in docker/generic/start_proxy.py [0:0]
def gen_proxy_config(args):
# Copy Google default application credential file between the flag and the environment variable.
# We need to set both, the flag is used for calling service_control and service management,
# the environment variable is used for calling StackDriver for tracing.
if args.service_account_key is None:
if GOOGLE_CREDS_KEY in os.environ:
args.service_account_key = os.environ[GOOGLE_CREDS_KEY]
else:
if GOOGLE_CREDS_KEY not in os.environ:
os.environ[GOOGLE_CREDS_KEY] = args.service_account_key
check_conflict_result = enforce_conflict_args(args)
if check_conflict_result:
logging.error(check_conflict_result)
sys.exit(1)
proxy_conf = [
CONFIGMANAGER_BIN,
"--logtostderr",
"--rollout_strategy", args.rollout_strategy,
]
if "://" not in args.backend:
proxy_conf.extend(["--backend_address", "http://" + args.backend])
else:
proxy_conf.extend(["--backend_address", args.backend])
if args.healthz:
proxy_conf.extend(["--healthz", args.healthz])
# The flag "--health_check_grpc_backend" can be independent of the flag "--healthz"
# If the flag "--healthz" is not used, ESPv2 still periodically checks the gRPC backend. If its status
# is not healthy, any requests routed to the backend will be replied with 503 right away.
if args.health_check_grpc_backend:
proxy_conf.append("--health_check_grpc_backend")
if args.health_check_grpc_backend_service:
proxy_conf.extend(["--health_check_grpc_backend_service", args.health_check_grpc_backend_service])
if args.health_check_grpc_backend_interval:
proxy_conf.extend(["--health_check_grpc_backend_interval", args.health_check_grpc_backend_interval])
if args.health_check_grpc_backend_no_traffic_interval:
proxy_conf.extend(["--health_check_grpc_backend_no_traffic_interval", args.health_check_grpc_backend_no_traffic_interval])
if args.enable_debug:
proxy_conf.extend(["--v", "1"])
else:
proxy_conf.extend(["--v", "0"])
if args.envoy_xff_num_trusted_hops:
proxy_conf.extend(["--envoy_xff_num_trusted_hops",
args.envoy_xff_num_trusted_hops])
elif args.on_serverless:
proxy_conf.extend(["--envoy_xff_num_trusted_hops",
'{}'.format(SERVERLESS_XFF_NUM_TRUSTED_HOPS)])
if args.disable_jwks_async_fetch:
proxy_conf.append("--disable_jwks_async_fetch")
if args.jwks_async_fetch_fast_listener:
proxy_conf.append("--jwks_async_fetch_fast_listener")
if args.jwt_cache_size:
proxy_conf.extend(["--jwt_cache_size", args.jwt_cache_size])
if args.jwks_cache_duration_in_s:
proxy_conf.extend(["--jwks_cache_duration_in_s", args.jwks_cache_duration_in_s])
if args.jwks_fetch_num_retries:
proxy_conf.extend(["--jwks_fetch_num_retries", args.jwks_fetch_num_retries])
if args.jwks_fetch_retry_back_off_base_interval_ms:
proxy_conf.extend(["--jwks_fetch_retry_back_off_base_interval_ms", args.jwks_fetch_retry_back_off_base_interval_ms])
if args.jwks_fetch_retry_back_off_max_interval_ms:
proxy_conf.extend(["--jwks_fetch_retry_back_off_max_interval_ms", args.jwks_fetch_retry_back_off_max_interval_ms])
if args.jwt_pad_forward_payload_header:
proxy_conf.append("--jwt_pad_forward_payload_header")
if args.disable_jwt_audience_service_name_check:
proxy_conf.append("--disable_jwt_audience_service_name_check")
if args.management:
proxy_conf.extend(["--service_management_url", args.management])
if args.log_request_headers:
proxy_conf.extend(["--log_request_headers", args.log_request_headers])
if args.log_response_headers:
proxy_conf.extend(["--log_response_headers", args.log_response_headers])
if args.log_jwt_payloads:
proxy_conf.extend(["--log_jwt_payloads", args.log_jwt_payloads])
if args.http_port:
proxy_conf.extend(["--listener_port", str(args.http_port)])
if args.http2_port:
proxy_conf.extend(["--listener_port", str(args.http2_port)])
if args.listener_port:
proxy_conf.extend(["--listener_port", str(args.listener_port)])
if args.ssl_server_cert_path:
proxy_conf.extend(["--ssl_server_cert_path", str(args.ssl_server_cert_path)])
if args.ssl_server_root_cert_path:
proxy_conf.extend(["--ssl_server_root_cert_path", str(args.ssl_server_root_cert_path)])
