---
name: rep

templates:
  rep.erb: bin/rep
  rep_ctl.erb: bin/rep_ctl
  rep_as_vcap.erb: bin/rep_as_vcap
  drain.erb: bin/drain
  bbs_ca.crt.erb: config/certs/bbs/ca.crt
  trusted_certs.crt.erb: config/certs/rep/trusted_certs.crt
  trusted_ca_certificates.json.erb: config/certs/rep/trusted_ca_certificates.json
  ca_certs_for_downloads.crt.erb: config/certs/rep/ca_certs_for_downloads.crt
  bbs_client.crt.erb: config/certs/bbs/client.crt
  bbs_client.key.erb: config/certs/bbs/client.key
  rep_ca.crt.erb: config/certs/ca.crt
  rep_server.crt.erb: config/certs/server.crt
  rep_server.key.erb: config/certs/server.key
  instance_identity.crt.erb: config/certs/rep/instance_identity.crt
  instance_identity.key.erb: config/certs/rep/instance_identity.key
  consul_ca.crt.erb: config/certs/consul/ca.crt
  consul_client.crt.erb: config/certs/consul/client.crt
  consul_client.key.erb: config/certs/consul/client.key
  rep.json.erb: config/rep.json
  bpm.yml.erb: config/bpm.yml
  bpm-pre-start.erb: bin/bpm-pre-start
  mount_instance_identity.erb: bin/mount_instance_identity
  pre-start.erb: bin/pre-start
  post-start.erb: bin/post-start
  loggregator_ca.crt.erb: config/certs/loggregator/ca.crt
  loggregator_client.crt.erb: config/certs/loggregator/client.crt
  loggregator_client.key.erb: config/certs/loggregator/client.key
  tls.crt.erb: config/certs/tls.crt
  tls.key.erb: config/certs/tls.key
  tls_ca.crt.erb: config/certs/tls_ca.crt

packages:
  - pid_utils
  - rep
  - healthcheck
  - proxy
  - certsplitter

properties:
  use_v2_tls:
    default: false
    description: "Whether the rep should use mutual TLS for all communications to other Diego components. Requires `tls.ca_cert`, `tls.cert`, and `tls.key` to be configured. Deprecated as mutual TLS will be required in v2.0+"

  admin_api.require_tls:
    default: false
    description: "Whether to require mutual TLS for communication to the rep's administrative API. Requires `tls.ca_cert`, `tls.cert`, and `tls.key` to be configured. Deprecated as mutual TLS will be required in v2.0+"
  bpm.enabled:
    description: "Experimental: use the BOSH Process Manager to manage the cell rep process."
    default: false
  diego.rep.listen_addr:
    description: "address to serve auction and LRP stop requests on. Deprecated in favor of diego.rep.listen_addr_admin and diego.rep.listen_addr_securable."
    default: "0.0.0.0:1800"
  diego.rep.debug_addr:
    description: "address at which to serve debug info"
    default: "127.0.0.1:17008"
  diego.rep.polling_interval_in_seconds:
    description: "The interval to look for completed tasks and LRPs in seconds"
    default: 30
  diego.rep.evacuation_polling_interval_in_seconds:
    description: "The interval to look for completed tasks and LRPs during evacuation in seconds"
    default: 10
  diego.rep.evacuation_timeout_in_seconds:
    description: "The time to wait for evacuation to complete in seconds"
    default: 600
  diego.rep.zone:
    description: "The zone associated with the rep. This will override the BOSH-provided spec.az property if present."
  diego.rep.use_azure_fault_domains:
    description: "Use Azure Fault-Domains to determine the value of the zone. The value of the zone will be z<FD-index>. e.g. z0, z1, etc."
    default: false
  diego.rep.preloaded_rootfses:
    description: "Array of name:absolute_path pairs representing root filesystems preloaded onto the underlying garden"
  diego.rep.rootfs_providers:
    description: "Array of schemes for which the underlying garden can support arbitrary root filesystems"
    default:
      - docker
  diego.rep.log_level:
    description: "Log level"
    default: "info"
  diego.rep.dropsonde_port:
    description: "local metron agent's port. Deprecated, will be removed when loggregator API v1 support is removed."
    default: 3457
  diego.rep.trusted_certs:
    description: "Concatenation of trusted CA certificates to be made available inside the rootfses. Deprecated in favor of containers.trusted_ca_certificates."
    default: null
  diego.rep.placement_tags:
    description: "Array of tags used for scheduling Tasks and LRPs"
    default: []
  diego.rep.optional_placement_tags:
    description: "Array of optional tags used for scheduling Tasks and LRPs"
    default: []

  loggregator.use_v2_api:
    description: "True to use local metron agent gRPC v2 API. False to use UDP v1 API."
    default: false
  loggregator.v2_api_port:
    description: "Local metron agent gRPC port"
    default: 3458
  loggregator.ca_cert:
    description: "CA Cert used to communicate with local metron agent over gRPC"
  loggregator.cert:
    description: "Cert used to communicate with local metron agent over gRPC"
  loggregator.key:
    description: "Key used to communicate with local metron agent over gRPC"

