cloud_controller_ng job from capi/1.172.0

The Cloud Controller provides primary Cloud Foundry API that is by the CF CLI. The Cloud Controller uses a database to keep tables for organizations, spaces, apps, services, service instances, user roles, and more. Typically multiple instances of Cloud Controller are load balanced.

Github source: 1ebef650 or master branch

Properties¶

app_domains¶

Array of domain hashes for user apps (example: ‘user.app.space.foo’, a user app called ‘neat’ will listen at ‘http://neat.user.app.space.foo'). Domains specified as internal should be listed last to avoid interfering with default domain selection by old CLI versions.

Example

|+
  - name: example.com
  - name: tcp.example.com
    router_group_name: default-tcp
  - name: example.internal
    internal: true

app_ssh¶

host_key_fingerprint¶

Fingerprint of the host key of the SSH proxy that brokers connections to application instances. Supported fingerprint formats: SHA256 (recommended), SHA1 and MD5 Example fingerprints by format: SHA256: 0KmvfcwFCnwQRviOJEwZtnz5qoi76BVb8dm3/vgilCI SHA1: b8:80:2c:8c:d7:25:ad:2a:b4:8c:02:34:52:06:f7:ba:1f:0d:02:de MD5: d2:d6:b9:d7:f9:c4:15:70:de:af:c7:36:88:3a:60:12

oauth_client_id¶

The oauth client ID of the SSH proxy

Default

ssh-proxy

port¶

External port for SSH access to application instances

Default

2222

build¶

‘build’ attribute in the /v2/info endpoint

Default

""

cc¶

allow_app_ssh_access¶

Allow users to change the value of the app-level allow_ssh attribute

Default

true

allowed_cors_domains¶

List of domains (including scheme) from which Cross-Origin requests will be accepted, a * can be used as a wildcard for any part of a domain

Default

[]

api_health_check_timeout_per_retry¶

Maximum health check timeout (in seconds) for each retry attempt in the Cloud Controller’s route registration health check

Default

2

api_health_check_total_timeout¶

Maximum health check timeout (in seconds). Health checks will be retried until this time limit is reached. This should be less than or equal to your route_registrar.routes.api.health_check.timeout

Default

6

api_post_start_healthcheck_timeout_in_seconds¶

Maximum time (in seconds) for cloud_controller_ng to report healthy

Default

60

app_bits_max_body_size¶

Maximum body size for nginx bits uploads

Default

2048M

app_bits_upload_grace_period_in_seconds¶

Extra token expiry time while uploading big apps

Default

1200

broker_client_async_poll_exponential_backoff_rate¶

Exponential backoff for service related polling jobs. Default is 1.0, which means there is no exponential backoff.

Default

1

broker_client_default_async_poll_interval_seconds¶

Specifies interval on which the CC will poll a service broker for asynchronous actions. If the service broker provides a value, this value is the minimum accepted value the broker can provide.

Default

60

broker_client_max_async_poll_duration_minutes¶

The max duration the CC will fetch service instance state from a service broker (in minutes). Default is 1 week

Default

10080

broker_client_response_parser¶

log_errors¶

Log errors happening when parsing service broker responses.

Default

false

log_response_fields¶

Specify service broker response fields to be logged. This configuration is a hash, where the key indicates the request type and the value is a list of fields in the response JSON that should be logged. The following request types exist: catalog, provision, update, deprovision, bind, unbind, fetch_service_instance_last_operation, fetch_service_binding_last_operation, fetch_service_instance, fetch_service_binding. The corresponding response fields can be taken from the Open Service Broker API Specification.

Default

{}

log_validators¶

Log the stack of validators used to process the service broker response, e.g. for a 202 response to a ‘provision’ request, the following is logged: [“CommonErrorValidator”, “JsonSchemaValidator[provision_response_schema]“, “SuccessValidator[in progress]“]

Default

false

broker_client_timeout_seconds¶

For requests to service brokers, this is the HTTP (open and read) timeout setting.

Default

60

buildpacks¶

blobstore_type¶

The type of blobstore backing to use. Valid values: [‘fog’, ‘webdav’]

Default

fog

buildpack_directory_key¶

Directory (bucket) used store buildpacks. It does not have be pre-created. Should contain only alphanumeric characters, ‘-’, ‘_‘, and ‘.’

Default

cc-buildpacks

cdn¶

key_pair_id¶

Key pair name for signed download URIs

Default

""

private_key¶

Private key for signing download URIs

Default

""

uri¶

URI for a CDN to used for buildpack downloads

Default

""

fog_aws_storage_options¶

Storage options passed to fog for aws blobstores. See http://docs.cloudfoundry.org/deploying/common/cc-blobstore-config.html#fog-aws-sse for example configuration.

