Skip to content

policy-server-asg-syncer job from cf-networking/3.13.0

Github source: 25c9a100 or master branch

Properties

asg_poll_interval_seconds

Interval in seconds that policy-server will poll CAPI for ASG data. Requires asg_sync_enabled. Must be > 0

Default
60

cc_hostname

Host name for the Cloud Controller server for connecting to the non-secure api endpoint. If this value is not provided, policy-server-asg-syncer will obtain the secure api endpoint by consuming the cloud_controller_https_endpoint link. The value supplied to this property must match the value supplied to the Cloud Controller property cc.internal_service_hostname.

Example
cloud-controller-ng.service.cf.internal

cc_internal

client_cert

Client certificate for cloud controller

client_key

Client private key for cloud controller

cc_port

External port of Cloud Controller server for connecting to the non-secure api endpoint. If this value is not provided, policy-server will obtain the secure api port by consuming the cloud_controller_https_endpoint link. The value supplied to this property must match the value supplied to the Cloud Controller property cc.external_port.

Example
9022

database

connect_timeout_seconds

Connection timeout between the policy server and its database.

Default
120

disable

Disable syncing application security groups for dynamic security group updates

Default
false

locket

address

Hostname and port of the Locket server. Must be set when asg_sync_enabled is set to true.

Default
locket.service.cf.internal:8891

ca_cert

The CA certificiate for the CA for Locket.

client_cert

The client certificate for Locket.

client_key

The private key for Locket.

log_level

Logging level (debug, info, warn, error).

Default
info

metron_port

Port of metron agent on localhost. This is used to forward metrics.

Default
3457

retry_deadline_seconds

Maximum amount of time that policy-server-asg-syncer will retry CAPI for when detecting unstable ASG lists

Default
300

skip_ssl_validation

Skip verifying ssl certs when speaking to UAA or Cloud Controller.

Default
false

uaa_ca

Trusted CA for UAA server.

uaa_client

UAA client name. Must match the name of a UAA client with the following properties: authorities: uaa.resource,cloud_controller.admin_read_only, authorities: uaa.resource,cloud_controller.admin_read_only.

Default
network-policy

uaa_client_secret

UAA client secret. Must match the secret of the above UAA client.

uaa_hostname

Host name for the UAA server. E.g. the service advertised via Consul DNS. Must match common name in the UAA server cert. Must be listed in uaa.zones.internal.hostnames.

Default
uaa.service.cf.internal

uaa_port

Port of the UAA server. Must match uaa.ssl.port.

Default
8443

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/policy-server-asg-syncer/ directory (learn more).

  • config/bpm.yml (from bpm.yml.erb)
  • config/certs/cc_ca.crt (from cc_ca.crt.erb)
  • config/certs/cc_internal_ca.crt (from cc_internal_ca.crt.erb)
  • config/certs/cc_internal_client.crt (from cc_internal_client.crt.erb)
  • config/certs/cc_internal_client.key (from cc_internal_client.key.erb)
  • config/certs/database_ca.crt (from database_ca.crt.erb)
  • config/certs/locket.crt (from locket.crt.erb)
  • config/certs/locket.key (from locket.key.erb)
  • config/certs/locket_ca.crt (from locket_ca.crt.erb)
  • config/certs/uaa_ca.crt (from uaa_ca.crt.erb)
  • config/policy-server-asg-syncer.json (from policy-server-asg-syncer.json.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.