policy-server job from cf-networking/1.3.2

Github source: a2222cc or master branch

Properties¶

cf_networking¶

disable¶

Disable container to container networking.

Default

false

enable_space_developer_self_service¶

Allows space developers to always be able to configure policies for the apps they own.

Default

false

max_policies_per_app_source¶

Maximum policies a space developer may configure for an application source. Does not affect admin users.

Default

50

policy_cleanup_interval¶

Clean up stale policies on this interval, in minutes.

Default

60

policy_server¶

ca_cert¶

Trusted CA certificate that was used to sign the vxlan policy agent’s client cert and key.

cc_hostname¶

Host name for the Cloud Controller server. E.g. the service advertised via Consul DNS. Must match cc.internal_service_hostname.

Default

cloud-controller-ng.service.cf.internal

cc_port¶

External port of Cloud Controller server. Must match cc.external_port.

Default

9022

connect_timeout_seconds¶

Connection timeout between the policy server and its database. Also used by Consul DNS health check.

Default

5

database¶

host¶

Host (IP or DNS name) for database server.

name¶

Name of logical database to use.

password¶

Password for database connection.

port¶

Port for database server.

type¶

Type of database: postgres or mysql.

username¶

Username for database connection.

debug_port¶

Port for the debug server. Use this to adjust log level at runtime or dump process stats.

Default

31821

internal_listen_port¶

Port where the policy server will serve its internal API.

Default

4003

listen_ip¶

IP address where the policy server will serve its API.

Default

0.0.0.0

listen_port¶

Port where the policy server will serve its external API.

Default

4002

log_level¶

Logging level (debug, info, warn, error).

Default

info

metron_port¶

Port of metron agent on localhost. This is used to forward metrics.

Default

3457

server_cert¶

Server certificate for TLS. Must have common name that matches the Consul DNS name of the policy server, eg policy-server.service.cf.internal.

server_key¶

Server key for TLS.

skip_ssl_validation¶

Skip verifying ssl certs when speaking to UAA or Cloud Controller.

Default

false

tag_length¶

Length in bytes of the packet tags to generate for policy sources and destinations. Must be greater than 0 and less than or equal to 4. If using VXLAN GBP, must be less than or equal to 2.

Default

2

uaa_ca¶

Trusted CA for UAA server.

uaa_client¶

UAA client name. Must match the name of a UAA client with the following properties: authorities: uaa.resource,cloud_controller.admin_read_only, authorities: uaa.resource,cloud_controller.admin_read_only.”

Default

network-policy

uaa_client_secret¶

UAA client secret. Must match the secret of the above UAA client.

uaa_hostname¶

Host name for the UAA server. E.g. the service advertised via Consul DNS. Must match common name in the UAA server cert. Must be listed in uaa.zones.internal.hostnames.

Default

uaa.service.cf.internal

uaa_port¶

Port of the UAA server. Must match uaa.ssl.port.

Default

8443

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/policy-server/ directory (learn more).

• bin/dns_health_check (from dns_health_check.erb)
• bin/policy-server_as_vcap (from policy-server_as_vcap.erb)
• bin/policy-server_ctl (from policy-server_ctl.erb)
• bin/pre-start (from pre-start.erb)
• config/certs/ca.crt (from ca.crt.erb)
• config/certs/server.crt (from server.crt.erb)
• config/certs/server.key (from server.key.erb)
• config/certs/uaa_ca.crt (from uaa_ca.crt.erb)
• config/policy-server.json (from policy-server.json.erb)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

• ctl-utils
• policy-server