routing-api job from routing/0.232.0
GitHub source: 02a2529 or master branch

Properties

dns_health_check_host
Host to ping for confirmation of DNS resolution.
- Default: uaa.service.cf.internal

golang.x509ignoreCN
Environment flag to temporarily ignore golang’s strict checking for at least one SAN in a TLS certificate. See https://github.com/cloudfoundry/routing-release/blob/develop/docs/golang1.15-remove-x509ignoreCN%3D0-flag-certificates-now-require-SANs.md for more info.
- Default: true

metron.port
The port used to emit dropsonde messages to the Metron agent.
- Default: 3457

release_level_backup
Include routing api database in backup and restore operations.
- Default: false

routing_api.admin_port
Local port to listen on with admin endpoint (used for backup/restore locking).
- Default: 15897

routing_api.auth_disabled
Disables UAA authentication.
- Default: false

routing_api.clients
OAuth client IDs and secrets provided via link to jobs in other BOSH deployments that need to read and/or write to Routing API. These clients must be configured in UAA via API or using the property uaa.clients with the desired scopes. For a list of supported scopes, see https://github.com/cloudfoundry-incubator/routing-api/blob/master/docs/api_docs.md. Jobs consuming the link should use these credentials to fetch a token from UAA with which to authenticate with Routing API.
- Example:
  cfcr_routing_api_client:
    secret: ((uaa_clients_cfcr_routing_api_client_secret))

routing_api.debug_address
Address at which to serve debug info.
- Default: 127.0.0.1:17002

routing_api.enabled_api_endpoints
Protocols that the routing api will listen on. Possible values: ‘mtls’ or ‘both’ (mTLS + HTTP).
- Default: both

routing_api.fail_on_router_port_conflicts
This should come via a bosh link from the tcp_routing job. This property is here in case it needs to be overwritten.

routing_api.lock_retry_interval
Interval to wait before retrying a failed lock acquisition.
- Default: 5s

routing_api.lock_ttl
TTL for service lock.
- Default: 10s

routing_api.locket.api_location
Hostname and port of the Locket server. Used to obtain a lock so only one instance of Routing API is active at a time.

routing_api.locket.ca_cert
CA cert for the Locket server.
- Default: ""

routing_api.locket.client_cert
Client cert for the Locket server.
- Default: ""

routing_api.locket.client_key
Client key for the Locket server.
- Default: ""

routing_api.log_level
Log level.
- Default: info

routing_api.max_ttl
String representing the maximum TTL a client can request for route registration.
- Default: 120s

routing_api.metrics_reporting_interval
String representing interval for reporting the following metrics: total_http_subscriptions, total_http_routes, total_tcp_subscriptions, total_tcp_routes, total_token_errors, key_refresh_events. Units: ms, s, m, h.
- Default: 30s

routing_api.mtls_ca
Routing API CA cert.

routing_api.mtls_client_cert
Routing API client cert (provided to clients by bosh link).

routing_api.mtls_client_key
Routing API client key (provided to clients by bosh link).

routing_api.mtls_port
Port on which Routing API is running, listening with mTLS.
- Default: 3001

routing_api.mtls_server_cert
Routing API server cert.

routing_api.mtls_server_key
Routing API server key.

routing_api.port
Port on which Routing API is running. If this is changed and routing_api.enabled:true in cf-release, it will break management of routes and domains until routing_api.port is updated in cf-release.
- Default: 3000

routing_api.reserved_system_component_ports
Array of ports that are reserved for system components. Users will not be able to create router_groups with ports that overlap with this value. Please see docs for more information about these ports.
- Default:
  - 2822
  - 2825
  - 3457
  - 3458
  - 3459
  - 3460
  - 3461
  - 8853
  - 9100
  - 14726
  - 14727
  - 14821
  - 14822
  - 14823
  - 14824
  - 14829
  - 14830
  - 14920
  - 14922
  - 15821
  - 17002
  - 53035
  - 53080

routing_api.router_groups
Array of router groups that will be seeded into routing_api database. Once some value is included with a deploy, subsequent changes to this property will be ignored. TCP Routing requires a router group of type: tcp.
- Default: []
- Example:
  |+
    - name: default-tcp
      reservable_ports: 1024-10000,12000
      type: tcp

routing_api.sqldb.ca_cert
(optional, string) When present, force database connections via TLS.

routing_api.sqldb.connections_max_lifetime_seconds
Sets the maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If value <= 0, connections are reused forever. If there is a spike in connection usage, all of these connections have the potential to stick around with a high lifetime. Lowering the lifetime will result in connections getting reaped sooner, but the routing-api may have to renegotiate connections more often, which could add some latency. We recommend using the default unless you have seen specific needs to change it.
- Default: 3600

routing_api.sqldb.host
Host for SQL database.

routing_api.sqldb.max_idle_connections
Maximum number of idle connections to the SQL database. Idle connections will be retained until their routing_api.sqldb.connections_max_lifetime_seconds has been reached.
- Default: 10

routing_api.sqldb.max_open_connections
Maximum number of open connections to the SQL database. The number of necessary connections will scale with the number of requests to the /routing/... cf api endpoints.
- Default: 200

routing_api.sqldb.password
Password used for connecting to SQL database.

routing_api.sqldb.port
Port on which SQL database is listening.

routing_api.sqldb.schema
Database name for routing api.
- Example: routing_api

routing_api.sqldb.skip_hostname_validation
Skip checking the hostname of the server cert when connecting via TLS.
- Default: false

routing_api.sqldb.type
Type of SQL database.
- Example: mysql

routing_api.sqldb.username
Username used for connecting to SQL database.

routing_api.statsd_client_flush_interval
Buffered statsd client flush interval.
- Default: 300ms

routing_api.statsd_endpoint
The endpoint for the statsd server used to translate the following metrics from statsd to dropsonde: total_http_subscriptions, total_http_routes, total_tcp_subscriptions, total_tcp_routes, total_token_errors, key_refresh_events.
- Default: localhost:8125

routing_api.system_domain
Domain reserved for CF operator; base URL where the UAA, Cloud Controller, and other non-user apps listen.

skip_ssl_validation
Skip TLS verification when talking to UAA.
- Default: false

uaa.ca_cert
Certificate authority for communication between clients and UAA.
- Default: ""

uaa.tls_port
Port on which UAA is listening for TLS connections. This is required for obtaining a key to verify client OAuth tokens.

uaa.token_endpoint
UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA.
- Default: uaa.service.cf.internal

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/routing-api/ directory.

- bin/bbr/metadata (from bbr-metadata)
- bin/bbr/post-backup-unlock (from post-backup-unlock.erb)
- bin/bbr/post-restore-unlock (from post-restore-unlock.erb)
- bin/bbr/pre-backup-lock (from pre-backup-lock.erb)
- bin/bbr/pre-restore-lock (from pre-restore-lock.erb)
- bin/bpm-pre-start (from bpm-pre-start.erb)
- bin/dns_health_check (from dns_health_check.erb)
- config/bpm.yml (from bpm.yml.erb)
- config/certs/locket/ca.crt (from locket_ca.crt.erb)
- config/certs/locket/client.crt (from locket_client.crt.erb)
- config/certs/locket/client.key (from locket_client.key.erb)
- config/certs/routing-api/client_ca.crt (from api_mtls_client_ca.crt.erb)
- config/certs/routing-api/server.crt (from api_mtls_server.crt.erb)
- config/certs/routing-api/server.key (from api_mtls_server.key.erb)
- config/certs/uaa/ca.crt (from uaa_ca.crt.erb)
- config/routing-api.yml (from routing-api.yml.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.