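# Property defaults for a CloudFoundry deploy, grouped by job namespace.
# A value of `~` is a null placeholder the operator is expected to supply (most
# of them are secrets, keys or certificates). A bare `key:` is also null — if an
# empty string was intended, write `""` explicitly.
# NOTE(review): the indentation of this listing was lost in transit; the nesting
# below is reconstructed from the key order and should be confirmed against the
# job specs it was generated from.
properties:
  # The domain name for this CloudFoundry deploy
  domain: ~
  acceptance_tests:
    # The Elastic Runtime Application Domain
    apps_domain: ~
    # The name of the binary buildpack to use in acceptance tests that specify a
    # buildpack.
    binary_buildpack_name: ~
    # Whether to pass the -v flag to cf-acceptance-tests
    verbose: false
    # Enable colorized output on ginkgo.
    enable_color: true
    # The Elastic Runtime API endpoint URL
    api: ~
    # Flag to include the security groups test suite.
    include_security_groups: false
    # Flag for using HTTP when making api and application requests rather than the
    # default HTTPS
    use_http: false
    # Flag to include the v3 API test suite.
    include_v3: false
    # The username of an existing user. If set, the acceptance-tests will push apps
    # and perform other actions as this user, otherwise its default behaviour is to
    # create a temporary user for such actions.
    existing_user: ~
    # The system domain for your CF release
    system_domain: ~
    # Timeout for broker starts
    broker_start_timeout: ~
    # Flag to include the operator tests which may modify the global state of an
    # Elastic Runtime deployment.
    include_operator: false
    # The Elastic Runtime API admin user's password
    admin_password: ~
    # Regex for tests that should be skipped
    skip_regex: ~
    # The name of the go buildpack to use in acceptance tests that specify a
    # buildpack.
    go_buildpack_name: ~
    # The password of the existing user. Only required if the existing user property
    # is also being set.
    existing_user_password: ~
    # Flag to include the route services tests. Diego must be deployed for these tests
    # to pass.
    include_route_services: false
    # Flag to include the services tests that integrate with SSO.
    include_sso: false
    # Default Timeout
    default_timeout: ~
    # The name of the php buildpack to use in acceptance tests that specify a
    # buildpack.
    php_buildpack_name: ~
    # The name of the ruby buildpack to use in acceptance tests that specify a
    # buildpack.
    ruby_buildpack_name: ~
    # The name of the python buildpack to use in acceptance tests that specify a
    # buildpack.
    python_buildpack_name: ~
    # Flag to include the services API test suite.
    include_services: false
    # Flag to include the logging test suite.
    include_logging: false
    # The number of parallel test executors to spawn. The larger the number the higher
    # the stress on the system.
    nodes: 2
    # Toggles cli verification of the Elastic Runtime API SSL certificate
    skip_ssl_validation: false
    # App tests push their apps using diego if enabled. Route service tests require
    # this flag to run.
    use_diego: false
    # The Elastic Runtime API admin user
    admin_user: ~
    # Timeout for cf push
    cf_push_timeout: ~
    # Flag to include the routing test suite.
    include_routing: false
    # The name of the staticfile buildpack to use in acceptance tests that specify a
    # buildpack.
    staticfile_buildpack_name: ~
    # The name of the java buildpack to use in acceptance tests that specify a
    # buildpack.
    java_buildpack_name: ~
    # Timeout for long curls
    long_curl_timeout: ~
    # The client secret for the uaa gorouter client
    client_secret: ~
    # Flag to include the internet dependent test suite.
    include_internet_dependent: false
    # The name of the nodejs buildpack to use in acceptance tests that specify a
    # buildpack.
    nodejs_buildpack_name: ~
    # Skip tests that are known to not be supported by Diego. Set to true if your
    # deployment defaults to Diego as its runtime.
    skip_diego_unsupported_tests: false
  # NOTE(review): kept at the deployment level, like `domain`; confirm it is not an
  # acceptance_tests key in the originating spec.
  support_address: http://support.cloudfoundry.com
  app_ssh:
    # The oauth client ID of the SSH proxy
    oauth_client_id: ssh-proxy
    # Fingerprint of the host key of the SSH proxy that brokers connections to
    # application instances
    # NOTE(review): `None` is parsed as the string "None", not as null; if no
    # fingerprint is meant to be configured by default, use `~` instead.
    host_key_fingerprint: None
    # External port for SSH access to application instances
    port: 2222
  cc:
    default_fog_connection:
      # Local root when fog provider is not overridden (should be an NFS mount if using
      # more than one cloud controller)
      local_root: /var/vcap/nfs/shared
      # Local fog provider (should always be 'Local'), used if fog_connection hash is
      # not provided in the manifest
      provider: Local
    # The percentage of top stagers considered when choosing a stager
    placement_top_stager_percentage: 10
    # The host for the statsd server, defaults to the local metron agent
    statsd_host: 127.0.0.1
    # Set of buildpacks to install during deploy
    install_buildpacks: ~
    # File descriptor limit for staging tasks
    staging_file_descriptor_limit: 16384
    # Minimum version of the CF CLI to work with the API.
    min_cli_version: ~
    thresholds:
      api:
        # The cc will restart if memory remains above this threshold for 3 monit cycles
        restart_if_above_mb: 2450
        # The cc will restart if memory remains above this threshold for 15 monit cycles
        restart_if_consistently_above_mb: 2250
        # The cc will alert if memory remains above this threshold for 3 monit cycles
        alert_if_above_mb: 2250
      worker:
        # The cc will restart if memory remains above this threshold for 3 monit cycles
        restart_if_above_mb: 512
        # The cc will restart if memory remains above this threshold for 15 monit cycles
        restart_if_consistently_above_mb: 384
        # The cc will alert if memory remains above this threshold for 3 monit cycles
        alert_if_above_mb: 384
    # The nginx access log destination. This can be used to route access logs to a
    # file, syslog, or a memory buffer.
    nginx_access_log_destination: /var/vcap/sys/log/nginx_cc/nginx.access.log
    # Timeout for staging a droplet
    staging_timeout_in_seconds: 900
    # The default running security groups that will be seeded in CloudController.
    default_running_security_groups: ~
    renderer:
      # Maximum depth of inlined relationships in the result
      max_inline_relations_depth: 2
      # Maximum number of results returned per page
      max_results_per_page: 100
      # Default number of results returned per page if user does not specify
      default_results_per_page: 50
    # API URI of cloud controller
    srv_api_uri: ~
    newrelic:
      # The location for NewRelic to log to
      log_file_path: /var/vcap/sys/log/cloud_controller_ng/newrelic
      # Capture and send query params to NewRelic
      capture_params: false
      # The environment name used by NewRelic
      environment_name: development
      transaction_tracer:
        # NewRelic's SQL statement recording mode: [off | obfuscated | raw]
        # Quoted on purpose: an unquoted `off` is read as boolean false by YAML 1.1
        # loaders, which is not one of the three mode strings.
        record_sql: 'off'
        # Enable transaction tracing in NewRelic
        enabled: false
      # Activate NewRelic monitor mode
      monitor_mode: false
      # The api key for NewRelic
      # NOTE(review): `None` is parsed as the string "None", not as null; use `~`
      # if no key is meant to be configured by default.
      license_key: None
      # Activate NewRelic developer mode
      developer_mode: false
    # Custom message to use for a disabled feature.
    feature_disabled_message: ~
    # User name used to access internal endpoints of Cloud Controller to upload files
    # when staging
    staging_upload_user:
    # key for encrypting sensitive values in the CC database
    db_encryption_key:
    # Maximum body size for nginx bits uploads
    app_bits_max_body_size: 1536M
    app_events:
      # How old an app event should stay in cloud controller database before being
      # cleaned up
      cutoff_age_in_days: 31
    diego:
      # URL of the Diego nsync service
      nsync_url: http://nsync.service.cf.internal:8787
      # URL of the Diego tps service
      tps_url: http://tps.service.cf.internal:1518
      # URL of the Diego stager service
      stager_url: http://stager.service.cf.internal:8888
    # Array of security groups that will be seeded into CloudController.
    security_group_definitions: ~
    pending_packages:
      # How long packages can remain in pending state before being cleaned up
      expiration_in_seconds: 1200
      # How often the package pending cleanup job runs
      frequency_in_seconds: 300
    # The maximum amount of disk a user can request
    maximum_app_disk_in_mb: 2048
    # Minimum recommended version of the CF CLI.
    min_recommended_cli_version: ~
    # The default staging security groups that will be seeded in CloudController.
    default_staging_security_groups: ~
    audit_events:
      # How old an audit event should stay in cloud controller database before being
      # cleaned up
      cutoff_age_in_days: 31
    # Username for hm9000 API
    internal_api_user: internal_user
    # Hash of default quota definitions. Overridden by custom quota definitions.
    quota_definitions: ~
    # Password for hm9000 API
    internal_api_password: ~
    # How much memory given to an app if not specified
    default_app_memory: 1024
    # Specifies interval on which the CC will poll a service broker for asynchronous
    # actions
    broker_client_default_async_poll_interval_seconds: 60
    # Log level for cc
    logging_level: debug2
    # Tag used by the DEA to describe capabilities (i.e. 'Windows7', 'python-linux').
    # DEA and CC must agree.
    stacks:
      - description: Cloud Foundry Linux-based filesystem
        name: cflinuxfs2
    nginx_error_log_level: error
    app_usage_events:
      # How old an app usage event should stay in cloud controller database before being
      # cleaned up
      cutoff_age_in_days: 31
    resource_pool:
      cdn:
        # Private key for signing download URIs
        private_key:
        # URI for a CDN to be used for resource pool downloads
        uri:
        # Key pair name for signed download URIs
        key_pair_id:
      # Minimum size of a resource to add to the pool
      minimum_size: 65536
      # Maximum size of a resource to add to the pool
      maximum_size: 536870912
      # Directory (bucket) used to store app resources. It does not have to be pre-created.
      resource_directory_key: cc-resources
      # Fog connection hash
      fog_connection: ~
    # Name of service to register to UAA
    uaa_resource_id: cloud_controller,cloud_controller_service_permissions
    # Disable external (i.e. git) buildpacks? (Admin buildpacks and system buildpacks
    # only.)
    disable_custom_buildpacks: false
    # Allow non-admin users to switch their apps between DEA and Diego backends
    users_can_select_backend: true
    jobs:
      blobstore_upload:
        # The longest this job can take before it is cancelled
        timeout_in_seconds: ~
      app_events_cleanup:
        # The longest this job can take before it is cancelled
        timeout_in_seconds: ~
      blobstore_delete:
        # The longest this job can take before it is cancelled
        timeout_in_seconds: ~
      global:
        # The longest any job can take before it is cancelled unless overridden per job
        timeout_in_seconds: 14400
      droplet_upload:
        # The longest this job can take before it is cancelled
        timeout_in_seconds: ~
      generic:
        # Number of generic cloud_controller_worker workers
        number_of_workers: 1
      droplet_deletion:
        # The longest this job can take before it is cancelled
        timeout_in_seconds: ~
      app_usage_events_cleanup:
        # The longest this job can take before it is cancelled
        timeout_in_seconds: ~
      local:
        # Number of local cloud_controller_worker workers
        number_of_workers: 2
      app_bits_packer:
        # The longest this job can take before it is cancelled
        timeout_in_seconds: ~
    # The protocol used to access the CC API from an external entity
    external_protocol: https
    # Log level for cc database operations
    db_logging_level: debug2
    # Passthru value for Steno logger
    logging_max_retries: 1
    droplets:
      cdn:
        # Private key for signing download URIs
        private_key:
        # URI for a CDN to be used for droplet downloads
        uri:
        # Key pair name for signed download URIs
        key_pair_id:
      # Directory (bucket) used to store droplets. It does not have to be pre-created.
      droplet_directory_key: cc-droplets
      # Number of recent, staged droplets stored per app (not including current droplet)
      max_staged_droplets_stored: 5
      # Fog connection hash
      fog_connection: ~
    # List of domains (including scheme) from which Cross-Origin requests will be
    # accepted, a * can be used as a wildcard for any part of a domain
    allowed_cors_domains: []
    # Host part of the cloud_controller api URI, will be joined with value of 'domain'
    external_host: api
    # Use Diego backend by default for new apps
    default_to_diego_backend: false
    # password for the bulk api
    bulk_api_password: ~
    buildpacks:
      cdn:
        # Private key for signing download URIs
        private_key:
        # URI for a CDN to be used for buildpack downloads
        uri:
        # Key pair name for signed download URIs
        key_pair_id:
      # Directory (bucket) used to store buildpacks. It does not have to be pre-created.
      buildpack_directory_key: cc-buildpacks
      # Fog connection hash
      fog_connection: ~
    failed_jobs:
      # How old a failed job should stay in cloud controller database before being
      # cleaned up
      cutoff_age_in_days: 31
    packages:
      # Maximum size of application package
      max_package_size: 1073741824
      cdn:
        # Private key for signing download URIs
        private_key:
        # URI for a CDN to be used for app package downloads
        uri:
        # Key pair name for signed download URIs
        key_pair_id:
      # Fog connection hash
      fog_connection: ~
      # Number of recent, valid packages stored per app (not including package for
      # current droplet)
      max_valid_packages_stored: 5
      # Directory (bucket) used to store app packages. It does not have to be pre-created.
      app_package_directory_key: cc-packages
    # The default stack to use if no custom stack is specified by an app.
    default_stack: cflinuxfs2
    info:
      # Custom values for /v2/info endpoint
      custom: ~
      # free form description for attribute in the /info endpoint
      description: ~
      # version attribute in the /info endpoint
      version: ~
      # name attribute in the /info endpoint
      name: ~
      # build attribute in the /info endpoint
      build: ~
    # External Cloud Controller port
    external_port: 9022
    # The threshold of crashes after which the app is marked as flapping
    flapping_crash_count_threshold: 3
    # For requests to service brokers, this is the HTTP (open and read) timeout
    # setting.
    broker_client_timeout_seconds: 60
    # Maximum health check timeout (in seconds) that can be set for the app
    maximum_health_check_timeout: 180
    # The default disk space an app gets
    default_app_disk_in_mb: 1024
    # The port for the statsd server, defaults to the local metron agent
    statsd_port: 8125
    # Extra token expiry time while uploading big apps.
    app_bits_upload_grace_period_in_seconds: 1200
    # The max duration the CC will fetch service instance state from a service broker.
    # Default is 1 week
    broker_client_max_async_poll_duration_minutes: 10080
    # User's password used to access internal endpoints of Cloud Controller to upload
    # files when staging
    staging_upload_password:
    # The nginx log format string to use when writing to the access log.
    # Single-quoted so the embedded double quotes and `$` variables stay literal.
    nginx_access_log_format: '$host - [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" $proxy_add_x_forwarded_for vcap_request_id:$upstream_http_x_vcap_request_id response_time:$upstream_response_time'
    # User used to access the bulk_api, health_manager uses it to connect to the cc,
    # announced over NATS
    bulk_api_user: bulk_api
    # Deprecated. Defines a 'partition' for the health_manager job
    cc_partition: default
    # NOTE(review): the original comment here ("Local to use a local (NFS) file
    # system. AWS to use AWS.") describes a fog provider, not this key; presumably
    # the name of the default quota definition — confirm against the spec.
    default_quota_definition: default
    # Maximum body size for nginx
    client_max_body_size: 1536M
    # The file descriptors made available to each app instance
    instance_file_descriptor_limit: 16384
    # Allow users to change the value of the app-level allow_ssh attribute
    allow_app_ssh_access: true
    # Default health check timeout (in seconds) that can be set for the app
    default_health_check_timeout: 60
    # The nginx error log destination. This can be used to route error logs to a file,
    # syslog, or a memory buffer.
    nginx_error_log_destination: /var/vcap/sys/log/nginx_cc/nginx.error.log
    # Enable development features for monitoring and insight
    development_mode: false
    directories:
      # The directory to use for temporary files
      tmpdir: /var/vcap/data/cloud_controller_ng/tmp
      # The directory where operator requested diagnostic files should be placed
      diagnostics: /var/vcap/data/cloud_controller_ng/diagnostics
  consul:
    # PEM-encoded server certificate
    server_cert: ~
    # PEM-encoded server key
    server_key: ~
    # PEM-encoded agent certificate
    agent_cert: ~
    # PEM-encoded CA certificate
    ca_cert: ~
    # enable ssl for all communication with consul
    require_ssl: true
    agent:
      # Time to wait for a consul node to finish syncing with the cluster in seconds
      sync_timeout_in_seconds: 60
      # Name of the agent's datacenter.
      datacenter: dc1
      # Agent log level.
      log_level: info
      servers:
        # WAN server addresses to join.
        wan: []
        # LAN server addresses to join on start.
        lan: []
      # Mode to run the agent in. (client or server)
      mode: client
      # Map of consul service definitions.
      services: {}
      # The Consul protocol to use.
      protocol_version: 2
    # PEM-encoded client key
    agent_key: ~
    # A list of passphrases that will be converted into encryption keys, the first key
    # in the list is the active one
    encrypt_keys: ~
  dea_logging_agent:
    status:
      # password used to log into varz endpoint
      password:
      # username used to log into varz endpoint
      user:
      # port used to run the varz endpoint
      port: 0
    # boolean value to turn on verbose mode
    debug: false
  syslog_drain_binder:
    # boolean value to turn on verbose logging for syslog_drain_binder
    debug: false
    # Interval on which to poll cloud controller in seconds
    update_interval_seconds: 15
    # Batch size for the poll from cloud controller
    polling_batch_size: 1000
    # Time to live for drain urls in seconds
    drain_url_ttl_seconds: 60
  doppler_endpoint:
    # Shared secret used to verify cryptographically signed doppler messages
    shared_secret: ~
  loggregator:
    tls:
      # CA root required for key/cert verification
      ca:
    # Port for outgoing dropsonde messages
    outgoing_dropsonde_port: 8081
    # Port for outgoing doppler messages
    doppler_port: 8081
    # Port where loggregator listens for dropsonde log messages
    dropsonde_incoming_port: 3457
    etcd:
      # Number of concurrent requests to ETCD
      maxconcurrentrequests: 10
      # IPs pointing to the ETCD cluster
      machines: ~
  dea_next:
    # Disk limit in mb for staging tasks
    staging_disk_limit_mb: 6144
    staging_bandwidth_limit:
      # Network bandwidth limit for staging tasks in bytes per second
      rate: ~
      # Network bandwidth burst limit for staging tasks in bytes
      burst: ~
    # The protocol to use when communicating with the directory server ("http" or
    # "https")
    directory_server_protocol: https
    # Maximum size of core file in bytes. 0 represents no core dump files can be
    # created, and -1 represents no size limits.
    rlimit_core: 0
    disk_mb: 32000
    # The Availability Zone
    zone: default
    # frequency of staging & DEA advertisements in seconds.
    advertise_interval_in_seconds: 5
    # CPU limit in shares for staging tasks cgroup
    staging_cpu_limit_shares: 512
    # Memory limit in mb for staging tasks
    staging_memory_limit_mb: 1024
    # The minimum number of CPU shares that can be given to an app
    instance_min_cpu_share_limit: 1
    deny_networks: ~
    # Limit on inodes for a staging container
    staging_disk_inode_limit: 200000
    streaming_timeout: 60
    # Controls the relationship between app memory and cpu shares. app_cpu_shares =
    # app_memory / cpu_share_factor
    instance_memory_to_cpu_share_ratio: 8
    # Log level for DEA.
    logging_level: debug
    # with latest kernel version, no kernel network tunings allowed within warden cpi
    # containers
    kernel_network_tuning_enabled: true
    max_staging_duration: 900
    # Crashed app lifetime in seconds
    crash_lifetime_secs: 3600
    allow_networks: ~
    disk_overcommit_factor: 1
    # Duration to wait before shutting down, in seconds.
    evacuation_bail_out_time_in_seconds: 115
    instance_bandwidth_limit:
      # Network bandwidth limit for running instances in bytes per second
      rate: ~
      # Network bandwidth burst limit for running instances in bytes
      burst: ~
    memory_overcommit_factor: 1
    # The maximum number of CPU shares that can be given to an app
    instance_max_cpu_share_limit: 256
    # Allows warden containers to access the DEA host via its IP
    allow_host_access: false
    # Heartbeat interval for DEAs
    heartbeat_interval_in_seconds: 10
    # Interface MTU size
    mtu: 1500
    memory_mb: 8000
    # Default timeout for application to start
    default_health_check_timeout: 60
    # Limit on inodes for an instance container
    instance_disk_inode_limit: 200000
    # An array of stacks, specifying the name and package path.
    stacks:
      - name: cflinuxfs2
        package_path: /var/vcap/packages/rootfs_cflinuxfs2/rootfs
    # Server and client timeouts in seconds
    # NOTE(review): nesting lost in the source listing; this key may instead belong
    # at the deployment level — confirm against the job spec.
    request_timeout_in_seconds: 900
  uaa:
    # [Not Currently Used] A pipe delimited set of regular expressions of IP addresses
    # that can reach the listening HTTP port of the server.
    # NOTE(review): `None` is parsed as the string "None", not as null.
    restricted_ips_regex: None
    cc:
      client_secret: ~
      token_secret: ~
    zones:
      internal:
        # A list of hostnames that are routed to the UAA, specifically the default zone in
        # the UAA. The UAA will reject any Host headers that it doesn't recognize. By
        # default the UAA recognizes uaa.<domain> (the default UAA route), login.<domain>
        # (the login-server route that the UAA now also serves) and localhost (in order
        # to accept health checks). Any hostnames added as a list are additive to the
        # default hostnames allowed. Example:
        #   uaa:
        #     zones:
        #       internal:
        #         hostnames:
        #           - hostname1
        #           - hostname2.localhost
        #           - hostname3.example.com
        hostnames:
          - uaa.service.cf.internal
    # To enable newrelic monitoring, the sub element of this property will be placed
    # in a configuration file called newrelic.yml in the jobs config directory. The
    # syntax must adhere to the documentation in
    # https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-
    # configuration-config-file The JVM option -javaagent:/path/to/newrelic.jar will
    # be added to Apache Tomcat's startup script The enablement of the NewRelic agent
    # in the UAA is triggered by the property uaa.newrelic.common.license_key The
    # property uaa.newrelic.common.license_key must be set!
    newrelic: ~
    # Sets the time format for log messages to be rfc3339 compatible.
    logging_use_rfc3339: false
    # Port that uaa will accept connections on
    port: 8080
    # The url to use as the issuer URI
    issuer: ~
    # A pipe delimited set of regular expressions of IP addresses that are considered
    # reverse proxies. When a request from these IP addresses come in, the x
    # -forwarded-for and x-forwarded-proto headers will be respected. If the
    # uaa.restricted_ips_regex is set, it will be appended to this list for backwards
    # compatibility purposes If spiff has been used and includes templates/cf-jobs.yml
    # to generate the manifest. This list will automatically contain the Router IP
    # addresses
    # Single-quoted so the backslashes and `|` alternations stay literal.
    proxy_ips_regex: '10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}'
    authentication:
      policy:
        # Number of seconds in which lockoutAfterFailures failures must occur in order for
        # account to be locked
        countFailuresWithinSeconds: ~
        # Number of seconds to lock out an account when lockoutAfterFailures failures is
        # exceeded
        lockoutPeriodSeconds: ~
        # Number of allowed failures before account is locked
        lockoutAfterFailures: ~
    catalina_opts: -Xmx768m -XX:MaxPermSize=256m
    # Deprecated. Use 'uaa.ldap.enabled'. Sets the Spring profiles on the UAA web
    # application. This gets combined with the 'uaadb.db_scheme' property if and only
    # if the value is exactly 'ldap' in order to setup the database, for example
    # 'ldap,mysql'. If spring_profiles contains more than just 'ldap' it will be used
    # to overwrite spring_profiles and db_scheme ignored. See uaa.yml.erb.
    spring_profiles: ~
    scim:
      # A list of external group mappings. Pipe delimited. A value may look as '-
      # internal.read|cn=developers,ou=scopes,dc=test,dc=com'
      external_groups: ~
      userids_enabled: true
      users: ~
      # Comma separated list of groups that should be added to the UAA db, but not
      # assigned to a user by default.
      groups: ~
      user: ~
    # Set UAA logging level. (e.g. TRACE, DEBUG, INFO)
    logging_level: DEBUG
    require_https: ~
    id_token:
      # When set to true, requests to /oauth/authorize will ignore the
      # response_type=id_token parameter
      disable: true
    ldap:
      # Used with simple-bind only. A semi-colon separated lists of DN patterns to
      # construct a DN direct from the user ID without performing a search.
      userDNPattern: ~
      # Defines an email pattern containing a {0} to generate an email address for an
      # LDAP user during authentication
      mailSubstitute:
      # Set to true if you wish to override an LDAP user email address with a generated
      # one
      mailSubstituteOverridesLdap: false
      # Used with search-and-bind and search-and-compare. Search filter used. Takes one
      # parameter, user ID defined as {0}
      searchFilter: 'cn={0}'
      # The file to be used for configuring the LDAP authentication. options are simple-
      # bind, search-and-bind and search-and-compare
      profile_type: search-and-bind
      # The URL to the ldap server, must start with ldap:// or ldaps://
      url: ~
      # Used with search-and-bind and search-and-compare. Password for the LDAP ID that
      # performs a search of the LDAP tree for user information.
      userPassword: ~
      # Set to true to enable LDAP
      enabled: false
      # Used with search-and-compare only. The name of the password attribute in the
      # LDAP directory
      passwordAttributeName: userPassword
      # Used with search-and-compare only. The encoder used to properly encode user
      # password to match the one in the LDAP directory.
      passwordEncoder: org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator
      # Used with search-and-bind and search-and-compare. A valid LDAP ID that has read
      # permissions to perform a search of the LDAP tree for user information.
      userDN: ~
      # The delimiter character in between user DN patterns for simple bind
      # authentication
      userDNPatternDelimiter: ';'
      # Used with ldaps:// URLs. The certificate alias, to be trusted by this connection
      # and stored in the keystore.
      sslCertificateAlias: ~
      # Used with ldaps:// URLs. The certificate, if self signed, to be trusted by this
      # connection.
      sslCertificate: ~
      groups:
        # Set to true when profile_type=groups_as_scopes to auto create scopes for a user.
        # Ignored for other profiles.
        autoAdd: true
        # Search query filter to find groups a user belongs to, or for a nested search,
        # groups that a group belongs to
        groupSearchFilter: 'member={0}'
        # What type of group integration should be used. Values are no-groups, groups-as-
        # scopes and groups-map-to-scopes
        profile_type: no-groups
        # Set to number of levels a nested group search should go. Set to 1 to disable
        # nested groups (default)
        maxSearchDepth: 1
        # Search start point for a user group membership search
        searchBase:
        # Boolean value, set to true to search below the search base
        searchSubtree: true
        # Used with groups-as-scopes, defines the attribute that holds the scope name(s).
        groupRoleAttribute: ~
      # Sets the whitelist of emails domains that the LDAP identity provider handles
      emailDomain: ~
      # Used with search-and-bind and search-and-compare. Define a base where the search
      # starts at.
      searchBase:
      # The name of the LDAP attribute that contains the users email address
      mailAttributeName: mail
      # Specifies how UAA user attributes map to LDAP attributes
      attributeMappings: ~
      # Used with search-and-compare only. Set to true if passwords are retrieved by the
      # search, and should be compared in the login server.
      localPasswordCompare: true
    user:
      # Contains a list of the default authorities/scopes assigned to a user.
      authorities:
        - openid
        - scim.me
        - cloud_controller.read
        - cloud_controller.write
        - cloud_controller_service_permissions.read
        - password.write
        - uaa.user
        - approvals.me
        - oauth.approvals
        - notification_preferences.read
        - notification_preferences.write
        - profile
        - roles
        - user_attributes
    # Disables internal user authentication
    disableInternalAuth: false
    dump_requests: ~
    password:
      policy:
        # NOTE(review): with every requirement below at 0 and minLength 0, no length or
        # character-class rule is enforced on internal user passwords by default.
        # Number of months after which current password expires
        expirePasswordInMonths: 0
        # Minimum number of special characters required for password to be considered
        # valid
        requireSpecialCharacter: 0
        # Minimum number of digits required for password to be considered valid
        requireDigit: 0
        # Maximum number of characters required for password to be considered valid
        maxLength: 255
        # Minimum number of uppercase characters required for password to be considered
        # valid
        requireUpperCaseCharacter: 0
        # Minimum number of lowercase characters required for password to be considered
        # valid
        requireLowerCaseCharacter: 0
        # Minimum number of characters required for password to be considered valid
        minLength: 0
    # Disables UI and API for internal user management
    disableInternalUserManagement: false
    # Do not use SSL to connect to UAA (used in case uaa.url is not set)
    no_ssl: false
    database:
      # Timeout in seconds for the longest running queries. Take DB migrations into
      # account for this timeout as they may run during a long period of time.
      abandoned_timeout: 300
      # Should connections that are forcibly closed be logged.
      log_abandoned: true
      # True if connections that are left open longer than abandoned_timeout seconds
      # during a session (time between borrow and return from pool) should be forcibly
      # closed
      remove_abandoned: false
      # The max number of open idle connections to the DB from a running UAA instance
      max_idle_connections: 10
      # Set to true if you don't want to be using LOWER() SQL functions in search
      # queries/filters, because you know that your DB is case insensitive. If this
      # property is null, then it will be set to true if the UAA DB is MySQL and false
      # otherwise, but even on MySQL you can override it by setting it explicitly to
      # false
      case_insensitive: ~
      # The max number of open connections to the DB from a running UAA instance
      max_connections: 100
    # URL of UAA
    url: ~
    clients:
      cc_routing:
        # Used for fetching routing information from the Routing API
        secret: ~
    jwt:
      # The verification key for UAA
      verification_key:
      signing_key: ~
    admin:
      # Secret of the admin client - a client named admin with uaa.admin as an authority
      client_secret: ~
    client:
      autoapprove: ~
    login:
      # Deprecated. Default login client secret if no login client is defined
      client_secret: ~
    proxy:
      # Array of the router IPs acting as the first group of HTTP/TCP backends. These
      # will be added to the proxy_ips_regex as exact matches. When using spiff, these
      # will be router_z1 and router_z2 static IPs from cf-jobs.yml
      servers: []
  syslog_daemon_config:
    # Custom rule for syslog forward daemon
    custom_rule:
    # maximum message size to be sent
    max_message_size: 4k
    # Addresses of fallback servers to be used if the primary syslog server is down.
    # Only tcp or relp are supported. Each list entry should consist of "address",
    # "transport" and "port" keys.
    fallback_addresses: []
    # IP address for syslog aggregator
    address: ~
    # TCP port of syslog aggregator
    port: ~
    # Transport to be used when forwarding logs (tcp|udp|relp).
    transport: tcp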
collector: | |
# enable CloudWatch plugin | |
use_aws_cloudwatch: False | |
datadog: | |
# Datadog application key | |
application_key: ~ | |
# Datadog API key | |
api_key: ~ | |
# name for this bosh deployment. All metrics will be tagged with deployment:XXX | |
# when sending them to CloudWatch, Datadog and Graphite | |
deployment_name: ~ | |
aws: | |
# AWS secret for CloudWatch access | |
secret_access_key: ~ | |
# AWS access key for CloudWatch access | |
access_key_id: ~ | |
# enable Graphite plugin | |
use_graphite: False | |
# Memory threshold for collector restart (Mb) | |
memory_threshold: 800 | |
# the logging level for the collector | |
logging_level: info | |
intervals: | |
# the interval in seconds that the collector attempts to prune unresponsive | |
# components | |
prune: 300 | |
# the interval in seconds that local_metrics are checked | |
local_metrics: 30 | |
# the interval in seconds that healthz is checked | |
healthz: 30 | |
# the interval in seconds that the collector attempts to discover components | |
discover: 60 | |
# the interval in seconds that varz is checked | |
varz: 30 | |
# the interval in seconds that the collector pings nats to record latency | |
nats_ping: 30 | |
graphite: | |
# TCP port of Graphite | |
port: ~ | |
# IP address of Graphite | |
address: ~ | |
opentsdb: | |
# TCP port of OpenTsdb | |
port: ~ | |
# IP address of OpenTsdb | |
address: ~ | |
# enable Datadog plugin | |
use_datadog: False | |
# enable OpenTsdb plugin | |
use_tsdb: False | |
description: Cloud Foundry sponsored by Pivotal | |
# Array of domains for user apps (example: 'user.app.space.foo', a user app called | |
# 'neat' will listen at 'http://neat.user.app.space.foo') | |
app_domains: ~ | |
routing-api: | |
# Buffered statsd client flush interval | |
statsd_client_flush_interval: 300ms | |
# Address at which to serve debug info. The default binds to all interfaces; bind to | |
# localhost or firewall the port, since debug endpoints should not be reachable externally | |
debug_address: 0.0.0.0:17002 | |
# String representing interval for reporting metrics. Units: ms, s, m h | |
metrics_reporting_interval: 30s | |
# The maximum ttl | |
max_ttl: 60 | |
# Maximum number of concurrent ETCD requests | |
max_concurrent_etcd_requests: 25 | |
# Disables UAA authentication for the Routing API. When True, requests to the API are | |
# not authenticated, so anything that can reach the port can use it; keep False outside | |
# isolated test environments | |
auth_disabled: False | |
# The port to run the routing api on | |
port: 3000 | |
# The endpoint for the statsd server, defaults to the local metron agent | |
statsd_endpoint: localhost:8125 | |
# Domain reserved for CF operator, base URL where the login, uaa, and other non- | |
# user apps listen | |
system_domain: ~ | |
statsd_injector: | |
# The port on which metron is running | |
metron_port: 3457 | |
# The port on which the injector should listen for statsd messages | |
statsd_port: 8125 | |
# The log level for the statsd injector | |
log_level: info | |
nats: | |
# Port for varz and connz monitoring. 0 means disabled. | |
monitor_port: 0 | |
# After accepting a connection, wait up to this many seconds for credentials. | |
authorization_timeout: 15 | |
# Enable trace logging output. | |
trace: False | |
# Port for pprof. 0 means disabled. | |
prof_port: 0 | |
user: | |
# Enable debug logging output. | |
debug: False | |
password: | |
# IP port of Cloud Foundry NATS server | |
port: 4222 | |
machines: | |
route_registrar: | |
routes: | |
# The delay in seconds between routing updates | |
update_frequency_in_seconds: 20 | |
ccdb: | |
roles: ~ | |
address: ~ | |
port: ~ | |
pool_timeout: 10 | |
databases: ~ | |
db_scheme: postgres | |
# Maximum connections for Sequel | |
max_connections: 25 | |
version: 2 | |
hm9000: | |
url: ~ | |
# The maximum number of messages the sender should send per invocation. | |
sender_message_limit: 60 | |
# Each API call to the CC must succeed within this timeout. | |
fetcher_network_timeout_in_seconds: 30 | |
# The batch size when fetching desired state information from the CC. | |
desired_state_batch_size: 5000 | |
build: 2222 | |
env: | |
# Set no_proxy across the VMs | |
no_proxy: ~ | |
# The https_proxy across the VMs | |
https_proxy: ~ | |
# The http_proxy across the VMs | |
http_proxy: ~ | |
etcd_metrics_server: | |
nats: | |
# NATS server username | |
username: ~ | |
# NATS server password | |
password: ~ | |
# NATS server port | |
port: 4222 | |
# array of NATS addresses | |
machines: ~ | |
status: | |
# basic auth username for metrics server (leave empty for generated) | |
username: | |
# basic auth password for metrics server (leave empty for generated) | |
password: | |
# listening port for metrics server | |
port: 5678 | |
etcd: | |
# address of ETCD server to instrument | |
machine: 127.0.0.1 | |
# port of ETCD server to instrument | |
port: 4001 | |
smoke_tests: | |
# The Elastic Runtime Application Domain | |
apps_domain: ~ | |
# Toggles setup and cleanup of the Elastic Runtime space | |
use_existing_space: False | |
# The Elastic Runtime space name to use when running tests | |
space: ~ | |
# Toggles setup and cleanup of the Elastic Runtime organization | |
use_existing_org: False | |
# Ginkgo options for the smoke tests | |
ginkgo_opts: | |
# The Elastic Runtime app name to use when running runtime tests | |
runtime_app: | |
# The Elastic Runtime app name to use when running logging tests | |
logging_app: | |
# The Elastic Runtime API endpoint URL | |
api: ~ | |
# A token used by the tests when creating Apps / Spaces | |
suite_name: CF_SMOKE_TESTS | |
# The Elastic Runtime API user | |
user: ~ | |
# The Elastic Runtime organization name to use when running tests | |
org: ~ | |
# The Elastic Runtime API user's password | |
password: ~ | |
# Toggles cli verification of the Elastic Runtime API SSL certificate. True disables | |
# certificate verification entirely; leave False unless testing against self-signed endpoints | |
skip_ssl_validation: False | |
traffic_controller: | |
status: | |
# password used to log into varz endpoint | |
password: | |
# port used to run the varz endpoint | |
port: 0 | |
# username used to log into varz endpoint | |
user: | |
# boolean value to turn on verbose logging for loggregator system (dea agent & | |
# loggregator server) | |
debug: False | |
# Zone of the loggregator_trafficcontroller | |
zone: ~ | |
# Port on which the traffic controller listens to for requests | |
outgoing_port: 8080 | |
nfs_server: | |
# Exports /var/vcap/store with no_root_squash when set to true. This lets root on any | |
# client in allow_from_entries act as root on the export; leave False unless required | |
no_root_squash: False | |
# Location to mount the nfs share | |
share_path: /var/vcap/nfs | |
# An array of Hosts, Domains, Wildcard Domains, CIDR Networks and/or IPs from | |
# which /var/vcap/store is accessible | |
allow_from_entries: ~ | |
# bool to use NFS4 (not used in an AWS deploy, use s3 instead) | |
nfsv4: ~ | |
# Pipefs directory for NFS idmapd | |
pipefs_directory: /var/lib/nfs/rpc_pipefs | |
# Path to share from the remote NFS server (not used in an AWS deploy, use s3 | |
# instead) | |
share: ~ | |
# Domain name for NFS idmapd | |
idmapd_domain: localdomain | |
# NFS server for droplets and apps (not used in an AWS deploy, use s3 instead) | |
address: ~ | |
doppler: | |
status: | |
# password used to log into varz endpoint | |
password: | |
# port used to run the varz endpoint | |
port: 0 | |
# username used to log into varz endpoint | |
user: | |
# Interval before removing a sink due to inactivity | |
sink_inactivity_timeout_seconds: 3600 | |
# Enable TLS listener on doppler so that it can receive dropsonde envelopes over | |
# TLS transport. If enabled, Cert and Key files must be specified. | |
enable_tls_transport: False | |
# Zone of the doppler server | |
zone: ~ | |
# Number of parallel unmarshallers to run within Doppler | |
unmarshaller_count: 5 | |
# Port for outgoing log messages | |
outgoing_port: 8081 | |
# number of log messages to retain per application | |
maxRetainedLogMessages: 100 | |
# Whether to expose the doppler_logging_endpoint listed at /v2/info | |
enabled: True | |
# Size of the internal buffer used by doppler to store messages. If the buffer | |
# gets full doppler will drop the messages. | |
message_drain_buffer_size: 100 | |
# Port for doppler_logging_endpoint listed at /v2/info | |
port: 443 | |
# Port for incoming messages in the dropsonde format | |
dropsonde_incoming_port: 3457 | |
# Doppler's client id to connect to UAA | |
uaa_client_id: doppler | |
# Blacklist for IPs that should not be used as syslog drains, e.g. internal IP | |
# addresses. Leaving this unset allows application drains to target internal | |
# services; list your infrastructure ranges here. | |
blacklisted_syslog_ranges: ~ | |
# TTL (in seconds) for container usage metrics | |
container_metric_ttl_seconds: 120 | |
# I/O Timeout on sinks | |
sink_io_timeout_seconds: 0 | |
# boolean value to turn on verbose logging for doppler system (dea agent & doppler | |
# server) | |
debug: False | |
# Whether to use ssl for the doppler_logging_endpoint listed at /v2/info | |
use_ssl: True | |
# Port for incoming log messages in the legacy format | |
incoming_port: 3456 | |
# Dial timeout for sinks | |
sink_dial_timeout_seconds: 1 | |
tls_server: | |
# TLS server certificate | |
cert: | |
# Port for incoming messages in the dropsonde format over tls listener | |
port: 3458 | |
# TLS server key | |
key: | |
etcd: | |
# PEM-encoded peer key | |
peer_key: ~ | |
# enable ssl for all communication with etcd | |
require_ssl: True | |
# PEM-encoded server key | |
server_key: ~ | |
# Interval between heartbeats in milliseconds. See https://coreos.com/docs | |
# /cluster-management/debugging/etcd-tuning | |
heartbeat_interval_in_milliseconds: 50 | |
# PEM-encoded CA certificate | |
ca_cert: ~ | |
# enable ssl between etcd peers | |
peer_require_ssl: True | |
# PEM-encoded peer certificate | |
peer_cert: ~ | |
# PEM-encoded server certificate | |
server_cert: ~ | |
# Information about etcd cluster | |
cluster: ~ | |
# PEM-encoded peer CA certificate | |
peer_ca_cert: ~ | |
# Time without receiving a heartbeat before a peer should attempt to become leader, | |
# in milliseconds. See https://coreos.com/docs/cluster-management/debugging/etcd- | |
# tuning | |
election_timeout_in_milliseconds: 1000 | |
# Time to wait for a joining node to finish syncing logs with the existing cluster | |
# in seconds | |
log_sync_timeout_in_seconds: 30 | |
# PEM-encoded client certificate | |
client_cert: ~ | |
# Addresses of etcd machines | |
machines: ~ | |
# PEM-encoded client key | |
client_key: ~ | |
ha_proxy: | |
# SSL certificate (PEM file). The default "None" below is a plain string, not YAML | |
# null; it is only a placeholder and must be replaced with a real certificate/key PEM | |
ssl_pem: None | |
# Whether to send logs to a file instead of the default syslog | |
log_to_file: False | |
# Whether to disable logging of requests with no traffic (usually load-balancer | |
# TCP checks) | |
dontlognull: False | |
# Buffer size to use for requests; any request larger than this (e.g. large cookies or | |
# query strings) will result in a gateway error | |
buffer_size_bytes: 16384 | |
# Disable port 80 traffic | |
disable_http: False | |
# List of SSL ciphers that are passed to HAProxy. The default list below ends with | |
# AES128-SHA and RC4-SHA: RC4 is prohibited for TLS (RFC 7465) and the non-ECDHE suites | |
# lack forward secrecy, so override this with a modern ECDHE/AEAD-only cipher list | |
ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-CBC-SHA256:ECDHE-RSA-AES256-CBC-SHA384:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES256-CBC-SHA:AES128-SHA256:AES128-SHA:RC4-SHA | |
# Whether to enable a socket that can be used to query errors and status | |
enable_stats_socket: False | |
ssl: | |
# When connecting over HTTPS, ignore invalid SSL certificates. Keep False in production; | |
# enabling it removes server authentication and permits man-in-the-middle interception | |
skip_cert_verify: False | |
logger_endpoint: | |
# Whether to use ssl for logger endpoint listed at /v2/info | |
use_ssl: True | |
# Port for logger endpoint listed at /v2/info | |
port: 443 | |
loggregator_acceptance_tests: | |
login_required: ~ | |
admin_user: ~ | |
admin_password: ~ | |
# disk quota must be disabled to use warden-inside-warden with the warden cpi | |
disk_quota_enabled: True | |
name: vcap | |
# The User Org that owns the system_domain, required if system_domain is defined | |
system_domain_organization: | |
dropsonde: | |
# Enable the dropsonde emitter library | |
enabled: False | |
loggregator_endpoint: | |
# Shared secret used to verify cryptographically signed loggregator messages | |
shared_secret: ~ | |
metron_agent: | |
tls_client: | |
# TLS client certificate | |
cert: | |
# TLS client key | |
key: | |
# Availability zone where this agent is running | |
zone: ~ | |
# Incoming port for dropsonde log messages | |
dropsonde_incoming_port: 3457 | |
logrotate: | |
# The frequency in minutes which logrotate will rotate VM logs | |
freq_min: 5 | |
# The number of files that logrotate will keep around on the VM | |
rotate: 7 | |
# The size at which logrotate will decide to rotate the log file | |
size: 50M | |
# Name of deployment (added as tag on all outgoing metrics) | |
deployment: ~ | |
# boolean value to turn on verbose mode | |
debug: False | |
# Preferred protocol to doppler (udp|tls). udp is neither encrypted nor authenticated; | |
# prefer tls where doppler.enable_tls_transport is on and tls_client cert/key are set | |
preferred_protocol: udp | |
databases: | |
# A list of database roles and associated properties to create | |
roles: ~ | |
# The postgres `printf` style string that is output at the beginning of each log | |
# line | |
log_line_prefix: %m: | |
# A list of databases and associated properties to create | |
databases: ~ | |
# The database port | |
port: ~ | |
# The database address | |
address: ~ | |
# The database scheme | |
db_scheme: ~ | |
# Enable the `pg_stat_statements` extension and collect statement execution | |
# statistics | |
collect_statement_statistics: False | |
# Maximum number of database connections | |
max_connections: ~ | |
uaadb: | |
# Database scheme for UAA DB | |
db_scheme: ~ | |
# The UAA database IP address | |
address: ~ | |
# The UAA database Port | |
port: ~ | |
# The list of database Roles used in UAA database including tag/name/password | |
roles: ~ | |
# The list of databases used in UAA database including tag/name | |
databases: ~ | |
router: | |
# The private ssl key for ssl termination | |
ssl_key: | |
acceptance_tests: | |
# Whether to pass the -v flag to router acceptance tests | |
verbose: False | |
# Port on which UAA is running. | |
uaa_port: 8080 | |
# Router API IP Address | |
router_api_addresses: ['10.244.8.2'] | |
# The number of parallel test executors to spawn. The larger the number the higher | |
# the stress on the system. | |
nodes: 4 | |
# Password for UAA client for the gorouter. | |
gorouter_secret: ~ | |
bbs: | |
# enable ssl for all communication with the bbs | |
require_ssl: True | |
# PEM-encoded client key | |
client_key: ~ | |
# PEM-encoded client certificate | |
client_cert: ~ | |
# PEM-encoded CA certificate | |
ca_cert: ~ | |
# Diego BBS Server endpoint url | |
api_location: https://bbs.service.cf.internal:8889 | |
# (Optional) ELB Address to check connectivity through load balancer | |
elb_address: | |
# Router API IP Port | |
router_api_port: 9999 | |
router_configurer: | |
# Address at which to serve debug info. The default binds to all interfaces; bind to | |
# localhost or firewall the port, since debug endpoints should not be reachable externally | |
debug_addr: 0.0.0.0:17014 | |
# Log level | |
log_level: info | |
# Base Config file of underlying tcp proxy | |
tcp_config_file_template: /var/vcap/jobs/haproxy/config/haproxy.conf.template | |
# auth disabled setting of routing api | |
routing_api_auth_disabled: False | |
# Port on which UAA is running. | |
uaa_port: 8080 | |
# Config file of underlying tcp proxy | |
tcp_config_file: /var/vcap/jobs/haproxy/config/haproxy.conf | |
# Password for UAA client for the gorouter. | |
gorouter_secret: ~ | |
# Port of routing api | |
routing_api_port: 3000 | |
servers: | |
# Array of the router IPs acting as the first group of HTTP/TCP backends | |
z1: [] | |
# Array of the router IPs acting as the second group of HTTP/TCP backends | |
z2: [] | |
# Enable the GoRouter to receive routes from the Routing API | |
enable_routing_api: True | |
logrotate: | |
# The frequency in minutes which logrotate will rotate VM logs | |
freq_min: 5 | |
# The number of files that logrotate will keep around on the VM | |
rotate: 7 | |
# The size at which logrotate will decide to rotate the log file | |
size: 2M | |
# Support for route services is disabled when no value is configured. | |
route_services_secret: | |
# Listening port for Router | |
port: 80 | |
# Skip SSL client cert validation (keep False in production; skipping it removes the | |
# authentication that the certificate check provides) | |
ssl_skip_validation: False | |
# An ordered list of supported SSL cipher suites, given as golang tls constants | |
# separated by colons. The cipher suite is chosen according to this order during the | |
# SSL handshake. For example: | |
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | |
cipher_suites: | |
# A list of headers that log events will be annotated with | |
extra_headers_to_log: [] | |
# Log level for router | |
logging_level: info | |
# To rotate keys, add your new key here and deploy. Then swap this key with the | |
# value of route_services_secret and deploy again. | |
route_services_secret_decrypt_only: | |
status: | |
# Password for HTTP basic auth to the varz/status endpoint. | |
password: ~ | |
# Username for HTTP basic auth to the varz/status endpoint. | |
user: ~ | |
# Port for the Router varz/status endpoint. | |
port: 8080 | |
# Address at which to serve debug info. The default binds to all interfaces; bind to | |
# localhost or firewall the port, since debug endpoints should not be reachable externally | |
debug_addr: 0.0.0.0:17001 | |
# Enable ssl termination on the router | |
enable_ssl: False | |
offset: 0 | |
haproxy: | |
# Port that is used to check the health of HA-proxy | |
health_check_port: 80 | |
# Server and client timeouts in seconds | |
request_timeout_in_seconds: 300 | |
# The public ssl cert for ssl termination | |
ssl_cert: | |
tcp_emitter: | |
# Address at which to serve debug info. The default binds to all interfaces; bind to | |
# localhost or firewall the port, since debug endpoints should not be reachable externally | |
debug_addr: 0.0.0.0:17016 | |
# TTL for service lock | |
lock_ttl: 10s | |
# comma-separated list of consul server URLs (scheme://ip:port) | |
consul_cluster: http://127.0.0.1:8500 | |
# Log level | |
log_level: info | |
# auth disabled setting of routing api | |
routing_api_auth_disabled: False | |
# Port on which UAA is running. | |
uaa_port: 8080 | |
# interval to wait before retrying a failed lock acquisition | |
lock_retry_interval: 5s | |
# consul session name | |
session_name: tcp-emitter | |
# Password for UAA client for the gorouter. | |
gorouter_secret: ~ | |
bbs: | |
# enable ssl for all communication with the bbs | |
require_ssl: True | |
# PEM-encoded client key | |
client_key: ~ | |
# PEM-encoded client certificate | |
client_cert: ~ | |
# PEM-encoded CA certificate | |
ca_cert: ~ | |
# Diego BBS Server endpoint url. Note this default uses http:// even though require_ssl | |
# above is True and router_configurer's default uses https://; set an https URL when | |
# require_ssl is enabled | |
api_location: http://bbs.service.cf.internal:8889 | |
# Port of routing api | |
routing_api_port: 3000 | |
# Interval at which the router requests routes to be registered. | |
requested_route_registration_interval_in_seconds: 20 | |
# Number of CPUs to utilize, the default (-1) will equal the number of available | |
# CPUs | |
number_of_cpus: -1 | |
# Expiry time of a route service signature in seconds | |
route_service_timeout: 60 | |
# Set the Secure flag on HTTP cookies so browsers only send them over HTTPS. Enable | |
# this once SSL termination is in place (see enable_ssl / ha_proxy.ssl_pem) | |
secure_cookies: False | |
# If the X-Vcap-Trace request header is set and has this value, trace headers are | |
# added to the response. The default (22) is publicly known; set a unique, unguessable | |
# value so arbitrary clients cannot request routing trace headers. | |
trace_key: 22 | |
login: | |
# Deprecated: Use login.saml.entityid | |
entity_id: ~ | |
prompt: | |
username: | |
# The text used to prompt for a username during login | |
text: Email | |
password: | |
# The text used to prompt for a password during login | |
text: Password | |
links: | |
# URL for requesting password reset | |
passwd: ~ | |
# URL for requesting to signup/register for an account | |
signup: ~ | |
# Certificate to import if the UAA is using self-signed certificates | |
uaa_certificate: ~ | |
# A nested or flat hash of messages that the login server uses to display UI | |
# message This will be flattened into a java.util.Properties file. The example | |
# below will lead to four properties, where the key is the concatenated value | |
# delimited by dot, for example scope.tokens.read=message Nested example: | |
# messages: scope: tokens: read: View details of your approvals you | |
# have granted to this and other applications write: Cancel the approvals | |
# like this one that you have granted to this and other applications | |
# cloud_controller: read: View details of your applications and services | |
# write: Push applications to your account and create and bind services Flat | |
# example: messages: scope.tokens.read: View details of your approvals you have | |
# granted to this and other applications scope.tokens.write: Cancel the | |
# approvals like this one that you have granted to this and other applications | |
# scope.cloud_controller.read: View details of your applications and services | |
# scope.cloud_controller.write: Push applications to your account and create and | |
# bind services | |
messages: ~ | |
# SMTP server configuration, for password reset emails etc. | |
smtp: ~ | |
analytics: | |
# Analytics domain | |
domain: ~ | |
# Analytics code | |
code: ~ | |
# Enable account creation flow in the login server. Enabled by default. | |
signups_enabled: ~ | |
# Scheme to use for HTTP communication (http/https) | |
protocol: https | |
# Base url for static assets, allows custom styling of the login server. | |
asset_base_url: ~ | |
port: 8080 | |
# Enable self-service account creation and password resets links. | |
self_service_links_enabled: ~ | |
saml: | |
# Private key for the service provider certificate. | |
serviceProviderKey: ~ | |
socket: | |
# Read timeout in milliseconds for SAML metadata HTTP requests | |
soTimeout: ~ | |
# Timeout in milliseconds for connection pooling for SAML metadata HTTP requests | |
connectionManagerTimeout: ~ | |
# Password to protect the service provider private key. | |
serviceProviderKeyPassword: ~ | |
# Contains a hash of SAML Identity Providers, the key is the IDP Alias, followed | |
# by key/value pairs for idpMetadata, nameID, assertionConsumerIndex, | |
# metadataTrustCheck, showSamlLoginLink, linkText, iconUrl | |
providers: ~ | |
# Key name of the SAML login server keystore. | |
keystore_key: selfsigned | |
# Set to true if you wish the UAA to sign all of its SAML auth requests | |
signRequest: True | |
# Deprecated: Use login.saml.providers list objects | |
metadataTrustCheck: True | |
# Set to true if you wish the UAA to sign its SAML metadata | |
signMetaData: True | |
# Deprecated: Use login.saml.providers list objects | |
idp_metadata_file: ~ | |
# Deprecated: Use login.saml.providers list objects | |
nameidFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | |
# Service provider certificate. | |
serviceProviderCertificate: ~ | |
# The URL to which SAML identity providers will post assertions. If set, it overrides | |
# the default of login.<domain>. This value should NOT include the scheme (no http:// | |
# or https:// prefix), just the hostname; the scheme is taken from the login.protocol | |
# property. The default value is | |
# #{protocol}://login.#{properties.domain} | |
entity_base_url: ~ | |
# Key password to the SAML login server keystore. The default below is the literal | |
# string "password"; change it in any non-test deployment. | |
keystore_password: password | |
# Deprecated: Use login.saml.providers list objects | |
idpEntityAlias: ~ | |
# Deprecated: Use login.saml.providers list objects | |
idpMetadataURL: ~ | |
# The ID to represent this server | |
entityid: ~ | |
# Deprecated: Use login.saml.providers list objects | |
assertion_consumer_index: 1 | |
# Name of the SAML login server keystore. | |
keystore_name: samlKeystore.jks | |
catalina_opts: ~ | |
ldap: | |
# See uaa.ldap.userDNPattern - login.ldap prefix is used for backwards | |
# compatibility to enable ldap from login config | |
userDNPattern: ~ | |
# See uaa.ldap.searchFilter - login.ldap prefix is used for backwards | |
# compatibility to enable ldap from login config | |
searchFilter: cn={0} | |
# See uaa.ldap.profile_type - login.ldap prefix is used for backwards | |
# compatibility to enable ldap from login config | |
profile_type: ~ | |
# See uaa.ldap.url - login.ldap prefix is used for backwards compatibility to | |
# enable ldap from login config | |
url: ~ | |
# See uaa.ldap.userPassword - login.ldap prefix is used for backwards | |
# compatibility to enable ldap from login config | |
userPassword: ~ | |
# See uaa.ldap.userDN - login.ldap prefix is used for backwards compatibility to | |
# enable ldap from login config | |
userDN: ~ | |
# See uaa.ldap.passwordEncoder - login.ldap prefix is used for backwards | |
# compatibility to enable ldap from login config | |
passwordEncoder: org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator | |
# See uaa.ldap.passwordAttributeName - login.ldap prefix is used for backwards | |
# compatibility to enable ldap from login config | |
passwordAttributeName: userPassword | |
# See uaa.ldap.sslCertificateAlias - login.ldap prefix is used for backwards | |
# compatibility to enable ldap from login config | |
sslCertificateAlias: ~ | |
# See uaa.ldap.sslCertificate - login.ldap prefix is used for backwards | |
# compatibility to enable ldap from login config | |
sslCertificate: ~ | |
# See uaa.ldap.searchBase - login.ldap prefix is used for backwards compatibility | |
# to enable ldap from login config | |
searchBase: | |
# See uaa.ldap.localPasswordCompare - login.ldap prefix is used for backwards | |
# compatibility to enable ldap from login config | |
localPasswordCompare: true | |
# A list of links to other services to show on the landing page after logging in | |
# and/or signing up, depending on whether login-link and/or signup-link is | |
# specified. | |
tiles: ~ | |
# Allows users to send invitations to email addresses outside the system and | |
# invite them to create an account. Disabled by default. | |
invitations_enabled: ~ | |
# The branding style to use with the web interface, account confirmation, and | |
# password reset emails. | |
brand: oss | |
# See uaa.spring_profiles - login.spring_profiles is used for backwards | |
# compatibility to enable ldap from login config | |
spring_profiles: ~ | |
notifications: | |
# The url for the notifications service (configure to use Notifications Service | |
# instead of SMTP server) | |
url: ~ | |
logout: | |
redirect: | |
# The Location of the redirect header following a logout of the UAA | |
# (/logout.do). Default value is back to the login page (/login) | |
url: ~ | |
parameter: | |
# A list of URLs. When this list is non-null (an empty list counts) and disable=false, | |
# logout redirects are allowed but limited to the whitelisted URLs. If the redirect | |
# parameter value is not whitelisted, the redirect goes to the default URL. | |
whitelist: ~ | |
# When set to false, the UAA follows arbitrary redirect parameter values on | |
# /logout.do (an open redirect, e.g. /logout.do?redirect=google.com). Default value is | |
# true, which disables the open redirect; use whitelist to permit specific URLs. | |
disable: ~ | |
# Location of the UAA. | |
uaa_base: ~ | |
url: ~ | |
# Whether to use the login server as the authorization endpoint | |
enabled: True | |
metron_endpoint: | |
# The host used to emit messages to the Metron agent | |
host: 127.0.0.1 | |
# The port used to emit dropsonde messages to the Metron agent | |
dropsonde_port: 3457 | |
# The port used to emit legacy messages to the Metron agent. | |
port: 3456 | |
# The key used to sign log messages | |
shared_secret: ~ |