The Grey Matter project maintains its own build of the Envoy proxy with additional filters built in at compile time.
Environment Variables
Environment variables are the primary configuration method for the proxy.
ACCEPT_HTTP_10
- Accept HTTP/1.0 connections on the Envoy static listener.ACL_ENABLED
- Enables 2-Way SSL impersonation REST filter.ACL_SERVER_LIST
- A list of server DNs to be whitelisted (pipe delimited).AWS_ACCESS_KEY_ID
- AWS provided access key credential.AWS_CONFIG_FILE
- Location of the local AWS config.AWS_PROFILE
- A locally defined AWS profile name associated with valid AWS credentials.AWS_REGION
- AWS defined region.AWS_SECRET_ACCESS_KEY
- AWS provided secret access key credentialCW_DIMENSIONS
- The dimension names/values that the specified metrics will be stored under.CW_ENABLED
- Enable Amazon CloudWatch metrics collection.CW_METRICS_ROUTES
- Regular expression describing routes to be recognizedCW_METRICS_VALUES
- Values reported to Amazon CloudwatchCW_NAMESPACE
- Customize namespace where metrics will be storedDELAY_MEAN
- Obfuscation delay meanDELAY_STD
- Obfuscation delay stdDELTA_XDS
- Enable dynamic configuration from Grey Matter xDS using the incremental protocol variant.DRAIN_TIMEOUT
- Listener drain timeout.EGRESS_CA_CERT_PATH
- Egress trust certificate path.EGRESS_CERT_PATH
- Egress certificate path.EGRESS_KEY_PATH
- Egress key certificate path.EGRESS_TLS_CERT
- Base64 encoded cert written out to ./certs/egress_localhost.crtEGRESS_TLS_KEY
- Base64 encoded key written out to ./certs/egress_localhost.keyEGRESS_TLS_TRUST
- Base64 encoded trust written out to ./certs/egress_intermediate.crtEGRESS_USE_TLS
(default: false)
- Enable 2-way SSL to the proxied service.ENVOY_ADMIN_HOST
(default:
0.0.0.0)
- The host the envoy admin server will listen on.ENVOY_ADMIN_LOG_PATH
(default: **/dev/null**)
- File descriptor envoy writes logs to.ENVOY_ADMIN_PORT
(default: **8001**)
- The port the envoy admin server will listen onENVOY_CONFIG
- Base64 encoded string of envoy configuration fileENVOY_LOG_LEVEL
GM_CONFIG
- Base64 encoded string of gm-config.yaml configuration fileHOST
(default:
0.0.0.0)
- Host for Envoy listenerIDLE_TIMEOUT
- Cluster idle timeout, in seconds; example 3000sINGRESS_CA_CERT_PATH
- Ingress trust certificate pathINGRESS_CERT_PATH
- Ingress certificate pathINGRESS_KEY_PATH
- Ingress key certificate pathINGRESS_TLS_CERT
- Base64 encoded cert written out to./certs/ingress_localhost.crt
.INGRESS_TLS_KEY
- Base64 encoded key written out to./certs/ingress_localhost.key
.INGRESS_TLS_TRUST
- Base64 encoded key written out to ?????INGRESS_USE_TLS
- Whether to use TLS for Ingress.INHEADERS_ENABLED
(default: false)
- Setup Impersonation headers.KAFKA_ENABLED
(default: false)
- Enable event emission to a Kafka topic.KAFKA_SERVER_CONNECTION
(default:
localhost:9091)
- Comma-separated list of of Kafka brokers.KAFKA_SERVER_NAME
- Server name to be used when connecting to Kafka over TLS.KAFKA_TLS_CERT
- Certificate to be used when connecting to Kafka over TLS; example:file:///opt/certs/certificate.pem
.KAFKA_TLS_KEY
- Certificate key to be used when connecting to Kafka over TLS.KAFKA_TLS_TRUSTS
- Certificate authorities to be used when connecting to Kafka over TLS (command de-limited).KAFKA_ZK_DISCOVER
(default: false)
- Discovery of Kafka brokers from ZooKeeper.LISTAUTH_BLACKLIST
- List of DNs to be blacklisted (pipe delimited).LISTAUTH_ENABLED
- Enable/disable the whitelist/blacklist feature.LISTAUTH_WHITELIST
- List of DNs to be whitelisted (pipe delimited).METRICS_FABRIC_PATH
(default: **/metrics**)
- Route for metrics collection.METRICS_PORT
(default: 8081)
- Port for metrics listener.METRICS_PROMETHEUS_PATH
(default: **/prometheus**)
- Route for Prometheus metrics collection.METRICS_USE_TLS
(default: **false**)
- Metrics listener uses TLS.OAUTH_CLIENT_ID
- Client ID issued by the authorization server.OAUTH_CLIENT_SECRET
- Client secret issued by the authorization server.OAUTH_DOMAIN
- Provider domain.OAUTH_ENABLED
- Enable full OAuth 2.0 functionality.OAUTH_SERVER_INSECURE
(default: false)
- Skip verification for OAuth server.OAUTH_SERVER_NAME
- Authorization server name.OAUTH_SESSION_SECRET
- OAuth session secret.OBS_ENABLED
(default: false)
- Enables event emission to various brokers.OBS_FULL_RESPONSE
(default: false)
- If true, dump full request and response bodies to Observables pipeline.OBS_KAFKA_TOPIC
