Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Configuration reference

Field-by-field schema reference for the workspace config.yaml. Source of truth is the Workspace struct in internal/config/workspace.go; this chapter is the human-readable rendering of those tags.

Chapter 12 — Workspace config is the teaching chapter; this one is the lookup chapter. Use chapter 12 to learn the shape, use this one to look up the type of a specific field.

File location and lifecycle

PropertyValue
Path~/.roksbnkctl/<workspace>/config.yaml
Default workspacedefault (auto-created on first run)
Overridable homeROKSBNKCTL_HOME env var (defaults to ~/.roksbnkctl/)
Mode0644
Created byroksbnkctl init
Updated byroksbnkctl init --upgrade-tf, roksbnkctl kubeconfig --download, hand-editing

The file is hand-editable; YAML is parsed with gopkg.in/yaml.v3 so anchors and aliases work but are not idiomatic for this file. Plaintext credentials in any of the regex-matched secret fields (api_key, apikey, password, token, secret_access_key, hmac_secret) are rejected at load time — the file fails to parse with a clear error. Base64-encoded credentials in ibmcloud.api_key_b64 are allowed (the field name doesn’t match the rejection regex). See Chapter 14.

Top-level structure

ibmcloud:        # required
cluster:         # required
bnk:             # optional; populates upstream HCL bnk variables
test:            # optional; populates test.* settings
tf_source:       # required (defaults to embedded if omitted)
cos:             # optional; supply-chain auto-upload
targets:         # optional; populated automatically by up's post-apply hook
exec:            # optional; per-tool default-backend map

The order of the top-level keys in the file doesn’t matter; YAML is a mapping. The order shown above is the canonical render order produced by roksbnkctl init.

ibmcloud: block

ibmcloud:
  region: ca-tor
  resource_group: default
  api_key_source: keychain
  api_key_b64: <base64>
FieldTypeDefaultAllowedNotes
regionstring— (prompted by init)any IBM Cloud region: us-south, us-east, ca-tor, eu-de, eu-gb, jp-tok, au-syd, etc.The IBM Cloud region for all cluster + COS resources. Crosses module boundaries — must match the upstream HCL’s ibmcloud_cluster_region.
resource_groupstringdefaultany RG name in the accountThe resource group cluster + COS resources are provisioned into.
api_key_sourcestring(resolver chain runs)env | keychain | config | promptPins the resolver to a single source rather than walking the chain. Set explicitly when you want predictable behaviour in CI. See Chapter 14 §“Pinning a single source”.
api_key_b64stringbase64-encoded API keyObfuscation, not encryption — anyone with file-read access decodes instantly. For single-user dev only; never commit. The field name deliberately doesn’t match the plaintext-secret rejection regex.

cluster: block

cluster:
  create: true
  name: tf-openshift-cluster
  openshift_version: "4.18"
  workers_per_zone: 1
FieldTypeDefaultAllowedNotes
createbooltruetrue | falsetrue provisions a new ROKS cluster; false attaches to an existing one (set name to the existing cluster’s name or ID).
namestring— (prompted by init)RFC 1123 DNS labelThe cluster name. Used as the OpenShift cluster identity and as the resource group disambiguator.
openshift_versionstring4.18any version IBM Cloud’s catalog acceptsPinned to a minor (4.18) rather than patch — IBM ships continuous patch updates within a minor. Leave empty for “latest”.
workers_per_zoneinteger11+Worker nodes provisioned per availability zone. Multiply by the zone count (typically 3) for the total cluster size. BNK needs ≥1 worker; production deployments use 2-3 per zone.

bnk: block

bnk:
  cneinstance_size: Small
  far_repo_url: repo.f5.com
  manifest_version: 2.3.0-3.2598.3-0.0.170
FieldTypeDefaultAllowedNotes
cneinstance_sizestringSmallSmall | Medium | LargeSizing for the deployed CNE Instance. Renders into the upstream HCL cneinstance_deployment_size variable.
far_repo_urlstringrepo.f5.comURL of a Docker-compatible image registryThe image registry FLO pulls FAR container images from. Override for air-gapped installs pointing at a local mirror.
manifest_versionstring2.3.0-3.2598.3-0.0.170a published f5-bigip-k8s-manifest chart versionPins the FLO + CIS versions transitively (both are extracted from the manifest chart).

