Sunday, 19 November 2017

Using Spring Boot Actuator endpoint for Spring Boot application health check type on PCF

An application health check is a monitoring process that continually checks the status of a running Cloud Foundry application. When deploying an app, a developer can configure the health check type (port, process, or HTTP), a timeout for starting the application, and an endpoint (for HTTP only) for the application health check.

To use the HTTP option your manifest.yml would look like this

---
applications:
- name: pas-cf-manifest
  memory: 756M
  instances: 1
  hostname: pas-cf-manifest
  path: ./target/demo-0.0.1-SNAPSHOT.jar
  health-check-type: http
  health-check-http-endpoint: /health
  stack: cflinuxfs2
  timeout: 80
  env:
    JAVA_OPTS: -Djava.security.egd=file:///dev/urandom
    NAME: Apples

Using a HTTP endpoint such as "/health" is possible once you add the Spring Boot Actuator maven dependency as follows

  
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

More Information

https://docs.run.pivotal.io/devguide/deploy-apps/healthchecks.html

Saturday, 28 October 2017

Testing network connectivity from Cloud Foundry Application Instances

This app below simply tests whether a host:port is accessible from a CF app instance. For example can my application instance access my Oracle Database Instance running outside of PCF given application instances need network access to the database database for example.

You can use bosh2 ssh to get to the Diego Cells if you have access to the environment or even "cf ssh" if that has been enabled.

GitHub URL:

https://github.com/papicella/cloudfoundry-socket-test

Success


pasapicella@pas-macbook:~$ http http://pas-cf-sockettest.cfapps.io/www.google.com.au/80
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 81
Content-Type: application/json;charset=UTF-8
Date: Wed, 25 Oct 2017 08:38:33 GMT
X-Vcap-Request-Id: 8fd05c77-f680-4966-558b-c45e71825fa0

{
    "errorMessage": "N/A",
    "hostname": "www.google.com.au",
    "port": "80",
    "res": "SUCCESS"
}

Failure

pasapicella@pas-macbook:~$ http http://pas-cf-sockettest.cfapps.io/10.0.0.10/8080
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 110
Content-Type: application/json;charset=UTF-8
Date: Wed, 25 Oct 2017 11:52:18 GMT
X-Vcap-Request-Id: 91ad2359-7d95-49c6-4538-548e480b7820

{
    "errorMessage": "Connection refused (Connection refused)",
    "hostname": "10.0.0.10",
    "port": "8080",
    "res": "FAILED"
}

Sunday, 22 October 2017

Just installed Pivotal Cloud Foundry, what's next should I login to Apps Manager?

I get this question often from customers. Pivotal Cloud Foundry has just been installed and the API endpoint to target the instance is working fine. In short we want to do the following before we get developers onto the platform to ensure we no longer using the UAA server admin login details from the CLI or Apps Manager UI.

  • Create a new ADMIN user which will be used to configure Apps Manager ORGS and spaces for the developers
  • Create an ORG
  • Create at least one Quota maybe more to control memory limit and application instances within an ORG
  • Assign the quota to your ORG
Steps

--> Create a new ADMIN user which will be used to configure Apps Manager ORGS and spaces for the developers

1. Login to Ops Manager VM using SSH for example
2. Target the UAA server as shown below

Eg: $ uaac target uaa.YOUR-DOMAIN

ubuntu@opsmanager-pcf:~$ uaac target uaa.system.YYYY --skip-ssl-validation
Unknown key: Max-Age = 2592000

Target: https://uaa.system.YYYY

3. Authenticate and obtain an access token for the admin client from the UAA server

Note: Record the uaa:admin:client_secret from your deployment manifest

ubuntu@opsmanager-pcf:~$ uaac token client get admin -s PASSWD

Successfully fetched token via client credentials grant.
Target: https://uaa.system.YYYY
Context: admin, from client admin

4. Use the uaac contexts command to display the users and applications authorized by the UAA server, and the permissions granted to each user and application. Ensure in the "scope" field that "scim.write" exists

ubuntu@opsmanager-pcf:~$ uaac contexts

[0]*[https://uaa.system.YYYY]
  skip_ssl_validation: true

  [0]*[admin]
      client_id: admin
      access_token: .....
      token_type: bearer
      expires_in: 43199
      scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
      jti: b1bf094a5c4640dbac4abc5f3bf15b08

