Configuring Cloud Foundry Routing
This topic describes how to configure Cloud Foundry to handle routing for Cloud Foundry Container Runtime (CFCR).
You configure Cloud Foundry routing by editing the BOSH configuration files before deploying BOSH for CFCR. The procedure for generating these files and using them to deploy BOSH for CFCR will vary depending on your IaaS.
Consult the following list of prerequisites before performing the procedures in this topic:
- You must have a running Cloud Foundry deployment. For more information, see the Deploying Cloud Foundry section of the Cloud Foundry documentation.
- You must have completed both the pre-deployment and post-deployment procedures in the Enabling TCP Routing topic of the Cloud Foundry documentation to enable TCP routing in your Cloud Foundry deployment. Ensure that you have created a shared domain for the TCP domain and configured a quota for TCP routes.
- You must have installed the UAA Command Line Client (UAAC).
- You must have completed the following procedures specific to your IaaS:
  - If you are deploying CFCR on GCP, you must have completed Step 1: Set Up Your Shell Environment through Step 4: Generate BOSH Configuration of the Deploying BOSH for CFCR on GCP topic.
  - If you are deploying CFCR on vSphere, you must have completed Step 1: Create User Accounts through Step 3: Generate a Configuration Template of the Deploying BOSH for CFCR on vSphere topic.
  - If you are deploying CFCR on AWS, you must have completed Step 1: Set Up Your Shell Environment through Step 4: Create IAM User of the Deploying BOSH for CFCR on AWS topic.
  - If you are deploying CFCR on OpenStack, you must have completed Step 1: Generate a Configuration Template of the Deploying BOSH for CFCR on OpenStack topic.
Step 1: Enable Internal Communication
You must edit your IaaS firewall rules to enable communication between the Cloud Foundry components and the CFCR VMs. The procedures will vary by IaaS, but you must do the following:
- Ensure that the Cloud Foundry routing components can reach your CFCR cluster on the
- Ensure that the Cloud Foundry TCP Router can reach the CFCR master nodes on port 8443 to communicate with the Kubernetes API server.
- Ensure that the CFCR components can reach the Cloud Foundry NATS servers on port 4222.
- Ensure that the CFCR components can reach the Cloud Foundry API and UAA endpoints. Both are HTTPS endpoints in the Cloud Foundry system domain, accessible on port 443.
Step 2: Create a Routing UAA Client
Perform the following steps to create a UAA client for CFCR routing:
Target the UAA server of your Cloud Foundry deployment. Run the following command:
$ uaac target uaa.YOUR-SYS-DOMAIN --skip-ssl-validation
Where YOUR-SYS-DOMAIN is your system domain. Note that --skip-ssl-validation disables verification of the UAA server's TLS certificate. For example:
$ uaac target uaa.sys.example.com --skip-ssl-validation
Authenticate and obtain an access token for the admin client. Enter the following command:
$ uaac token client get admin
When prompted, enter the UAA admin client password. This is uaa:admin:client_secret in your Cloud Foundry deployment manifest.
Add a client for CFCR routing. CFCR will use this client to create routes in Cloud Foundry. Enter the following command:
$ uaac client add routing_api_client \
    --authorities "routing.router_groups.read,routing.routes.write,cloud_controller.admin" --authorized_grant_type "client_credentials"
When prompted, enter a secret for the new client. Record this secret.
Step 3: Configure CFCR for Cloud Foundry Routing
Perform the following steps to configure CFCR for Cloud Foundry routing:
- Navigate to KUBO_ENV and open the
- Uncomment the routing-cf-client-secret line and fill in the UAA routing client secret you created above.
- Uncomment the routing-cf-nats-password line and fill in the NATS password. This is nats: nats: password in your Cloud Foundry deployment manifest.
The director-secrets.yml file contains sensitive information and should not be under version control.
- Comment out the IaaS routing mode settings section.
- Uncomment the CF routing mode settings section, and set appropriate values for your deployment.
- Set the kubernetes_master_host to the TCP router hostname or IP address for Cloud Foundry. This is typically tcp.YOUR-APPS-DOMAIN, such as
  If you are using a domain, ensure that the DNS resolves correctly. For more information, see the Pre-Deployment Steps section of the Enabling TCP Routing topic in the Cloud Foundry documentation.
- Set the kubernetes_master_port to an available port on the Cloud Foundry TCP router.
- Set the routing-cf-api-url to the Cloud Foundry API URL, such as
- Set the routing-cf-uaa-url to the Cloud Foundry UAA URL, such as
- Set the routing-cf-app-domain-name to the Cloud Foundry apps domain, such as
- Set the routing-cf-nats-internal-ips to the array of internal IP addresses used by Cloud Foundry NATS, such as [192.168.16.13]. To obtain the IP addresses for your NATS instances, log in to the BOSH Director you used to deploy Cloud Foundry and run bosh -e YOUR-ENV instances.
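The values set in the steps above can be linted before deploying. The following shell script is an added example, not part of the CFCR documentation or tooling. It assumes the settings appear as flat key: value lines with the key names used on this page; get_setting, lint_cf_routing and sample_settings are hypothetical helper names.

```shell
# Added example (not CFCR tooling). Assumes flat "key: value" lines, key names as on this page.
get_setting() {  # print the uncommented value of key $2 in file $1 (empty if absent)
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
    sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' | head -n 1
}
fail() { echo "$1"; problems=$((problems + 1)); }
# Prints one line per problem; succeeds only when there are none.
lint_cf_routing() {
  f=$1; problems=0
  for key in kubernetes_master_host kubernetes_master_port routing-cf-api-url \
      routing-cf-uaa-url routing-cf-app-domain-name routing-cf-nats-internal-ips; do
    [ -n "$(get_setting "$f" "$key")" ] || fail "unset or commented out: $key"
  done
  case $(get_setting "$f" kubernetes_master_host) in */*) fail "kubernetes_master_host is a URL, not a host" ;; esac
  port=$(get_setting "$f" kubernetes_master_port)
  case $port in
    '') ;;
    *[!0-9]*) fail "kubernetes_master_port is not a number: $port" ;;
    *) { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || fail "port out of range: $port" ;;
  esac
  for key in routing-cf-api-url routing-cf-uaa-url; do  # both are HTTPS endpoints
    case $(get_setting "$f" "$key") in
      ''|https://*) ;;
      *) fail "$key must be an https:// URL" ;;
    esac
  done
  ips=$(get_setting "$f" routing-cf-nats-internal-ips)
  case $ips in
    '') ;;
    \[*\]) for ip in $(echo "$ips" | sed 's/[][ ]//g; s/,/ /g'); do
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || fail "bad NATS IP: $ip"
      done ;;
    *) fail "routing-cf-nats-internal-ips must be an array such as [192.168.16.13]" ;;
  esac
  [ "$problems" -eq 0 ]
}

# Constructed sample, not a real deployment: three deliberate mistakes.
sample_settings() {
  cat <<'EOF'
kubernetes_master_host: tcp.apps.example.com
kubernetes_master_port: 80443
routing-cf-api-url: http://api.sys.example.com
routing-cf-uaa-url: https://uaa.sys.example.com
routing-cf-app-domain-name: apps.example.com
# routing-cf-nats-internal-ips: [192.168.16.13]
EOF
}
[ $# -eq 0 ] || lint_cf_routing "$1"
```

Saved under a name of your choice, the script takes the settings file path as its only argument. Inside a git checkout, git ls-files --error-unmatch director-secrets.yml exiting non-zero confirms that the secrets file is untracked.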
Deploy BOSH for CFCR by performing the procedures specific to your IaaS: