fix: iso seg ops files (#1109)

* Fixes `operations/test/add-persistent-isolation-segment-diego-cell.yml` and promotes to `operations/add-persistent-isolation-segment-diego-cell.yml`
* Fixes `operations/test/add-persistent-isolation-segment-router.yml` and promotes to `operations/add-persistent-isolation-segment-router.yml`
* Removes `operations/test/add-persistent-isolation-segment-diego-cell-bosh-lite.yml`
* Updates unit tests appropriately
* Uses the promoted ops files in CI in lieu of the old ops files.
* Updates READMEs as appropriate

Author: reneighbor

README.md

@@ -215,18 +215,6 @@ For details, see the [Experimental Ops-file README](operations/experimental/READ
 "Test" ops-files are configurations
 that we run in our testing pipeline
 to enable certain features.
-We include them in the public repository
-(rather than in our private CI repositories)
-for a few reasons,
-depending on the particular ops-file.
-
-Some files are included
-because we suspect that the configurations will be commonly needed
-but not easily generalized.
-For example,
-`add-persistent-isolation-segment.yml` shows how a deployer can add an isolated Diego cell,
-but the ops-file is hard to apply repeatably.
-In this case, the ops-file is an example.
 
 #### [Backup and Restore](operations/backup-and-restore)
 Contains all the ops files utilized to enable and configure [BOSH Backup and Restore](https://github.com/cloudfoundry-incubator/bosh-backup-and-restore) (BBR).

ci/pipelines/cf-deployment.yml

@@ -527,9 +527,9 @@ jobs:
       OPS_FILES: |
         operations/rename-network-and-deployment.yml
         operations/set-bbs-active-key.yml
-        operations/test/add-persistent-isolation-segment-diego-cell.yml
+        operations/add-persistent-isolation-segment-diego-cell.yml
         operations/test/use-cflinuxfs4-compat-isolation-segment-diego-cell.yml
-        operations/test/add-persistent-isolation-segment-router.yml
+        operations/add-persistent-isolation-segment-router.yml
         operations/rename-isolation-segment-network.yml
         operations/addons/enable-component-syslog.yml
         operations/addons/add-system-metrics-agent.yml
@@ -799,7 +799,7 @@ jobs:
         operations/use-external-blobstore.yml
         operations/use-gcs-blobstore-service-account.yml
         operations/enable-service-discovery.yml
-        operations/test/add-persistent-isolation-segment-diego-cell.yml
+        operations/add-persistent-isolation-segment-diego-cell.yml
         operations/scale-log-api-to-4.yml
         operations/use-internal-lookup-for-route-services.yml
       VARS_FILES: |
@@ -854,7 +854,7 @@ jobs:
         operations/use-external-blobstore.yml
         operations/use-gcs-blobstore-service-account.yml
         operations/enable-service-discovery.yml
-        operations/test/add-persistent-isolation-segment-diego-cell.yml
+        operations/add-persistent-isolation-segment-diego-cell.yml
         operations/scale-log-api-to-4.yml
         operations/use-internal-lookup-for-route-services.yml
         operations/test/speed-up-dynamic-asgs.yml

operations/README.md

@@ -32,6 +32,8 @@ This is the README for Ops-files. To learn more about `cf-deployment`, go to the
 
 | Name | Purpose | Notes | Currently validated in Release Integration CI pipelines? |
 |:---  |:---     |:---   |:---   |
+| [`add-persistent-isolation-segment-diego-cell.yml`](add-persistent-isolation-segment-diego-cell.yml) | Deployes an isolation segment Diego cell. | See [isolation segment](https://docs.cloudfoundry.org/adminguide/isolation-segments.html) documentation. | **YES** |
+| [`add-persistent-isolation-segment-router.yml`](add-persistent-isolation-segment-router.yml) | Deployes an isolation segment router. | See [isolation segment](https://docs.cloudfoundry.org/adminguide/isolation-segments.html) documentation. | **YES** |
 | [`bosh-lite.yml`](bosh-lite.yml) | Enables `cf-deployment` to be deployed on `bosh-lite`. | See [bosh-lite](../iaas-support/bosh-lite/README.md) documentation. | **YES** |
 | [`configure-default-router-group.yml`](configure-default-router-group.yml) | Allows deployer to configure reservable ports for default tcp router group by passing variable `default_router_group_ reservable_ports`. |  | **NO** |
 | [`disable-router-tls-termination.yml`](disable-router-tls-termination.yml) | Eliminates keys related to performing TLS termination within the gorouter job. | Useful for deployments where TLS termination is performed prior to the gorouter - for instance, on AWS, such termination is commonly done at the ELB. This also eliminates the need to specify `((router_ssl.certificate))` and `((router_ssl.private_key))` in the var files. | **NO** |

operations/test/add-persistent-isolation-segment-diego-cell.yml renamed to operations/add-persistent-isolation-segment-diego-cell.yml