  diego.rep.enable_legacy_api_endpoints:
    description: "Whether to enable the auction, LRP, and Task endpoints on the legacy, insecurable API server. Deprecated since the legacy API server will be removed in Diego v2.0."
    default: true
  diego.rep.listen_addr_admin:
    description: "When enable_legacy_api_endpoints is set to false, serve (insecure) ping and evacuate requests on this address and port"
    default: "127.0.0.1:1800"
  diego.rep.advertise_domain:
    description: "base domain at which the rep should advertise its secure API"
    default: "cell.service.cf.internal"
  diego.rep.listen_addr_securable:
    description: "address where rep listens for LRP and task start auction requests"
    default: "0.0.0.0:1801"
  diego.rep.require_tls:
    description: "Whether to require mutual TLS for communication to the securable rep API server. Deprecated since mutual TLS will be required in Diego v2.0+."
    default: false
  diego.rep.ca_cert:
    description: "PEM-encoded CA certificate. Deprecated in favor of tls.ca_cert"
  diego.rep.server_cert:
    description: "PEM-encoded server certificate. Deprecated in favor of tls.cert"
  diego.rep.server_key:
    description: "PEM-encoded server key. Deprecated in favor of tls.key"

  diego.ssl.skip_cert_verify:
    description: "when connecting over https, ignore bad ssl certificates"
    default: false
  diego.executor.ca_certs_for_downloads:
    description: "Concatenation of trusted CA certificates to be used when downloading assets. Deprecated in favor of tls.ca_cert."
    default: null
  tls.cert:
    description: "PEM-encoded tls certificate that can be used for client or server auth"
  tls.key:
    description: "PEM-encoded tls client key"
  tls.ca_cert:
    description: "PEM-encoded tls client CA certificate for asset upload/download"

  diego.rep.consul.require_tls:
    description: "Require mutual TLS to talk to the local consul API"
    default: false
  diego.rep.consul.ca_cert:
    description: "PEM-encoded CA certificate"
  diego.rep.consul.client_cert:
    description: "PEM-encoded client certificate"
  diego.rep.consul.client_key:
    description: "PEM-encoded client key"

  diego.executor.memory_capacity_mb:
    description: "the memory capacity the executor should manage.  this should not be greater than the actual memory on the VM"
    default: "auto"
  diego.executor.disk_capacity_mb:
    description: "the container disk capacity the executor should manage.  this should not be greater than the actual disk quota on the VM"
    default: "auto"
  diego.executor.auto_disk_capacity_overhead_mb:
    description: "the amount of overhead that should be subtracted from the container disk capacity, this only applies when disk_capacity_mb is set to auto"
    default: 0
  diego.executor.max_concurrent_downloads:
    description: "the max concurrent download steps that can be active"
    default: 5
  diego.executor.container_max_cpu_shares:
    description: "the maximum number of cpu shares for a container."
    default: 1024
  diego.executor.container_inode_limit:
    description: "the inode limit enforced on each garden container."
    default: 200000
  diego.executor.container_metrics_report_interval:
    description: "the frequency for emitting container metrics; should be a string that can be parsed by time.ParseDuration, such as 15s"
  diego.executor.max_cache_size_in_bytes:
    description: "maximum size of the cache in bytes - this should leave a healthy overhead for temporary items, etc."
    default: 10000000000
  diego.executor.garden.address:
    description: "Garden server listening address."
    default: /var/vcap/data/garden/garden.sock
  diego.executor.garden.network:
    description: "Network type for the garden server connection (tcp or unix)."
    default: unix
  diego.executor.export_network_env_vars:
    description: "Export network environment variables into container (e.g. CF_INSTANCE_IP, CF_INSTANCE_PORT). Deprecated, these will always be exported in Diego v2.0+."
    default: true
  diego.executor.healthy_monitoring_interval_in_seconds:
    description: "Interval to check healthy containers in seconds."
    default: 30
  diego.executor.unhealthy_monitoring_interval_in_seconds:
    description: "Interval to check unhealthy containers in seconds."
    default: 2
  diego.executor.create_work_pool_size:
    description: "Maximum number of concurrent create container operations."
    default: 32
  diego.executor.delete_work_pool_size:
    description: "Maximum number of concurrent delete container operations."
    default: 32
  diego.executor.read_work_pool_size:
    description: "Maximum number of concurrent get container info operations."
    default: 64
  diego.executor.metrics_work_pool_size:
    description: "Maximum number of concurrent get container metrics operations."
    default: 8
  diego.executor.healthcheck_work_pool_size:
    description: "Maximum number of concurrent health check operations."
    default: 64

