spec

---
name: cloud_controller_ng

description: "The Cloud Controller provides primary Cloud Foundry API that is by the CF CLI. The Cloud Controller uses a database to keep tables for organizations, spaces, apps, services, service instances, user roles, and more. Typically multiple instances of Cloud Controller are load balanced."

templates:
  bin/cloud_controller_ng.erb: bin/cloud_controller_ng
  bin/local_worker.erb: bin/local_worker
  bin/nginx_newrelic_plugin.erb: bin/nginx_newrelic_plugin
  bpm.yml.erb: config/bpm.yml
  pre-backup-lock.sh.erb: bin/bbr/pre-backup-lock
  post-backup-unlock.sh.erb: bin/bbr/post-backup-unlock
  pre-restore-lock.sh.erb: bin/bbr/pre-restore-lock
  post-restore-unlock.sh.erb: bin/bbr/post-restore-unlock

  cloud_controller_ng.yml.erb: config/cloud_controller_ng.yml
  blobstore_waiter.sh.erb: bin/blobstore_waiter.sh
  buildpacks_ca_cert.pem.erb: config/certs/buildpacks_ca_cert.pem
  cloud_controller_api_ctl.erb: bin/cloud_controller_ng_ctl
  cloud_controller_api_health_check.erb: bin/cloud_controller_ng_health_check
  cloud_controller_api_worker_ctl.erb: bin/cloud_controller_worker_ctl
  ccng_monit_http_healthcheck.sh.erb: bin/ccng_monit_http_healthcheck
  console.erb: bin/console
  dns_health_check.erb: bin/dns_health_check
  drain.sh.erb: bin/drain
  droplets_ca_cert.pem.erb: config/certs/droplets_ca_cert.pem
  local_blobstore_downloads.conf.erb: config/local_blobstore_downloads.conf
  logcache_tls.crt.erb: config/certs/logcache_tls.crt
  logcache_tls.key.erb: config/certs/logcache_tls.key
  logcache_tls_ca.crt.erb: config/certs/logcache_tls_ca.crt
  kubernetes_ca.crt.erb: config/certs/kubernetes_ca.crt
  nginx_external_endpoints.conf.erb: config/nginx_external_endpoints.conf
  migrate_db.sh.erb: bin/migrate_db
  mime.types: config/mime.types
  nginx_server_mtls.conf: config/nginx_server_mtls.conf
  nginx_server_public_tls.conf: config/nginx_server_public_tls.conf
  mutual_tls.crt.erb: config/certs/mutual_tls.crt
  mutual_tls.key.erb: config/certs/mutual_tls.key
  mutual_tls_ca.crt.erb: config/certs/mutual_tls_ca.crt
  public_tls.crt.erb: config/certs/public_tls.crt
  public_tls.key.erb: config/certs/public_tls.key
  newrelic.yml.erb: config/newrelic.yml
  newrelic_plugin.yml.erb: config/newrelic_plugin.yml
  nginx.conf.erb: config/nginx.conf
  nginx_maintenance.conf.erb: config/nginx_maintenance.conf
  nginx_ctl.erb: bin/nginx_ctl
  nginx_newrelic_plugin_ctl.erb: bin/nginx_newrelic_plugin_ctl
  opi_tls.crt.erb: config/certs/opi_tls.crt
  opi_tls.key.erb: config/certs/opi_tls.key
  opi_tls_ca.crt.erb: config/certs/opi_tls_ca.crt
  packages_ca_cert.pem.erb: config/certs/packages_ca_cert.pem
  perform_blobstore_benchmarks.erb: bin/perform_blobstore_benchmarks
  post-start.sh.erb: bin/post-start
  pre-start.sh.erb: bin/pre-start
  public_upload.conf.erb: config/public_upload.conf
  restart_drain.sh.erb: bin/restart_drain
  resource_pool_ca_cert.pem.erb: config/certs/resource_pool_ca_cert.pem
  shutdown_drain.rb.erb: bin/shutdown_drain
  ruby_version.sh.erb: bin/ruby_version.sh
  seed_db.sh.erb: bin/seed_db
  setup_local_blobstore.sh.erb: bin/setup_local_blobstore.sh
  stacks.yml.erb: config/stacks.yml
  uaa_ca.crt.erb: config/certs/uaa_ca.crt
  validate_encryption_keys.sh.erb: bin/validate_encryption_keys
  db_ca.crt.erb: config/certs/db_ca.crt
  credhub_ca.crt.erb: config/certs/credhub_ca.crt
  bits_service_ca.crt.erb: config/certs/bits_service_ca.crt
  copilot_ca.crt.erb: config/certs/copilot_ca.crt
  copilot.crt.erb: config/certs/copilot.crt
  copilot.key.erb: config/certs/copilot.key

packages:
  - capi_utils
  - cloud_controller_ng
  - nginx
  - nginx_newrelic_plugin
  - libpq
  - mariadb_connector_c
  - ruby-2.7.2-r0.41.0

