Merge remote-tracking branch 'origin/develop'

.gitmodules

@@ -16,3 +16,6 @@
 [submodule "src/scf-release/src/acceptance-tests-brain/test-resources/cf-redis-example-app"]
 	path = src/scf-release/src/acceptance-tests-brain/test-resources/cf-redis-example-app
 	url = https://github.com/scf-samples/cf-redis-example-app
+[submodule "src/scf-release/src/acceptance-tests-brain/test-resources/pong_matcher_go"]
+	path = src/scf-release/src/acceptance-tests-brain/test-resources/pong_matcher_go
+	url = https://github.com/cloudfoundry-samples/pong_matcher_go.git

Jenkinsfile

@@ -25,7 +25,7 @@ boolean areIgnoredFiles(HashSet<String> changedFiles) {
     "README.md"
   ]
 
-  // An empty set is considered to be contained by ignoredFiles, but if we 
+  // An empty set is considered to be contained by ignoredFiles, but if we
   // have an empty list, it's from a replay of a previous build, so we
   // should run it.
   if (changedFiles.size() == 0) {
@@ -330,7 +330,7 @@ pipeline {
                         done
                         # Only return the namespaces we want
                         for ns in "${all_ns[@]}" ; do
-                            if [[ "${ns}" =~ scf|uaa ]] ; then
+                            if [[ "${ns}" =~ cf|uaa ]] ; then
                                 echo "${ns}"
                             fi
                         done

Makefile

@@ -26,7 +26,6 @@ run:
 	make/uaa/run
 	make/wait uaa
 	make/run
-	make/stratos/run
 
 upgrade:
 	make/uaa/upgrade
@@ -40,7 +39,6 @@ validate:
 	make/validate
 
 stop:
-	make/stratos/stop
 	make/stop
 	make/uaa/stop
 	make/wait cf
@@ -77,6 +75,20 @@ cats:
 scaler-smoke:
 	make/tests autoscaler-smoke
 
+stratos-run:
+	make/stratos/run
+	make/stratos/metrics/run
+
+stratos-stop:
+	make/stratos/stop
+	make/stratos/metrics/stop
+
+istio-run:
+	make/istio/run
+
+istio-stop:
+	make/istio/stop
+
 ########## SIDECAR SERVICE TARGETS ##########
 
 mysql:

README.md

@@ -838,21 +838,47 @@ be dropped until all references to it are removed from the database.
 
 Updating these secrets is a manual process:
 
-* Generate the new secret data as a YAML map, and base64 encode it:
-```bash
-SECRET_DATA=$(echo "{key0: abc-123}" | base64)
-```
+* Create a file `new-key-values.yaml` with content of the form:
 
-  The secret data can be any valid YAML key / value.
-* Replace the secret data:
-```bash
-kubectl -n cf get secret secrets -o yaml | sed 's/cc-db-encryption-keys: .*/cc-db-encryption-keys: ${SECRET_DATA}/' | kubectl replace -f -
+```yaml
+env:
+  CC_DB_CURRENT_KEY_LABEL: new_key
+
+secrets:
+  CC_DB_ENCRYPTION_KEYS:
+    new_key: "<new-key-value-goes-here>"
 ```
-* Update the `CC_DB_CURRENT_KEY_LABEL` environment variable. This will restart any pods that use this variable.
-```bash
-./make/upgrade --set env.CC_DB_CURRENT_KEY_LABEL=key0
+
+* Use
+  `helm upgrade "${CF_NAMESPACE}" "${CF_CHART}" ... --values new-key-values.yaml`
+  to import the above data into the cluster. This restarts relevant
+  pods with the new information from step 1.
+
+      - The variable `CF_NAMESPACE` contains the name of the namespace
+        the SCF chart was deployed into.
+
+      - The variable `CF_CHART` contains the name of the SCF chart.
+
+      - The `...` placeholder stands for the standard set of options
+        needed to properly upgrade an SCF deployment, as per the main
+        documentation.
+
+* Perform the actual rotation via
+
+```shell
+# Change the encryption key in the config file:
+$ kubectl exec --namespace cf api-group-0 -- bash -c 'sed -i "/db_encryption_key:/c\\db_encryption_key: \"$(echo $CC_DB_ENCRYPTION_KEYS | jq -r .new_key)\"" /var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml'
+
+# Run the rotation for the encryption keys:
+$ kubectl exec --namespace cf api-group-0 -- bash -c 'export PATH=/var/vcap/packages/ruby-2.4/bin:$PATH ; export CLOUD_CONTROLLER_NG_CONFIG=/var/vcap/jobs/cloud_controller_ng/config/cloud_controller_ng.yml ; cd /var/vcap/packages/cloud_controller_ng/cloud_controller_ng ; /var/vcap/packages/ruby-2.4/bin/bundle exec rake rotate_cc_database_key:perform'
 ```
 