Default

{}

fog_connection¶

Fog connection hash

fog_gcp_storage_options¶

Storage options passed to fog for gcp blobstores

Default

{}

webdav_config¶

blobstore_timeout¶

The timeout in seconds for requests to the blobstore

Default

5

ca_cert¶

The ca cert to use when communicating with webdav

Default

""

password¶

The basic auth password that CC uses to connect to the admin endpoint on webdav

Default

""

private_endpoint¶

The location of the webdav server eg: https://blobstore.internal

Default

https://blobstore.service.cf.internal:4443

public_endpoint¶

The location of the webdav server eg: https://blobstore.com

Default

""

username¶

The basic auth user that CC uses to connect to the admin endpoint on webdav

Default

""

ccng_monit_http_healthcheck_retries¶

Number of retries performed by the ccng_monit_http_healthcheck process

Default

5

ccng_monit_http_healthcheck_timeout_per_retry¶

The amount of time in seconds to wait before an HTTP request from the Cloud Controller monit health check is closed

Default

2

client_max_body_size¶

Maximum body size for nginx

Default

15M

core_file_pattern¶

Filename template for core dump files. Use an empty string if you don’t want core files saved.

Default

/var/vcap/sys/cores/core-%e-%s-%p-%t

cpu_weight_max_memory¶

The default maximum application instance memory used for the CPU weight calculation

Default

8192

cpu_weight_min_memory¶

The default minimum application instance memory used for the CPU weight calculation

Default

128

credential_references¶

interpolate_service_bindings¶

Controls whether CredHub credentials are automatically interpolated in VCAP_SERVICES

Default

true

custom_metric_tag_prefix_list¶

Allows users to apply custom metric tags to their apps by adding labels with the given key prefixes. The following key names are ignored: deployment, index, ip, job

Default

- metric.tag.cloudfoundry.org

database_encryption¶

current_key_label¶

current key label for encrypting values in the CC database

Default

""

experimental_pbkdf2_hmac_iterations¶

Number of pbkdf2 hmac iterations (experimental)

Default

2048

keys¶

label-key pairs for encrypting sensitive values in the CC database; labels must be < 256 characters long

Default

{}

skip_validation¶

Skip validations of database encryption properties

Default

false

db_encryption_key¶

key for encrypting sensitive values in the CC database

Default

""

db_logging_level¶

Level at which cc database operations will be logged if cc.log_db_queries is set to true.

Default

debug2

default_app_disk_in_mb¶

The default disk space an app gets

Default

1024

default_app_log_rate_limit_in_bytes_per_second¶

Default application log rate limit

Default

-1

default_app_memory¶

How much memory given to an app if not specified

Default

1024

default_app_ssh_access¶

When ssh is allowed and not explicitly set in the application, new applications will start with ssh service enabled

Default

true

default_health_check_timeout¶

Default health check timeout (in seconds) that can be set for the app

Default

60

default_quota_definition¶

The name of the quota definition CC will fallback on for org and space limits from the list of quota definitions.

Default

default

default_running_security_groups¶

The default running security groups that will be seeded in CloudController. Note: security groups are only seeded on the first deploy, after which they should be managed via the API

default_stack¶

The default stack to use if no custom stack is specified for an app.

Default

cflinuxfs4

default_staging_security_groups¶

The default staging security groups that will be seeded in CloudController. Note: security groups are only seeded on the first deploy, after which they should be managed via the API

development_mode¶

Enable development features for monitoring and insight

Default

false

diego¶

bbs¶

connect_timeout¶

Connect timeout (in seconds) when talking to BBS Server

Default

10

receive_timeout¶

Receive timeout (in seconds) when talking to BBS Server

Default

10

send_timeout¶

Send timeout (in seconds) when talking to BBS Server

Default

10

url¶

URL of the BBS Server

Default

https://bbs.service.cf.internal:8889

cc_uploader_https_url¶

URL of cc uploader. Not used if BOSH link ‘cc_uploader’ is present.

Default

https://cc-uploader.service.cf.internal:9091

cc_uploader_url¶

URL of cc uploader. Not used if BOSH link ‘cc_uploader’ is present.

Default

http://cc-uploader.service.cf.internal:9090

docker_staging_stack¶

stack to use for staging Docker applications

Default

cflinuxfs4

droplet_destinations¶

List of destination directories for different stacks

Default

  cflinuxfs4: /home/vcap
  windows: /Users/vcap
  windows2012R2: /
  windows2016: /Users/vcap

enable_declarative_asset_downloads¶

Enable specifying task and app asset downloads as declarative resources

Default

false

file_server_url¶

URL of file server

Default

http://file-server.service.cf.internal:8080

insecure_docker_registry_list¶

An array of insecure Docker registries in the form of :PORT

Default

[]

lifecycle_bundles¶

List of lifecycle bundles arguments for different stacks

Default

  buildpack/cflinuxfs4: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
  buildpack/windows: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
  buildpack/windows2012R2: windows_app_lifecycle/windows_app_lifecycle.tgz
  buildpack/windows2016: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
  docker: docker_app_lifecycle/docker_app_lifecycle.tgz

pid_limit¶

Maximum pid limit for containerized work running user-provided code

Default

1024

temporary_oci_buildpack_mode¶

Temporary flag to enable OCI buildpack flow. Valid values: ‘oci-phase-1’

use_privileged_containers_for_running¶

Whether or not to use privileged containers for running buildpack apps and tasks.

