policy-server-internal job from cf-networking/3.3.0
Github source:
b70852fc
or
master branch
Properties¶
ca_cert
¶
Trusted CA certificate that was used to sign the vxlan policy agent’s client cert and key.
connections_max_lifetime_seconds
¶
Sets the maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If value <= 0, connections are reused forever
If there is a spike in connection usage, all of these connections have the potential to stick around with a high lifetime. Lowering the lifetime will result in connections getting reaped sooner, but the policy server may have to renegotiate connections more often, which could add some latency. We recommend using the default unless you have seen specific needs to change it.
- Default
3600
database
¶
connect_timeout_seconds
¶Connection timeout between the policy server and its database.
- Default
120
debug_port
¶
Port for the debug server. Use this to adjust log level at runtime or dump process stats.
- Default
31945
disable
¶
Disable container to container networking.
- Default
false
enforce_experimental_dynamic_egress_policies
¶
Set to true for dynamic egress policy enforcement. Note that you can still create dynamic egress policies through the external API.
- Default
false
health_check_port
¶
The port for the health endpoint
- Default
31946
health_check_timeout_seconds
¶
Health check timeout for Consul DNS.
- Default
5
internal_listen_port
¶
Port where the policy server will serve its internal API.
- Default
4003
listen_ip
¶
IP address where the policy server will serve its API.
- Default
0.0.0.0
log_level
¶
Logging level (debug, info, warn, error).
- Default
info
max_idle_connections
¶
Maximum number of idle connections to the SQL database
Idle connections will be retained until their connections_max_lifetime_seconds
has been reached.
- Default
10
max_open_connections
¶
Maximum number of open connections to the SQL database.
The number of necessary connections will scale with the number of diego-cells in the deployment. The handlers that use the db conns in this job respond to the vxlan-policy-agent, which runs on the diego-cells. Each agent polls this server once every 5s, by default. Anecdote: in an environment with ~300 diego-cells has seen use up to ~200 conns. Anecdote: in an environment with ~200 diego-cells has seen use up to ~170 conns. In these scenarios, each instance of this job would expect total-number-of-conns/job-instance-count conns each. Idle state will likely use fewer connections.
- Default
200
metron_port
¶
Port of metron agent on localhost. This is used to forward metrics.
- Default
3457
server_cert
¶
Server certificate for TLS. Must have common name that matches the Consul DNS name of the policy server, eg policy-server.service.cf.internal
.
server_key
¶
Server key for TLS.
Templates¶
Templates are rendered and placed onto corresponding
instances during the deployment process. This job's templates
will be placed into /var/vcap/jobs/policy-server-internal/
directory
(learn more).
bin/dns_health_check
(fromdns_health_check.erb
)bin/post-start
(frompost-start.erb
)config/bpm.yml
(frombpm.yml.erb
)config/certs/ca.crt
(fromca.crt.erb
)config/certs/database_ca.crt
(fromdatabase_ca.crt.erb
)config/certs/server.crt
(fromserver.crt.erb
)config/certs/server.key
(fromserver.key.erb
)config/policy-server-internal.json
(frompolicy-server-internal.json.erb
)
Packages¶
Packages are compiled and placed onto corresponding
instances during the deployment process. Packages will be
placed into /var/vcap/packages/
directory.