+When everything works correctly the first command will not generate
+any output, while the second command will dump a series of
+(json-formatted) log entries describing its progress in rotation the
+keys for the various CC models.
+
+
 Note that keys should be **appended** to the existing secret to be sure existing
 environment variables can be decoded. Any operator can check which keys are in
 use by accessing the `ccdb`. If the `encryption_key_label` is empty, the

Vagrantfile

@@ -21,9 +21,20 @@ end
 Vagrant.configure(2) do |config|
   vm_memory = ENV.fetch('SCF_VM_MEMORY', ENV.fetch('VM_MEMORY', 10 * 1024)).to_i
   vm_cpus = ENV.fetch('SCF_VM_CPUS', ENV.fetch('VM_CPUS', 4)).to_i
-  vm_box_version = ENV.fetch('SCF_VM_BOX_VERSION', ENV.fetch('VM_BOX_VERSION', '2.0.15'))
+  vm_box_version = ENV.fetch('SCF_VM_BOX_VERSION', ENV.fetch('VM_BOX_VERSION', '2.0.16'))
   vm_registry_mirror = ENV.fetch('SCF_VM_REGISTRY_MIRROR', ENV.fetch('VM_REGISTRY_MIRROR', ''))
 
+  HOME = "/home/vagrant"
+
+  # Set this environment variable pointing to a directory containing shell scripts to be executed as
+  # part of the provisioning of the Vagrant machine. If the directory contains a subdirectory called
+  # `provision.d`, every script inside this folder will be executed as part of the provisioning of
+  # the Vagrant VM.
+  custom_setup_scripts_env = "SCF_VM_CUSTOM_SETUP_SCRIPTS"
+  # The target directory where the custom setup scripts are mounted if the custom config scripts env
+  # is set.
+  mounted_custom_setup_scripts = "#{HOME}/.config/custom_vagrant_setup_scripts"
+
   config.vm.provider "virtualbox" do |vb, override|
     # Need to shorten the URL for Windows' sake.
     override.vm.box = "https://cf-opensusefs2.s3.amazonaws.com/vagrant/scf-virtualbox-v#{vm_box_version}.box"
@@ -42,8 +53,13 @@ Vagrant.configure(2) do |config|
     vb.customize ['modifyvm', :id, '--paravirtprovider', 'minimal']
 
     # https://github.com/mitchellh/vagrant/issues/351
-    override.vm.synced_folder ".fissile/.bosh", "/home/vagrant/.bosh", type: "nfs"
-    override.vm.synced_folder ".", "/home/vagrant/scf", type: "nfs"
+    override.vm.synced_folder ".fissile/.bosh", "#{HOME}/.bosh", type: "nfs"
+    override.vm.synced_folder ".", "#{HOME}/scf", type: "nfs"
+
+    if ENV.include? custom_setup_scripts_env
+      override.vm.synced_folder ENV.fetch(custom_setup_scripts_env),
+        mounted_custom_setup_scripts, type: "nfs"
+    end
   end
 
   config.vm.provider "libvirt" do |libvirt, override|
@@ -64,10 +80,21 @@ Vagrant.configure(2) do |config|
     libvirt.cpus = vm_cpus
     libvirt.random model: 'random'
 
-    override.vm.synced_folder ".fissile/.bosh", "/home/vagrant/.bosh", type: "nfs"
-    override.vm.synced_folder ".", "/home/vagrant/scf", type: "nfs"
+    override.vm.synced_folder ".fissile/.bosh", "#{HOME}/.bosh", type: "nfs"
+    override.vm.synced_folder ".", "#{HOME}/scf", type: "nfs"
+
+    if ENV.include? custom_setup_scripts_env
+      override.vm.synced_folder ENV.fetch(custom_setup_scripts_env),
+        mounted_custom_setup_scripts, type: "nfs"
+    end
   end
 
+  # Adds the loop kernel module for loading on system startup, as well as loads it immediately.
+  config.vm.provision :shell, privileged: true, inline: <<-SHELL
+    echo "loop" > /etc/modules-load.d/loop.conf
+    modprobe loop
+  SHELL
+
   config.ssh.forward_env = ["FISSILE_COMPILATION_CACHE_CONFIG"]
 