Default

false

use_privileged_containers_for_staging¶

Whether or not to use privileged containers for staging tasks.

Default

false

directories¶

diagnostics¶

The directory where operator requested diagnostic files should be placed

Default

/var/vcap/data/cloud_controller_ng/diagnostics

tmpdir¶

The directory to use for temporary files

Default

/var/vcap/data/cloud_controller_ng/tmp

disable_custom_buildpacks¶

Disable external (i.e. git) buildpacks? (Admin buildpacks and system buildpacks only.)

Default

false

disable_private_domain_cross_space_context_path_route_sharing¶

Disallow route collisions over shared private domains when created in different spaces

Default

false

droplets¶

blobstore_type¶

The type of blobstore backing to use. Valid values: [‘fog’, ‘webdav’]

Default

fog

cdn¶

key_pair_id¶

Key pair name for signed download URIs

Default

""

private_key¶

Private key for signing download URIs

Default

""

uri¶

URI for a CDN to used for droplet downloads

Default

""

droplet_directory_key¶

Directory (bucket) used store droplets. It does not have be pre-created. Should contain only alphanumeric characters, ‘-’, ‘_‘, and ‘.’

Default

cc-droplets

fog_aws_storage_options¶

Storage options passed to fog for aws blobstores. See http://docs.cloudfoundry.org/deploying/common/cc-blobstore-config.html#fog-aws-sse for example configuration.

Default

{}

fog_connection¶

Fog connection hash

fog_gcp_storage_options¶

Storage options passed to fog for gcp blobstores

Default

{}

max_staged_droplets_stored¶

Number of recent, staged droplets stored per app (not including current droplet)

Default

5

webdav_config¶

blobstore_timeout¶

The timeout in seconds for requests to the blobstore

Default

5

ca_cert¶

The ca cert to use when communicating with webdav

Default

""

password¶

The basic auth password that CC uses to connect to the admin endpoint on webdav

Default

""

private_endpoint¶

The location of the webdav server eg: https://blobstore.internal

Default

https://blobstore.service.cf.internal:4443

public_endpoint¶

The location of the webdav server eg: https://blobstore.com

Default

""

username¶

The basic auth user that CC uses to connect to the admin endpoint on webdav

Default

""

enable_statsd_metrics¶

Use statsd metrics on api vms.

Default

true

experimental¶

thin_server¶

thread_pool_size¶

How many threads a single cloud controller instance’s thin server will attempt to use. Alter at your own peril.

Default

20

use_jemalloc_memory_allocator¶

Enables jemalloc rather than malloc for Cloud Controller API servers and workers; however, it’s experimental and not typically recommended, so review its pros and cons before use.

Default

false

use_puma_webserver¶

Use Puma in place of Thin as the webserver. This may increase performance as Puma forks Cloud Controller processes to avoid relying on threads

Default

false

use_redis¶

Use co-deployed Redis for rate limiting and metrics. If the Puma webserver is enabled, Redis will automatically be used.

Default

false

use_yjit_compiler¶

Use Ruby’s YJIT compiler when running Cloud Controller API servers and workers. This feature is experimental and not recommended. Please review the drawbacks and benefits of YJIT before enabling.

Default

false

external_host¶

Host part of the cloud_controller API URI, will be joined with value of ‘domain’

Default

api

external_port¶

External Cloud Controller port

Default

9022

external_protocol¶

The protocol used to access the CC API from an external entity

Default

https

info¶

custom¶

Custom attribute keys and values for /v2/info endpoint

install_buildpacks¶

Set of buildpacks to install during deploy

Default

[]

instance_file_descriptor_limit¶

The file descriptors made available to each app instance

Default

16384

internal_route_vip_range¶

The IPv4 CIDR range of virtual IP addresses to be assigned to routes on internal domains. WARNING: Changing this range is not supported, and has undefined behaviors. It is recommended to leave this value as the default. If this range is changed, it is likely the routes on the internal service mesh domain will need to be recreated.

Default

127.128.0.0/9

internal_service_hostname¶

Internal hostname used to resolve the address of the Cloud Controller

Default

cloud-controller-ng.service.cf.internal

jobs¶

blobstore_delete¶

timeout_in_seconds¶

The longest this job can take before it is cancelled

droplet_upload¶

timeout_in_seconds¶

The longest this job can take before it is cancelled

global¶

timeout_in_seconds¶

The longest any job can take before it is cancelled unless overridden per job

Default

14400

local¶

number_of_workers¶

Number of local cloud_controller_worker workers

Default

2

priorities¶

List of hashes containing delayed jobs ‘display_name’ and its desired priority. This will overwrite the default priority of ccng

legacy_md5_buildpack_paths_enabled¶

Enable legacy MD5 buildpack paths. If disabled, xxhash64 is used for calculating paths in buildpack image layers.

