---
name: routing-api
templates:
  dns_health_check.erb: bin/dns_health_check

  uaa_ca.crt.erb: config/certs/uaa/ca.crt

  routing-api.yml.erb: config/routing-api.yml
  routing_api_health_check.erb: bin/routing_api_health_check

  locket_ca.crt.erb: config/certs/locket/ca.crt
  locket_client.crt.erb: config/certs/locket/client.crt
  locket_client.key.erb: config/certs/locket/client.key

  api_mtls_client_ca.crt.erb: config/certs/routing-api/client_ca.crt
  api_mtls_client.crt.erb: config/certs/routing-api/client.crt
  api_mtls_client.key.erb: config/certs/routing-api/client.key
  api_mtls_server.crt.erb: config/certs/routing-api/server.crt
  api_mtls_server.key.erb: config/certs/routing-api/server.key

  bbr-metadata: bin/bbr/metadata
  pre-backup-lock.erb: bin/bbr/pre-backup-lock
  post-backup-unlock.erb: bin/bbr/post-backup-unlock
  pre-restore-lock.erb: bin/bbr/pre-restore-lock
  post-restore-unlock.erb: bin/bbr/post-restore-unlock

  bpm.yml.erb: config/bpm.yml
  bpm-pre-start.erb: bin/bpm-pre-start

packages:
- routing-api
- routing_utils

provides:
- name: routing_api
  type: routing_api
  properties:
  - routing_api.clients
  - routing_api.system_domain
  - routing_api.port
  - routing_api.mtls_port
  - routing_api.mtls_ca
  - routing_api.mtls_server_cert
  - routing_api.mtls_server_key
  - routing_api.mtls_client_cert
  - routing_api.mtls_client_key
  - routing_api.reserved_system_component_ports
  - routing_api.enabled_api_endpoints
  - routing_api.max_ttl
  - uaa.token_endpoint
  - uaa.tls_port
  - uaa.ca_cert
  - skip_ssl_validation
- name: routing_api_db
  type: routing_api_db
  properties:
  - routing_api.sqldb
  - release_level_backup

consumes:
  - name: tcp_router
    type: tcp-router
    optional: true
  - name: gorouter
    type: http-router

properties:
  routing_api.max_ttl:
    description: "String representing the maximum TTL a client can request for route registration."
    default: "120s"
  routing_api.auth_disabled:
    description: "Disables UAA authentication"
    default: false
  routing_api.metrics_reporting_interval:
    description: "String representing interval for reporting the following metrics: total_http_subscriptions, total_http_routes, total_tcp_subscriptions, total_tcp_routes, total_token_errors, key_refresh_events. Units: ms, s, m h"
    default: "30s"
  routing_api.statsd_endpoint:
    description: "The endpoint for the statsd server used to translate the following metrics from statsd to dropsonde: total_http_subscriptions, total_http_routes, total_tcp_subscriptions, total_tcp_routes, total_token_errors, key_refresh_events."
    default: "localhost:8125"
  routing_api.debug_address:
    description: "Address at which to serve debug info"
    default: "127.0.0.1:17002"
  routing_api.statsd_client_flush_interval:
    description: "Buffered statsd client flush interval"
    default: "300ms"
  routing_api.system_domain:
    description: "Domain reserved for CF operator; base URL where the UAA, Cloud Controller, and other non-user apps listen"
  skip_ssl_validation:
    description: Skip TLS verification when talking to UAA
    default: false
  routing_api.log_level:
    description: "Log level"
    default: "info"
  routing_api.port:
    description: "Port on which Routing API is running. If this is changed and routing_api.enabled:true in cf-release, it will break management of routes and domains until routing_api.port is updated in cf-release."
    default: 3000

  routing_api.enabled_api_endpoints:
    description: "Protocols that the routing api will listen on. Possible values: 'mtls', or 'both' (mTLS + HTTP)"
    default: "mtls"
  routing_api.mtls_port:
    description: "Port on which Routing API is running, listening with mTLS."
    default: 3001
  routing_api.mtls_ca:
    description: "Routing API CA cert"
  routing_api.mtls_server_cert:
    description: "Routing API server cert"
  routing_api.mtls_server_key:
    description: "Routing API server key"
  routing_api.mtls_client_cert:
    description: "Routing API client cert (provided to clients by bosh link)"
  routing_api.mtls_client_key:
    description: "Routing API client key (provided to clients by bosh link)"

  routing_api.health_check_timeout_per_retry:
    default: 2
    description: "Maximum health check timeout (in seconds) for each retry attempt in the Routing API's route registration health check"
  routing_api.health_check_total_timeout:
    default: 6
    description: "Maximum health check timeout (in seconds). Health checks will be retried until this time limit is reached. This should be less than or equal to your route_registrar.routes.routing-api.health_check.timeout"

