Cloud Controller Blobstore Configuration

This topic explains how to configure a blobstore for the Cloud Controller.

Overview

The cf-deployment GitHub repository provides ops files with several common blobstore configurations. By default, cf-deployment uses the WebDAV blobstore, and no additional ops files are needed. For a production Cloud Foundry deployment, use an external blobstore that guarantees high availability. If you want to configure your blobstore manually, see the topics below for guidance.

The Cloud Controller has four types of objects that need to be stored in a blobstore: buildpacks, droplets, packages, and resource_pool.

The Cloud Controller supports the Storage CLI for accessing external hyperscaler blobstores on AWS, GCP, AliCloud, and Azure. WebDAV is also supported. The Ruby Fog implementation is deprecated and has been removed.

This document describes the following common blobstore configurations:

Storage CLI with AWS Credentials

To use the Storage CLI blobstore interface with AWS credentials, do the following:

  1. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-DROPLET-BUCKET
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-PACKAGE-BUCKET
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-RESOURCE-BUCKET
    
  2. Replace AWS-ACCESS-KEY and AWS-SECRET-ACCESS-KEY with your AWS credentials. Replace AWS-REGION with the region of your AWS buckets.

  3. Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets.

  4. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.

Storage CLI with AWS Server-Side Encryption

AWS S3 offers Server-Side Encryption at rest. For more information, see Protecting Data Using Server-Side Encryption.

AWS SSE-S3 blobstore encryption

  1. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
          server_side_encryption: AES256
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-DROPLET-BUCKET
          server_side_encryption: AES256
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-PACKAGE-BUCKET
          server_side_encryption: AES256
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-RESOURCE-BUCKET
          server_side_encryption: AES256
    
  2. Replace AWS-ACCESS-KEY and AWS-SECRET-ACCESS-KEY with your AWS credentials. Replace AWS-REGION with the region of your AWS buckets.

  3. Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets.

  4. Set the value of the server_side_encryption key to a type of encryption algorithm. In the configuration information above, server_side_encryption is set to AES256 to enable AWS SSE-S3 encryption.

  5. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.

AWS SSE-KMS blobstore encryption

  1. Obtain your KMS Key ID. For information about managing KMS keys, see the AWS Key Management Service Getting Started guide.

  2. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
          server_side_encryption: "aws:kms"
          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-DROPLET-BUCKET
          server_side_encryption: "aws:kms"
          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-PACKAGE-BUCKET
          server_side_encryption: "aws:kms"
          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-RESOURCE-BUCKET
          server_side_encryption: "aws:kms"
          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
    
  3. Replace AWS-ACCESS-KEY and AWS-SECRET-ACCESS-KEY with your AWS credentials. Replace AWS-REGION with the region of your AWS buckets.

  4. Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets.

  5. Set the server_side_encryption key to the value aws:kms. Replace YOUR-AWS-KMS-KEY-ID with your KMS Key ID.

  6. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.
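
The bucket and server_side_encryption settings above are repeated in all four sections, so a section that was missed or mistyped is easy to overlook. The following Ruby lint is an added example, not part of cf-deployment or the Storage CLI; it assumes the directory key and bucket_name name the same bucket, as in the samples above, and runs over a constructed manifest.

```ruby
require 'yaml'

# Section name => key that repeats the bucket name in that section.
SECTIONS = {
  'buildpacks' => 'buildpack_directory_key',
  'droplets' => 'droplet_directory_key',
  'packages' => 'app_package_directory_key',
  'resource_pool' => 'resource_directory_key'
}.freeze
KMS_KEY_FIELD = 'x-amz-server-side-encryption-aws-kms-key-id'

# Returns a list of findings for the S3 blobstore settings under cc.
def lint_s3_blobstores(manifest_yaml)
  cc = YAML.safe_load(manifest_yaml)['cc'] || {}
  findings = []
  modes = []
  SECTIONS.each do |section, dir_key|
    cfg = cc[section]
    next findings << "#{section}: section missing" if cfg.nil?

    conn = cfg['connection_config'] || {}
    bucket = conn['bucket_name'].to_s
    findings << "#{section}: blobstore_type is not storage-cli" unless cfg['blobstore_type'] == 'storage-cli'
    # Assumption of this example: both keys name the same bucket, as in the page's samples.
    findings << "#{section}: #{dir_key} differs from bucket_name" unless cfg[dir_key].to_s == bucket
    findings << "#{section}: bucket name contains a period" if bucket.include?('.')
    sse = conn['server_side_encryption']
    modes << sse
    case sse
    when nil then findings << "#{section}: server_side_encryption not set"
    when 'AES256' then nil # SSE-S3 needs no further keys
    when 'aws:kms'
      findings << "#{section}: aws:kms without #{KMS_KEY_FIELD}" if conn[KMS_KEY_FIELD].to_s.empty?
    else findings << "#{section}: server_side_encryption #{sse.inspect} is not AES256 or aws:kms"
    end
  end
  findings << 'server_side_encryption differs between sections' if modes.uniq.size > 1
  findings
end

# Constructed sample manifest (bucket names are made up, credentials omitted).
SAMPLE = <<~MANIFEST
  cc:
    buildpacks:
      blobstore_provider: s3
      blobstore_type: storage-cli
      buildpack_directory_key: cf-buildpacks
      connection_config:
        bucket_name: cf-buildpacks
        server_side_encryption: AES256
    droplets:
      blobstore_provider: s3
      blobstore_type: storage-cli
      droplet_directory_key: cf.droplets
      connection_config:
        bucket_name: cf.droplets
        server_side_encryption: AES256
    packages:
      blobstore_provider: s3
      blobstore_type: storage-cli
      app_package_directory_key: cf-packages
      connection_config:
        bucket_name: cf-packages
    resource_pool:
      blobstore_provider: s3
      blobstore_type: storage-cli
      resource_directory_key: cf-resources
      connection_config:
        bucket_name: cf-resources
        server_side_encryption: "aws:kms"
MANIFEST

puts lint_s3_blobstores(SAMPLE)
```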

Storage CLI with AWS IAM Instance Profiles

To configure the Storage CLI to use AWS IAM Instance Profiles, do the following:

  1. Configure an additional cloud-controller IAM role with the following policy to give access to the S3 buckets you plan to use:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": [ "s3:*" ],
        "Resource": [
          "arn:aws:s3:::YOUR-AWS-BUILDPACK-BUCKET",
          "arn:aws:s3:::YOUR-AWS-BUILDPACK-BUCKET/*",
          "arn:aws:s3:::YOUR-AWS-DROPLET-BUCKET",
          "arn:aws:s3:::YOUR-AWS-DROPLET-BUCKET/*",
          "arn:aws:s3:::YOUR-AWS-PACKAGE-BUCKET",
          "arn:aws:s3:::YOUR-AWS-PACKAGE-BUCKET/*",
          "arn:aws:s3:::YOUR-AWS-RESOURCE-BUCKET",
          "arn:aws:s3:::YOUR-AWS-RESOURCE-BUCKET/*"
        ]
      }]
    }
    

    Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names.

    If you use the AWS console, an IAM Role is automatically assigned to an IAM Instance Profile with the same name, cloud-controller. If you do not use the AWS console, you must create an IAM Instance Profile with a single assigned IAM Role. For more information, see Step 4: Create an IAM Instance Profile for Your Amazon EC2 Instances in the AWS documentation.

  2. In your BOSH cloud config, create a VM extension to add the IAM Instance Profile you created to VMs using the extension.

    vm_extensions:
    - cloud_properties:
        iam_instance_profile: cloud-controller
      name: cloud-controller-iam
    
  3. In your Cloud Foundry deployment manifest, use the cloud-controller-iam VM extension you created for the instance groups containing cloud_controller, cloud_controller_worker, and cloud_controller_clock, as in the example below:

    instance_groups:
    ...
    - name: api
      ...
      vm_extensions:
      - cloud-controller-iam
    ...
    - name: cc-worker
      ...
      vm_extensions:
      - cloud-controller-iam
    ...
    - name: scheduler
      ...
      vm_extensions:
      - cloud-controller-iam
    
  4. Insert the following configuration into your deployment manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        connection_config:
          region: AWS-REGION
          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
          use_iam_profile: true
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        connection_config:
          region: AWS-REGION
          bucket_name: YOUR-AWS-DROPLET-BUCKET
          use_iam_profile: true
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        connection_config:
          region: AWS-REGION
          bucket_name: YOUR-AWS-PACKAGE-BUCKET
          use_iam_profile: true
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        connection_config:
          region: AWS-REGION
          bucket_name: YOUR-AWS-RESOURCE-BUCKET
          use_iam_profile: true
    
  5. Replace AWS-REGION with the region of your AWS buckets.

  6. Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names.

  7. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.
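
A check for steps 1 and 4 above, as an added example that is not part of Cloud Foundry or the AWS tooling: it compares the buckets named under properties.cc with the Resource ARNs of the role policy and flags static keys left in an instance-profile configuration. The bucket names, policy and manifest are constructed sample input; the comparison is an exact string match, so wildcard ARNs are reported rather than expanded.

```ruby
require 'json'
require 'yaml'

SECTIONS = %w[buildpacks droplets packages resource_pool].freeze
STATIC_KEYS = %w[aws_access_key_id aws_secret_access_key].freeze

# Compares the buckets in properties.cc with the role policy's Resource ARNs.
# Exact string match only: wildcard ARNs are reported, not expanded.
def audit_instance_profile(policy_json, manifest_yaml)
  cc = YAML.safe_load(manifest_yaml)['cc'] || {}
  findings = []
  buckets = []
  SECTIONS.each do |section|
    conn = cc.dig(section, 'connection_config') || {}
    buckets << conn['bucket_name'] if conn['bucket_name']
    findings << "#{section}: use_iam_profile is not true" unless conn['use_iam_profile'] == true
    (STATIC_KEYS & conn.keys).each do |key|
      findings << "#{section}: static credential #{key} present in an instance-profile setup"
    end
  end
  # Each bucket needs the bucket ARN and the object ARN, as in the policy in step 1.
  expected = buckets.uniq.flat_map { |b| ["arn:aws:s3:::#{b}", "arn:aws:s3:::#{b}/*"] }
  statements = JSON.parse(policy_json)['Statement']
  statements = [statements] if statements.is_a?(Hash) # IAM also accepts a single object
  granted = statements.select { |s| s['Effect'] == 'Allow' }
                      .flat_map { |s| Array(s['Resource']) }
  (expected - granted).each { |arn| findings << "policy does not cover #{arn}" }
  (granted - expected).each { |arn| findings << "policy grants access beyond the blobstore buckets: #{arn}" }
  findings
end

# Constructed sample policy: one object ARN is missing and one wildcard was added.
SAMPLE_POLICY = <<~POLICY
  {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": [ "s3:*" ],
      "Resource": [
        "arn:aws:s3:::cf-buildpacks", "arn:aws:s3:::cf-buildpacks/*",
        "arn:aws:s3:::cf-droplets", "arn:aws:s3:::cf-droplets/*",
        "arn:aws:s3:::cf-packages", "arn:aws:s3:::cf-packages/*",
        "arn:aws:s3:::cf-resources",
        "arn:aws:s3:::*"
      ]
    }]
  }
POLICY

# Constructed sample manifest, reduced to the fields this check reads.
SAMPLE_MANIFEST = <<~MANIFEST
  cc:
    buildpacks:
      connection_config:
        bucket_name: cf-buildpacks
        use_iam_profile: true
    droplets:
      connection_config:
        aws_access_key_id: AWS-ACCESS-KEY
        bucket_name: cf-droplets
        use_iam_profile: true
    packages:
      connection_config:
        bucket_name: cf-packages
        use_iam_profile: true
    resource_pool:
      connection_config:
        bucket_name: cf-resources
        use_iam_profile: true
MANIFEST

puts audit_instance_profile(SAMPLE_POLICY, SAMPLE_MANIFEST)
```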

Storage CLI with Google Cloud Storage Service Accounts

To configure your blobstore to use Google Cloud Storage with a service account, do the following:

  1. Create a custom Cloud IAM role with the following permissions:

    storage.buckets.create
    storage.buckets.get
    storage.objects.create
    storage.objects.delete
    storage.objects.get
    storage.objects.list
    

    To create the custom role, follow the Creating and Managing Custom Roles instructions in the GCP documentation. This role will be used for blobstore permissions.

  2. Create a service account by following the Creating and Managing Service Accounts instructions in the GCP documentation and grant this service account the role you created in Step 1. For additional information about granting roles to an existing service account, see Granting Roles to a Service Account for Specific Resources in the GCP documentation.

  3. Create a service account JSON key for your service account by following the Creating and Managing Service Account Keys instructions in the GCP documentation. You need this key to configure your blobstore.

  4. Insert the following configuration in your manifest under properties.cc for the cloud_controller_ng job:

    cc:
      buildpacks: &buildpacks
        blobstore_type: storage-cli
        blobstore_provider: gcs
        buildpack_directory_key: YOUR-GCS-BUILDPACK-BUCKET
        connection_config:
          bucket_name: YOUR-GCS-BUILDPACK-BUCKET
          google_json_key_string: >
            {
              "type": "service_account",
              "project_id": "YOUR-GCS-PROJECT",
              ...
            }
      droplets: &droplets
        blobstore_type: storage-cli
        blobstore_provider: gcs
        droplet_directory_key: YOUR-GCS-DROPLET-BUCKET
        connection_config:
          bucket_name: YOUR-GCS-DROPLET-BUCKET
          google_json_key_string: >
            {
              "type": "service_account",
              "project_id": "YOUR-GCS-PROJECT",
              ...
            }
      packages: &packages
        blobstore_type: storage-cli
        blobstore_provider: gcs
        app_package_directory_key: YOUR-GCS-PACKAGE-BUCKET
        connection_config:
          bucket_name: YOUR-GCS-PACKAGE-BUCKET
          google_json_key_string: >
            {
              "type": "service_account",
              "project_id": "YOUR-GCS-PROJECT",
              ...
            }
      resource_pool: &resource_pool
        blobstore_type: storage-cli
        blobstore_provider: gcs
        resource_directory_key: YOUR-GCS-RESOURCE-BUCKET
        connection_config:
          bucket_name: YOUR-GCS-RESOURCE-BUCKET
          google_json_key_string: >
            {
              "type": "service_account",
              "project_id": "YOUR-GCS-PROJECT",
              ...
            }
    

    Replace the placeholders as follows:

    • YOUR-GCS-PROJECT is the name of your GCP project.
    • YOUR-GCS-BUILDPACK-BUCKET, YOUR-GCS-DROPLET-BUCKET, YOUR-GCS-PACKAGE-BUCKET, and YOUR-GCS-RESOURCE-BUCKET are the names of your Cloud Storage buckets. Do not use periods in the bucket names.

    In google_json_key_string, provide your Cloud Storage credentials. Use spaces, not tabs, for indentation.

  5. To update the cloud_controller_worker and cloud_controller_clock jobs with the same blobstore configuration, insert the following for both jobs under properties.cc:

    cc:
      # note these reference YAML anchors declared in the previous step
      buildpacks: *buildpacks
      droplets: *droplets
      packages: *packages
      resource_pool: *resource_pool
    

Storage CLI with Azure Storage

To configure your blobstores to use Azure Storage credentials, do the following:

  1. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: azurebs
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AZURE-BUILDPACK-CONTAINER
        connection_config:
          azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
          azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
          container_name: YOUR-AZURE-BUILDPACK-CONTAINER
          environment: AzureCloud
      droplets:
        blobstore_provider: azurebs
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AZURE-DROPLET-CONTAINER
        connection_config:
          azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
          azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
          container_name: YOUR-AZURE-DROPLET-CONTAINER
          environment: AzureCloud
      packages:
        blobstore_provider: azurebs
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AZURE-PACKAGE-CONTAINER
        connection_config:
          azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
          azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
          container_name: YOUR-AZURE-PACKAGE-CONTAINER
          environment: AzureCloud
      resource_pool:
        blobstore_provider: azurebs
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AZURE-RESOURCE-CONTAINER
        connection_config:
          azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
          azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
          container_name: YOUR-AZURE-RESOURCE-CONTAINER
          environment: AzureCloud
    
  2. Replace YOUR-AZURE-STORAGE-ACCOUNT-NAME and YOUR-AZURE-STORAGE-ACCESS-KEY with your Azure Storage credentials.

  3. Replace YOUR-AZURE-BUILDPACK-CONTAINER, YOUR-AZURE-DROPLET-CONTAINER, YOUR-AZURE-PACKAGE-CONTAINER, and YOUR-AZURE-RESOURCE-CONTAINER with the names of your Cloud Storage containers. Azure container names must consist of only lowercase alphanumeric characters and hyphens. See Azure’s storage name restrictions.

  4. You can provide further configuration through the connection_config hash, which is passed through to the Storage CLI implementation.

Storage CLI with AliCloud Object Storage Service (OSS)

To configure an AliCloud OSS blobstore using the storage-cli implementation, do the following:

  1. Insert this configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: alioss
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-ALICLOUD-BUILDPACK-CONTAINER
        connection_config:
          aliyun_accesskey_id: YOUR-ALICLOUD-ACCESSKEY-ID
          aliyun_accesskey_secret: YOUR-ALICLOUD-ACCESSKEY-SECRET
          aliyun_oss_bucket: YOUR-ALICLOUD-BUILDPACK-CONTAINER
          aliyun_oss_endpoint: YOUR-ALICLOUD-OSS-ENDPOINT
          aliyun_region_id: YOUR-ALICLOUD-REGION-ID
      droplets:
        blobstore_provider: alioss
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-ALICLOUD-DROPLET-CONTAINER
        connection_config:
          aliyun_accesskey_id: YOUR-ALICLOUD-ACCESSKEY-ID
          aliyun_accesskey_secret: YOUR-ALICLOUD-ACCESSKEY-SECRET
          aliyun_oss_bucket: YOUR-ALICLOUD-DROPLET-CONTAINER
          aliyun_oss_endpoint: YOUR-ALICLOUD-OSS-ENDPOINT
          aliyun_region_id: YOUR-ALICLOUD-REGION-ID
      packages:
        blobstore_provider: alioss
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-ALICLOUD-PACKAGE-CONTAINER
        connection_config:
          aliyun_accesskey_id: YOUR-ALICLOUD-ACCESSKEY-ID
          aliyun_accesskey_secret: YOUR-ALICLOUD-ACCESSKEY-SECRET
          aliyun_oss_bucket: YOUR-ALICLOUD-PACKAGE-CONTAINER
          aliyun_oss_endpoint: YOUR-ALICLOUD-OSS-ENDPOINT
          aliyun_region_id: YOUR-ALICLOUD-REGION-ID
      resource_pool:
        blobstore_provider: alioss
        blobstore_type: storage-cli
        resource_directory_key: YOUR-ALICLOUD-RESOURCE-CONTAINER
        connection_config:
          aliyun_accesskey_id: YOUR-ALICLOUD-ACCESSKEY-ID
          aliyun_accesskey_secret: YOUR-ALICLOUD-ACCESSKEY-SECRET
          aliyun_oss_bucket: YOUR-ALICLOUD-RESOURCE-CONTAINER
          aliyun_oss_endpoint: YOUR-ALICLOUD-OSS-ENDPOINT
          aliyun_region_id: YOUR-ALICLOUD-REGION-ID
    
  2. Replace YOUR-ALICLOUD-ACCESSKEY-ID and YOUR-ALICLOUD-ACCESSKEY-SECRET with your AliCloud OSS credentials.

  3. Replace YOUR-ALICLOUD-BUILDPACK-CONTAINER, YOUR-ALICLOUD-DROPLET-CONTAINER, YOUR-ALICLOUD-PACKAGE-CONTAINER, and YOUR-ALICLOUD-RESOURCE-CONTAINER with the names of your AliCloud OSS buckets. For the bucket naming restrictions, see Bucket naming conventions.

  4. Replace YOUR-ALICLOUD-OSS-ENDPOINT and YOUR-ALICLOUD-REGION-ID with the endpoint and region of your AliCloud OSS buckets. For more information, see Regions and endpoints in the AliCloud documentation.

Storage CLI with Other S3 Compatible Stores

Using the Storage CLI with other S3 compatible stores, such as Minio or EMC Elastic Cloud Storage, is similar to AWS, but requires a slightly different configuration:

  1. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-S3-BUILDPACK-BUCKET
        connection_config:
          endpoint: S3-ENDPOINT
          aws_access_key_id: S3-ACCESS-KEY
          aws_secret_access_key: S3-SECRET-ACCESS-KEY
          region: "''"
          host_style: false
          bucket_name: YOUR-S3-BUILDPACK-BUCKET
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-S3-DROPLET-BUCKET
        connection_config:
          endpoint: S3-ENDPOINT
          aws_access_key_id: S3-ACCESS-KEY
          aws_secret_access_key: S3-SECRET-ACCESS-KEY
          region: "''"
          host_style: false
          bucket_name: YOUR-S3-DROPLET-BUCKET
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-S3-PACKAGE-BUCKET
        connection_config:
          endpoint: S3-ENDPOINT
          aws_access_key_id: S3-ACCESS-KEY
          aws_secret_access_key: S3-SECRET-ACCESS-KEY
          region: "''"
          host_style: false
          bucket_name: YOUR-S3-PACKAGE-BUCKET
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-S3-RESOURCE-BUCKET
        connection_config:
          endpoint: S3-ENDPOINT
          aws_access_key_id: S3-ACCESS-KEY
          aws_secret_access_key: S3-SECRET-ACCESS-KEY
          region: "''"
          host_style: false
          bucket_name: YOUR-S3-RESOURCE-BUCKET
    
  2. Replace S3-ENDPOINT with the URL used to access your S3 API. This will typically look something like http://S3-NAMESPACE.HOST:9020 but may vary for your server or network.

  3. Replace S3-ACCESS-KEY and S3-SECRET-ACCESS-KEY with your S3 credentials. This key must have access to all S3 activities on the buckets you will specify below.

  4. Replace YOUR-S3-BUILDPACK-BUCKET, YOUR-S3-DROPLET-BUCKET, YOUR-S3-PACKAGE-BUCKET, and YOUR-S3-RESOURCE-BUCKET with the names of your S3 buckets. Do not use periods (.) in your S3 bucket names.

  5. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.

WebDAV

To configure your blobstores to use the WebDAV protocol, perform the steps below:

  1. Ensure your deployment manifest has a single instance of the blobstore job. For a working example, see the example bosh-lite manifest.

  2. Insert the following configuration into your manifest under properties.blobstore and properties.cc:

    blobstore:
      admin_users:
      - password: WEBDAV-BASIC-AUTH-PASSWORD
        username: WEBDAV-BASIC-AUTH-USER
      port: 8080
      secure_link:
        secret: WEBDAV-SECRET
      tls:
        cert: WEBDAV-CERT
        port: 4443
        private_key: WEBDAV-PRIVATE-KEY
        ca_cert: WEBDAV-CA-CERT-BUNDLE
    cc:
      buildpacks: &blobstore-properties
        blobstore_type: storage-cli
        blobstore_provider: dav
        connection_config:
          username: WEBDAV-BASIC-AUTH-USER
          password: WEBDAV-BASIC-AUTH-PASSWORD
          private_endpoint: https://blobstore.service.cf.internal:4443
          public_endpoint: https://blobstore.SYSTEM_DOMAIN
          secret: WEBDAV-SECRET
          ca_cert: WEBDAV-CA-CERT-BUNDLE
      resource_pool: *blobstore-properties
      packages: *blobstore-properties
      droplets: *blobstore-properties
    
  3. Configure your WebDAV blobstores by doing the following:

    • Replace WEBDAV-BASIC-AUTH-USER and WEBDAV-BASIC-AUTH-PASSWORD with Basic Auth credentials that Cloud Controller can use to communicate with your WebDAV installation.
    • Replace WEBDAV-SECRET with a secret phrase used to sign URLs.
    • Replace WEBDAV-CERT, WEBDAV-PRIVATE-KEY, and WEBDAV-CA-CERT-BUNDLE with the TLS configuration used for the internal blobstore.
    • Set public_endpoint (WEBDAV-PUBLIC-ENDPOINT) to the public URL that resolves to your WebDAV installation. For example, https://blobstore.SYSTEM-DOMAIN.example.com.
    • Set private_endpoint (WEBDAV-PRIVATE-ENDPOINT) to a routable URL on your internal network. If not set, this defaults to https://blobstore.service.cf.internal:4443.
  4. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the DAV-Specific Configuration.