   # Make sure we can pass FISSILE_* env variables from the host.
@@ -97,8 +124,8 @@ Vagrant.configure(2) do |config|
   # Install common and dev tools.
   config.vm.provision :shell, privileged: true, inline: <<-SHELL
     set -o errexit -o xtrace -o verbose
-    export HOME=/home/vagrant
-    export PATH=$PATH:/home/vagrant/bin
+    export HOME="#{HOME}"
+    export PATH="${PATH}:#{HOME}/bin"
     export SCF_BIN_DIR=/usr/local/bin
 
     if [ -n "#{vm_registry_mirror}" ]; then
@@ -146,7 +173,8 @@ Vagrant.configure(2) do |config|
 
   # Wait for the pods to be ready.
   config.vm.provision :shell, privileged: false, inline: <<-'SHELL'
-    set -o errexit -o nounset -o xtrace
+    set -o errexit -o nounset
+    echo "Waiting for pods to be ready..."
     for selector in k8s-app=kube-dns name=tiller ; do
       while ! kubectl get pods --namespace=kube-system --selector "${selector}" 2> /dev/null | grep -Eq '([0-9])/\1 *Running' ; do
         sleep 5
@@ -160,15 +188,28 @@ Vagrant.configure(2) do |config|
     set -o errexit
     echo 'if test -e /mnt/hgfs ; then /mnt/hgfs/scf/bin/dev/setup_vmware_mounts.sh ; fi' >> .profile
 
-    echo 'export PATH=$PATH:/home/vagrant/scf/container-host-files/opt/scf/bin/' >> .profile
-    echo 'test -f /home/vagrant/scf/personal-setup && . /home/vagrant/scf/personal-setup' >> .profile
+    echo 'export PATH="${PATH}:#{HOME}/scf/container-host-files/opt/scf/bin/"' >> .profile
 
-    echo -e '\nexport HISTFILE=/home/vagrant/scf/output/.bash_history' >> .profile
+    echo -e '\nexport HISTFILE="#{HOME}/scf/output/.bash_history"' >> .profile
 
     # Check that the cluster is reasonable.
-    /home/vagrant/scf/bin/dev/kube-ready-state-check.sh
+    #{HOME}/scf/bin/dev/kube-ready-state-check.sh
+
+    direnv exec #{HOME}/scf make -C #{HOME}/scf copy-compile-cache
+  SHELL
+
+  # Provision the custom config scripts and personal setup.
+  config.vm.provision "shell", privileged: false, inline: <<-SHELL
+    set -o errexit
+
+    if [ -d "#{mounted_custom_setup_scripts}/provision.d" ]; then
+      scripts=($(find "#{mounted_custom_setup_scripts}/provision.d" -iname "*.sh" -executable -print | sort))
+      for script in "${scripts[@]}"; do
+        "${script}"
+      done
+    fi
 
-    direnv exec /home/vagrant/scf make -C /home/vagrant/scf copy-compile-cache
+    echo 'test -f "#{HOME}/scf/personal-setup" && . "#{HOME}/scf/personal-setup"' >> .profile
 
     echo -e "\n\nAll done - you can \e[1;96mvagrant ssh\e[0m\n\n"
   SHELL

bin/common/install_tools.sh

@@ -53,8 +53,18 @@ if systemctl list-unit-files kube-apiserver.service | grep --quiet enabled ; the
     sleep 1
   done
 
-  echo "Installing tiller for helm ..."
-  ${do_as_vagrant} helm init
+  echo "Installing tiller for helm with service account ..."
+  tiller_sa_namespace="kube-system"
+  tiller_sa_name="tiller"
+  if ! kubectl get serviceaccount "${tiller_sa_name}" --namespace "${tiller_sa_namespace}" 1> /dev/null 2> /dev/null; then
+    kubectl create serviceaccount "${tiller_sa_name}" --namespace "${tiller_sa_namespace}"
+  fi
+  tiller_crb_name="tiller"
+  if ! kubectl get clusterrolebinding "${tiller_crb_name}" 1> /dev/null 2> /dev/null; then
+    kubectl create clusterrolebinding "${tiller_crb_name}" --clusterrole cluster-admin --serviceaccount="${tiller_sa_namespace}:${tiller_sa_name}"
+  fi
+  ${do_as_vagrant} helm init --upgrade --service-account tiller
+  ${do_as_vagrant} helm repo add suse https://kubernetes-charts.suse.com/
 else
   echo "Skipping tiller installation for helm; no local kube found"
 fi

bin/common/versions.sh

@@ -18,6 +18,10 @@ export K_VERSION="0.0.12"
 export STAMPY_VERSION="0.0.0.22.gbb93bf3"
 export UBUNTU_VERSION="14.04"
 