  diego.executor.garden_healthcheck.interval:
    description: "Frequency for healtchecking garden"
    default: "10m"
  diego.executor.garden_healthcheck.timeout:
    description: "Maximum allowed time for garden healthcheck"
    default: "10m"
  diego.executor.garden_healthcheck.command_retry_pause:
    description: "Time to wait between retrying garden commands"
    default: "1s"
  diego.executor.garden_healthcheck.process.path:
    description: "Path of the command to run to perform a container healthcheck"
    default: "/bin/sh"
  diego.executor.garden_healthcheck.process.args:
    description: "List of command line args to pass to the garden health check process"
    default: "-c, ls > /tmp/test"
  diego.executor.garden_healthcheck.process.user:
    description: "User to use while performing a container healthcheck"
    default: "vcap"
  diego.executor.garden_healthcheck.process.dir:
    description: "Directory to run the healthcheck process from"
  diego.executor.garden_healthcheck.process.env:
    description: "Environment variables to use when running the garden health check"
  diego.executor.post_setup_hook:
    description: "Experimental: arbitrary command to run after setup action"
  diego.executor.post_setup_user:
    description: "Experimental: user to run post setup hook command"
  diego.executor.volman.driver_paths:
    description: "Experimental: OS style path string containing the directories volman will look in for voldriver specs (delimited by : or ; depending on the OS)"
    default: "/var/vcap/data/voldrivers"
  diego.executor.volman.csi_paths:
    description: "Experimental: A list of path string containing the directories volman will look in for CSI plugins specs (delimited by : or ; depending on the OS)"
    default: "/var/vcap/data/csiplugins"
  diego.executor.volman.csi_mount_root_dir:
    description: "Experimental: A OS style path string containing the directory under which volman will mount CSI volumes"
    default: "/var/vcap/data/csimountroot"
  diego.executor.instance_identity_ca_cert:
    description: "PEM-encoded CA used to sign instance identity credentials. Enables instance identity if set along with instance_identity_key"
  diego.executor.instance_identity_key:
    description: "PEM-encoded key used to sign instance identity credentials. Enables instance identity if set along with instance_identity_ca_cert"
  diego.executor.instance_identity_validity_period_in_hours:
    description: "Validity period for the generated instance identity certificate"
    default: 24

  diego.rep.bbs.api_location:
    description: "Address to the BBS Server"
    default: "bbs.service.cf.internal:8889"

  diego.rep.bbs.ca_cert:
    description: "PEM-encoded CA certificate. Deprecated in favor of tls.ca_cert"
  diego.rep.bbs.client_cert:
    description: "PEM-encoded client certificate. Deprecated in favor of tls.cert"
  diego.rep.bbs.client_key:
    description: "PEM-encoded client key. Deprecated in favor of tls.key"
  diego.rep.bbs.require_ssl:
    description: "require ssl for all communication with the bbs. Deprecated, TLS will be required for the bbs in Diego v2.0+."
    default: true
  diego.rep.bbs.client_session_cache_size:
    description: "capacity of the tls client cache"
  diego.rep.bbs.max_idle_conns_per_host:
    description: "maximum number of idle http connections"

  diego.rep.job_name:
    description: "The name of the Diego job referenced by this spec (DO NOT override)"
    default: "rep"

  diego.rep.locket.api_location:
    description: "Hostname and port of the Locket server. When set, the cell rep will establish its cell registration in the Locket API instead of in the Consul key-value store."

  enable_consul_service_registration:
    description: "Enable the cell rep to register itself as a service with Consul, for client discovery via Consul DNS. Do not disable without arranging alternate service discovery."
    default: true
  enable_declarative_healthcheck:
    description: "EXPERIMENTAL: When set, enables the rep to prefer the LRP CheckDefinition to healthcheck instances over the Monitor action. Requires Garden-Runc v1.10.0+"
    default: false

  containers.graceful_shutdown_interval_in_seconds:
    description: "EXPERIMENTAL: time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10."
    default: 10

  containers.proxy.enabled:
    description: "EXPERIMENTAL: Enable envoy proxy on garden containers. Requires valid TLS credentials in diego.executor.instance_identity_ca_cert and diego.executor.instance_identity_key."
    default: false
  containers.proxy.additional_memory_allocation_mb:
    description: "EXPERIMENTAL: Additional memory allocated to each container for the envoy proxy. This value must not be negative"
    default: 5

  containers.trusted_ca_certificates:
    description: "List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs."
    example:
    - |
      ----- BEGIN CERTIFICATE -----
      CONTENTS OF CERTIFICATE #1
      ----- END CERTIFICATE -----
    - |
      ----- BEGIN CERTIFICATE -----
      CONTENTS OF CERTIFICATE #2
      ----- END CERTIFICATE -----
    - |
      ----- BEGIN CERTIFICATE -----
      CONTENTS OF CERTIFICATE #3
      ----- END CERTIFICATE -----
      ----- BEGIN CERTIFICATE -----
      CONTENTS OF CERTIFICATE #4
      ----- END CERTIFICATE -----