  metron.port:
    description: "The port used to emit dropsonde messages to the Metron agent."
    default: 3457

  dns_health_check_host:
    description: "Host to ping for confirmation of DNS resolution"
    default: uaa.service.cf.internal

  routing_api.sqldb.host:
    description: "Host for SQL database"
  routing_api.sqldb.port:
    description: "Port on which SQL database is listening"

  routing_api.sqldb.type:
    description: "Type of SQL database"
    example: "mysql"
  routing_api.sqldb.schema:
    description: "Database name for routing api"
    example: "routing_api"

  routing_api.sqldb.username:
    description: "Username used for connecting to SQL database"
  routing_api.sqldb.password:
    description: "Password used for connecting to SQL database"
  routing_api.sqldb.ca_cert:
    description: (optional, string) When present, force database connections via TLS.
  routing_api.sqldb.skip_hostname_validation:
    description: "skip checking the hostname of the server cert when connecting via TLS"
    default: false

  routing_api.sqldb.max_open_connections:
    description: |
      Maximum number of open connections to the SQL database.
      The number of necessary connections will scale with the number of requests to the `/routing/...` cf api endpoints.
    default: 200

  routing_api.sqldb.max_idle_connections:
    description: |
      Maximum number of idle connections to the SQL database.
      Idle connections will be retained until their `routing_api.sqldb.connections_max_lifetime_seconds` has been reached.
    default: 10

  routing_api.sqldb.connections_max_lifetime_seconds:
    description: |
      Sets the maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse.
      If value <= 0, connections are reused forever.
      If there is a spike in connection usage, all of these connections have the potential to stick around with a high lifetime.
      Lowering the lifetime will result in connections getting reaped sooner, but the routing-api may have to renegotiate connections
      more often, which could add some latency. We recommend using the default unless you have seen specific needs to change it.
    default: 3600

  uaa.ca_cert:
    description : "Certificate authority for communication between clients and UAA."
    default: ""

  uaa.token_endpoint:
    description: "UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA."
    default: uaa.service.cf.internal

  uaa.tls_port:
    description: "Port on which UAA is listening for TLS connections. This is required for obtaining a key to verify client OAuth tokens."

  routing_api.clients:
    description: "OAuth client ids and secrets provided via link to jobs in other BOSH deployments that need to read and/or write to Routing API. These clients must be configured in UAA via API or using the property uaa.clients with the desired scopes. For a list of scopes supported see https://github.com/cloudfoundry-incubator/routing-api/blob/master/docs/api_docs.md. Jobs consuming the link should use these credentials to fetch a token from UAA with which to authenticate with Routing API."
    example:
      cfcr_routing_api_client:
        secret: "((uaa_clients_cfcr_routing_api_client_secret))"

  routing_api.router_groups:
    description: "Array of router groups that will be seeded into routing_api database. Once some value is included with a deploy, subsequent changes to this property will be ignored. TCP Routing requires a router group of type: tcp."
    default: []
    example: |
      - name: default-tcp
        reservable_ports: 1024-10000,12000
        type: tcp

  routing_api.reserved_system_component_ports:
    description: |
      Array of ports that are reserved for system components.
      Users will not be able to create router_groups with ports that overlap
      with this value. Please see docs for more information about these ports.
    default: [2822,2825,3457,3458,3459,3460,3461,8853,9100,14726,14727,14821,14822,14823,14824,14829,14830,14920,14922,15821,17002,53035,53080]

  routing_api.fail_on_router_port_conflicts:
    description: "This should come via a bosh link from the tcp_routing job. This property is here in case it needs to be overwritten."

  routing_api.lock_ttl:
    description: "TTL for service lock"
    default: "10s"

  routing_api.lock_retry_interval:
    description: "interval to wait before retrying a failed lock acquisition"
    default: "5s"

  routing_api.locket.api_location:
    description: "Hostname and port of the Locket server. Used to obtain a lock so only one instance of Routing API is active at a time."

  routing_api.locket.ca_cert:
    description: "CA cert for the Locket server."
    default: ""

  routing_api.locket.client_cert:
    description: "Client cert for the Locket server."
    default: ""

  routing_api.locket.client_key:
    description: "Client key for the Locket server."
    default: ""

  routing_api.admin_port:
    description: "Local port to listen on with admin endpoint (used for backup/restore locking)"
    default: 15897


  release_level_backup:
    default: false
    description: "Include routing api database in backup and restore operations"