if args.ssl_port:
proxy_conf.extend(["--ssl_server_cert_path", "/etc/nginx/ssl"])
proxy_conf.extend(["--listener_port", str(args.ssl_port)])
if args.ssl_backend_client_cert_path:
proxy_conf.extend(["--ssl_backend_client_cert_path", str(args.ssl_backend_client_cert_path)])
if args.ssl_client_cert_path:
proxy_conf.extend(["--ssl_backend_client_cert_path", str(args.ssl_client_cert_path)])
if args.enable_grpc_backend_ssl and args.grpc_backend_ssl_root_certs_file:
proxy_conf.extend(["--ssl_backend_client_root_certs_path", str(args.grpc_backend_ssl_root_certs_file)])
if args.ssl_backend_client_root_certs_file:
proxy_conf.extend(["--ssl_backend_client_root_certs_path", str(args.ssl_backend_client_root_certs_file)])
if args.ssl_client_root_certs_file:
proxy_conf.extend(["--ssl_backend_client_root_certs_path", str(args.ssl_client_root_certs_file)])
if args.ssl_server_cipher_suites:
proxy_conf.extend(["--ssl_server_cipher_suites", str(args.ssl_server_cipher_suites)])
if args.ssl_backend_client_cipher_suites:
proxy_conf.extend(["--ssl_backend_client_cipher_suites", str(args.ssl_backend_client_cipher_suites)])
if args.tls_mutual_auth:
proxy_conf.extend(["--ssl_backend_client_cert_path", "/etc/nginx/ssl"])
if args.ssl_minimum_protocol:
proxy_conf.extend(["--ssl_minimum_protocol", args.ssl_minimum_protocol])
if args.ssl_maximum_protocol:
proxy_conf.extend(["--ssl_maximum_protocol", args.ssl_maximum_protocol])
if args.ssl_protocols:
args.ssl_protocols.sort()
proxy_conf.extend(["--ssl_minimum_protocol", args.ssl_protocols[0]])
proxy_conf.extend(["--ssl_maximum_protocol", args.ssl_protocols[-1]])
if args.add_request_header:
proxy_conf.extend(["--add_request_headers", ";".join(args.add_request_header)])
if args.append_request_header:
proxy_conf.extend(["--append_request_headers", ";".join(args.append_request_header)])
if args.add_response_header:
proxy_conf.extend(["--add_response_headers", ";".join(args.add_response_header)])
if args.append_response_header:
proxy_conf.extend(["--append_response_headers", ";".join(args.append_response_header)])
if args.enable_operation_name_header:
proxy_conf.append("--enable_operation_name_header")
if args.enable_response_compression:
proxy_conf.append("--enable_response_compression")
# Generate self-signed cert if needed
if args.generate_self_signed_cert:
if not os.path.exists("/tmp/ssl/endpoints"):
os.makedirs("/tmp/ssl/endpoints")
logging.info("Generating self-signed certificate...")
if os.system(("openssl req -x509 -newkey rsa:2048"
" -keyout /tmp/ssl/endpoints/server.key -nodes"
" -out /tmp/ssl/endpoints/server.crt"
' -days 3650 -subj "/CN=localhost"')) != 0:
logging.fatal("Failed to create self-signed cert using openssl.")
sys.exit(1)
proxy_conf.extend(["--ssl_server_cert_path", "/tmp/ssl/endpoints"])
if args.enable_strict_transport_security:
proxy_conf.append("--enable_strict_transport_security")
if args.service:
proxy_conf.extend(["--service", args.service])
if args.version:
proxy_conf.extend(["--service_config_id", args.version])
if args.http_request_timeout_s:
proxy_conf.extend( ["--http_request_timeout_s", str(args.http_request_timeout_s)])
if args.service_control_url:
proxy_conf.extend([
"--service_control_url", args.service_control_url
])
if args.service_control_check_retries:
proxy_conf.extend([
"--service_control_check_retries",
args.service_control_check_retries
])
if args.service_control_quota_retries:
proxy_conf.extend([
"--service_control_quota_retries",
args.service_control_quota_retries
])
if args.service_control_report_retries:
proxy_conf.extend([
"--service_control_report_retries",
args.service_control_report_retries
])
if args.service_control_check_timeout_ms:
proxy_conf.extend([
"--service_control_check_timeout_ms",
args.service_control_check_timeout_ms
])
if args.service_control_quota_timeout_ms:
proxy_conf.extend([
"--service_control_quota_timeout_ms",
args.service_control_quota_timeout_ms
])
if args.service_control_report_timeout_ms:
proxy_conf.extend([
"--service_control_report_timeout_ms",
args.service_control_report_timeout_ms
])