(default: **gm-sidecar-events**)
- Kafka topic to send observables on.OBS_TOPIC
- Topic for the observable event. Sets eventType in the payload.PORT
(default: 8080)
- Port for Envoy listener.PROXY_DYNAMIC
- Boolean - if false, only static config is used.REDIS_CLUSTER
- Envoy cluster name for for proxyied Redis requests with a configured Redis proxy filter.REDIS_HOST
(default:
redis_server)
- The host of a Redis server.REDIS_PORT
(default: 3679)
- The port of a Redis server.REDIS_SNI
- What Server Name Indication (SNI) to assign to the Redis cluster.SERVICE_DNS_TYPE
(default:
STRICT_DNS)
- The type of DNS envoy will use to connect to the static cluster.SERVICE_HOST
(default:
0.0.0.0)
- Proxied service host.SERVICE_PORT
- Proxied service port.SPIRE_CERT_PATH
- The path of a Spire agent certificate used to create an mTLS connection.SPIRE_HOST
- The host a Spire agent is listening on if connecting over mTLS.SPIRE_KEY_PATH
- The path of a Spire agent certificate key used to create an mTLS connection.SPIRE_PATH
- The Unix domain socket path Envoy will use to connect to a Spire agent.SPIRE_PORT
- The port a Spire agent is listening on if connecting over mTLS.TCP_CLUSTER
- Name to assign the cluster that will be used for proxying requests with a configured TCP proxy filter.TCP_HOST
- The host of a server that receives TCP connections.TCP_PORT
(default: 3000)
- The port of a server that receives TCP connections.TCP_SNI
- What Server Name Indication (SNI) to assign to the TCP cluster.TIMEOUT
- Cluster route timeout.TRACING_ADDRESS
- The host of the trace collector server.TRACING_CA_CERT_PATH
- Trace server trust certificate path.TRACING_CERT_PATH
- Trace server certificate path.TRACING_COLLECTOR_ENDPOINT_VERSION
(default: **HTTP_JSON**)
- API Version of the tracing collector endpoint.TRACING_COLLECTOR_ENDPOINT
(default: **/api/v1/spans**)
- Used by Zipkin and Opencensus (only when exporting to Zipkin). Endpoint on the tracing server to send spans..TRACING_DATADOG_SERVICE_NAME
(default: **gm-proxy**)
- Used by Datadog. A unique identifier to display in the Datadog dashboard.TRACING_DRIVER
- One of: "zipkin", "lightstep", "datadog", "opencensus", "instana".TRACING_ENABLED
(default: false)
- Turn on request tracing using the Zipkin config.TRACING_INSTANA_LIBRARY_PATH
(default:
/app/instana_sensor.so)
- The path of the Instana library file to run when sending spans to Instana.TRACING_KEY_PATH
- Trace server key certificate path.TRACING_LIGHTSTEP_ACCESS_TOKEN_PATH
- Used by Lightstep. Path to file containing the access token to the LightStep API.TRACING_OPENCENSUS_CONTEXT_HEADER
- Header for manually tracking traces across services. Accepts "traceparent", "grpc-trace-bin", "x-cloud-trace-context", "x-b3-*".TRACING_OPENCENSUS_EXPORTER
- Receives "ocagent", "stackdriver", "zipkin".TRACING_OPENCENSUS_STACKDRIVER_PROJECT_ID
- The cloud project_id to use when exporting to Stackdriver.TRACING_PORT
- The port of the trace collector serve.TRACING_USE_TLS
- Communicate to the trace server via TLS.USE_HTTP2
- Enable HTTP/2 for static cluster connection (doesn't work with HTTP/1.0).USE_KAFKA_TLS
(default: false)
- Enable TLS communication with Kafka nodes.XDS_CLUSTER
- Envoy xDS proxy cluster identifier.XDS_ENABLE_TLS
- Enable TLS when communicating with the xDS server.XDS_HOST
- Host of Grey Matter xDS Server.XDS_NODE_ID
- Envoy node id per xds configuration.XDS_PORT
(default: 18000)
- Port of Grey Matter xDS Server.XDS_SERVER_CA_PATH
(default:
certs/xds_server_ca.crt)
- Path to CA file to be used for connecting to xDS.XDS_SERVER_CERT_PATH
(default:
certs/xds_server_cert.crt)
- Path to certificate file to be used for connecting to xDS.XDS_SERVER_KEY_PATH
(default:
certs/xds_server_key.key)
- Path to key file to be used for connecting to xDS.XDS_ZONE
- The zone this proxy is a member of.ZK_ADDRS
(default:
localhost:2181)
- comma-separated list of host:port of ZooKeeper nodes.ZK_ANNOUNCE_HOST
(default:
0.0.0.0)
- Host of the original service.ZK_ANNOUNCE_PATH
- Zookeeper discovery path.
Command Line Flags
A few proxy features can be configured with command line flags.
--config
- Path to config.yaml; Useful for providing static configuration to gm-proxy. An Envoy bootstrap config is generated, if not provided.--service-cluster
- Cluster announced to control plane.--service-zone
- Zone announced to control plane; must matchapi.zone
configured in gm-control.