CF app route unmap
CF app route unmap temporarily unmaps a Cloud Foundry app route and later maps it back to the app.
Use cases
CF app route unmap:
- Checks resilience against abrupt un-mapping of an app route.
- Validates the effectiveness of disaster recovery and high availability of the app.
Mandatory tunables
Tunable | Description | Notes |
---|---|---|
organization | Organization where the target app resides. | For example, dev-org. |
space | Space where the target app resides. | The space must reside within the given organization. For example, dev-space. |
app | The app to be stopped. | The app must reside within the given organization and space. For example, cf-app. |
host | Host name of the route to be unmapped. | For example, v1. For more information, go to host. |
Optional tunables
Tunable | Description | Notes |
---|---|---|
faultInjectorLocation | Fault injector placement with respect to where the LCI is hosted. | Default: local. Supports local and vSphere. For more information, go to Fault Injector location. |
path | Path of the route to be un-mapped. | For example, /cart. For more information, go to path. |
port | Port of the route to be un-mapped. | For example, 8080. |
faultInjectorPort | Local server port used by the fault-injector utility. | Default: 50320. If the default port is unavailable, a random port in the range of 50320-51320 is selected. For more information, go to fault injector port. |
duration | Duration through which chaos is injected into the target resource (in seconds). | Default: 30s. For more information, go to chaos duration. |
skipSSLValidation | Skip SSL validation while invoking CF APIs. | Supports true and false. Default: false. For more information, go to skip SSL validation. |
rampTime | Period to wait before and after injecting chaos (in seconds). | Default: 0s. For more information, go to ramp time. |
CF secrets
The following Cloud Foundry secrets reside on the same machine where the chaos infrastructure is executed. These secrets are provided in the /etc/linux-chaos-infrastructure/cf.env file in the following format:
CF_API_ENDPOINT=XXXXXXXXXXXXXXXXXXX
CF_USERNAME=XXXXXXXXXXXXXXXXXXXXXXX
CF_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXX
UAA_SERVER_ENDPOINT=XXXXXXXXXXXXXXX
If the secrets file is not provided, the fault-injector attempts to derive the secrets from environment variables and the config file.
ENV name | Description | Example |
---|---|---|
CF_API_ENDPOINT | API endpoint for the CF setup | https://api.system.cf-setup.com |
CF_USERNAME | Username for the CF user | username |
CF_PASSWORD | Password for the CF user | password |
UAA_SERVER_ENDPOINT | API endpoint for the UAA server for the CF setup | https://uaa.system.cf-setup.com |
Fault injector ENVs and config file
If the /etc/linux-chaos-infrastructure/cf.env file is not provided, the fault-injector attempts to derive the secrets from environment variables or a configuration file. Any secret that is re-declared will be overridden in the following order of decreasing precedence:
- /etc/linux-chaos-infrastructure/cf.env file
- Environment variables
- Configuration file
The configuration file should be provided at /etc/linux-chaos-infrastructure/cf-fault-injector.yaml:
cf-api-endpoint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uaa-server-endpoint: XXXXXXXXXXXXXXXXXXXXXXXXXX
A mapping between all the three formats for providing the secrets is as follows:
cf.env | ENV | cf-fault-injector.yaml |
---|---|---|
CF_API_ENDPOINT | CF_API_ENDPOINT | cf-api-endpoint |
CF_USERNAME | USERNAME | username |
CF_PASSWORD | PASSWORD | password |
UAA_SERVER_ENDPOINT | UAA_SERVER_ENDPOINT | uaa-server-endpoint |
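To see which source will actually supply each credential before a fault runs, the precedence order and the name mapping above can be modelled as follows. This is an added example, not the fault-injector's own code; it assumes a secret missing from a higher-precedence source falls through to the next one, and that the configuration file is flat `key: value` YAML.

```python
# Names of each secret per source, from the mapping table above:
# (cf.env key, environment variable, cf-fault-injector.yaml key)
MAPPING = [
    ("CF_API_ENDPOINT", "CF_API_ENDPOINT", "cf-api-endpoint"),
    ("CF_USERNAME", "USERNAME", "username"),
    ("CF_PASSWORD", "PASSWORD", "password"),
    ("UAA_SERVER_ENDPOINT", "UAA_SERVER_ENDPOINT", "uaa-server-endpoint"),
]


def parse_flat(text, sep):
    """Parse flat KEY<sep>value lines; blank lines and # comments are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or sep not in line:
            continue
        key, value = line.split(sep, 1)
        out[key.strip()] = value.strip().strip("'\"")
    return out


def resolve(cf_env_text, environ, config_text):
    """Return {cf.env key: (value, source)}; (None, 'missing') if unset everywhere."""
    sources = [  # decreasing precedence, as documented above
        ("cf.env", parse_flat(cf_env_text, "=")),
        ("environment", dict(environ)),
        ("cf-fault-injector.yaml", parse_flat(config_text, ":")),
    ]
    result = {}
    for names in MAPPING:
        result[names[0]] = (None, "missing")
        for (label, values), name in zip(sources, names):
            if values.get(name):  # assumption: empty values count as unset
                result[names[0]] = (values[name], label)
                break
    return result


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    cf_env = "CF_API_ENDPOINT=https://api.system.cf-setup.com\nCF_USERNAME=chaos-user\n"
    env = {"USERNAME": "env-user", "PASSWORD": "env-pass"}
    cfg = "password: yaml-pass\nuaa-server-endpoint: https://uaa.system.cf-setup.com\n"
    for key, (_, source) in resolve(cf_env, env, cfg).items():
        print(f"{key:<20} <- {source}")  # report the source, never the value
```

Note that the environment variable names for the username and password (USERNAME, PASSWORD) are generic, so a value exported for an unrelated purpose can be picked up when cf.env does not set them.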
vSphere secrets
These secrets are provided only if vSphere is used as the deployment platform for CF.
The following vSphere secrets reside on the same machine where the chaos infrastructure is executed. These secrets are provided in the /etc/linux-chaos-infrastructure/vsphere.env file in the following format:
GOVC_URL=XXXXXXXXXXXXXXXXXXXXXX
GOVC_USERNAME=XXXXXXXXXXXXXXXXX
GOVC_PASSWORD=XXXXXXXXXXXXXXXXX
GOVC_INSECURE=XXXXXXXXXXXXXXXXX
VM_NAME=XXXXXXXXXXXXXXXXXXXXXXX
VM_USERNAME=XXXXXXXXXXXXXXXXXXX
VM_PASSWORD=XXXXXXXXXXXXXXXXXXX
ENV Name | Description | Notes |
---|---|---|
GOVC_URL | Endpoint for vSphere | For example, 192.168.214.244 |
GOVC_USERNAME | Username for the vSphere user | For example, username |
GOVC_PASSWORD | Password for the vSphere user | For example, password |
GOVC_INSECURE | Skip SSL validation for govc commands | For example, true |
VM_NAME | Name of the vSphere VM where the fault-injector utility is installed | For example, cf-vm |
VM_USERNAME | Username for the VM guest user | For example, root |
VM_PASSWORD | Password for the VM guest user | For example, password |
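Because cf.env, vsphere.env and cf-fault-injector.yaml hold plaintext passwords on the chaos infrastructure host, a pre-run audit of those files is worth having. The following is an added example, not part of the product; the owner-only (0600) expectation is an assumed policy, and the check also flags GOVC_INSECURE when it is enabled.

```python
import os
import stat

# Secrets files named on this page.
SECRET_FILES = [
    "/etc/linux-chaos-infrastructure/cf.env",
    "/etc/linux-chaos-infrastructure/vsphere.env",
    "/etc/linux-chaos-infrastructure/cf-fault-injector.yaml",
]


def audit_secret_file(path):
    """Return a list of findings for one secrets file (empty list means clean)."""
    findings = []
    if not os.path.isfile(path):
        return findings  # each file is optional; nothing to audit
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group or other permission bit set
        findings.append(f"mode {mode:04o} grants group/other access; expected 0600")
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, _, value = line.strip().partition("=")
            if key == "GOVC_INSECURE" and value.strip().lower() in ("true", "1"):
                findings.append("GOVC_INSECURE enabled: govc skips certificate validation")
    return findings


if __name__ == "__main__":
    for secret_path in SECRET_FILES:
        for finding in audit_secret_file(secret_path):
            print(f"{secret_path}: {finding}")
```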
Fault Permissions
Lists all apps that the user or system has visibility into
Required Roles (any one):
- SpaceDeveloper
- SpaceAuditor
- OrgManager
- OrgAuditor
Required OAuth Scopes (any one):
- cloud_controller.read
- cloud_controller.admin
- cloud_controller.global_auditor
Fetch routes associated with a specific app
Required Roles (any one):
- SpaceDeveloper
- SpaceAuditor
Required OAuth Scopes (any one):
- cloud_controller.read
- cloud_controller.admin
- cloud_controller.global_auditor
Remove (unmap) a specific route from the given app
Required Role:
- SpaceDeveloper (in the space where the app exists)
Required OAuth Scopes (any one):
- cloud_controller.write
- cloud_controller.admin
Associate (map) a specific route with an app
Required Role:
- SpaceDeveloper
Required OAuth Scopes (any one):
- cloud_controller.write
- cloud_controller.admin
Host
The host input variable determines the host of the route which is un-mapped.
For example, for a route http://example-app.shared-domain.example.com, the host is example-app.
The following YAML snippet illustrates the use of this input variable:
# host for the route
apiVersion: litmuchaos.io/v1alpha1
kind: LinuxFault
metadata:
  name: cf-app-route-unmap
  labels:
    name: app-route-unmap
spec:
  cfAppRouteUnmap/inputs:
    duration: 30
    faultInjectorLocation: vSphere
    app: cf-app
    organization: dev-org
    space: dev-space
    host: example-app
Path
The path input variable determines the path of the route which is un-mapped.
For example, for a route http://example-app.shared-domain.example.com/abc, the path is /abc.
The following YAML snippet illustrates the use of this input variable:
# host and path for the route
apiVersion: litmuchaos.io/v1alpha1
kind: LinuxFault
metadata:
  name: cf-app-route-unmap
  labels:
    name: app-route-unmap
spec:
  cfAppRouteUnmap/inputs:
    duration: 30
    faultInjectorLocation: vSphere
    app: cf-app
    organization: dev-org
    space: dev-space
    host: example-app
    path: /abc
Fault Injector location
The faultInjectorLocation input determines the fault injector placement with respect to where the LCI is hosted.
It supports one of:
- local: LCI and fault injector are placed in the same machine.
- vSphere: Fault injector is placed in a remote vSphere managed VM.
The following YAML snippet illustrates the use of this environment variable:
# Fault Injector location
apiVersion: litmuchaos.io/v1alpha1
kind: LinuxFault
metadata:
  name: cf-app-container-kill
  labels:
    name: app-container-kill
spec:
  cfAppContainerKill/inputs:
    duration: 30s
    faultInjectorLocation: vSphere
    app: cf-app
    organization: dev-org
    space: dev-space
Skip SSL validation
The skipSSLValidation input variable determines whether to skip SSL validation for calling the CF APIs.
The following YAML snippet illustrates the use of this input variable:
# skip ssl validation for cf
apiVersion: litmuchaos.io/v1alpha1
kind: LinuxFault
metadata:
  name: cf-app-route-unmap
  labels:
    name: app-route-unmap
spec:
  cfAppRouteUnmap/inputs:
    duration: 30
    faultInjectorLocation: vSphere
    app: cf-app
    organization: dev-org
    space: dev-space
    skipSSLValidation: true
Fault injector port
The faultInjectorPort input variable determines the port used for the fault-injector local server.
The following YAML snippet illustrates the use of this input variable:
# fault injector port
apiVersion: litmuchaos.io/v1alpha1
kind: LinuxFault
metadata:
  name: cf-app-route-unmap
  labels:
    name: app-route-unmap
spec:
  cfAppRouteUnmap/inputs:
    duration: 30
    faultInjectorLocation: local
    app: cf-app
    organization: dev-org
    space: dev-space
    faultInjectorPort: 50331