-
Notifications
You must be signed in to change notification settings - Fork 216
/
Copy pathspec
340 lines (313 loc) · 16.5 KB
/
spec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
---
name: rep
templates:
rep.erb: bin/rep
rep_ctl.erb: bin/rep_ctl
rep_as_vcap.erb: bin/rep_as_vcap
drain.erb: bin/drain
trusted_ca_certificates.json.erb: config/certs/rep/trusted_ca_certificates.json
instance_identity.crt.erb: config/certs/rep/instance_identity.crt
instance_identity.key.erb: config/certs/rep/instance_identity.key
rep.json.erb: config/rep.json
bpm.yml.erb: config/bpm.yml
bpm-pre-start.erb: bin/bpm-pre-start
set-rep-kernel-params.erb: bin/set-rep-kernel-params
setup_mounted_data_dirs.erb: bin/setup_mounted_data_dirs
post-start.erb: bin/post-start
loggregator_ca.crt.erb: config/certs/loggregator/ca.crt
loggregator_client.crt.erb: config/certs/loggregator/client.crt
loggregator_client.key.erb: config/certs/loggregator/client.key
tls.crt.erb: config/certs/tls.crt
tls.key.erb: config/certs/tls.key
tls_ca.crt.erb: config/certs/tls_ca.crt
indicators.yml.erb: config/indicators.yml
packages:
- pid_utils
- rep
- healthcheck
- proxy
- certsplitter
properties:
bpm.enabled:
description: "use the BOSH Process Manager to manage the cell rep process."
default: false
diego.rep.debug_addr:
description: "address at which to serve debug info"
default: "127.0.0.1:17008"
diego.rep.polling_interval_in_seconds:
description: "The interval to look for completed tasks and LRPs in seconds"
default: 30
diego.rep.evacuation_polling_interval_in_seconds:
description: "The interval to look for completed tasks and LRPs during evacuation in seconds"
default: 10
diego.rep.evacuation_timeout_in_seconds:
description: "The time to wait for evacuation to complete in seconds"
default: 600
diego.rep.zone:
description: "The zone associated with the rep. This will override the BOSH-provided spec.az property if present."
diego.rep.use_azure_fault_domains:
description: "If set to true the rep zone will be determined by IAAS. If VM belongs to Azure Fault-Domain the value of the zone will be z<Fault-Domain-index>. e.g. z0, z1, etc. If VM belongs to Azure Availability Zone the value of zone determined in diego.rep.zone will be used."
default: false
diego.rep.preloaded_rootfses:
description: "Array of name:absolute_path pairs representing root filesystems preloaded onto the underlying garden"
diego.rep.rootfs_providers:
description: "Array of schemes for which the underlying garden can support arbitrary root filesystems"
default:
- docker
diego.rep.log_level:
description: "Log level"
default: "info"
diego.rep.placement_tags:
description: "Array of tags used for scheduling Tasks and LRPs"
default: []
diego.rep.optional_placement_tags:
description: "Array of optional tags used for scheduling Tasks and LRPs"
default: []
loggregator.use_v2_api:
description: "True to use local metron agent gRPC v2 API. False to use UDP v1 API."
default: false
loggregator.v2_api_port:
description: "Local metron agent gRPC port"
default: 3458
loggregator.ca_cert:
description: "CA Cert used to communicate with local metron agent over gRPC"
loggregator.cert:
description: "Cert used to communicate with local metron agent over gRPC"
loggregator.key:
description: "Key used to communicate with local metron agent over gRPC"
loggregator.app_metric_exclusion_filter:
description: "Array of application metrics to not emit"
default:
- cpu_entitlement
diego.rep.listen_addr_admin:
description: "serve (insecure) ping and evacuate requests on this address and port"
default: "127.0.0.1:1800"
diego.rep.advertise_domain:
description: "base domain at which the rep should advertise its secure API"
default: "cell.service.cf.internal"
diego.rep.listen_addr_securable:
description: "address where rep listens for LRP and task start auction requests"
default: "0.0.0.0:1801"
diego.rep.advertise_preference_for_instance_address:
description: "advertise that containers managed by this rep are directly accessible on the infrastructure network at their instance address. Components like ssh-proxy or routers may use this property when determining how to connect to a container. Set this flag only when using a third-party container-networking solution that provides direct connectivity between containers and VMs"
default: false
diego.ssl.skip_cert_verify:
description: "when connecting over https, ignore bad ssl certificates"
default: false
tls.cert:
description: "REQUIRED: PEM-encoded tls certificate that can be used for client or server auth"
tls.key:
description: "REQUIRED: PEM-encoded tls client key"
tls.ca_cert:
description: "REQUIRED: PEM-encoded tls client CA certificate for asset upload/download"
diego.executor.memory_capacity_mb:
description: "the memory capacity the executor should manage. this should not be greater than the actual memory on the VM"
default: "auto"
diego.executor.disk_capacity_mb:
description: "the container disk capacity the executor should manage. this should not be greater than the actual disk quota on the VM"
default: "auto"
diego.executor.auto_disk_capacity_overhead_mb:
description: "the amount of overhead that should be subtracted from the container disk capacity, this only applies when disk_capacity_mb is set to auto"
default: 0
diego.executor.max_concurrent_downloads:
description: "the max concurrent download steps that can be active"
default: 5
diego.executor.container_max_cpu_shares:
description: "number of CPU shares per 100 CPU weight"
default: 1024
diego.executor.container_inode_limit:
description: "the inode limit enforced on each garden container."