provides:
- name: cloud_controller
  type: cloud_controller
  properties:
  - system_domain
  - app_domains
- name: cloud_controller_db
  type: cloud_controller_db
  properties:
  - ccdb
  - ccdb.connection_validation_timeout
  - ccdb.max_connections
  - ccdb.pool_timeout
  - ccdb.read_timeout
  - ccdb.ssl_verify_hostname
  - ccdb.ca_cert
- name: directories_to_backup
  type: directories_to_backup
  properties:
  - cc.packages.app_package_directory_key
  - cc.droplets.droplet_directory_key
  - cc.buildpacks.buildpack_directory_key
- name: cloud_controller_https_endpoint
  type: cloud_controller_https_endpoint
  properties:
  - cc.internal_service_hostname
  - cc.public_tls.port
  - cc.public_tls.ca_cert
- name: cloud_controller_mtls_endpoint
  type: cloud_controller_mtls_endpoint
  properties:
  - cc.internal_service_hostname
  - cc.tls_port
  - cc.mutual_tls.ca_cert
- name: cloud_controller_container_networking_info
  type: cloud_controller_container_networking_info
  properties:
  - cc.internal_route_vip_range
- name: cloud_controller_internal
  type: cloud_controller_internal
  properties:
  - cc.bits_service.ca_cert
  - cc.bits_service.enabled
  - cc.bits_service.password
  - cc.bits_service.private_endpoint
  - cc.bits_service.public_endpoint
  - cc.bits_service.username
  - cc.buildpacks.blobstore_type
  - cc.buildpacks.buildpack_directory_key
  - cc.buildpacks.cdn.key_pair_id
  - cc.buildpacks.cdn.private_key
  - cc.buildpacks.cdn.uri
  - cc.buildpacks.fog_aws_storage_options
  - cc.buildpacks.fog_connection
  - cc.buildpacks.webdav_config.blobstore_timeout
  - cc.buildpacks.webdav_config.ca_cert
  - cc.buildpacks.webdav_config.password
  - cc.buildpacks.webdav_config.private_endpoint
  - cc.buildpacks.webdav_config.public_endpoint
  - cc.buildpacks.webdav_config.username
  - cc.credential_references.interpolate_service_bindings
  - cc.custom_metric_tag_prefix_list
  - cc.database_encryption.current_key_label
  - cc.database_encryption.experimental_pbkdf2_hmac_iterations
  - cc.database_encryption.keys
  - cc.db_encryption_key
  - cc.db_logging_level
  - cc.default_app_ssh_access
  - cc.default_health_check_timeout
  - cc.default_stack
  - cc.disable_private_domain_cross_space_context_path_route_sharing
  - cc.droplets.blobstore_type
  - cc.droplets.cdn.key_pair_id
  - cc.droplets.cdn.private_key
  - cc.droplets.cdn.uri
  - cc.droplets.droplet_directory_key
  - cc.droplets.fog_aws_storage_options
  - cc.droplets.fog_connection
  - cc.droplets.webdav_config.blobstore_timeout
  - cc.droplets.webdav_config.ca_cert
  - cc.droplets.webdav_config.password
  - cc.droplets.webdav_config.private_endpoint
  - cc.droplets.webdav_config.public_endpoint
  - cc.droplets.webdav_config.username
  - cc.external_host
  - cc.external_port
  - cc.external_protocol
  - cc.internal_service_hostname
  - cc.log_db_queries
  - cc.logging.format.timestamp
  - cc.logging_level
  - cc.logging_max_retries
  - cc.max_labels_per_resource
  - cc.max_annotations_per_resource
  - cc.maximum_health_check_timeout
  - cc.opi.ca_cert
  - cc.opi.client_cert
  - cc.opi.client_key
  - cc.opi.enabled
  - cc.opi.opi_staging
  - cc.opi.url
  - cc.packages.app_package_directory_key
  - cc.packages.blobstore_type
  - cc.packages.cdn.key_pair_id
  - cc.packages.cdn.private_key
  - cc.packages.cdn.uri
  - cc.packages.fog_aws_storage_options
  - cc.packages.fog_connection
  - cc.packages.max_package_size
  - cc.packages.webdav_config.blobstore_timeout
  - cc.packages.webdav_config.ca_cert
  - cc.packages.webdav_config.password
  - cc.packages.webdav_config.private_endpoint
  - cc.packages.webdav_config.public_endpoint
  - cc.packages.webdav_config.username
  - cc.resource_pool.blobstore_type
  - cc.resource_pool.cdn.key_pair_id
  - cc.resource_pool.cdn.private_key
  - cc.resource_pool.cdn.uri
  - cc.resource_pool.fog_aws_storage_options
  - cc.resource_pool.fog_connection
  - cc.resource_pool.maximum_size
  - cc.resource_pool.minimum_size
  - cc.resource_pool.resource_directory_key
  - cc.resource_pool.webdav_config.blobstore_timeout
  - cc.resource_pool.webdav_config.ca_cert
  - cc.resource_pool.webdav_config.password
  - cc.resource_pool.webdav_config.private_endpoint
  - cc.resource_pool.webdav_config.public_endpoint
  - cc.resource_pool.webdav_config.username
  - cc.stacks
  - cc.staging_timeout_in_seconds
  - cc.staging_upload_password
  - cc.staging_upload_user
  - cc.statsd_host
  - cc.statsd_port
  - cc.system_hostnames
  - cc.tls_port
  - cc.uaa.client_timeout
  - cc.internal_route_vip_range
  - cc.volume_services_enabled
  - copilot.client_ca_file
  - copilot.client_chain_file
  - copilot.client_key_file
  - copilot.enabled
  - copilot.host
  - copilot.temporary_istio_domains
  - credhub_api.ca_cert
  - credhub_api.hostname
  - release_level_backup
  - router.route_services_secret
  - routing_api.enabled
  - ssl.skip_cert_verify
  - system_domain
  - uaa.clients.cc_routing.secret

consumes:
- name: database
  type: database
  optional: true
- name: cc_uploader
  type: cc_uploader
  optional: true
- name: credhub
  type: credhub
  optional: true
- name: cloud_controller_to_copilot_conn
  type: cloud_controller_to_copilot_conn
  optional: true
- name: log-cache
  type: log-cache
  optional: true
- name: file_server
  type: file_server
  optional: true
- name: cloud_controller
  type: cloud_controller
  optional: true

properties:
  ssl.skip_cert_verify:
    description: "specifies that the job is allowed to skip ssl cert verification"
    default: false

  system_domain:
    description: "Domain reserved for CF operator, base URL where the login, uaa, and other non-user apps listen"
  system_domain_organization:
    description: "An organization that will be created as part of the seeding process. When the system_domain is not shared with (in the list of) app_domains, this is required as the system_domain will be created as a PrivateDomain in this organization."
    default: "system"
  app_domains:
    description: "Array of domain hashes for user apps (example: 'user.app.space.foo', a user app called 'neat' will listen at 'http://neat.user.app.space.foo'). Domains specified as internal should be listed last to avoid interfering with default domain selection by old CLI versions."
    example:  |
      - name: example.com
      - name: tcp.example.com
        router_group_name: default-tcp
      - name: example.internal
        internal: true

  app_ssh.host_key_fingerprint:
    description: >-
      Fingerprint of the host key of the SSH proxy that brokers connections to
      application instances.
      Supported fingerprint formats: SHA256 (recommended), SHA1 and MD5
      Example fingerprints by format:
        SHA256: 0KmvfcwFCnwQRviOJEwZtnz5qoi76BVb8dm3/vgilCI
        SHA1: b8:80:2c:8c:d7:25:ad:2a:b4:8c:02:34:52:06:f7:ba:1f:0d:02:de
        MD5: d2:d6:b9:d7:f9:c4:15:70:de:af:c7:36:88:3a:60:12
    default: ~
  app_ssh.port:
    description: "External port for SSH access to application instances"
    default: 2222
  app_ssh.oauth_client_id:
    description: "The oauth client ID of the SSH proxy"
    default: ssh-proxy

