policy-server job from cf-networking/3.36.0
Github source: 3f56c6cc or master branch
Properties¶
allowed_cors_domains¶
List of domains (including scheme) from which Cross-Origin requests will be accepted.
- Default
- []
cc_hostname¶
Host name for the Cloud Controller server for connecting to the non-secure api endpoint.
If this value is not provided, policy-server will obtain the secure api endpoint by consuming
the cloud_controller_https_endpoint link.
The value supplied to this property must match the value supplied to the Cloud Controller
property cc.internal_service_hostname.
- Example
- cloud-controller-ng.service.cf.internal
cc_port¶
External port of Cloud Controller server for connecting to the non-secure api endpoint.
If this value is not provided, policy-server will obtain the secure api port by consuming
the cloud_controller_https_endpoint link.
The value supplied to this property must match the value supplied to the Cloud Controller
property cc.external_port.
- Example
- 9022
connections_max_lifetime_seconds¶
Sets the maximum amount of time, in seconds, a database connection may be reused. Expired connections may be closed lazily before reuse. If the value is <= 0, connections are reused forever.
If there is a spike in connection usage, all of these connections have the potential to stick around for the full lifetime. Lowering the lifetime results in connections being reaped sooner, but the policy server may have to renegotiate connections more often, which can add latency. We recommend using the default unless you have a specific need to change it.
- Default
- 3600
database¶
Connection settings for the policy server's SQL database.
- ca_cert: CA certificate for database connectivity. Requires database.require_ssl to be true.
- connect_timeout_seconds: Connection timeout between the policy server and its database. Default: 120
- host: Host (IP or DNS name) for the database server.
- name: Name of the logical database to use.
- password: Password for the database connection.
- port: Port for the database server.
- require_ssl: Require SSL database connectivity when true. Must be used in conjunction with a release that is configured with SSL. Default: false
- skip_hostname_validation: Skip hostname validation when true. Requires database.require_ssl to be true. Default: false
- type: Type of database: postgres or mysql.
- username: Username for the database connection.
debug_port¶
Port for the debug server. Use this to adjust log level at runtime or dump process stats.
- Default
- 31821
disable¶
Disable container to container networking.
- Default
- false
enable_space_developer_self_service¶
Allows space developers to always be able to configure policies for the apps they own.
- Default
- false
enable_tls¶
Use TLS server for external API server.
- Default
- false
listen_ip¶
IP address where the policy server will serve its API.
- Default
- 0.0.0.0
listen_port¶
Port where the policy server will serve its external API.
- Default
- 4002
log_level¶
Logging level (debug, info, warn, error).
- Default
- info
max_idle_connections¶
Maximum number of idle connections to the SQL database.
Idle connections will be retained until their connections_max_lifetime_seconds has been reached.
- Default
- 10
max_open_connections¶
Maximum number of open connections to the SQL database.
The number of necessary connections will scale with the number of requests to the /networking/... cf api endpoints.
- Default
- 200
max_policies_per_app_source¶
Maximum policies a space developer may configure for an application source. Does not affect admin users.
- Default
- 150
metron_port¶
Port of metron agent on localhost. This is used to forward metrics.
- Default
- 3457
policy_cleanup_interval¶
Clean up stale policies on this interval, in minutes.
- Default
- 60
server_cert¶
External API server certificate for TLS.
server_key¶
External API server key for TLS.
skip_ssl_validation¶
Skip verifying SSL certificates when speaking to UAA or Cloud Controller. Setting this to true leaves those connections open to man-in-the-middle attacks; keep it false outside of test environments.
- Default
- false
tag_length¶
Length in bytes of the packet tags to generate for policy sources and destinations. Must be greater than 0 and less than or equal to 4. If using VXLAN GBP, must be less than or equal to 2.
- Default
- 2
uaa_ca¶
Trusted CA for UAA server.
uaa_client¶
UAA client name. Must match the name of a UAA client with the following properties:
authorities: uaa.resource,cloud_controller.admin_read_only
- Default
- network-policy
uaa_client_secret¶
UAA client secret. Must match the secret of the above UAA client.
uaa_hostname¶
Host name for the UAA server, e.g. the service advertised via Consul DNS. Must match the common name in the UAA server cert. Must be listed in uaa.zones.internal.hostnames.
- Default
- uaa.service.cf.internal
uaa_port¶
Port of the UAA server. Must match uaa.ssl.port.
- Default
- 8443
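Several of the properties above only make sense in combination (database.ca_cert and database.skip_hostname_validation require database.require_ssl; enable_tls needs both server_cert and server_key; tag_length must be in 1..4 and at most 2 with VXLAN GBP), and the defaults for enable_tls, skip_ssl_validation and database.require_ssl are the weakest choices. The Go program below is an added example, not code from cf-networking or the policy-server job: it reads a JSON document keyed by the property names on this page (an assumed layout, not the schema of the rendered config/policy-server.json), reports violations of the stated constraints as errors and security-weakening settings as warnings, and runs over two constructed configurations, one with the insecure defaults and one hardened.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Config mirrors the policy-server job properties listed above. Field and
// JSON key names follow the BOSH property names; this layout is an assumption
// for the example, not the schema of the rendered config/policy-server.json.
type Config struct {
	EnableTLS          bool     `json:"enable_tls"`
	ServerCert         string   `json:"server_cert"`
	ServerKey          string   `json:"server_key"`
	SkipSSLValidation  bool     `json:"skip_ssl_validation"`
	AllowedCORSDomains []string `json:"allowed_cors_domains"`
	TagLength          int      `json:"tag_length"`
	Database           Database `json:"database"`
}

// Database holds the nested database.* properties the checks use.
type Database struct {
	RequireSSL             bool   `json:"require_ssl"`
	SkipHostnameValidation bool   `json:"skip_hostname_validation"`
	CACert                 string `json:"ca_cert"`
}

// Validate returns one finding per problem: "error:" for a constraint the
// property reference states, "warning:" for a setting that weakens transport
// security. vxlanGBP reports a VXLAN GBP overlay, which caps tag_length at 2.
func Validate(c Config, vxlanGBP bool) []string {
	var out []string
	fail := func(f string, a ...interface{}) { out = append(out, "error: "+fmt.Sprintf(f, a...)) }
	warn := func(f string, a ...interface{}) { out = append(out, "warning: "+fmt.Sprintf(f, a...)) }
	// enable_tls needs both halves of the key pair; without TLS the API and the UAA tokens sent to it travel in plaintext.
	if c.EnableTLS {
		if c.ServerCert == "" || c.ServerKey == "" {
			fail("enable_tls is true but server_cert or server_key is empty")
		}
	} else {
		warn("enable_tls is false: the external API is served without TLS")
	}
	if c.SkipSSLValidation {
		warn("skip_ssl_validation is true: UAA and Cloud Controller certificates are not verified")
	}
	// A CORS entry must carry a scheme; a bare host never matches an Origin header.
	for _, d := range c.AllowedCORSDomains {
		if u, err := url.Parse(d); err != nil || u.Scheme == "" || u.Host == "" {
			fail("allowed_cors_domains entry %q must include a scheme and host", d)
		}
	}
	switch {
	case c.TagLength <= 0 || c.TagLength > 4:
		fail("tag_length %d must be > 0 and <= 4", c.TagLength)
	case vxlanGBP && c.TagLength > 2:
		fail("tag_length %d must be <= 2 when using VXLAN GBP", c.TagLength)
	}
	db := c.Database
	// ca_cert and skip_hostname_validation are only meaningful with require_ssl.
	switch {
	case db.RequireSSL && db.SkipHostnameValidation:
		warn("database.skip_hostname_validation is true: any certificate issued by the CA is accepted for any host")
	case !db.RequireSSL:
		if db.CACert != "" {
			fail("database.ca_cert is set but database.require_ssl is false")
		}
		if db.SkipHostnameValidation {
			fail("database.skip_hostname_validation requires database.require_ssl")
		}
		warn("database.require_ssl is false: database traffic is unencrypted")
	}
	return out
}

// LoadAndValidate decodes a JSON document in the Config layout and validates it.
func LoadAndValidate(raw []byte, vxlanGBP bool) ([]string, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return Validate(c, vxlanGBP), nil
}

// Constructed inputs (not from a real deployment; PEM values are placeholders): weakConfig keeps
// the insecure defaults and breaks two stated constraints, hardenedConfig is a reviewed deployment.
const weakConfig = `{"enable_tls": false, "skip_ssl_validation": true, "allowed_cors_domains": ["apps.example.com"],
 "tag_length": 3, "database": {"type": "mysql", "require_ssl": false, "skip_hostname_validation": true}}`
const hardenedConfig = `{"enable_tls": true, "server_cert": "PLACEHOLDER-PEM-CERT", "server_key": "PLACEHOLDER-PEM-KEY",
 "skip_ssl_validation": false, "allowed_cors_domains": ["https://apps.example.com"], "tag_length": 2,
 "database": {"type": "postgres", "require_ssl": true, "skip_hostname_validation": false, "ca_cert": "PLACEHOLDER-PEM-CA"}}`

func main() {
	for _, raw := range []string{weakConfig, hardenedConfig} {
		findings, _ := LoadAndValidate([]byte(raw), true)
		fmt.Printf("%d findings: %v\n", len(findings), findings)
	}
}
```

Run with a VXLAN GBP overlay (vxlanGBP true), the weak configuration yields six findings (three errors, three warnings) and the hardened one yields none. Treat the warnings as release gates rather than advice: a policy server without enable_tls accepts bearer tokens over plaintext, and skip_ssl_validation together with an unencrypted database connection hands the same tokens and the policy table to anyone on the path.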
Templates¶
Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/policy-server/ directory.
- bin/bbr/post-backup-unlock (from post-backup-unlock.sh.erb)
- bin/bbr/pre-backup-lock (from pre-backup-lock.sh.erb)
- bin/post-start (from post-start.erb)
- bin/pre-start (from pre-start.erb)
- config/bpm.yml (from bpm.yml.erb)
- config/certs/cc_ca.crt (from cc_ca.crt.erb)
- config/certs/database_ca.crt (from database_ca.crt.erb)
- config/certs/server.crt (from server.crt.erb)
- config/certs/server.key (from server.key.erb)
- config/certs/uaa_ca.crt (from uaa_ca.crt.erb)
- config/policy-server.json (from policy-server.json.erb)
Packages¶
Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.