-
Notifications
You must be signed in to change notification settings - Fork 108
/
spec
194 lines (182 loc) · 8.9 KB
/
spec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
---
name: gorouter
description: "Gorouter maintains a dynamic routing table based on updates received from NATS and (when enabled) the Routing API. This routing table maps URLs to backends. The router finds the URL in the routing table that most closely matches the host header of the request and load balances across the associated backends."
templates:
gorouter_ctl: bin/gorouter_ctl
run_gorouter.erb: bin/run_gorouter
dns_health_check.erb: bin/dns_health_check
gorouter.yml.erb: config/gorouter.yml
gorouter_logrotate.cron.erb: config/gorouter_logrotate.cron
logrotate.conf.erb: config/logrotate.conf
drain: bin/drain
cert.pem.erb: config/cert.pem
key.pem.erb: config/key.pem
uaa_ca.crt.erb: config/certs/uaa/ca.crt
packages:
- routing_utils
- gorouter
consumes:
- name: nats
type: nats
optional: true
properties:
router.port:
description: "Listening Port for Router."
default: 80
router.status.port:
description: "Port for the /health, /varz, and /routes endpoints."
default: 8080
router.status.user:
description: "Username for HTTP basic auth to the /varz and /routes endpoints."
router.status.password:
description: "Password for HTTP basic auth to the /varz and /routes endpoints."
router.requested_route_registration_interval_in_seconds:
description: "On startup, the router will delay listening for requests by this duration to increase likelihood that it has a complete routing table before serving requests. The router also broadcasts the same duration as a recommended interval to registering clients via NATS."
default: 20
router.load_balancer_healthy_threshold:
description: "Time period in seconds to wait until declaring the router instance started after starting the listener socket. This allows an external load balancer time to register the instance as healthy."
default: 20
router.balancing_algorithm:
description: "Algorithm used to distribute requests for a route across backends. Supported values are round-robin and least-connection"
default: round-robin
router.number_of_cpus:
description: "Number of CPUs to utilize, the default (-1) will equal the number of available CPUs"
default: -1
router.debug_address:
description: "Address at which to serve debug info"
default: "0.0.0.0:17002"
router.secure_cookies:
description: "Set secure flag on http cookies"
default: false
router.drain_wait:
description: |
Delay in seconds after drain begins before server stops listening.
During this time the server will respond with 503 Service Unavailable to
requests having header
User-Agent: {Value of router.healthcheck_user_agent}.
This accommodates requests in transit sent during the time the health
check responded with `ok`.
default: 0
router.healthcheck_user_agent:
description: User-Agent for the health check agent (usually the Load Balancer).
example: "ELB-HealthChecker/1.0"
default: "HTTP-Monitor/1.1"
router.enable_ssl:
description: "When enabled, Gorouter will listen on port 443 and terminate TLS for requests received on this port."
default: false
router.dns_health_check_host:
description: "Host to ping for confirmation of DNS resolution, only used when Routing API is enabled"
default: "consul.service.cf.internal"
router.ssl_cert:
description: "The public ssl cert for ssl termination"
default: ""
router.ssl_key:
description: "The private ssl key for ssl termination"
default: ""
router.ssl_skip_validation:
description: "Skip validation of TLS certificates received from route services and UAA"
default: false
router.cipher_suites:
description:
An ordered list of supported SSL cipher suites containing golang tls constants separated by colons
The cipher suite will be chosen according to this order during SSL handshake
default: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA"
router.route_services_secret:
description: "Support for route services is disabled when no value is configured. A robust passphrase is recommended."
default: ""
router.route_services_secret_decrypt_only:
description: "To rotate keys, add your new key here and deploy. Then swap this key with the value of route_services_secret and deploy again."
default: ""
router.route_services_recommend_https:
description: "Route Services are told where to send requests after processing using the X-CF-Forwarded-Url header. When this property is true, the scheme for this URL is https. When false, the scheme is http. As requests from Route Services to applications on CF transit load balancers and gorouter, disable this property for deployments that have TLS termination disabled."
default: true
router.route_services_timeout:
description: "Expiry time of a route service signature in seconds"
default: 60
router.logrotate.freq_min:
description: "The frequency in minutes which logrotate will rotate VM logs"
default: 5
router.logrotate.rotate:
description: "The number of files that logrotate will keep around on the VM"
default: 7
router.logrotate.size:
description: "The size at which logrotate will decide to rotate the log file"
default: 2M
router.extra_headers_to_log:
description: "An array of headers that access log events will be annotated with"
default: []
router.logging_level:
description: "Log level for router"
default: "info"
router.enable_proxy:
description: "Enables support for the popular PROXY protocol, allowing downstream load balancers that do not support HTTP to pass along client information."
default: false
router.max_idle_connections:
default: 0
description: "Maximum total idle keepalive connections to backends. When 0, support for keepalive connections is disabled. Maximum idle connections per backend is 100."
router.force_forwarded_proto_https:
description: "Enables setting X-Forwarded-Proto header if SSL termination happened upstream and incorrectly set the header value. When this property is set to true gorouter sets the header X-Forwarded-Proto to https. When this value set to false, gorouter set the header X-Forwarded-Proto to the protocol of the incoming request"
default: false
router.tracing.enable_zipkin:
description: "Enables the addition of the X-B3-Trace-Id header to incoming requests. If the header already exists on the incoming request, it will not be overwritten."
default: false
nats.user:
description: User name for NATS authentication
example: nats
nats.password:
description: Password for NATS authentication
example: natSpa55w0rd
nats.port:
description: TCP port of NATS servers
example: 4222
nats.machines:
description: IPs of each NATS cluster member
example: |
- 192.168.50.123
- 192.168.52.123
router.offset:
description:
default: 0
router.trace_key:
description:
If the X-Vcap-Trace request header is set and has this value,
trace headers are added to the response.
default: 22
request_timeout_in_seconds:
description: "Timeout in seconds for Router -> Endpoint roundtrip."
default: 900
metron.port:
description: "The port used to emit dropsonde messages to the Metron agent."
default: 3457
uaa.clients.gorouter.secret:
description: "Password for UAA client for the gorouter."
uaa.token_endpoint:
description: "UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA."
default: uaa.service.cf.internal
uaa.ssl.port:
description: "Secure Port on which UAA is running."
routing_api.uri:
description: "URL where the routing API can be reached internally"
default: http://routing-api.service.cf.internal
routing_api.port:
description: "Port on which Routing API is running."
default: 3000
routing_api.auth_disabled:
description: "When false, Routing API requires OAuth tokens for authentication."
default: false
routing_api.enabled:
description: "When enabled, GoRouter will fetch HTTP routes from the Routing API in addition to routes obtained via NATS."
default: false
router.enable_access_log_streaming:
description: "Enables streaming of access log to syslog."
default: false
router.suspend_pruning_if_nats_unavailable:
description: |
Suspend pruning of routes when NATs is unavailable and maintain the
current routing table. WARNING: This strategy favors availability over
consistency and there is a possibility of routing to an incorrect
endpoint in the case of port re-use. To be used with caution."
default: false
uaa.ca_cert:
description : "Certificate authority for communication between clients and uaa."
default: ""