Default

true

log_audit_events¶

Log audit events

Default

true

log_db_queries¶

Log database queries. WARNING: Setting this to true with cc.db_logging_level >= cc.logging_level will log all field values, including encrypted secrets.

Default

false

log_fog_requests¶

Log fog requests and responses.

Default

false

logcache¶

host¶

Hostname of the Logcache server

Default

doppler.service.cf.internal

port¶

Port of the Logcache server

Default

8080

logcache_tls¶

certificate¶

PEM-encoded client certificate for connecting to Log Cache via mTLS

private_key¶

Private key for connecting to Log Cache via mTLS

subject_name¶

The host name the client will accept on the server certificate when communicating with Log Cache via mTLS

Default

log_cache

logging¶

format¶

timestamp¶

Timestamp format for logs. Valid values are ‘rfc3339’ (for human-readable timestamp format) and ‘deprecated’ (for old timestamp format)

Default

rfc3339

logging_anonymize_ips¶

Anonymizes IPs in request logs

Default

false

logging_level¶

Log level for cc. Valid levels are listed here: https://github.com/cloudfoundry/steno#log-levels.

Default

info

logging_max_retries¶

Passthru value for Steno logger

Default

1

loggregator¶

internal_url¶

Internal URL used to communicate with traffic_controller

Default

http://loggregator-trafficcontroller.service.cf.internal:8081

max_annotations_per_resource¶

Maximum number of annotations allowed on any single resource. Too many annotations may degrade performance of annotation selectors.

Default

200

max_concurrent_service_broker_requests¶

Maximum number of concurrent requests to service brokers per user. Set to 0 to not limit concurrent requests

Default

0

max_labels_per_resource¶

Maximum number of labels allowed on any single resource. Too many labels may degrade performance of label selectors.

Default

50

maximum_app_disk_in_mb¶

The maximum amount of disk a user can request

Default

2048

maximum_health_check_timeout¶

Maximum health check timeout (in seconds) that can be set for the app

Default

180

min_cli_version¶

Minimum version of the CF CLI to work with the API.

min_recommended_cli_version¶

Minimum recommended version of the CF CLI.

mutual_tls¶

ca_cert¶

PEM-encoded CA certificate for secure, mutually authenticated TLS communication

private_key¶

PEM-encoded key for secure, mutually authenticated TLS communication

public_cert¶

PEM-encoded certificate for secure, mutually authenticated TLS communication

newrelic¶

capture_params¶

Capture and send query params to NewRelic

Default

false

developer_mode¶

Activate NewRelic developer mode

Default

false

environment_name¶

The environment name used by NewRelic

Default

development

license_key¶

The API key for NewRelic

log_file_path¶

The location for NewRelic to log to

Default

/var/vcap/sys/log/cloud_controller_ng/newrelic

monitor_mode¶

Activate NewRelic monitor mode

Default

false

transaction_tracer¶

enabled¶

Enable transaction tracing in NewRelic

Default

false

record_sql¶

NewRelic’s SQL statement recording mode: [off | obfuscated | raw]

Default

"off"

nginx¶

ip¶

IP address for nginx

Default

""

nginx_access_log_destination¶

The nginx access log destination. This can be used to route access logs to a file, syslog, or a memory buffer.

Default

/var/vcap/sys/log/nginx_cc/nginx.access.log

nginx_access_log_escaping¶

The characters escaping used for logging variables: [default | json]

Default

default

nginx_access_log_format¶

The nginx log format string to use when writing to the access log.

Default

  |+
    $host - [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" $proxy_add_x_forwarded_for vcap_request_id:$upstream_http_x_vcap_request_id response_time:$upstream_response_time

nginx_drain_timeout¶

Timeout for nginx graceful shutdown in seconds. Default is 30

Default

30

nginx_error_log_destination¶

The nginx error log destination. This can be used to route error logs to a file, syslog, or a memory buffer.

Default

/var/vcap/sys/log/nginx_cc/nginx.error.log

nginx_error_log_level¶

The lowest severity nginx log level to capture in the error log.

Default

error

nginx_rate_limit_general¶

The rate limiting and burst value to use for ‘/’

Example

|+
  limit: 100r/s
  burst: 500

nginx_rate_limit_zones¶

Array of zones to do rate limiting for.

Example

|+
  - name: apps
    location: /v2/apps
    limit: 10r/s
    burst: 50
  - name: spaces
    location: ~ ^/v2/spaces/(.*)
    limit: 10r/s
    burst: 100

packages¶

app_package_directory_key¶

Directory (bucket) used store app packages. It does not have be pre-created. Should contain only alphanumeric characters, ‘-’, ‘_‘, and ‘.’