5. Run the following command to create an admin user

ubuntu@opsmanager-pcf:~$ uaac user add apples -p PASSWD --emails papicella@pivotal.io
user account successfully added

6. Run uaac member add GROUP NEW-ADMIN-USERNAME to add the new admin to the groups cloud_controller.admin, uaa.admin, scim.read, and scim.write

ubuntu@opsmanager-pcf:~$ uaac member add cloud_controller.admin apples
success
ubuntu@opsmanager-pcf:~$ uaac member add uaa.admin apples
success
ubuntu@opsmanager-pcf:~$ uaac member add scim.read apples
success
ubuntu@opsmanager-pcf:~$ uaac member add scim.write apples
success

--> Create an ORG

1. Login using the new admin user "apples"

pasapicella@pas-macbook:~$ cf login -u apples -p PASSWD -o system -s system
API endpoint: https://api.system.YYYY
Authenticating...
OK

Targeted org system

Targeted space system

API endpoint:   https://api.system.YYYY (API version: 2.94.0)
User:           papicella@pivotal.io
Org:            system
Space:          system

2. Create an ORG as follows

pasapicella@pas-macbook:~$ cf create-org myfirst-org
Creating org myfirst-org as apples...
OK

Assigning role OrgManager to user apples in org myfirst-org ...
OK

TIP: Use 'cf target -o "myfirst-org"' to target new org

--> Create at least one Quota maybe more to control memory limit and application instances within an ORG

1. Here we create what I call a medium-quota which allows 20G of memory, 2 service instances, each application instance can be no more then 1G of memory and only 20 Application Instances can be created using this quota.

pasapicella@pas-macbook:~$ cf create-quota medium-quota -m 20G -i 1G -a 20 -s 2 -r 1000 --allow-paid-service-plans
Creating quota medium-quota as apples...
OK

pasapicella@pas-macbook:~$ cf quota medium-quota
Getting quota medium-quota info as apples...
OK

Total Memory           20G
Instance Memory        1G
Routes                 1000
Services               2
Paid service plans     allowed
App instance limit     20
Reserved Route Ports   0

--> Assign the quota to your ORG

1. Assign the newly created quota to the ORG we created above

pasapicella@pas-macbook:~$ cf set-quota myfirst-org medium-quota
Setting quota medium-quota to org myfirst-org as apples...
OK

pasapicella@pas-macbook:~$ cf org myfirst-org
Getting info for org myfirst-org as apples...

name:                 myfirst-org
domains:              apps.pas-apples.online
quota:                medium-quota
spaces:
isolation segments:

Finally we can add a space to the ORG and assign privileges to a user called "pas" as shown below

- Set OrgManager role to the user "pas"

pasapicella@pas-macbook:~$ cf set-org-role pas myfirst-org OrgManager
Assigning role OrgManager to user pas in org myfirst-org as apples...
OK

- Logout as "apples" admin user as "pas" can now do his own admin for the ORG " myfirst-org"

pasapicella@pas-macbook:~$ cf logout
Logging out...
OK

- Login as pas and target the ORG

pasapicella@pas-macbook:~$ cf login -u pas -p PASSWD -o myfirst-org
API endpoint: https://api.system.YYYY
Authenticating...
OK

Targeted org myfirst-org

API endpoint:   https://api.system.YYYY (API version: 2.94.0)
User:           pas
Org:            myfirst-org
Space:          No space targeted, use 'cf target -s SPACE'

- Create a space which will set space roles for the user "pas"

pasapicella@pas-macbook:~$ cf create-space dev
Creating space dev in org myfirst-org as pas...
OK
Assigning role RoleSpaceManager to user pas in org myfirst-org / space dev as pas...
OK
Assigning role RoleSpaceDeveloper to user pas in org myfirst-org / space dev as pas...
OK

TIP: Use 'cf target -o "myfirst-org" -s "dev"' to target new space

- Target the new space

pasapicella@pas-macbook:~$ cf target -o myfirst-org -s dev
api endpoint:   https://api.system.pas-apples.online
api version:    2.94.0
user:           pas
org:            myfirst-org
space:          dev