  nfs_server.address:
    description: "NFS server for droplets and apps (not used in an AWS deploy, use s3 instead)"

  request_timeout_in_seconds:
    description: "Timeout for requests in seconds."
    default: 900

  name:
    description: "'name' attribute in the /v2/info endpoint"
    default: ""
  build:
    description: "'build' attribute in the /v2/info endpoint"
    default: ""
  version:
    description: "'version' attribute in the /v2/info endpoint"
    default: 0
  support_address:
    description: "'support' attribute in the /v2/info endpoint"
    default: ""
  description:
    description: "'description' attribute in the /v2/info endpoint"
    default: ""

  temporary_disable_non_tls_endpoints:
    description: "nginx_cc and cc_uploader components disable non-TLS endpoints"
    default: false

  cc.info.custom:
    description: "Custom attribute keys and values for /v2/info endpoint"

  cc.nginx.ip:
    description: "IP address for nginx"
    default: ""
  cc.external_port:
    description: "External Cloud Controller port"
    default: 9022
  cc.tls_port:
    description: "Port for internal TLS communication"
    default: 9023
  cc.public_tls.port:
    description: "Port for TLS with gorouter"
    default: 9024
  cc.internal_service_hostname:
    description: "Internal hostname used to resolve the address of the Cloud Controller"
    default: "cloud-controller-ng.service.cf.internal"

  cc.external_protocol:
    default: "https"
    description: "The protocol used to access the CC API from an external entity"
  cc.external_host:
    default: "api"
    description: "Host part of the cloud_controller API URI, will be joined with value of 'domain'"

  cc.api_post_start_healthcheck_timeout_in_seconds:
    default: 60
    description: "Maximum time (in seconds) for cloud_controller_ng to report healthy"

  cc.api_health_check_timeout_per_retry:
    default: 2
    description: "Maximum health check timeout (in seconds) for each retry attempt in the Cloud Controller's route registration health check"

  cc.api_health_check_total_timeout:
    default: 6
    description: "Maximum health check timeout (in seconds). Health checks will be retried until this time limit is reached. This should be less than or equal to your route_registrar.routes.api.health_check.timeout"

  cc.ccng_monit_http_healthcheck_retries:
    default: 5
    description: "Number of retries performed by the ccng_monit_http_healthcheck process"

  cc.ccng_monit_http_healthcheck_timeout_per_retry:
    default: 2
    description: "Timeout (in seconds) for each HTTP request sent by the ccng_monit_http_healthcheck process"

  cc.jobs.global.timeout_in_seconds:
    description: "The longest any job can take before it is cancelled unless overridden per job"
    default: 14400 # 4 hours
  cc.jobs.blobstore_delete.timeout_in_seconds:
    description: "The longest this job can take before it is cancelled"
  cc.jobs.droplet_upload.timeout_in_seconds:
    description: "The longest this job can take before it is cancelled"
  cc.jobs.priorities:
    description: "List of hashes containing delayed jobs 'display_name' and its desired priority. This will overwrite the default priority of ccng"

  cc.temporary_disable_deployments:
    description: "Do not allow the API client to create app deployments (temporary)"
    default: false

  cc.temporary_use_logcache:
    description: "Use logcache instead of Traffic Controller for retrieving container metrics"
    default: false

  cc.temporary_enable_v2:
    description: "Enable V2 endpoints"
    default: true

  cc.directories.tmpdir:
    default: "/var/vcap/data/cloud_controller_ng/tmp"
    description: "The directory to use for temporary files"
  cc.directories.diagnostics:
    default: "/var/vcap/data/cloud_controller_ng/diagnostics"
    description: "The directory where operator requested diagnostic files should be placed"

  cc.internal_api_user:
    default: "internal_user"
    description: "User name used by Diego to access internal endpoints"
  cc.internal_api_password:
    description: "Password used by Diego to access internal endpoints"

  cc.min_cli_version:
    description: "Minimum version of the CF CLI to work with the API."
    default: ~
  cc.min_recommended_cli_version:
    description: "Minimum recommended version of the CF CLI."
    default: ~

  cc.run_prestart_migrations:
    description: "Run Cloud Controller DB migrations in BOSH pre-start script. Should be changed to false for deployments where the PostgreSQL job is deployed to the same VM as Cloud Controller. Otherwise, the default of true is preferable."
    default: true

  cc.uaa_resource_id:
    default: "cloud_controller,cloud_controller_service_permissions"
    description: "Name of service to register to UAA"

  cc.logging_level:
    default: "info"
    description: "Log level for cc. Valid levels are listed here: https://github.com/cloudfoundry/steno#log-levels."
  cc.logging_max_retries:
    default: 1
    description: "Passthru value for Steno logger"
  cc.logging_anonymize_ips:
      default: false
      description: "Anonymizes IPs in request logs"
  cc.logging.format.timestamp:
      default: "rfc3339"
      description: "Timestamp format for logs. Valid values are 'rfc3339' (for human-readable timestamp format) and 'deprecated' (for old timestamp format)"
  cc.log_db_queries:
    default: false
    description: "Log database queries. WARNING: Setting this to true with cc.db_logging_level >= cc.logging_level will log all field values, including encrypted secrets."
  cc.query_size_log_threshold:
    description: "Log when SQL queries return more than this number of rows if cc.log_db_queries is set to true"
    example: 1000
  cc.db_logging_level:
    default: "debug2"
    description: "Level at which cc database operations will be logged if cc.log_db_queries is set to true."
  cc.log_fog_requests:
    default: false
    description: "Log fog requests and responses."

  cc.staging_timeout_in_seconds:
    default: 900
    description: "Timeout for staging a droplet"
  cc.default_health_check_timeout:
    default: 60
    description: "Default health check timeout (in seconds) that can be set for the app"
  cc.maximum_health_check_timeout:
    default: 180
    description: "Maximum health check timeout (in seconds) that can be set for the app"

  cc.shared_isolation_segment_name:
    default: "shared"
    description: |
      Name of the shared isolation segment created at startup.
      This field can be updated, but subject to the following caveat:
         Using the name of an existing IS will cause a deployment to fail.
         To recover, redeploy using the last valid Shared Isolation Segment name.

