
policy-server-internal job from cf-networking/2.29.0

Github source: c94386d0 or master branch

Properties

ca_cert

Trusted CA certificate that was used to sign the vxlan policy agent’s client cert and key.

connections_max_lifetime_seconds

Sets the maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If the value is <= 0, connections are reused forever.

If there is a spike in connection usage, all of these connections have the potential to stick around with a high lifetime. Lowering the lifetime will result in connections getting reaped sooner, but the policy server may have to renegotiate connections more often, which could add some latency. We recommend using the default unless you have seen specific needs to change it.

Default
3600

database

connect_timeout_seconds

Connection timeout between the policy server and its database.

Default
120

debug_port

Port for the debug server. Use this to adjust log level at runtime or dump process stats.

Default
31945

disable

Disable container to container networking.

Default
false

enforce_experimental_dynamic_egress_policies

Set to true to enforce dynamic egress policies. Note that dynamic egress policies can still be created through the external API even when this is false; they are only enforced when it is true.

Default
false

health_check_port

The port for the health endpoint.

Default
31946

health_check_timeout_seconds

Health check timeout for Consul DNS.

Default
5

internal_listen_port

Port where the policy server will serve its internal API.

Default
4003

listen_ip

IP address where the policy server will serve its API.

Default
0.0.0.0

log_level

Logging level (debug, info, warn, error).

Default
info

max_idle_connections

Maximum number of idle connections to the SQL database.

Idle connections will be retained until their connections_max_lifetime_seconds has been reached.

Default
10

max_open_connections

Maximum number of open connections to the SQL database.

The number of necessary connections scales with the number of diego-cells in the deployment. The handlers that use the db conns in this job respond to the vxlan-policy-agent, which runs on the diego-cells. Each agent polls this server once every 5s, by default. Anecdote: an environment with ~300 diego-cells has been seen to use up to ~200 conns. Anecdote: an environment with ~200 diego-cells has been seen to use up to ~170 conns. In these scenarios, each instance of this job would expect total-number-of-conns/job-instance-count conns. An idle deployment will likely use fewer connections.

Default
200
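The three pool properties above (connections_max_lifetime_seconds, max_idle_connections and max_open_connections) and database.connect_timeout_seconds map onto Go's database/sql pool settings, and the page's wording ("value <= 0 means reused forever", idle connections retained until the lifetime is reached) matches that package's semantics. The following is an added example, not code from cf-networking or the policy-server job: it validates the combination before applying it (database/sql would otherwise silently cap idle to open, or treat max open <= 0 as unlimited, which for a server whose connection count scales with diego-cell count is a risk to the database) and computes the per-instance expectation described above. The struct, function and interface names are assumptions made for this example; the defaults are the ones listed on this page.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"time"
)

// DBPoolProperties holds the job properties that size the SQL pool.
// Field comments give the property names from this page; the struct itself
// is an assumption for this example.
type DBPoolProperties struct {
	MaxOpenConnections            int // max_open_connections
	MaxIdleConnections            int // max_idle_connections
	ConnectionsMaxLifetimeSeconds int // connections_max_lifetime_seconds
	ConnectTimeoutSeconds         int // database.connect_timeout_seconds
}

// DefaultProperties returns the defaults listed on this page.
func DefaultProperties() DBPoolProperties {
	return DBPoolProperties{MaxOpenConnections: 200, MaxIdleConnections: 10,
		ConnectionsMaxLifetimeSeconds: 3600, ConnectTimeoutSeconds: 120}
}

// PoolSettings is the shape database/sql actually consumes.
type PoolSettings struct {
	MaxOpen, MaxIdle int
	MaxLifetime      time.Duration // 0 means connections are reused forever
	ConnectTimeout   time.Duration
}

// Validate rejects combinations database/sql would otherwise adjust silently,
// so a misconfiguration fails at deploy time rather than in production.
func (p DBPoolProperties) Validate() error {
	if p.MaxOpenConnections <= 0 { // database/sql reads n <= 0 as "no limit"
		return errors.New("max_open_connections must be > 0 (<= 0 means unlimited)")
	}
	if p.MaxIdleConnections < 0 {
		return errors.New("max_idle_connections must be >= 0")
	}
	if p.MaxIdleConnections > p.MaxOpenConnections { // would be capped silently
		return fmt.Errorf("max_idle_connections (%d) exceeds max_open_connections (%d)",
			p.MaxIdleConnections, p.MaxOpenConnections)
	}
	if p.ConnectTimeoutSeconds <= 0 {
		return errors.New("database.connect_timeout_seconds must be > 0")
	}
	return nil
}

// Settings converts seconds to durations and applies the
// "value <= 0 means reuse forever" rule for the connection lifetime.
func (p DBPoolProperties) Settings() (PoolSettings, error) {
	if err := p.Validate(); err != nil {
		return PoolSettings{}, err
	}
	s := PoolSettings{MaxOpen: p.MaxOpenConnections, MaxIdle: p.MaxIdleConnections,
		ConnectTimeout: time.Duration(p.ConnectTimeoutSeconds) * time.Second}
	if p.ConnectionsMaxLifetimeSeconds > 0 {
		s.MaxLifetime = time.Duration(p.ConnectionsMaxLifetimeSeconds) * time.Second
	}
	return s, nil
}

// poolConfigurer is the subset of *sql.DB used here; an interface lets the
// logic be exercised without a database driver.
type poolConfigurer interface {
	SetMaxOpenConns(int)
	SetMaxIdleConns(int)
	SetConnMaxLifetime(time.Duration)
}

var _ poolConfigurer = (*sql.DB)(nil) // compile-time check that *sql.DB fits

// Apply pushes validated settings into the pool and returns what was set.
func Apply(db poolConfigurer, p DBPoolProperties) (PoolSettings, error) {
	s, err := p.Settings()
	if err != nil {
		return PoolSettings{}, err
	}
	db.SetMaxOpenConns(s.MaxOpen)
	db.SetMaxIdleConns(s.MaxIdle)
	db.SetConnMaxLifetime(s.MaxLifetime)
	return s, nil
}

// PerInstanceConnections applies the page's rule of thumb: each job instance
// expects total-number-of-conns / job-instance-count conns (rounded up),
// which must fit under max_open_connections.
func PerInstanceConnections(totalConns, instances, maxOpen int) (int, error) {
	if instances <= 0 {
		return 0, errors.New("instances must be > 0")
	}
	per := (totalConns + instances - 1) / instances
	if per > maxOpen {
		return per, fmt.Errorf("%d conns per instance exceeds max_open_connections %d", per, maxOpen)
	}
	return per, nil
}

func main() {
	s, err := DefaultProperties().Settings()
	if err != nil {
		panic(err)
	}
	fmt.Printf("open=%d idle=%d lifetime=%s connect_timeout=%s\n",
		s.MaxOpen, s.MaxIdle, s.MaxLifetime, s.ConnectTimeout)
	// ~200 conns is the page's ~300-cell anecdote; 3 instances is a constructed value.
	per, err := PerInstanceConnections(200, 3, s.MaxOpen)
	fmt.Printf("per instance: %d (err=%v)\n", per, err)
}
```

Apply takes the interface rather than *sql.DB directly so the same code path can be checked in a unit test with a recording fake; in the job itself the argument would be the *sql.DB opened with the configured driver.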

metron_port

Port of metron agent on localhost. This is used to forward metrics.

Default
3457

server_cert

Server certificate for TLS. Must have a common name that matches the Consul DNS name of the policy server, e.g. policy-server.service.cf.internal.

server_key

Server key for TLS.

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/policy-server-internal/ directory.

  • bin/dns_health_check (from dns_health_check.erb)
  • bin/post-start (from post-start.erb)
  • config/bpm.yml (from bpm.yml.erb)
  • config/certs/ca.crt (from ca.crt.erb)
  • config/certs/database_ca.crt (from database_ca.crt.erb)
  • config/certs/server.crt (from server.crt.erb)
  • config/certs/server.key (from server.key.erb)
  • config/policy-server-internal.json (from policy-server-internal.json.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.