-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathconfig.yaml
121 lines (104 loc) · 5.2 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
project: cf-deployments-wg
region: europe-west3
zone: europe-west3-a
secondary_zone: europe-west3-b
# gcs_prefix builds root folder for tf state for the entire stack
gcs_bucket: terraform-ard-wg-ci
gcs_prefix: concourse
# DNS record for your Concourse URL https://<dns_record>.<dns_zone>.dns_domain
dns_record: concourse
dns_zone: wg-ard
dns_domain: ci.cloudfoundry.org
# Project's resource names are build off GKE name for scaling purposes
# k8s cluster, SQL instance, vpc, IAM groups, cloud nat router, service accounts
gke_name: wg-ci
# Concourse teams
concourse_github_mainTeam: "cloudfoundry:wg-app-runtime-deployments"
concourse_github_mainTeamUser: ""
# Concourse helm chart
concourse_helm_version: "17.1.0"
# Module sources for the stack - git or local
# ie.
# infra: "[email protected]:cloudfoundry/app-autoscaler-release.git//ci/terraform-modules/concourse/infra?ref=new-concourse"
# infra: "../../..//terraform-modules//concourse/infra"
tf_modules:
infra: "[email protected]:cloudfoundry/app-runtime-interfaces-infrastructure.git//terraform-modules/concourse/infra?ref=1.5.0"
backend: "[email protected]:cloudfoundry/app-runtime-interfaces-infrastructure.git//terraform-modules/concourse/backend?ref=1.5.0"
app: "[email protected]:cloudfoundry/app-runtime-interfaces-infrastructure.git//terraform-modules/concourse/app?ref=1.5.0"
dr_create: "[email protected]:cloudfoundry/app-runtime-interfaces-infrastructure.git//terraform-modules/concourse/dr_create?ref=1.5.0"
dr_restore: "[email protected]:cloudfoundry/app-runtime-interfaces-infrastructure.git//terraform-modules/concourse/dr_restore?ref=1.5.0"
e2e_test: "[email protected]:cloudfoundry/app-runtime-interfaces-infrastructure.git//terraform-modules/concourse/e2e_test?ref=1.5.0"
secret_rotation_postgresql: "[email protected]:cloudfoundry/app-runtime-interfaces-infrastructure.git//terraform-modules/concourse/secret_rotation_postgresql?ref=1.5.0"
automatic_certificate_regeneration: "[email protected]:cloudfoundry/app-runtime-interfaces-infrastructure.git//terraform-modules/concourse/automatic_certificate_regeneration?ref=1.5.0"
# ---------------------------------------------------------
# In most cases settings below are safe to keep as defaults
# ---------------------------------------------------------
# SQL
sql_instance_tier: db-custom-1-4096
sql_instance_backup_location: eu
sql_instance_disk_size: 38
# Other GKE vars
# gke versions: see https://cloud.google.com/kubernetes-engine/docs/release-notes
gke_controlplane_version: 1.24.8-gke.2000
gke_cluster_ipv4_cidr: 10.104.0.0/14
gke_services_ipv4_cidr_block: 10.108.0.0/20
gke_master_ipv4_cidr_block: 172.16.0.32/28
gke_subnet_cidr: 10.10.0.0/24
gke_default_pool_machine_type: e2-standard-4
gke_default_pool_node_count: 1
gke_default_pool_autoscaling_max: 3
gke_default_pool_ssd_count: 0
# typical config for concourse worker is n2-standard-4 and ssd_count: 1
# note: economy e2-standard machine can't use local ssd drives
gke_workers_pool_machine_type: n2-standard-4
# note: number of worker pods is constant and equal to number of nodes:
# https://github.com/cloudfoundry/app-runtime-interfaces-infrastructure/blob/0bcc22801133a968259d31a165bb36001b1becfe/terraform-modules/concourse/app/concourse.tf#L34
# wouldn't work well for Concourse workers (deleted pods cause orange jobs)
gke_workers_pool_node_count: 8
# horizontal pod autoscaling is not enabled, so there will be no node autoscaling -> set autoscaling_max to node_count
gke_workers_pool_autoscaling_max: 8
gke_workers_pool_ssd_count: 1
# low number of preallocated ports will impact networking for heavy concourse pipelines
gke_cloud_nat_min_ports_per_vm: 16384
# provisioning of loadbalancers
gke_http_load_balancing_disabled: false
# IAM
wg_ci_human_account_permissions: [
"container.clusterRoles.bind",
"container.clusterRoles.create",
"container.clusterRoles.delete",
"container.clusterRoles.escalate",
"container.clusterRoles.get",
"container.clusterRoles.list",
"container.clusterRoles.update",
"container.clusterRoleBindings.create",
"container.clusterRoleBindings.delete",
"container.clusterRoleBindings.get",
"container.clusterRoleBindings.list",
"container.clusterRoleBindings.update",
"container.configMaps.get",
# *Note* iam.roles allow to esalate privileges to any account
"iam.roles.create",
"iam.roles.update",
"iam.roles.delete",
"iam.roles.undelete",
"iam.serviceAccounts.setIamPolicy",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.setIamPolicy",
# TODO: rather give access to particular secret
"secretmanager.versions.access"
]
wg_ci_cnrm_service_account_permissions: [
"cloudsql.users.create",
"cloudsql.users.delete",
"cloudsql.users.get",
"cloudsql.users.list",
"cloudsql.users.update",
"cloudsql.databases.get",
"cloudsql.databases.list",
"cloudsql.databases.update"
]
# list of certificates that shall be automatically renewed every month
# enter as one string with a comma-separated list of CredHub certificate names
certificates_to_regenerate: "/concourse/main/luna_lb,/concourse/main/luna-iso_lb,/concourse/main/hermione_lb,/concourse/main/snape_lb,/concourse/main/smoke-tests_lb,/concourse/main/bellatrix_lb"