---
name: rep_windows

templates:
  drain.ps1.erb: bin/drain.ps1
  pre-start.ps1.erb: bin/pre-start.ps1
  post-start.ps1.erb: bin/post-start.ps1
  bbs_ca.crt.erb: config/certs/bbs/ca.crt
  trusted_certs.crt.erb: config/certs/rep/trusted_certs.crt
  trusted_ca_certificates.json.erb: config/certs/rep/trusted_ca_certificates.json
  ca_certs_for_downloads.crt.erb: config/certs/rep/ca_certs_for_downloads.crt
  bbs_client.crt.erb: config/certs/bbs/client.crt
  bbs_client.key.erb: config/certs/bbs/client.key
  instance_identity.crt.erb: config/certs/rep/instance_identity.crt
  instance_identity.key.erb: config/certs/rep/instance_identity.key
  rep_ca.crt.erb: config/certs/ca.crt
  rep_server.crt.erb: config/certs/server.crt
  rep_server.key.erb: config/certs/server.key
  consul_ca.crt.erb: config/certs/consul/ca.crt
  consul_client.crt.erb: config/certs/consul/client.crt
  consul_client.key.erb: config/certs/consul/client.key
  rep.json.erb: config/rep.json
  loggregator_ca.crt.erb: config/certs/loggregator/ca.crt
  loggregator_client.crt.erb: config/certs/loggregator/client.crt
  loggregator_client.key.erb: config/certs/loggregator/client.key
  tls.crt.erb: config/certs/tls.crt
  tls.key.erb: config/certs/tls.key
  tls_ca.crt.erb: config/certs/tls_ca.crt

packages:
  - rep_windows
  - healthcheck_windows
  - certsplitter_windows

properties:
  use_v2_tls:
    default: false
    description: "Whether the rep should use mutual TLS for all communications to other Diego components. Requires `tls.ca_cert`, `tls.cert`, and `tls.key` to be configured. Deprecated as mutual TLS will be required in v2.0+"

  admin_api.require_tls:
    default: false
    description: "Whether to require mutual TLS for communication to the rep's administrative API. Requires `tls.ca_cert`, `tls.cert`, and `tls.key` to be configured. Deprecated as mutual TLS will be required in v2.0+"
  diego.rep.listen_addr:
    description: "address to serve auction and LRP stop requests on. Deprecated in favor of diego.rep.listen_addr_admin and diego.rep.listen_addr_securable."
    default: "0.0.0.0:1800"
  diego.rep.debug_addr:
    description: "address at which to serve debug info"
    default: "127.0.0.1:17008"
  diego.rep.polling_interval_in_seconds:
    description: "The interval to look for completed tasks and LRPs in seconds"
    default: 30
  diego.rep.evacuation_polling_interval_in_seconds:
    description: "The interval to look for completed tasks and LRPs during evacuation in seconds"
    default: 10
  diego.rep.evacuation_timeout_in_seconds:
    description: "The time to wait for evacuation to complete in seconds"
    default: 600
  diego.rep.zone:
    description: "The zone associated with the rep. This will override the BOSH-provided spec.az property if present."
  diego.rep.use_azure_fault_domains:
    description: "Use Azure Fault-Domains to determine the value of the zone. The value of the zone will be z<FD-index>. e.g. z0, z1, etc."
    default: false
  diego.rep.preloaded_rootfses:
    description: "Array of name:absolute_path pairs representing root filesystems preloaded onto the underlying garden"
    default:
      - windows2012R2:/tmp/windows2012R2
  diego.rep.rootfs_providers:
    description: "Array of schemes for which the underlying garden can support arbitrary root filesystems"
    default: []
  diego.rep.log_level:
    description: "Log level"
    default: "info"
  diego.rep.dropsonde_port:
    description: "local metron agent's port. Deprecated, will be removed when loggregator API v1 support is removed."
    default: 3457
  diego.rep.trusted_certs:
    description: "Concatenation of trusted CA certificates to be made available on the cell. Deprecated in favor of containers.trusted_ca_certificates"
    default: null
  diego.rep.open_bindmounts_acl:
    description: "Add more permissive ACLs to directories that are bind mounted into containers. Required for Windows 2016 cells"
    default: false

  loggregator.use_v2_api:
    description: "True to use local metron agent gRPC v2 API. False to use UDP v1 API."
    default: false
  loggregator.v2_api_port:
    description: "Local metron agent gRPC port"
    default: 3458
  loggregator.ca_cert:
    description: "CA Cert used to communicate with local metron agent over gRPC"
  loggregator.cert:
    description: "Cert used to communicate with local metron agent over gRPC"
  loggregator.key:
    description: "Key used to communicate with local metron agent over gRPC"

