-
Notifications
You must be signed in to change notification settings - Fork 12
/
tr1d1um.yaml
410 lines (352 loc) · 15.1 KB
/
tr1d1um.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
---
## SPDX-FileCopyrightText: 2022 Comcast Cable Communications Management, LLC
## SPDX-License-Identifier: Apache-2.0
########################################
# Labeling/Tracing via HTTP Headers Configuration
########################################
# The unique fully-qualified-domain-name of the server. It is provided to
# the X-Tr1d1um-Server header for showing what server fulfilled the request
# sent.
# (Optional)
server: "tr1d1um-local-instance-123.example.com"
# Provides this build number to the X-Tr1d1um-Build header for
# showing machine version information. The build number SHOULD
# match the scheme `version-build` but there is not a strict requirement.
# (Optional)
build: "0.1.3-434"
# Provides the region information to the X-Tr1d1um-Region header
# for showing what region this machine is located in. The region
# is arbitrary and optional.
# (Optional)
region: "east"
# Provides the flavor information to the X-Tr1d1um-Flavor header
# for showing what flavor this machine is associated with. The flavor
# is arbitrary and optional.
# (Optional)
flavor: "mint"
prometheus:
defaultNamespace: webpa
defaultSubsystem: tr1d1um
constLabels:
development: "true"
handler:
maxRequestsInFlight: 5
timeout: 5s
instrumentMetricHandler: true
health:
disableLogging: false
custom:
server: development
########################################
# Primary Endpoint Configuration
########################################
servers:
primary:
address: :6100
disableHTTPKeepAlives: true
header:
X-Midt-Server:
- tr1d1um
X-Midt-Version:
- development
alternate:
address: :8090
header:
X-Midt-Server:
- tr1d1um
X-Midt-Version:
- development
metrics:
address: :6101
disableHTTPKeepAlives: true
header:
X-Midt-Server:
- tr1d1um
X-Midt-Version:
- development
health:
address: :6102
disableHTTPKeepAlives: true
header:
X-Midt-Server:
- tr1d1um
X-Midt-Version:
- development
pprof:
address: :6103
########################################
# Logging Related Configuration
########################################
logging:
# OutputPaths is a list of URLs or file paths to write logging output to.
outputPaths:
- stdout
# - /var/log/tr1d1um/tr1d1um.log
# Level is the minimum enabled logging level. Note that this is a dynamic
# level, so calling Config.Level.SetLevel will atomically change the log
# level of all loggers descended from this config.
level: debug
# EncoderConfig sets options for the chosen encoder. See
# zapcore.EncoderConfig for details.
errorOutputPaths:
- stderr
- denopink-tr1d1um.log
# EncoderConfig sets options for the chosen encoder. See
# zapcore.EncoderConfig for details.
encoderConfig:
messageKey: message
levelKey: key
levelEncoder: lowercase
# reducedLoggingResponseCodes allows disabling verbose transaction logs for
# benign responses from the target server given HTTP status codes.
# (Optional)
# reducedLoggingResponseCodes: [200, 504]
# Encoding sets the logger's encoding. Valid values are "json" and
# "console", as well as any third-party encodings registered via
# RegisterEncoder.
encoding: json
##############################################################################
# Webhooks Related Configuration
##############################################################################
# webhook provides configuration for storing and obtaining webhook
# information using Argus.
# Optional: if key is not supplied, webhooks would be disabled.
webhook:
# disablePartnerIDs, if true, will allow webhooks to register without
# checking the validity of the partnerIDs in the request
# Defaults to 'false'.
disablePartnerIDs: false
# validation provides options for validating the webhook's URL and TTL
# related fields. Some validation happens regardless of the configuration:
# URLs must be a valid URL structure, the Matcher.DeviceID values must
# compile into regular expressions, and the Events field must have at
# least one value and all values must compile into regular expressions.
validation:
# url provides options for additional validation of the webhook's
# Config.URL, FailureURL, and Config.AlternativeURLs fields.
url:
