Template Config

Config File

The Grey Matter Proxy receives its initial configuration in the form of a YAML configuration file on disk. This file takes any configuration available in the Envoy Bootstrap Config File, as well as the additional Grey Matter filters that are made available through the SDK.

Since the full bootstrap config file has a large number of complex options, a select number of common options have been exposed via template files and environment variables.

Sample Dynamic Configuration

The dynamic configuration template is used if PROXY_DYNAMIC=true. In this case, the bootstrap configuration sets up the proxy to receive all other configuration through the control plane. In this case, the proxy starts with almost no configuration (no listeners, routes, clusters, filters, etc), but will receive them through actions end users take.

PROXY_DYNAMIC="true"
XDS_CLUSTER="example"
XDS_HOST="gm-control.fabric.svc"
XDS_PORT="50000"

Sample Static Configuration

The static configuration template is used if PROXY_DYNAMIC=false (default). In this case, the environment variables set certain behavior and options in the bootstrap config file that the Grey Matter Proxy will use at startup. A simple example of setting a static config is shown below. Note that these options (and all other defaults) are then locked in while this proxy is running. You will need to restart it to receive any modifications.

HOST="0.0.0.0"
PORT=8080
SERVICE_HOST="localhost"
SERVICE_PORT=9080
METRICS_PORT=8081
OBS_ENABLED=true

Full Config Options

The following tables lists the full configuration options.

Option

Description

Example

Default

Required

HOST

Host for Envoy listener

0.0.0.0

Yes

PORT

Port for Envoy listener

8080

Yes

TIMEOUT

Cluster route timeout

3000s

IDLE_TIMEOUT

Cluster idle timeout

3000s

DRAIN_TIMEOUT

Listener drain timeout

3000s

USE_HTTP2

Enable HTTP/2 for static cluster connection (doesn't work with HTTP/1.0)

