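---
# BOSH job spec for the loggregator syslog agent: the ERB templates it
# renders, the package it needs, the link it consumes and the operator-
# facing properties. Indentation restored from a flattened copy of the file.
name: loggr-syslog-agent

templates:
  bpm.yml.erb: config/bpm.yml
  ingress_port.yml.erb: config/ingress_port.yml
  prom_scraper_config.yml.erb: config/prom_scraper_config.yml
  # Certificate and key files the job renders under config/certs/.
  cache_ca.crt.erb: config/certs/cache_ca.crt
  cache_client.crt.erb: config/certs/cache_client.crt
  cache_client.key.erb: config/certs/cache_client.key
  loggregator_ca.crt.erb: config/certs/loggregator_ca.crt
  syslog_agent.crt.erb: config/certs/syslog_agent.crt
  syslog_agent.key.erb: config/certs/syslog_agent.key
  metrics_ca.crt.erb: config/certs/metrics_ca.crt
  metrics.crt.erb: config/certs/metrics.crt
  metrics.key.erb: config/certs/metrics.key
  drain_ca.crt.erb: config/certs/drain_ca.crt

packages:
  - syslog-agent

consumes:
  # The binding cache link is optional; the cache.* properties below are only
  # meaningful when it is present.
  - name: binding_cache
    type: binding_cache
    optional: true

properties:
  enabled:
    description: "Syslog agent is enabled on VM"
    default: true

  port:
    description: "Port the agent is serving gRPC via mTLS"
    default: 3458

  drain_skip_cert_verify:
    # Disables hostname validation on drain TLS connections when true.
    # Defaults to false; leaving it there keeps drain certificates checked.
    description: If set to true the SSL hostname validation will be disabled.
    default: false

  drain_ca_cert:
    # No default: operators must supply the CA used to verify drain endpoints.
    description: The CA certificate for key/cert verification.

  drain_cipher_suites:
    # No default is declared here, so the effective default presumably comes
    # from the agent binary. The supported list below still includes legacy
    # RC4, 3DES and CBC suites; operators who set this value should prefer
    # the ECDHE GCM and CHACHA20-POLY1305 entries.
    description: |
      An ordered, colon-delimited list of golang supported TLS cipher suites in OpenSSL or RFC format.
      The selected cipher suite will be negotiated according to the order of this list during a TLS handshake.
      The following cipher suites are supported:
      - TLS_RSA_WITH_RC4_128_SHA
      - AES128-SHA256
      - TLS_RSA_WITH_3DES_EDE_CBC_SHA
      - TLS_RSA_WITH_AES_128_CBC_SHA
      - TLS_RSA_WITH_AES_256_CBC_SHA
      - TLS_RSA_WITH_AES_128_CBC_SHA256
      - AES128-GCM-SHA256
      - AES256-GCM-SHA384
      - ECDHE-ECDSA-RC4-SHA
      - ECDHE-ECDSA-AES128-SHA
      - ECDHE-ECDSA-AES256-SHA
      - ECDHE-RSA-RC4-SHA
      - ECDHE-RSA-DES-CBC3-SHA
      - ECDHE-RSA-AES128-SHA
      - ECDHE-RSA-AES256-SHA
      - ECDHE-ECDSA-AES128-SHA256
      - ECDHE-RSA-AES128-SHA256
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-ECDSA-CHACHA20-POLY1305

  aggregate_drains:
    # Comma-separated list; empty by default, so no aggregate drain is set.
    # NOTE(review): the example repeats some-drain-1; presumably two distinct
    # drain URLs were intended.
    description: "Syslog server URLs that will receive the logs from all sources"
    default: ""
    example: "syslog-tls://some-drain-1,syslog-tls://some-drain-1"

  blacklisted_syslog_ranges:
    # Address ranges rejected in drain binding URLs. The default is an empty
    # list, so no range is blocked until an operator sets one.
    description: |
      A list of IP address ranges that are not allowed to be specified in
      syslog drain binding URLs.
    default: []
    example: [{start: 10.10.10.1, end: 10.10.10.10}]

  # mTLS material for the agent's own gRPC listener (see port above).
  tls.ca_cert:
    description: |
      TLS loggregator root CA certificate. It is required for key/cert
      verification.

  tls.cert:
    description: "TLS certificate for syslog signed by the loggregator CA"

  tls.key:
    description: "TLS private key for syslog signed by the loggregator CA"

  tls.cipher_suites:
    # Colon-delimited, like drain_cipher_suites; the default is already
    # restricted to the two ECDHE GCM suites.
    description: |
      An ordered list of supported SSL cipher suites. Allowed cipher suites are
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
    default: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

  # Client-side mTLS material for talking to the binding cache. Each of these
  # defaults to an empty string and is described as required when the
  # binding_cache link is included.
  cache.tls.ca_cert:
    description: |
      When the syslog communicates with the Cloud Controller it must
      validate the Cloud Controller's certificate was signed by a trusted CA.
      This is the CA trusted by the syslog for that communication.
      This field is required if binding cache is included.
    default: ""

  cache.tls.cert:
    description: |
      This certificate is sent to the Cloud Controller when initiating a
      connection. It must be signed by a CA that is trusted by the Cloud
      Controller.
      This field is required if binding cache is included.
    default: ""

  cache.tls.key:
    description: |
      This is the private key for the certificate sent to the Cloud Controller
      when initiating a connection.
      This field is required if binding cache is included.
    default: ""

  cache.tls.cn:
    # Expected CN/SAN of the peer certificate; the description mentions both
    # "the cache" and "the Cloud Controller", so confirm which endpoint this
    # name is checked against.
    description: |
      When the syslog communicates with the cache it must
      validate the Cloud Controller's common name (CN) or subject alternative
      names (SANs) against the hostname or IP address used to initiate the
      connection. Most of the time this should be the hostname defined in
      api.url.
      This field is required if binding cache is included.
    default: ""

  cache.polling_interval:
    # Plain scalar; parsed as the string "15s".
    description: |
      The interval at which the syslog will poll the Cloud Controller for
      bindings.
    default: 15s

  cache.batch_size:
    description: |
      The batch size the syslog will request the Cloud Controller for
      bindings.
    default: 1000

  # Metrics/debug endpoint; served with its own CA, cert and key.
  metrics.port:
    description: "Port the agent uses to serve metrics and debug information"
    default: 14822

  metrics.ca_cert:
    description: "TLS CA cert to verify requests to metrics endpoint."

  metrics.cert:
    description: "TLS certificate for metrics server signed by the metrics CA"

  metrics.key:
    description: "TLS private key for metrics server signed by the metrics CA"

  metrics.server_name:
    description: "The server name used in the scrape configuration for the metrics endpoint"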