diff --git a/.gitignore b/.gitignore
index 9bcb12d..0238eed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 *state.json
 deploy-*.sh
 .DS_Store
+/.idea/
diff --git a/cluster/operations/aws-ssm-instance-profile.yml b/cluster/operations/aws-ssm-instance-profile.yml
new file mode 100644
index 0000000..3c4f401
--- /dev/null
+++ b/cluster/operations/aws-ssm-instance-profile.yml
@@ -0,0 +1,13 @@
+#
+# This operations file will use remove the AWS SSM
+# Access and Secret Access Key to instead use the instance
+# profile of the web node.
+#
+# Requires the aws-ssm-manager.yml ops file
+
+---
+- type: remove
+ path: /instance_groups/name=web/jobs/name=web/properties/aws_ssm/access_key
+
+- type: remove
+ path: /instance_groups/name=web/jobs/name=web/properties/aws_ssm/secret_key
diff --git a/cluster/operations/aws-ssm-manager.yml b/cluster/operations/aws-ssm-manager.yml
new file mode 100644
index 0000000..92bdf88
--- /dev/null
+++ b/cluster/operations/aws-ssm-manager.yml
@@ -0,0 +1,17 @@
+#
+# This operations file will add AWS SSM Secrets Manager Support to
+# the web node
+
+---
+- type: replace
+ path: /instance_groups/name=web/jobs/name=web/properties/aws_ssm?
+ value:
+ access_key: ((aws_ssm.access_key))
+ secret_key: ((aws_ssm.secret_key))
+ region: ((aws_ssm.region))
+
+ pipeline_secret_template: ((aws_ssm.pipeline_secret_template))
+ # default value is /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
+
+ team_secret_template: ((aws_ssm.team_secret_template))
+ # default value is /concourse/{{.Team}}/{{.Secret}}
diff --git a/cluster/operations/aws-ssm-session-token.yml b/cluster/operations/aws-ssm-session-token.yml
new file mode 100644
index 0000000..828f734
--- /dev/null
+++ b/cluster/operations/aws-ssm-session-token.yml
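Review bot: The header comment on the second line of aws-ssm-instance-profile.yml reads "will use remove the AWS SSM", which is garbled; suggest `# This operations file removes the AWS SSM access key and secret key so the web node authenticates with its instance profile instead.` Both `remove` ops name keys without a `?` suffix, so the file presumably cannot apply until aws-ssm-manager.yml has created them, and the same ordering constraint holds for the `remove` ops in aws-ssm-session-token.yml and vault-client-token-path.yml; each "Requires" line would be more useful as "must be applied after <file>". Since this file exists precisely to avoid static keys, it may also be worth a comment that the IAM role attached to the web instance needs read access to the parameter paths produced by the templates in aws-ssm-manager.yml.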
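Review bot: The header of aws-ssm-manager.yml says "AWS SSM Secrets Manager Support", but the `/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}` templates below it look like SSM Parameter Store paths, and Parameter Store and Secrets Manager are different AWS services; if this op targets Parameter Store the comment should say so, otherwise an operator may grant IAM permissions for the wrong service. The two `# default value is ...` comments sit below the keys they describe, after a blank line, so they read as attached to nothing; move each directly above its key, e.g. `# default: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}` above `pipeline_secret_template:`. Because both templates have defaults, making them required `((aws_ssm.*))` variables forces every deployment to restate the default; consider moving them to a separate optional op like the other optional settings in this commit.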
@@ -0,0 +1,16 @@
+#
+# This operations file will use a Session Token instead of
+# a pair of Access and Secret Access Keys
+#
+# Requires the aws-ssm-manager.yml ops file
+
+---
+- type: remove
+ path: /instance_groups/name=web/jobs/name=web/properties/aws_ssm/access_key
+
+- type: remove
+ path: /instance_groups/name=web/jobs/name=web/properties/aws_ssm/secret_key
+
+- type: replace
+ path: /instance_groups/name=web/jobs/name=web/properties/aws_ssm/session_token
+ value: ((aws_ssm_session_token))
diff --git a/cluster/operations/aws-ssm-shared-path.yml b/cluster/operations/aws-ssm-shared-path.yml
new file mode 100644
index 0000000..a79fb45
--- /dev/null
+++ b/cluster/operations/aws-ssm-shared-path.yml
@@ -0,0 +1,10 @@
+#
+# This operations file will add a shared path route
+# in order to define secrets accessible by all teams.
+#
+# Requires the aws-ssm-manager.yml ops file
+
+---
+- type: replace
+ path: /instance_groups/name=web/jobs/name=web/properties/aws_ssm/shared_path?
+ value: ((aws_ssm_shared_path))
diff --git a/cluster/operations/ipv6_networking.yml b/cluster/operations/ipv6_networking.yml
new file mode 100644
index 0000000..47ee892
--- /dev/null
+++ b/cluster/operations/ipv6_networking.yml
@@ -0,0 +1,13 @@
+#
+# This operations file will configure workers to communicate over
+# the IPv6 Protocol in addition to existing IPv4
+#
+# Requires the runtime-containerd.yml ops file
+
+---
+- type: replace
+ path: /instance_groups/name=worker/containerd/ipv6?
+ value:
+ enabled: ((ipv6.enabled))
+ pool: ((ipv6.pool))
+ disable_masquerade: ((ipv6.disable_masquerade))
diff --git a/cluster/operations/postgres-binary-parameters.yml b/cluster/operations/postgres-binary-parameters.yml
new file mode 100644
index 0000000..44ad959
--- /dev/null
+++ b/cluster/operations/postgres-binary-parameters.yml
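Review bot: The final `replace` in aws-ssm-session-token.yml targets `.../aws_ssm/session_token` without a trailing `?`, and aws-ssm-manager.yml never creates that key, so the op will presumably fail to find the path; aws-ssm-shared-path.yml already uses `shared_path?` for the same situation, so this should read `path: /instance_groups/name=web/jobs/name=web/properties/aws_ssm/session_token?`. Separately, an AWS session token is issued together with a temporary access key id and secret key and does not authenticate on its own, so removing `access_key` and `secret_key` here looks like it leaves the web node with no usable credentials unless the web job sources them elsewhere — worth confirming against the job spec before merging. The variable is named `((aws_ssm_session_token))`, and aws-ssm-shared-path.yml likewise uses `((aws_ssm_shared_path))`, while every value in aws-ssm-manager.yml is under the dotted `aws_ssm.` prefix; `((aws_ssm.session_token))` and `((aws_ssm.shared_path))` would keep a single vars-file shape.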
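Review bot: The header of aws-ssm-shared-path.yml states that the path defines secrets accessible by all teams but does not say what that implies for the operator choosing the value; every parameter under this prefix becomes readable by every team's pipelines, so the comment should make the scoping requirement explicit. Suggest adding `# Every parameter under this prefix is readable by all teams; use a dedicated prefix that does not overlap the team or pipeline templates.` above the `---`.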
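Review bot: The path in ipv6_networking.yml, `/instance_groups/name=worker/containerd/ipv6?`, addresses the instance group itself rather than the worker job's properties, unlike every other op in this commit, which goes through `jobs/name=<job>/properties`; with `containerd` lacking a `?` the op presumably fails because no such key exists on the instance group, and even with one it would write a key the manifest schema does not define. The likely intent is `path: /instance_groups/name=worker/jobs/name=worker/properties/containerd/ipv6?`, assuming `containerd` is the property that runtime-containerd.yml (not shown here) sets. resource-type-checking-interval.yml has the same problem with `/instance_groups/name=web/default_resource_type_check_interval`, which presumably should be `/instance_groups/name=web/jobs/name=web/properties/default_resource_type_check_interval?` if that is the property name in the web job spec.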
@@ -0,0 +1,8 @@
+#
+# This operations file will allow the option for the
+# PostgreSQL Driver to use Binary Parameters for Prepared Statements.
+
+---
+- type: replace
+ path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/binary_parameters?
+ value: ((postgres_binary))
\ No newline at end of file
diff --git a/cluster/operations/resource-type-checking-interval.yml b/cluster/operations/resource-type-checking-interval.yml
new file mode 100644
index 0000000..ff5c72f
--- /dev/null
+++ b/cluster/operations/resource-type-checking-interval.yml
@@ -0,0 +1,9 @@
+#
+# This operations file will override the default Resource Type
+# Check Interval on the web node
+#
+
+---
+- type: replace
+ path: /instance_groups/name=web/default_resource_type_check_interval
+ value: ((resource_check_interval))
\ No newline at end of file
diff --git a/cluster/operations/vault-client-token-path.yml b/cluster/operations/vault-client-token-path.yml
new file mode 100644
index 0000000..41ea2d1
--- /dev/null
+++ b/cluster/operations/vault-client-token-path.yml
@@ -0,0 +1,15 @@
+#
+# This operations file will configure web to accept the Vault Client
+# Token from a file
+#
+# Requires the vault.yml ops file
+#
+
+---
+- type: remove
+ path: /instance_groups/name=web/jobs/name=web/properties/vault/auth/client_token
+
+- type: replace
+ path: /instance_groups/name=web/jobs/name=web/properties/vault/auth?
+ value:
+ client_token_path: ((vault.client_token_path))
\ No newline at end of file
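Review bot: The variable in postgres-binary-parameters.yml is named `((postgres_binary))` while the property it feeds is `binary_parameters`, and the header describes it as an option, which suggests a boolean; `value: ((postgres_binary_parameters))` would make the vars file self-describing. The header could also state the accepted values, e.g. `# Set to true to send prepared-statement parameters in binary form.`, so operators do not have to read the job spec to know what the variable expects.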
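Review bot: The variable name `((resource_check_interval))` in resource-type-checking-interval.yml drops the "resource type" qualifier that both the file name and the property carry, which invites confusion with the ordinary per-resource check interval; `value: ((resource_type_check_interval))` would be unambiguous. The header could also name the unit and form the value takes, e.g. `# Duration string such as 1m; overrides the web node's default resource type check interval.`, assuming the property accepts a duration as its name suggests.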
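Review bot: The second op in vault-client-token-path.yml replaces the whole `vault/auth?` map with `{client_token_path: ...}`, so any other auth settings the required vault.yml ops file (not shown here) may have placed under `auth` are discarded rather than merged. Adding only the new key avoids that: `path: /instance_groups/name=web/jobs/name=web/properties/vault/auth/client_token_path?` with `value: ((vault.client_token_path))`. It would also help the header to say where the file is read from and that it must be readable only by the web job's user, since the token it holds is the credential this op exists to keep out of the manifest.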