All three fields are optional; omitting renders the HCL’s own defaults. See Chapter 13 — Terraform variables for the upstream defaults.

test: block

test:
  throughput:
    image: ghcr.io/jgruberf5/roksbnkctl-tools-iperf3:v0.9.0
    duration: 30
    streams: 8
    default_mode: north-south
  connectivity:
    extra_hosts:
      - https://www.example.com/healthz
      - https://internal.bnk.local/status
  dns:
    resolvers:
      google: "8.8.8.8:53"
      cloudflare: "1.1.1.1:53"
      gslb-vip: "169.45.91.5:53"
    default_target: www.example.com

test.throughput

FieldTypeDefaultAllowedNotes
imagestringnetworkstatic/iperf3:latestany iperf3 Docker imageThe image used for both server pod and client Job. The default runs as root and fails on OpenShift’s restricted-v2; use the bundled image ghcr.io/jgruberf5/roksbnkctl-tools-iperf3:<v> for SCC-clean installs. See Chapter 22.
durationinteger301-300 (seconds)The iperf3 -t flag — test duration in seconds.
streamsinteger81-128The iperf3 -P flag — parallel TCP streams.
default_modestringnorth-southnorth-south | east-westDefault --mode when not passed on the command line.

test.connectivity

FieldTypeDefaultAllowedNotes
extra_hostslist of string(empty)URLsEach URL is probed via HTTP GET; pass criterion is a 2xx response. The v1.0 shape is a bare list — no per-host method, expected-status, or TLS-trust override. Use --insecure (session-wide) for self-signed certs. See Chapter 20 §“Configuring extra_hosts”.

test.dns

FieldTypeDefaultAllowedNotes
resolversmap[string]string(empty)name → <ip>[:<port>]Friendly-name aliases for --server <name>. Lets workspace config push GSLB VIP addresses out of the command line.
default_targetstring(empty)DNS nameDefault --target when not passed on the command line. Useful for “always probe this name”.

tf_source: block

tf_source:
  type: embedded         # or: github | local
  repo: jgruberf5/roksbnkctl-tf
  ref: v1.0.0
  path: /path/to/checkout
FieldTypeDefaultAllowedNotes
typestringembeddedembedded | github | localWhere the Terraform source comes from. embedded uses the HCL bundled into the binary at compile time via //go:embed. github downloads a tarball from a GitHub release. local points at a directory on disk.
repostringowner/name formRequired for type: github. The GitHub repo holding the HCL.
refstringa tag, branch, or SHARequired for type: github. The release tag or git ref to fetch.
pathstringabsolute or relative directoryRequired for type: local. The on-disk directory containing main.tf.

Most users want embedded (the default). The github mode is for testing forks or pinning to an upstream tag that’s newer than the bundled one. The local mode is for active development on the HCL itself.

cos: block

cos:
  instance: bnk-orchestration
  bucket: bnk-schematics-resources
  upload:
    - source: ./local/f5-far-auth-key.tgz
      key: f5-far-auth-key.tgz
    - source: ./local/trial.jwt
      key: trial.jwt
FieldTypeDefaultAllowedNotes
instancestringCOS instance name or CRNThe instance the supply-chain bucket lives on. Names are resolved via Resource Controller at runtime.
bucketstringS3 bucket nameThe bucket within the instance.
uploadlist of {source, key}(empty)host path → bucket keyPre-flight uploads run before roksbnkctl up. Idempotent — re-running overwrites the bucket objects.

See Chapter 25 — COS supply chain management for the full surface.

targets: block

targets:
  jumphost:
    host: 169.45.91.10
    port: 22
    user: ubuntu
    key_path: /path/to/private/key.pem      # one of key_path
    key_source: tf-output:jumphost_shared_key  # ...or key_source

The top-level value is a map; the key is the target name (jumphost, eu-bastion, etc.). Each entry:

FieldTypeDefaultAllowedNotes
hoststringhostname or IPThe SSH endpoint. IPv6 literals must be unbracketed (the SSH client brackets internally).
portinteger221-65535SSH port.
userstringa username on the targetTypically ubuntu for HCL-provisioned jumphosts (cloud-init writes the user); root for direct-IBM-Cloud Linux VSIs.
key_pathstringa path to a PEM fileOne of key_path or key_source is required. Path to the PEM-encoded private key.
key_sourcestringagent | tf-output:<output-name>The other “key source” form. agent uses ssh-agent; tf-output:<name> reads the named terraform output as the PEM.

Auto-populated by roksbnkctl up post-apply for the upstream HCL’s TGW jumphost when testing_create_tgw_jumphost = true. See Chapter 15 — SSH targets and Chapter 16 — The --on flag.

exec: block

exec:
  ibmcloud:  { backend: local }
  iperf3:    { backend: k8s }
  terraform: { backend: local }

Top-level value is a map keyed by tool name. Each entry has one field:

FieldTypeDefaultAllowedNotes
backendstringlocallocal | docker | k8s | ssh:<target>The default execution backend for this tool. A --backend <value> flag on the command line overrides the workspace config for that single invocation.

The per-tool defaults at v1.0:

ToolDefault backendSupported backends
terraformlocallocal, docker (k8s and ssh deferred to v1.x)
ibmcloudlocallocal, docker, k8s, ssh:<target>
iperf3k8slocal, k8s, ssh:<target> (docker rejected)
dnslocallocal, k8s, ssh:<target> (docker rejected)

See Chapter 17 — Execution backends and Chapter 18 — Choosing a backend per tool.