Default

cc-packages

blobstore_type¶

The type of blobstore backing to use. Valid values: [‘fog’, ‘webdav’]

Default

fog

cdn¶

key_pair_id¶

Key pair name for signed download URIs

Default

""

private_key¶

Private key for signing download URIs

Default

""

uri¶

URI for a CDN to used for app package downloads

Default

""

fog_aws_storage_options¶

Storage options passed to fog for aws blobstores. See http://docs.cloudfoundry.org/deploying/common/cc-blobstore-config.html#fog-aws-sse for example configuration.

Default

{}

fog_connection¶

Fog connection hash

fog_gcp_storage_options¶

Storage options passed to fog for gcp blobstores

Default

{}

max_package_size¶

Maximum size of application package

Default

1.073741824e+09

max_valid_packages_stored¶

Number of recent, valid packages stored per app (not including package for current droplet)

Default

5

webdav_config¶

blobstore_timeout¶

The timeout in seconds for requests to the blobstore

Default

5

ca_cert¶

The ca cert to use when communicating with webdav

Default

""

password¶

The basic auth password that CC uses to connect to the admin endpoint on webdav

Default

""

private_endpoint¶

The location of the webdav server eg: https://blobstore.internal

Default

https://blobstore.service.cf.internal:4443

public_endpoint¶

The location of the webdav server eg: https://blobstore.com

Default

""

username¶

The basic auth user that CC uses to connect to the admin endpoint on webdav

Default

""

post_bbr_healthcheck_timeout_in_seconds¶

Maximum time (in seconds) for cloud_controller_ng to report healthy in backup and restore unlock

Default

60

prom_metrics_server_tls_port¶

Port for internal TLS communication with prom_scraper

Default

9025

prom_scraper¶

disabled¶

When set to true, the prom_scraper job won’t scrape the Cloud Controller’s metrics. Use this if you have another scraper in place and to prevent scraping metrics twice.

Default

false

prom_scraper_tls¶

ca_cert¶

PEM-encoded CA certificate for secure, mutually authenticated TLS communication with prom_scraper

private_key¶

PEM-encoded key for secure, mutually authenticated TLS communication with prom_scraper

public_cert¶

PEM-encoded certificate for secure, mutually authenticated TLS communication with prom_scraper

public_tls¶

ca_cert¶

PEM-encoded CA certificate that was used to sign certificate for external enpoints. This CA certificate is not used by cloud controller to verify other certificates. It is exposed as a bosh link for components that communicate directly with the cloud controller.

certificate¶

PEM-encoded certificate for secure TLS communication over external endpoints

port¶

Port for TLS with gorouter

Default

9024

private_key¶

PEM-encoded key for secure TLS communication over external endpoints

puma¶

max_db_connections_per_process¶

Maximum database connections for Puma per process (main + Puma workers), if not set the ccng value is used (default)

max_threads¶

Maximum number of threads per Puma webserver worker.

Default

2

workers¶

Number of workers for Puma webserver.

Default

3

query_size_log_threshold¶

Log when SQL queries return more than this number of rows if cc.log_db_queries is set to true

Example

1000

quota_definitions¶

Hash of default quota definitions to be seeded. This property can be used to add quotas with subsequent deploys, but not to update existing ones.

Default

  default:
    memory_limit: 102400
    non_basic_services_allowed: true
    total_reserved_route_ports: 100
    total_routes: 1000
    total_services: -1

rate_limiter¶

enabled¶

Use rate limiting for UAA-authenticated endpoints per user or client

Default

false

general_limit¶

The number of requests that a user or client is allowed to make over an hour-long interval for all endpoints that do not have a custom limit

Default

2000

reset_interval_in_minutes¶

The interval in minutes after which a user’s available API requests will be reset

Default

60

unauthenticated_limit¶

The number of requests that an unauthenticated client is allowed to make over an hour-long interval

Default

100

rate_limiter_v2_api¶

admin_limit¶

The number of requests an admin user or client is allowed to make for v2/* endpoints over the configured interval

Default

2000

enabled¶

Enable rate limiting for UAA-authenticated V2 API (v2/*, except v2/info) endpoints per user or client

Default

false

general_limit¶

The number of requests a user or client is allowed to make for v2/* endpoints that do not have a custom limit over the configured interval

Default

2000

reset_interval_in_minutes¶

The interval in minutes after which a user’s available V2 API requests will be reset

Default

60

renderer¶

default_results_per_page¶

Default number of results returned per page if user does not specify

Default

50

max_inline_relations_depth¶

Maximum depth of inlined relationships in the result

Default

2

max_results_per_page¶

Maximum number of results returned per page

Default

100

max_total_results¶

Maximum number of total results (page * per_page)

reserved_private_domains¶

File location of a list of reserved private domains (for file format, see https://publicsuffix.org/)

resource_pool¶

blobstore_type¶

The type of blobstore backing to use. Valid values: [‘fog’, ‘webdav’]

Default

fog

cdn¶

key_pair_id¶

Key pair name for signed download URIs

Default

""

private_key¶

Private key for signing download URIs

Default

""

uri¶

URI for a CDN to used for resource pool downloads

Default

""

fog_aws_storage_options¶

Storage options passed to fog for aws blobstores. See http://docs.cloudfoundry.org/deploying/common/cc-blobstore-config.html#fog-aws-sse for example configuration.