  cc.stacks:
    default:
      - name: "cflinuxfs3"
        description: "Cloud Foundry Linux-based filesystem (Ubuntu 18.04)"
    description: |
      List of hashes describing stacks intended for developers to choose from when pushing apps.
      A stack is a prebuilt root file system (rootfs) that supports a specific operating system.
      Note: removing items in this list will not remove the records in the Cloud Controller's database.
  cc.default_stack:
    default: "cflinuxfs3"
    description: "The default stack name to use if no custom stack is specified by an app."

  cc.staging_upload_user:
    description: "User name used to access internal endpoints of Cloud Controller to upload files when staging"
  cc.staging_upload_password:
    description: "User's password used to access internal endpoints of Cloud Controller to upload files when staging"

  cc.quota_definitions:
    description: "Hash of default quota definitions to be seeded. This property can be used to add quotas with subsequent deploys, but not to update existing ones."
    default:
      default:
        memory_limit: 102400
        non_basic_services_allowed: true
        total_routes: 1000
        total_services: -1
        total_reserved_route_ports: 100

  cc.default_quota_definition:
    default: default
    description: "The name of the quota definition CC will fallback on for org and space limits from the list of quota definitions."

  cc.resource_pool.blobstore_type:
    description: "The type of blobstore backing to use. Valid values: ['fog', 'webdav']"
    default: "fog"
  cc.resource_pool.fog_aws_storage_options:
    description: "Storage options passed to fog for aws blobstores. See http://docs.cloudfoundry.org/deploying/common/cc-blobstore-config.html#fog-aws-sse for example configuration."
    default: {}
  cc.resource_pool.webdav_config.blobstore_timeout:
    description: "The timeout in seconds for requests to the blobstore"
    default: 5
  cc.resource_pool.webdav_config.public_endpoint:
    description: "The location of the webdav server eg: https://blobstore.com"
    default: ""
  cc.resource_pool.webdav_config.private_endpoint:
    description: "The location of the webdav server eg: https://blobstore.internal"
    default: "https://blobstore.service.cf.internal:4443"
  cc.resource_pool.webdav_config.username:
    description: "The basic auth user that CC uses to connect to the admin endpoint on webdav"
    default: ""
  cc.resource_pool.webdav_config.password:
    description: "The basic auth password that CC uses to connect to the admin endpoint on webdav"
    default: ""
  cc.resource_pool.webdav_config.ca_cert:
    description: "The ca cert to use when communicating with webdav"
    default: ""
  cc.resource_pool.minimum_size:
    description: "Minimum size of a resource to add to the pool"
    default: 65536
  cc.resource_pool.maximum_size:
    description: "Maximum size of a resource to add to the pool"
    default: 536870912
  cc.resource_pool.resource_directory_key:
    description: "Directory (bucket) used store app resources.  It does not have be pre-created."
    default: "cc-resources"
  cc.resource_pool.fog_connection:
    description: "Fog connection hash"
  cc.resource_pool.cdn.uri:
    description: "URI for a CDN to used for resource pool downloads"
    default: ""
  cc.resource_pool.cdn.private_key:
    description: "Private key for signing download URIs"
    default: ""
  cc.resource_pool.cdn.key_pair_id:
    description: "Key pair name for signed download URIs"
    default: ""

  cc.packages.blobstore_type:
    description: "The type of blobstore backing to use. Valid values: ['fog', 'webdav']"
    default: "fog"
  cc.packages.fog_aws_storage_options:
    description: "Storage options passed to fog for aws blobstores. See http://docs.cloudfoundry.org/deploying/common/cc-blobstore-config.html#fog-aws-sse for example configuration."
    default: {}
  cc.packages.webdav_config.blobstore_timeout:
    description: "The timeout in seconds for requests to the blobstore"
    default: 5
  cc.packages.webdav_config.public_endpoint:
    description: "The location of the webdav server eg: https://blobstore.com"
    default: ""
  cc.packages.webdav_config.private_endpoint:
    description: "The location of the webdav server eg: https://blobstore.internal"
    default: "https://blobstore.service.cf.internal:4443"
  cc.packages.webdav_config.username:
    description: "The basic auth user that CC uses to connect to the admin endpoint on webdav"
    default: ""
  cc.packages.webdav_config.password:
    description: "The basic auth password that CC uses to connect to the admin endpoint on webdav"
    default: ""
  cc.packages.webdav_config.ca_cert:
    description: "The ca cert to use when communicating with webdav"
    default: ""
  cc.packages.app_package_directory_key:
    description: "Directory (bucket) used store app packages.  It does not have be pre-created.  Should contain only alphanumeric characters, '-', '_', and '.'"
    default: "cc-packages"
  cc.packages.max_package_size:
    description: "Maximum size of application package"
    default: 1073741824
  cc.packages.max_valid_packages_stored:
    description: "Number of recent, valid packages stored per app (not including package for current droplet)"
    default: 5
  cc.packages.fog_connection:
    description: "Fog connection hash"
  cc.packages.cdn.uri:
    description: "URI for a CDN to used for app package downloads"
    default: ""
  cc.packages.cdn.private_key:
    description: "Private key for signing download URIs"
    default: ""
  cc.packages.cdn.key_pair_id:
    description: "Key pair name for signed download URIs"
    default: ""

  cc.droplets.blobstore_type:
    description: "The type of blobstore backing to use. Valid values: ['fog', 'webdav']"
    default: "fog"
  cc.droplets.fog_aws_storage_options:
    description: "Storage options passed to fog for aws blobstores. See http://docs.cloudfoundry.org/deploying/common/cc-blobstore-config.html#fog-aws-sse for example configuration."
    default: {}
  cc.droplets.webdav_config.blobstore_timeout:
    description: "The timeout in seconds for requests to the blobstore"
    default: 5
  cc.droplets.webdav_config.public_endpoint:
    description: "The location of the webdav server eg: https://blobstore.com"
    default: ""
  cc.droplets.webdav_config.private_endpoint:
    description: "The location of the webdav server eg: https://blobstore.internal"
    default: "https://blobstore.service.cf.internal:4443"
  cc.droplets.webdav_config.username:
    description: "The basic auth user that CC uses to connect to the admin endpoint on webdav"
    default: ""
  cc.droplets.webdav_config.password:
    description: "The basic auth password that CC uses to connect to the admin endpoint on webdav"
    default: ""
  cc.droplets.webdav_config.ca_cert:
    description: "The ca cert to use when communicating with webdav"
    default: ""
  cc.droplets.droplet_directory_key:
    description: "Directory (bucket) used store droplets.  It does not have be pre-created.  Should contain only alphanumeric characters, '-', '_', and '.'"
    default: "cc-droplets"
  cc.droplets.max_staged_droplets_stored:
    description: "Number of recent, staged droplets stored per app (not including current droplet)"
    default: 5
  cc.droplets.fog_connection:
    description: "Fog connection hash"
  cc.droplets.cdn.uri:
    description: "URI for a CDN to used for droplet downloads"
    default: ""
  cc.droplets.cdn.private_key:
    description: "Private key for signing download URIs"
    default: ""
  cc.droplets.cdn.key_pair_id:
    description: "Key pair name for signed download URIs"
    default: ""

