############################
# Basic Config
############################
# The address GRPC requests will listen on.
# 0.0.0.0 binds every network interface; set a specific interface address to
# limit which networks can reach the listener.
GUBER_GRPC_ADDRESS=0.0.0.0:1051
# The address HTTP requests will listen on (0.0.0.0 again binds every interface).
GUBER_HTTP_ADDRESS=0.0.0.0:1050
# The address gubernator peers will connect to. Ignored if using k8s peer
# discovery method.
#
# Should be the same as GUBER_GRPC_ADDRESS unless you are running behind a NAT
# or running in a docker container without host networking.
#
# If unset, defaults to the hostname or, if that fails, attempts to guess
# a non-loopback interface.
# NOTE(review): localhost is only reachable from the same host; presumably a
# single-node example value. Confirm before using it with remote peers.
GUBER_ADVERTISE_ADDRESS=localhost:1051
# A unique id which identifies this instance of gubernator. This
# id is used in tracing and logging to identify this instance.
# This can be set by kubernetes pod definitions or nomad job files.
# If not set, defaults to the Docker CID or a randomly generated id.
# <unique-id> is a placeholder; replace it or remove the line to get the default.
GUBER_INSTANCE_ID=<unique-id>
# Max size of the cache; This is the cache that holds
# all the rate limits. The cache size will never grow
# beyond this size.
# GUBER_CACHE_SIZE=50000
# The name of the datacenter this gubernator instance is in.
# GUBER_DATA_CENTER=datacenter1
# Time in seconds that the GRPC server will keep a client connection alive.
# If the value is zero (the default), connections are kept alive indefinitely.
# GUBER_GRPC_MAX_CONN_AGE_SEC=30
# Defines the delay added in seconds before the graceful termination starts.
# Default is 0
# GUBER_GRACEFUL_TERMINATION_DELAY_SEC=20
# A list of optional prometheus metric collection
# os - collect process metrics
# See https://pkg.go.dev/github.com/prometheus/client_golang@v1.11.0/prometheus/collectors#NewProcessCollector
# golang - collect golang internal metrics
# See https://pkg.go.dev/github.com/prometheus/client_golang@v1.11.0/prometheus/collectors#NewGoCollector
# GUBER_METRIC_FLAGS=os,golang
############################
# Log Config
############################
# Log Level, these are the log levels for logrus.
# GUBER_LOG_LEVEL=trace
# Log Format, currently supports either json or text
# GUBER_LOG_FORMAT=json
############################
# Behavior Config
############################
# How long a forwarding peer will wait for a response before timing out
#GUBER_BATCH_TIMEOUT=500ms
# The max number of requests in a single batch a node will forward to a peer
#GUBER_BATCH_LIMIT=1000
# How long a node will wait before sending a batch of requests to a peer
#GUBER_BATCH_WAIT=500ns
# How long an owning peer will wait for a response when sending GLOBAL updates to peers
#GUBER_GLOBAL_TIMEOUT=500ms
# The max number of requests in a single batch to a node when sending GLOBAL updates to peers
#GUBER_GLOBAL_BATCH_LIMIT=1000
# How long a node will wait before sending a batch of GLOBAL updates to a peer
#GUBER_GLOBAL_SYNC_WAIT=500ns
############################
# TLS Config
############################
# Path to the CA certificate. This is primarily used by gubernator
# when connecting to other gubernator peers.
# GUBER_TLS_CA=/path/to/ca.pem
# Path to the CA private key. See GUBER_TLS_AUTO for details
# GUBER_TLS_CA_KEY=/path/to/ca.key
# Path to the server certificate. Certificate used by the server/clients for TLS connections.
# Supports hot reload on receiving the SIGHUP signal
# GUBER_TLS_CERT=/path/to/server.pem
# Path to the server private key. This is the key for the certificate. Must be unencrypted,
# so restrict read access on the key file to the account gubernator runs as.
# Supports hot reload on receiving the SIGHUP signal
# GUBER_TLS_KEY=/path/to/server.key
# If set to `true` gubernator will generate both the CA and self-signed server certificates.
# If GUBER_TLS_CA and GUBER_TLS_CA_KEY are set but no GUBER_TLS_KEY or GUBER_TLS_CERT is set
# then gubernator will generate a self-signed key using the provided GUBER_TLS_CA and
# GUBER_TLS_CA_KEY. This avoids the need to distribute a new server cert for each gubernator
# instance at the cost of distributing the CA private key. If set but no CA or TLS certs are
# provided, gubernator will generate the CA and certs needed for TLS.
# Hot reload is disabled when GUBER_TLS_AUTO set to `true`.
# GUBER_TLS_AUTO=false
# Sets the minimum TLS version. If not set, defaults to 1.3
# GUBER_TLS_MIN_VERSION=1.3
# Sets the Client Authentication type as defined in the golang standard 'crypto/tls' package.
# Valid types are ('request-cert', 'verify-cert', 'require-any-cert', 'require-and-verify').
# Use `require-and-verify` to achieve secure client authentication which will apply to all
# client and gubernator peer to peer communication. If set then gubernator will attempt to
# load GUBER_TLS_CLIENT_AUTH_CA_CERT, GUBER_TLS_CLIENT_AUTH_KEY and
# GUBER_TLS_CLIENT_AUTH_CERT for use with client authentication. If not provided client
# auth will use GUBER_TLS_CA, GUBER_TLS_CERT and GUBER_TLS_KEY for client authentication.
# GUBER_TLS_CLIENT_AUTH=require-and-verify
# For use with GUBER_TLS_CLIENT_AUTH
# Supports hot reload on receiving the SIGHUP signal for GUBER_TLS_CLIENT_AUTH_KEY and GUBER_TLS_CLIENT_AUTH_CERT
# GUBER_TLS_CLIENT_AUTH_KEY=/path/to/client.key
# GUBER_TLS_CLIENT_AUTH_CERT=/path/to/client.pem
# GUBER_TLS_CLIENT_AUTH_CA_CERT=/path/to/client-ca.pem
# If true, TLS peer to peer clients will accept any certificate presented by the remote
# gubernator instance and any host name in that certificate. Peers are then not
# authenticated, so keep this false except in test setups.
# GUBER_TLS_INSECURE_SKIP_VERIFY=false
# Configures the tls client used to make peer GRPC requests to verify that peer certificates
# contain the specified SAN. See ServerName field of https://pkg.go.dev/crypto/tls#Config.
# Useful if your peer certificates do not contain IP SANs, but all contain a common SAN.
# GUBER_TLS_CLIENT_AUTH_SERVER_NAME=gubernator
############################
# Peer Discovery Type
############################
# Which type of peer discovery gubernator will use ('member-list', 'etcd', 'k8s', 'dns', 'none')
# GUBER_PEER_DISCOVERY_TYPE=member-list
############################
# Member-List Config (GUBER_PEER_DISCOVERY_TYPE=member-list)
############################
# The address peers will connect to. Defaults to GUBER_ADVERTISE_ADDRESS
# GUBER_MEMBERLIST_ADVERTISE_ADDRESS=localhost:1051
# The address the memberlist will listen to for TCP and UDP gossip.
# The default used by memberlist package is 0.0.0.0:7946.
# GUBER_MEMBERLIST_BIND_ADDRESS=0.0.0.0:7946
# The address the member list will listen to in order to discover other list members.
# This should be a different port than GUBER_ADVERTISE_ADDRESS.
# Used for nat traversal in the memberlist package.
# GUBER_MEMBERLIST_ADDRESS=localhost:1051
# This is an initial list or a single domain name that 'member-list' will connect to in order to
# begin discovering other peers.
# GUBER_MEMBERLIST_KNOWN_NODES=peer1:1051,peer2:1051,peer3:1051
# GUBER_MEMBERLIST_KNOWN_NODES=memberlist.example.com
############################
# Kubernetes Config (GUBER_PEER_DISCOVERY_TYPE=k8s)
############################
# The namespace the gubernator instances were deployed into
#GUBER_K8S_NAMESPACE=default
# Should be set to the IP of the pod the gubernator instance is running in.
# This allows gubernator to know which of the peers it discovers is itself.
#GUBER_K8S_POD_IP=<pod-ip>
# Should be set to the port number of the pod, as defined by `containerPort` in the pod spec.
#GUBER_K8S_POD_PORT=<pod-port>
# The name of the Kubernetes Service that selects gubernator pods.
# Required when using the default 'endpointslices' watch mechanism.
# Gubernator will watch EndpointSlices with the label kubernetes.io/service-name=<service-name>
#GUBER_K8S_SERVICE_NAME=gubernator
# The label selector used when using the 'pods' watch mechanism to find peers.
# Only required if GUBER_K8S_WATCH_MECHANISM=pods
#GUBER_K8S_SELECTOR=app=gubernator
# DEPRECATED: Use GUBER_K8S_SELECTOR instead. This is kept for backward compatibility.
#GUBER_K8S_ENDPOINTS_SELECTOR=app=gubernator
# The mechanism by which gubernator watches for changes in k8s. (defaults to 'endpointslices')
# endpointslices - Watches the discovery.k8s.io/v1.EndpointSlice API for changes (default)
# endpoints - Alias for 'endpointslices' (backward compatible, now uses EndpointSlice API)
# pods - Watches the v1.Pod API for changes
#GUBER_K8S_WATCH_MECHANISM=endpointslices
############################
# Etcd Config (GUBER_PEER_DISCOVERY_TYPE=etcd)
############################
# A comma-separated list of etcd nodes
# GUBER_ETCD_ENDPOINTS=localhost:2379
# The address peers will connect to. Defaults to GUBER_ADVERTISE_ADDRESS
# GUBER_ETCD_ADVERTISE_ADDRESS=localhost:1051
# The prefix gubernator will use to register peers under in etcd
#GUBER_ETCD_KEY_PREFIX=/gubernator-peers
# How long the etcd client will wait for a response when initially dialing a node
#GUBER_ETCD_DIAL_TIMEOUT=5s
# The name of the datacenter this gubernator instance is in.
# GUBER_ETCD_DATA_CENTER=datacenter1
# Authentication. The password is stored here in plain text, so restrict read access to this file.
#GUBER_ETCD_USER=my-user
#GUBER_ETCD_PASSWORD=my-password
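# Enables the etcd TLS config, starting from an empty config
# NOTE(review): the key name below is spelled 'EABLED'; confirm the exact name the loader reads.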
#GUBER_ETCD_TLS_EABLED=False
# Certificate file locations
#GUBER_ETCD_TLS_CERT=/path/to/cert
#GUBER_ETCD_TLS_KEY=/path/to/key
#GUBER_ETCD_TLS_CA=/path/to/ca
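# Skip verification of the etcd server's certificate. The etcd endpoint is then not
# authenticated; the `true` below is an example value, keep it unset or false outside test setups.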
#GUBER_ETCD_TLS_SKIP_VERIFY=true
############################
# DNS Config (GUBER_PEER_DISCOVERY_TYPE=dns)
############################
# A comma-separated list of fully-qualified domain names that resolve to
# gubernator instance IP addresses. Each FQDN is queried for A/AAAA records
# and the resulting IPs become peers.
# GUBER_DNS_FQDN=gubernator.example.com.
# Path to a resolv.conf-style file listing DNS servers to use for lookups.
# Defaults to /etc/resolv.conf. Override when running in environments where
# the system resolver is not available or should not be used.
# GUBER_RESOLV_CONF=/etc/resolv.conf
# GUBER_DATA_CENTER identifies which FQDN belongs to the local cluster.
# Leave unset for single-datacenter deployments.
#
# Multi-datacenter deployments require one FQDN per cluster in GUBER_DNS_FQDN,
# and each instance must set GUBER_DATA_CENTER to its own cluster's FQDN:
#
# # EKS instances:
# GUBER_DATA_CENTER=gubernator.svc.eks-cluster.
# GUBER_DNS_FQDN=gubernator.svc.eks-cluster.,gubernator.svc.gke-cluster.,gubernator.svc.aks-cluster.
#
# # GKE instances:
# GUBER_DATA_CENTER=gubernator.svc.gke-cluster.
# GUBER_DNS_FQDN=gubernator.svc.eks-cluster.,gubernator.svc.gke-cluster.,gubernator.svc.aks-cluster.
#
# Note: unlike etcd and member-list where peers advertise their datacenter to
# each other directly, DNS has no metadata exchange — the FQDN a peer's IP was
# resolved from is the only signal available. This is why GUBER_DATA_CENTER must
# be the exact FQDN of the local cluster, not a short logical name like "eks".
# It is also why every instance must be configured with the full list of cluster
# FQDNs upfront, and why adding a new cluster requires updating GUBER_DNS_FQDN
# on every existing instance. If your cluster topology changes frequently,
# consider etcd or member-list instead.
#
# GUBER_DATA_CENTER=gubernator.example.com.
############################
# Picker Config
############################
# Choose which picker algorithm to use
# GUBER_PEER_PICKER=consistent-hash
# Choose the hash algorithm for `consistent-hash` (crc32, fnv1a, fnv1)
# GUBER_PEER_PICKER_HASH=crc32
# Choose which picker algorithm to use
# GUBER_PEER_PICKER=replicated-hash
# Choose the hash algorithm for `replicated-hash` (fnv1a, fnv1)
# GUBER_PEER_PICKER_HASH=fnv1a
# Choose the number of replications
# GUBER_REPLICATED_HASH_REPLICAS=512
############################
# OTEL Tracing Config
# See /tracing.md
############################
# Set the name of the service which will be reported in traces
# OTEL_SERVICE_NAME=gubernator
# Set the tracing level, this controls the number of spans included in a single trace.
# Valid options are (ERROR, INFO, DEBUG) Defaults to "ERROR"
# GUBER_TRACING_LEVEL=ERROR
# Set which sampler to use (always_on, always_off, traceidratio, parentbased_always_on,
# parentbased_always_off, parentbased_traceidratio)
# OTEL_TRACES_SAMPLER=always_on
# If traceidratio set the ratio to a value between 0.0 and 1.0
# OTEL_TRACES_SAMPLER_ARG=1.0
# Choose the transport protocol (otlp, grpc or http/protobuf)
# OTEL_EXPORTER_OTLP_PROTOCOL=grpc
# The endpoint to send traces to
# OTEL_EXPORTER_OTLP_ENDPOINT=https://collector:<port>
# If the endpoint is `https` specify the TLS certificate files
# OTEL_EXPORTER_OTLP_CERTIFICATE=/path/to/cert
# OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE=/path/to/client
# OTEL_EXPORTER_OTLP_CLIENT_KEY=/path/to/ca
# Optional headers appended to the http requests in the format key=value,key2=value2
# OTEL_EXPORTER_OTLP_HEADERS=header1=value1
############################
# Honeycomb.io Tracing Config
############################
# OTEL_EXPORTER_OTLP_PROTOCOL=otlp
# OTEL_EXPORTER_OTLP_ENDPOINT=https://api.honeycomb.io
# OTEL_EXPORTER_OTLP_HEADERS=x-honeycomb-team=<api-key>