Skip to content

policy-server job from cf-networking/2.0.0

Github source: 4f06fd25 or master branch

Properties

allowed_cors_domains

List of domains (including scheme) from which Cross-Origin requests will be accepted.

Default
[]

cc_hostname

Host name for the Cloud Controller server. E.g. the service advertised via Consul DNS. Must match cc.internal_service_hostname.

Default
cloud-controller-ng.service.cf.internal

cc_port

External port of Cloud Controller server. Must match cc.external_port.

Default
9022

connect_timeout_seconds

Connection timeout between the policy server and its database. Also used for policy server health check timeout.

Default
120

database

host

Host (IP or DNS name) for database server.

name

Name of logical database to use.

password

Password for database connection.

port

Port for database server.

type

Type of database: postgres or mysql.

username

Username for database connection.

debug_port

Port for the debug server. Use this to adjust log level at runtime or dump process stats.

Default
31821

disable

Disable container to container networking.

Default
false

enable_space_developer_self_service

Allows space developers to always be able to configure policies for the apps they own.

Default
false

listen_ip

IP address where the policy server will serve its API.

Default
0.0.0.0

listen_port

Port where the policy server will serve its external API.

Default
4002

log_level

Logging level (debug, info, warn, error).

Default
info

max_policies_per_app_source

Maximum policies a space developer may configure for an application source. Does not affect admin users.

Default
50

metron_port

Port of metron agent on localhost. This is used to forward metrics.

Default
3457

policy_cleanup_interval

Clean up stale policies on this interval, in minutes.

Default
60

skip_ssl_validation

Skip verifying ssl certs when speaking to UAA or Cloud Controller.

Default
false

tag_length

Length in bytes of the packet tags to generate for policy sources and destinations. Must be greater than 0 and less than or equal to 4. If using VXLAN GBP, must be less than or equal to 2.

Default
2

uaa_ca

Trusted CA for UAA server.

uaa_client

UAA client name. Must match the name of a UAA client with the following properties: authorities: uaa.resource,cloud_controller.admin_read_only, authorities: uaa.resource,cloud_controller.admin_read_only.”

Default
network-policy

uaa_client_secret

UAA client secret. Must match the secret of the above UAA client.

uaa_hostname

Host name for the UAA server. E.g. the service advertised via Consul DNS. Must match common name in the UAA server cert. Must be listed in uaa.zones.internal.hostnames.

Default
uaa.service.cf.internal

uaa_port

Port of the UAA server. Must match uaa.ssl.port.

Default
8443

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/policy-server/ directory (learn more).

  • bin/bbr/post-backup-unlock (from post-backup-unlock.sh.erb)
  • bin/bbr/pre-backup-lock (from pre-backup-lock.sh.erb)
  • bin/policy-server_as_vcap (from policy-server_as_vcap.erb)
  • bin/policy-server_ctl (from policy-server_ctl.erb)
  • config/certs/uaa_ca.crt (from uaa_ca.crt.erb)
  • config/policy-server.json (from policy-server.json.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.