  cc.buildpacks.blobstore_type:
    description: "The type of blobstore backing to use. Valid values: ['fog', 'webdav']"
    default: "fog"
  cc.buildpacks.fog_aws_storage_options:
    description: "Storage options passed to fog for aws blobstores. See http://docs.cloudfoundry.org/deploying/common/cc-blobstore-config.html#fog-aws-sse for example configuration."
    default: {}
  cc.buildpacks.webdav_config.blobstore_timeout:
    description: "The timeout in seconds for requests to the blobstore"
    default: 5
  cc.buildpacks.webdav_config.public_endpoint:
    description: "The location of the webdav server eg: https://blobstore.com"
    default: ""
  cc.buildpacks.webdav_config.private_endpoint:
    description: "The location of the webdav server eg: https://blobstore.internal"
    default: "https://blobstore.service.cf.internal:4443"
  cc.buildpacks.webdav_config.username:
    description: "The basic auth user that CC uses to connect to the admin endpoint on webdav"
    default: ""
  cc.buildpacks.webdav_config.password:
    description: "The basic auth password that CC uses to connect to the admin endpoint on webdav"
    default: ""
  cc.buildpacks.webdav_config.ca_cert:
    description: "The ca cert to use when communicating with webdav"
    default: ""
  cc.buildpacks.buildpack_directory_key:
    description: "Directory (bucket) used store buildpacks.  It does not have be pre-created.  Should contain only alphanumeric characters, '-', '_', and '.'"
    default: "cc-buildpacks"
  cc.buildpacks.fog_connection:
    description: "Fog connection hash"
  cc.buildpacks.cdn.uri:
    description: "URI for a CDN to used for buildpack downloads"
    default: ""
  cc.buildpacks.cdn.private_key:
    description: "Private key for signing download URIs"
    default: ""
  cc.buildpacks.cdn.key_pair_id:
    description: "Key pair name for signed download URIs"
    default: ""

  cc.opi.enabled:
    description: "Set to true to enable running apps on Kubernetes, using Eirini"
    default: false
  cc.opi.opi_staging:
    description: "Set to true to enable staging apps on Kubernetes, using Eirini"
    default: false
  cc.opi.url:
    description: "URL of the Eirini server"
    default: ""
  cc.opi.client_cert:
    description: "Client certificate for connecting to the OPI server"
  cc.opi.client_key:
    description: "Client key for connecting to the OPI server"
  cc.opi.ca_cert:
    description: "The ca cert of the OPI server"

  ccdb.databases:
    description: "Contains the name of the database on the database server"
  ccdb.roles:
    description: "Users to create on the database when seeding"
  ccdb.db_scheme:
    description: "The type of database being used. mysql or postgres"
    default: postgres
  ccdb.address:
    description: "The address of the database server"
  ccdb.port:
    description: "The port of the database server"
  ccdb.max_connections:
    default: 25
    description: "Maximum connections for Sequel"
  ccdb.pool_timeout:
    default: 10
    description: "The timeout for Sequel pooled connections"
  ccdb.ca_cert:
    default: ~
    description: "The ca cert to use when communicating with the database over SSL"
  ccdb.ssl_verify_hostname:
    default: true
    description: "Verify that the database SSL certificate matches the host to which the connection is attempted"
  ccdb.read_timeout:
    default: 3600
    description: "The read timeout in seconds for query responses, passed directly to the Sequel gem - see https://github.com/jeremyevans/sequel/blob/master/doc/opening_databases.rdoc for details"
  ccdb.connection_validation_timeout:
    default: 3600
    description: "The period in seconds after which idle connections are validated, passed directly to the Sequel gem - see http://sequel.jeremyevans.net/rdoc-plugins/files/lib/sequel/extensions/connection_validator_rb.html for details.  Note that setting this to -1 results in an additional query whenever connections are checked out from the pool, which can have performance implications"
  ccdb.max_migration_duration_in_minutes:
    description: "the maximum time migrations should be allowed to run before job startup should error"
    default: 20160
  ccdb.connection_expiration_timeout:
    description: "The period in seconds after which connections are expired (omit to never expire connections), passed directly to the Sequel gem - see https://sequel.jeremyevans.net/rdoc-plugins/files/lib/sequel/extensions/connection_expiration_rb.html for details"
  ccdb.connection_expiration_random_delay:
    description: "The random delay in seconds to the expiration timeout (to prevent all connections being recreated simultaneously), passed directly to the Sequel gem - see https://sequel.jeremyevans.net/rdoc-plugins/files/lib/sequel/extensions/connection_expiration_rb.html for details"

  uaa.cc.token_secret:
    description: "Symmetric secret used to decode uaa tokens."
  uaa.cc.token_secret2:
    description: "Second Symmetric secret used to decode uaa tokens. Used for secret rotation."
  uaa.url:
    description: "URL of the UAA server"
  uaa.ca_cert:
    description: "The certificate authority being used by UAA"
  uaa.ssl.port:
    description: "The port used by UAA for ssl connections"
    default: 8443
  uaa.port:
    description: "The port used by UAA for non-ssl connections"
  cc.uaa.client_timeout:
    description: "The value, in seconds, used for all timeout values when communicating with UAA"
    default: 60
  cc.uaa.internal_url:
    description: "The internal URL used by UAA"
    default: "uaa.service.cf.internal"

  login.protocol:
    description: "http or https"
    default: "https"
  login.url:
    description: "URL of the login server"
  login.enabled:
    default: true
    description: "whether use login as the authorization endpoint or not"

  metron_endpoint.host:
    description: "The host used to emit messages to the Metron agent"
    default: "127.0.0.1"
  metron_endpoint.port:
    description: "The port used to emit messages to the Metron agent"
    default: 3457

  doppler.use_ssl:
    description: "Whether to use ssl for the doppler_logging_endpoint listed at /v2/info"
    default: true
  doppler.port:
    description: "Port for doppler_logging_endpoint listed at /v2/info"
    default: 443