Typically we would assign other users to the spaces using "cf set-space-role .."

pasapicella@pas-macbook:~$ cf set-space-role --help
NAME:
   set-space-role - Assign a space role to a user

USAGE:
   cf set-space-role USERNAME ORG SPACE ROLE

ROLES:
   'SpaceManager' - Invite and manage users, and enable features for a given space
   'SpaceDeveloper' - Create and manage apps and services, and see logs and reports
   'SpaceAuditor' - View logs, reports, and settings on this space

SEE ALSO:
   space-users

More Information

Creating and Managing Users with the UAA CLI (UAAC)
https://docs.pivotal.io/pivotalcf/1-12/uaa/uaa-user-management.html

Creating and Managing Users with the cf CLI
https://docs.pivotal.io/pivotalcf/1-12/adminguide/cli-user-management.html

Thursday, 5 October 2017

Pivotal Cloud Foundry 1.12 on Google Cloud Platform with VM labels

Once PCF is installed on GCP it's worth noting that viewing the "Compute Engine" labels gives you as indication of what VM each CF service is associated with. The screen shots below show's this.



Monday, 25 September 2017

Updating Cloud Foundry CLI using Brew

Need to upgrade the CF CLI using brew it's as simple as below. Go to love brew

pasapicella@pas-macbook:~$ brew upgrade cf-cli
==> Upgrading 1 outdated package, with result:
cloudfoundry/tap/cf-cli 6.31.0
==> Upgrading cloudfoundry/tap/cf-cli
Warning: Use cloudfoundry/tap/cloudfoundry-cli instead of deprecated pivotal/tap/cloudfoundry-cli
==> Downloading https://cli.run.pivotal.io/stable?release=macosx64-binary&version=6.31.0&source=homebrew
==> Downloading from https://s3-us-west-1.amazonaws.com/cf-cli-releases/releases/v6.31.0/cf-cli_6.31.0_osx.tgz
######################################################################## 100.0%
==> Caveats
Bash completion has been installed to:
  /usr/local/etc/bash_completion.d
==> Summary
🍺  /usr/local/Cellar/cf-cli/6.31.0: 6 files, 17.6MB, built in 16 seconds

pasapicella@pas-macbook:~$ cf --version
cf version 6.31.0+b35df905d.2017-09-15

Friday, 15 September 2017

Using Cloud Foundry CUPS to inject Spring Security credentials into a Spring Boot Application

The following demo shows how to inject the Spring Security username/password credentials from a User Provided service on PCF, hence using the VCAP_SERVICES env variable to inject the values required to protect the application using HTTP Basic Authentication while running in PCF. Spring Boot automatically converts this data into a flat set of properties so you can easily get to the data as shown below.

The demo application can be found as follows

https://github.com/papicella/springsecurity-cf-cups

The application.yml would access the VCAP_SERVICES CF env variable using the the Spring Boot flat set of properties as shown below.

eg:

VCAP_SERVICES

System-Provided:
{
 "VCAP_SERVICES": {
  "user-provided": [
   {
    "credentials": {
     "password": "myadminpassword",
     "username": "myadminuser"
    },
    "label": "user-provided",
    "name": "my-cfcups-service",
    "syslog_drain_url": "",
    "tags": [],
    "volume_mounts": []
   }
  ]
 }
}
...

application.yml

spring:
  application:
    name: security-cf-cups-demo
security:
  user:
    name: ${vcap.services.my-cfcups-service.credentials.username:admin}
    password: ${vcap.services.my-cfcups-service.credentials.password:password}

Thursday, 14 September 2017

Oracle 12c Service Broker for Pivotal Cloud Foundry

The following example is a PCF 2.0 Service Broker written as a Spring Boot application. This is just an example and should be evolved to match a production type setup in terms oracle requirements. This service broker simple creates USERS and assigns then 20M of quota against a known TABLESPACE

It's all documented as follows

https://github.com/papicella/oracle-service-broker




Monday, 4 September 2017

Introducing Pivotal MySQL*Web, Pivotal’s New Open Source Web-Based Administration UI for MySQL for Pivotal Cloud Foundry

Recently Pivotal announced "Pivotal MySQL*Web" on it's main blog page. You can read more about it here which was an Open Source project I created a while ago for Pivotal MySQL instances on Pivotal Cloud Foundry

https://content.pivotal.io/blog/introducing-pivotal-mysql-web-pivotal-s-new-open-source-web-based-administration-ui-for-mysql-for-pivotal-cloud-foundry


Couchbase Service Broker for Pivotal Cloud Foundry

The following example is a PCF 2.0 Service Broker written as a Spring Boot application for Couchbase 4.6.x. This is just an example and should be evolved to match a production type setup in terms of bucket creation and access for created service instances.

