---
name: tcp_router

templates:
  tcp_router_ctl.erb: bin/tcp_router_ctl
  haproxy_reloader: bin/haproxy_reloader
  bpm-pre-start.erb: bin/bpm-pre-start
  tcp_router.yml.erb: config/tcp_router.yml
  uaa_ca.crt.erb: config/certs/uaa/ca.crt
  routing_api_client_certificate.crt.erb: config/certs/routing-api/client.crt
  routing_api_client_private.key.erb: config/keys/routing-api/client.key
  routing_api_ca_certificate.crt.erb: config/certs/routing-api/ca_cert.crt
  tcp_router_backend_client_cert_and_key.pem.erb: config/keys/tcp-router/backend/client_cert_and_key.pem
  tcp_router_backend_ca.crt.erb: config/certs/tcp-router/backend/ca.crt
  tcp_router_health_check_certificate.pem.erb: config/certs/health.pem
  # config/haproxy.conf is used for initial haproxy config when starting up
  haproxy.conf.erb: config/haproxy.conf
  # config/haproxy.conf.template is rendered by tcp-router when routes are provided
  haproxy.conf.template.erb: config/haproxy.conf.template 
  bpm.yml.erb: config/bpm.yml
  drain.erb: bin/drain
  post-start.erb: bin/post-start

packages:
  - routing_utils
  - tcp_router
  - haproxy

provides:
  - name: tcp_router
    type: tcp-router
    properties:
    - tcp_router.fail_on_router_port_conflicts

consumes:
  - name: routing_api
    type: routing_api
    optional: true

properties:
  tcp_router.debug_address:
    description: "Address at which to serve debug info"
    default: "127.0.0.1:17002"
  tcp_router.isolation_segments:
    description: "Routes with these isolation segments will be registered. Used in combination with routing_table_sharding_mode."
    default: []
  tcp_router.log_level:
    description: "Log level"
    default: "info"
  tcp_router.tcp_stats_collection_interval:
    description: "String representing interval for collecting statistic metrics from tcp proxy. Units: ms, s, m h"
    default: "1m"
  tcp_router.oauth_secret:
    description: "OAuth client secret used to obtain token for Routing API from UAA."
  tcp_router.backend_tls.enabled:
    description: |
      Turns on support for TLS for TCP Router. Requires tcp_router.backend_tls.ca_cert to
      be set. For mTLS also set tcp_router.backend_tls.client_cert and
      tcp_router.backend_tls.client_key.
    default: false
  tcp_router.backend_tls.client_cert:
    description: "TCP Router's TLS client cert used for mTLS with route backends"
  tcp_router.backend_tls.client_key:
    description: "TCP Router's TLS client private key used for mTLS with route backends"
  tcp_router.backend_tls.ca_cert:
    description: "TCP Router's TLS CA used with route backends"

  routing_api.uri:
    description: "URL where the routing API can be reached internally"
    default: https://routing-api.service.cf.internal
  routing_api.port:
    description: "Port of routing api"
  routing_api.auth_disabled:
    description: "Disables UAA authentication"
    default: false
  routing_api.client_cert:
    description: "Routing API Client Certificate"
  routing_api.client_private_key:
    description: "Routing API Client Private Key"
  routing_api.ca_cert:
    description: "Routing API Certificate Authority"
  reserved_system_component_ports:
    description: "This should come via a bosh link from the routing_api job. This property is here in case it needs to be overwritten."

  tcp_router.request_timeout_in_seconds:
    description: "Server and client timeouts in seconds"
    default: 300

  tcp_router.enable_nontls_health_checks:
    description: "Toggles on/off whether or not to listen for load balancer health check requests on the non-tls `tcp_router.health_check_port` port"
    default: true
  tcp_router.health_check_port:
    description: "Load balancer in front of TCP Routers should be configured to check the health of TCP Router instances by establishing a TCP connection on this port"
    default: 80
  tcp_router.tls_health_check_port:
    description: "Load balancer in front of TCP Routers should be configured to check the health of TCP Router instances by establishing a TLS connection on this port"
    default: 443
  tcp_router.tls_health_check_cert:
    description: "TLS certificate to use on the TCP Router's TLS health check port"
  tcp_router.tls_health_check_key:
    description: "TLS private key to use on the TCP Router's TLS health check port"

  tcp_router.fail_on_router_port_conflicts:
    description: "Fail the tcp router if routing_api.reserved_system_component_ports conflict with ports in existing router groups."
    default: "false"

  tcp_router.drain_wait:
    description: |
      Delay in seconds after shut down is initiated before haproxy stops listening.
      During this time haproxy will reject requests to the /health endpoint.
      This accommodates requests forwarded by a load balancer until it considers the tcp_router unhealthy.
    default: 20
  tcp_router.load_balancer_healthy_threshold:
    description: |
      Time period in seconds to wait until declaring the tcp_router instance
      started after starting the listener socket. This allows an external load
      balancer time to register the instance as healthy."
    default: 20

  uaa.token_endpoint:
    description: "UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA."
    default: uaa.service.cf.internal

  uaa.tls_port:
    description: "Port on which UAA is listening for TLS connections. This is required for obtaining an OAuth token for Routing API."

  skip_ssl_validation:
    description: Skip TLS verification when talking to UAA
    default: false

  dns_health_check_host:
    description: "Host to ping for confirmation of DNS resolution"
    default: uaa.service.cf.internal

  metron.port:
    description: "The port used to emit dropsonde messages to the Metron agent."
    default: 3457

  uaa.ca_cert:
    description : "Certificate authority for communication between clients and uaa."
    default: ""
