ssh_proxy job from diego/2.46.0

GitHub source: 53f2e55 or master branch

Properties

backends

tls

ca_certificates

List of PEM-encoded CA certificate bundles that the SSH proxy uses to verify backends when connecting via the TLS proxy. Should be non-empty if backends.tls.enabled is true.

Default
[]
client_certificate

PEM-encoded certificate for the SSH proxy to present to backends for verification when connecting via TLS proxy.

client_private_key

PEM-encoded private key associated with backends.tls.client_certificate.

enabled

Whether to enable TLS-proxied connections to target backend instances.

Default
false

bpm

enabled

Use the BOSH Process Manager to manage the ssh-proxy process.

Default
false

connect_to_instance_address

Connect directly to container IP instead of to the host IP and external port. Suitable only for deployments in which the gorouters and TCP routers can route directly to the container IP of instances.

Default
false

diego

ssh_proxy

allowed_ciphers

Comma-separated list of allowed cipher algorithms

allowed_keyexchanges

Comma-separated list of allowed key exchange algorithms

allowed_macs

Comma-separated list of allowed MAC algorithms

bbs
api_location

Address of the BBS server

Default
bbs.service.cf.internal:8889
ca_cert

REQUIRED: PEM-encoded CA certificate

client_cert

REQUIRED: PEM-encoded client certificate

client_key

REQUIRED: PEM-encoded client key

client_session_cache_size

Capacity of the TLS client cache

max_idle_conns_per_host

Maximum number of idle HTTP connections

cc
external_port

External port of the Cloud Controller API

Default
9022
internal_service_hostname

Internal service hostname of Cloud Controller API

Default
cloud-controller-ng.service.cf.internal
debug_addr

Address at which to serve debug info

Default
127.0.0.1:17016
diego_credentials

Diego credentials to be used with the Diego authentication method

disable_healthcheck_server

Whether to disable the SSH proxy HTTP healthcheck server. Defaults to false.

Default
false
enable_cf_auth

Allow SSH access for CF applications

Default
false
enable_diego_auth

Allow SSH access for Diego applications

Default
false
healthcheck_listen_addr

Address for the SSH proxy healthcheck server

Default
0.0.0.0:2223
host_key

PEM-encoded RSA private key used to identify the host

idle_connection_timeout_in_seconds

Idle timeout for incoming connections

Default
300
listen_addr

Address for the proxy to listen on

Default
0.0.0.0:2222
log_level

Log level

Default
info
uaa
ca_cert

The CA certificate of the UAA

port

The port to contact UAA on

Default
8443
url

The domain name of the UAA

Default
https://uaa.service.cf.internal
uaa_secret

The OAuth client secret used to authenticate the ssh-proxy with the UAA

ssl

skip_cert_verify

When connecting over HTTPS, ignore bad SSL certificates

Default
false

enable_consul_service_registration

Enable the ssh-proxy to register itself as a service with Consul, for client discovery via Consul DNS. Do not disable without arranging alternate service discovery.

Default
true

logging

format

timestamp

Format for timestamp in component logs. Valid values are ‘unix-epoch’ and ‘rfc3339’.

Default
unix-epoch

loggregator

ca_cert

CA certificate used to communicate with the local metron agent over gRPC

cert

Certificate used to communicate with the local metron agent over gRPC

key

Key used to communicate with the local metron agent over gRPC

use_v2_api

True to use the local metron agent gRPC v2 API. False to use the UDP v1 API.

Default
false

v2_api_port

Local metron agent gRPC port

Default
3458

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/ssh_proxy/ directory.

  • bin/ssh_proxy_as_vcap (from ssh_proxy_as_vcap.erb)
  • bin/ssh_proxy_ctl (from ssh_proxy_ctl.erb)
  • config/bpm.yml (from bpm.yml.erb)
  • config/certs/backends_tls/ca.crt (from backends_tls_ca.crt.erb)
  • config/certs/backends_tls/client.crt (from backends_tls_client.crt.erb)
  • config/certs/backends_tls/client.key (from backends_tls_client.key.erb)
  • config/certs/bbs/ca.crt (from bbs_ca.crt.erb)
  • config/certs/bbs/client.crt (from bbs_client.crt.erb)
  • config/certs/bbs/client.key (from bbs_client.key.erb)
  • config/certs/cc/cc_api_ca_cert.crt (from cc_api_ca_cert.crt.erb)
  • config/certs/loggregator/ca.crt (from loggregator_ca.crt.erb)
  • config/certs/loggregator/client.crt (from loggregator_client.crt.erb)
  • config/certs/loggregator/client.key (from loggregator_client.key.erb)
  • config/certs/uaa/ca.crt (from uaa_ca.crt.erb)
  • config/ssh_proxy.json (from ssh_proxy.json.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.