Template Config
The Grey Matter Proxy receives its initial configuration in the form of a YAML configuration file on disk. This file takes any configuration available in the , as well as the additional Grey Matter filters that are made available through the SDK.
The dynamic configuration template is used if PROXY_DYNAMIC=true. In this case, the bootstrap configuration sets up the proxy to receive all other configuration through the control plane: the proxy starts with almost no configuration (no listeners, routes, clusters, filters, etc.) and receives them through actions end users take.
The static configuration template is used if PROXY_DYNAMIC=false (the default). In this case, the environment variables set certain behavior and options in the bootstrap config file that the Grey Matter Proxy uses at startup. A simple example of setting a static config is shown below. Note that these options (and all other defaults) are then locked in while this proxy is running; you will need to restart it to pick up any modifications.
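As an added example (not part of the Grey Matter docs or code), the following pre-flight check encodes the Required column and the dependencies between the `*_USE_TLS` switches, their certificate paths, and the xDS options from the table that follows, so an inconsistent sidecar environment is reported before the proxy is started with a weaker posture than intended. The sample environment is constructed for illustration.

```python
# Added example: consistency check for a Grey Matter Proxy bootstrap environment.

# Options marked "Yes" in the Required column for every mode.
ALWAYS_REQUIRED = ("HOST", "PORT", "SERVICE_HOST", "SERVICE_PORT",
                   "ZK_ANNOUNCE_PATH", "ZK_ADDRS", "METRICS_PORT")
# Options marked "Yes (only for dynamic config)".
DYNAMIC_REQUIRED = ("XDS_CLUSTER", "XDS_NODE_ID", "XDS_HOST", "XDS_PORT")
# These switches have no default certificate paths in the table, so all three
# PEM paths must be supplied with them (the XDS_SERVER_* paths do have defaults).
TLS_GROUPS = {
    "INGRESS_USE_TLS": ("INGRESS_CA_CERT_PATH", "INGRESS_CERT_PATH", "INGRESS_KEY_PATH"),
    "EGRESS_USE_TLS": ("EGRESS_CA_CERT_PATH", "EGRESS_CERT_PATH", "EGRESS_KEY_PATH"),
    "TRACING_USE_TLS": ("TRACING_CA_CERT_PATH", "TRACING_CERT_PATH", "TRACING_KEY_PATH"),
}

def truthy(env: dict, key: str) -> bool:
    """Boolean options in the table default to false unless set to 'true'."""
    return env.get(key, "false").strip().lower() == "true"

def check_env(env: dict) -> list:
    """Return findings for an environment; an empty list means it is consistent."""
    findings = []
    for key in ALWAYS_REQUIRED:
        if not env.get(key):
            findings.append(f"missing required option {key}")
    if truthy(env, "PROXY_DYNAMIC"):
        for key in DYNAMIC_REQUIRED:
            if not env.get(key):
                findings.append(f"PROXY_DYNAMIC=true but {key} is unset")
        if not truthy(env, "XDS_ENABLE_TLS"):
            findings.append("control-plane connection is plaintext (XDS_ENABLE_TLS=false)")
    for switch, paths in TLS_GROUPS.items():
        for path in paths:
            if truthy(env, switch) and not env.get(path):
                findings.append(f"{switch}=true but {path} is unset")
    if truthy(env, "OAUTH_ENABLED") and truthy(env, "OAUTH_SERVER_INSECURE"):
        findings.append("OAUTH_SERVER_INSECURE=true: authorization server reached insecurely")
    return findings

# Constructed sample: a static sidecar with ingress TLS on but the key path forgotten.
SAMPLE_ENV = {
    "HOST": "0.0.0.0", "PORT": "8080", "METRICS_PORT": "8081",
    "SERVICE_HOST": "example-service", "SERVICE_PORT": "3000",
    "ZK_ANNOUNCE_PATH": "/services/example-service/1.0.0", "ZK_ADDRS": "zk1:2181,zk2:2181",
    "INGRESS_USE_TLS": "true", "INGRESS_CA_CERT_PATH": "./ingress/trust.pem",
    "INGRESS_CERT_PATH": "./ingress/cert.pem",
}

if __name__ == "__main__":
    for finding in check_env(SAMPLE_ENV):
        print(finding)
```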
The following table lists the full set of configuration options.
| Option | Description | Example | Default | Required |
|---|---|---|---|---|
| HOST | Host for Envoy listener | 0.0.0.0 | 0.0.0.0 | Yes |
| PORT | Port for Envoy listener | 8080 | 8080 | Yes |
| TIMEOUT | Cluster route timeout | 3000s | | No |
| IDLE_TIMEOUT | Cluster idle timeout | 3000s | | No |
| DRAIN_TIMEOUT | Listener drain timeout | 3000s | | No |
| USE_HTTP2 | Enable HTTP/2 for the static cluster connection (does not work with HTTP/1.0) | true | false | No |
| ACCEPT_HTTP_10 | Accept HTTP/1.0 connections on the Envoy static listener | true | false | No |
| SERVICE_DNS_TYPE | The type of DNS Envoy will use to connect to the static cluster | LOGICAL_DNS | STRICT_DNS | No |
| SERVICE_HOST | Proxied service host | example-service | 0.0.0.0 | Yes |
| SERVICE_PORT | Proxied service port | 3000 | | Yes |
| ZK_ANNOUNCE_PATH | ZooKeeper discovery path | /services/example-service/1.0.0 | | Yes |
| ZK_ANNOUNCE_HOST | Host of the original service | 172.0.3.18 | 0.0.0.0 | No |
| ZK_ADDRS | List of host:port locations for ZooKeeper nodes | zk1:2181,zk2:2181 | localhost:2181 | Yes |
| METRICS_PORT | Port for metrics listener | 8081 | 8081 | Yes |
| METRICS_FABRIC_PATH | Route for Grey Matter Dashboard metrics collection | /metrics | /metrics | No |
| METRICS_PROMETHEUS_PATH | Route for Prometheus metrics collection | /prometheus | /prometheus | No |
| METRICS_USE_TLS | Expose metrics over 2-way SSL | false | false | No |
| INGRESS_USE_TLS | Enable ingress TLS on the Envoy listener | false | false | No |
| INGRESS_CA_CERT_PATH | Ingress trust certificate path | ./ingress/trust.pem | | No |
| INGRESS_CERT_PATH | Ingress certificate path | ./ingress/cert.pem | | No |
| INGRESS_KEY_PATH | Ingress certificate key path | ./ingress/key.pem | | No |
| EGRESS_USE_TLS | Enable 2-way SSL to the proxied service | false | false | No |
| EGRESS_CA_CERT_PATH | Egress trust certificate path | ./egress/trust.pem | | No |
| EGRESS_CERT_PATH | Egress certificate path | ./egress/cert.pem | | No |
| EGRESS_KEY_PATH | Egress certificate key path | ./egress/key.pem | | No |
| DELAY_MEAN | Obfuscation delay mean | 1 | | No |
| DELAY_STD | Obfuscation delay standard deviation | 4 | | No |
| OAUTH_ENABLED | Full OAuth 2.0 functionality | true | | No |
| OAUTH_CLIENT_ID | Client ID issued by the authorization server | client-id | | No |
| OAUTH_CLIENT_SECRET | Client secret issued by the authorization server | client-secret | | No |
| OAUTH_SERVER_NAME | Authorization server name | server | | No |
| OAUTH_SERVER_INSECURE | Enable if the OAuth authorization server is insecure | true | false | No |
| OAUTH_SESSION_SECRET | OAuth session secret | secret | | No |
| OAUTH_DOMAIN | Provider domain | | `` | No |
| CW_ENABLED | Enable Amazon CloudWatch metrics collection | false | false | No |
| CW_NAMESPACE | Namespace under which metrics will be stored | GM/EC2 | GM/EC2 | No |
| CW_METRICS_ROUTES | Regular expression describing the routes to be recognized | ^all$ | ^all$ | No |
| CW_METRICS_VALUES | Values reported to Amazon CloudWatch | latency_ms.count,latency_ms.p50,latency_ms.p9999,in_throughput,out_throughput | latency_ms.count,latency_ms.p50,latency_ms.p9999,in_throughput,out_throughput | No |
| CW_DIMENSIONS | The dimension names/values under which the specified metrics will be stored | AutoScalingGroupName: test-proxy-asg, ServiceName: gm-fabric-proxy | AutoScalingGroupName: test-proxy-asg, ServiceName: gm-fabric-proxy | No |
| AWS_REGION | AWS-defined region | us-east-1 | us-east-1 | No |
| AWS_ACCESS_KEY_ID | AWS-provided access key credential | | | No |
| AWS_SECRET_ACCESS_KEY | AWS-provided secret access key credential | | | No |
| AWS_PROFILE | A locally defined AWS profile name associated with valid AWS credentials | default | default | No |
| AWS_CONFIG_FILE | Location of the local AWS config | /root/.aws/config | ~/.aws/config | No |
| OBS_ENABLED | Enables event emission to various brokers | true | false | No |
| OBS_KAFKA_TOPIC | Kafka topic to send observables on | gm-sidecar-events | false | No |
| OBS_TOPIC | Topic for the observable event; sets eventType in the payload | `` | false | No |
| OBS_ENFORCED | Audit all events which pass through the proxy | false | false | No |
| OBS_FULL_RESPONSE | If true, dump the request/response bodies as well as the regular audit event. If KAFKA_ENABLED is set, also dumps them into Kafka. | false | false | No |
| KAFKA_ENABLED | Enable event emission to a Kafka topic | false | false | No |
| KAFKA_ZK_DISCOVER | Discover Kafka brokers from ZooKeeper | false | false | No |
| KAFKA_SERVER_CONNECTION | List of Kafka node locations | kafka:9091,kafka2:9091 | localhost:9091 | No |
| USE_KAFKA_TLS | Enable TLS communication with Kafka nodes | false | false | No |
| KAFKA_TLS_TRUSTS | Certificate authorities to be used when connecting to Kafka over TLS (comma-delimited) | file:///opt/certs/truststore.pem | `` | No |
| KAFKA_TLS_CERT | Certificate to be used when connecting to Kafka over TLS | file:///opt/certs/certificate.pem | `` | No |
| KAFKA_TLS_KEY | Certificate key to be used when connecting to Kafka over TLS | file:///opt/certs/key.pem | `` | No |
| KAFKA_SERVER_NAME | Server name to be used when connecting to Kafka over TLS | cn=kafka-node | `` | No |
| ACL_ENABLED | Enables the 2-way SSL impersonation REST filter | false | false | No |
| ACL_SERVER_LIST | A list of server DNs to be whitelisted (pipe-delimited) | C=US,ST=Virginia,L=Alexandria,O=Decipher Technology Studios,OU=Engineering,CN=localhost | | No |
| LISTAUTH_ENABLED | Enable/disable the whitelist/blacklist feature | false | false | No |
| LISTAUTH_WHITELIST | List of DNs to be whitelisted (pipe-delimited) | C=US,ST=Virginia,L=Alexandria,O=Decipher Technology Studios,OU=Engineering,CN=localhost | | No |
| LISTAUTH_BLACKLIST | List of DNs to be blacklisted (pipe-delimited) | C=US,ST=Virginia,L=Alexandria,O=Decipher Technology Studios,OU=Engineering,CN=localhost | | No |
| ENVOY_CONFIG | Base64-encoded string of the Envoy configuration file | | | No |
| GM_CONFIG | Base64-encoded string of the gm-config.yaml configuration file | | | No |
| INGRESS_TLS_CERT | Base64-encoded cert written out to ./certs/ingress_localhost.crt | | | No |
| INGRESS_TLS_KEY | Base64-encoded key written out to ./certs/ingress_localhost.key | | | No |
| INGRESS_TLS_TRUST | Base64-encoded trust written out to ./certs/ingress_intermediate.crt | | | No |
| EGRESS_TLS_CERT | Base64-encoded cert written out to ./certs/egress_localhost.crt | | | No |
| EGRESS_TLS_KEY | Base64-encoded key written out to ./certs/egress_localhost.key | | | No |
| EGRESS_TLS_TRUST | Base64-encoded trust written out to ./certs/egress_intermediate.crt | | | No |
| PROXY_DYNAMIC | Enable dynamic configuration from Grey Matter xDS | true | false | No |
| XDS_CLUSTER | Envoy xDS proxy cluster identifier | catalog | us-east-1 | Yes (only for dynamic config) |
| XDS_NODE_ID | Envoy node ID per xDS configuration | default-node | default | Yes (only for dynamic config) |
| XDS_HOST | Host of the Grey Matter xDS server | gm-xds | localhost | Yes (only for dynamic config) |
| XDS_PORT | Port of the Grey Matter xDS server | 18000 | 18000 | Yes (only for dynamic config) |
| XDS_ENABLE_TLS | Enable TLS when communicating with the xDS server | true | false | No (only for dynamic config) |
| XDS_SERVER_CERT_PATH | Path to the certificate file used for connecting to xDS | certs/xds_server_cert.crt | certs/xds_server_cert.crt | No (only for dynamic config) |
| XDS_SERVER_KEY_PATH | Path to the key file used for connecting to xDS | certs/xds_server_key.key | certs/xds_server_key.key | No (only for dynamic config) |
| XDS_SERVER_CA_PATH | Path to the CA file used for connecting to xDS | certs/xds_server_ca.crt | certs/xds_server_ca.crt | No (only for dynamic config) |
| HOST | Host for Envoy listener | false | false | No |
| INHEADERS_ENABLED | Set up impersonation headers | false | false | No |
| ENVOY_ADMIN_LOG_PATH | Path of the log the Envoy admin server will emit to | /dev/stdout | /dev/null | No |
| ENVOY_ADMIN_HOST | The host the Envoy admin server will listen on | 0.0.0.0 | 0.0.0.0 | No |
| ENVOY_ADMIN_PORT | The port the Envoy admin server will listen on | 8001 | 8001 | No |
| SPIRE_PATH | The Unix domain socket path Envoy will use to connect to a SPIRE agent | /tmp/agent.sock | `` | No |
| SPIRE_PORT | The port a SPIRE agent is listening on if connecting over mTLS | 9090 | `` | No |
| SPIRE_HOST | The host a SPIRE agent is listening on if connecting over mTLS | 0.0.0.0 | `` | No |
| SPIRE_CERT_PATH | The path of a SPIRE agent certificate used to create an mTLS connection | /certs/spire.crt | `` | No |
| SPIRE_KEY_PATH | The path of a SPIRE agent certificate key used to create an mTLS connection | /certs/spire.key | `` | No |
| TRACING_ENABLED | Turn on request tracing using the Zipkin config | false | false | No |
| TRACING_ADDRESS | The host of the trace collector server | localhost | | No |
| TRACING_PORT | The port of the trace collector server | 9411 | | No |
| TRACING_USE_TLS | Communicate with the trace server via TLS | false | false | No |
| TRACING_CA_CERT_PATH | Trace server trust certificate path | ./certs/egress_intermediate.crt | | No |
| TRACING_CERT_PATH | Trace server certificate path | ./certs/egress_localhost.crt | | No |
| TRACING_KEY_PATH | Trace server certificate key path | ./certs/egress_localhost.key | | No |
| TRACING_DRIVER | Accepts "zipkin", "lightstep", "datadog", "opencensus", "instana" | datadog | zipkin | No |
| TRACING_COLLECTOR_ENDPOINT | Used by Zipkin and OpenCensus (only when exporting to Zipkin). Endpoint on the tracing server to send spans to. | /api/v1/spans | /api/v1/spans | No |
| TRACING_COLLECTOR_ENDPOINT_VERSION | API version of the tracing collector endpoint | HTTP_JSON | HTTP_JSON | No |
| TRACING_LIGHTSTEP_ACCESS_TOKEN_PATH | Used by LightStep. Path to the file containing the access token for the LightStep API. | ./cfg/lightstep | ./cfg/lightstep_access_token | No |
| TRACING_DATADOG_SERVICE_NAME | Used by Datadog. A unique identifier to display in the Datadog dashboard. | my-traced-service | gm-proxy | No |
| TRACING_OPENCENSUS_CONTEXT_HEADER | Header for manually tracking traces across services. Accepts "traceparent", "grpc-trace-bin", "x-cloud-trace-context", "x-b3-*". | x-cloud-trace-context | NONE | No |
| TRACING_OPENCENSUS_EXPORTER | Accepts "ocagent", "stackdriver", "zipkin" | ocagent | zipkin | No |
| TRACING_OPENCENSUS_STACKDRIVER_PROJECT_ID | The cloud project_id to use when exporting to Stackdriver | my-project | | No |
| TRACING_INSTANA_LIBRARY_PATH | The path of the Instana library file to run when sending spans to Instana | /app/instana_sensor.so | /app/instana_sensor.so | No |
| TCP_CLUSTER | Name to assign the cluster used for proxying requests with a configured TCP proxy filter | tcp_proxy | `` | No |
| TCP_HOST | The host of a server that receives TCP connections | tcp_server | tcp_server | No |
| TCP_PORT | The port of a server that receives TCP connections | 3000 | 3000 | No |
| TCP_SNI | Server Name Indication (SNI) to assign to the TCP cluster | www.google.com | `` | No |
| REDIS_CLUSTER | Name to assign the cluster used for proxying Redis requests with a configured Redis proxy filter | redis_proxy | `` | No |
| REDIS_HOST | The host of a Redis server | redis_server | redis_server | No |
| REDIS_PORT | The port of a Redis server | 6379 | 3679 | No |
| REDIS_SNI | Server Name Indication (SNI) to assign to the Redis cluster | www.google.com | `` | No |