@@ -13,6 +13,15 @@
     networks:
     - name: default
     jobs:
+    - name: bosh-dns-adapter
+      properties:
+        internal_domains: ["apps.internal."]
+        dnshttps:
+          client:
+            tls: ((cf_app_sd_client_tls))
+          server:
+            ca: ((cf_app_sd_client_tls.ca))
+      release: cf-networking
     - name: cflinuxfs4-rootfs-setup
       release: cflinuxfs4
       properties:
@@ -29,11 +38,14 @@
         garden:
           containerd_mode: true
           cleanup_process_dirs_on_wait: true
+          debug_listen_address: 127.0.0.1:17019
           default_container_grace_time: 0
           destroy_containers_on_start: true
-          graph_cleanup_threshold_in_mb: 0
           deny_networks:
           - 0.0.0.0/0
+          network_plugin: /var/vcap/packages/runc-cni/bin/garden-external-networker
+          network_plugin_extra_args:
+          - --configFile=/var/vcap/jobs/garden-cni/config/adapter.json
         logging:
           format:
             timestamp: "rfc3339"
@@ -51,6 +63,10 @@
             - cflinuxfs4:/var/vcap/packages/cflinuxfs4/rootfs.tar
             placement_tags:
             - persistent_isolation_segment
+        trusted_ca_certificates:
+        - ((diego_instance_identity_ca.ca))
+        - ((credhub_tls.ca))
+        - ((uaa_ssl.ca))
         containers:
           proxy:
             enabled: true
@@ -79,6 +95,13 @@
         logging:
           format:
             timestamp: "rfc3339"
+    - name: cfdot
+      release: diego
+      properties:
+        tls: &cfdot_tls_client_properties
+          ca_certificate: "((diego_rep_client.ca))"
+          certificate: "((diego_rep_client.certificate))"
+          private_key: "((diego_rep_client.private_key))"
     - name: route_emitter
       release: diego
       properties:
@@ -111,3 +134,52 @@
         uaa:
           ca_cert: "((uaa_ssl.ca))"
           client_secret: "((uaa_clients_tcp_emitter_secret))"
+    - name: garden-cni
+      release: cf-networking
+      properties:
+        cni_plugin_dir: /var/vcap/packages/silk-cni/bin
+        cni_config_dir: /var/vcap/jobs/silk-cni/config/cni
+    - name: netmon
+      release: silk
+    - name: vxlan-policy-agent
+      release: silk
+      properties:
+        ca_cert: ((network_policy_client.ca))
+        client_cert: ((network_policy_client.certificate))
+        client_key: ((network_policy_client.private_key))
+      provides:
+        vpa: nil
+      loggregator: 
+        use_v2_api: true
+        ca_cert: "((loggregator_tls_agent.ca))"
+        cert: "((loggregator_tls_agent.certificate))"
+        key: "((loggregator_tls_agent.private_key))"
+    - name: silk-daemon
+      release: silk
+      properties:
+        ca_cert: ((silk_daemon.ca))
+        client_cert: ((silk_daemon.certificate))
+        client_key: ((silk_daemon.private_key))
+    - name: silk-cni
+      release: silk
+      properties:
+        dns_servers:
+        - 169.254.0.2
+      provides: 
+        cni_config:
+          nil
+    - name: silk-datastore-syncer
+      release: silk
+    - name: loggr-udp-forwarder
+      release: loggregator-agent
+      properties: &loggr-udp-forwarder-properties
+        loggregator:
+          tls:
+            ca: "((loggregator_tls_agent.ca))"
+            cert: "((loggregator_tls_agent.certificate))"
+            key: "((loggregator_tls_agent.private_key))"
+        metrics:
+          ca_cert: "((loggr_udp_forwarder_tls.ca))"
+          cert: "((loggr_udp_forwarder_tls.certificate))"
+          key: "((loggr_udp_forwarder_tls.private_key))"
+          server_name: loggr_udp_forwarder_metrics

operations/test/add-persistent-isolation-segment-router.yml renamed to operations/add-persistent-isolation-segment-router.yml

@@ -195,15 +195,15 @@ func TestSemantic(t *testing.T) {
 			manifestPath,
 			"",
 			"--path", "/instance_groups/name=isolated-diego-cell/jobs/name=rep/properties",
-			"-o", "test/add-persistent-isolation-segment-diego-cell.yml",
+			"-o", "add-persistent-isolation-segment-diego-cell.yml",
 		)
 
 		if err != nil {
 			t.Errorf("bosh interpolate error: %v", err)
 		}
 
 		if diff, same := diffLeft(string(diegoCellRepProperties), string(isoSegDiegoCellRepProperties)); !same {
-			t.Errorf("rep properties on diego-cell have diverged between cf-deployment.yml and test/add-persistent-isolation-segment-diego-cell.yml.\n%s", diff)
+			t.Errorf("rep properties on diego-cell have diverged between cf-deployment.yml and add-persistent-isolation-segment-diego-cell.yml.\n%s", diff)
 		}
 	})
 

operations/test/add-persistent-isolation-segment-diego-cell-bosh-lite.yml

@@ -1,4 +1,6 @@
 ---
+add-persistent-isolation-segment-diego-cell.yml: {}
+add-persistent-isolation-segment-router.yml: {}
 aws.yml: {}
 azure.yml: {}
 bosh-lite.yml: {}

units/tests/semantic_test/semantic_test.go

@@ -5,15 +5,9 @@ add-datadog-firehose-nozzle.yml:
   - datadog_metric_prefix=foo.bar
   - traffic_controller_external_port=8443
 add-oidc-provider.yml: {}
-add-persistent-isolation-segment-diego-cell-bosh-lite.yml:
-  ops:
-  - add-persistent-isolation-segment-diego-cell.yml
-  - add-persistent-isolation-segment-diego-cell-bosh-lite.yml
-add-persistent-isolation-segment-diego-cell.yml: {}
 use-cflinuxfs4-compat-isolation-segment-diego-cell.yml:
   ops:
-  - add-persistent-isolation-segment-diego-cell.yml
-add-persistent-isolation-segment-router.yml: {}
+  - ../add-persistent-isolation-segment-diego-cell.yml
 alter-ssh-proxy-redirect-uri.yml: {}
 enable-nfs-test-ldapserver.yml:
   ops: