ssh_proxy job from diego/2.55.0
GitHub source: 3db7716 or master branch
Properties

backends.tls.ca_certificates
List of PEM-encoded CA certificate bundles for the SSH proxy to use to verify backends when connecting via TLS proxy. Should be non-empty if backends.tls.enabled is enabled.
- Default: []

backends.tls.client_certificate
PEM-encoded certificate for the SSH proxy to present to backends for verification when connecting via TLS proxy.

backends.tls.client_private_key
PEM-encoded private key associated with backends.tls.client_certificate.

backends.tls.enabled
Whether to enable TLS-proxied connections to target backend instances.
- Default: false

bpm.enabled
Use the BOSH Process Manager to manage the ssh-proxy process.
- Default: false

connect_to_instance_address
Connect directly to container IP instead of to the host IP and external port. Suitable only for deployments in which the gorouters and TCP routers can route directly to the container IP of instances.
- Default: false

diego.ssh_proxy.allowed_ciphers
Comma-separated list of allowed cipher algorithms.

diego.ssh_proxy.allowed_keyexchanges
Comma-separated list of allowed key exchange algorithms.

diego.ssh_proxy.allowed_macs
Comma-separated list of allowed MAC algorithms.

diego.ssh_proxy.bbs.api_location
Address of the BBS server.
- Default: bbs.service.cf.internal:8889

diego.ssh_proxy.bbs.ca_cert
REQUIRED: PEM-encoded CA certificate.

diego.ssh_proxy.bbs.client_cert
REQUIRED: PEM-encoded client certificate.

diego.ssh_proxy.bbs.client_key
REQUIRED: PEM-encoded client key.

diego.ssh_proxy.bbs.client_session_cache_size
Capacity of the TLS client cache.

diego.ssh_proxy.bbs.max_idle_conns_per_host
Maximum number of idle HTTP connections.

diego.ssh_proxy.cc.external_port
External port of the Cloud Controller API.
- Default: 9022

diego.ssh_proxy.cc.internal_service_hostname
Internal service hostname of the Cloud Controller API.
- Default: cloud-controller-ng.service.cf.internal

diego.ssh_proxy.debug_addr
Address at which to serve debug info.
- Default: 127.0.0.1:17016

diego.ssh_proxy.diego_credentials
Diego credentials to be used with the Diego authentication method.

diego.ssh_proxy.disable_healthcheck_server
Whether to disable the SSH proxy HTTP healthcheck server. Defaults to false.
- Default: false

diego.ssh_proxy.enable_cf_auth
Allow SSH access for CF applications.
- Default: false

diego.ssh_proxy.enable_diego_auth
Allow SSH access for Diego applications.
- Default: false

diego.ssh_proxy.healthcheck_listen_addr
Address for the SSH proxy healthcheck server.
- Default: 0.0.0.0:2223

diego.ssh_proxy.host_key
PEM-encoded RSA private key used to identify the host.

diego.ssh_proxy.idle_connection_timeout_in_seconds
Idle timeout for incoming connections.
- Default: 300

diego.ssh_proxy.listen_addr
Address for the proxy to listen on.
- Default: 0.0.0.0:2222

diego.ssh_proxy.log_level
Log level.
- Default: info

diego.ssh_proxy.uaa.ca_cert
The CA certificate of the UAA.

diego.ssh_proxy.uaa.port
The port to contact UAA on.
- Default: 8443

diego.ssh_proxy.uaa.url
The domain name of the UAA.
- Default: https://uaa.service.cf.internal

diego.ssh_proxy.uaa_secret
The OAuth client secret used to authenticate the ssh-proxy with the UAA.

diego.ssl.skip_cert_verify
When connecting over HTTPS, ignore bad SSL certificates.
- Default: false

enable_consul_service_registration
Enable the ssh-proxy to register itself as a service with Consul, for client discovery via Consul DNS. Do not disable without arranging alternate service discovery.
- Default: true

logging.format.timestamp
Format for timestamp in component logs. Valid values are ‘unix-epoch’ and ‘rfc3339’.
- Default: unix-epoch

loggregator.ca_cert
CA cert used to communicate with the local metron agent over gRPC.

loggregator.cert
Cert used to communicate with the local metron agent over gRPC.

loggregator.key
Key used to communicate with the local metron agent over gRPC.

loggregator.use_v2_api
True to use the local metron agent gRPC v2 API. False to use the UDP v1 API.
- Default: false

loggregator.v2_api_port
Local metron agent gRPC port.
- Default: 3458
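
The TLS-related constraints in the descriptions above can be checked before a deploy. The following is an added example, not code from diego-release: `dig` and `lint_ssh_proxy` are hypothetical helper names, the two property sets are constructed, and the dotted paths assume the nesting implied by the property listing (for example `diego.ssl.skip_cert_verify`). Treating the backend client certificate and key as a pair is also an assumption drawn from the key's description.

```python
def dig(props, dotted, default=None):
    """Walk a nested dict using a dotted BOSH property name."""
    node = props
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def lint_ssh_proxy(props):
    """Return a list of findings for one ssh_proxy job's properties."""
    findings = []
    # ca_certificates "should be non-empty if backends.tls.enabled is enabled".
    if dig(props, "backends.tls.enabled", False):
        if not dig(props, "backends.tls.ca_certificates", []):
            findings.append("backends.tls.enabled without backends.tls.ca_certificates")
        # Assumption: a client certificate is only usable with its private key.
        cert = dig(props, "backends.tls.client_certificate")
        key = dig(props, "backends.tls.client_private_key")
        if bool(cert) != bool(key):
            findings.append("backends.tls client certificate/key not set as a pair")
    # The BBS client TLS material is marked REQUIRED in the listing.
    for name in ("ca_cert", "client_cert", "client_key"):
        if not dig(props, "diego.ssh_proxy.bbs." + name):
            findings.append("missing diego.ssh_proxy.bbs." + name)
    # skip_cert_verify makes HTTPS connections ignore bad certificates.
    if dig(props, "diego.ssl.skip_cert_verify", False):
        findings.append("diego.ssl.skip_cert_verify is true")
    return findings

PEM = "-----BEGIN PLACEHOLDER-----\n(constructed value)\n-----END PLACEHOLDER-----"
BBS = {"ca_cert": PEM, "client_cert": PEM, "client_key": PEM}

WEAK = {  # constructed: TLS to backends on, but nothing to verify them with
    "backends": {"tls": {"enabled": True, "client_certificate": PEM}},
    "diego": {"ssh_proxy": {"bbs": {"ca_cert": PEM}},
              "ssl": {"skip_cert_verify": True}},
}
HARDENED = {  # constructed: the same deployment with the gaps closed
    "backends": {"tls": {"enabled": True, "ca_certificates": [PEM],
                         "client_certificate": PEM, "client_private_key": PEM}},
    "diego": {"ssh_proxy": {"bbs": BBS}, "ssl": {"skip_cert_verify": False}},
}

if __name__ == "__main__":
    for label, props in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_ssh_proxy(props))
```
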

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/ssh_proxy/ directory.

- bin/ssh_proxy_as_vcap (from ssh_proxy_as_vcap.erb)
- bin/ssh_proxy_ctl (from ssh_proxy_ctl.erb)
- config/bpm.yml (from bpm.yml.erb)
- config/certs/backends_tls/ca.crt (from backends_tls_ca.crt.erb)
- config/certs/backends_tls/client.crt (from backends_tls_client.crt.erb)
- config/certs/backends_tls/client.key (from backends_tls_client.key.erb)
- config/certs/bbs/ca.crt (from bbs_ca.crt.erb)
- config/certs/bbs/client.crt (from bbs_client.crt.erb)
- config/certs/bbs/client.key (from bbs_client.key.erb)
- config/certs/cc/cc_api_ca_cert.crt (from cc_api_ca_cert.crt.erb)
- config/certs/loggregator/ca.crt (from loggregator_ca.crt.erb)
- config/certs/loggregator/client.crt (from loggregator_client.crt.erb)
- config/certs/loggregator/client.key (from loggregator_client.key.erb)
- config/certs/uaa/ca.crt (from uaa_ca.crt.erb)
- config/ssh_proxy.json (from ssh_proxy.json.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.