default: 200000
diego.executor.container_metrics_report_interval:
description: "the frequency for emitting container metrics; should be a string that can be parsed by time.ParseDuration, such as 15s"
default: "15s"
diego.executor.max_cache_size_in_bytes:
description: "maximum size of the cache in bytes - this should leave a healthy overhead for temporary items, etc."
default: 10000000000
diego.executor.use_schedulable_disk_size:
description: "Use total space available to containers reported by Garden. If false the total size of image plugin store minus max_cache_size_in_bytes is used."
default: false
diego.executor.garden.address:
description: "Garden server listening address."
default: /var/vcap/data/garden/garden.sock
diego.executor.garden.network:
description: "Network type for the garden server connection (tcp or unix)."
default: unix
diego.executor.healthy_monitoring_interval_in_seconds:
description: "Interval to check healthy containers in seconds."
default: 30
diego.executor.unhealthy_monitoring_interval_in_seconds:
description: "Interval to check unhealthy containers in seconds."
default: 2
diego.executor.create_work_pool_size:
description: "Maximum number of concurrent create container operations."
default: 32
diego.executor.delete_work_pool_size:
description: "Maximum number of concurrent delete container operations."
default: 32
diego.executor.read_work_pool_size:
description: "Maximum number of concurrent get container info operations."
default: 64
diego.executor.metrics_work_pool_size:
description: "Maximum number of concurrent get container metrics operations."
default: 8
diego.executor.healthcheck_work_pool_size:
description: "Maximum number of concurrent health check operations."
default: 64
diego.executor.garden_healthcheck.interval:
description: "Frequency for healtchecking garden"
default: "10m"
diego.executor.garden_healthcheck.timeout:
description: "Maximum allowed time for garden healthcheck"
default: "10m"
diego.executor.garden_healthcheck.command_retry_pause:
description: "Time to wait between retrying garden commands"
default: "1s"
diego.executor.garden_healthcheck.process.path:
description: "Path of the command to run to perform a container healthcheck"
default: "/bin/sh"
diego.executor.garden_healthcheck.process.args:
description: "List of command line args to pass to the garden health check process"
default: "-c, ls > /tmp/test"
diego.executor.garden_healthcheck.process.user:
description: "User to use while performing a container healthcheck"
default: "vcap"
diego.executor.garden_healthcheck.process.dir:
description: "Directory to run the healthcheck process from"
diego.executor.garden_healthcheck.process.env:
description: "Environment variables to use when running the garden health check"
default: ""
diego.executor.post_setup_hook:
description: "Experimental: arbitrary command to run after setup action. WARNING: this applies to both buildpack + docker app lifecycles. Any commands specified here *MUST* exist in any docker image being run, or the app will fail to start"
diego.executor.post_setup_user:
description: "Experimental: user to run post setup hook command"
diego.executor.volman.driver_paths:
description: "OS style path string containing the directories volman will look in for voldriver specs (delimited by : or ; depending on the OS)"
default: "/var/vcap/data/voldrivers"
diego.executor.instance_identity_ca_cert:
description: "PEM-encoded CA used to sign instance identity credentials. Enables instance identity if set along with instance_identity_key"
diego.executor.instance_identity_key:
description: "PEM-encoded key used to sign instance identity credentials. Enables instance identity if set along with instance_identity_ca_cert"
diego.executor.instance_identity_validity_period_in_hours:
description: "Validity period for the generated instance identity certificate"
default: 24
diego.executor.max_log_lines_per_second:
description: "EXPERIMENTAL: Maximum log lines allowed per second per app instance. Default value of 0 will disable rate limiting. Minimum recommended value is 100."
default: 0
diego.rep.bbs.api_location:
description: "Address of the BBS server"
default: "bbs.service.cf.internal:8889"
diego.rep.bbs.request_timeout:
description: "Request timeout to the BBS server"
default: "10s"
diego.rep.bbs.client_session_cache_size:
description: "capacity of the tls client cache"
diego.rep.bbs.max_idle_conns_per_host:
description: "maximum number of idle http connections"
diego.rep.job_name:
description: "The name of the Diego job referenced by this spec (DO NOT override)"
default: "rep"
diego.rep.locket.api_location:
description: "Hostname and port of the Locket server. When set, the cell rep will establish its cell registration in the Locket API."