Default

{}

fog_connection¶

Fog connection hash

fog_gcp_storage_options¶

Storage options passed to fog for gcp blobstores

Default

{}

maximum_size¶

Maximum size of a resource to add to the pool

Default

5.36870912e+08

minimum_size¶

Minimum size of a resource to add to the pool

Default

65536

resource_directory_key¶

Directory (bucket) used store app resources. It does not have be pre-created.

Default

cc-resources

webdav_config¶

blobstore_timeout¶

The timeout in seconds for requests to the blobstore

Default

5

ca_cert¶

The ca cert to use when communicating with webdav

Default

""

password¶

The basic auth password that CC uses to connect to the admin endpoint on webdav

Default

""

private_endpoint¶

The location of the webdav server eg: https://blobstore.internal

Default

https://blobstore.service.cf.internal:4443

public_endpoint¶

The location of the webdav server eg: https://blobstore.com

Default

""

username¶

The basic auth user that CC uses to connect to the admin endpoint on webdav

Default

""

run_prestart_migrations¶

Run Cloud Controller DB migrations in BOSH pre-start script. Should be changed to false for deployments where the PostgreSQL job is deployed to the same VM as Cloud Controller. Otherwise, the default of true is preferable.

Default

true

security_event_logging¶

enabled¶

Enable logging of all requests made to the Cloud Controller in CEF format.

Default

false

security_group_definitions¶

Array of security groups that will be seeded into CloudController. Note: security groups are only seeded on the first deploy, after which they should be managed via the API

server_keepalive_timeout¶

Configure keep alive timeout for connections to cloud controller. This is a temporary field used for testing.

Default

75

shared_isolation_segment_name¶

Name of the shared isolation segment created at startup. This field can be updated, but subject to the following caveat: Using the name of an existing IS will cause a deployment to fail. To recover, redeploy using the last valid Shared Isolation Segment name.

Default

shared

stacks¶

List of hashes describing stacks intended for developers to choose from when pushing apps. A stack is a prebuilt root file system (rootfs) that supports a specific operating system. Note: removing items in this list will not remove the records in the Cloud Controller’s database.

Default

  - description: Cloud Foundry Linux-based filesystem (Ubuntu 22.04)
    name: cflinuxfs4

staging_file_descriptor_limit¶

File descriptor limit for staging tasks

Default

16384

staging_timeout_in_seconds¶

Timeout for staging a droplet

Default

900

staging_upload_password¶

User’s password used to access internal endpoints of Cloud Controller to upload files when staging

staging_upload_user¶

User name used to access internal endpoints of Cloud Controller to upload files when staging

statsd_host¶

The host for the statsd server, defaults to the local metron agent

Default

127.0.0.1

statsd_port¶

The port for the statsd server, defaults to the local metron agent

Default

8125

system_hostnames¶

List of hostnames for which routes cannot be created on the system domain.

Default

  - api
  - proxy
  - uaa
  - login
  - blobstore
  - log-cache
  - doppler
  - log-stream
  - credhub
  - ssh

telemetry_logging_enabled¶

Enable telemetry logging.

Default

true

temporary_disable_deployments¶

Do not allow the API client to create app deployments (temporary)

Default

false

temporary_enable_v2¶

Enable V2 endpoints

Default

true

thresholds¶

api¶

alert_if_above_mb¶

The cc will alert if memory remains above this threshold for 3 monit cycles

Default

3500

restart_if_above_mb¶

The cc will restart if memory remains above this threshold for 3 monit cycles

Default

3750

restart_if_consistently_above_mb¶

The cc will restart if memory remains above this threshold for n monit cycles

Default

3500

restart_if_consistently_above_mb_cycles¶

Monit cycles for ‘restart_if_consistently_above_mb’. Default is 15 cycles

Default

15

restart_if_monit_connection_test_consistently_fails_cycles¶

Number of monit cycles until a failing unixsocket test triggers a restart. Default is 60 cycles (i.e. 10 minutes)

Default

60

tls_port¶

Port for internal TLS communication

Default

9023

uaa¶

client_timeout¶

The value, in seconds, used for all timeout values when communicating with UAA

Default

60

internal_url¶

The internal URL used by UAA

Default

uaa.service.cf.internal

uaa_resource_id¶

Name of service to register to UAA

Default

cloud_controller,cloud_controller_service_permissions

update_metric_tags_on_rename¶

Enable sending a Desired LRP update when an app is renamed

Default

true

volume_services_enabled¶

Enable binding to services that provide volume_mount information.