  cc.db_encryption_key:
    default: ""
    description: "key for encrypting sensitive values in the CC database"

  cc.database_encryption.keys:
    default: {}
    description: "label-key pairs for encrypting sensitive values in the CC database; labels must be < 256 characters long"
  cc.database_encryption.current_key_label:
    default: ""
    description: "current key label for encrypting values in the CC database"
  cc.database_encryption.experimental_pbkdf2_hmac_iterations:
      default: 2048
      description: "Number of pbkdf2 hmac iterations (experimental)"
  cc.database_encryption.skip_validation:
    default: false
    description: "Skip validations of database encryption properties"

  cc.default_app_memory:
    default: 1024
    description: "How much memory given to an app if not specified"
  cc.default_app_disk_in_mb:
    default: 1024
    description: "The default disk space an app gets"
  cc.maximum_app_disk_in_mb:
    default: 2048
    description: "The maximum amount of disk a user can request"
  cc.allow_app_ssh_access:
    default: true
    description: "Allow users to change the value of the app-level allow_ssh attribute"
  cc.default_app_ssh_access:
    default: true
    description: "When ssh is allowed and not explicitly set in the application, new applications will start with ssh service enabled"
  cc.client_max_body_size:
    default: "15M"
    description: "Maximum body size for nginx"
  cc.app_bits_max_body_size:
    default: "1536M"
    description: "Maximum body size for nginx bits uploads"

  cc.disable_custom_buildpacks:
    default: false
    description: "Disable external (i.e. git) buildpacks? (Admin buildpacks and system buildpacks only.)"

  cc.broker_client_timeout_seconds:
    default: 60
    description: "For requests to service brokers, this is the HTTP (open and read) timeout setting."

  cc.broker_client_default_async_poll_interval_seconds:
    default: 60
    description: "Specifies interval on which the CC will poll a service broker for asynchronous actions. If the service broker provides a value, this value is the minimum accepted value the broker can provide."

  cc.broker_client_max_async_poll_duration_minutes:
    default: 10080
    description: "The max duration the CC will fetch service instance state from a service broker (in minutes). Default is 1 week"

  cc.broker_client_async_poll_exponential_backoff_rate:
    default: 1.0
    description: "Exponential backoff for service related polling jobs. Default is 1.0, which means there is no exponential backoff."

  cc.development_mode:
    default: false
    description: "Enable development features for monitoring and insight"

  cc.max_annotations_per_resource:
    description: "Maximum number of annotations allowed on any single resource. Too many annotations may degrade performance of annotation selectors."
    default: 200
  cc.max_labels_per_resource:
    description: "Maximum number of labels allowed on any single resource. Too many labels may degrade performance of label selectors."
    default: 50

  cc.custom_metric_tag_prefix_list:
    description: "Allows users to apply custom metric tags to their apps by adding labels with the given key prefixes. The following key names are ignored: deployment, index, ip, job"
    default: ["metric.tag.cloudfoundry.org"]

  cc.newrelic.license_key:
    default: ~
    description: "The API key for NewRelic"
  cc.newrelic.environment_name:
    default: "development"
    description: "The environment name used by NewRelic"
  cc.newrelic.developer_mode:
    default: false
    description: "Activate NewRelic developer mode"
  cc.newrelic.monitor_mode:
    default: false
    description: "Activate NewRelic monitor mode"
  cc.newrelic.log_file_path:
    default: "/var/vcap/sys/log/cloud_controller_ng/newrelic"
    description: "The location for NewRelic to log to"
  cc.newrelic.capture_params:
    default: false
    description: "Capture and send query params to NewRelic"
  cc.newrelic.transaction_tracer.enabled:
    default: false
    description: "Enable transaction tracing in NewRelic"
  cc.newrelic.transaction_tracer.record_sql:
    default: "off"
    description: "NewRelic's SQL statement recording mode: [off | obfuscated | raw]"

  cc.nginx_access_log_destination:
    description: "The nginx access log destination. This can be used to route access logs to a file, syslog, or a memory buffer."
    default: "/var/vcap/sys/log/nginx_cc/nginx.access.log"
  cc.nginx_access_log_format:
    description: "The nginx log format string to use when writing to the access log."
    default: >
      $host - [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent"
      $proxy_add_x_forwarded_for vcap_request_id:$upstream_http_x_vcap_request_id response_time:$upstream_response_time
  cc.nginx_access_log_escaping:
    description: "The characters escaping used for logging variables: [default | json]"
    default: default
  cc.nginx_error_log_destination:
    description: "The nginx error log destination. This can be used to route error logs to a file, syslog, or a memory buffer."
    default: "/var/vcap/sys/log/nginx_cc/nginx.error.log"
  cc.nginx_error_log_level:
    description: "The lowest severity nginx log level to capture in the error log."
    default: error

  cc.nginx_rate_limit_general:
    description: "The rate limiting and burst value to use for '/'"
    example: |
      limit: 100r/s
      burst: 500
  cc.nginx_rate_limit_zones:
    description: "Array of zones to do rate limiting for. "
    example: |
      - name: apps
        location: /v2/apps
        limit: 10r/s
        burst: 50
      - name: spaces
        location: ~ ^/v2/spaces/(.*)
        limit: 10r/s
        burst: 100

  cc.nginx_drain_timeout:
    description: "Timeout for nginx graceful shutdown in seconds. Default is 30"
    default: 30

  cc.server_keepalive_timeout:
    description: "Configure keep alive timeout for connections to cloud controller. This is a temporary field used for testing."
    default: 75

  cc.jobs.local.number_of_workers:
    default: 2
    description: "Number of local cloud_controller_worker workers"

  cc.thresholds.api.alert_if_above_mb:
    description: "The cc will alert if memory remains above this threshold for 3 monit cycles"
    default: 3500
  cc.thresholds.api.restart_if_consistently_above_mb:
    description: "The cc will restart if memory remains above this threshold for n monit cycles"
    default: 3500
  cc.thresholds.api.restart_if_consistently_above_mb_cycles:
    description: "Monit cycles for 'restart_if_consistently_above_mb'. Default is 15 cycles"
    default: 15
  cc.thresholds.api.restart_if_above_mb:
    description: "The cc will restart if memory remains above this threshold for 3 monit cycles"
    default: 3750
  cc.thresholds.api.restart_if_monit_connection_test_consistently_fails_cycles:
    description: "Number of monit cycles until a failing unixsocket test triggers a restart. Default is 60 cycles (i.e. 10 minutes)"
    default: 60