  diego.rep.advertise_domain:
    description: "base domain at which the rep should advertise its secure API"
    default: "cell.service.cf.internal"
  diego.rep.enable_legacy_api_endpoints:
    description: "Whether to enable the auction, LRP, and Task endpoints on the legacy, insecurable API server. Deprecated since the legacy API server will be removed in Diego v2.0."
    default: true
  diego.rep.listen_addr_admin:
    description: "When enable_legacy_api_endpoints is set to false, serve (insecure) ping and evacuate requests on this address and port"
    default: "127.0.0.1:1800"
  diego.rep.listen_addr_securable:
    description: "address where rep listens for LRP and task start auction requests"
    default: "0.0.0.0:1801"
  diego.rep.require_tls:
    description: "Whether to require mutual TLS for communication to the securable rep API server. Deprecated since mutual TLS will be required in Diego v2.0+."
    default: true
  diego.rep.ca_cert:
    description: "PEM-encoded CA certificate. Deprecated in favor of tls.ca_cert"
  diego.rep.server_cert:
    description: "PEM-encoded server certificate. Deprecated in favor of tls.cert"
  diego.rep.server_key:
    description: "PEM-encoded server key. Deprecated in favor of tls.key"

  diego.ssl.skip_cert_verify:
    description: "when connecting over https, ignore bad ssl certificates"
    default: false
  diego.executor.ca_certs_for_downloads:
    description: "Concatenation of trusted CA certificates to be used when downloading assets. Deprecated in favor of configuration with tls.{crt,key,ca_cert}"
    default: null
  tls.cert:
    description: "PEM-encoded tls certificate that can be used for client and server authentication"
  tls.key:
    description: "PEM-encoded tls client key"
  tls.ca_cert:
    description: "PEM-encoded tls client CA certificate for asset upload/download"

  diego.rep.consul.require_tls:
    description: "Require mutual TLS to talk to the local consul API"
    default: false
  diego.rep.consul.ca_cert:
    description: "PEM-encoded CA certificate"
  diego.rep.consul.client_cert:
    description: "PEM-encoded client certificate"
  diego.rep.consul.client_key:
    description: "PEM-encoded client key"

  diego.executor.memory_capacity_mb:
    description: "the memory capacity the executor should manage.  this should not be greater than the actual memory on the VM"
    default: "auto"
  diego.executor.disk_capacity_mb:
    description: "the container disk capacity the executor should manage.  this should not be greater than the actual disk quota on the VM"
    default: "auto"
  diego.executor.auto_disk_capacity_overhead_mb:
    description: "the amount of overhead that should be subtracted from the container disk capacity, this only applies when disk_capacity_mb is set to auto"
    default: 0
  diego.executor.max_concurrent_downloads:
    description: "the max concurrent download steps that can be active"
    default: 5
  diego.executor.container_max_cpu_shares:
    description: "the maximum number of cpu shares for a container."
    default: 1024
  diego.executor.container_inode_limit:
    description: "the inode limit enforced on each garden container."
    default: 200000
  diego.executor.container_metrics_report_interval:
    description: "the frequency for emitting container metrics"
  diego.executor.max_cache_size_in_bytes:
    description: "maximum size of the cache in bytes - this should leave a healthy overhead for temporary items, etc."
    default: 10000000000
  diego.executor.garden.address:
    description: "Garden server listening address."
    default: 127.0.0.1:9241
  diego.executor.garden.network:
    description: "Network type for the garden server connection (tcp or unix)."
    default: tcp
  diego.executor.export_network_env_vars:
    description: "Export network environment variables into container (e.g. CF_INSTANCE_IP, CF_INSTANCE_PORT). Deprecated, these will always be exported in Diego v2.0+."
    default: true
  diego.executor.healthy_monitoring_interval_in_seconds:
    description: "Interval to check healthy containers in seconds."
    default: 30
  diego.executor.unhealthy_monitoring_interval_in_seconds:
    description: "Interval to check unhealthy containers in seconds."
    default: 2
  diego.executor.create_work_pool_size:
    description: "Maximum number of concurrent create container operations."
    default: 32
  diego.executor.delete_work_pool_size:
    description: "Maximum number of concurrent delete container operations."
    default: 32
  diego.executor.read_work_pool_size:
    description: "Maximum number of concurrent get container info operations."
    default: 64
  diego.executor.metrics_work_pool_size:
    description: "Maximum number of concurrent get container metrics operations."
    default: 8
  diego.executor.healthcheck_work_pool_size:
    description: "Maximum number of concurrent health check operations."
    default: 64

