routing-api job from routing/0.232.0

Github source: 02a2529 or master branch

Properties¶

dns_health_check_host¶

Host to ping for confirmation of DNS resolution

Default

uaa.service.cf.internal

golang¶

x509ignoreCN¶

Environment Flag to temporarily ignore golang’s strict checking for at least one SAN in a TLS certificate. See: https://github.com/cloudfoundry/routing-release/blob/develop/docs/golang1.15-remove-x509ignoreCN%3D0-flag-certificates-now-require-SANs.md for more info.

Default

true

metron¶

port¶

The port used to emit dropsonde messages to the Metron agent.

Default

3457

release_level_backup¶

Include routing api database in backup and restore operations

Default

false

routing_api¶

admin_port¶

Local port to listen on with admin endpoint (used for backup/restore locking)

Default

15897

auth_disabled¶

Disables UAA authentication

Default

false

clients¶

OAuth client ids and secrets provided via link to jobs in other BOSH deployments that need to read and/or write to Routing API. These clients must be configured in UAA via API or using the property uaa.clients with the desired scopes. For a list of scopes supported see https://github.com/cloudfoundry-incubator/routing-api/blob/master/docs/api_docs.md. Jobs consuming the link should use these credentials to fetch a token from UAA with which to authenticate with Routing API.

Example

cfcr_routing_api_client:
  secret: ((uaa_clients_cfcr_routing_api_client_secret))

debug_address¶

Address at which to serve debug info

Default

127.0.0.1:17002

enabled_api_endpoints¶

Protocols that the routing api will listen on. Possible values: ‘mtls’, or ‘both’ (mTLS + HTTP)

Default

both

fail_on_router_port_conflicts¶

This should come via a bosh link from the tcp_routing job. This property is here in case it needs to be overwritten.

lock_retry_interval¶

interval to wait before retrying a failed lock acquisition

Default

5s

lock_ttl¶

TTL for service lock

Default

10s

locket¶

api_location¶

Hostname and port of the Locket server. Used to obtain a lock so only one instance of Routing API is active at a time.

ca_cert¶

CA cert for the Locket server.

Default

""

client_cert¶

Client cert for the Locket server.

Default

""

client_key¶

Client key for the Locket server.

Default

""

log_level¶

Log level

Default

info

max_ttl¶

String representing the maximum TTL a client can request for route registration.

Default

120s

metrics_reporting_interval¶

String representing interval for reporting the following metrics: total_http_subscriptions, total_http_routes, total_tcp_subscriptions, total_tcp_routes, total_token_errors, key_refresh_events. Units: ms, s, m h

Default

30s

mtls_ca¶

Routing API CA cert

mtls_client_cert¶

Routing API client cert (provided to clients by bosh link)

mtls_client_key¶

Routing API client key (provided to clients by bosh link)

mtls_port¶

Port on which Routing API is running, listening with mTLS.

Default

3001

mtls_server_cert¶

Routing API server cert

mtls_server_key¶

Routing API server key

port¶

Port on which Routing API is running. If this is changed and routing_api.enabled:true in cf-release, it will break management of routes and domains until routing_api.port is updated in cf-release.

Default

3000

reserved_system_component_ports¶

Array of ports that are reserved for system components. Users will not be able to create router_groups with ports that overlap with this value. Please see docs for more information about these ports.

Default

  - 2822
  - 2825
  - 3457
  - 3458
  - 3459
  - 3460
  - 3461
  - 8853
  - 9100
  - 14726
  - 14727
  - 14821
  - 14822
  - 14823
  - 14824
  - 14829
  - 14830
  - 14920
  - 14922
  - 15821
  - 17002
  - 53035
  - 53080

router_groups¶

Array of router groups that will be seeded into routing_api database. Once some value is included with a deploy, subsequent changes to this property will be ignored. TCP Routing requires a router group of type: tcp.

Default

[]

Example

|+
  - name: default-tcp
    reservable_ports: 1024-10000,12000
    type: tcp

sqldb¶

ca_cert¶

(optional, string) When present, force database connections via TLS.

connections_max_lifetime_seconds¶

Sets the maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If value <= 0, connections are reused forever. If there is a spike in connection usage, all of these connections have the potential to stick around with a high lifetime. Lowering the lifetime will result in connections getting reaped sooner, but the routing-api may have to renegotiate connections more often, which could add some latency. We recommend using the default unless you have seen specific needs to change it.

Default

3600

host¶

Host for SQL database

max_idle_connections¶

Maximum number of idle connections to the SQL database. Idle connections will be retained until their routing_api.sqldb.connections_max_lifetime_seconds has been reached.

Default

10

max_open_connections¶

Maximum number of open connections to the SQL database. The number of necessary connections will scale with the number of requests to the /routing/... cf api endpoints.

Default

200

password¶

Password used for connecting to SQL database

port¶

Port on which SQL database is listening

schema¶

Database name for routing api

Example

routing_api

skip_hostname_validation¶

skip checking the hostname of the server cert when connecting via TLS

Default

false

type¶

Type of SQL database

Example

mysql

username¶

Username used for connecting to SQL database

statsd_client_flush_interval¶

Buffered statsd client flush interval

Default

300ms

statsd_endpoint¶

The endpoint for the statsd server used to translate the following metrics from statsd to dropsonde: total_http_subscriptions, total_http_routes, total_tcp_subscriptions, total_tcp_routes, total_token_errors, key_refresh_events.

Default

localhost:8125

system_domain¶

Domain reserved for CF operator; base URL where the UAA, Cloud Controller, and other non-user apps listen

skip_ssl_validation¶

Skip TLS verification when talking to UAA

Default

false

uaa¶

ca_cert¶

Certificate authority for communication between clients and UAA.

Default

""

tls_port¶

Port on which UAA is listening for TLS connections. This is required for obtaining a key to verify client OAuth tokens.

token_endpoint¶

UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA.

Default

uaa.service.cf.internal

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/routing-api/ directory (learn more).

• bin/bbr/metadata (from bbr-metadata)
• bin/bbr/post-backup-unlock (from post-backup-unlock.erb)
• bin/bbr/post-restore-unlock (from post-restore-unlock.erb)
• bin/bbr/pre-backup-lock (from pre-backup-lock.erb)
• bin/bbr/pre-restore-lock (from pre-restore-lock.erb)
• bin/bpm-pre-start (from bpm-pre-start.erb)
• bin/dns_health_check (from dns_health_check.erb)
• config/bpm.yml (from bpm.yml.erb)
• config/certs/locket/ca.crt (from locket_ca.crt.erb)
• config/certs/locket/client.crt (from locket_client.crt.erb)
• config/certs/locket/client.key (from locket_client.key.erb)
• config/certs/routing-api/client_ca.crt (from api_mtls_client_ca.crt.erb)
• config/certs/routing-api/server.crt (from api_mtls_server.crt.erb)
• config/certs/routing-api/server.key (from api_mtls_server.key.erb)
• config/certs/uaa/ca.crt (from uaa_ca.crt.erb)
• config/routing-api.yml (from routing-api.yml.erb)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

• routing-api
• routing_utils