  dea_next.staging_memory_limit_mb:
    description: "Memory limit in MB for staging tasks"
    default: 1024
  dea_next.staging_disk_limit_mb:
    description: "Disk limit in MB for staging tasks"
    default: 4096
  cc.staging_file_descriptor_limit:
    description: "File descriptor limit for staging tasks"
    default: 16384

  dea_next.advertise_interval_in_seconds:
    description: "Advertise interval for DEAs"
    default: 5
  cc.renderer.max_results_per_page:
    description: "Maximum number of results returned per page"
    default: 100
  cc.renderer.default_results_per_page:
    description: "Default number of results returned per page if user does not specify"
    default: 50
  cc.renderer.max_inline_relations_depth:
    description: "Maximum depth of inlined relationships in the result"
    default: 2

  uaa.clients.cc_service_broker_client.secret:
    description: "(DEPRECATED) - Used for generating SSO clients for service brokers"
  uaa.clients.cc_service_broker_client.scope:
    description: "(DEPRECATED) - Used to grant scope for SSO clients for service brokers"
    default: "openid,cloud_controller_service_permissions.read"

  uaa.clients.cc-service-dashboards.secret:
    description: "Used for generating SSO clients for service brokers."
  uaa.clients.cc-service-dashboards.scope:
    description: "Used to grant scope for SSO clients for service brokers"
    default: "openid,cloud_controller_service_permissions.read"

  uaa.clients.cloud_controller_username_lookup.secret:
    description: "Used for fetching usernames from UAA"

  uaa.clients.cc_service_key_client.secret:
    description: "Used for fetching service key values from CredHub"

  uaa.clients.cc_routing.secret:
    description: "Used for fetching routing information from the Routing API"

  cc.install_buildpacks:
    description: "Set of buildpacks to install during deploy"
    default: []
  cc.app_bits_upload_grace_period_in_seconds:
    description: "Extra token expiry time while uploading big apps"
    default: 1200

  cc.security_group_definitions:
    description: "Array of security groups that will be seeded into CloudController. Note: security groups are only seeded on the first deploy, after which they should be managed via the API"
  cc.default_running_security_groups:
    description: "The default running security groups that will be seeded in CloudController. Note: security groups are only seeded on the first deploy, after which they should be managed via the API"
  cc.default_staging_security_groups:
    description: "The default staging security groups that will be seeded in CloudController. Note: security groups are only seeded on the first deploy, after which they should be managed via the API"

  cc.allowed_cors_domains:
    description: "List of domains (including scheme) from which Cross-Origin requests will be accepted, a * can be used as a wildcard for any part of a domain"
    default: []

  cc.instance_file_descriptor_limit:
    description: "The file descriptors made available to each app instance"
    default: 16384

  cc.statsd_host:
    description: "The host for the statsd server, defaults to the local metron agent"
    default: "127.0.0.1"

  cc.statsd_port:
    description: "The port for the statsd server, defaults to the local metron agent"
    default: 8125

  router.route_services_secret:
    description: "Support for route services is disabled when no value is configured."
    default: ""

  routing_api.enabled:
    description: "Whether to expose the routing_endpoint listed at /v2/info and /. Enable this after deploying the Routing API"
    default: false

  cc.reserved_private_domains:
    description: "File location of a list of reserved private domains (for file format, see https://publicsuffix.org/)"
    default: ~

  cc.disable_private_domain_cross_space_context_path_route_sharing:
    description: "Disallow route collisions over shared private domains when created in different spaces"
    default: false

  cc.core_file_pattern:
    description: "Filename template for core dump files. Use an empty string if you don't want core files saved."
    default: "/var/vcap/sys/cores/core-%e-%s-%p-%t"

  cc.security_event_logging.enabled:
    description: "Enable logging of all requests made to the Cloud Controller in CEF format."
    default: false

  cc.volume_services_enabled:
    description: "Enable binding to services that provide volume_mount information."
    default: false

  cc.system_hostnames:
    description: "List of hostnames for which routes cannot be created on the system domain."
    default: [api,proxy,uaa,login,blobstore,log-cache,doppler,log-stream,credhub,ssh]

  cc.bits_service.enabled:
    description: "Enable integration of the bits-service incubator (experimental)"
    default: false
  cc.bits_service.public_endpoint:
    description: "Public URL for the bits-service service"
    default: ""
  cc.bits_service.private_endpoint:
    description: "Private URL for the bits-service service"
    default: ""
  cc.bits_service.username:
    description: "Username for the bits-service"
    default: ""
  cc.bits_service.password:
    description: "Password for the bits-service"
    default: ""
  cc.bits_service.ca_cert:
    description: "The ca cert to use when communicating with bits-service endpoints"
    default: ""

  cc.rate_limiter.enabled:
    description: "Enable rate limiting for UAA-authenticated endpoints per user or client"
    default: false
  cc.rate_limiter.general_limit:
    description: "The number of requests a user or client is allowed to make for all endpoints that do not have a custom limit over the configured interval"
    default: 2000
  cc.rate_limiter.unauthenticated_limit:
    description: "The number of requests an unauthenticated client is allowed to make over the configured interval"
    default: 100
  cc.rate_limiter.reset_interval_in_minutes:
    description: "The interval in minutes after which a user's available API requests will be reset"
    default: 60

  cc.max_concurrent_service_broker_requests:
    description: "Maximum number of concurrent requests to service brokers per user. Set to 0 to not limit concurrent requests"
    default: 0

  cc.diego.bbs.url:
    description: "URL of the BBS Server"
    default: https://bbs.service.cf.internal:8889
  cc.diego.bbs.connect_timeout:
    description: "Connect timeout (in seconds) when talking to BBS Server"
    default: 10
  cc.diego.bbs.send_timeout:
    description: "Send timeout (in seconds) when talking to BBS Server"
    default: 10
  cc.diego.bbs.receive_timeout:
    description: "Receive timeout (in seconds) when talking to BBS Server"
    default: 10

  cc.mutual_tls.ca_cert:
    description: "PEM-encoded CA certificate for secure, mutually authenticated TLS communication"
  cc.mutual_tls.public_cert:
    description: "PEM-encoded certificate for secure, mutually authenticated TLS communication"
  cc.mutual_tls.private_key:
    description: "PEM-encoded key for secure, mutually authenticated TLS communication"

