
@shalako
Created February 27, 2018 20:32
$ git diff 0.142.0..0.172.0 jobs/*/spec
diff --git a/jobs/acceptance_tests/spec b/jobs/acceptance_tests/spec
index 73e5484..d482a2d 100644
--- a/jobs/acceptance_tests/spec
+++ b/jobs/acceptance_tests/spec
@@ -6,9 +6,8 @@ templates:
config.json.erb: bin/config.json
packages:
- - golang1.6
+ - golang1.9
- acceptance_tests
- - tcp_emitter
- rtr
- cf-cli
@@ -55,3 +54,14 @@ properties:
acceptance_tests.include_http_routes:
default: false
description: "When true, additionally runs the HTTP Routes test for Routing API"
+
+ acceptance_tests.user_password:
+ description: "By default, users created during acceptance tests will be configured random names and random passwords. This property enables specifying the password for users created during the test."
+
+ acceptance_tests.default_timeout:
+ default: 120
+ description: "Default timeout for Ginkgo assertions. i.e. Timeout for `Eventually`"
+
+ acceptance_tests.tcp_router_group:
+ default: "default-tcp"
+ description: "The name of the the router group associated with the default TCP Router"
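Review bot: `acceptance_tests.user_password`, added in this hunk, lets an operator give every user created during a test run the same fixed password, and its description does not mark the value as a credential. I would append a sentence such as `Supply this from a credential variable rather than a literal value, and use it only against test environments.` The `acceptance_tests.tcp_router_group` description also has a doubled word, `the the router group`. The same three properties are repeated in the new `jobs/smoke_tests/spec`, so both points apply there as well.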
diff --git a/jobs/bbr-routingdb/spec b/jobs/bbr-routingdb/spec
new file mode 100644
index 0000000..6b61f6c
--- /dev/null
+++ b/jobs/bbr-routingdb/spec
@@ -0,0 +1,13 @@
+---
+name: bbr-routingdb
+templates:
+ backup.erb: bin/bbr/backup
+ restore.erb: bin/bbr/restore
+ config.json.erb: config/config.json
+
+consumes:
+- name: routing_api_db
+ type: routing_api_db
+
+packages: []
+properties: {}
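Review bot: The new `bbr-routingdb` job has no `description:` key, and nothing states that its rendered `config/config.json` is built from the `routing_api_db` link. Going by the routing-api section of this diff, that link exports `routing_api.sqldb`, which includes the database password, so the rendered file presumably holds credentials. The template is not part of this diff, so its contents and file mode need confirming. I would add `description: "Backup and restore scripts for the Routing API database; the rendered config contains database credentials."` after `name:`.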
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 1352c8b..79b9b76 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -5,20 +5,27 @@ description: "Gorouter maintains a dynamic routing table based on updates receiv
templates:
gorouter_ctl: bin/gorouter_ctl
+ post-start.erb: bin/post-start
run_gorouter.erb: bin/run_gorouter
dns_health_check.erb: bin/dns_health_check
+ publish_to_nats.erb: bin/publish_to_nats
gorouter.yml.erb: config/gorouter.yml
- gorouter_logrotate.cron.erb: config/gorouter_logrotate.cron
- logrotate.conf.erb: config/logrotate.conf
drain: bin/drain
- cert.pem.erb: config/cert.pem
- key.pem.erb: config/key.pem
uaa_ca.crt.erb: config/certs/uaa/ca.crt
packages:
- routing_utils
- gorouter
+provides:
+ - name: gorouter
+ type: http-router
+
+consumes:
+- name: nats
+ type: nats
+ optional: true
+
properties:
router.port:
description: "Listening Port for Router."
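Review bot: The `nats` link under `consumes:` is `optional: true`, but the spec still declares `nats.user`, `nats.password`, `nats.port` and `nats.machines` further down, and nothing says which source wins when both are supplied. Because the link presumably carries the NATS credentials, a comment above `consumes:` such as `# nats.* properties, when set, take precedence over the link` (or the reverse, whichever the templates implement) would stop operators from guessing. As a style point, `provides:` indents its sequence item while `consumes:` writes it flush; pick one form for the file. The same optional link is added to `jobs/route_registrar/spec`. The `properties:` mapping continues outside this hunk.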
@@ -28,10 +35,14 @@ properties:
default: 8080
router.status.user:
description: "Username for HTTP basic auth to the /varz and /routes endpoints."
+ default: router-status
router.status.password:
description: "Password for HTTP basic auth to the /varz and /routes endpoints."
router.requested_route_registration_interval_in_seconds:
- description: "On startup, the router will delay listening for requests by this duration to increase likelihood that it has a complete routing table before serving requests. The router also broadcasts the same duration as a recommended interval to registering clients via NATS."
+ description: |
+ On startup, the router will delay listening for requests by this duration to increase likelihood that it has a complete routing table before serving requests.
+ The router also broadcasts the same duration as a recommended interval to registering clients via NATS.
+ This must be less than 60, otherwise monit will mark the process as failed.
default: 20
router.load_balancer_healthy_threshold:
description: "Time period in seconds to wait until declaring the router instance started after starting the listener socket. This allows an external load balancer time to register the instance as healthy."
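Review bot: `router.status.user` now defaults to `router-status`, while `router.status.password` still has no default and no statement that it is required. With a well-known username, the password is the only secret protecting `/varz` and `/routes`, and the description should say so, e.g. `Password for HTTP basic auth to the /varz and /routes endpoints. Required; use a generated credential.` Whether an unset password fails the deploy or renders an empty value is decided in the template, which is outside this diff.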
@@ -44,43 +55,80 @@ properties:
default: -1
router.debug_address:
description: "Address at which to serve debug info"
- default: "0.0.0.0:17002"
+ default: "127.0.0.1:17002"
router.secure_cookies:
description: "Set secure flag on http cookies"
default: false
router.drain_wait:
description: |
- Delay in seconds after drain begins before server stops listening.
- During this time the server will respond with 503 Service Unavailable to
- requests having header
- User-Agent: {Value of router.healthcheck_user_agent}.
- This accommodates requests in transit sent during the time the health
- check responded with `ok`.
- default: 0
+ Delay in seconds after shut down is initiated before server stops listening.
+ During this time the server will reject requests to the /health endpoint.
+ This accommodates requests forwarded by a load balancer until it considers the router unhealthy.
+ default: 20
router.healthcheck_user_agent:
- description: User-Agent for the health check agent (usually the Load Balancer).
+ description: DEPRECATED. Use /health endpoint on port specified by status.port. User-Agent for the health check agent (usually the Load Balancer).
example: "ELB-HealthChecker/1.0"
default: "HTTP-Monitor/1.1"
router.enable_ssl:
description: "When enabled, Gorouter will listen on port 443 and terminate TLS for requests received on this port."
default: false
+ router.client_cert_validation:
+ description: |
+ none - Gorouter will not request client certificates in TLS handshakes, and will ignore them if presented. Incompatible with `forwarded_client_cert: forward` or `sanitize_set`.
+ request - Gorouter will request client certificates in TLS handshakes, and will validate them when presented, but will not require them.
+ require - Gorouter will fail a TLS handshake if the client does not provide a certificate signed by a CA it trusts. For use with Gorouters responsible for app domains only; incompatible with Gorouters responsible for the CF system domain as not all clients provide client certificates.
+ default: request
+ router.disable_http:
+ description: Disables the http listener on port specified by router.port. This cannot be set to true if enable_ssl is false.
+ default: false
+ router.min_tls_version:
+ description: Minimum accepted version of TLS protocol. All versions above this will also be accepted. Valid values are TLSv1.0, TLSv1.1, and TLSv1.2.
+ default: TLSv1.2
router.dns_health_check_host:
description: "Host to ping for confirmation of DNS resolution, only used when Routing API is enabled"
- default: "consul.service.cf.internal"
- router.ssl_cert:
- description: "The public ssl cert for ssl termination"
- default: ""
- router.ssl_key:
- description: "The private ssl key for ssl termination"
- default: ""
+ default: "uaa.service.cf.internal"
+ router.tls_pem:
+ description: "Array of private keys and certificates used for TLS handshakes with downstream clients. Each element in the array is an object containing fields 'private_key' and 'cert_chain', each of which supports a PEM block. Required if router.enable_ssl is true."
+ example: |
+ tls_pem:
+ - cert_chain: |
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ private_key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+ router.ca_certs:
+ description: "String of concatenated certificate authorities in PEM format, used to validate certificates provided by remote systems. By default, Gorouter will trust certificates signed by well-known CAs and by CA certificates installed on the filesystem."
+ router.backends.cert_chain:
+ description: Certificate chain used for client authentication to TLS-registered backends. In PEM format.
+ router.backends.private_key:
+ description: Private key used for client authentication to TLS-registered backends. In PEM format.
router.ssl_skip_validation:
description: "Skip validation of TLS certificates received from route services and UAA"
default: false
router.cipher_suites:
description:
- An ordered list of supported SSL cipher suites containing golang tls constants separated by colons
- The cipher suite will be chosen according to this order during SSL handshake
- default: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA"
+ An ordered, colon-delimited list of golang supported TLS cipher suites in OpenSSL or RFC format.
+ The selected cipher suite will be negotiated according to the order of this list during a TLS handshake.
+ See https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/tls/cipher_suites.go#L369-L390 for golang supported cipher suites.
+ The first four of these are supported for TLSv1.0/1.1 only.
+ See https://www.openssl.org/docs/man1.1.0/apps/ciphers.html for a mapping of OpenSSL and RFC suite names.
+ default: "ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ router.forwarded_client_cert:
+ description: |
+ How to handle the x-forwarded-client-cert (XFCC) HTTP header. Possible values are:
+ - always_forward: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.
+ Use this value when your load balancer is forwarding the client certificate and requests are not forwarded to Gorouter over mTLS. In the case where the connection between load balancer and Gorouter is mTLS, the client certificate received by Gorouter in the TLS handshake will not be forwarded.
+ - forward: Forward the XFCC header received from the client only when the client connection is mTLS.
+ This is a more secure version of `always_forward`. The client certificate received by Gorouter in the TLS handshake will not be forwarded.
+ Requires `client_cert_validation: request` or `require`.
+ - sanitize_set: Strip any instances of XFCC headers from the client request.
+ When the client connection is mTLS, the client certificate received by Gorouter in the TLS handshake will be forwarded in this header.
+ Values will be base64 encoded PEM. Use this value when Gorouter is the first component to terminate TLS.
+ Requires `client_cert_validation: request` or `require`.
+ default: always_forward
router.route_services_secret:
description: "Support for route services is disabled when no value is configured. A robust passphrase is recommended."
default: ""
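Review bot: `router.forwarded_client_cert` defaults to `always_forward`, which this same description ranks as less secure than `forward`, and the text does not say who is allowed to set the header in that mode. With `always_forward` Gorouter passes on whatever XFCC value arrives, so backends can rely on the header only if a trusted load balancer in front of Gorouter overwrites it on every request. I would add that to the first bullet, e.g. `Backends must not treat the header as authenticated unless the load balancer strips client-supplied XFCC headers.` Separately, the `router.cipher_suites` default mixes an OpenSSL name (`ECDHE-RSA-AES128-GCM-SHA256`) with an RFC name in one string; using one naming style would make the list easier to audit.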
@@ -93,15 +141,6 @@ properties:
router.route_services_timeout:
description: "Expiry time of a route service signature in seconds"
default: 60
- router.logrotate.freq_min:
- description: "The frequency in minutes which logrotate will rotate VM logs"
- default: 5
- router.logrotate.rotate:
- description: "The number of files that logrotate will keep around on the VM"
- default: 7
- router.logrotate.size:
- description: "The size at which logrotate will decide to rotate the log file"
- default: 2M
router.extra_headers_to_log:
description: "An array of headers that access log events will be annotated with"
default: []
@@ -111,23 +150,59 @@ properties:
router.enable_proxy:
description: "Enables support for the popular PROXY protocol, allowing downstream load balancers that do not support HTTP to pass along client information."
default: false
-
+ router.max_idle_connections:
+ default: 0
+ description: "Maximum total idle keepalive connections to backends. When 0, support for keepalive connections is disabled. Maximum idle connections per backend is 100."
router.force_forwarded_proto_https:
description: "Enables setting X-Forwarded-Proto header if SSL termination happened upstream and incorrectly set the header value. When this property is set to true gorouter sets the header X-Forwarded-Proto to https. When this value set to false, gorouter set the header X-Forwarded-Proto to the protocol of the incoming request"
default: false
+ router.frontend_idle_timeout:
+ description: |
+ (optional, integer) Duration in seconds to maintain an open connection when client supports keep-alive.
+ This property must be configured with regards to how an IaaS-provided load balancer behaves in order to prevent connections from being closed prematurely.
+ Generally, this timeout must be greater than that of the load balancer. As examples, GCP has a default timeout of 600 seconds so a value greater than 600 is recommended and AWS ELB has a default timeout of 60 seconds so a value greater than 60 is recommended.
+ However, depending on the IaaS, this timeout may need to be shorter than the load balancer's timeout, e.g., Azure's load balancer times out at 240 seconds (by default) without sending a TCP RST to clients, so a value lower than this is recommended in order to force it to send the TCP RST.
+ default: 900
+
+ router.backends.enable_tls:
+ description:
+ (optional, boolean) By default, Gorouter forwards requests to backends over unencrypted connections and will ignore routes registered with a TLS port,
+ preferring a non-tls port when both are present. When this property is set to true, Gorouter will connect to backends using TLS when routes are
+ registered with a TLS port, ignoring non-tls ports when both are present.
+ default: false
+ router.backends.max_conns:
+ description: "Maximum concurrent TCP connections per backend. When set to 0 there is no limit"
+ default: 0
+
router.tracing.enable_zipkin:
description: "Enables the addition of the X-B3-Trace-Id header to incoming requests. If the header already exists on the incoming request, it will not be overwritten."
default: false
+ router.isolation_segments:
+ description: "Routes with these isolation segments will be registered. Used in combination with routing_table_sharding_mode."
+ default: []
+ router.routing_table_sharding_mode:
+ description: |
+ all: all routes will be registered.
+ shared-and-segments: both routes for the configured isolation segments and those that do not have an isolation segment specified will be registered.
+ segments: only routes for the configured isolation segments will be registered.
+ default: all
+
nats.user:
- description:
+ description: User name for NATS authentication
+ example: nats
nats.password:
- description:
+ description: Password for NATS authentication
+ example: natSpa55w0rd
nats.port:
- description:
+ description: TCP port of NATS servers
+ example: 4222
nats.machines:
- description: "IP of each NATS cluster member."
+ description: IPs of each NATS cluster member
+ example: |
+ - 192.168.50.123
+ - 192.168.52.123
router.offset:
description:
default: 0
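Review bot: The `nats.password` example, `natSpa55w0rd`, looks like a usable password, and example values tend to be pasted into manifests unchanged. A variable reference in the style the routing-api spec in this diff uses for client secrets would be safer, e.g. `example: "((nats_password))"` (variable name made up for illustration). In the same hunk, `router.backends.enable_tls` writes its multi-line description as a plain scalar under a bare `description:` while its neighbours use `description: |`; the plain form folds the lines into one, so `|` or `>-` would make the intent explicit.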
@@ -147,11 +222,8 @@ properties:
uaa.clients.gorouter.secret:
description: "Password for UAA client for the gorouter."
uaa.token_endpoint:
- description: "UAA token endpoint host name"
+ description: "UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA."
default: uaa.service.cf.internal
- uaa.port:
- description: "Port on which UAA is running."
- default: 8080
uaa.ssl.port:
description: "Secure Port on which UAA is running."
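Review bot: The new `uaa.token_endpoint` description says `TCP Router will always use TLS to connect to UAA`, but this is the gorouter job spec. The sentence reads as copied from `jobs/tcp_router/spec`; here it should name the component that actually makes the connection: `Do not include a scheme in this value; Gorouter will always use TLS to connect to UAA.` The `jobs/routing-api/spec` section of this diff carries the same sentence and should name Routing API instead.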
@@ -170,6 +242,9 @@ properties:
router.enable_access_log_streaming:
description: "Enables streaming of access log to syslog."
default: false
+ router.write_access_logs_locally:
+ description: "Enables writing access log to local disk."
+ default: true
router.suspend_pruning_if_nats_unavailable:
description: |
Suspend pruning of routes when NATs is unavailable and maintain the
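Review bot: `router.write_access_logs_locally` defaults to `true`, yet this diff removes the job's logrotate templates and the `router.logrotate.*` properties, and the description says neither where the file is written nor what rotates it. If rotation now happens outside this job, the description should say so, e.g. `Enables writing access log to local disk. Rotation is handled by <component>; set to false when only streaming to syslog.` Otherwise an unrotated access log can fill the disk on a busy router. The `router.suspend_pruning_if_nats_unavailable` description continues outside the hunk.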
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index d83ae9a..8e488db 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -7,10 +7,15 @@ packages:
- routing_utils
- route_registrar
+consumes:
+- name: nats
+ type: nats
+ optional: true
+
templates:
pre-start: bin/pre-start
route_registrar_ctl.erb: bin/route_registrar_ctl
- registrar_settings.yml.erb: config/registrar_settings.yml
+ registrar_settings.json.erb: config/registrar_settings.json
properties:
nats.machines:
@@ -31,13 +36,14 @@ properties:
route_registrar.routes:
description: |
* Array of hashes determining which routes will be registered.
- * Each hash should have 'port', 'uris', 'registration_interval'
+ * Each hash should have 'port' or 'tls_port', 'uris', 'registration_interval'
and 'name' keys.
+ * 'server_cert_domain_san' is the SAN on the destination host's TLS certificate. You must provide 'server_cert_domain_san' when 'tls_port' is specified.
* 'registration_interval' is the delay between
routing updates. It must be a time duration represented as a string
(e.g. "10s").
It must parse to a positive time duration i.e. "-5s" is not permitted.
- * Additionally, the 'tags' and 'health_check' keys are optional.
+ * Additionally, the 'tags', 'health_check', and 'prepend_instance_index' keys are optional.
* 'uris' is an array of URIs to register for the 'port'.
* 'tags' are included in metrics that gorouter emits to support filtering.
* 'health_check' is a hash which should have 'name' and 'script_path'.
@@ -52,6 +58,13 @@ properties:
* if the healthcheck script exits with error, the route is unregistered.
* if a timeout is configured, the healthcheck script must exit within the timeout,
otherwise it is terminated (with `SIGKILL`) and the route is unregistered.
+ * 'prepend_instance_index' is a boolean. When set to true the values in 'uris'
+ will be prepended with the instance index.
+ e.g. 'some-uri.system-domain.com' will become '0-some-uri.system-domain.com' on the instance
+ with index 0, and '2-some-url.system-domain.com' on the instance with index 2.
+ When this value is enabled, each instance will register its own, unique, set of uris.
+ To additionally continue to register these original uris, create another route
+ with the same uris and set 'prepend_instance_index' to false (or omit the key entirely).
example: |
- name: my-service
registration_interval: 20s
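Review bot: The `prepend_instance_index` text gives `'some-uri.system-domain.com'` as the input but `'2-some-url.system-domain.com'` as the result for index 2; `url` should be `uri` so the two examples describe the same hostname. The surrounding `route_registrar.routes` description starts before this hunk and its example continues after it.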
@@ -66,7 +79,21 @@ properties:
name: my-service-health_check
script_path: /path/to/script
timeout: 5s
+ - name: my-tls-endpoint
+ tls_port: 12346
+ server_cert_domain_san: "my-tls-endpoint.internal.com"
+ uris:
+ - my-service.system-domain.com
- name: my-debug-endpoint
port: 12346
uris:
- my-service.system-domain.com/debug
+ - name: cf-mysql-proxy-api-per-instance
+ port: 8080
+ uris:
+ - proxy-cf-mysql.system.domain
+ prepend_instance_index: true
+ - name: cf-mysql-proxy-api
+ port: 8081
+ uris:
+ - proxy-cf-mysql.system.domain
diff --git a/jobs/routing-api/spec b/jobs/routing-api/spec
index 110614b..690a1a0 100644
--- a/jobs/routing-api/spec
+++ b/jobs/routing-api/spec
@@ -4,16 +4,35 @@ templates:
routing-api_ctl.erb: bin/routing-api_ctl
dns_health_check.erb: bin/dns_health_check
pre-start: bin/pre-start
- etcd_ca.crt.erb: config/certs/etcd/ca.crt
- etcd_client.crt.erb: config/certs/etcd/client.crt
uaa_ca.crt.erb: config/certs/uaa/ca.crt
- etcd_client.key.erb: config/certs/etcd/client.key
routing-api.yml.erb: config/routing-api.yml
+ locket_ca.crt.erb: config/certs/locket/ca.crt
+ locket_client.crt.erb: config/certs/locket/client.crt
+ locket_client.key.erb: config/certs/locket/client.key
+ bbr-metadata: bin/bbr/metadata
+ pre-backup-lock.erb: bin/bbr/pre-backup-lock
+ post-backup-unlock.erb: bin/bbr/post-backup-unlock
+ pre-restore-lock.erb: bin/bbr/pre-restore-lock
+ post-restore-unlock.erb: bin/bbr/post-restore-unlock
packages:
- routing-api
- routing_utils
+provides:
+- name: routing_api
+ type: routing_api
+ properties:
+ - routing_api.clients
+ - routing_api.system_domain
+ - uaa.ca_cert
+ - skip_ssl_validation
+- name: routing_api_db
+ type: routing_api_db
+ properties:
+ - routing_api.sqldb
+ - release_level_backup
+
properties:
routing_api.max_ttl:
description: "String representing the maximum TTL a client can request for route registration."
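Review bot: The new `routing_api` and `routing_api_db` links export `routing_api.clients` and `routing_api.sqldb`, which by their descriptions in this spec hold OAuth client secrets and the database password, so every job that consumes these links receives those secrets. A comment above `provides:` would make that explicit, e.g. `# These links carry credentials; consume them only from jobs that need Routing API or database access.` The `routing_api` link also lists `skip_ssl_validation`, which is not declared in any hunk shown for this file; confirm it exists in the unchanged part of `properties:`, since as far as I know a link can only export properties the spec declares.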
@@ -29,7 +48,7 @@ properties:
default: "localhost:8125"
routing_api.debug_address:
description: "Address at which to serve debug info"
- default: "0.0.0.0:17002"
+ default: "127.0.0.1:17002"
routing_api.statsd_client_flush_interval:
description: "Buffered statsd client flush interval"
default: "300ms"
@@ -41,21 +60,9 @@ properties:
routing_api.log_level:
description: "Log level"
default: "info"
-
- routing_api.etcd.servers:
- description: "Must be the internal DNS name for the etcd cluster when require_ssl:true. When require_ssl:false either a DNS name or an array of IP addresses is supported."
- routing_api.etcd.client_cert:
- description: "Client certificate for communication between clients and etcd"
- default: ""
- routing_api.etcd.client_key:
- description: "Client key for communication between clients and etcd"
- default: ""
- routing_api.etcd.ca_cert:
- description: "Certificate authority used to sign cert hosted by etcd"
- default: ""
- routing_api.etcd.require_ssl:
- description: "etcd requires client to communicate via TLS"
- default: false
+ routing_api.port:
+ description: "Port on which Routing API is running. If this is changed and routing_api.enabled:true in cf-release, it will break management of routes and domains until routing_api.port is updated in cf-release."
+ default: 3000
metron.port:
description: "The port used to emit dropsonde messages to the Metron agent."
@@ -63,7 +70,7 @@ properties:
dns_health_check_host:
description: "Host to ping for confirmation of DNS resolution"
- default: consul.service.cf.internal
+ default: uaa.service.cf.internal
routing_api.sqldb.host:
description: "Host for SQL database"
@@ -81,18 +88,26 @@ properties:
description: "Username used for connecting to SQL database"
routing_api.sqldb.password:
description: "Password used for connecting to SQL database"
+ routing_api.sqldb.ca_cert:
+ description: (optional, string) When present, force database connections via TLS.
uaa.ca_cert:
description : "Certificate authority for communication between clients and UAA."
default: ""
uaa.token_endpoint:
- description: "UAA token endpoint host name"
+ description: "UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA."
default: uaa.service.cf.internal
uaa.tls_port:
description: "Port on which UAA is listening for TLS connections. This is required for obtaining a key to verify client OAuth tokens."
+ routing_api.clients:
+ description: "OAuth client ids and secrets provided via link to jobs in other BOSH deployments that need to read and/or write to Routing API. These clients must be configured in UAA via API or using the property uaa.clients with the desired scopes. For a list of scopes supported see https://github.com/cloudfoundry-incubator/routing-api/blob/master/docs/api_docs.md. Jobs consuming the link should use these credentials to fetch a token from UAA with which to authenticate with Routing API."
+ example:
+ cfcr_routing_api_client:
+ secret: "((uaa_clients_cfcr_routing_api_client_secret))"
+
routing_api.router_groups:
description: "Array of router groups that will be seeded into routing_api database. Once some value is included with a deploy, subsequent changes to this property will be ignored. TCP Routing requires a router group of type: tcp."
default: []
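Review bot: `routing_api.sqldb.ca_cert` makes TLS to the database opt-in: by its own wording connections are forced to TLS only `When present`, so without it the SQL password declared just above presumably travels unencrypted. The description should state that consequence and whether the server hostname is verified, e.g. `(optional, string) CA certificate for the database. When present, force database connections via TLS; when absent, connections are not encrypted.` The hostname-verification behaviour is not visible in this diff and needs confirming before it is documented.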
@@ -112,3 +127,32 @@ properties:
routing_api.lock_retry_interval:
description: "interval to wait before retrying a failed lock acquisition"
default: "5s"
+
+ routing_api.locket.api_location:
+ description: "Hostname and port of the Locket server. Used to obtain a lock so only one instance of Routing API is active at a time. Requires Locket, which is not deployed with cf-release by default."
+ default: ""
+
+ routing_api.locket.ca_cert:
+ description: "CA cert for the Locket server. Requires Locket, which is not deployed with cf-release by default."
+ default: ""
+
+ routing_api.locket.client_cert:
+ description: "Client cert for the Locket server. Requires Locket, which is not deployed with cf-release by default."
+ default: ""
+
+ routing_api.locket.client_key:
+ description: "Client key for the Locket server. Requires Locket, which is not deployed with cf-release by default."
+ default: ""
+
+ routing_api.skip_consul_lock:
+ description: "When false, Routing API will obtain a lock from both Consul and Locket. When true, Routing API will obtain the lock from Locket only. Requires locket.api_location to be set and Locket, which is not deployed with cf-release by default."
+ default: false
+
+ routing_api.admin_port:
+ description: "Local port to listen on with admin endpoint (used for backup/restore locking)"
+ default: 15897
+
+
+ release_level_backup:
+ default: false
+ description: "Include routing api database in backup and restore operations"
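Review bot: `routing_api.admin_port` is described as a `Local port`, but the spec gives no bind address, so it is not clear from here that the backup/restore lock endpoint listens on loopback only. If the address is fixed in the template, the description should say so, e.g. `Port on 127.0.0.1 for the admin endpoint (used for backup/restore locking)`; if it is not, a companion address property defaulting to loopback would match the `debug_address` change made elsewhere in this diff. Also, unlike the other properties this hunk adds, `release_level_backup` has no `routing_api.` prefix, which makes it easy to overlook in a manifest.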
diff --git a/jobs/smoke_tests/spec b/jobs/smoke_tests/spec
new file mode 100644
index 0000000..b173025
--- /dev/null
+++ b/jobs/smoke_tests/spec
@@ -0,0 +1,62 @@
+---
+name: smoke_tests
+
+templates:
+ run.erb: bin/run
+ config.json.erb: bin/config.json
+
+packages:
+ - golang1.9
+ - acceptance_tests
+ - cf-cli
+
+properties:
+ acceptance_tests.verbose:
+ default: false
+ description: "Whether to pass the -v flag to router acceptance tests"
+
+ acceptance_tests.addresses:
+ default:
+ - "10.244.14.2"
+ description: "A list of addresses which will be checked for TCP connectivity and features"
+
+ acceptance_tests.skip_ssl_validation:
+ default: false
+ description: "When true, does not verify TLS certificates for any API calls made during the test run"
+
+ acceptance_tests.cloud_controller.api:
+ description: "URL of the Cloud Controller API"
+
+ acceptance_tests.cloud_controller.apps_domain:
+ description: "App domain that will be created"
+
+ acceptance_tests.cloud_controller.admin_user:
+ description: "Cloud Controller admin user"
+
+ acceptance_tests.cloud_controller.admin_password:
+ description: "Cloud Controller admin user's password"
+
+ acceptance_tests.cloud_controller.use_http:
+ default: false
+ description: Flag for using HTTP when making application requests rather than the default HTTPS
+
+ tcp_emitter.oauth_secret:
+ description: "Password for UAA client for the tcp emitter."
+
+ acceptance_tests.system_domain:
+ description: "Domain for system components, e.g. bosh-lite.com"
+
+ smoke_tests.tcp_apps_domain:
+ description: "TCP app domain to use for testing. By default, a temporary domain will be created but tests will use the IP address of the TCP Router"
+ default: ""
+
+ acceptance_tests.user_password:
+ description: "By default, users created during acceptance tests will be configured random names and random passwords. This property enables specifying the password for users created during the test."
+
+ acceptance_tests.default_timeout:
+ default: 120
+ description: "Default timeout for Ginkgo assertions. i.e. Timeout for `Eventually`"
+
+ acceptance_tests.tcp_router_group:
+ default: "default-tcp"
+ description: "The name of the the router group associated with the default TCP Router"
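Review bot: `acceptance_tests.addresses` defaults to the single literal `10.244.14.2`, so a smoke-test job deployed without an override will probe whatever host owns that address in the target network. The value looks like a bosh-lite address, which fits the `bosh-lite.com` example further down but not other environments. I would drop the default so the property must be set, or at least say so in the text: `description: "A list of addresses which will be checked for TCP connectivity and features. The default is only valid on bosh-lite."`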
diff --git a/jobs/tcp_router/spec b/jobs/tcp_router/spec
index ba77a8f..3e16f87 100644
--- a/jobs/tcp_router/spec
+++ b/jobs/tcp_router/spec
@@ -15,10 +15,17 @@ packages:
- tcp_router
- haproxy
+provides:
+ - name: tcp_router
+ type: tcp-router
+
properties:
tcp_router.debug_address:
description: "Address at which to serve debug info"
- default: "0.0.0.0:17002"
+ default: "127.0.0.1:17002"
+ tcp_router.isolation_segments:
+ description: "Routes with these isolation segments will be registered. Used in combination with routing_table_sharding_mode."
+ default: []
tcp_router.log_level:
description: "Log level"
default: "info"
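Review bot: The `tcp_router.isolation_segments` description says it is `Used in combination with routing_table_sharding_mode`, but no such property is added to this spec in the diff; the only one visible is `router.routing_table_sharding_mode` in the gorouter job. If TCP Router has no sharding-mode setting, that sentence should be removed, and the description should state what the default empty list means for which routes are registered. The text looks copied from the gorouter spec, so it is worth checking against the TCP Router's actual behaviour before release.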
@@ -46,7 +53,7 @@ properties:
default: 80
uaa.token_endpoint:
- description: "UAA token endpoint host name"
+ description: "UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA."
default: uaa.service.cf.internal
uaa.tls_port:
@@ -58,7 +65,7 @@ properties:
dns_health_check_host:
description: "Host to ping for confirmation of DNS resolution"
- default: consul.service.cf.internal
+ default: uaa.service.cf.internal
metron.port:
description: "The port used to emit dropsonde messages to the Metron agent."
@@ -67,4 +74,3 @@ properties:
uaa.ca_cert:
description : "Certificate authority for communication between clients and uaa."
default: ""
-