Applies to SUSE Cloud Application Platform 1.5.2

A Appendix

A.1 Manual Configuration of Pod Security Policies

SUSE Cloud Application Platform 1.3.1 introduces built-in support for Pod Security Policies (PSPs), which are provided via Helm charts and are set up automatically, unlike older releases which require manual PSP setup. SUSE CaaS Platform and Microsoft AKS both require PSPs for Cloud Application Platform to operate correctly. This section provides instructions for configuring and applying the appropriate PSPs to older Cloud Application Platform releases.

See the upstream documentation at https://kubernetes.io/docs/concepts/policy/pod-security-policy/, https://docs.cloudfoundry.org/concepts/roles.html, and https://docs.cloudfoundry.org/uaa/identity-providers.html#id-flow for more information on understanding and using PSPs.

Copy the following example into cap-psp-rbac.yaml:

---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: suse.cap.psp
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  # Privileged
  #default in suse.caasp.psp.unprivileged
  #privileged: false
  privileged: true
  # Volumes and File Systems
  volumes:
    # Kubernetes Pseudo Volume Types
    - configMap
    - secret
    - emptyDir
    - downwardAPI
    - projected
    - persistentVolumeClaim
    # Networked Storage
    - nfs
    - rbd
    - cephFS
    - glusterfs
    - fc
    - iscsi
    # Cloud Volumes
    - cinder
    - gcePersistentDisk
    - awsElasticBlockStore
    - azureDisk
    - azureFile
    - vsphereVolume
  allowedFlexVolumes: []
  # hostPath volumes are not allowed; pathPrefix must still be specified
  allowedHostPaths:
    - pathPrefix: /opt/kubernetes-hostpath-volumes
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation
  #default in suse.caasp.psp.unprivileged
  #allowPrivilegeEscalation: false
  allowPrivilegeEscalation: true
  #default in suse.caasp.psp.unprivileged
  #defaultAllowPrivilegeEscalation: false
  # Capabilities
  allowedCapabilities:
  - SYS_RESOURCE
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces
  hostPID: false
  hostIPC: false
  hostNetwork: false
  hostPorts:
  - min: 0
    max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: suse:cap:psp
rules:
- apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['suse.cap.psp']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cap:clusterrole
roleRef:
  kind: ClusterRole
  name: suse:cap:psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: default
  namespace: uaa
- kind: ServiceAccount
  name: default
  namespace: scf
- kind: ServiceAccount
  name: default
  namespace: stratos
- kind: ServiceAccount
  name: default-privileged
  namespace: scf
- kind: ServiceAccount
  name: node-reader
  namespace: scf

Apply it to your cluster with kubectl:

tux > kubectl create --filename cap-psp-rbac.yaml
podsecuritypolicy.extensions "suse.cap.psp" created
clusterrole.rbac.authorization.k8s.io "suse:cap:psp" created
clusterrolebinding.rbac.authorization.k8s.io "cap:clusterrole" created

Verify that the new PSPs exist by running the kubectl get psp command to list them. Then continue by deploying UAA and SCF. Ensure that your scf-config-values.yaml file specifies the name of your PSP in the kube: section. These settings grant privileged status to only a limited subset of roles.

kube:
  psp:
    privileged: "suse.cap.psp"
Tip

Note that the example cap-psp-rbac.yaml file sets the name of the PSP, which in the previous examples is suse.cap.psp.

A.1.1 Using Custom Pod Security Policies

When using a custom PSP, your scf-config-values.yaml file requires the SYS_RESOURCE capability to be added to the following roles:

sizing:
  cc_uploader:
    capabilities: ["SYS_RESOURCE"]
  diego_api:
    capabilities: ["SYS_RESOURCE"]
  diego_brain:
    capabilities: ["SYS_RESOURCE"]
  diego_ssh:
    capabilities: ["SYS_RESOURCE"]
  nats:
    capabilities: ["SYS_RESOURCE"]
  router:
    capabilities: ["SYS_RESOURCE"]
  routing_api:
    capabilities: ["SYS_RESOURCE"]
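
The following audit script is an added example, not SUSE's code and not part of this documentation. It embeds a constructed copy of the cap-psp-rbac.yaml manifest and the scf-config-values.yaml fragments above as Python dicts (trimmed to the audited fields, so no YAML library is needed), resolves which ServiceAccounts are granted use of the PSP, lists the PSP settings that widen pod privileges, and checks that kube.psp.privileged names a PSP in the manifest and that every sizing role's capabilities are within the PSP's allowedCapabilities. The function names are hypothetical.

```python
# Audit helper for the cap-psp-rbac.yaml / scf-config-values.yaml pairing above.
# Constructed example, not SUSE code: manifests are embedded as Python dicts that
# mirror the page's YAML so the script runs offline without a YAML library.
from typing import Dict, List

# Constructed from the page's cap-psp-rbac.yaml, trimmed to the fields audited.
CAP_PSP_RBAC_DOCS = [
    {"kind": "PodSecurityPolicy", "metadata": {"name": "suse.cap.psp"},
     "spec": {"privileged": True, "allowPrivilegeEscalation": True,
              "allowedCapabilities": ["SYS_RESOURCE"],
              "hostPID": False, "hostIPC": False, "hostNetwork": False,
              "hostPorts": [{"min": 0, "max": 65535}],
              "volumes": ["configMap", "secret", "emptyDir", "persistentVolumeClaim"]}},
    {"kind": "ClusterRole", "metadata": {"name": "suse:cap:psp"},
     "rules": [{"apiGroups": ["extensions"], "resources": ["podsecuritypolicies"],
                "verbs": ["use"], "resourceNames": ["suse.cap.psp"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cap:clusterrole"},
     "roleRef": {"kind": "ClusterRole", "name": "suse:cap:psp"},
     "subjects": [{"kind": "ServiceAccount", "name": n, "namespace": ns} for ns, n in
                  [("uaa", "default"), ("scf", "default"), ("stratos", "default"),
                   ("scf", "default-privileged"), ("scf", "node-reader")]]},
]

# Constructed from the page's scf-config-values.yaml fragments (A.1 and A.1.1).
SCF_CONFIG_VALUES = {
    "kube": {"psp": {"privileged": "suse.cap.psp"}},
    "sizing": {role: {"capabilities": ["SYS_RESOURCE"]} for role in
               ["cc_uploader", "diego_api", "diego_brain", "diego_ssh",
                "nats", "router", "routing_api"]},
}

PSP_API_GROUPS = {"extensions", "policy", "*"}  # API groups that serve PSPs


def psp_usable_by(docs) -> Dict[str, List[str]]:
    """Map each ServiceAccount ("namespace/name") to the PSPs it may 'use'.

    Resolves ClusterRoleBinding -> ClusterRole -> rules granting 'use' on
    podsecuritypolicies (cluster-scoped RBAC only, as in the page's manifest).
    """
    psp_by_role: Dict[str, List[str]] = {}
    for d in docs:
        if d.get("kind") != "ClusterRole":
            continue
        names: List[str] = []
        for rule in d.get("rules", []):
            if ("podsecuritypolicies" in rule.get("resources", [])
                    and set(rule.get("verbs", [])) & {"use", "*"}
                    and PSP_API_GROUPS & set(rule.get("apiGroups", []))):
                names.extend(rule.get("resourceNames", ["*"]))
        psp_by_role[d["metadata"]["name"]] = names
    result: Dict[str, List[str]] = {}
    for d in docs:
        if d.get("kind") != "ClusterRoleBinding" or d["roleRef"].get("kind") != "ClusterRole":
            continue
        for s in d.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                key = f"{s['namespace']}/{s['name']}"
                result.setdefault(key, []).extend(psp_by_role.get(d["roleRef"]["name"], []))
    return result


def risky_settings(spec) -> List[str]:
    """List PSP fields that widen pod privileges; the page's PSP sets several on purpose."""
    flags = [k for k in ("privileged", "hostPID", "hostIPC", "hostNetwork") if spec.get(k)]
    if spec.get("allowPrivilegeEscalation", True):  # the PSP default is true
        flags.append("allowPrivilegeEscalation")
    if any(p.get("min") == 0 and p.get("max") == 65535 for p in spec.get("hostPorts", [])):
        flags.append("hostPorts:0-65535")
    if "hostPath" in spec.get("volumes", []):
        flags.append("volumes:hostPath")
    flags.extend(f"cap:{c}" for c in spec.get("allowedCapabilities", []))
    return flags


def check_scf_values(values, docs) -> List[str]:
    """Cross-check scf-config-values.yaml against the manifest; returns the problems found."""
    psps = {d["metadata"]["name"]: d["spec"] for d in docs if d.get("kind") == "PodSecurityPolicy"}
    name = values.get("kube", {}).get("psp", {}).get("privileged")
    if name not in psps:
        return [f"kube.psp.privileged={name!r} does not name a PSP in the manifest"]
    allowed = set(psps[name].get("allowedCapabilities", []))
    problems = []
    for role, cfg in values.get("sizing", {}).items():
        missing = set(cfg.get("capabilities", [])) - allowed
        if missing:
            problems.append(f"sizing.{role} requests {sorted(missing)} not allowed by PSP {name}")
    return problems


if __name__ == "__main__":
    for sa, psps in sorted(psp_usable_by(CAP_PSP_RBAC_DOCS).items()):
        print(f"{sa:25} may use PSP(s): {psps}")
    print("suse.cap.psp widens:", risky_settings(CAP_PSP_RBAC_DOCS[0]["spec"]))
    print("scf-config-values problems:", check_scf_values(SCF_CONFIG_VALUES, CAP_PSP_RBAC_DOCS) or "none")
```

Against a live cluster the same checks can be driven from kubectl get psp,clusterrole,clusterrolebinding -o json instead of the embedded dicts.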

A.2 Complete suse/uaa values.yaml File

This is the complete output of helm inspect suse/uaa for the current SUSE Cloud Application Platform 1.5.2 release.

apiVersion: v1
appVersion: 1.5.2
description: A Helm chart for SUSE UAA
name: uaa
version: 2.20.3
scfVersion: 2.20.3+cf12.17.0.0.g7175b9de

---
---
kube:
  auth: "rbac"
  external_ips: []

  # Whether HostPath volume mounts are available
  hostpath_available: false

  limits:
    nproc:
      hard: ""
      soft: ""
  organization: "cap"
  psp:
    default: ~
  registry:
    hostname: "registry.suse.com"
    username: ""
    password: ""

  # Increment this counter to rotate all generated secrets
  secrets_generation_counter: 1

  storage_class:
    persistent: "persistent"
    shared: "shared"
config:
  # Flag to activate high-availability mode
  HA: false

  # Flag to verify instance counts against HA minimums
  HA_strict: true

  # Global memory configuration
  memory:
    # Flag to activate memory requests
    requests: false

    # Flag to activate memory limits
    limits: false

  # Global CPU configuration
  cpu:
    # Flag to activate cpu requests
    requests: false

    # Flag to activate cpu limits
    limits: false

  # Flag to specify whether to add Istio related annotations and labels
  use_istio: false

bosh:
  instance_groups: []
services:
  loadbalanced: false
secrets:
  # Administrator password for an external database server; this is required to
  # create the necessary databases. Only used if DB_EXTERNAL_HOST is set.
  #
  # This value is immutable and must not be changed once set.
  DB_EXTERNAL_PASSWORD: ~

  # A PEM-encoded TLS certificate for the Galera server.
  # This value uses a generated default.
  # This certificate uses the name "galera_server_certificate".
  GALERA_SERVER_CERT: ~

  # A PEM-encoded TLS key for the Galera server.
  GALERA_SERVER_CERT_KEY: ~

  # PEM-encoded CA certificate used to sign the TLS certificate used by all
  # components to secure their communications.
  # This value uses a generated default.
  INTERNAL_CA_CERT: ~

  # PEM-encoded CA key.
  INTERNAL_CA_CERT_KEY: ~

  # PEM-encoded JWT certificate.
  # This value uses a generated default.
  JWT_SIGNING_CERT: ~

  # PEM-encoded JWT signing key.
  JWT_SIGNING_CERT_KEY: ~

  # Password used for the monit API.
  # This value uses a generated default.
  MONIT_PASSWORD: ~

  # The password for the MySQL server admin user.
  # This value uses a generated default.
  MYSQL_ADMIN_PASSWORD: ~

  # The password for the cluster logger health user.
  # This value uses a generated default.
  MYSQL_CLUSTER_HEALTH_PASSWORD: ~

  # Password used to authenticate to the MySQL Galera healthcheck endpoint.
  # This value uses a generated default.
  MYSQL_GALERA_HEALTHCHECK_ENDPOINT_PASSWORD: ~

  # The password for Basic Auth used to secure the MySQL proxy API.
  # This value uses a generated default.
  MYSQL_PROXY_ADMIN_PASSWORD: ~

  # A PEM-encoded TLS certificate for the MySQL server.
  # This value uses a generated default.
  # This certificate uses the names "mysql-set.{{ .KUBERNETES_NAMESPACE
  # }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}" and "mysql-proxy-set.{{
  # .KUBERNETES_NAMESPACE }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}".
  MYSQL_SERVER_CERT: ~

  # A PEM-encoded TLS key for the MySQL server.
  MYSQL_SERVER_CERT_KEY: ~

  # PEM-encoded certificate
  # This value uses a generated default.
  # This certificate uses the name "saml-serviceprovider-cert".
  SAML_SERVICEPROVIDER_CERT: ~

  # PEM-encoded key.
  SAML_SERVICEPROVIDER_CERT_KEY: ~

  # The password for access to the UAA database.
  # This value uses a generated default.
  UAADB_PASSWORD: ~

  # The password of the admin client - a client named admin with uaa.admin as an
  # authority.
  UAA_ADMIN_CLIENT_SECRET: ~

  # The server's ssl certificate. The default is a self-signed certificate and
  # should always be replaced for production deployments.
  # This value uses a generated default.
  # This certificate uses the role name "uaa" and the additional names
  # "uaa.{{.DOMAIN}}" and "*.uaa.{{.DOMAIN}}".
  UAA_SERVER_CERT: ~

  # The server's ssl private key. Only passphrase-less keys are supported.
  UAA_SERVER_CERT_KEY: ~

env:
  # Expiration for generated certificates (in days)
  CERT_EXPIRATION: "10950"

  # Database driver to use for the external database server used to manage the
  # UAA-internal database. Only used if DB_EXTERNAL_HOST is set. Currently only
  # `mysql` is valid.
  DB_EXTERNAL_DRIVER: "mysql"

  # Hostname for an external database server to use for the UAA-internal
  # database If not set, the internal database is used.
  DB_EXTERNAL_HOST: ~

  # Port for an external database server to use for the UAA-internal database.
  # Only used if DB_EXTERNAL_HOST is set.
  DB_EXTERNAL_PORT: "3306"

  # TLS configuration for the external database server to use for the
  # UAA-internal database. Only used if DB_EXTERNAL_HOST is set. Valid values
  # depend on which database driver is in use.
  DB_EXTERNAL_SSL_MODE: ~

  # Administrator user name for an external database server; this is required to
  # create the necessary databases. Only used if DB_EXTERNAL_HOST is set.
  DB_EXTERNAL_USER: ~

  # A suffix that has to be appended to every user name for the external
  # database; usually '@host'. Only used if DB_EXTERNAL_HOST is set.
  DB_EXTERNAL_USER_HOST_SUFFIX: ""

  # Base domain name of the UAA endpoint; `uaa.${DOMAIN}` must be correctly
  # configured to point to this UAA instance.
  DOMAIN: ~

  KUBERNETES_CLUSTER_DOMAIN: ~

  # The cluster's log level: off, fatal, error, warn, info, debug, debug1,
  # debug2.
  LOG_LEVEL: "info"

  # The log destination to talk to. This has to point to a syslog server.
  SCF_LOG_HOST: ~

  # The port used by rsyslog to talk to the log destination. It defaults to 514,
  # the standard port of syslog.
  SCF_LOG_PORT: "514"

  # The protocol used by rsyslog to talk to the log destination. The allowed
  # values are tcp, and udp. The default is tcp.
  SCF_LOG_PROTOCOL: "tcp"

  # If true, authenticate against the SMTP server using AUTH command. See
  # https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html
  SMTP_AUTH: "false"

  # SMTP from address, for password reset emails etc.
  SMTP_FROM_ADDRESS: ~

  # SMTP server host address, for password reset emails etc.
  SMTP_HOST: ~

  # SMTP server password, for password reset emails etc.
  SMTP_PASSWORD: ~

  # SMTP server port, for password reset emails etc.
  SMTP_PORT: "25"

  # If true, send STARTTLS command before logging in to SMTP server. See
  # https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html
  SMTP_STARTTLS: "false"

  # SMTP server username, for password reset emails etc.
  SMTP_USER: ~

  # Use TLS connection for UAA database.
  # Valid options are:
  # enabled (use TLS with full certificate validation),
  # enabled_skip_hostname_validation (use TLS but skip validation of common and
  # alt names in the host certificate),
  # enabled_skip_all_validation (use TLS but do not validate anything about the
  # host certificate),
  # disabled (do not use TLS)
  UAADB_TLS: "enabled"

  # The TCP port to report as the public port for the UAA server (root zone).
  UAA_PUBLIC_PORT: "2793"

# The sizing section contains configuration to change each individual instance
# group. Due to limitations on the allowable names, any dashes ("-") in the
# instance group names are replaced with underscores ("_").
sizing:
  # The configgin-helper instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - configgin-helper: Copy configgin service account token to secret
  configgin_helper:
    # Node affinity rules can be specified here
    affinity: {}

    # The configgin_helper instance group can scale between 1 and 65535
    # instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 1000
      limit: ~

    # Unit [MiB]
    memory:
      request: 64
      limit: ~

  # The mysql instance group contains the following jobs:
  #
  # - global-uaa-properties: Dummy BOSH job used to host global parameters that
  #   are required to configure SCF / fissile
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # Also: pxc-mysql, galera-agent, gra-log-purger, cluster-health-logger,
  # bootstrap, mysql, and bpm
  mysql:
    # Node affinity rules can be specified here
    affinity: {}

    # The mysql instance group is enabled by the mysql feature.
    # It can scale between 1 and 7 instances.
    # The instance count must be an odd number (not divisible by 2).
    # For high availability it needs at least 3 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    disk_sizes:
      mysql_data: 20

    # Unit [MiB]
    memory:
      request: 2500
      limit: ~

  # The mysql-proxy instance group contains the following jobs:
  #
  # - global-uaa-properties: Dummy BOSH job used to host global parameters that
  #   are required to configure SCF / fissile
  #
  # - switchboard-leader: Job to host the active/passive probe for mysql
  #   switchboard and leader election
  #
  # Also: bpm and proxy
  mysql_proxy:
    # Node affinity rules can be specified here
    affinity: {}

    # The mysql_proxy instance group is enabled by the mysql feature.
    # It can scale between 1 and 5 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 2500
      limit: ~

  # The post-deployment-setup instance group contains the following jobs:
  #
  # - global-uaa-properties: Dummy BOSH job used to host global parameters that
  #   are required to configure SCF / fissile
  #
  # - database-seeder: When using an external database server, seed it with the
  #   necessary databases.
  post_deployment_setup:
    # Node affinity rules can be specified here
    affinity: {}

    # The post_deployment_setup instance group cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 1000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The secret-generation instance group contains the following jobs:
  #
  # - generate-secrets: This job will generate the secrets for the cluster
  secret_generation:
    # Node affinity rules can be specified here
    affinity: {}

    # The secret_generation instance group cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 1000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The uaa instance group contains the following jobs:
  #
  # - global-uaa-properties: Dummy BOSH job used to host global parameters that
  #   are required to configure SCF / fissile
  #
  # - uaa: The UAA is the identity management service for Cloud Foundry. It's
  #   primary role is as an OAuth2 provider, issuing tokens for client
  #   applications to use when they act on behalf of Cloud Foundry users. It can
  #   also authenticate users with their Cloud Foundry credentials, and can act
  #   as an SSO service using those credentials (or others). It has endpoints
  #   for managing user accounts and for registering OAuth2 clients, as well as
  #   various other management functions.
  #
  # - wait-for-database: This is a pre-start job to delay starting the rest of
  #   the role until a database connection is ready. Currently it only checks
  #   that a response can be obtained from the server, and not that it responds
  #   intelligently.
  #
  #
  # Also: bpm
  uaa:
    # Node affinity rules can be specified here
    affinity: {}

    # The uaa instance group can scale between 1 and 65535 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 2100
      limit: ~

enable:
  # The mysql feature enables these instance groups: mysql and mysql_proxy
  mysql: true
ingress:
  # ingress.annotations allows specifying custom ingress annotations that gets
  # merged to the default annotations.
  annotations: {}

  # ingress.enabled enables ingress support - working ingress controller
  # necessary.
  enabled: false

  # ingress.tls.crt and ingress.tls.key, when specified, are used by the TLS
  # secret for the Ingress resource.
  tls: {}

A.3 Complete suse/scf values.yaml File

This is the complete output of helm inspect suse/cf for the current SUSE Cloud Application Platform 1.5.2 release.

apiVersion: v1
appVersion: 1.5.2
description: A Helm chart for SUSE Cloud Foundry
name: cf
version: 2.20.3
scfVersion: 2.20.3+cf12.17.0.0.g7175b9de

---
---
kube:
  auth: "rbac"
  external_ips: []

  # Whether HostPath volume mounts are available
  hostpath_available: false

  limits:
    nproc:
      hard: ""
      soft: ""
  organization: "cap"
  psp:
    default: ~
  registry:
    hostname: "registry.suse.com"
    username: ""
    password: ""

  # Increment this counter to rotate all generated secrets
  secrets_generation_counter: 1

  storage_class:
    persistent: "persistent"
    shared: "shared"
config:
  # Flag to activate high-availability mode
  HA: false

  # Flag to verify instance counts against HA minimums
  HA_strict: true

  # Global memory configuration
  memory:
    # Flag to activate memory requests
    requests: false

    # Flag to activate memory limits
    limits: false

  # Global CPU configuration
  cpu:
    # Flag to activate cpu requests
    requests: false

    # Flag to activate cpu limits
    limits: false

  # Flag to specify whether to add Istio related annotations and labels
  use_istio: false

bosh:
  instance_groups: []
services:
  loadbalanced: false
secrets:
  # PEM encoded RSA private key used to identify host.
  # This value uses a generated default.
  APP_SSH_KEY: ~

  # MD5 fingerprint of the host key of the SSH proxy that brokers connections to
  # application instances.
  APP_SSH_KEY_FINGERPRINT: ~

  # PEM-encoded certificate
  # This value uses a generated default.
  # This certificate uses the name "auctioneer-rep-cert".
  AUCTIONEER_REP_CERT: ~

  # PEM-encoded key
  AUCTIONEER_REP_CERT_KEY: ~

  # PEM-encoded server certificate
  # This value uses a generated default.
  # This certificate uses the role name "diego-brain-auctioneer".
  AUCTIONEER_SERVER_CERT: ~

  # PEM-encoded server key
  AUCTIONEER_SERVER_CERT_KEY: ~

  # A PEM-encoded TLS certificate of the Autoscaler API public https server.
  # This includes the Autoscaler ApiServer and the Service Broker.
  # This value uses a generated default.
  # This certificate uses the names "autoscaler.{{.DOMAIN}}" and "localhost".
  AUTOSCALER_ASAPI_PUBLIC_SERVER_CERT: ~

  # A PEM-encoded TLS key of the Autoscaler API public https server. This
  # includes the Autoscaler ApiServer and the Service Broker.
  AUTOSCALER_ASAPI_PUBLIC_SERVER_CERT_KEY: ~

  # A PEM-encoded TLS certificate of the Autoscaler API https server. This
  # includes the Autoscaler ApiServer and the Service Broker.
  # This value uses a generated default.
  # This certificate uses the names
  # "autoscaler-api-apiserver.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}"
  # and "localhost".
  AUTOSCALER_ASAPI_SERVER_CERT: ~

  # A PEM-encoded TLS key of the Autoscaler API https server. This includes the
  # Autoscaler ApiServer and the Service Broker.
  AUTOSCALER_ASAPI_SERVER_CERT_KEY: ~

  # A PEM-encoded TLS certificate for clients to connect to the Autoscaler
  # Metrics. This includes the Autoscaler Metrics Collector and Event Generator.
  # This value uses a generated default.
  # This certificate uses the name "autoscaler-asmetrics-client-cert".
  AUTOSCALER_ASMETRICS_CLIENT_CERT: ~

  # A PEM-encoded TLS key for clients to connect to the Autoscaler Metrics. This
  # includes the Autoscaler Metrics Collector and Event Generator.
  AUTOSCALER_ASMETRICS_CLIENT_CERT_KEY: ~

  # A PEM-encoded TLS certificate of the Autoscaler Metrics https server. This
  # includes the Autoscaler Metrics Collector.
  # This value uses a generated default.
  # This certificate uses the names
  # "autoscaler-metrics-metricscollector.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}",
  # "autoscaler-metrics-eventgenerator.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}",
  # and "localhost".
  AUTOSCALER_ASMETRICS_SERVER_CERT: ~

  # A PEM-encoded TLS key of the Autoscaler Metrics https server. This includes
  # the Autoscaler Metrics Collector.
  AUTOSCALER_ASMETRICS_SERVER_CERT_KEY: ~

  # The password for the Autoscaler postgres database.
  # This value uses a generated default.
  AUTOSCALER_DB_PASSWORD: ~

  # A PEM-encoded TLS certificate for clients to connect to the Autoscaler
  # Scaling Engine.
  # This value uses a generated default.
  # This certificate uses the name "autoscaler-scaling-engine-client-cert".
  AUTOSCALER_SCALING_ENGINE_CLIENT_CERT: ~

  # A PEM-encoded TLS key for clients to connect to the Autoscaler Scaling
  # Engine.
  AUTOSCALER_SCALING_ENGINE_CLIENT_CERT_KEY: ~

  # A PEM-encoded TLS certificate of the Autoscaler Scaling Engine https server.
  # This value uses a generated default.
  # This certificate uses the names
  # "autoscaler-actors-scalingengine.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}"
  # and "localhost".
  AUTOSCALER_SCALING_ENGINE_SERVER_CERT: ~

  # A PEM-encoded TLS key of the Autoscaler Scaling Engine https server.
  AUTOSCALER_SCALING_ENGINE_SERVER_CERT_KEY: ~

  # A PEM-encoded TLS certificate for clients to connect to the Autoscaler
  # Scheduler.
  # This value uses a generated default.
  # This certificate uses the name "autoscaler-scheduler-client-cert".
  AUTOSCALER_SCHEDULER_CLIENT_CERT: ~

  # A PEM-encoded TLS key for clients to connect to the Autoscaler Scheduler.
  AUTOSCALER_SCHEDULER_CLIENT_CERT_KEY: ~

  # A PEM-encoded TLS certificate of the Autoscaler Scheduler https server.
  # This value uses a generated default.
  # This certificate uses the names
  # "autoscaler-actors-scheduler.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}"
  # and "localhost".
  AUTOSCALER_SCHEDULER_SERVER_CERT: ~

  # A PEM-encoded TLS key of the Autoscaler Scheduler https server.
  AUTOSCALER_SCHEDULER_SERVER_CERT_KEY: ~

  # the uaa client secret used by Autoscaler.
  # This value uses a generated default.
  AUTOSCALER_UAA_CLIENT_SECRET: ~

  # PEM-encoded certificate
  # This value uses a generated default.
  # This certificate uses the name "bbs-auctioneer-cert".
  BBS_AUCTIONEER_CERT: ~

  # PEM-encoded key
  BBS_AUCTIONEER_CERT_KEY: ~

  # PEM-encoded client certificate.
  # This value uses a generated default.
  # This certificate uses the name "bbs-client-crt".
  BBS_CLIENT_CRT: ~

  # PEM-encoded client key.
  BBS_CLIENT_CRT_KEY: ~

  # PEM-encoded certificate
  # This value uses a generated default.
  # This certificate uses the name "bbs-rep-cert".
  BBS_REP_CERT: ~

  # PEM-encoded key
  BBS_REP_CERT_KEY: ~

  # PEM-encoded client certificate.
  # This value uses a generated default.
  # This certificate uses the role name "diego-api-bbs".
  BBS_SERVER_CRT: ~

  # PEM-encoded client key.
  BBS_SERVER_CRT_KEY: ~

  # This is the key secret Bits-Service uses and clients should use to generate
  # signed URLs.
  # This value uses a generated default.
  BITS_SERVICE_SECRET: ~

  # PEM-encoded client certificate.
  # This value uses a generated default.
  # This certificate uses the name "127.0.0.1".
  BITS_SERVICE_SSL_CERT: ~

  # PEM-encoded client key.
  BITS_SERVICE_SSL_CERT_KEY: ~

  # The basic auth password that Cloud Controller uses to connect to the
  # blobstore server. Auto-generated if not provided. Passwords must be
  # alphanumeric (URL-safe).
  # This value uses a generated default.
  BLOBSTORE_PASSWORD: ~

  # The secret used for signing URLs between Cloud Controller and blobstore.
  # This value uses a generated default.
  BLOBSTORE_SECURE_LINK: ~

  # The PEM-encoded certificate (optionally as a certificate chain) for serving
  # blobs over TLS/SSL.
  # This value uses a generated default.
  # This certificate uses the role name "blobstore-blobstore".
  BLOBSTORE_TLS_CERT: ~

  # The PEM-encoded private key for signing TLS/SSL traffic.
  BLOBSTORE_TLS_CERT_KEY: ~

  # The password for the bulk api.
  # This value uses a generated default.
  BULK_API_PASSWORD: ~

  # A map of labels and encryption keys
  CC_DB_ENCRYPTION_KEYS: "~"

  # The PEM-encoded certificate for secure TLS communication over external
  # endpoints.
  # This value uses a generated default.
  # This certificate uses the names "api", "api-set", "api-set.{{
  # .KUBERNETES_NAMESPACE }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}", and "api.{{
  # .KUBERNETES_NAMESPACE }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}".
  CC_PUBLIC_TLS_CERT: ~

  # The PEM-encoded key for secure TLS communication over external endpoints.
  CC_PUBLIC_TLS_CERT_KEY: ~

  # The PEM-encoded certificate for internal cloud controller traffic.
  # This value uses a generated default.
  # This certificate uses the role name "api".
  CC_SERVER_CRT: ~

  # The PEM-encoded private key for internal cloud controller traffic.
  CC_SERVER_CRT_KEY: ~

  # The PEM-encoded certificate for internal cloud controller uploader traffic.
  # This value uses a generated default.
  # This certificate uses the role name "cc-uploader-cc-uploader".
  CC_UPLOADER_CRT: ~

  # The PEM-encoded private key for internal cloud controller uploader traffic.
  CC_UPLOADER_CRT_KEY: ~

  # PEM-encoded broker server certificate.
  # This value uses a generated default.
  # This certificate uses the role name "cf-usb".
  CF_USB_BROKER_SERVER_CERT: ~

  # PEM-encoded broker server key.
  CF_USB_BROKER_SERVER_CERT_KEY: ~

  # The password for access to the Universal Service Broker.
  # This value uses a generated default.
  # Example: "password"
  CF_USB_PASSWORD: ~

  # The password for the cluster administrator.
  CLUSTER_ADMIN_PASSWORD: ~

  # CA trusted for making TLS connections to targeted database server.
  CREDHUB_DB_CA_CERT: ~

  # PEM-encoded server certificate
  # This value uses a generated default.
  # This certificate uses the names "credhub-set" and
  # "server.dc1.{{.KUBERNETES_NAMESPACE}}.svc.{{.KUBERNETES_CLUSTER_DOMAIN}}".
  CREDHUB_SERVER_CERT: ~

  # PEM-encoded server key
  CREDHUB_SERVER_CERT_KEY: ~

  # Administrator password for an external database server; this is required to
  # create the necessary databases. Only used if DB_EXTERNAL_HOST is set.
  #
  # This value is immutable and must not be changed once set.
  DB_EXTERNAL_PASSWORD: ~

  # PEM-encoded client certificate
  # This value uses a generated default.
  # This certificate uses the names "locket-locket.{{.KUBERNETES_NAMESPACE}}"
  # and "127.0.0.1".
  DIEGO_CLIENT_CERT: ~

  # PEM-encoded client key
  DIEGO_CLIENT_CERT_KEY: ~

  # PEM-encoded certificate.
  # This value uses a generated default.
  # This certificate uses the names "doppler", "log-cache", and "metron".
  DOPPLER_CERT: ~

  # PEM-encoded key.
  DOPPLER_CERT_KEY: ~

  # TLS certificate for Eirini server
  # This value uses a generated default.
  # This certificate uses the name "eirini-client-crt".
  EIRINI_CLIENT_CRT: ~

  # Private key associated with TLS certificate for Eirini server
  EIRINI_CLIENT_CRT_KEY: ~

  # Basic auth password to verify on incoming Service Broker requests
  # This value uses a generated default.
  EIRINI_PERSI_NFS_BROKER_PASSWORD: ~

  # Basic auth user password for registry
  # This value uses a generated default.
  EIRINI_REGISTRY_PASSWORD: ~

  # TLS certificate for Eirini server
  # This value uses a generated default.
  # This certificate uses the name "eirini-opi.{{ .KUBERNETES_NAMESPACE
  # }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}".
  EIRINI_SERVER_CERT: ~

  # Private key associated with TLS certificate for Eirini server
  EIRINI_SERVER_CERT_KEY: ~

  # PEM-encoded tls certificate that can be used for server auth.
  # This value uses a generated default.
  # This certificate uses the role name "diego-access".
  FILE_SERVER_CERT: ~

  # A PEM-encoded TLS key for the file server.
  FILE_SERVER_CERT_KEY: ~

  # A PEM-encoded TLS certificate for the Galera server.
  # This value uses a generated default.
  # This certificate uses the name "galera_server_certificate".
  GALERA_SERVER_CERT: ~

  # A PEM-encoded TLS key for the Galera server.
  GALERA_SERVER_CERT_KEY: ~

  # Basic auth password for access to the Cloud Controller's internal API.
  # This value uses a generated default.
  INTERNAL_API_PASSWORD: ~

  # PEM-encoded CA certificate used to sign the TLS certificate used by all
  # components to secure their communications.
  # This value uses a generated default.
  INTERNAL_CA_CERT: ~

  # PEM-encoded CA key.
  INTERNAL_CA_CERT_KEY: ~

  # PEM-encoded JWT certificate.
  # This value uses a generated default.
  JWT_SIGNING_CERT: ~

  # PEM-encoded JWT signing key.
  JWT_SIGNING_CERT_KEY: ~

  # PEM-encoded certificate.
  # This value uses a generated default.
  # This certificate uses the names "localhost" and "metron".
  LOGGREGATOR_AGENT_CERT: ~

  # PEM-encoded key.
  LOGGREGATOR_AGENT_CERT_KEY: ~

  # PEM-encoded client certificate for loggregator mutual authentication
  # This value uses a generated default.
  # This certificate uses the name "loggregator-client-cert".
  LOGGREGATOR_CLIENT_CERT: ~

  # PEM-encoded client key for loggregator mutual authentication
  LOGGREGATOR_CLIENT_CERT_KEY: ~

  # PEM-encoded client certificate for loggregator forwarder authentication
  # This value uses a generated default.
  # This certificate uses the name "loggregator-forward-cert".
  LOGGREGATOR_FORWARD_CERT: ~

  # PEM-encoded client key for loggregator forwarder authentication
  LOGGREGATOR_FORWARD_CERT_KEY: ~

  # TLS cert for outgoing dropsonde connection
  # This value uses a generated default.
  # This certificate uses the names "doppler" and
  # "log-api-loggregator-trafficcontroller.{{ .KUBERNETES_NAMESPACE }}.svc.{{
  # .KUBERNETES_CLUSTER_DOMAIN }}".
  LOGGREGATOR_OUTGOING_CERT: ~

  # TLS key for outgoing dropsonde connection
  LOGGREGATOR_OUTGOING_CERT_KEY: ~

  # PEM-encoded certificate.
  # This value uses a generated default.
  # This certificate uses the names "log-cache" and "localhost".
  LOG_CACHE_CERT: ~

  # PEM-encoded key.
  LOG_CACHE_CERT_KEY: ~

  # The TLS cert for the auth proxy.
  # This value uses a generated default.
  # This certificate uses the names "log-cache" and "localhost".
  LOG_CACHE_CF_AUTH_PROXY_EXTERNAL_CERT: ~

  # The TLS key for the auth proxy.
  LOG_CACHE_CF_AUTH_PROXY_EXTERNAL_CERT_KEY: ~

  # PEM-encoded certificate.
  # This value uses a generated default.
  # This certificate uses the names "log-cache" and "localhost".
  LOG_CACHE_GATEWAY_PROXY_CERT: ~

  # PEM-encoded key.
  LOG_CACHE_GATEWAY_PROXY_CERT_KEY: ~

  # PEM-encoded certificate.
  # This value uses a generated default.
  # This certificate uses the names "metrics_server" and "localhost".
  METRICS_CERT: ~

  # PEM-encoded key.
  METRICS_CERT_KEY: ~

  # Password used for the monit API.
  # This value uses a generated default.
  MONIT_PASSWORD: ~

  # The password for the MySQL server admin user.
  # This value uses a generated default.
  MYSQL_ADMIN_PASSWORD: ~

  # The password for access to the Cloud Controller database.
  # This value uses a generated default.
  MYSQL_CCDB_ROLE_PASSWORD: ~

  # The password for access to the usb config database.
  # This value uses a generated default.
  # Example: "password"
  MYSQL_CF_USB_PASSWORD: ~

  # The password for the cluster logger health user.
  # This value uses a generated default.
  MYSQL_CLUSTER_HEALTH_PASSWORD: ~

  # The password for access to the credhub-user database.
  # This value uses a generated default.
  MYSQL_CREDHUB_USER_PASSWORD: ~

  # Database password for the diego locket service.
  # This value uses a generated default.
  MYSQL_DIEGO_LOCKET_PASSWORD: ~

  # The password for access to MySQL by diego.
  # This value uses a generated default.
  MYSQL_DIEGO_PASSWORD: ~

  # Password used to authenticate to the MySQL Galera healthcheck endpoint.
  # This value uses a generated default.
  MYSQL_GALERA_HEALTHCHECK_ENDPOINT_PASSWORD: ~

  # Database password for storing broker state for the Persi NFS Broker
  # This value uses a generated default.
  MYSQL_PERSI_NFS_PASSWORD: ~

  # The password for Basic Auth used to secure the MySQL proxy API.
  # This value uses a generated default.
  MYSQL_PROXY_ADMIN_PASSWORD: ~

  # The password for access to MySQL by the routing-api
  # This value uses a generated default.
  MYSQL_ROUTING_API_PASSWORD: ~

  # A PEM-encoded TLS certificate for the MySQL server.
  # This value uses a generated default.
  # This certificate uses the names "mysql-set.{{ .KUBERNETES_NAMESPACE
  # }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}" and "mysql-proxy-set.{{
  # .KUBERNETES_NAMESPACE }}.svc.{{ .KUBERNETES_CLUSTER_DOMAIN }}".
  MYSQL_SERVER_CERT: ~

  # A PEM-encoded TLS key for the MySQL server.
  MYSQL_SERVER_CERT_KEY: ~

  # The password for access to NATS.
  # This value uses a generated default.
  NATS_PASSWORD: ~

  # Basic auth password to verify on incoming Service Broker requests
  # This value uses a generated default.
  PERSI_NFS_BROKER_PASSWORD: ~

  # LDAP service account password (required for LDAP integration only)
  PERSI_NFS_DRIVER_LDAP_PASSWORD: "-"

  # PEM-encoded prom_scraper certificate
  # This value uses a generated default.
  # This certificate uses the role name "prom_scraper_metrics".
  PROM_SCRAPER_METRICS_TLS_CERT: ~

  # PEM-encoded prom_scraper key
  PROM_SCRAPER_METRICS_TLS_CERT_KEY: ~

  # PEM-encoded prom_scraper certificate
  # This value uses a generated default.
  # This certificate uses the name "prom-scraper-scrape-tls-cert".
  PROM_SCRAPER_SCRAPE_TLS_CERT: ~

  # PEM-encoded prom_scraper key
  PROM_SCRAPER_SCRAPE_TLS_CERT_KEY: ~

  # PEM-encoded server certificate
  # This value uses a generated default.
  # This certificate uses the role name "diego-cell" and the additional name
  # "127.0.0.1".
  REP_SERVER_CERT: ~

  # PEM-encoded server key
  REP_SERVER_CERT_KEY: ~

  # PEM-encoded certificate
  # This value uses a generated default.
  # This certificate uses the names "log-stream", "log-stream.((DOMAIN))",
  # "rlp-gateway",
  # "rlp-gateway.((KUBERNETES_NAMESPACE)).svc.((KUBERNETES_CLUSTER_DOMAIN))",
  # "log-api", and
  # "log-api.((KUBERNETES_NAMESPACE)).svc.((KUBERNETES_CLUSTER_DOMAIN))".
  RLP_GATEWAY_CERT: ~

  # PEM-encoded key.
  RLP_GATEWAY_CERT_KEY: ~

  # Support for route services is disabled when no value is configured. A robust
  # passphrase is recommended.
  # This value uses a generated default.
  ROUTER_SERVICES_SECRET: ~

  # The public ssl cert for ssl termination. Will be ignored if ROUTER_TLS_PEM
  # is set.
  # This value uses a generated default.
  # This certificate uses the name "*.{{.DOMAIN}}".
  ROUTER_SSL_CERT: ~

  # The private ssl key for ssl termination. Will be ignored if ROUTER_TLS_PEM
  # is set.
  ROUTER_SSL_CERT_KEY: ~

  # Password for HTTP basic auth to the varz/status endpoint.
  # This value uses a generated default.
  ROUTER_STATUS_PASSWORD: ~

  # Array of private keys and certificates used for TLS handshakes with
  # downstream clients. Each element in the array is an object containing fields
  # 'private_key' and 'cert_chain', each of which supports a PEM block. This
  # setting overrides ROUTER_SSL_CERT and ROUTER_SSL_CERT_KEY.
  # Example:
  #   - cert_chain: |
  #       -----BEGIN CERTIFICATE-----
  #       -----END CERTIFICATE-----
  #       -----BEGIN CERTIFICATE-----
  #       -----END CERTIFICATE-----
  #     private_key: |
  #       -----BEGIN RSA PRIVATE KEY-----
  #       -----END RSA PRIVATE KEY-----
  ROUTER_TLS_PEM: ~

  # PEM-encoded routing api mtls client certificate.
  # This value uses a generated default.
  # This certificate uses the role name "cf-usb".
  ROUTING_API_MTLS_CLIENT_CERT: ~

  # PEM-encoded routing api mtls client key.
  ROUTING_API_MTLS_CLIENT_CERT_KEY: ~

  # PEM-encoded routing api mtls server certificate.
  # This value uses a generated default.
  # This certificate uses the role name "cf-usb".
  ROUTING_API_MTLS_SERVER_CERT: ~

  # PEM-encoded routing api mtls server key.
  ROUTING_API_MTLS_SERVER_CERT_KEY: ~

  # PEM-encoded certificate
  # This value uses a generated default.
  # This certificate uses the name "saml-serviceprovider-cert".
  SAML_SERVICEPROVIDER_CERT: ~

  # PEM-encoded key.
  SAML_SERVICEPROVIDER_CERT_KEY: ~

  # The password for access to the uploader of staged droplets.
  # This value uses a generated default.
  STAGING_UPLOAD_PASSWORD: ~

  # PEM-encoded certificate
  # This value uses a generated default.
  # This certificate uses the name "adapter".
  SYSLOG_ADAPT_CERT: ~

  # PEM-encoded key.
  SYSLOG_ADAPT_CERT_KEY: ~

  # PEM-encoded certificate
  # This value uses a generated default.
  # This certificate uses the names "syslog_rlp" and "reverselogproxy".
  SYSLOG_RLP_CERT: ~

  # PEM-encoded key.
  SYSLOG_RLP_CERT_KEY: ~

  # PEM-encoded certificate
  # This value uses a generated default.
  # This certificate uses the name "syslog-sched-cert".
  SYSLOG_SCHED_CERT: ~

  # PEM-encoded key.
  SYSLOG_SCHED_CERT_KEY: ~

  # PEM-encoded client certificate for internal communication between the cloud
  # controller and TPS.
  # This value uses a generated default.
  # This certificate uses the name "tps-cc-client-crt".
  TPS_CC_CLIENT_CRT: ~

  # PEM-encoded client key for internal communication between the cloud
  # controller and TPS.
  TPS_CC_CLIENT_CRT_KEY: ~

  # PEM-encoded certificate for communication with the traffic controller of the
  # log infrastructure.
  # This value uses a generated default.
  # This certificate uses the name "trafficcontroller-cert".
  TRAFFICCONTROLLER_CERT: ~

  # PEM-encoded key for communication with the traffic controller of the log
  # infrastructure.
  TRAFFICCONTROLLER_CERT_KEY: ~

  # The password for access to the UAA database.
  # This value uses a generated default.
  UAADB_PASSWORD: ~

  # The password of the admin client - a client named admin with uaa.admin as an
  # authority.
  UAA_ADMIN_CLIENT_SECRET: ~

  # The CA certificate for UAA
  UAA_CA_CERT: ~

  # The password for UAA access by the Routing API.
  # This value uses a generated default.
  UAA_CLIENTS_CC_ROUTING_SECRET: ~

  # Used for third party service dashboard SSO.
  # This value uses a generated default.
  UAA_CLIENTS_CC_SERVICE_DASHBOARDS_CLIENT_SECRET: ~

  # Used for fetching service key values from CredHub.
  # This value uses a generated default.
  UAA_CLIENTS_CC_SERVICE_KEY_CLIENT_SECRET: ~

  # Client secret for the CF smoke tests job
  # This value uses a generated default.
  UAA_CLIENTS_CF_SMOKE_TESTS_CLIENT_SECRET: ~

  # The password for UAA access by the Universal Service Broker.
  # This value uses a generated default.
  UAA_CLIENTS_CF_USB_SECRET: ~

  # The password for UAA access by the Cloud Controller for fetching usernames.
  # This value uses a generated default.
  UAA_CLIENTS_CLOUD_CONTROLLER_USERNAME_LOOKUP_SECRET: ~

  # The password for UAA access by the client for the user-accessible credhub
  # This value uses a generated default.
  UAA_CLIENTS_CREDHUB_USER_CLI_SECRET: ~

  # The password for UAA access by the SSH proxy.
  # This value uses a generated default.
  UAA_CLIENTS_DIEGO_SSH_PROXY_SECRET: ~

  # The password for UAA access by doppler.
  # This value uses a generated default.
  UAA_CLIENTS_DOPPLER_SECRET: ~

  # The password for UAA access by the gorouter.
  # This value uses a generated default.
  UAA_CLIENTS_GOROUTER_SECRET: ~

  # The OAuth client secret used by the routing-api.
  # This value uses a generated default.
  UAA_CLIENTS_ROUTING_API_CLIENT_SECRET: ~

  # The password for UAA access by the task creating the cluster administrator
  # user
  # This value uses a generated default.
  UAA_CLIENTS_SCF_AUTO_CONFIG_SECRET: ~

  # The password for UAA access by the TCP emitter.
  # This value uses a generated default.
  UAA_CLIENTS_TCP_EMITTER_SECRET: ~

  # The password for UAA access by the TCP router.
  # This value uses a generated default.
  UAA_CLIENTS_TCP_ROUTER_SECRET: ~

  # The server's ssl certificate. The default is a self-signed certificate and
  # should always be replaced for production deployments.
  # This value uses a generated default.
  # This certificate uses the role name "uaa" and the additional names
  # "uaa.{{.DOMAIN}}" and "*.uaa.{{.DOMAIN}}".
  UAA_SERVER_CERT: ~

  # The server's ssl private key. Only passphrase-less keys are supported.
  UAA_SERVER_CERT_KEY: ~

env:
  # The number of times Ginkgo will run a CATS test before treating it as a
  # failure. Individual failed runs will still be reported in the test output.
  ACCEPTANCE_TEST_FLAKE_ATTEMPTS: "3"

  # The number of parallel test executors to spawn for Cloud Foundry acceptance
  # tests. The larger the number the higher the stress on the system.
  ACCEPTANCE_TEST_NODES: "4"

  # List of domains (including scheme) from which Cross-Origin requests will be
  # accepted, a * can be used as a wildcard for any part of a domain.
  ALLOWED_CORS_DOMAINS: "[]"

  # Allow users to change the value of the app-level allow_ssh attribute.
  ALLOW_APP_SSH_ACCESS: "true"

  # Extra token expiry time while uploading big apps, in seconds.
  APP_TOKEN_UPLOAD_GRACE_PERIOD: "1200"

  # The db address for the Autoscaler postgres database.
  AUTOSCALER_DB_ADDRESS: "autoscaler-postgres-postgres.((KUBERNETES_NAMESPACE)).svc.((KUBERNETES_CLUSTER_DOMAIN))"

  # The tcp port of postgres database serves on
  AUTOSCALER_DB_PORT: "5432"

  # The role name of autoscaler postgres database
  AUTOSCALER_DB_ROLE_NAME: "postgres"

  # The name of the metadata label to query on worker nodes to get AZ
  # information.
  AZ_LABEL_NAME: "failure-domain.beta.kubernetes.io/zone"

  # List of allow / deny rules for the blobstore internal server. Will be
  # followed by 'deny all'. Each entry must be followed by a semicolon.
  BLOBSTORE_ACCESS_RULES: "allow 10.0.0.0/8; allow 172.16.0.0/12; allow 192.168.0.0/16;"

  # Maximal allowed file size for upload to blobstore, in megabytes.
  BLOBSTORE_MAX_UPLOAD_SIZE: "5000"

  # For requests to service brokers, this is the HTTP (open and read) timeout
  # setting, in seconds.
  BROKER_CLIENT_TIMEOUT_SECONDS: "70"

  # The set of CAT test suites to run. If not specified it falls back to a
  # hardwired set of suites.
  CATS_SUITES: ~

  # The key used to encrypt entries in the CC database
  CC_DB_CURRENT_KEY_LABEL: ""

  # URI for a CDN to use for buildpack downloads.
  CDN_URI: ""

  # Expiration for generated certificates (in days)
  CERT_EXPIRATION: "10950"

  # An ordered, colon-delimited list of golang supported TLS cipher suites in
  # OpenSSL or RFC format.
  CIPHER_SUITES: "ECDHE-ECDSA-CHACHA20-POLY1305:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384"

  # The OAuth2 authorities available to the cluster administrator.
  CLUSTER_ADMIN_AUTHORITIES: "scim.write,scim.read,openid,cloud_controller.admin,clients.read,clients.write,doppler.firehose,routing.router_groups.read,routing.router_groups.write"

  # 'build' attribute in the /v2/info endpoint
  CLUSTER_BUILD: "2.20.3"

  # 'description' attribute in the /v2/info endpoint
  CLUSTER_DESCRIPTION: "SUSE Cloud Foundry"

  # 'name' attribute in the /v2/info endpoint
  CLUSTER_NAME: "SCF"

  # 'version' attribute in the /v2/info endpoint
  CLUSTER_VERSION: "2"

  # Enables hostname verification for TLS connections to targeted database
  # server. This property is only respected when targeting a MariaDB database.
  # Hostname verification cannot be disabled for TLS connections to postgres
  # databases.
  CREDHUB_DB_HOST_VALIDATION: "true"

  # Requires only TLS connections to targeted database server.
  CREDHUB_DB_REQUIRE_TLS: "true"

  # Database driver to use for the external database server used to manage the
  # CF-internal databases. Only used if DB_EXTERNAL_HOST is set. Currently only
  # `mysql` is valid.
  DB_EXTERNAL_DRIVER: "mysql"

  # Hostname for an external database server to use for the CF-internal
  # databases (such as for the cloud controller database). If not set, the
  # internal database is used.
  DB_EXTERNAL_HOST: ~

  # Port for an external database server to use for the CF-internal databases.
  # Only used if DB_EXTERNAL_HOST is set.
  DB_EXTERNAL_PORT: "3306"

  # SSL configuration for the external database server to use for the
  # CF-internal databases. Only used if DB_EXTERNAL_HOST is set. Valid values
  # are 'false', 'skip-verify', 'preferred', and 'true'.
  DB_EXTERNAL_SSL_MODE: "true"

  # Administrator user name for an external database server; this is required to
  # create the necessary databases. Only used if DB_EXTERNAL_HOST is set.
  DB_EXTERNAL_USER: ~

  # A suffix that has to be appended to every user name for the external
  # database; usually '@host'.
  DB_EXTERNAL_USER_HOST_SUFFIX: ""

  # The standard amount of disk (in MB) given to an application when not
  # overridden by the user via manifest, command line, etc.
  DEFAULT_APP_DISK_IN_MB: "1024"

  # The standard amount of memory (in MB) given to an application when not
  # overridden by the user via manifest, command line, etc.
  DEFAULT_APP_MEMORY: "1024"

  # If set apps pushed to spaces that allow SSH access will have SSH enabled by
  # default.
  DEFAULT_APP_SSH_ACCESS: "true"

  # The default stack to use if no custom stack is specified by an app.
  DEFAULT_STACK: "sle15"

  # The container disk capacity the cell should manage. If this capacity is
  # larger than the actual disk quota of the cell component, over-provisioning
  # will occur.
  DIEGO_CELL_DISK_CAPACITY_MB: "auto"

  # The memory capacity the cell should manage. If this capacity is larger than
  # the actual memory of the cell component, over-provisioning will occur.
  DIEGO_CELL_MEMORY_CAPACITY_MB: "auto"

  # Maximum network transmission unit length in bytes for application
  # containers.
  DIEGO_CELL_NETWORK_MTU: "1400"

  # A CIDR subnet mask specifying the range of subnets available to be assigned
  # to containers.
  DIEGO_CELL_SUBNET: "10.38.0.0/16"

  # Disable external buildpacks. Only admin buildpacks and system buildpacks
  # will be available to users.
  DISABLE_CUSTOM_BUILDPACKS: "false"

  # Base domain of the SCF cluster.
  # Example: "my-scf-cluster.com"
  DOMAIN: ~

  # The number of versions of an application to keep. You will be able to
  # rollback to this amount of versions.
  DROPLET_MAX_STAGED_STORED: "5"

  # Downloads app-bits and buildpacks from the bits-service
  EIRINI_DOWNLOADER_IMAGE: "registry.suse.com/cap/recipe-downloader:0.30.0"

  # Executes the buildpackapplifecycle to build a Droplet
  EIRINI_EXECUTOR_IMAGE: "registry.suse.com/cap/recipe-executor:0.31.0"

  # Address of Kubernetes' Heapster installation, used for reading Cloud Foundry
  # app metrics.
  EIRINI_KUBE_HEAPSTER_ADDRESS: "http://heapster.kube-system/apis/metrics/v1alpha1"

  # The namespace used by Eirini for deploying applications.
  EIRINI_KUBE_NAMESPACE: "eirini"

  # Array of plans that the Eirini persi broker will expose to Cloud Foundry.
  # Example:
  #   - id: "default-storageclass"
  #     name: "default"
  #     description: "Eirini persistence broker"
  #     free: true
  #     kube_storage_class: "persistent"
  #     default_size: "1Gi"
  EIRINI_PERSI_PLANS: "[]"

  # The port of the ssh proxy for Eirini
  EIRINI_SSH_PORT: "2222"

  # Uploads the Droplet to the bits-service
  EIRINI_UPLOADER_IMAGE: "registry.suse.com/cap/recipe-uploader:0.28.0"

  # By default, Cloud Foundry does not enable Cloud Controller request logging.
  # To enable this feature, you must set this property to "true". You can learn
  # more about the format of the logs here
  # https://docs.cloudfoundry.org/loggregator/cc-uaa-logging.html#cc
  ENABLE_SECURITY_EVENT_LOGGING: "false"

  # Enables setting the X-Forwarded-Proto header if SSL termination happened
  # upstream and the header value was set incorrectly. When this property is set
  # to true, the gorouter sets the header X-Forwarded-Proto to https. When this
  # value set to false, the gorouter sets the header X-Forwarded-Proto to the
  # protocol of the incoming request.
  FORCE_FORWARDED_PROTO_AS_HTTPS: "false"

  # AppArmor profile name for garden-runc; set this to empty string to disable
  # AppArmor support
  GARDEN_APPARMOR_PROFILE: "garden-default"

  # URL pointing to the Docker registry used for fetching Docker images. If not
  # set, the Docker service default is used.
  GARDEN_DOCKER_REGISTRY: "registry-1.docker.io"

  # Override DNS servers to be used in containers; defaults to the same as the
  # host.
  GARDEN_LINUX_DNS_SERVER: ""

  # The filesystem driver to use (btrfs or overlay-xfs).
  GARDEN_ROOTFS_DRIVER: "btrfs"

  # Location of the proxy to use for secure web access.
  HTTPS_PROXY: ~

  # Location of the proxy to use for regular web access.
  HTTP_PROXY: ~

  # A comma-separated whitelist of insecure Docker registries in the form of
  # '<HOSTNAME|IP>:PORT'. Each registry must be quoted separately.
  #
  # Example: "\"docker-registry.example.com:80\", \"hello.example.org:443\""
  INSECURE_DOCKER_REGISTRIES: ""

  KUBERNETES_CLUSTER_DOMAIN: ~

  # Allow the secrets-generator to auto-approve the kube cert signing requests
  # it makes.
  KUBE_CSR_AUTO_APPROVAL: "false"

  # The cluster's log level: off, fatal, error, warn, info, debug, debug1,
  # debug2.
  LOG_LEVEL: "info"

  # The maximum amount of disk a user can request for an application via
  # manifest, command line, etc., in MB. See also DEFAULT_APP_DISK_IN_MB for the
  # standard amount.
  MAX_APP_DISK_IN_MB: "2048"

  # Maximum health check timeout that can be set for an app, in seconds.
  MAX_HEALTH_CHECK_TIMEOUT: "180"

  # Sets the maximum allowed size of the client request body, specified in the
  # “Content-Length” request header field, in megabytes. If the size in a
  # request exceeds the configured value, the 413 (Request Entity Too Large)
  # error is returned to the client. Please be aware that browsers cannot
  # correctly display this error. Setting size to 0 disables checking of client
  # request body size. This limits application uploads, buildpack uploads, etc.
  NGINX_MAX_REQUEST_BODY_SIZE: "2048"

  # Comma separated list of IP addresses and domains which should not be
  # directed through a proxy, if any.
  NO_PROXY: ~

  # Comma separated list of white-listed options that may be set during create
  # or bind operations.
  # Example:
  # "uid,gid,allow_root,allow_other,nfs_uid,nfs_gid,auto_cache,fsname,username,password"
  PERSI_NFS_ALLOWED_OPTIONS: "uid,gid,auto_cache,username,password"

  # Comma separated list of default values for nfs mount options. If a default
  # is specified with an option not included in PERSI_NFS_ALLOWED_OPTIONS, then
  # this default value will be set and it won't be overridable.
  PERSI_NFS_DEFAULT_OPTIONS: ~

  # Comma separated list of white-listed options that may be accepted in the
  # mount_config options. Note a specific 'sloppy_mount:true' volume option
  # tells the driver to ignore non-white-listed options, while a
  # 'sloppy_mount:false' tells the driver to fail fast instead when receiving a
  # non-white-listed option.
  #
  # Example:
  # "allow_root,allow_other,nfs_uid,nfs_gid,auto_cache,sloppy_mount,fsname"
  PERSI_NFS_DRIVER_ALLOWED_IN_MOUNT: "auto_cache"

  # Comma separated list of white-listed options that may be configured in the
  # mount_config.source URL query params.
  # Example: "uid,gid,auto-traverse-mounts,dircache"
  PERSI_NFS_DRIVER_ALLOWED_IN_SOURCE: "uid,gid"

  # Comma separated list of default values for options that may be configured in
  # the mount_config options, formatted as 'option:default'. If an option is not
  # specified in the volume mount, or the option is not white-listed, then the
  # specified default value will be used instead.
  #
  # Example:
  # "allow_root:false,nfs_uid:2000,nfs_gid:2000,auto_cache:true,sloppy_mount:true"
  PERSI_NFS_DRIVER_DEFAULT_IN_MOUNT: "auto_cache:true"

  # Comma separated list of default values for options in the source URL query
  # params, formatted as 'option:default'. If an option is not specified in the
  # volume mount, or the option is not white-listed, then the specified default
  # value will be applied.
  PERSI_NFS_DRIVER_DEFAULT_IN_SOURCE: ~

  # Disable Persi NFS driver
  PERSI_NFS_DRIVER_DISABLE: "false"

  # LDAP server host name or ip address (required for LDAP integration only)
  PERSI_NFS_DRIVER_LDAP_HOST: ""

  # LDAP server port (required for LDAP integration only)
  PERSI_NFS_DRIVER_LDAP_PORT: "389"

  # LDAP server protocol (required for LDAP integration only)
  PERSI_NFS_DRIVER_LDAP_PROTOCOL: "tcp"

  # LDAP service account user name (required for LDAP integration only)
  PERSI_NFS_DRIVER_LDAP_USER: ""

  # LDAP fqdn for user records we will search against when looking up user uids
  # (required for LDAP integration only)
  # Example: "cn=Users,dc=corp,dc=test,dc=com"
  PERSI_NFS_DRIVER_LDAP_USER_FQDN: ""

  # The name of the metadata label to query on worker nodes to get placement tag
  # information, also known as isolation segments. When set, the cells will
  # query their worker node for placement information and inject the result into
  # cloudfoundry via the KUBE_PZ parameter. When left to the default no custom
  # placement processing is done.
  PZ_LABEL_NAME: ""

  # Certificates to add to the rootfs trust store. Multiple certs are possible by
  # concatenating their definitions into one big block of text.
  ROOTFS_TRUSTED_CERTS: ""

  # The algorithm used by the router to distribute requests for a route across
  # backends. Supported values are round-robin and least-connection.
  ROUTER_BALANCING_ALGORITHM: "round-robin"

  # How to handle client certificates. Supported values are none, request, or
  # require. See
  # https://docs.cloudfoundry.org/adminguide/securing-traffic.html#gorouter_mutual_auth
  # for more information.
  ROUTER_CLIENT_CERT_VALIDATION: "request"

  # How to handle the x-forwarded-client-cert (XFCC) HTTP header. Supported
  # values are always_forward, forward, and sanitize_set. See
  # https://docs.cloudfoundry.org/concepts/http-routing.html for more
  # information.
  ROUTER_FORWARDED_CLIENT_CERT: "always_forward"

  # The log destination to talk to. This has to point to a syslog server.
  SCF_LOG_HOST: ~

  # The port used by rsyslog to talk to the log destination. It defaults to 514,
  # the standard port of syslog.
  SCF_LOG_PORT: "514"

  # The protocol used by rsyslog to talk to the log destination. The allowed
  # values are tcp, and udp. The default is tcp.
  SCF_LOG_PROTOCOL: "tcp"

  # If true, authenticate against the SMTP server using AUTH command. See
  # https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html
  SMTP_AUTH: "false"

  # SMTP from address, for password reset emails etc.
  SMTP_FROM_ADDRESS: ~

  # SMTP server host address, for password reset emails etc.
  SMTP_HOST: ~

  # SMTP server password, for password reset emails etc.
  SMTP_PASSWORD: ~

  # SMTP server port, for password reset emails etc.
  SMTP_PORT: "25"

  # If true, send STARTTLS command before logging in to SMTP server. See
  # https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html
  SMTP_STARTTLS: "false"

  # SMTP server username, for password reset emails etc.
  SMTP_USER: ~

  # Timeout for staging an app, in seconds.
  STAGING_TIMEOUT: "900"

  # Support contact information for the cluster
  SUPPORT_ADDRESS: "https://scc.suse.com"

  # The number of times Ginkgo will run a SITS test before treating it as a
  # failure. Individual failed runs will still be reported in the test output.
  SYNC_INTEGRATION_TESTS_FLAKE_ATTEMPTS: "3"

  # Regex for which SITS tests the test runner should focus on executing.
  SYNC_INTEGRATION_TESTS_FOCUS: ~

  # The number of parallel test executors to spawn for Cloud Foundry sync
  # integration tests.
  SYNC_INTEGRATION_TESTS_NODES: "4"

  # Regex for which SITS tests the test runner should skip.
  SYNC_INTEGRATION_TESTS_SKIP: ~

  # Whether the output of the sync integration tests should be verbose or not.
  SYNC_INTEGRATION_TESTS_VERBOSE: "false"

  # TCP routing domain of the SCF cluster; only used for testing;
  # Example: "tcp.my-scf-cluster.com"
  TCP_DOMAIN: ~

  # Concatenation of trusted CA certificates to be made available on the cell.
  TRUSTED_CERTS: ~

  # Use TLS connection for UAA database.
  # Valid options are:
  # enabled (use TLS with full certificate validation),
  # enabled_skip_hostname_validation (use TLS but skip validation of common and
  # alt names in the host certificate),
  # enabled_skip_all_validation (use TLS but do not validate anything about the
  # host certificate),
  # disabled (do not use TLS)
  UAADB_TLS: "enabled"

  # The host name of the UAA server (root zone)
  UAA_HOST: ~

  # The tcp port the UAA server (root zone) listens on for requests.
  UAA_PORT: "2793"

  # The TCP port to report as the public port for the UAA server (root zone).
  UAA_PUBLIC_PORT: "2793"

  # Whether or not to use privileged containers for buildpack based
  # applications. Containers with a docker-image-based rootfs will continue to
  # always be unprivileged.
  USE_DIEGO_PRIVILEGED_CONTAINERS: "false"

  # Whether or not to use privileged containers for staging tasks.
  USE_STAGER_PRIVILEGED_CONTAINERS: "false"

# The sizing section contains configuration to change each individual instance
# group. Due to limitations on the allowable names, any dashes ("-") in the
# instance group names are replaced with underscores ("_").
sizing:
  # The adapter instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # Also: adapter and bpm
  adapter:
    # Node affinity rules can be specified here
    affinity: {}

    # The adapter instance group can scale between 1 and 65535 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The api-group instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # - wait-for-database: This is a pre-start job to delay starting the rest of
  #   the role until a database connection is ready. Currently it only checks
  #   that a response can be obtained from the server, and not that it responds
  #   intelligently.
  #
  # - cloud_controller_ng: The Cloud Controller provides the primary Cloud Foundry
  #   API that is used by the CF CLI. The Cloud Controller uses a database to keep
  #   tables for organizations, spaces, apps, services, service instances, user
  #   roles, and more. Typically multiple instances of Cloud Controller are load
  #   balanced.
  #
  # - route_registrar: Used for registering routes
  #
  # Also: bpm, statsd_injector, suse-go-buildpack, go-buildpack,
  # suse-binary-buildpack, binary-buildpack, suse-nodejs-buildpack,
  # nodejs-buildpack, suse-ruby-buildpack, ruby-buildpack, suse-php-buildpack,
  # php-buildpack, suse-python-buildpack, python-buildpack,
  # suse-staticfile-buildpack, staticfile-buildpack, suse-nginx-buildpack,
  # nginx-buildpack, suse-java-buildpack, java-buildpack,
  # suse-dotnet-core-buildpack, and dotnet-core-buildpack
  api_group:
    # Node affinity rules can be specified here
    affinity: {}

    # The api_group instance group can scale between 1 and 65535 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 4000
      limit: ~

    # Unit [MiB]
    memory:
      request: 3800
      limit: ~

  # The autoscaler-actors instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # Also: scheduler, scalingengine, operator, and bpm
  autoscaler_actors:
    # Node affinity rules can be specified here
    affinity: {}

    # The autoscaler_actors instance group can be enabled by the autoscaler
    # feature.
    # It can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 2350
      limit: ~

  # The autoscaler-api instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - route_registrar: Used for registering routes
  #
  # Also: apiserver and bpm
  autoscaler_api:
    # Node affinity rules can be specified here
    affinity: {}

    # The autoscaler_api instance group can be enabled by the autoscaler
    # feature.
    # It can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The autoscaler-metrics instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # Also: metricscollector, eventgenerator, and bpm
  autoscaler_metrics:
    # Node affinity rules can be specified here
    affinity: {}

    # The autoscaler_metrics instance group can be enabled by the autoscaler
    # feature.
    # It can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 4000
      limit: ~

    # Unit [MiB]
    memory:
      request: 1024
      limit: ~

  # The autoscaler-postgres instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - postgres: The Postgres server provides a single instance Postgres database
  #   that can be used with the Cloud Controller or the UAA. It does not provide
  #   a highly available configuration.
  autoscaler_postgres:
    # Node affinity rules can be specified here
    affinity: {}

    # The autoscaler_postgres instance group can be enabled by the autoscaler
    # feature.
    # It cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    disk_sizes:
      postgres_data: 5

    # Unit [MiB]
    memory:
      request: 1024
      limit: ~

  # The bits instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - eirinifs-sle15: This job copies the eirinifs-sle15 to a desired location
  #
  # Also: statsd_injector, bpm, and bits-service
  bits:
    # Node affinity rules can be specified here
    affinity: {}

    # The bits instance group can be enabled by the eirini feature.
    # It cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The blobstore instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - route_registrar: Used for registering routes
  #
  # Also: blobstore and bpm
  blobstore:
    # Node affinity rules can be specified here
    affinity: {}

    # The blobstore instance group cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    disk_sizes:
      blobstore_data: 50

    # Unit [MiB]
    memory:
      request: 500
      limit: ~

  # The cc-clock instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - wait-for-api: Wait for API to be ready before starting any jobs
  #
  # - cloud_controller_clock: The Cloud Controller Clock runs the Diego Sync job
  #   to keep the actual state of running processes in Diego in sync with Cloud
  #   Controller's desired state. Additionally, the Clock schedules periodic
  #   clean up jobs to prune app usage events, audit events, failed jobs, and
  #   more.
  #
  # Also: statsd_injector and bpm
  cc_clock:
    # Node affinity rules can be specified here
    affinity: {}

    # The cc_clock instance group can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 750
      limit: ~

  # The cc-uploader instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # Also: tps, cc_uploader, and bpm
  cc_uploader:
    # Node affinity rules can be specified here
    affinity: {}

    # The cc_uploader instance group can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 4000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The cc-worker instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - cloud_controller_worker: Cloud Controller worker processes background
  #   tasks submitted via the.
  #
  # Also: bpm
  cc_worker:
    # Node affinity rules can be specified here
    affinity: {}

    # The cc_worker instance group can scale between 1 and 65535 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 750
      limit: ~

  # The cf-usb-group instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - route_registrar: Used for registering routes
  #
  # Also: cf-usb and bpm
  cf_usb_group:
    # Node affinity rules can be specified here
    affinity: {}

    # The cf_usb_group instance group is enabled by the cf_usb feature.
    # It can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The configgin-helper instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - configgin-helper: Copy configgin service account token to secret
  configgin_helper:
    # Node affinity rules can be specified here
    affinity: {}

    # The configgin_helper instance group can scale between 1 and 65535
    # instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 1000
      limit: ~

    # Unit [MiB]
    memory:
      request: 64
      limit: ~

  # The configure-eirini instance group contains the following jobs:
  #
  # - configure-eirini-scf: Creates and configures components needed for Eirini
  configure_eirini:
    # Node affinity rules can be specified here
    affinity: {}

    # The configure_eirini instance group can be enabled by the eirini feature.
    # It cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 1000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The credhub-user instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - route_registrar: Used for registering routes
  #
  # Also: credhub and bpm
  credhub_user:
    # Node affinity rules can be specified here
    affinity: {}

    # The credhub_user instance group can be enabled by the credhub feature.
    # It cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 2000
      limit: ~

  # The diego-api instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # Also: bbs and cfdot
  diego_api:
    # Node affinity rules can be specified here
    affinity: {}

    # The diego_api instance group can be disabled by the eirini feature.
    # It can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The diego-brain instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # Also: auctioneer and cfdot
  diego_brain:
    # Node affinity rules can be specified here
    affinity: {}

    # The diego_brain instance group can be disabled by the eirini feature.
    # It can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 4000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The diego-cell instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - get-kubectl: This job exists only to ensure the presence of the kubectl
  #   binary in the role referencing it.
  #
  # - wait-for-uaa: Wait for UAA to be ready before starting any jobs
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # Also: rep, cfdot, route_emitter, garden, groot-btrfs,
  # cflinuxfs3-rootfs-setup, cf-sle12-setup, sle15-rootfs-setup, nfsv3driver,
  # and mapfs
  diego_cell:
    # Node affinity rules can be specified here
    affinity: {}

    # The diego_cell instance group can be disabled by the eirini feature.
    # It can scale between 1 and 254 instances.
    # For high availability it needs at least 3 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 4000
      limit: ~

    disk_sizes:
      grootfs_data: 50

    # Unit [MiB]
    memory:
      request: 2800
      limit: ~

  # The diego-ssh instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # Also: ssh_proxy and file_server
  diego_ssh:
    # Node affinity rules can be specified here
    affinity: {}

    # The diego_ssh instance group can be disabled by the eirini feature.
    # It can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The doppler instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - route_registrar: Used for registering routes
  #
  # Also: log-cache-gateway, log-cache-nozzle, log-cache-cf-auth-proxy,
  # log-cache, doppler, and bpm
  doppler:
    # Node affinity rules can be specified here
    affinity: {}

    # The doppler instance group can scale between 1 and 65535 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 410
      limit: ~

  # The eirini instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # Also: bpm, eirini-loggregator-bridge, and opi
  eirini:
    # Node affinity rules can be specified here
    affinity: {}

    # The eirini instance group can be enabled by the eirini feature.
    # It cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The eirini-persi instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # Also: bpm, eirini-persi-broker, and eirini-persi
  eirini_persi:
    # Node affinity rules can be specified here
    affinity: {}

    # The eirini_persi instance group can be enabled by the eirini feature.
    # It cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The eirini-ssh instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # Also: bpm, eirini-ssh-proxy, and eirini-ssh-extension
  eirini_ssh:
    # Node affinity rules can be specified here
    affinity: {}

    # The eirini_ssh instance group can be enabled by the eirini feature.
    # It cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The locket instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # Also: locket
  locket:
    # Node affinity rules can be specified here
    affinity: {}

    # The locket instance group can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The log-api instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - route_registrar: Used for registering routes
  #
  # Also: loggregator_trafficcontroller, reverse_log_proxy,
  # reverse_log_proxy_gateway, and bpm
  log_api:
    # Node affinity rules can be specified here
    affinity: {}

    # The log_api instance group can scale between 1 and 65535 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The loggregator-agent instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # Also: loggregator_agent, prom_scraper, and bpm
  loggregator_agent:
    # Node affinity rules can be specified here
    affinity: {}

    # The loggregator_agent instance group can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: ~
      limit: ~

    # Unit [MiB]
    memory:
      request: ~
      limit: ~

  # The mysql instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - patch-properties: Dummy BOSH job used to host parameters that are used in
  #   SCF patches for upstream bugs
  #
  # Also: pxc-mysql, galera-agent, gra-log-purger, cluster-health-logger,
  # bootstrap, mysql, and bpm
  mysql:
    # Node affinity rules can be specified here
    affinity: {}

    # The mysql instance group is enabled by the mysql feature.
    # It can scale between 1 and 7 instances.
    # The instance count must be an odd number (not divisible by 2).
    # For high availability it needs at least 3 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    disk_sizes:
      mysql_data: 20

    # Unit [MiB]
    memory:
      request: 2500
      limit: ~

  # The mysql-proxy instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - switchboard-leader: Job to host the active/passive probe for mysql
  #   switchboard and leader election
  #
  # Also: bpm and proxy
  mysql_proxy:
    # Node affinity rules can be specified here
    affinity: {}

    # The mysql_proxy instance group is enabled by the mysql feature.
    # It can scale between 1 and 5 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 2500
      limit: ~

  # The nats instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - nats: NATS server providing a publish-subscribe messaging system for Cloud
  #   Foundry components.
  #
  # Also: bpm
  nats:
    # Node affinity rules can be specified here
    affinity: {}

    # The nats instance group can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The nfs-broker instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # Also: nfsbroker
  nfs_broker:
    # Node affinity rules can be specified here
    affinity: {}

    # The nfs_broker instance group can be disabled by the eirini feature.
    # It can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The post-deployment-setup instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - database-seeder: When using an external database server, seed it with the
  #   necessary databases.
  #
  # - uaa-create-user: Create the initial user in UAA
  #
  # - configure-scf: Uses the cf CLI to configure SCF once it's online (things
  #   like proxy settings, service brokers, etc.)
  post_deployment_setup:
    # Node affinity rules can be specified here
    affinity: {}

    # The post_deployment_setup instance group cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 1000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The router instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - gorouter: Gorouter maintains a dynamic routing table based on updates
  #   received from NATS and (when enabled) the Routing API. This routing table
  #   maps URLs to backends. The router finds the URL in the routing table that
  #   most closely matches the host header of the request and load balances
  #   across the associated backends.
  #
  # Also: bpm
  router:
    # Node affinity rules can be specified here
    affinity: {}

    # The router instance group can scale between 1 and 65535 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 4000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The routing-api instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # Also: bpm and routing-api
  routing_api:
    # Node affinity rules can be specified here
    affinity: {}

    # The routing_api instance group can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 4000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The secret-generation instance group contains the following jobs:
  #
  # - generate-secrets: This job will generate the secrets for the cluster
  secret_generation:
    # Node affinity rules can be specified here
    affinity: {}

    # The secret_generation instance group cannot be scaled.
    count: ~

    # Unit [millicore]
    cpu:
      request: 1000
      limit: ~

    # Unit [MiB]
    memory:
      request: 256
      limit: ~

  # The syslog-scheduler instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # Also: scheduler and bpm
  syslog_scheduler:
    # Node affinity rules can be specified here
    affinity: {}

    # The syslog_scheduler instance group can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

  # The tcp-router instance group contains the following jobs:
  #
  # - global-properties: Dummy BOSH job used to host global parameters that are
  #   required to configure SCF
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - wait-for-uaa: Wait for UAA to be ready before starting any jobs
  #
  # Also: tcp_router and bpm
  tcp_router:
    # Node affinity rules can be specified here
    affinity: {}

    # The tcp_router instance group can scale between 1 and 3 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 128
      limit: ~

    ports:
      tcp_route:
        count: 9

  # The uaa instance group contains the following jobs:
  #
  # - global-uaa-properties: Dummy BOSH job used to host global parameters that
  #   are required to configure SCF / fissile
  #
  # - authorize-internal-ca: Install both internal and UAA CA certificates
  #
  # - uaa: The UAA is the identity management service for Cloud Foundry. Its
  #   primary role is as an OAuth2 provider, issuing tokens for client
  #   applications to use when they act on behalf of Cloud Foundry users. It can
  #   also authenticate users with their Cloud Foundry credentials, and can act
  #   as an SSO service using those credentials (or others). It has endpoints
  #   for managing user accounts and for registering OAuth2 clients, as well as
  #   various other management functions.
  #
  # - wait-for-database: This is a pre-start job to delay starting the rest of
  #   the role until a database connection is ready. Currently it only checks
  #   that a response can be obtained from the server, and not that it responds
  #   intelligently.
  #
  # Also: bpm
  uaa:
    # Node affinity rules can be specified here
    affinity: {}

    # The uaa instance group can be enabled by the uaa feature.
    # It can scale between 1 and 65535 instances.
    # For high availability it needs at least 2 instances.
    count: ~

    # Unit [millicore]
    cpu:
      request: 2000
      limit: ~

    # Unit [MiB]
    memory:
      request: 2100
      limit: ~

enable:
  # The autoscaler feature enables these instance groups: autoscaler_postgres,
  # autoscaler_api, autoscaler_metrics, and autoscaler_actors
  autoscaler: false

  # The cf_usb feature enables these instance groups: cf_usb_group
  cf_usb: true

  # The credhub feature enables these instance groups: credhub_user
  credhub: false

  # The eirini feature enables these instance groups: eirini, eirini_persi,
  # eirini_ssh, bits, and configure_eirini
  # It disables these instance groups: diego_api, diego_brain, diego_ssh,
  # nfs_broker, and diego_cell
  eirini: false

  # The mysql feature enables these instance groups: mysql and mysql_proxy
  mysql: true

  # The uaa feature enables these instance groups: uaa
  uaa: false

ingress:
  # ingress.annotations allows specifying custom ingress annotations that get
  # merged into the default annotations.
  annotations: {}

  # ingress.enabled enables ingress support; a working ingress controller is
  # required.
  enabled: false

  # ingress.tls.crt and ingress.tls.key, when specified, are used by the TLS
  # secret for the Ingress resource.
  tls: {}
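The comments in the sizes and enable sections above state, per instance group, the allowed count range, the high-availability minimum, the odd-count rule for mysql and which feature toggle switches the group on or off. The following added example (not part of the SUSE chart or its documentation) transcribes those rules for a subset of the groups and checks a values document against them before it is handed to Helm; the values are assumed to be already loaded into a dict (for instance with PyYAML), and the sample document at the bottom is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Scaling rule for one instance group, transcribed from the values file comments."""
    min_count: int                      # lower bound of "can scale between A and B"
    max_count: int                      # upper bound; 1 for groups that "cannot be scaled"
    ha_min: int                         # "For high availability it needs at least N"
    odd_only: bool = False              # mysql: "must be an odd number"
    feature: Optional[str] = None       # enable.<feature> must be true for the group to run
    disabled_by: Optional[str] = None   # enable.<feature> true switches the group off


# Subset of the instance groups above, transcribed from their comments (assumption:
# the comments are the authoritative constraints for this chart version).
RULES: Dict[str, Rule] = {
    "autoscaler_api": Rule(1, 3, 2, feature="autoscaler"),
    "autoscaler_postgres": Rule(1, 1, 1, feature="autoscaler"),
    "cc_clock": Rule(1, 3, 2),
    "cc_worker": Rule(1, 65535, 2),
    "diego_api": Rule(1, 3, 2, disabled_by="eirini"),
    "diego_cell": Rule(1, 254, 3, disabled_by="eirini"),
    "eirini": Rule(1, 1, 1, feature="eirini"),
    "mysql": Rule(1, 7, 3, odd_only=True, feature="mysql"),
    "mysql_proxy": Rule(1, 5, 2, feature="mysql"),
    "router": Rule(1, 65535, 2),
    "uaa": Rule(1, 65535, 2, feature="uaa"),
}


def is_active(rule: Rule, enable: Dict[str, bool]) -> bool:
    """Apply the enable.* toggles: a group only needs checking if it will be deployed."""
    if rule.feature is not None and not enable.get(rule.feature, False):
        return False
    if rule.disabled_by is not None and enable.get(rule.disabled_by, False):
        return False
    return True


def validate_sizes(values: dict, ha: bool = True) -> List[Tuple[str, str]]:
    """Return (group, problem) findings for every explicit sizes.<group>.count.

    A count of None (YAML '~') means the chart default applies and is not checked.
    With ha=True the high-availability minima are enforced as well.
    """
    findings: List[Tuple[str, str]] = []
    enable = values.get("enable", {})
    sizes = values.get("sizes", {})
    for name, rule in RULES.items():
        if not is_active(rule, enable):
            continue
        count = sizes.get(name, {}).get("count")
        if count is None:
            continue
        if not isinstance(count, int) or not rule.min_count <= count <= rule.max_count:
            findings.append((name, f"count {count} outside allowed range "
                                   f"{rule.min_count}-{rule.max_count}"))
            continue
        if rule.odd_only and count % 2 == 0:
            findings.append((name, f"count {count} must be odd"))
        if ha and count < rule.ha_min:
            findings.append((name, f"count {count} below HA minimum {rule.ha_min}"))
    return findings


# Constructed sample input, shaped like the 'sizes' and 'enable' sections above.
SAMPLE_VALUES = {
    "enable": {"autoscaler": False, "eirini": False, "mysql": True, "uaa": True},
    "sizes": {
        "autoscaler_api": {"count": 9},  # ignored: the autoscaler feature is off
        "diego_cell": {"count": 2},      # below the HA minimum of 3
        "mysql": {"count": 4},           # even count breaks the odd-number rule
        "router": {"count": 2},          # within range and HA-safe
        "uaa": {"count": None},          # '~': chart default, nothing to check
    },
}

if __name__ == "__main__":
    for group, problem in validate_sizes(SAMPLE_VALUES):
        print(f"{group}: {problem}")
```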