Common parameters

OpsControl configuration is provided as Terraform tfvars files. Only some of the fields are mandatory, mainly the OpenStack project configuration and things external to Cloudboostr. Optional fields are available for more sophisticated configurations.

Both required and optional fields are listed in the following sections.

Required fields

Required fields have no default value, so they must be filled in before the deployment.

  • opscontrol_base_domain - Domain on which the opscontrol should be deployed
  • dns_instance_public_ip - IP address where DNS server can be found

Environments configuration

  • config_repository_url - URL of the config repository, which holds the environment configurations
  • config_repository_branch - Git branch of the config repository

Packages and backups storage

  • cb_concourse_deployment_package_bucket - Name of the bucket which holds deployment packages.

  • cb_concourse_deployment_package_target_cloud - Name of the target cloud (aws, openstack, vsphere) - default aws. This is a name of directory in packages bucket.

  • cb_concourse_deployment_package_version - Version of deployment to be installed (latest, 1.0, etc). This is a name of subdirectory in target cloud directory.

  • prometheus_backup_bucket_name - Bucket name for Prometheus backup storage. Will be used with credentials provided in storage_config.yml. Bucket can be shared among multiple deployments.

  • elk_backup_bucket_name - Bucket name for ELK backup storage. Will be used with credentials provided in storage_config.yml. Bucket can be shared among multiple deployments.

Optional fields

  • cacert_file - CA certificate file path (default = "")

  • public_dns_ip - (default = "8.8.8.8")

  • env_name - Prefix appended to the resources names (default = "opscontrol")

  • python_alias - name of the python executable (default = "python3")

  • consul_ip - Consul IP address (default = "10.96.10.4")

  • consul_private_ip - private IP of Prometheus VM

  • bosh_ip - Static IP of bosh director

  • ssh_allowed_hosts - Space-separated list of hostnames for which StrictHostKeyChecking is set to no (default = "ssh.dev.azure.com github.com")

SSH keys

  • sensitive_data_storage_container_name - Container name for keys (default = "sensitive-data")

  • sensitive_data_git_private_key_filename - GIT SSH private key file name uploaded to the sensitive data container (default = "git_private_key")

  • sensitive_data_bosh_public_key_filename - BOSH public key file name uploaded to the sensitive data container (default = "bosh-devops.pub")

  • sensitive_data_bosh_private_key_filename - BOSH private key file name uploaded to the sensitive data container (default = "bosh-devops")

  • sensitive_data_jumpbox_public_key_filename - Jumpbox public key file name uploaded to the sensitive data container (default = "jumpbox-devops.pub")

  • sensitive_data_jumpbox_private_key_filename - Jumpbox private key file name uploaded to the sensitive data container (default = "jumpbox-devops")

Make sure not to upload SSH keys that are password protected.

Networking

  • jumpbox_whitelist - List of IP addresses or CIDRs allowed to SSH to the jumpbox

  • network_cidr - CIDR for OpsControl network

  • bosh_private_ip - Fixed private IP for BOSH director

  • jumpbox_private_ip - Fixed private IP for Jumpbox in OpsControl

Subnets:

  • mgmt_subnet_cidr - BOSH subnet CIDR (default = "10.96.1.0/26")

  • mgmt_gateway_ip - IP for BOSH subnet gateway (default = "10.96.1.1")

  • mgmt_reserved_ips - BOSH reserved IP range (default = "10.96.1.2-10.96.1.10")

  • dmz_subnet_cidr - DMZ subnet CIDR (default = "10.96.2.0/24")

  • dmz_reserved_ips - BOSH reserved IPs range in DMZ subnet

  • dmz_static_ips - BOSH static IPs range in DMZ subnet

  • tools_subnet_cidr - Tools subnet CIDR (default = "10.96.10.0/24")

Extension ops

  • extensions_bucket_name - Bucket name for extension ops files (default = "")
  • extensions_bosh_directory - Directory name for BOSH extension ops files in the extensions bucket (default = "aws/opscontrol/cb-bosh-deployment")
  • extensions_bosh_properties - Properties filename for BOSH extension ops (default = "bosh.properties")
  • extensions_dns_directory - Directory name for DNS extension ops files in the extensions bucket (default = "aws/opscontrol/cb-dns-deployment")
  • extensions_dns_properties - Properties filename for DNS extension ops (default = "dns.properties")
  • extensions_concourse_directory - Directory name for Concourse extension ops files in the extensions bucket (default = "aws/opscontrol/cb-concourse-deployment")
  • extensions_concourse_properties - Properties filename for Concourse extension ops (default = "concourse.properties")
  • extensions_elk_directory - Directory name for ELK extension ops files in the extensions bucket (default = "aws/opscontrol/cb-elk-deployment")
  • extensions_elk_properties - Properties filename for ELK extension ops (default = "elk.properties")
  • extensions_prometheus_directory - Directory name for Prometheus extension ops files in the extensions bucket (default = "aws/opscontrol/cb-prometheus-deployment")
  • extensions_prometheus_properties - Properties filename for Prometheus extension ops (default = "prometheus.properties")

OAuth and LDAP

OAuth

  • oauth_type - Type of identity provider. Must be oauth2.0, oidc1.0 or an empty string
  • oauth_idp_alias - OAuth identity provider alias. Used by UAA to identify users authenticated by this provider.
  • oauth_idp_name - Human readable name of OAuth identity provider.
  • oauth_discovery_url - The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configuration
  • oauth_auth_url - The OAuth/OIDC authorization endpoint URL
  • oauth_token_url - The OAuth/OIDC token endpoint URL
  • oauth_token_key_url - The URL of the token key endpoint which renders a verification key for validating token signatures
  • oauth_issuer - The OAuth/OIDC token issuer.
  • oauth_user_info_url - The URL which provides user info (this can be blank)
  • oauth_link_text - Text to use for the login link to the provider
  • oauth_client_id - The client ID which is registered with the external OAuth provider for use by the UAA
  • oauth_client_secret - The client secret of the relying party at the external OAuth provider
  • oauth_group_name - Name of external provider group that should be mapped in UAA
  • oauth_attribute_mappings - An object that contains the mapping fields from external provider to UAA field names (see example configuration)

SAML

  • saml_idp_alias - A unique alias for the saml provider
  • saml_idp_name - Human-readable name for this saml provider
  • saml_metadata_location - SAML Metadata - either an XML string or a URL that will deliver XML content
  • saml_name_id - The name ID to use for the username, default is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • saml_link_text - Text to use for the login link to the provider
  • saml_group_name - Name of external saml provider group that should be mapped in UAA
  • saml_attribute_mappings - An object that contains the mapping fields from external provider to UAA field names (see example configuration)

LDAP

  • ldap_idp_name - Human-readable name for this LDAP provider
  • ldap_base_url - A URL pointing to the LDAP server, must start with ldap:// or ldaps://
  • ldap_mail_attribute_name - The name of the attribute that contains the user's email address, default value is mail
  • ldap_user_dn_pattern - One or more patterns used to construct DN. If used then simple bind authentication method is used.
  • ldap_user_dn_pattern_delimeter - The delimiter character used to separate multiple patterns. Default is a semicolon (;)
  • ldap_search_user_dn - The DN for the LDAP credentials used to search the directory. Required for search authentication methods.
  • ldap_search_user_password - Password credentials for the above DN to search the directory. Required for search authentication methods
  • ldap_search_base - Specify only if a part of the directory should be searched, for example dc=test,dc=com. Required for search authentication methods.
  • ldap_search_filter - The search filter used for the query. Required for search authentication methods.
  • ldap_password_attribute_name - The name of the LDAP attribute that holds the password. If provided then search and compare method is used. Otherwise search and bind will be used.
  • ldap_local_password_compare - Set to true if the comparison should be done locally. Required for search and compare method. Default is true
  • ldap_password_encoder - A fully qualified Java classname to a password encoder
  • ldap_group_search_base - The search base for the group search.
  • ldap_group_search_filter - Similar to a user filter, most common is member={0}
  • ldap_group_name - Name of LDAP group that should be mapped in UAA
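As an added example (not part of the OpsControl documentation or its code), a small Python checker that reads the flat values of a tfvars file and validates the Networking fields above (subnets inside network_cidr, gateway and reserved range inside the BOSH subnet, no jumpbox_whitelist entry open to the whole internet) together with the identity fields (allowed oauth_type values, ldap_base_url scheme, with cleartext ldap:// flagged). The tfvars parser, the sample values and the assumption that network_cidr is set are mine; the page's defaults are used wherever a field is absent.

```python
import ipaddress
import re
_LINE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')

def parse_tfvars(text):
    """Read flat `key = "value"` / `key = ["a", "b"]` lines; nested objects are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            key, raw = m.groups()
            cfg[key] = re.findall(r'"([^"]*)"', raw) if raw.startswith("[") else raw.strip('"')
    return cfg

def check_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    f = []
    net = ipaddress.ip_network(cfg["network_cidr"])  # assumption: network_cidr is set
    subs = {k: ipaddress.ip_network(cfg.get(k, d)) for k, d in (("mgmt_subnet_cidr", "10.96.1.0/26"),
            ("dmz_subnet_cidr", "10.96.2.0/24"), ("tools_subnet_cidr", "10.96.10.0/24"))}
    for name, sub in subs.items():
        if not sub.subnet_of(net):
            f.append(f"{name} {sub} is not inside network_cidr {net}")
    mgmt = subs["mgmt_subnet_cidr"]
    gw = ipaddress.ip_address(cfg.get("mgmt_gateway_ip", "10.96.1.1"))
    lo, hi = map(ipaddress.ip_address, cfg.get("mgmt_reserved_ips", "10.96.1.2-10.96.1.10").split("-"))
    if gw not in mgmt or lo not in mgmt or hi not in mgmt or lo > hi:
        f.append("mgmt_gateway_ip or mgmt_reserved_ips is not inside mgmt_subnet_cidr")
    wl = cfg.get("jumpbox_whitelist", [])  # accept an HCL list or a space-separated string
    for entry in (wl if isinstance(wl, list) else wl.split()):
        if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
            f.append(f"jumpbox_whitelist entry {entry} exposes jumpbox SSH to the whole internet")
    if cfg.get("oauth_type", "") not in ("oauth2.0", "oidc1.0", ""):
        f.append("oauth_type must be oauth2.0, oidc1.0 or an empty string")
    url = cfg.get("ldap_base_url", "")
    if url and not url.startswith(("ldap://", "ldaps://")):
        f.append("ldap_base_url must start with ldap:// or ldaps://")
    elif url.startswith("ldap://"):
        f.append("ldap_base_url uses cleartext ldap://; bind credentials cross the network unencrypted")
    return f

# Constructed sample, not a real deployment; it contains two deliberate mistakes.
SAMPLE = '''
network_cidr      = "10.96.0.0/16"
jumpbox_whitelist = ["203.0.113.0/24", "0.0.0.0/0"]
ldap_base_url     = "ldap://ldap.example.internal:389"
'''

def sample_findings():
    return check_config(parse_tfvars(SAMPLE))
```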