Default

false

ccdb¶

address¶

The address of the database server

ca_cert¶

The ca cert to use when communicating with the database over SSL

connection_expiration_random_delay¶

The random delay in seconds to the expiration timeout (to prevent all connections being recreated simultaneously), passed directly to the Sequel gem - see https://sequel.jeremyevans.net/rdoc-plugins/files/lib/sequel/extensions/connection_expiration_rb.html for details

connection_expiration_timeout¶

The period in seconds after which connections are expired (omit to never expire connections), passed directly to the Sequel gem - see https://sequel.jeremyevans.net/rdoc-plugins/files/lib/sequel/extensions/connection_expiration_rb.html for details

connection_validation_timeout¶

The period in seconds after which idle connections are validated, passed directly to the Sequel gem - see http://sequel.jeremyevans.net/rdoc-plugins/files/lib/sequel/extensions/connection_validator_rb.html for details. Note that setting this to -1 results in an additional query whenever connections are checked out from the pool, which can have performance implications

Default

3600

databases¶

Contains the name of the database on the database server

db_scheme¶

The type of database being used. mysql or postgres

Default

postgres

max_connections¶

Maximum connections for Sequel

Default

25

max_connections_per_local_worker¶

Maximum database connections per cc local worker, if not set the ccng value is used (default)

max_migration_duration_in_minutes¶

the maximum time migrations should be allowed to run before job startup should error

Default

20160

pool_timeout¶

The timeout for Sequel pooled connections

Default

10

port¶

The port of the database server

read_timeout¶

The read timeout in seconds for query responses, passed directly to the Sequel gem - see https://github.com/jeremyevans/sequel/blob/master/doc/opening_databases.rdoc for details

Default

3600

roles¶

Users to create on the database when seeding

ssl_verify_hostname¶

Verify that the database SSL certificate matches the host to which the connection is attempted

Default

true

credhub_api¶

ca_cert¶

The certificate authority being used by CredHub

external_url¶

The external address of CredHub to expose at the ‘/’ endpoint

hostname¶

Hostname used to resolve the address of CredHub

Default

credhub.service.cf.internal

dea_next¶

advertise_interval_in_seconds¶

Advertise interval for DEAs

Default

5

staging_disk_limit_mb¶

Disk limit in MB for staging tasks

Default

4096

staging_memory_limit_mb¶

Memory limit in MB for staging tasks

Default

1024

description¶

‘description’ attribute in the /v2/info endpoint

Default

""

doppler¶

port¶

Port for doppler_logging_endpoint listed at /v2/info

Default

443

use_ssl¶

Whether to use ssl for the doppler_logging_endpoint listed at /v2/info

Default

true

login¶

enabled¶

whether use login as the authorization endpoint or not

Default

true

protocol¶

http or https

Default

https

url¶

URL of the login server

metron_endpoint¶

host¶

The host used to emit messages to the Metron agent

Default

127.0.0.1

port¶

The port used to emit messages to the Metron agent

Default

3457

name¶

‘name’ attribute in the /v2/info endpoint

Default

""

nfs_server¶

address¶

NFS server for droplets and apps (not used in an AWS deploy, use s3 instead)

release_level_backup¶

Include cloud_controller jobs in backup and restore operations

Default

true

request_timeout_in_seconds¶

Timeout for requests in seconds.

Default

900

router¶

route_services_secret¶

Support for route services is disabled when no value is configured.

Default

""

routing_api¶

enabled¶

Whether to expose the routing_endpoint listed at /v2/info and /. Enable this after deploying the Routing API

Default

false

ssl¶

skip_cert_verify¶

specifies that the job is allowed to skip ssl cert verification

Default

false

support_address¶

‘support’ attribute in the /v2/info endpoint

Default

""

system_domain¶

Domain reserved for CF operator, base URL where the login, uaa, and other non-user apps listen

system_domain_organization¶

An organization that will be created as part of the seeding process. When the system_domain is not shared with (in the list of) app_domains, this is required as the system_domain will be created as a PrivateDomain in this organization.

Default

system

temporary_disable_non_tls_endpoints¶

nginx_cc and cc_uploader components disable non-TLS endpoints

Default

false

uaa¶

ca_cert¶

The certificate authority being used by UAA

cc¶

token_secret¶

Symmetric secret used to decode uaa tokens.

token_secret2¶

Second Symmetric secret used to decode uaa tokens. Used for secret rotation.

clients¶

cc-service-dashboards¶

scope¶

Used to grant scope for SSO clients for service brokers

Default

openid,cloud_controller_service_permissions.read

secret¶

Used for generating SSO clients for service brokers.

cc_routing¶

secret¶

Used for fetching routing information from the Routing API

cc_service_key_client¶

secret¶

Used for fetching service key values from CredHub

cloud_controller_username_lookup¶

secret¶

Used for fetching usernames from UAA

port¶

The port used by UAA for non-ssl connections

ssl¶

port¶

The port used by UAA for ssl connections

Default

8443

url¶

URL of the UAA server

version¶

‘version’ attribute in the /v2/info endpoint

Default

0

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/cloud_controller_ng/ directory (learn more).