  diego.executor.garden_healthcheck.interval:
    description: "Frequency for healtchecking garden"
    default: "10m"
  diego.executor.garden_healthcheck.timeout:
    description: "Maximum allowed time for garden healthcheck"
    default: "10m"
  diego.executor.garden_healthcheck.command_retry_pause:
    description: "Time to wait between retrying garden commands"
    default: "1s"
  diego.executor.garden_healthcheck.process.path:
    description: "Path of the command to run to perform a container healthcheck"
    default: "C:\\windows\\system32\\cmd.exe"
  diego.executor.garden_healthcheck.process.args:
    description: "List of command line args to pass to the garden health check process"
    default: "/c, dir"
  diego.executor.garden_healthcheck.process.user:
    description: "User to use while performing a container healthcheck"
    default: "vcap"
  diego.executor.garden_healthcheck.process.dir:
    description: "Directory to run the healthcheck process from"
  diego.executor.garden_healthcheck.process.env:
    description: "Environment variables to use when running the garden health check"
  diego.executor.post_setup_hook:
    description: "Experimental: arbitrary command to run after setup action"
  diego.executor.post_setup_user:
    description: "Experimental: user to run post setup hook command"
  diego.executor.instance_identity_ca_cert:
    description: "PEM-encoded CA used to sign instance identity credentials. Enables instance identity if set along with instance_identity_key"
  diego.executor.instance_identity_key:
    description: "PEM-encoded key used to sign instance identity credentials. Enables instance identity if set along with instance_identity_ca_cert"
  diego.executor.instance_identity_validity_period_in_hours:
    description: "Validity period for the generated instance identity certificate"
    default: 24

  diego.rep.bbs.api_location:
    description: "Address to the BBS Server"
    default: "bbs.service.cf.internal:8889"

  diego.rep.bbs.ca_cert:
    description: "PEM-encoded CA certificate. Deprecated in favor of tls.ca_cert"
  diego.rep.bbs.client_cert:
    description: "PEM-encoded client certificate. Deprecated in favor of tls.cert"
  diego.rep.bbs.client_key:
    description: "PEM-encoded client key. Deprecated in favor of tls.key"
  diego.rep.bbs.require_ssl:
    description: "require ssl for all communication with the bbs. Deprecated, TLS will be required for the bbs in Diego v2.0+."
    default: true
  diego.rep.bbs.client_session_cache_size:
    description: "capacity of the tls client cache"
  diego.rep.bbs.max_idle_conns_per_host:
    description: "maximum number of idle http connections"

  diego.rep.placement_tags:
    description: "Array of tags used for scheduling Tasks and LRPs"
    default: []
  diego.rep.optional_placement_tags:
    description: "Array of optional tags used for scheduling Tasks and LRPs"
    default: []

  syslog_daemon_config.address:
    description: "Syslog host"
    default: ""
  syslog_daemon_config.port:
    description: "Syslog port"
    default: ""
  syslog_daemon_config.transport:
    description: "Syslog transport protocol (tcp or udp)"
    default: "udp"

  diego.rep.job_name:
    description: "The name of the Diego job referenced by this spec (DO NOT override)"
    default: "rep_windows"

  diego.rep.locket.api_location:
    description: "Hostname and port of the locket server"

  enable_consul_service_registration:
    description: "Enable the cell rep to register itself as a service with Consul, for client discovery via Consul DNS. Do not disable without arranging alternate service discovery."
    default: true
  enable_declarative_healthcheck:
    description: "EXPERIMENTAL: When set, enables the rep to prefer the LRP CheckDefinition to healthcheck instances over the Monitor action."
    default: false
  declarative_healthcheck_path:
    description: "EXPERIMENTAL: The directory containing the declarative healthcheck binary"
    default: "/var/vcap/packages/healthcheck_windows/external"

  containers.graceful_shutdown_interval_in_seconds:
    description: "EXPERIMENTAL: time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10."
    default: 10

  containers.proxy.enabled:
    description: "EXPERIMENTAL: Enable envoy proxy on garden containers. Currently doesn't work on windows cells but left here for compatability with the linux Rep"
    default: false
  containers.proxy.additional_memory_allocation_mb:
    description: "EXPERIMENTAL: Additional memory allocated to each container for the envoy proxy. This must not be negative. Currently doesn't work on windows cells but left here for compatability with the linux Rep"
    default: 5

  containers.trusted_ca_certificates:
    description: "List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs."
    example:
    - |
      ----- BEGIN CERTIFICATE -----
      CONTENTS OF CERTIFICATE #1
      ----- END CERTIFICATE -----
    - |
      ----- BEGIN CERTIFICATE -----
      CONTENTS OF CERTIFICATE #2
      ----- END CERTIFICATE -----
    - |
      ----- BEGIN CERTIFICATE -----
      CONTENTS OF CERTIFICATE #3
      ----- END CERTIFICATE -----
      ----- BEGIN CERTIFICATE -----
      CONTENTS OF CERTIFICATE #4
      ----- END CERTIFICATE -----