+# Used in: make/install-istio
+
+export ISTIO_VERSION="1.0.5"
+
 # For stampy we need the major+minor+patch as a separate value.
 export STAMPY_MAJOR=$(echo "$STAMPY_VERSION" | sed -e 's/\.g.*//' -e 's/\.[^.]*$//')
 
@@ -39,10 +43,6 @@ export GOLANG_VERSION=1.7
 export PRODUCT_VERSION="1.13.1"
 export CF_VERSION=3.6.0
 
-# Used in: make/stratos/...
-
-: "${STRATOS_URL:=https://github.com/cloudfoundry-incubator/stratos/releases/download/2.1.1/console-helm-chart-2.1.1-74090ba.tgz}"
-
 # Show versions, if called on its own.
 # # ## ### ##### ######## ############# #####################
 
@@ -61,5 +61,6 @@ then
     echo stampy '       =' $STAMPY_VERSION
     echo stemcell '     =' $FISSILE_STEMCELL_VERSION
     echo ubuntu '       =' $UBUNTU_VERSION
+    echo istio '        =' $ISTIO_VERSION
     echo
 fi

container-host-files/etc/scf/config/opinions-opensuse42.yml

@@ -4,20 +4,25 @@ the-stack-name: &the-stack-name opensuse42
 the-bundles: &the-bundles
   'buildpack/opensuse42': "buildpack_app_lifecycle/buildpack_app_lifecycle.tgz"
   'buildpack/cflinuxfs2': "buildpack_app_lifecycle/buildpack_app_lifecycle.tgz"
+  'buildpack/cflinuxfs3': "buildpack_app_lifecycle/buildpack_app_lifecycle.tgz"
   docker:                 "docker_app_lifecycle/docker_app_lifecycle.tgz"
 
 the-stacks: &the-stacks
   - name: cflinuxfs2
     description: "Cloud Foundry Linux-based filesystem"
+  - name: cflinuxfs3
+    description: "Cloud Foundry Linux-based filesystem"
   - name: opensuse42
     description: "openSUSE-based filesystem"
 
 the-rootfses: &the-rootfses
   - "opensuse42:/var/vcap/packages/opensuse42/rootfs.tar"
   - "cflinuxfs2:/var/vcap/packages/cflinuxfs2/rootfs.tar"
+  - "cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar"  
 
 the-images: &the-images
   - "/var/vcap/packages/opensuse42/rootfs.tar"
   - "/var/vcap/packages/cflinuxfs2/rootfs.tar"
+  - "/var/vcap/packages/cflinuxfs3/rootfs.tar"
 
 # Append common parts here

container-host-files/etc/scf/config/opinions-sle12.yml

@@ -4,20 +4,25 @@ the-stack-name: &the-stack-name sle12
 the-bundles: &the-bundles
   'buildpack/sle12':      "buildpack_app_lifecycle/buildpack_app_lifecycle.tgz"
   'buildpack/cflinuxfs2': "buildpack_app_lifecycle/buildpack_app_lifecycle.tgz"
+  'buildpack/cflinuxfs3': "buildpack_app_lifecycle/buildpack_app_lifecycle.tgz"
   docker:                 "docker_app_lifecycle/docker_app_lifecycle.tgz"
 
 the-stacks: &the-stacks
   - name: "cflinuxfs2"
     description: "Cloud Foundry Linux-based filesystem"
+  - name: "cflinuxfs3"
+    description: "Cloud Foundry Linux-based filesystem"
   - name: "sle12"
     description: "SLE-based filesystem"
 
 the-rootfses: &the-rootfses
   - "sle12:/var/vcap/packages/cf-sle12/rootfs.tar"
   - "cflinuxfs2:/var/vcap/packages/cflinuxfs2/rootfs.tar"
+  - "cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar"
 
 the-images: &the-images
   - "/var/vcap/packages/cf-sle12/rootfs.tar"
   - "/var/vcap/packages/cflinuxfs2/rootfs.tar"
+  - "/var/vcap/packages/cflinuxfs3/rootfs.tar"
 
 # Append common parts here