default: locket.service.cf.internal:8891
diego.rep.locket.client_keepalive_time:
description: "Period in seconds after which the locket gRPC client sends keepalive ping requests to the locket server it is connected to."
default: 10
diego.rep.locket.client_keepalive_timeout:
description: "Timeout in seconds to receive a response to the keepalive ping. If a response is not received within this time, the locket client will reconnect to another server."
default: 22
diego.rep.max_containers:
description: "Maximum container capacity per rep"
default: 250
enable_declarative_healthcheck:
description: "When set, enables the rep to prefer the LRP CheckDefinition to healthcheck instances over the Monitor action. Requires Garden-Runc v1.10.0+"
default: false
enable_healthcheck_metrics:
description: "When set, enables the rep to emit healtcheck failure metrics. Requires enable_declarative_healthcheck to be set to true."
default: false
cell_registrations.locket.enabled:
description: Enable the cell rep to register itself as a service with Locket.
default: true
containers.graceful_shutdown_interval_in_seconds:
description: "time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10."
default: 10
containers.proxy.enabled:
description: "Enable envoy proxy on garden containers. Requires valid TLS credentials in diego.executor.instance_identity_ca_cert and diego.executor.instance_identity_key."
default: false
containers.proxy.additional_memory_allocation_mb:
description: "Additional memory allocated to each container for the envoy proxy. This value must not be negative"
default: 32
containers.proxy.enable_http2:
description: "Whether envoy proxy advertises HTTP/2 support via ALPN."
default: true
containers.proxy.require_and_verify_client_certificates:
default: false
description: "whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable."
containers.proxy.trusted_ca_certificates:
default: []
description: "List of CA certificate bundles against which the per-container proxy will verify certificates for clients connecting to its ingress listeners, if containers.proxy.require_and_verify_client_certificates is enabled."
example:
- |
----- BEGIN CERTIFICATE -----
CONTENTS OF CERTIFICATE #1
----- END CERTIFICATE -----
- |
----- BEGIN CERTIFICATE -----
CONTENTS OF CERTIFICATE #2
----- END CERTIFICATE -----
- |
----- BEGIN CERTIFICATE -----
CONTENTS OF CERTIFICATE #3
----- END CERTIFICATE -----
----- BEGIN CERTIFICATE -----
CONTENTS OF CERTIFICATE #4
----- END CERTIFICATE -----
containers.proxy.verify_subject_alt_name:
default: []
description: "If specified when containers.proxy.require_and_verify_client_certificates is enabled, the per-container proxy will also verify that the Subject Alternative Name of the presented certificate matches one of the specified values."
example:
- gorouter.service.cf.internal
- tcp-router.service.cf.internal
containers.proxy.enable_unproxied_port_mappings:
default: true
description: "EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true."
containers.trusted_ca_certificates:
description: "List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs."
example:
- |
----- BEGIN CERTIFICATE -----
CONTENTS OF CERTIFICATE #1
----- END CERTIFICATE -----
- |
----- BEGIN CERTIFICATE -----
CONTENTS OF CERTIFICATE #2
----- END CERTIFICATE -----
- |
----- BEGIN CERTIFICATE -----
CONTENTS OF CERTIFICATE #3
----- END CERTIFICATE -----
----- BEGIN CERTIFICATE -----
CONTENTS OF CERTIFICATE #4
----- END CERTIFICATE -----
containers.set_cpu_weight:
description: "EXPERIMENTAL: Set CPU weight on each Garden container to be proportional to its memory limit."
default: false
containers.proxy.ads_addresses:
description: "EXPERIMENTAL: When set, the envoy proxy consumes dynamic config from the specified Aggregated Discovery Service servers (specified as a list of host:port). This config is in addition to the static configuration that supports TLS termination / route-integrity."
default: []
example: [ "169.254.0.2:15001" ]
logging.format.timestamp:
description: "Format for timestamp in component logs. Valid values are 'unix-epoch' and 'rfc3339'."
default: "unix-epoch"
logging.max_data_string_length:
description: "Length in bytes above which logged strings will be truncated. If set to 0, turns off truncation."
default: 640
set_kernel_parameters:
description: "Enable tuning /proc/sys kernel parameters. NOTE: set this property to 'false' when deploying to BOSH-Lite or other containerized BOSH clouds."
default: true
containers.proxy.configuration_reload_duration:
description: "Duration of time in seconds that the rep grants the container Envoy proxy to reload its listener configuration when shutting down a container gracefully so that TLS-verifying clients will stop making connections. After this time duration, the rep will shut down other processes in the container."
default: 5s
containers.layering_mode:
description: "Configures downloaded container asset management mode. Valid values are 'single-layer' and 'two-layer'. Setting this property to 'two-layer' enables the conversion of some downloaded Task and LRP assets to container image layers."
default: "single-layer"