• bin/bbr/post-backup-unlock (from post-backup-unlock.sh.erb)
• bin/bbr/post-restore-unlock (from post-restore-unlock.sh.erb)
• bin/bbr/pre-backup-lock (from pre-backup-lock.sh.erb)
• bin/bbr/pre-restore-lock (from pre-restore-lock.sh.erb)
• bin/blobstore_waiter.sh (from blobstore_waiter.sh.erb)
• bin/ccng_monit_http_healthcheck (from ccng_monit_http_healthcheck.sh.erb)
• bin/cloud_controller_ng (from bin/cloud_controller_ng.erb)
• bin/cloud_controller_ng_health_check (from cloud_controller_api_health_check.erb)
• bin/console (from console.erb)
• bin/dns/healthy (from bin/dns/healthy.sh.erb)
• bin/dns_health_check (from dns_health_check.erb)
• bin/drain (from drain.sh.erb)
• bin/local_worker (from bin/local_worker.erb)
• bin/migrate_db (from migrate_db.sh.erb)
• bin/nginx_newrelic_plugin (from bin/nginx_newrelic_plugin.erb)
• bin/perform_blobstore_benchmarks (from perform_blobstore_benchmarks.erb)
• bin/post-start (from post-start.sh.erb)
• bin/pre-start (from pre-start.sh.erb)
• bin/restart_drain (from restart_drain.sh.erb)
• bin/ruby_version.sh (from ruby_version.sh.erb)
• bin/seed_db (from seed_db.sh.erb)
• bin/setup_local_blobstore.sh (from setup_local_blobstore.sh.erb)
• bin/shutdown_drain (from shutdown_drain.rb.erb)
• bin/validate_encryption_keys (from validate_encryption_keys.sh.erb)
• config/bpm.yml (from bpm.yml.erb)
• config/certs/buildpacks_ca_cert.pem (from buildpacks_ca_cert.pem.erb)
• config/certs/credhub_ca.crt (from credhub_ca.crt.erb)
• config/certs/db_ca.crt (from db_ca.crt.erb)
• config/certs/droplets_ca_cert.pem (from droplets_ca_cert.pem.erb)
• config/certs/logcache_tls.crt (from logcache_tls.crt.erb)
• config/certs/logcache_tls.key (from logcache_tls.key.erb)
• config/certs/logcache_tls_ca.crt (from logcache_tls_ca.crt.erb)
• config/certs/mutual_tls.crt (from mutual_tls.crt.erb)
• config/certs/mutual_tls.key (from mutual_tls.key.erb)
• config/certs/mutual_tls_ca.crt (from mutual_tls_ca.crt.erb)
• config/certs/packages_ca_cert.pem (from packages_ca_cert.pem.erb)
• config/certs/public_tls.crt (from public_tls.crt.erb)
• config/certs/public_tls.key (from public_tls.key.erb)
• config/certs/resource_pool_ca_cert.pem (from resource_pool_ca_cert.pem.erb)
• config/certs/scrape.crt (from scrape.crt.erb)
• config/certs/scrape.key (from scrape.key.erb)
• config/certs/scrape_ca.crt (from scrape_ca.crt.erb)
• config/certs/uaa_ca.crt (from uaa_ca.crt.erb)
• config/cloud_controller_local_worker_override.yml (from cloud_controller_local_worker_override.yml.erb)
• config/cloud_controller_ng.yml (from cloud_controller_ng.yml.erb)
• config/local_blobstore_downloads.conf (from local_blobstore_downloads.conf.erb)
• config/mime.types (from mime.types)
• config/newrelic.yml (from newrelic.yml.erb)
• config/newrelic_plugin.yml (from newrelic_plugin.yml.erb)
• config/nginx.conf (from nginx.conf.erb)
• config/nginx_external_endpoints.conf (from nginx_external_endpoints.conf.erb)
• config/nginx_maintenance.conf (from nginx_maintenance.conf.erb)
• config/nginx_server_mtls.conf (from nginx_server_mtls.conf)
• config/nginx_server_public_tls.conf (from nginx_server_public_tls.conf)
• config/prom_scraper_config.yml (from prom_scraper_config.yml.erb)
• config/prom_scraper_mtls.conf (from prom_scraper_mtls.conf)
• config/public_upload.conf (from public_upload.conf.erb)
• config/stacks.yml (from stacks.yml.erb)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

• capi_utils
• cloud_controller_ng
• jemalloc
• libpq
• mariadb_connector_c
• nginx
• nginx_newrelic_plugin
• ruby-3.2