Field-by-field reference table

Sorted by top-level block. Lookup-friendly. Every field that appears in internal/config/workspace.go.

PathTypeDefaultNotes
ibmcloud.regionstring(prompted)IBM Cloud region (ca-tor, us-south, …).
ibmcloud.resource_groupstringdefaultResource group name.
ibmcloud.api_key_sourcestring(chain)env | keychain | config | prompt.
ibmcloud.api_key_b64string(empty)Base64-encoded API key. Obfuscation only.
cluster.createbooltrueProvision new vs attach existing.
cluster.namestring(prompted)Cluster name.
cluster.openshift_versionstring4.18OpenShift minor version.
cluster.workers_per_zoneinteger1Workers per AZ.
bnk.cneinstance_sizestringSmallSmall | Medium | Large.
bnk.far_repo_urlstringrepo.f5.comFAR image registry URL.
bnk.manifest_versionstring2.3.0-3.2598.3-0.0.170f5-bigip-k8s-manifest chart version.
test.throughput.imagestringnetworkstatic/iperf3:latestiperf3 image.
test.throughput.durationinteger30iperf3 -t (seconds).
test.throughput.streamsinteger8iperf3 -P (parallel streams).
test.throughput.default_modestringnorth-southDefault mode.
test.connectivity.extra_hosts[]string(empty)URLs to probe.
test.dns.resolversmap[string]string(empty)Name → <ip>[:<port>].
test.dns.default_targetstring(empty)Default --target value.
tf_source.typestringembeddedembedded | github | local.
tf_source.repostring(empty)GitHub owner/name; required for github.
tf_source.refstring(empty)Git ref; required for github.
tf_source.pathstring(empty)Local directory; required for local.
cos.instancestring(empty)COS instance name or CRN.
cos.bucketstring(empty)Bucket name.
cos.upload[].sourcestringLocal file path.
cos.upload[].keystringBucket key.
targets.<name>.hoststringSSH host.
targets.<name>.portinteger22SSH port.
targets.<name>.userstringSSH user.
targets.<name>.key_pathstring(empty)PEM file path.
targets.<name>.key_sourcestring(empty)agent | tf-output:<name>.
exec.<tool>.backendstringlocal (varies by tool)local | docker | k8s | ssh:<target>.

Behaviour when fields are missing

roksbnkctl falls through three layers: workspace config → upstream HCL default → fail.

Missing fieldBehaviour
ibmcloud.regionroksbnkctl init prompts; programmatic loads error with “region is empty”.
ibmcloud.resource_groupDefaults to default.
ibmcloud.api_key_sourceResolver walks the full chain (env → keychain → config → prompt).
ibmcloud.api_key_b64Skipped in the resolver chain.
cluster.createDefaults to true.
cluster.nameinit prompts; programmatic loads error.
cluster.openshift_versionEmpty string passed to upstream HCL; the module picks the current default.
cluster.workers_per_zoneFalls through to 1 (upstream HCL default).
bnk.*Each field is omitted from the generated terraform.tfvars and the upstream HCL default applies.
test.throughput.*Coded defaults (30s, 8 streams, networkstatic/iperf3:latest) apply.
test.connectivity.extra_hostsConnectivity probe runs with built-in URLs only.
test.dns.resolvers--server requires a literal IP or host:port.
test.dns.default_target--target becomes required on the command line.
tf_sourceTreated as type: embedded (legacy default).
cosBlock omitted ⇒ no pre-flight uploads; FLO reads whatever’s already in the configured bucket.
targets.*Block absent ⇒ roksbnkctl --on jumphost errors with “no target named jumphost”; auto-populated by up when terraform provisions a jumphost.
exec.*Each tool falls back to its built-in default (typically local; iperf3 is k8s).

How --var-file interacts with config.yaml

roksbnkctl up --var-file <file> layers user-supplied tfvars after the auto-rendered tfvars derived from config.yaml. Later wins, terraform-style. Multiple --var-file flags are accepted and stack in command-line order.

The auto-render path: config.yaml → typed Workspace struct → key/value tfvars → ~/.roksbnkctl/<ws>/state/terraform.tfvars. The user’s --var-file is appended to the terraform invocation as an additional -var-file=<path> argument. See Chapter 13 — Terraform variables for the layering rules.

A workspace-persistent override file is ~/.roksbnkctl/<ws>/terraform.tfvars.user — when present, it’s auto-layered after the rendered tfvars and before any explicit --var-file. Useful for “always pass this bigip_password value when applying this workspace” without putting it in config.yaml (where the plaintext-secret rejection would reject it).

Cross-references