# NOTE: It is true by default in configmangager's flags.
if args.service_control_network_fail_policy == "close":
proxy_conf.extend(["--service_control_network_fail_open=false"])
if args.service_control_enable_api_key_uid_reporting:
proxy_conf.append("--service_control_enable_api_key_uid_reporting")
if args.service_json_path:
proxy_conf.extend(["--service_json_path", args.service_json_path])
if args.check_metadata:
proxy_conf.append("--check_metadata")
if args.underscores_in_headers:
proxy_conf.append("--underscores_in_headers")
if args.disable_normalize_path:
proxy_conf.append("--normalize_path=false")
if args.disable_merge_slashes_in_path:
proxy_conf.append("--merge_slashes_in_path=false")
if args.disallow_escaped_slashes_in_path:
proxy_conf.append("--disallow_escaped_slashes_in_path")
if args.backend_retry_ons:
proxy_conf.extend(["--backend_retry_ons", args.backend_retry_ons])
if args.backend_retry_on_status_codes:
proxy_conf.extend(["--backend_retry_on_status_codes", args.backend_retry_on_status_codes])
if args.backend_retry_num:
proxy_conf.extend(["--backend_retry_num", args.backend_retry_num])
if args.backend_per_try_timeout:
proxy_conf.extend(["--backend_per_try_timeout", args.backend_per_try_timeout])
if args.access_log:
proxy_conf.extend(["--access_log",
args.access_log])
if args.access_log_format:
proxy_conf.extend(["--access_log_format",
args.access_log_format])
if args.disable_tracing:
proxy_conf.append("--disable_tracing")
else:
if args.tracing_project_id:
proxy_conf.extend(["--tracing_project_id", args.tracing_project_id])
if args.tracing_incoming_context:
proxy_conf.extend(
["--tracing_incoming_context", args.tracing_incoming_context])
if args.tracing_outgoing_context:
proxy_conf.extend(
["--tracing_outgoing_context", args.tracing_outgoing_context])
if args.cloud_trace_url_override:
proxy_conf.extend(["--tracing_stackdriver_address",
args.cloud_trace_url_override])
if args.disable_cloud_trace_auto_sampling:
proxy_conf.extend(["--tracing_sample_rate", "0"])
elif args.tracing_sample_rate:
proxy_conf.extend(["--tracing_sample_rate",
str(args.tracing_sample_rate)])
# TODO(nareddyt): Enable if we find it's helpful for gRPC streaming.
# if args.enable_debug:
# proxy_conf.append("--tracing_enable_verbose_annotations")
if args.transcoding_always_print_primitive_fields:
proxy_conf.append("--transcoding_always_print_primitive_fields")
if args.transcoding_always_print_enums_as_ints:
proxy_conf.append("--transcoding_always_print_enums_as_ints")
if args.transcoding_stream_newline_delimited:
proxy_conf.append("--transcoding_stream_newline_delimited")
if args.transcoding_case_insensitive_enum_parsing:
proxy_conf.append("--transcoding_case_insensitive_enum_parsing")
if args.transcoding_preserve_proto_field_names:
proxy_conf.append("--transcoding_preserve_proto_field_names")
if args.transcoding_ignore_query_parameters:
proxy_conf.extend(["--transcoding_ignore_query_parameters",
args.transcoding_ignore_query_parameters])
if args.transcoding_ignore_unknown_query_parameters:
proxy_conf.append("--transcoding_ignore_unknown_query_parameters")
if args.transcoding_query_parameters_disable_unescape_plus:
proxy_conf.append("--transcoding_query_parameters_disable_unescape_plus")
if args.transcoding_match_unregistered_custom_verb:
proxy_conf.append("--transcoding_match_unregistered_custom_verb")
if args.disallow_colon_in_wildcard_path_segment:
proxy_conf.append("--disallow_colon_in_wildcard_path_segment")
if args.on_serverless:
proxy_conf.extend([
"--compute_platform_override", SERVERLESS_PLATFORM])
if args.backend_dns_lookup_family:
proxy_conf.extend(
["--backend_dns_lookup_family", args.backend_dns_lookup_family])
if args.dns_resolver_addresses:
proxy_conf.extend(
["--dns_resolver_addresses", args.dns_resolver_addresses])
if args.dns:
proxy_conf.extend(
["--dns_resolver_addresses", args.dns]
)
if args.envoy_use_remote_address:
proxy_conf.append("--envoy_use_remote_address")
if args.cors_preset:
proxy_conf.extend([
"--cors_preset",
args.cors_preset,
"--cors_allow_origin",
args.cors_allow_origin,
"--cors_allow_origin_regex",
args.cors_allow_origin_regex,
"--cors_allow_methods",
args.cors_allow_methods,
"--cors_allow_headers",
args.cors_allow_headers,
"--cors_expose_headers",
args.cors_expose_headers,
"--cors_max_age",
args.cors_max_age,
])
if args.cors_allow_credentials:
proxy_conf.append("--cors_allow_credentials")
if args.enable_application_default_credentials:
proxy_conf.append("--enable_application_default_credentials")
if args.service_account_key:
proxy_conf.extend(["--service_account_key", args.service_account_key])
if args.non_gcp:
proxy_conf.append("--non_gcp")
if args.enable_debug:
proxy_conf.append("--suppress_envoy_headers=false")
if args.envoy_connection_buffer_limit_bytes:
proxy_conf.extend(["--connection_buffer_limit_bytes",
args.envoy_connection_buffer_limit_bytes])
if args.enable_backend_address_override:
proxy_conf.append("--enable_backend_address_override")
if args.ads_named_pipe:
proxy_conf.extend(["--ads_named_pipe", args.ads_named_pipe])
return proxy_conf