true

false

ACCEPT_HTTP_10

Accept HTTP/1.0 connections on the Envoy static listener

true

false

SERVICE_DNS_TYPE

The type of DNS envoy will use to connect to the static cluster

LOGICAL_DNS

STRICT_DNS

SERVICE_HOST

Proxied service host

example-service

0.0.0.0

Yes

SERVICE_PORT

Proxied service port

3000

Yes

ZK_ANNOUNCE_PATH

Zookeeper discovery path

/services/example-servic/1.0.0

Yes

ZK_ANNOUNCE_HOST

Host of the original service

172.0.3.18

0.0.0.0

ZK_ADDRS

List of host:port locations for ZooKeeper nodes

zk1:2181,zk2:2181

localhost:2181

Yes

METRICS_PORT

Port for metrics listener

8081

Yes

METRICS_FABRIC_PATH

Route for Grey Matter Dashboard metrics collection

/metrics

METRICS_PROMETHEUS_PATH

Route for Prometheus metrics collection

/prometheus

METRICS_USE_TLS

Expose metrics over 2-way SSL

false

INGRESS_USE_TLS

Enable ingress TLS to the Envoy listener

false

INGRESS_CA_CERT_PATH

Ingress trust certificate path

./ingress/trust.pem

INGRESS_CERT_PATH

Ingress certificate path

./ingress/cert.pem

INGRESS_KEY_PATH

Ingress key certificate path

./ingress/key.pem

EGRESS_USE_TLS

Enable 2-way SSL to the proxied service

false

EGRESS_CA_CERT_PATH

Egress trust certificate path

./egress/trust.pem

EGRESS_CERT_PATH

Egress certificate path

./egress/cert.pem

EGRESS_KEY_PATH

Egress key certificate path

./egress/key.pem

DELAY_MEAN

Obfuscation delay mean

1

DELAY_STD

Obfuscation delay std

4

OAUTH_ENABLED

Full OAuth 2.0 Functionality

true

OAUTH_CLIENT_ID

Client ID issued by the authorization server

client-id

OAUTH_CLIENT_SECRET

Client secret issued by the authorization server

client-secret

OAUTH_SERVER_NAME

Authorization server name

server

OAUTH_SERVER_INSECURE

Enable if the OAuth authorization server is insecure

true

false

OAUTH_SESSION_SECRET

OAuth session secret

secret

OAUTH_DOMAIN

Provider domain

CW_ENABLED

Enable Amazon CloudWatch metrics collection

false

CW_NAMESPACE

Customize namespace where metrics will be stored

GM/EC2

CW_METRICS_ROUTES

Regular expression describing routes to be recognized

^all$

CW_METRICS_VALUES

Values reported to Amazon Cloudwatch

latency_ms.count,latency_ms.p50,latency_ms.p9999,in_throughput,out_throughput

CW_DIMENSIONS

The dimension names/values that the specified metrics will be stored under

AutoScalingGroupName: test-proxy-asg, ServiceName: gm-fabric-proxy

AWS_REGION

AWS defined region

us-east-1

AWS_ACCESS_KEY_ID

AWS provided access key credential

AWS_SECRET_ACCESS_KEY

AWS provided secret access key credential

AWS_PROFILE

A locally defined AWS profile name associated with valid AWS credentials

default

AWS_CONFIG_FILE

Location of the local AWS config

/root/.aws/config

~/.aws/config

OBS_ENABLED

Enables event emission to various brokers

true

false

OBS_KAFKA_TOPIC

Kafka topic to send observables on

gm-sidecar-events

false

OBS_TOPIC

Topic for the observable event. Sets eventType in the payload.

false

OBS_ENFORCED

Audit all events which pass through the proxy

false

OBS_FULL_RESPONSE

If true, dump the request/response bodies as well as the regular audit event. If KAFKA_ENABLED also dumps into Kafka.

false

KAFKA_ENABLED

Enable event emission to a Kafka topic

false

KAFKA_ZK_DISCOVER

Discovery of Kafka brokers from ZooKeeper

false

KAFKA_SERVER_CONNECTION

List of Kafka node locations

kafka:9091,kafka2:9091

localhost:9091

USE_KAFKA_TLS

Enable TLS communication with Kafka nodes

false

KAFKA_TLS_TRUSTS

Certificate authorities to be used when connecting to Kafka over TLS (command de-limited)

file:///opt/certs/truststore.pem

KAFKA_TLS_CERT

Certificate to be used when connecting to Kafka over TLS

file:///opt/certs/certificate.pem

KAFKA_TLS_KEY

Certificate key to be used when connecting to Kafka over TLS

file:///opt/certs/key.pem

KAFKA_SERVER_NAME

Server name to be used when connecting to Kafka over TLS

cn=kafka-node

ACL_ENABLED

Enables 2-Way SSL impersonation REST filter

false

ACL_SERVER_LIST

A list of server DNs to be whitelisted (pipe delimited)

C=US,ST=Virginia,L=Alexandria,O=Decipher Technology Studios,OU=Engineering,CN=localhost

LISTAUTH_ENABLED

Enable/disable the whitelist/blacklist feature

false

LISTAUTH_WHITELIST

List of DNs to be whitelisted (pipe delimited)

C=US,ST=Virginia,L=Alexandria,O=Decipher Technology Studios,OU=Engineering,CN=localhost

LISTAUTH_BLACKLIST

List of DNs to be blacklisted (pipe delimited)

C=US,ST=Virginia,L=Alexandria,O=Decipher Technology Studios,OU=Engineering,CN=localhost

ENVOY_CONFIG

Base64 encoded string of envoy configuration file

GM_CONFIG

Base64 encoded string of gm-config.yaml configuration file

INGRESS_TLS_CERT

Base64 encoded cert written out to ./certs/ingress_localhost.crt

INGRESS_TLS_KEY

Base64 encoded key written out to ./certs/ingress_localhost.key

INGRESS_TLS_TRUST

Base64 encoded trust written out to ./certs/ingress_intermediate.crt

EGRESS_TLS_CERT

Base64 encoded cert written out to ./certs/egress_localhost.crt

EGRESS_TLS_KEY

Base64 encoded key written out to ./certs/egress_localhost.key

EGRESS_TLS_TRUST

Base64 encoded trust written out to ./certs/egress_intermediatet.crt

PROXY_DYNAMIC

Enable dynamic configuration from Grey Matter xDS

true

false

XDS_CLUSTER

Envoy xDS proxy cluster identifier

catalog

us-east-1

Yes (only for dynamic config)

XDS_NODE_ID

Envoy node id per xds configuration

default-node

default

Yes (only for dynamic config)

XDS_HOST

Host of Grey Matter xDS Server

gm-xds

localhost

Yes (only for dynamic config)

XDS_PORT

Port of Grey Matter xDS Server

18000

Yes (only for dynamic config)