# httpsOnly will allow only URLs with https schemes through if true.
# (Optional). Defaults to 'false'.
httpsOnly: false
# allowLoopback will allow any canonical or IP loopback address if
# true. Otherwise, loopback addresses are considered invalid.
# (Optional). Defaults to 'false'.
allowLoopback: true
# allowIP allows the different webhook URLs to have IP hostnames if set to true.
# (Optional). Defaults to 'false'.
allowIP: true
# allowSpecialUseHosts allows URLs that include reserved domains if set to true.
# Read more here: https://en.wikipedia.org/wiki/Top-level_domain#Reserved_domains
# (Optional). Defaults to 'false'.
allowSpecialUseHosts: true
# allowSpecialUseIPs, if set to true, allows URLs that contain or route to IPs that have
# been marked as reserved through various RFCs: rfc6761, rfc6890, rfc8190.
# (Optional). Defaults to 'false'.
allowSpecialUseIPs: true
# invalidHosts is a slice that contains strings that we do not want
# allowed in URLs, providing a way to deny certain domains or hostnames.
# (Optional). Defaults to an empty slice.
invalidHosts: []
# invalidSubnets is a list of IP subnets. If a URL contains an
# IP or resolves to an IP in one of these subnets, the webhook is
# considered invalid.
# (Optional). Defaults to an empty slice.
invalidSubnets: []
# ttl provides information for what is considered valid for time-related
# fields (Duration and Until) in the webhook. A webhook set to expire
# too far in the future is considered invalid, while a time in the past
# is considered equivalent to a request to delete the webhook.
# Regardless of this configuration, either Until or Duration must have a
# non-zero value.
ttl:
# max is the length of time a webhook is allowed to live. The Duration
# cannot be larger than this value, and the Until value cannot be set
# later than the current time + max + jitter.
max: 1m
# jitter is the buffer time added when checking that the Until value is
# valid. If there is a slight clock skew between servers or some delay
# in the http request, jitter should help account for that when ensuring
# that Until is not a time too far in the future.
jitter: 10s
# JWTParserType establishes which parser type will be used by the JWT token
# acquirer used by Argus. Options include 'simple' and 'raw'.
# Simple: parser assumes token payloads have the following structure: https://github.com/xmidt-org/bascule/blob/c011b128d6b95fa8358228535c63d1945347adaa/acquire/bearer.go#L77
# Raw: parser assumes all of the token payload == JWT token
# (Optional). Defaults to 'simple'.
JWTParserType: "raw"
BasicClientConfig:
# listen is the subsection that configures the listening feature of the argus client
# (Optional)
listen:
# pullInterval provides how often the current webhooks list gets refreshed.
pullInterval: 5s
# bucket is the partition name where webhooks will be stored.
bucket: "webhooks"
# address is Argus' network location.
address: "http://localhost:6600"
# auth the authentication method for argus.
auth:
# basic configures basic authentication for argus.
# Must be of form: 'Basic xyz=='
basic: "Basic dXNlcjpwYXNz"
#
# # jwt configures jwt style authentication for argus.
# JWT:
# # requestHeaders are added to the request for the token.
# # (Optional)
# # requestHeaders:
# # "": ""
#
# # authURL is the URL to access the token.
# authURL: ""
#
# # timeout is how long the request to get the token will take before
# # timing out.
# timeout: "1m"
#
# # buffer is the length of time before a token expires to get a new token.
# buffer: "2m"
##############################################################################
# Authorization Credentials
##############################################################################
# jwtValidator provides Bearer auth configuration
jwtValidator:
config:
resolve:
# Template is a URI template used to fetch keys. This template may
# use a single parameter named keyID, e.g. http://keys.com/{keyID}.
# This field is required and has no default.
template: "http://localhost/{keyID}"
refresh:
sources:
# URI is the location where keys are served. By default, clortho supports
# file://, http://, and https:// URIs, as well as standard file system paths
# such as /etc/foo/bar.jwk.
#
# This field is required and has no default.
- uri: "http://localhost/available"
authx:
inbound:
# basic is a list of Basic Auth credentials intended to be used for local testing purposes
# WARNING! Be sure to remove this from your production config
basic: ["dXNlcjpwYXNz"]
