-
Notifications
You must be signed in to change notification settings - Fork 9
/
argus.yaml
264 lines (232 loc) · 10.3 KB
/
argus.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
## SPDX-FileCopyrightText: 2021 Comcast Cable Communications Management, LLC
## SPDX-License-Identifier: Apache-2.0
---
prometheus:
defaultNamespace: xmidt
defaultSubsystem: argus
constLabels:
development: "true"
handler:
maxRequestsInFlight: 5
timeout: 5s
instrumentMetricHandler: true
logging:
level: debug
development: true
encoderConfig:
messageKey: message
levelKey: key
levelEncoder: lowercase
health:
disableLogging: false
custom:
server: development
servers:
primary:
address: :6600
disableHTTPKeepAlives: true
header:
X-Xmidt-Server:
- argus
X-Xmidt-Version:
- development
metrics:
address: :6601
disableHTTPKeepAlives: true
header:
X-Xmidt-Server:
- argus
X-Xmidt-Version:
- development
health:
address: :6602
disableHTTPKeepAlives: true
header:
X-Xmidt-Server:
- argus
X-Xmidt-Version:
- development
store:
# dynamo is the configuration block to communicate with dynamoDB.
dynamo:
# endpoint is used to set a custom aws endpoint.
# (Optional)
endpoint: "http://localhost:8000"
# table is the name of the table that is already configured with bucket and id as the key.
table: "gifnoc"
# region is where request should go to.
region: "us-east-2"
# maxRetires is the maximum times the application will retry the request to the db.
# (Optional) default: 3
maxRetries: 3
# getAllLimit is the maximum number of items to get at a time.
# (Optional) defaults to no limit
getAllLimit: 50
# accessKey is the AWS accessKey to access dynamodb.
accessKey: "accessKey"
# secretKey is the AWS secretKey to go with the accessKey to access dynamodb.
secretKey: "secretKey"
# If roleBasedAccess is enabled, accessKey and secretKey will be fetched using IAM temporary credentials
roleBasedAccess: false
#yugabyte:
# # hosts is and array of address and port used to connect to the cluster.
# hosts:
# - "localhost:9042"
# # database is the name of the database being connected to.
# database: "argus"
# # opTimeout is the timeout for database calls after argus is connected.
# # If the opTimeout is set to 0, it defaults to 10s.
# # (Optional) defaults to 10s
# opTimeout: 100ms
# # username is the username to use when connecting to the database.
# # (Optional)
# username: "cassandra"
#
# # password is the password to use when connecting to the database.
# # (Optional)
# password: "cassandra"
#
# # SSLRootCert is the root cert to use when connecting to the database.
# # The SSLKey and SSLCert must also be provided in order to connect securely.
# # (Optional)
# #sslRootCert: "/etc/argus/ca.crt"
#
# # SSLKey is the SSL key to use when connecting to the database. The
# # SSLRootCert and SSLCert must also be provided in order to connect securely.
# # (Optional)
# #sslKey: "/etc/argus/node.0.0.0.0.key"
#
# # SSLCert is the SSL cert to use when connecting to the database. The SSLKey
# # and SSLRootCert must also be provided in order to connect securely.
# # (Optional)
# #sslCert: "/etc/argus/node.0.0.0.0.crt"
#
# # If you want to verify the hostname and server cert (like a wildcard for cass cluster) then you should turn this on
# # This option is basically the inverse of InSecureSkipVerify
# # See InSecureSkipVerify in http://golang.org/pkg/crypto/tls/ for more info
# # (Optional) defaults to false
# #enableHostVerification: false
# userInputValidation groups options around validating data on incoming requests.
# (Optional) The default values are those listed above the fields below.
userInputValidation:
# itemMaxTTL defines the limit for TTL values provided by users of the API.
# refer to https://golang.org/pkg/time/#ParseDuration for valid strings.
# (Optional) default: 24h (a day)
itemMaxTTL: "24h"
# bucketFormatRegex helps define the validity of a bucket through a regular expression.
# (Optional) default: ^[0-9a-z][0-9a-z-]{1,61}[0-9a-z]$
bucketFormatRegex: "^[0-9a-z][0-9a-z-]{1,61}[0-9a-z]$"
# ownerFormatRegex helps define the validity of a bucket through a regular expression.
# (Optional) default: ^.{10,60}$
ownerFormatRegex: "^.{4,60}$"