XDS_ENABLE_TLS

Enable TLS when communicating with the xDS server

true

false

No (only for dynamic config)

XDS_SERVER_CERT_PATH

Path to certificate file to be used for connecting to xDS

certs/xds_server_cert.crt

No (only for dynamic config)

XDS_SERVER_KEY_PATH

Path to key file to be used for connecting to xDS

certs/xds_server_key.key

No (only for dynamic config)

XDS_SERVER_CA_PATH

Path to ca file to be used for connecting to xDS

certs/xds_server_ca.crt

No (only for dynamic config)

HOST

Host for Envoy listener

false

INHEADERS_ENABLED

Setup Impersonation headers

false

ENVOY_ADMIN_LOG_PATH

Determine the path of logs the envoy admin server will emit too

/dev/stdout

/dev/null

ENVOY_ADMIN_HOST

The host the envoy admin server will listen on

0.0.0.0

ENVOY_ADMIN_PORT

The port the envoy admin server will listen on

8001

SPIRE_PATH

The Unix domain socket path Envoy will use to connect to a Spire agent

/tmp/agent.sock

SPIRE_PORT

The port a Spire agent is listening on if connecting over mTLS

9090

SPIRE_HOST

The host a Spire agent is listening on if connecting over mTLS

0.0.0.0

SPIRE_CERT_PATH

The path of a Spire agent certificate used to create an mTLS connection

/certs/spire.crt

SPIRE_KEY_PATh

The path of a Spire agent certificate key used to create an mTLS connection

/certs/spire.key

TRACING_ENABLED

Turn on request tracing using the Zipkin config

false

TRACING_ADDRESS

The host of the trace collector server

localhost

TRACING_PORT

The port of the trace collector server

9411

TRACING_USE_TLS

Communicate to the trace server via TLS

false

TRACING_CA_CERT_PATH

Trace server trust certificate path

./certs/egress_intermediate.crt

TRACING_CERT_PATH

Trace server certificate path

./certs/egress_localhost.crt

TRACING_KEY_PATH

Trace server key certificate path

./certs/egress_localhost.key

TRACING_DRIVER

Receives "zipkin", "lightstep", "datadog", "opencensus", "instana"

datadog

zipkin

TRACING_COLLECTOR_ENDPOINT

Used by Zipkin and Opencensus (only when exporting to Zipkin). Endpoint on the tracing server to send spans.

/api/v1/spans

TRACING_COLLECTOR_ENDPOINT_VERSION

API Version of the tracing collector endpoint

HTTP_JSON

TRACING_LIGHTSTEP_ACCESS_TOKEN_PATH

Used by Lightstep. Path to file containing the access token to the LightStep API.

./cfg/lightstep

./cfg/lightstep_access_token

TRACING_DATADOG_SERVICE_NAME

Used by Datadog. A unique identifier to display in the Datadog dashboard.

my-traced-service

gm-proxy

TRACING_OPENCENSUS_CONTEXT_HEADER

Header for manually tracking traces across services. Accepts "traceparent", "grpc-trace-bin", "x-cloud-trace-context", "x-b3-*".

x-cloud-trace-context

NONE

TRACING_OPENCENSUS_EXPORTER

Receives "ocagent", "stackdriver", "zipkin"

ocagent

zipkin

TRACING_OPENCENSUS_STACKDRIVER_PROJECT_ID

The cloud project_id to use when exporting to Stackdriver.

my-project

TRACING_INSTANA_LIBRARY_PATH

The path of the Instana library file to run when sending spans to Instana.

/app/instana_sensor.so

TCP_CLUSTER

Name to assign the cluster that will be used for proxying requests with a configured TCP proxy filter

tcp_proxy

TCP_HOST

The host of a server that receives TCP connections

tcp_server

TCP_PORT

The port of a server that receives TCP connections

3000

TCP_SNI

What Server Name Indication (SNI) to assign to the TCP cluster

www.google.com

REDIS_CLUSTER

Name to assign the cluster that will be used for proxying Redis requests with a configured Redis proxy filter

redis_proxy

REDIS_HOST

The host of a Redis server

redis_server

REDIS_PORT

The port of a Redis server

6379

3679

REDIS_SNI

What Server Name Indication (SNI) to assign to the Redis cluster

www.google.com

Questions

Need help?

Create an account at Grey Matter Support to reach our team.

PreviousAnnounce to Fabric NextDirect Config

Last updated 4 years ago

Was this helpful?