It's all documented as follows

https://github.com/papicella/couchbase-service-broker




More Information

https://docs.pivotal.io/tiledev/service-brokers.html

Thursday, 27 July 2017

Accessing Pivotal Cloud Foundry droplet file system when "cf ssh" isn't enabled

In order to view your application layout you can simply use "cf ssh" to log into the container and then view the files created as part of the droplet. The problem is "cf ssh" isn't always enabled bye the Ops team so what is your alternative in cloud foundry?

You can use "cf curl" to invoke an endpoint using the application GUID as shown in the steps below.

** cf ssh demo **

pasapicella@pas-macbook:~/temp/droplets$ cf ssh pas-swagger-demo
vcap@ef9e4e93-0df9-47a7-5351-dccf:~$ ls -lartF
total 16
-rw-r--r-- 1 vcap vcap  675 Apr  9  2014 .profile
-rw-r--r-- 1 vcap vcap 3637 Apr  9  2014 .bashrc
-rw-r--r-- 1 vcap vcap  220 Apr  9  2014 .bash_logout
drwxr-xr-x 2 vcap vcap    6 Jun 14 03:32 deps/
drwxr-xr-x 1 vcap root   72 Jun 14 03:32 app/
-rw-r--r-- 1 vcap vcap 1087 Jun 14 03:32 staging_info.yml
drwxr-xr-x 2 vcap vcap    6 Jun 14 03:32 logs/
drwx------ 1 vcap vcap   76 Jun 14 03:32 ./
drwxr-xr-x 1 root root   18 Jul 26 23:45 ../
drwxr-xr-x 4 vcap vcap   92 Jul 26 23:48 tmp/
vcap@ef9e4e93-0df9-47a7-5351-dccf:~$

** Steps **


1. Download droplet as follows

Format:

   cf curl /v2/apps/`cf app {appname} --guid`/droplet/download > droplet.tar.gz

Example:

pasapicella@pas-macbook:~/temp/droplets$ cf curl /v2/apps/`cf app pas-swagger-demo --guid`/droplet/download > droplet.tar.gz

To determine the app name you can either use Applications manager UI or use "cf apps" to get the app name


2. This will take some time due to the size of the droplet but when done verify you have this on the file system

pasapicella@pas-macbook:~/temp/droplets$ ls -la
total 150736
drwxr-xr-x   3 pasapicella  staff       102 Jul 27 14:20 .
drwxr-xr-x  23 pasapicella  staff       782 Jul 27 14:19 ..
-rw-r--r--   1 pasapicella  staff  77173173 Jul 27 14:23 droplet.tar.gz

3. Gunzip followed by tar -xvf and you will then have a file system replicator of what your application droplet looks like in CF

pasapicella@pas-macbook:~/temp/droplets$ d
total 313408
drwxr-xr-x   2 pasapicella  staff         68 Jun 14 13:32 deps/
drwxr-xr-x   6 pasapicella  staff        204 Jun 14 13:32 app/
drwxr-xr-x   2 pasapicella  staff         68 Jun 14 13:32 tmp/
-rw-r--r--   1 pasapicella  staff       1087 Jun 14 13:32 staging_info.yml
drwxr-xr-x   2 pasapicella  staff         68 Jun 14 13:32 logs/
drwxr-xr-x  23 pasapicella  staff        782 Jul 27 14:19 ../
-rw-r--r--   1 pasapicella  staff  160460800 Jul 27 14:23 droplet.tar
drwxr-xr-x   8 pasapicella  staff        272 Jul 27 14:25 ./


You really only want to do this to see how your application was staged on the file system as the buildpack may have changed some files or added files based on what you deployed. This is not how you would debug an application but rather view what the file system looks like for your application itself and what content exists in the files should the buildpack have changed file content for example.