# itemDataMaxDepth is the max allowed depth of the Item JSON data field.
# If your DB supports up to N nested objects, itemDataMaxDepth should be set to
# N-1. The value of itemDataMaxDepth must be > 0, otherwise the default value will
# be used.
# (Optional) default: 30
itemDataMaxDepth: 30
##############################################################################
# Authorization Credentials
##############################################################################
# clorthoConfig groups options around clortho configuration.
jwtValidator:
Config:
Resolve:
# Template is a URI template used to fetch keys. This template may
# use a single parameter named keyID, e.g. http://keys.com/{keyID}.
# This field is required and has no default.
Template: "http://localhost/{key_name}"
Refresh:
Sources:
# URI is the location where keys are served. By default, clortho supports
# file://, http://, and https:// URIs, as well as standard file system paths
# such as /etc/foo/bar.jwk.
#
# This field is required and has no default.
- URI: "http://localhost/available"
authx:
inbound:
# basic is a list of Basic Auth credentials intended to be used for local testing purposes.
# WARNING! Be sure to remove this from your production config.
basic: ["dXNlcjpwYXNz"]
# bearer contains all the configuration needed for a JWT validator.
bearer:
key:
factory:
uri: "http://localhost:6500/keys/docker"
purpose: 0
updateInterval: 24h
# accessLevel defines config around the injection of an attribute to bascule tokens
# which application code can leverage to decide if a given request is allowed to execute some operation.
# Note that accessLevel differs from capabilityCheck in that it allows more complex access hierarchy.
# That is, while capabilityCheck verifies whether a user is allowed to use an API endpoint, accessLevel
# assigns a number to the user's request which application code can use for security purposes.
# An access level is defined as a non-negative number and the higher the number, the higher the access the
# request has for the target application.
# (Optional). If section is not provided, the lowest access level value of 0 will be assigned to the attribute.
accessLevel:
# attributeKey is the key that application code can use to fetch the access level from the provided bascule token.
# (Optional) defaults to 'access-level'
attributeKey: access-level
# capabilitySource provides configuration to the component which generates the access level for an incoming request
# based on its endpoint capabilities. This component assigns only two access levels: 1 for elevated access and 0 otherwise.
# Components that assign more than two values might be added in the future.
# (Optional)
capabilitySource:
# name is the capability we will search for inside the capability list pointed by path.
# If this value is found in the list, the access level assigned to the request will be 1. Otherwise, it will be 0.
# (Optional) defaults to 'xmidt:svc:admin'
name: "xmidt:svc:admin"
# path is the list of nested keys to get to the claim which contains the capabilities.
# For example, if your JWT payload looks like this:
# ```
# {
# "iat": 1234567899,
# "nbf": 1234567899,
# "my_company": {
# "capabilities": ["capability0", "capability1"]
# }
# }
# ```
# you'll want to set path to ["my_company", "capabilities"]
# (Optional) default: ["capabilities"]
path: ["capabilities"]
# # capabilities provides the details needed for checking an incoming JWT's
# # capabilities. If the type of check isn't provided, no checking is done. The
# # type can be "monitor" or "enforce". If "monitor" is provided, the capabilities
# # are checked but the request isn't rejected when there isn't a valid capability
# # for the request. Instead, a message is logged. When "enforce" is provided, a
# # request that doesn't have the needed capability is rejected.
# # The capability is expected to have the format:
# # {prefix}{endpoint}:{method}
# # The prefix can be a regular expression. If it's empty, no capability check
# # is done. The endpoint is a regular expression that should match the endpoint
# # the request was sent to. The method is usually the method of the request, such as
# # GET. The accept all method is a catchall string that indicates the capability
# # is approved for all methods.
# # (Optional)
# capabilities:
# # type provides the mode for capability checking.
# type: "monitor"
# # prefix provides the regex to match the capability before the endpoint.
# prefix: "xmidt"
# # acceptAllMethod provides a way to have a capability that allows all
# # methods for a specific endpoint.
# acceptAllMethod: "all"
# # endpointBuckets provides regular expressions to use against the request
# # endpoint in order to group requests for a metric label.
# endpointBuckets:
# - "store\\b"
# - "store/.*\\b"
# tracing provides configuration around traces using OpenTelemetry.
# (Optional). By default, a 'noop' tracer provider is used and tracing is disabled.
tracing:
# provider is the name of the trace provider to use. Currently, otlp/grpc, otlp/http, stdout, jaeger and zipkin are supported.
# 'noop' can also be used as provider to explicitly disable tracing.
provider: "noop"
# skipTraceExport only applies when provider is stdout. Set skipTraceExport to true
# so that trace information is not written to stdout.
# skipTraceExport: true
# endpoint is where trace information should be routed. Applies to otlp, zipkin, and jaegar. OTLP/gRPC uses port 4317 by default.
# OTLP/HTTP uses port 4318 by default.
# endpoint: "http://localhost:9411/api/v2/spans"