Cloud Controller Blobstore Configuration
This topic explains how to configure a blobstore for the Cloud Controller.
Overview
The cf-deployment GitHub repository provides ops files with several common blobstore configurations.
By default, cf-deployment uses the WebDAV blobstore, and no additional ops files are needed. Note that for a production Cloud Foundry deployment, you should use an external blobstore that guarantees high availability.
If you want to configure your blobstore manually, see the topics below for guidance.
The Cloud Controller has four types of objects that need to be stored in a blobstore: buildpacks, droplets, packages, and resource_pool.
The Cloud Controller supports the Storage CLI for accessing external hyperscaler blobstores on AWS, GCP, AliCloud and Azure. WebDAV is also supported. The Ruby Fog implementation is deprecated and has been removed.
This document describes the following common blobstore configurations:
- Storage CLI with AWS Credentials
- Storage CLI with AWS Server-Side Encryption
- Storage CLI with AWS IAM Instance Profiles
- Storage CLI with Google Cloud Storage Service Accounts
- Storage CLI with AliCloud Storage
- Storage CLI with Other S3 Compatible Stores
- Storage CLI with Azure Storage
- WebDAV internal blobstore
Storage CLI with AWS Credentials
To use the Storage CLI blobstore interface with AWS credentials, do the following:
1. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-DROPLET-BUCKET
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-PACKAGE-BUCKET
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-RESOURCE-BUCKET

2. Replace AWS-ACCESS-KEY and AWS-SECRET-ACCESS-KEY with your AWS credentials. Replace AWS-REGION with the region of your AWS buckets.

3. Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets.

4. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.
Storage CLI with AWS Server-Side Encryption
AWS S3 offers Server-Side Encryption at rest. For more information, see Protecting Data Using Server-Side Encryption.
AWS SSE-S3 blobstore encryption
1. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
          server_side_encryption: AES256
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-DROPLET-BUCKET
          server_side_encryption: AES256
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-PACKAGE-BUCKET
          server_side_encryption: AES256
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-RESOURCE-BUCKET
          server_side_encryption: AES256

2. Replace AWS-ACCESS-KEY and AWS-SECRET-ACCESS-KEY with your AWS credentials. Replace AWS-REGION with the region of your AWS buckets.

3. Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets.

4. Set the value of the server_side_encryption key to a type of encryption algorithm. In the configuration information above, server_side_encryption is set to AES256 to enable AWS SSE-S3 encryption.

5. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.
AWS SSE-KMS blobstore encryption
1. Obtain your KMS Key ID. For information about managing KMS keys, see the AWS Key Management Service Getting Started guide.

2. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
          server_side_encryption: "aws:kms"
          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-DROPLET-BUCKET
          server_side_encryption: "aws:kms"
          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-PACKAGE-BUCKET
          server_side_encryption: "aws:kms"
          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        connection_config:
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          region: AWS-REGION
          bucket_name: YOUR-AWS-RESOURCE-BUCKET
          server_side_encryption: "aws:kms"
          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID

3. Replace AWS-ACCESS-KEY and AWS-SECRET-ACCESS-KEY with your AWS credentials. Replace AWS-REGION with the region of your AWS buckets.

4. Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets.

5. Set the server_side_encryption key to the value aws:kms. Replace YOUR-AWS-KMS-KEY-ID with your KMS Key ID.

6. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.
Storage CLI with AWS IAM Instance Profiles
To configure the Storage CLI to use AWS IAM Instance Profiles, do the following:
1. Configure an additional cloud-controller IAM role with the following policy to give access to the S3 buckets you plan to use:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": [ "s3:*" ],
        "Resource": [
          "arn:aws:s3:::YOUR-AWS-BUILDPACK-BUCKET",
          "arn:aws:s3:::YOUR-AWS-BUILDPACK-BUCKET/*",
          "arn:aws:s3:::YOUR-AWS-DROPLET-BUCKET",
          "arn:aws:s3:::YOUR-AWS-DROPLET-BUCKET/*",
          "arn:aws:s3:::YOUR-AWS-PACKAGE-BUCKET",
          "arn:aws:s3:::YOUR-AWS-PACKAGE-BUCKET/*",
          "arn:aws:s3:::YOUR-AWS-RESOURCE-BUCKET",
          "arn:aws:s3:::YOUR-AWS-RESOURCE-BUCKET/*"
        ]
      }]
    }

2. Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names.

3. If you use the AWS console, an IAM Role is automatically assigned to an IAM Instance Profile with the same name, cloud-controller. If you do not use the AWS console, you must create an IAM Instance Profile with a single assigned IAM Role. For more information, see Step 4: Create an IAM Instance Profile for Your Amazon EC2 Instances in the AWS documentation.

4. In your BOSH cloud config, create a VM extension to add the IAM Instance Profile you created to VMs using the extension.

    vm_extensions:
    - cloud_properties:
        iam_instance_profile: cloud-controller
      name: cloud-controller-iam

5. In your Cloud Foundry deployment manifest, use the cloud-controller-iam VM extension you created for the instance groups containing cloud_controller, cloud_controller_worker, and cloud_controller_clock, as in the example below:

    instance_groups:
    ...
    - name: api
      ...
      vm_extensions:
      - cloud-controller-iam
    ...
    - name: cc-worker
      ...
      vm_extensions:
      - cloud-controller-iam
    ...
    - name: scheduler
      ...
      vm_extensions:
      - cloud-controller-iam

6. Insert the following configuration into your deployment manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        connection_config:
          region: AWS-REGION
          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
          use_iam_profile: true
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        connection_config:
          region: AWS-REGION
          bucket_name: YOUR-AWS-DROPLET-BUCKET
          use_iam_profile: true
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        connection_config:
          region: AWS-REGION
          bucket_name: YOUR-AWS-PACKAGE-BUCKET
          use_iam_profile: true
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        connection_config:
          region: AWS-REGION
          bucket_name: YOUR-AWS-RESOURCE-BUCKET
          use_iam_profile: true

7. Replace AWS-REGION with the region of your AWS buckets.

8. Replace YOUR-AWS-BUILDPACK-BUCKET, YOUR-AWS-DROPLET-BUCKET, YOUR-AWS-PACKAGE-BUCKET, and YOUR-AWS-RESOURCE-BUCKET with the names of your AWS buckets. Do not use periods (.) in your AWS bucket names.

9. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.
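
An added example, not part of the Cloud Foundry documentation or code: a small Ruby lint for the cc fragment of a manifest, checking the rules the three AWS configurations above state or imply before the manifest is deployed. The sample manifest is constructed and trimmed to the keys being checked, the function name lint_s3_blobstores is hypothetical, and flagging a directory key that differs from bucket_name is an assumption based on the examples above always setting both to the same bucket.

```ruby
require 'yaml'

KMS_KEY_ID = 'x-amz-server-side-encryption-aws-kms-key-id'
DIRECTORY_KEYS = {
  'buildpacks'    => 'buildpack_directory_key',
  'droplets'      => 'droplet_directory_key',
  'packages'      => 'app_package_directory_key',
  'resource_pool' => 'resource_directory_key'
}.freeze

# Constructed sample: buildpacks is clean, the other three blobstores each
# carry deliberate mistakes. Bucket names and key values are made up.
SAMPLE_MANIFEST = <<~YAML
  cc:
    buildpacks:
      blobstore_type: storage-cli
      buildpack_directory_key: cf-buildpacks
      connection_config:
        bucket_name: cf-buildpacks
        use_iam_profile: true
        server_side_encryption: AES256
    droplets:
      blobstore_type: storage-cli
      droplet_directory_key: cf.droplets
      connection_config:
        bucket_name: cf.droplets
        use_iam_profile: true
    packages:
      blobstore_type: storage-cli
      app_package_directory_key: cf-packages
      connection_config:
        bucket_name: cf-pkgs
        use_iam_profile: true
        aws_access_key_id: CONSTRUCTED-KEY-ID
        aws_secret_access_key: CONSTRUCTED-SECRET
    resource_pool:
      blobstore_type: fog
      resource_directory_key: cf-resources
      connection_config:
        bucket_name: cf-resources
        use_iam_profile: true
        server_side_encryption: "aws:kms"
YAML

# Returns one "store: finding" string per problem found in the cc hash.
def lint_s3_blobstores(cc)
  DIRECTORY_KEYS.flat_map do |store, dir_key|
    cfg  = cc[store] || {}
    conn = cfg['connection_config'] || {}
    static_keys = conn.key?('aws_access_key_id') || conn.key?('aws_secret_access_key')
    kms_without_key = conn['server_side_encryption'] == 'aws:kms' && !conn.key?(KMS_KEY_ID)
    found = []
    # The Fog implementation has been removed, so only storage-cli is valid.
    found << 'blobstore_type is not storage-cli' unless cfg['blobstore_type'] == 'storage-cli'
    found << 'bucket name contains a period' if conn['bucket_name'].to_s.include?('.')
    found << "#{dir_key} differs from bucket_name" unless cfg[dir_key] == conn['bucket_name']
    # With an instance profile in use, long-lived keys should not stay in the manifest.
    found << 'static keys left next to use_iam_profile' if conn['use_iam_profile'] && static_keys
    found << 'aws:kms without a KMS key id' if kms_without_key
    found.map { |finding| "#{store}: #{finding}" }
  end
end

puts lint_s3_blobstores(YAML.safe_load(SAMPLE_MANIFEST)['cc']) if __FILE__ == $PROGRAM_NAME
```
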
Storage CLI with Google Cloud Storage Service Accounts
To configure your blobstore to use Google Cloud Storage with a service account, do the following:
1. Create a custom Cloud IAM role with the following permissions:

    storage.buckets.create
    storage.buckets.get
    storage.objects.create
    storage.objects.delete
    storage.objects.get
    storage.objects.list

   To create the custom role, follow the Creating and Managing Custom Roles instructions in the GCP documentation. This role will be used for blobstore permissions.

2. Create a service account by following the Creating and Managing Service Accounts instructions in the GCP documentation and grant this service account the role you created in Step 1. For additional information about granting roles to an existing service account, see Granting Roles to a Service Account for Specific Resources in the GCP documentation.

3. Create a service account JSON key for your service account by following the Creating and Managing Service Account Keys instructions in the GCP documentation. You need this key to configure your blobstore.

4. Insert the following configuration in your manifest under properties.cc for the cloud_controller_ng job:

    cc:
      buildpacks: &buildpacks
        blobstore_type: storage-cli
        blobstore_provider: gcs
        buildpack_directory_key: YOUR-GCS-BUILDPACK-BUCKET
        connection_config:
          bucket_name: YOUR-GCS-BUILDPACK-BUCKET
          google_json_key_string: >
            {
              "type": "service_account",
              "project_id": "YOUR-GCS-PROJECT",
              ...
            }
      droplets: &droplets
        blobstore_type: storage-cli
        blobstore_provider: gcs
        droplet_directory_key: YOUR-GCS-DROPLET-BUCKET
        connection_config:
          bucket_name: YOUR-GCS-DROPLET-BUCKET
          google_json_key_string: >
            {
              "type": "service_account",
              "project_id": "YOUR-GCS-PROJECT",
              ...
            }
      packages: &packages
        blobstore_type: storage-cli
        blobstore_provider: gcs
        app_package_directory_key: YOUR-GCS-PACKAGE-BUCKET
        connection_config:
          bucket_name: YOUR-GCS-PACKAGE-BUCKET
          google_json_key_string: >
            {
              "type": "service_account",
              "project_id": "YOUR-GCS-PROJECT",
              ...
            }
      resource_pool: &resource_pool
        blobstore_type: storage-cli
        blobstore_provider: gcs
        resource_directory_key: YOUR-GCS-RESOURCE-BUCKET
        connection_config:
          bucket_name: YOUR-GCS-RESOURCE-BUCKET
          google_json_key_string: >
            {
              "type": "service_account",
              "project_id": "YOUR-GCS-PROJECT",
              ...
            }

   Replace the placeholders as follows:

   - YOUR-GCS-PROJECT is the name of your GCP project.
   - YOUR-GCS-BUILDPACK-BUCKET, YOUR-GCS-DROPLET-BUCKET, YOUR-GCS-PACKAGE-BUCKET, and YOUR-GCS-RESOURCE-BUCKET are the names of your Cloud Storage buckets. Do not use periods in the bucket names.

   In google_json_key_string, provide your Cloud Storage credentials. Use spaces, not tabs, for indentation.

5. To update the cloud_controller_worker and cloud_controller_clock jobs with the same blobstore configuration, insert the following for both jobs under properties.cc:

    cc:
      # note these reference YAML anchors declared in the previous step
      buildpacks: *buildpacks
      droplets: *droplets
      packages: *packages
      resource_pool: *resource_pool
Storage CLI with Azure Storage
To configure your blobstores to use Azure Storage credentials, do the following:
1. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: azurebs
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-AZURE-BUILDPACK-CONTAINER
        connection_config:
          azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
          azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
          container_name: YOUR-AZURE-BUILDPACK-CONTAINER
          environment: AzureCloud
      droplets:
        blobstore_provider: azurebs
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-AZURE-DROPLET-CONTAINER
        connection_config:
          azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
          azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
          container_name: YOUR-AZURE-DROPLET-CONTAINER
          environment: AzureCloud
      packages:
        blobstore_provider: azurebs
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-AZURE-PACKAGE-CONTAINER
        connection_config:
          azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
          azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
          container_name: YOUR-AZURE-PACKAGE-CONTAINER
          environment: AzureCloud
      resource_pool:
        blobstore_provider: azurebs
        blobstore_type: storage-cli
        resource_directory_key: YOUR-AZURE-RESOURCE-CONTAINER
        connection_config:
          azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
          azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
          container_name: YOUR-AZURE-RESOURCE-CONTAINER
          environment: AzureCloud

2. Replace YOUR-AZURE-STORAGE-ACCOUNT-NAME and YOUR-AZURE-STORAGE-ACCESS-KEY with your Azure Storage credentials.

3. Replace YOUR-AZURE-BUILDPACK-CONTAINER, YOUR-AZURE-DROPLET-CONTAINER, YOUR-AZURE-PACKAGE-CONTAINER, and YOUR-AZURE-RESOURCE-CONTAINER with the names of your Cloud Storage containers. Azure container names must consist of only lowercase alphanumeric characters and hyphens. See Azure’s storage name restrictions.

4. You can provide further configuration through the connection_config hash, which is passed through to the Storage CLI implementation.
Storage CLI with AliCloud Object Storage Service (OSS)
To configure an AliCloud OSS blobstore using the storage-cli implementation, do the following:
1. Insert this configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: alioss
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-ALICLOUD-BUILDPACK-CONTAINER
        connection_config:
          aliyun_accesskey_id: YOUR-ALICLOUD-ACCESSKEY-ID
          aliyun_accesskey_secret: YOUR-ALICLOUD-ACCESSKEY-SECRET
          aliyun_oss_bucket: YOUR-ALICLOUD-BUILDPACK-CONTAINER
          aliyun_oss_endpoint: YOUR-ALICLOUD-OSS-ENDPOINT
          aliyun_region_id: YOUR-ALICLOUD-REGION-ID
      droplets:
        blobstore_provider: alioss
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-ALICLOUD-DROPLET-CONTAINER
        connection_config:
          aliyun_accesskey_id: YOUR-ALICLOUD-ACCESSKEY-ID
          aliyun_accesskey_secret: YOUR-ALICLOUD-ACCESSKEY-SECRET
          aliyun_oss_bucket: YOUR-ALICLOUD-DROPLET-CONTAINER
          aliyun_oss_endpoint: YOUR-ALICLOUD-OSS-ENDPOINT
          aliyun_region_id: YOUR-ALICLOUD-REGION-ID
      packages:
        blobstore_provider: alioss
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-ALICLOUD-PACKAGE-CONTAINER
        connection_config:
          aliyun_accesskey_id: YOUR-ALICLOUD-ACCESSKEY-ID
          aliyun_accesskey_secret: YOUR-ALICLOUD-ACCESSKEY-SECRET
          aliyun_oss_bucket: YOUR-ALICLOUD-PACKAGE-CONTAINER
          aliyun_oss_endpoint: YOUR-ALICLOUD-OSS-ENDPOINT
          aliyun_region_id: YOUR-ALICLOUD-REGION-ID
      resource_pool:
        blobstore_provider: alioss
        blobstore_type: storage-cli
        resource_directory_key: YOUR-ALICLOUD-RESOURCE-CONTAINER
        connection_config:
          aliyun_accesskey_id: YOUR-ALICLOUD-ACCESSKEY-ID
          aliyun_accesskey_secret: YOUR-ALICLOUD-ACCESSKEY-SECRET
          aliyun_oss_bucket: YOUR-ALICLOUD-RESOURCE-CONTAINER
          aliyun_oss_endpoint: YOUR-ALICLOUD-OSS-ENDPOINT
          aliyun_region_id: YOUR-ALICLOUD-REGION-ID

2. Replace YOUR-ALICLOUD-ACCESSKEY-ID and YOUR-ALICLOUD-ACCESSKEY-SECRET with your AliCloud OSS credentials.

3. Replace YOUR-ALICLOUD-BUILDPACK-CONTAINER, YOUR-ALICLOUD-DROPLET-CONTAINER, YOUR-ALICLOUD-PACKAGE-CONTAINER, and YOUR-ALICLOUD-RESOURCE-CONTAINER with the names of your AliCloud OSS buckets. For the bucket naming restrictions, see Bucket naming conventions.

4. Replace YOUR-ALICLOUD-OSS-ENDPOINT and YOUR-ALICLOUD-REGION-ID with the endpoint and region of your AliCloud OSS buckets. For more information, see Regions and endpoints in the AliCloud documentation.
Storage CLI with Other S3 Compatible Stores
Using Storage CLI with other S3 compatible stores, such as Minio or EMC Elastic Cloud Storage, is similar to AWS, but requires slightly different configuration:

1. Insert the following configuration into your manifest under properties.cc:

    cc:
      buildpacks:
        blobstore_provider: s3
        blobstore_type: storage-cli
        buildpack_directory_key: YOUR-S3-BUILDPACK-BUCKET
        connection_config:
          endpoint: S3-ENDPOINT
          aws_access_key_id: S3-ACCESS-KEY
          aws_secret_access_key: S3-SECRET-ACCESS-KEY
          region: "''"
          host_style: false
          bucket_name: YOUR-S3-BUILDPACK-BUCKET
      droplets:
        blobstore_provider: s3
        blobstore_type: storage-cli
        droplet_directory_key: YOUR-S3-DROPLET-BUCKET
        connection_config:
          endpoint: S3-ENDPOINT
          aws_access_key_id: S3-ACCESS-KEY
          aws_secret_access_key: S3-SECRET-ACCESS-KEY
          region: "''"
          host_style: false
          bucket_name: YOUR-S3-DROPLET-BUCKET
      packages:
        blobstore_provider: s3
        blobstore_type: storage-cli
        app_package_directory_key: YOUR-S3-PACKAGE-BUCKET
        connection_config:
          endpoint: S3-ENDPOINT
          aws_access_key_id: S3-ACCESS-KEY
          aws_secret_access_key: S3-SECRET-ACCESS-KEY
          region: "''"
          host_style: false
          bucket_name: YOUR-S3-PACKAGE-BUCKET
      resource_pool:
        blobstore_provider: s3
        blobstore_type: storage-cli
        resource_directory_key: YOUR-S3-RESOURCE-BUCKET
        connection_config:
          endpoint: S3-ENDPOINT
          aws_access_key_id: S3-ACCESS-KEY
          aws_secret_access_key: S3-SECRET-ACCESS-KEY
          region: "''"
          host_style: false
          bucket_name: YOUR-S3-RESOURCE-BUCKET

2. Replace S3-ENDPOINT with the URL used to access your S3 API. This will typically look something like http://S3-NAMESPACE.HOST:9020 but may vary for your server or network.

3. Replace S3-ACCESS-KEY and S3-SECRET-ACCESS-KEY with your S3 credentials. This key must have access to all S3 activities on the buckets you will specify below.

4. Replace YOUR-S3-BUILDPACK-BUCKET, YOUR-S3-DROPLET-BUCKET, YOUR-S3-PACKAGE-BUCKET, and YOUR-S3-RESOURCE-BUCKET with the names of your S3 buckets. Do not use periods (.) in your S3 bucket names.

5. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the S3-Specific Configuration.
WebDAV
To configure your blobstores to use the WebDAV protocol, perform the steps below:
1. Ensure your deployment manifest has a single instance of the blobstore job. For a working example, see the example bosh-lite manifest.

2. Insert the following configuration into your manifest under properties.blobstore and properties.cc:

    blobstore:
      admin_users:
      - password: WEBDAV-BASIC-AUTH-PASSWORD
        username: WEBDAV-BASIC-AUTH-USER
      port: 8080
      secure_link:
        secret: WEBDAV-SECRET
      tls:
        cert: WEBDAV-CERT
        port: 4443
        private_key: WEBDAV-PRIVATE-KEY
        ca_cert: WEBDAV-CA-CERT-BUNDLE
    cc:
      buildpacks: &blobstore-properties
        blobstore_type: storage-cli
        blobstore_provider: dav
        connection_config:
          username: WEBDAV-BASIC-AUTH-USER
          password: WEBDAV-BASIC-AUTH-PASSWORD
          private_endpoint: https://blobstore.service.cf.internal:4443
          public_endpoint: https://blobstore.SYSTEM_DOMAIN
          secret: WEBDAV-SECRET
          ca_cert: WEBDAV-CA-CERT-BUNDLE
      resource_pool: *blobstore-properties
      packages: *blobstore-properties
      droplets: *blobstore-properties

3. Configure your WebDAV blobstores by doing the following:

   - Replace WEBDAV-BASIC-AUTH-USER and WEBDAV-BASIC-AUTH-PASSWORD with basic auth credentials that Cloud Controller can use to communicate with your WebDAV installation.
   - Replace WEBDAV-SECRET with a secret phrase used to sign URLs.
   - Replace WEBDAV-CERT, WEBDAV-PRIVATE-KEY, and WEBDAV-CA-CERT-BUNDLE with the TLS configuration used for the internal blobstore.
   - Replace WEBDAV-PUBLIC-ENDPOINT with the public URL that resolves to your WebDAV installation. For example, https://blobstore.SYSTEM-DOMAIN.example.com.
   - Replace WEBDAV-PRIVATE-ENDPOINT with a routable URL on your internal network. If not set, this defaults to https://blobstore.service.cf.internal:4443.

4. (Optional) Provide additional configuration through the connection_config hash, which is passed through to the Storage CLI. For more information about configuration options, see the DAV-Specific Configuration.