These are the inputs that can be provided to the tasks.
Each task can only take a specific set, indicated under the inputs property of the YAML.
director config
The config director will set the bosh tile (director) on Ops Manager.
The config input for a director task expects to have a director.yml file.
The configuration of the director.yml is IAAS specific for some properties -- i.e. networking.
There are two ways to build a director config.
Using an already deployed Ops Manager, you can extract the config using staged-director-config.
Deploying a brand new Ops Manager requires more effort for a director.yml.
The configuration of the director is variable, based on the features enabled.
For brevity, this director.yml is a basic example for vsphere.
The IAAS specific configuration can be found in the Ops Manager API documentation.
Included below is a list of properties that can be set in the director.yml
and a link to the API documentation explaining any IAAS specific properties.
az-configuration - a list of availability zones Ops Manager API
network-assignment - the network the bosh director is deployed to Ops Manager API
networks-configuration - a list of named networks Ops Manager API
properties-configuration
iaas_configuration - configuration for the bosh IAAS CPI Ops Manager API
director_configuration - properties for the bosh director Ops Manager API
security_configuration - security properties for the bosh director Ops Manager API
syslog_configuration - configure the syslog sinks for the bosh director Ops Manager API
resource-configuration - IAAS VM flavor for the bosh director Ops Manager API
vmextensions-configuration - create/update/delete vm extensions Ops Manager API
GCP Shared VPC
Support for Shared VPC is done via configuring the iaas_identifier path for the infrastructure subnet,
which includes the host project id, region of the subnet, and the subnet name.
For example:
[HOST_PROJECT_ID]/[NETWORK]/[SUBNET]/[REGION]
download-product-config
The config input for a download product task
can be used with a download-config.yml file to download a tile.
The configuration of the download-config.yml looks like this:
```yaml
---
pivnet-api-token: token

## Note that file globs must be quoted if they start with *;
## otherwise they'll be interpreted as a YAML anchor.
pivnet-file-glob: "*.pivotal"
pivnet-product-slug: product-slugs

## defaults to false and should be excluded if not set to true
# pivnet-disable-ssl: true

## Either product-version OR product-version-regex is required
# product-version: 1.2.3
## Note that the regex mustn't be quoted,
## as escape characters for the regex will confuse yaml parsers.
# product-version-regex: ^1\.2\..*$

## If set, will attempt to download the latest stemcell for the product.
## Ignored if the specified file is not a `.pivotal` file.
## Valid options are: aws, azure, google, openstack, vsphere.
# stemcell-iaas: google

## The following are required only if using download-product-s3.
## Any key marked required above is still required when using S3.
## If s3-bucket is set,
## downloaded product files will have their slug and version prepended.
s3-bucket: s3-bucket
s3-region-name: us-west-1     # required; sufficient for AWS
s3-endpoint: s3.endpoint.com  # if not using AWS, this is required

## Required unless `s3-auth-type` is `iam`
s3-access-key-id: aws-or-minio-key-id
s3-secret-access-key: aws-or-minio-secret-key

## Optional paths for both the product and the associated stemcell
## defaults to the root path of the specified bucket
# s3-product-path: /path/to/product
# s3-stemcell-path: /path/to/stemcell

## defaults to false and should be excluded if not set to true
# s3-disable-ssl: true

## defaults to false;
## made available only because sometimes necessary for compatibility
# s3-enable-v2-signing: true

## defaults to accesskey;
## allows use of AWS instance IAM creds, if available
# s3-auth-type: iam
```
download-stemcell-product-config
The config input for a download product task
can be used with a download-config.yml file to download a stemcell.
The configuration of the download-config.yml looks like this:
```yaml
---
pivnet-api-token: token

## Note that file globs must be quoted if they start with *;
## otherwise they'll be interpreted as a YAML anchor.
pivnet-file-glob: "*vsphere*"
pivnet-product-slug: stemcells-ubuntu-xenial

## defaults to false and should be excluded if not set to true
# pivnet-disable-ssl: true

## Either product-version OR product-version-regex is required
# product-version: "250.82"
## Note that the regex mustn't be quoted,
## as escape characters for the regex will confuse yaml parsers.
# product-version-regex: ^250\..*$

## The following are required only if using download-product-s3.
## Any key marked required above is still required when using S3.
## If s3-bucket is set,
## downloaded product files will have their slug and version prepended.
s3-bucket: s3-bucket
s3-region-name: us-west-1     # required; sufficient for AWS
s3-endpoint: s3.endpoint.com  # if not using AWS, this is required

## Required unless `s3-auth-type` is `iam`
s3-access-key-id: aws-or-minio-key-id
s3-secret-access-key: aws-or-minio-secret-key

## Optional paths for both the product and the associated stemcell
## defaults to the root path of the specified bucket
# s3-product-path: /path/to/product
# s3-stemcell-path: /path/to/stemcell

## defaults to false and should be excluded if not set to true
# s3-disable-ssl: true

## defaults to false;
## made available only because sometimes necessary for compatibility
# s3-enable-v2-signing: true

## defaults to accesskey;
## allows use of AWS instance IAM creds, if available
# s3-auth-type: iam
```
env
The env input for a task expects to have an env.yml file.
This file contains properties for targeting and logging into the Ops Manager API.
basic authentication
```yaml
---
target: https://pcf.example.com
connect-timeout: 30            # default 5
request-timeout: 1800          # default 1800
skip-ssl-validation: false     # default false
username: username
password: password
# decryption-passphrase is optional,
# except for use with `import-installation`.
# OpsMan depends on the passphrase
# to decrypt the imported installation.
# For other commands, providing this key allows
# decryption of the OpsMan VM after reboot,
# which would otherwise need to be done manually.
decryption-passphrase: passphrase
```
uaa authentication
```yaml
---
target: https://pcf.example.com
connect-timeout: 30            # default 5
request-timeout: 1800          # default 1800
skip-ssl-validation: false     # default false
client-id: client_id
client-secret: client_secret
# decryption-passphrase is optional,
# except for use with `import-installation`.
# OpsMan depends on the passphrase
# to decrypt the imported installation.
# For other commands, providing this key allows
# decryption of the OpsMan VM after reboot,
# which would otherwise need to be done manually.
decryption-passphrase: passphrase
```
Getting the client-id and client-secret
Ops Manager will by preference use Client ID and Client Secret if provided.
To create a Client ID and Client Secret:
`uaac target https://YOUR_OPSMANAGER/uaa`
`uaac token sso get` if using SAML or `uaac token owner get` if using basic auth. Specify the Client ID as opsman and leave Client Secret blank.
The file contains the information to restore an Ops Manager VM.
The installation input for an opsman VM task expects to have an installation.zip file.
This file can be exported from an Ops Manager VM using export-installation.
This file can be imported to an Ops Manager VM using import-installation.
Warning
This file cannot be manually created. It is a file that must be generated via the export function of Ops Manager.
Ops Manager config
The config for an Ops Manager describes IAAS specific information for creating the VM -- i.e. VM flavor (size), IP addresses.
The config input for an opsman task expects to have an opsman.yml file.
The configuration of the opsman.yml is IAAS specific.
```yaml
---
opsman-configuration:
  aws:
    region: us-west-2
    vpc_subnet_id: subnet-0292bc845215c2cbf
    security_group_ids: [sg-0354f804ba7c4bc41]
    key_pair_name: ops-manager-key  # used to ssh to VM
    iam_instance_profile_name: env_ops_manager

    # At least one IP address (public or private) needs to be assigned to the
    # VM. It is also permissible to assign both.
    public_ip: 1.2.3.4      # Reserved Elastic IP
    private_ip: 10.0.0.2

    # Optional
    # vm_name: ops-manager-vm    # default - ops-manager-vm
    # boot_disk_size: 100        # default - 200 (GB)
    # instance_type: m5.large    # default - m5.large
    #                            # NOTE - not all regions support m5.large
    # assume_role: "arn:aws:iam::..." # necessary if a role is needed to authorize
    #                                 # the OpsMan VM instance profile

    # Omit if using instance profiles
    # And instance profile OR access_key/secret_access_key is required
    # access_key_id: sample-access-id
    # secret_access_key: sample-secret-access-key

    # security_group_id: sg-123  # DEPRECATED - use security_group_ids
    # use_instance_profile: true # DEPRECATED - will use instance profile for
    #                            # execution VM if access_key_id and
    #                            # secret_access_key are not set
```
Info
At least one IP address (public or private) must be assigned to the Ops Manager VM.
Both can be assigned, too.
Using instance_profile to Avoid Secrets
For authentication you must either set use_instance_profile: true
or provide a secret_key_id and secret_access_key.
You must remove key information if you're using an instance profile.
Using an instance profile allows you to avoid interpolation,
as this file then contains no secrets.
```yaml
---
opsman-configuration:
  azure:
    tenant_id: 3e52862f-a01e-4b97-98d5-f31a409df682
    subscription_id: 90f35f10-ea9e-4e80-aac4-d6778b995532
    client_id: 5782deb6-9195-4827-83ae-a13fda90aa0d
    client_secret: 6Iaue71Lqxfq
    location: westus
    resource_group: res-group
    storage_account: opsman                       # account name of container
    ssh_public_key: ssh-rsa AAAAB3NzaC1yc2EAZ...  # ssh key to access VM

    # Note that there are several environment-specific details in this path
    # This path can reach out to other resource groups if necessary
    subnet_id: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Network/virtualNetworks/<VNET>/subnets/<SUBNET>

    # At least one IP address (public or private) needs to be assigned
    # to the VM. It is also permissible to assign both.
    private_ip: 10.0.0.3
    public_ip: 1.2.3.4

    # Optional
    # cloud_name: AzureCloud          # default - AzureCloud
    # storage_key: pEuXDaDK/WWo...    # only required if your client does not
    #                                 # have the needed storage permissions
    # container: opsmanagerimage      # storage account container name
    #                                 # default - opsmanagerimage
    # network_security_group: ops-manager-security-group
    # vm_name: ops-manager-vm         # default - ops-manager-vm
    # boot_disk_size: 200             # default - 200 (GB)
    # use_managed_disk: true          # this flag is only respected by the
    #                                 # create-vm and upgrade-opsman commands.
    #                                 # set to false if you want to create
    #                                 # the new opsman VM with an unmanaged
    #                                 # disk (not recommended). default - true

    # vpc_subnet: /subscriptions/...  # DEPRECATED - use subnet_id
    # use_unmanaged_disk: false       # DEPRECATED - use use_managed_disk
```
Info
At least one IP address (public or private) must be assigned to the Ops Manager VM.
Both can be assigned, too.
```yaml
---
opsman-configuration:
  gcp:
    # Either gcp_service_account_name or gcp_service_account json is required
    # You must remove whichever you don't use
    gcp_service_account_name: user@project-id.iam.gserviceaccount.com
    gcp_service_account: |
      {
        "type": "service_account",
        "project_id": "project-id",
        "private_key_id": "af719b1ca48f7b6ac67ca9c5319cb175",
        "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
        "client_email": "user@project-id.iam.gserviceaccount.com",
        "client_id": "1234567890",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://accounts.google.com/o/oauth2/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/user%40project-id.iam.gserviceaccount.com"
      }

    project: project-id
    region: us-central1
    zone: us-central1-b
    vpc_subnet: infrastructure-subnet

    # At least one IP address (public or private) needs to be assigned to the
    # VM. It is also permissible to assign both.
    public_ip: 1.2.3.4
    private_ip: 10.0.0.2

    ssh_public_key: ssh-rsa some-public-key...  # RECOMMENDED, but not required
    tags: ops-manager                           # RECOMMENDED, but not required

    # Optional
    # vm_name: ops-manager-vm  # default - ops-manager-vm
    # custom_cpu: 2            # default - 2
    # custom_memory: 8         # default - 8
    # boot_disk_size: 100      # default - 100
    # scopes: ["my-scope"]
```
Info
At least one IP address (public or private) must be assigned to the Ops Manager VM.
Both can be assigned, too.
Using a Service Account Name to Avoid Secrets
For authentication either gcp_service_account or gcp_service_account_name is required.
You must remove the one you are not using.
Note that using gcp_service_account_name allows you to avoid interpolation,
as this file then contains no secrets.
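A pre-commit style check for the point made in the two "Avoid Secrets" sections above, added here as an example and not part of Platform Automation: it scans a config file for credential-bearing keys from this page that hold a literal value, and for the TLS-verification switches set to their insecure value. It assumes interpolated values are written as `((name))` placeholders; the sample configs are constructed.

```python
import re

# Credential-bearing keys taken from the configs on this page.
SECRET_KEYS = {
    "password", "client-secret", "client_secret", "decryption-passphrase",
    "pivnet-api-token", "s3-secret-access-key", "secret_access_key",
    "storage_key", "gcp_service_account", "ssh_password",
    "usage-service-client-secret",
}
# Keys from this page that turn TLS verification off, with the values that do so.
TLS_OFF = {
    "skip-ssl-validation": {"true"}, "pivnet-disable-ssl": {"true"},
    "s3-disable-ssl": {"true"}, "insecure": {"true", "1"},
    "usage-service-insecure-skip-tls-verify": {"true"},
}
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_-]+):\s*(.*)$")
PLACEHOLDER = re.compile(r"^\(\(.+\)\)$")  # assumption: ((name)) interpolation


def lint(text):
    """Return (line_number, key, problem) for every finding in a YAML config."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0]  # drop a trailing comment
        match = KEY_VALUE.match(line)
        if not match:
            continue  # comment line, block-scalar body, document marker or blank
        key, value = match.group(1), match.group(2).strip().strip("'\"")
        # A literal (including a "|" block scalar) under a secret key is a finding.
        if key in SECRET_KEYS and value and not PLACEHOLDER.match(value):
            findings.append((number, key, "inline secret"))
        elif value.lower() in TLS_OFF.get(key, ()):
            findings.append((number, key, "TLS verification disabled"))
    return findings


# Constructed opsman.yml samples (not from the page): keys inline vs. instance profile.
WITH_KEYS = """\
opsman-configuration:
  aws:
    region: us-west-2
    access_key_id: sample-access-id
    secret_access_key: sample-secret-access-key
"""
WITH_PROFILE = """\
opsman-configuration:
  aws:
    region: us-west-2
    iam_instance_profile_name: env_ops_manager
"""

if __name__ == "__main__":
    for name, doc in (("with keys", WITH_KEYS), ("with profile", WITH_PROFILE)):
        print(name, lint(doc))
```

A file that returns no findings can be committed without a separate interpolation step; any finding means the value should move to a credential store or the switch should be set back to its secure default.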
Support for Shared VPC is done via
configuring the vpc_subnet path
to include the host project id, region of the subnet, and the subnet name.
```yaml
---
opsman-configuration:
  openstack:
    project_name: project
    auth_url: http://os.example.com:5000/v2.0
    username: admin
    password: password
    net_id: 26a13112-b6c2-11e8-96f8-529269fb1459
    security_group_name: opsman-sec-group
    key_pair_name: opsman-keypair

    # At least one IP address (public or private) needs to be assigned to the VM.
    public_ip: 1.2.3.4  # must be an already allocated floating IP
    private_ip: 10.0.0.3

    # Optional
    # availability_zone: zone-01
    # project_domain_name: default
    # user_domain_name: default
    # vm_name: ops-manager-vm       # default - ops-manager-vm
    # flavor: m1.xlarge             # default - m1.xlarge
    # identity_api_version: 2       # default - 3
    # insecure: true                # default - false
```
Info
At least one IP address (public or private) must be assigned to the Ops Manager VM.
Both can be assigned, too.
```yaml
---
opsman-configuration:
  vsphere:
    vcenter:
      ca_cert: cert                  # REQUIRED if insecure = 0 (secure)
      datacenter: example-dc
      datastore: example-ds-1
      folder: /example-dc/vm/Folder  # RECOMMENDED, but not required
      url: vcenter.example.com
      username: admin
      password: password
      resource_pool: /example-dc/host/example-host/Resources/example-res-pool
      # resource_pool can use a cluster - /example-dc/host/example-cluster

      # Optional
      # host: host                   # DEPRECATED - Platform Automation cannot guarantee
      #                              # the location of the VM, given the nature of vSphere
      # insecure: 0                  # default - 0 (secure) | 1 (insecure)

    disk_type: thin                  # thin|thick
    dns: 8.8.8.8
    gateway: 192.168.10.1
    hostname: ops-manager.example.com
    netmask: 255.255.255.192
    network: example-virtual-network
    ntp: ntp.ubuntu.com
    private_ip: 10.0.0.10
    ssh_public_key: ssh-rsa ......   # REQUIRED Ops Manager >= 2.6

    # Optional
    # cpu: 1                         # default - 1
    # memory: 8                      # default - 8 (GB)
    # ssh_password: password         # REQUIRED if ssh_public_key not defined
    #                                # (Ops Manager < 2.6 ONLY)
    # vm_name: ops-manager-vm        # default - ops-manager-vm
```
opsman image
This file is an artifact from Pivnet,
which contains the VM image for a specific IaaS.
For vsphere and openstack, it's a full disk image.
For AWS, GCP, and Azure, it's a YAML file listing the location
of images that are already available on the IaaS.
These are examples to download the image artifact for each IaaS
using the download-product task.
This file contains the meta-information needed to manage the Ops Manager VM.
The state input for an opsman VM task expects to have a state.yml file.
The state.yml file contains two properties:
iaas is the IAAS the Ops Manager VM is hosted on (gcp, vsphere, aws, azure, openstack).
vm_id is the unique identifier of the VM. For some IAAS, the VM ID is the VM name.
Different IaaS uniquely identify VMs differently;
here are examples for what this file should look like,
depending on your IAAS:
``` yaml tab="AWS"
iaas: aws
# Instance ID of the AWS VM
vm_id: i-12345678987654321
```

``` yaml tab="Azure"
iaas: azure
# Computer Name of the Azure VM
vm_id: vm_name
```

``` yaml tab="GCP"
iaas: gcp
# Name of the VM in GCP
vm_id: vm_name
```

``` yaml tab="OpenStack"
iaas: openstack
# Instance ID from the OpenStack Overview
vm_id: 12345678-9876-5432-1abc-defghijklmno
```

``` yaml tab="vSphere"
iaas: vsphere
# Path to the VM in vCenter
vm_id: /datacenter/vm/folder/vm_name
```

### stemcell
This `stemcell` input requires the stemcell tarball (`.tgz`) as downloaded from Pivnet.
It must keep its original filename, as Ops Manager uses the filename to parse metadata.
The filename could look like `bosh-stemcell-3541.48-vsphere-esxi-ubuntu-trusty-go_agent.tgz`.
!!! warning
    This file cannot be manually created. It is a file that must be retrieved from Pivnet.
Here's an example of how to pull the vSphere stemcell
using the [download-product][download-product] task.
#### stemcell.yml
```yaml tab="AWS"
---
pivnet-api-token: token
pivnet-file-glob: "bosh-stemcell-*-aws*.tgz"
pivnet-product-slug: stemcells-ubuntu-xenial
product-version-regex: ^170\..*$
```

This artifact is an output of download-product
located in the assign-stemcell-config output directory.
This file should resemble the following:
```yaml
product: cf
stemcell: "97.190"
```
telemetry
The config input for the collect-telemetry task
can be used with a telemetry.yml file to collect data for Pivotal
so they can learn and measure results
in order to put customer experience at the forefront of their product decisions.
The configuration of the telemetry.yml looks like this:
```yaml
---
env-type: sandbox # sandbox|development|qa|pre-production|production

# Usage Service (Recommended)
cf-api-url:
# UAA authentication to access Usage Service
usage-service-url:
usage-service-client-id:
usage-service-client-secret:
usage-service-insecure-skip-tls-verify:

# CredHub (Optional)
# with-credhub-info: # include Credhub certificate expiry information
```