  cc.public_tls.ca_cert:
    description: "PEM-encoded CA certificate that was used to sign certificate for external enpoints.
                  This CA certificate is not used by cloud controller to verify other certificates.
                  It is exposed as a bosh link for components that communicate directly with the cloud controller."
  cc.public_tls.certificate:
    description: "PEM-encoded certificate for secure TLS communication over external endpoints"
  cc.public_tls.private_key:
    description: "PEM-encoded key for secure TLS communication over external endpoints"

  cc.diego.file_server_url:
    description: "URL of file server"
    default: http://file-server.service.cf.internal:8080
  cc.diego.cc_uploader_url:
    #TODO: Delete this property - story #164937832
    description: "URL of cc uploader. Not used if BOSH link 'cc_uploader' is present."
    default: http://cc-uploader.service.cf.internal:9090
  cc.diego.cc_uploader_https_url:
    description: "URL of cc uploader. Not used if BOSH link 'cc_uploader' is present."
    default: https://cc-uploader.service.cf.internal:9091
  cc.diego.use_privileged_containers_for_running:
    description: "Whether or not to use privileged containers for running buildpack apps and tasks."
    default: false
  cc.diego.use_privileged_containers_for_staging:
    description: "Whether or not to use privileged containers for staging tasks."
    default: false
  cc.diego.lifecycle_bundles:
    description: "List of lifecycle bundles arguments for different stacks"
    default:
      "buildpack/cflinuxfs3": "buildpack_app_lifecycle/buildpack_app_lifecycle.tgz"
      "buildpack/windows": "buildpack_app_lifecycle/buildpack_app_lifecycle.tgz"
      "buildpack/windows2012R2": "windows_app_lifecycle/windows_app_lifecycle.tgz"
      "buildpack/windows2016": "buildpack_app_lifecycle/buildpack_app_lifecycle.tgz"
      "docker": "docker_app_lifecycle/docker_app_lifecycle.tgz"
  cc.diego.droplet_destinations:
    description: "List of destination directories for different stacks"
    default:
      "cflinuxfs3": "/home/vcap"
      "windows": "/Users/vcap"
      "windows2012R2": "/"
      "windows2016": "/Users/vcap"
  cc.diego.insecure_docker_registry_list:
    description: "An array of insecure Docker registries in the form of <HOSTNAME|IP>:PORT"
    default: []
  cc.diego.docker_staging_stack:
    description: "stack to use for staging Docker applications"
    default: "cflinuxfs3"

  cc.diego.temporary_oci_buildpack_mode:
    description: "Temporary flag to enable OCI buildpack flow. Valid values: 'oci-phase-1'"
    default: ~
  cc.diego.enable_declarative_asset_downloads:
    description: "Enable specifying task and app asset downloads as declarative resources"
    default: false
  cc.diego.pid_limit:
    description: "Maximum pid limit for containerized work running user-provided code"
    default: 1024

  cc.logcache.host:
    description: "Hostname of the Logcache server"
    default: doppler.service.cf.internal
  cc.logcache.port:
    description: "Port of the Logcache server"
    default: 8080

  cc.logcache_tls.private_key:
    description: "Private key for connecting to Log Cache via mTLS"
  cc.logcache_tls.certificate:
    description: "PEM-encoded client certificate for connecting to Log Cache via mTLS"
  cc.logcache_tls.subject_name:
    description: "The host name the client will accept on the server certificate when communicating with Log Cache via mTLS"
    default: "log_cache"

  cc.loggregator.internal_url:
    description: "Internal URL used to communicate with traffic_controller"
    default: "http://loggregator-trafficcontroller.service.cf.internal:8081"

  credhub_api.hostname:
    description: "Hostname used to resolve the address of CredHub"
    default: "credhub.service.cf.internal"
  credhub_api.external_url:
    description: "The external address of CredHub to expose at the '/' endpoint"
  credhub_api.ca_cert:
    description: "The certificate authority being used by CredHub"

  release_level_backup:
    default: true
    description: "Include cloud_controller jobs in backup and restore operations"

  cc.credential_references.interpolate_service_bindings:
    description: "Controls whether CredHub credentials are automatically interpolated in VCAP_SERVICES"
    default: true

  cc.internal_route_vip_range:
    default: "127.128.0.0/9"
    description: "The IPv4 CIDR range of virtual IP addresses to be assigned to routes on internal domains.
                  WARNING: Changing this range is not supported, and has undefined behaviors.
                  It is recommended to leave this value as the default.
                  If this range is changed, it is likely the routes on the internal service mesh domain
                  will need to be recreated."

  cc.log_audit_events:
    default: false
    description: "Log audit events"

  copilot.enabled:
    description: "Enable communication with CF Copilot. Must be enabled when using Envoy for ingress routing."
    default: false
  copilot.host:
    description: "The FQDN to reach CF Copilot"
    default: copilot.service.cf.internal
  copilot.client_ca_file:
    description: "PEM-encoded CA cert used to sign CF Copilot's server cert"
  copilot.client_key_file:
    description: "PEM-encoded Client key for communication with CF Copilot"
  copilot.client_chain_file:
    description: "PEM-encoded Client cert chain for communication with CF Copilot"
  copilot.temporary_istio_domains:
    description: "Array of domains (strings) to be used for routes propagated to the Envoy/Istio routing tier. These routes will not be propagated to Gorouter."
    default: []

  cc.experimental.thin_server.thread_pool_size:
    description: "How many threads a single cloud controller instance's thin server will attempt to use. Alter at your own peril."
    default: 20 # inherited from default in Thin/EventMachine

  cc.experimental.use_optimized_json_encoder:
    description: "Switch to a different Ruby JSON encoder, i.e. Oj (https://github.com/ohler55/oj)."
    default: false

  cc.kubernetes.host_url:
    description: "Kubernetes master API URL"
  cc.kubernetes.service_account.name:
    description: "The Kubernetes service account name"
  cc.kubernetes.service_account.token:
    description: "The Kubernetes service account token"
  cc.kubernetes.ca:
    description: "The CA certificate for connecting to the master"
  cc.kubernetes.kpack.builder_namespace:
    description: "The namespace where kpack images and builds will be created"
  cc.kubernetes.kpack.registry_service_account_name:
    description: "The name of the kubernetes ServiceAccount that has the credentials to upload to the registry"
  cc.kubernetes.kpack.registry_tag_base:
    description: "The first part of the registry tag where built images will be uploaded"