The broker can be configured through environment variables, configuration files, or a combination of both.
A configuration file can be provided at run time to the broker:

```
cloud-service-broker serve --config <config file name>
```
A configuration file can be YAML or JSON. Config file values that are `.`-delimited represent hierarchy in the config file.
Example:

```yaml
db:
  host: hostname
```

represents a config file value of `db.host`.
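The dotted-key convention above is easy to get wrong when a config file is nested several levels deep, so here is a small resolver for it. This is an added example, not code from cloud-service-broker: `SAMPLE_CONFIG` is a constructed JSON equivalent of the YAML shown in these notes, and `SECRET_KEYS` is an assumption that every value the tables describe as a password, secret or key should be hidden when a flattened config is logged.

```python
"""Resolve dot-delimited configuration keys against a nested config mapping.

Added example, not code from cloud-service-broker. SAMPLE_CONFIG is a constructed
JSON equivalent of the YAML examples in these notes."""
import json

# Constructed sample: the JSON form of a small YAML config file.
SAMPLE_CONFIG = json.loads("""
{
  "db": {
    "host": "hostname",
    "port": "3306",
    "password": "constructed-db-password",
    "encryption": {"enabled": true}
  },
  "api": {"user": "someusername", "password": "constructed-api-password"}
}
""")

# Assumption: config values the tables describe as passwords, secrets or keys
# must never appear in logs or debug dumps of the resolved configuration.
SECRET_KEYS = {
    "db.password",
    "db.client.key",
    "db.encryption.passwords",
    "api.password",
    "credhub.uaa_client_secret",
}


def flatten(config, prefix=""):
    """Return {"db.host": "hostname", ...}: every leaf keyed by its dotted path."""
    flat = {}
    for key, value in config.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, dotted))
        else:
            flat[dotted] = value
    return flat


def lookup(config, dotted_key, default=None):
    """Resolve one dotted key (e.g. 'db.encryption.enabled') against the nested mapping."""
    node = config
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def redacted(config):
    """Flattened view that is safe to log: secret-typed values are replaced by a marker."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in flatten(config).items()}


if __name__ == "__main__":
    for key, value in sorted(redacted(SAMPLE_CONFIG).items()):
        print(f"{key} = {value}")
```

`flatten` gives the dotted names used in the tables below, `lookup` walks the same path back down the YAML/JSON tree, and `redacted` is the form to print when debugging a broker deployment so that database and API passwords do not end up in log aggregation.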
Connection details for the backing database for the service broker.
You can configure the following values:
Environment Variable | Config File Value | Type | Description |
---|---|---|---|
DB_HOST * | db.host | string | Database host |
DB_USERNAME | db.user | string | Database username |
DB_PASSWORD | db.password | secret | Database password |
DB_PORT * | db.port | string | Database port (defaults to 3306) |
DB_NAME * | db.name | string | Database name |
CA_CERT | db.ca.cert | text | Server CA cert |
CLIENT_CERT | db.client.cert | text | Client cert |
CLIENT_KEY | db.client.key | text | Client key |
ENCRYPTION_ENABLED | db.encryption.enabled | Boolean | Enable encryption of sensitive data in the database |
ENCRYPTION_PASSWORDS | db.encryption.passwords | text | JSON collection of passwords |
Example:

```yaml
db:
  host: hostname
  encryption:
    enabled: true
    passwords: "[{\"label\":\"first-password\",\"password\":{\"secret\":\"veryStrongSecurePassword\"},\"primary\":true}]"
```

Example Encryption Passwords JSON object:

```json
[
  {
    "label": "first-password",
    "password": {
      "secret": "veryStrongSecurePassword"
    },
    "primary": true
  }
]
```
To enable encryption:

- Set `encryption.enabled` to `true`, add a password to the collection of passwords and mark it as primary.
- Restart the CSB app.

To rotate the encryption password:

- Add a new password to the collection of passwords and mark it as primary. The previous primary password should still be provided and no longer marked as primary.
- Restart the CSB app.
- Once the app has successfully started, the old password(s) can be removed from the configuration.

To disable encryption:

- Set `encryption.enabled` to `false`. The previous primary password should still be provided and no longer marked as primary.
- Restart the CSB app.
- Once the app has successfully started, the old password(s) can be removed from the configuration.
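The step that is easiest to get wrong in the enable, rotate and disable procedures above is the restart: if the previous primary password is dropped or altered before the broker has re-encrypted with the new one, data already in the database cannot be decrypted. The following checker, an added example rather than part of cloud-service-broker, validates an `ENCRYPTION_PASSWORDS` collection before a restart. The entry shape (`label`, `password.secret`, `primary`) is the JSON shown in these notes; the rules it enforces (unique labels, exactly one primary while encryption is enabled, none while it is disabled, the old primary retained across a rotation) are assumptions derived from the procedures, and all sample collections are constructed.

```python
"""Check an ENCRYPTION_PASSWORDS collection before restarting the broker.

Added example, not part of cloud-service-broker. The entry shape follows the JSON
shown in these notes; the rules enforced are assumptions drawn from the documented
enable, rotate and disable procedures."""
import json

# Constructed collections for the three documented states.
ENABLE = json.dumps([
    {"label": "first-password", "password": {"secret": "veryStrongSecurePassword"}, "primary": True},
])
ROTATE = json.dumps([
    {"label": "first-password", "password": {"secret": "veryStrongSecurePassword"}, "primary": False},
    {"label": "second-password", "password": {"secret": "constructedSecondSecret"}, "primary": True},
])
# Old primary removed before the restart: the mistake the procedure warns against.
DROPPED_TOO_EARLY = json.dumps([
    {"label": "second-password", "password": {"secret": "constructedSecondSecret"}, "primary": True},
])


def parse_passwords(raw):
    """Parse the JSON collection and reject entries without the documented shape."""
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("passwords must be a JSON array")
    for entry in entries:
        ok = (isinstance(entry, dict)
              and isinstance(entry.get("label"), str)
              and isinstance(entry.get("password"), dict)
              and isinstance(entry["password"].get("secret"), str)
              and isinstance(entry.get("primary"), bool))
        if not ok:
            raise ValueError(f"malformed entry: {entry!r}")
    return entries


def validate_passwords(entries, encryption_enabled):
    """Return a list of problems with a collection; an empty list means it is usable."""
    problems = []
    labels = [e["label"] for e in entries]
    if len(set(labels)) != len(labels):
        problems.append("labels must be unique")
    primaries = [e["label"] for e in entries if e["primary"]]
    if encryption_enabled and len(primaries) != 1:
        problems.append(f"exactly one primary is required while encryption is enabled, found {len(primaries)}")
    if not encryption_enabled and primaries:
        problems.append(f"no password may be primary while encryption is disabled: {primaries}")
    problems.extend(f"empty secret for {e['label']!r}" for e in entries if not e["password"]["secret"])
    return problems


def check_rotation(before, after):
    """Check that the collection used for the next restart still carries the
    previous primary (same label and secret), so existing data stays decryptable."""
    old_primary = next((e for e in before if e["primary"]), None)
    if old_primary is None:
        return []  # nothing was encrypted under the old collection
    match = next((e for e in after if e["label"] == old_primary["label"]), None)
    if match is None:
        return [f"previous primary {old_primary['label']!r} removed before the restart"]
    if match["password"]["secret"] != old_primary["password"]["secret"]:
        return [f"secret for previous primary {old_primary['label']!r} changed"]
    return []


if __name__ == "__main__":
    current, proposed = parse_passwords(ENABLE), parse_passwords(ROTATE)
    print("rotation:", validate_passwords(proposed, True) + check_rotation(current, proposed) or "ok")
    print("dropped too early:", check_rotation(current, parse_passwords(DROPPED_TOO_EARLY)))
```

Run `check_rotation` with the collection currently deployed and the one about to be deployed before each restart in the rotate and disable procedures; only after the broker has started successfully on the new collection does the final step (removing the old password) apply, and at that point the retained-primary rule no longer needs to hold.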
Broker service configuration values:
Environment Variable | Config File Value | Type | Description |
---|---|---|---|
SECURITY_USER_NAME * | api.user | string | Broker authentication username |
SECURITY_USER_PASSWORD * | api.password | string | Broker authentication password |
PORT | api.port | string | Port to bind broker to |
Feature flags can be toggled through the following configuration values. See also the Feature Flags section in tile.yml, or source code occurrences of `toggles.Features.Toggle`.
Environment Variable | Config File Value | Type | Description | Default |
---|---|---|---|---|
GSB_COMPATIBILITY_ENABLE_BUILTIN_BROKERPAKS * | compatibility.enable_builtin_brokerpaks | Boolean | Load brokerpaks that are built-in to the software. | "true" |
GSB_COMPATIBILITY_ENABLE_BUILTIN_SERVICES * | compatibility.enable_builtin_services | Boolean | Enable services that are built in to the broker, i.e. not brokerpaks. | "true" |
GSB_COMPATIBILITY_ENABLE_CATALOG_SCHEMAS * | compatibility.enable_catalog_schemas | Boolean | Enable generating JSONSchema for the service catalog. | "false" |
GSB_COMPATIBILITY_ENABLE_CF_SHARING * | compatibility.enable_cf_sharing | Boolean | Set all services to have the Sharable flag so they can be shared. | "false" |
GSB_COMPATIBILITY_ENABLE_EOL_SERVICES * | compatibility.enable_eol_services | Boolean | Enable broker services that are end of life. | "false" |
GSB_COMPATIBILITY_ENABLE_GCP_BETA_SERVICES * | compatibility.enable_gcp_beta_services | Boolean | Enable services that are in GCP Beta. These have no SLA or support. | "true" |
GSB_COMPATIBILITY_ENABLE_GCP_DEPRECATED_SERVICES * | compatibility.enable_gcp_deprecated_services | Boolean | Enable services that use deprecated GCP components. | "false" |
GSB_COMPATIBILITY_ENABLE_PREVIEW_SERVICES * | compatibility.enable_preview_services | Boolean | Enable services that are new to the broker this release. | "true" |
GSB_COMPATIBILITY_ENABLE_TERRAFORM_SERVICES * | compatibility.enable_terraform_services | Boolean | Enable services that use the experimental, unstable Terraform back-end. | "false" |
GSB_COMPATIBILITY_ENABLE_UNMAINTAINED_SERVICES * | compatibility.enable_unmaintained_services | Boolean | Enable broker services that are unmaintained. | "false" |
The broker supports passing credentials to apps via CredHub references, keeping them private to the application (they won't show up in `cf env app_name` output).
Environment Variable | Config File Value | Type | Description |
---|---|---|---|
CH_CRED_HUB_URL | credhub.url | URL | credhub service URL - usually https://credhub.service.cf.internal:8844 |
CH_UAA_URL | credhub.uaa_url | URL | uaa service URL - usually https://uaa.service.cf.internal:8443 |
CH_UAA_CLIENT_NAME | credhub.uaa_client_name | string | uaa username - usually credhub_admin_client |
CH_UAA_CLIENT_SECRET | credhub.uaa_client_secret | string | uaa client secret - "Credhub Admin Client Credentials" from Operations Manager > PAS > Credentials tab. |
CH_SKIP_SSL_VALIDATION | credhub.skip_ssl_validation | boolean | skip SSL validation if true |
CH_CA_CERT_FILE | credhub.ca_cert_file | path | path to cert file |
Example:

```yaml
azure:
  subscription_id: your subscription id
  tenant_id: your tenant id
  client_id: your client id
  client_secret: your client secret
db:
  host: your mysql host
  password: your mysql password
  user: your mysql username
api:
  user: someusername
  password: somepassword
credhub:
  url: ...
  uaa_url: ...
  uaa_client_name: ...
  uaa_client_secret: ...
```
Brokerpak configuration values:
Environment Variable | Config File Value | Type | Description |
---|---|---|---|
GSB_BROKERPAK_BUILTIN_PATH | brokerpak.builtin.path | string | Path to search for .brokerpak files |
GSB_BROKERPAK_CONFIG | brokerpak.config | string | JSON global config for broker pak services |
GSB_PROVISION_DEFAULTS | provision.defaults | string | JSON global provision defaults |
GSB_SERVICE_SERVICE_NAME_PROVISION_DEFAULTS | service.service-name.provision.defaults | string | JSON provision defaults override for service-name |
GSB_SERVICE_SERVICE_NAME_PLANS | service.service-name.plans | string | JSON plan collection to augment plans for service-name |