# capabilityCheck provides the details needed for checking an incoming JWT's
# capabilities. If the type of check isn't provided, no checking is done. The
# type can be "monitor" or "enforce". If it is empty or a different value, no
# checking is done. If "monitor" is provided, the capabilities are checked but
# the request isn't rejected when there isn't a valid capability for the
# request. Instead, a message is logged. When "enforce" is provided, a request
# that doesn't have the needed capability is rejected.
#
# The capability is expected to have the format:
#
# {prefix}{endpoint}:{method}
#
# The prefix can be a regular expression. If it's empty, no capability check
# is done. The endpoint is a regular expression that should match the endpoint
# the request was sent to. The method is usually the method of the request, such as
# GET. The accept all method is a catchall string that indicates the capability
# is approved for all methods.
# (Optional)
# capabilityCheck:
# # type provides the mode for capability checking.
# type: "enforce"
# # prefix provides the regex to match the capability before the endpoint.
# prefix: "prefix Here"
# # acceptAllMethod provides a way to have a capability that allows all
# # methods for a specific endpoint.
# acceptAllMethod: "all"
# # endpointBuckets provides regular expressions to use against the request
# # endpoint in order to group requests for a metric label.
# endpointBuckets:
# - "hook\\b"
# - "hooks\\b"
# - "device/.*/stat\\b"
# - "device/.*/config\\b"
##############################################################################
# WRP and XMiDT Cloud configurations
##############################################################################
# targetURL is the base URL of the XMiDT cluster
targetURL: http://scytale:6300/api/v3
# WRPSource is used as 'source' field for all outgoing WRP Messages
WRPSource: "dns:tr1d1um.example.com"
# supportedServices is a list of endpoints we support for the WRP producing endpoints
# we will soon drop this configuration
supportedServices:
- "config"
##############################################################################
# HTTP Transaction Configurations
##############################################################################
# timeouts that apply to the Argus HTTP client.
# (Optional) By default, the values below will be used.
argusClientTimeout:
# clientTimeout is the timeout for requests made through this
# HTTP client. This timeout includes connection time, any
# redirects, and reading the response body.
clientTimeout: 50s
# netDialerTimeout is the maximum amount of time the HTTP Client Dialer will
# wait for a connect to complete.
netDialerTimeout: 5s
# timeouts that apply to the XMiDT HTTP client.
# (Optional) By default, the values below will be used.
xmidtClientTimeout:
# clientTimeout is the timeout for the requests made through this
# HTTP client. This timeout includes connection time, any
# redirects, and reading the response body.
clientTimeout: 135s
# requestTimeout is the timeout imposed on requests made by this client
# through context cancellation.
# TODO since clientTimeouts are implemented through context cancellations,
# we might not need this.
requestTimeout: 129s
# netDialerTimeout is the maximum amount of time the HTTP Client Dialer will
# wait for a connect to complete.
netDialerTimeout: 5s
# requestRetryInterval is the time between HTTP request retries against XMiDT
requestRetryInterval: "2s"
# requestMaxRetries is the max number of times an HTTP request is retried against XMiDT in
# case of ephemeral errors
requestMaxRetries: 2
# authAcquirer enables configuring the JWT or Basic auth header value factory for outgoing
# requests to XMiDT. If both types are configured, JWT will be preferred.
# (Optional)
# authAcquirer:
# JWT:
# # requestHeaders are added to the request for the token.
# # (Optional)
# # requestHeaders:
# # "": ""
# # authURL is the URL to access for the token.
# authURL: ""
# # timeout is how long the request to get the token will take before
# # timing out.
# timeout: "1m"
# # buffer is the length of time before a token expires to get a new token.
# buffer: "2m"
# Basic: "" # Must be of form: 'Basic xyz=='
# tracing provides configuration around traces using OpenTelemetry.
# (Optional). By default, a 'noop' tracer provider is used and tracing is disabled.
tracing:
# provider is the name of the trace provider to use. Currently, otlp/grpc, otlp/http, stdout, jaeger and zipkin are supported.
# 'noop' can also be used as provider to explicitly disable tracing.
provider: "noop"
# skipTraceExport only applies when provider is stdout. Set skipTraceExport to true
# so that trace information is not written to stdout.
# skipTraceExport: true
# endpoint is where trace information should be routed. Applies to otlp, zipkin, and jaegar. OTLP/gRPC uses port 4317 by default.
# OTLP/HTTP uses port 4318 by default.
# endpoint: "localhost:4317"
# ParentBased and NoParent dictate if and when new spans should be created.
# ParentBased = "ignore" (default), tracing is effectively turned off and the "NoParent" value is ignored
# ParentBased = "honor", the sampling decision is made by the parent of the span
parentBased: ignore
# NoParent decides if a root span should be initiated in the case where there is no existing parent
# This value is ignored if ParentBased = "ignore"
# NoParent = "never" (default), root spans are not initiated
# NoParent = "always", roots spans are initiated
noParent: never
# previousVersionSupport allows us to support two different major versions of
# the API at the same time from the same application. When this is true,
# tr1d1um will support both "/v2" and "/v3" endpoints. When false, only "/v3"
# endpoints will be supported.
previousVersionSupport: true