configuration.md

File metadata and controls

167 lines (136 loc) · 10.9 KB

# Broker Configuration

The broker can be configured through environment variables, a configuration file, or a combination of both.

## Configuration File

A configuration file can be provided at run time to the broker:

```sh
cloud-service-broker serve --config <config file name>
```

A configuration file can be YAML or JSON. Config file values that are `.`-delimited represent hierarchy in the config file.

Example:

```yaml
db:
  host: hostname
```

represents a config file value of `db.host`.

## Database Configuration Properties

Connection details for the backing database for the service broker.

You can configure the following values:

| Environment Variable | Config File Value | Type | Description |
|---|---|---|---|
| DB_HOST * | db.host | string | Database host |
| DB_USERNAME | db.user | string | Database username |
| DB_PASSWORD | db.password | secret | Database password |
| DB_PORT * | db.port | string | Database port. Default: 3306 |
| DB_NAME * | db.name | string | Database name. Default: servicebroker |
| DB_TLS * | db.tls | string | Enforce TLS on the connection to the database. Allowed values: `true`, `false`, `skip-verify`, `custom` (`custom` is used together with the CA/client certificate settings below) |
| CUSTOM_CERT_TLS_SKIP_VERIFY * | db.custom_certs.tls_skip_verify | bool | Skip TLS verification when using custom certificates. Default: true. Note that the default leaves the server certificate unchecked even though a CA is configured; set it to false outside test environments so the connection is actually authenticated |
| CA_CERT | db.ca.cert | text | Server CA cert |
| CLIENT_CERT | db.client.cert | text | Client cert |
| CLIENT_KEY | db.client.key | text | Client key |
| ENCRYPTION_ENABLED | db.encryption.enabled | Boolean | Enable encryption of sensitive data in the database |
| ENCRYPTION_PASSWORDS | db.encryption.passwords | text | JSON collection of passwords (see the example below) |
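Because `skip-verify` and the `tls_skip_verify` default both produce a connection that is encrypted but not authenticated, it is worth checking a `db:` section before deploying it. The following is an added example, not cloud-service-broker code: it reads the `db.tls`, `db.custom_certs` and `db.ca` values from the table above and reports whether the resulting connection is encrypted and whether the server certificate is verified. The interpretation of the four `db.tls` values (`false` = plaintext, `skip-verify` = TLS without a certificate check, `true` = TLS verified against the system trust store, `custom` = TLS with the configured CA, verified only when `tls_skip_verify` is false) is this example's reading of the table and should be confirmed against the broker version you run; the sample configs and function names are constructed for the example.

```python
"""Added example (not cloud-service-broker code): work out what a `db:` section
actually gives you, so a config is not deployed with TLS switched on but
certificate verification silently off.

Assumed reading of db.tls (confirm against your broker version):
  "false"       -> plaintext
  "skip-verify" -> TLS, no certificate check
  "true"        -> TLS, verified against the system trust store
  "custom"      -> TLS with db.ca.cert, verified only when
                   db.custom_certs.tls_skip_verify is false (documented default: true)
"""


def _as_bool(value, default):
    """Accept YAML booleans as well as the string forms an environment variable carries."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes")


def effective_db_tls(db_cfg):
    """Return (encrypted, server_verified) for the `db:` section of a config."""
    mode = str(db_cfg.get("tls", "")).strip().lower()
    if mode == "false":
        return (False, False)
    if mode == "skip-verify":
        return (True, False)
    if mode == "true":
        return (True, True)
    if mode == "custom":
        custom = db_cfg.get("custom_certs") or {}
        # The documented default is true, i.e. no verification unless set explicitly.
        skip = _as_bool(custom.get("tls_skip_verify"), default=True)
        return (True, not skip)
    raise ValueError(f"db.tls must be true, false, skip-verify or custom, got {mode!r}")


def db_tls_findings(db_cfg):
    """Return the problems a reviewer would flag; an empty list means the
    connection is both encrypted and authenticated."""
    if "tls" not in db_cfg:
        return ["db.tls is not set; set it explicitly rather than relying on a default"]
    encrypted, verified = effective_db_tls(db_cfg)
    findings = []
    if not encrypted:
        findings.append("database traffic is plaintext (db.tls=false)")
    elif not verified:
        findings.append("TLS is on but the server certificate is never verified; "
                        "set db.custom_certs.tls_skip_verify=false or db.tls=true")
    if str(db_cfg.get("tls")).strip().lower() == "custom" and not (db_cfg.get("ca") or {}).get("cert"):
        findings.append("db.tls=custom but db.ca.cert is empty")
    return findings


# Constructed sample configs. WEAK_DB looks secure (tls: custom, CA supplied)
# but inherits the tls_skip_verify default of true.
WEAK_DB = {
    "host": "mysql.internal.example",
    "tls": "custom",
    "ca": {"cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"},
}
HARDENED_DB = {
    "host": "mysql.internal.example",
    "tls": "custom",
    "custom_certs": {"tls_skip_verify": False},
    "ca": {"cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DB), ("hardened", HARDENED_DB)):
        print(name, db_tls_findings(cfg) or "ok")
```

`WEAK_DB` is the trap: it names a CA and sets `tls: custom`, yet without `custom_certs.tls_skip_verify: false` the table's default applies and the checker reports the certificate as unverified; `HARDENED_DB` differs only in that one key.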

Example:

```yaml
db:
  host: hostname
  encryption:
    enabled: true
    passwords: "[{\"label\":\"first-password\",\"password\":{\"secret\":\"veryStrongSecurePassword\"},\"primary\":true}]"
```

Example Encryption Passwords JSON object:

```json
[
  {
    "label": "first-password",
    "password": {
      "secret": "veryStrongSecurePassword"
    },
    "primary": true
  }
]
```

### Enabling first time encryption

  1. Set `db.encryption.enabled` to true and add a password to the collection of passwords, marked as primary.
  2. Restart the CSB app.

### Rotating encryption keys

  1. Add a new password to the collection of passwords and mark it as primary. The previous primary password must still be provided, no longer marked as primary.
  2. Restart the CSB app.
  3. Once the app has successfully started, the old password(s) can be removed from the configuration.

### Disabling encryption (after it was enabled)

  1. Set `db.encryption.enabled` to false. The previous primary password must still be provided, no longer marked as primary.
  2. Restart the CSB app.
  3. Once the app has successfully started, the old password(s) can be removed from the configuration.
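The three procedures above differ only in what the password collection looks like before and after each restart, and getting that wrong (two primaries, or dropping the old password before the restart) is the usual mistake. The following helper is an added example and is not part of cloud-service-broker: it produces the `ENCRYPTION_PASSWORDS` / `db.encryption.passwords` value for each step of the enable, rotate and disable procedures and checks the invariants they rely on (exactly one primary while encryption is enabled, none while it is being disabled, unique labels, every entry carrying a `password.secret`). Function names are the example's own and the secrets are constructed placeholders.

```python
"""Added example (not cloud-service-broker code): build the value for
ENCRYPTION_PASSWORDS / db.encryption.passwords at each step of the
first-time-enable, rotation and disable procedures, and check the
invariants those steps rely on. Secrets below are constructed placeholders.
"""
import json


def validate_passwords(passwords, encryption_enabled=True):
    """Return a list of problems; an empty list means the collection is consistent.

    While encryption is enabled exactly one entry must be primary. While it is
    being disabled no entry may be primary, but the previous primary must still
    be present so that already-encrypted rows can be read back.
    """
    problems = []
    labels = [p.get("label") for p in passwords]
    if len(set(labels)) != len(labels):
        problems.append("duplicate labels")
    for p in passwords:
        if not p.get("label"):
            problems.append("entry without a label")
        if not (p.get("password") or {}).get("secret"):
            problems.append(f"entry {p.get('label')!r} has no password.secret")
    primaries = [p["label"] for p in passwords if p.get("primary")]
    if encryption_enabled and len(primaries) != 1:
        problems.append(f"expected exactly one primary, found {len(primaries)}")
    if not encryption_enabled and primaries:
        problems.append("encryption is being disabled but an entry is still primary")
    return problems


def enable_first_time(label, secret):
    """Enabling first time encryption, step 1: a single primary password."""
    return [{"label": label, "password": {"secret": secret}, "primary": True}]


def start_rotation(passwords, new_label, new_secret):
    """Rotating, step 1: add the new password as primary, keep the old one demoted."""
    if any(p.get("label") == new_label for p in passwords):
        raise ValueError(f"label {new_label!r} is already in use")
    demoted = [dict(p, primary=False) for p in passwords]
    return demoted + [{"label": new_label, "password": {"secret": new_secret}, "primary": True}]


def finish_rotation(passwords):
    """Rotating, step 3 (only after the restart succeeded): drop the old passwords."""
    kept = [p for p in passwords if p.get("primary")]
    if len(kept) != 1:
        raise ValueError("refusing to prune: there must be exactly one primary")
    return kept


def start_disable(passwords):
    """Disabling, step 1: keep the old primary but no longer marked primary."""
    return [dict(p, primary=False) for p in passwords]


def to_config_value(passwords):
    """Compact JSON as it goes into the env var or the quoted YAML string."""
    return json.dumps(passwords, separators=(",", ":"))


if __name__ == "__main__":
    step = enable_first_time("first-password", "veryStrongSecurePassword")
    print("enable: ", to_config_value(step), validate_passwords(step))
    step = start_rotation(step, "second-password", "anotherStrongSecurePassword")
    print("rotate: ", to_config_value(step), validate_passwords(step))
    step = finish_rotation(step)  # only after the broker restarted successfully
    print("prune:  ", to_config_value(step), validate_passwords(step))
    step = start_disable(step)
    print("disable:", to_config_value(step), validate_passwords(step, encryption_enabled=False))
```

Run each output through `validate_passwords` before the corresponding restart; `finish_rotation` and `start_disable` are deliberately separate from the steps that precede them because the restart in between is what re-encrypts the stored data.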

## Broker Service Configuration

Broker service configuration values:

| Environment Variable | Config File Value | Type | Description |
|---|---|---|---|
| SECURITY_USER_NAME * | api.user | string | Broker authentication username |
| SECURITY_USER_PASSWORD * | api.password | string | Broker authentication password |
| PORT | api.port | string | Port to bind the broker to |
| TLS_CERT | api.tlsCert | string | File path to a PEM-encoded certificate |
| TLS_PRIVATE_KEY | api.tlsKey | string | File path to a PEM-encoded private key |

## Debugging

Values for debugging:

| Environment Variable | Config File Value | Type | Description |
|---|---|---|---|
| CSB_DEBUG_LEAVE_WORKSPACE_DIR | debug.leave_workspace_dir | bool | Disables the cleanup of workspace directories, so you can inspect the files and run terraform commands |

## Feature flags Configuration

Feature flags can be toggled through the following configuration values. See also source code occurrences of `toggles.Features.Toggle`.

| Environment Variable | Config File Value | Type | Description | Default |
|---|---|---|---|---|
| GSB_COMPATIBILITY_ENABLE_BUILTIN_BROKERPAKS * | compatibility.enable_builtin_brokerpaks | Boolean | Load brokerpaks that are built-in to the software. | "true" |
| GSB_COMPATIBILITY_ENABLE_CATALOG_SCHEMAS * | compatibility.enable_catalog_schemas | Boolean | Enable generating JSON Schema for the service catalog. | "false" |
| GSB_COMPATIBILITY_ENABLE_CF_SHARING * | compatibility.enable_cf_sharing | Boolean | Set all services to have the shareable flag so they can be shared. | "false" |
| GSB_COMPATIBILITY_ENABLE_EOL_SERVICES * | compatibility.enable_eol_services | Boolean | Enable broker services that are end of life. | "false" |
| GSB_COMPATIBILITY_ENABLE_BETA_SERVICES * | compatibility.enable_beta_services | Boolean | Enable services that are in beta. These have no SLA or support. | "false" |
| GSB_COMPATIBILITY_ENABLE_GCP_DEPRECATED_SERVICES * | compatibility.enable_gcp_deprecated_services | Boolean | Enable services that use deprecated GCP components. | "false" |
| GSB_COMPATIBILITY_ENABLE_PREVIEW_SERVICES * | compatibility.enable_preview_services | Boolean | Enable services that are new to the broker this release. | "true" |
| GSB_COMPATIBILITY_ENABLE_TERRAFORM_SERVICES * | compatibility.enable_terraform_services | Boolean | Enable services that use the experimental, unstable Terraform back-end. | "false" |
| GSB_COMPATIBILITY_ENABLE_UNMAINTAINED_SERVICES * | compatibility.enable_unmaintained_services | Boolean | Enable broker services that are unmaintained. | "false" |
| TERRAFORM_UPGRADES_ENABLED * | brokerpak.terraform.upgrades.enabled | Boolean | Enables Terraform version upgrades when the brokerpak specifies an upgrade path and an upgrade is requested for an instance. | "false" |
| BROKERPAK_UPDATES_ENABLED * | brokerpak.updates.enabled | Boolean | Enable update of the HCL of existing instances on update. When false, any update is executed with the same HCL the instance was created with. When true, updates are executed with the newest specification in the brokerpak. | "false" |

## Credhub Configuration

The broker supports passing credentials to apps via CredHub references, keeping them private to the application (they won't show up in `cf env app_name` output).

| Environment Variable | Config File Value | Type | Description |
|---|---|---|---|
| CH_CRED_HUB_URL | credhub.url | URL | CredHub service URL, usually https://credhub.service.cf.internal:8844 |
| CH_UAA_URL | credhub.uaa_url | URL | UAA service URL, usually https://uaa.service.cf.internal:8443 |
| CH_UAA_CLIENT_NAME | credhub.uaa_client_name | string | UAA client name, usually credhub_admin_client |
| CH_UAA_CLIENT_SECRET | credhub.uaa_client_secret | string | UAA client secret: "Credhub Admin Client Credentials" from Operations Manager > PAS > Credentials tab |
| CH_SKIP_SSL_VALIDATION | credhub.skip_ssl_validation | boolean | Skip SSL validation if true. Leave this false outside test environments and supply the CA via CH_CA_CERT_FILE instead |
| CH_CA_CERT_FILE | credhub.ca_cert_file | path | Path to the CA certificate file |

### Credhub Config Example (Azure)

```yaml
azure:
  subscription_id: your subscription id
  tenant_id: your tenant id
  client_id: your client id
  client_secret: your client secret
db:
  host: your mysql host
  password: your mysql password
  user: your mysql username
api:
  user: someusername
  password: somepassword
credhub:
  url: ...
  uaa_url: ...
  uaa_client_name: ...
  uaa_client_secret: ...
```

## Brokerpak Configuration

Brokerpak configuration values:

| Environment Variable | Config File Value | Type | Description |
|---|---|---|---|
| GSB_BROKERPAK_BUILTIN_PATH | brokerpak.builtin.path | string | Path to search for .brokerpak files. Default: ./ |
| GSB_BROKERPAK_CONFIG | brokerpak.config | string | JSON global config for brokerpak services |
| GSB_PROVISION_DEFAULTS | provision.defaults | string | JSON global provision defaults |
| GSB_SERVICE_SERVICE_NAME_PROVISION_DEFAULTS | service.service-name.provision.defaults | string | JSON provision defaults override for service-name |
| GSB_SERVICE_SERVICE_NAME_PLANS | service.service-name.plans | string | JSON plan collection to augment plans for service-name |

## CLI Configuration

The `cloud-service-broker pak` command supports the following configuration values:

| Environment Variable | Config File Value | Type | Description |
|---|---|---|---|
| PAK_BUILD_CACHE_PATH | pak.cache_path | string | Set to a non-empty file system path to use a cache when `csb pak build` downloads binaries |