosh
or would I need to do a genesis login
first?
The genesis login
would be for users to be able to create and use a local alias from the bosh creds stored in vault. Genesis itself would use these creds independently for its own purposes, not requiring a bosh env alias.
As an aside, the genesis login
functionality is already a reality using the latest version of genesis and the bosh-genesis-kit, using the genesis do <env> login
incantation.
Delivered in v2.8.0
As an operator, I would like to spend less time configuring Genesis CI/CD pipelines, and minimize the amount of duplicated data in said configuration.
To achieve this, we believe the following should suffice:
secret/genesis
. For example, BOSH director deployments will want to provide their path into the Vault (to handleparams.vault
customizations), as well as the URL of the director:This will allow other deployments to reference this director, and its secrets, as needed. In effect, this is an extension of the core BOSH "links" concept, using Vault as a configuration server, but operating across BOSH deployments.
genesis deploy
will be responsible for updating the entry undersecret/genesis
after every successful deployment, whether by interactive operator use, or by concourse pipeline.Each kit will be responsible for populating other keys, besides
base
(which Genesis will get fromparams.vault
, defaulting to the normal default). These values will be placed in the new manifest top-levelgenesis
key:This will be imported into Vault via
safe import
, so the keys undergenesis
should only be a single level deep (no nesting!). If the kit supplies agenesis.base
key, it will be overwritten by genesis.params.bosh
, which will be interpreted as a tertiary path component insecret/genesis/$env-bosh
. For example:would be interpreted as
secret/genesis/us-east-1-prod-bosh
for lookups.genesis login
that will do the requiredbosh
CLI calls to set up an alias, using the correct parameters:This will make life easier on operators, who are tired of dealing with BOSH's quirks on the command-line.
bosh_client
(orbosh-client
, whatever is consistenter) that will identify the name of the UAA client to use when talking to BOSH. It will default toconcourse
.For each BOSH environment that concourse has to deal with (via the env's
params.bosh
) it will look up the client secret in Vault by finding thebase
undersecret/genesis/$env-bosh
, and then look up$base/users/$user:password
This should remove a fair amount of logic from
repipe
and move it into the CI commands themselves (ci-pipeline-deploy
)