Anapaya appliance configuration (management only)
management object
The necessary configuration data for the management of the Anapaya appliance.
api object
Anapaya appliance management API configuration.
basic_auth object
Basic auth configuration that restricts the access to the Anapaya appliance management API.
Enable basic authentication for the Anapaya appliance management API.
users object[]
List of basic auth user credentials that are authorized to access the management API.
The user password hashed based on the hash algorithm indicated by the prefix in the string. The string takes the following form based on the Unix crypt function:
$id[$param=value(,param=value)*][$salt[$hash]]
Supported hash functions are:
- $2y$: bcrypt
The 'appliance-cli' or the 'htpasswd' tool can be used to create a password hash. E.g., 'appliance-cli crypto kdf hash' or 'htpasswd -nB -C 12 admin' prompts for a password.
$2y$10$QNodxwKFABMWu4XlFPmZDOSfqxrsqNvrSn487lCi7tJ/4nTsT/f02
Name of the user.
admin
listeners object[]
List of management API listeners that define where the API is exposed.
An address that is used to expose the Anapaya appliance management API. This can be either a combination of an IP address and a fixed port, or a SCION address. The address must be specified as ip:port for IPv4, [ip]:port for IPv6 and [ISD-AS,ip]:port for SCION.
127.0.0.1:443
Description, or comment, for the listener.
oauth object
Open authorization (OAuth) configuration that can authorize users who want to access the Anapaya appliance management API.
Whether the feature is enabled.
false
identity_providers object[]
The identity providers. Currently only one is supported.
The base URL for the identity provider.
https://anapaya.eu.auth0.com/
The client ID for this identity provider.
The client secret for this identity provider.
The identifier of the provider. Must be unique among all providers.
The URL for fetching the open ID configuration.
https://anapaya.eu.auth0.com/.well-known/openid-configuration
The tenant ID for Azure AD.
The type of the provider.
Possible values: [GENERIC, AZURE_AD]
roles object[]
Roles configuration used for OAuth.
List of aliases for the role. This is useful for mapping different role names from different identity providers to the same role in the appliance. If no aliases are configured for a role the default aliases are 'appliance.
Name of the role.
token_verification_keys object[]
Keys to verify JWTs.
The identifier of the key. Must be unique among all keys.
anapaya.auth0
URL for fetching JSON Web Key Sets.
https://anapaya.eu.auth0.com/.well-known/jwks.json
Whether the management API is allowed to be exposed without authentication. Always make sure to properly protect your API.
false
The hostname of the Anapaya appliance host. It is used to identify the host in the telemetry data; thus, each host should have a unique hostname.
anapaya-appliance
edge.geneva.corpbank
remote_repository object
Remote repository configuration.
cloudsmith object
The configuration data for the cloudsmith repository. This section is provided only when the remote repository is cloudsmith.
The token used to access the remote cloudsmith repository. It must be of the form <api_key>#<entitlement_token>
APIKEY#ENTITLEMENTTOKEN
The URL which is used to access the cloudsmith repository.
https://cloudsmith.io/anapaya/repos/external
The type of remote repository used for storing the software packages.
Possible values: [CLOUDSMITH]
ssh object
Configuration for SSH access to the Anapaya appliance.
Whether password login is enabled for SSH access to the Anapaya appliance.
false
users object[]
Users with SSH access to the Anapaya appliance.
ssh_keys object[]
List of SSH keys that are authorized for the given user. This list is authoritative and overwrites the list of existing SSH keys in the user's authorized_keys file.
Description or comment for the key.
The SSH public key of the user.
ssh-rsa AAAAB3NzaC1yc2
The unix username of the user.
anapaya
telemetry object
Anapaya appliance telemetry configuration.
The address where the telemetry data is exposed. This is a combination of an IP address and a fixed port. The address must be specified as host:port, where host can be empty. An empty address indicates a wildcard address. If the address is not specified or the IP is empty and the port is zero, only the management API address exposes the telemetry data.
:42001
flow_metrics object
Configuration for the flow-metrics feature. The gateway collects information about outgoing flows, such as the source and destination ISD-AS and IP address, in order to export the number of gateway users. The flow information is sent to the flow-collector for storage and processing.
DEPRECATED: This is only used in the old flow export mechanism. Time interval at which expired flows are cleaned up.
60s
URL of the flow-collector where the flow metric information is sent to. Supports 'http', 'https' and 'grpc' transport.
Whether the feature is enabled.
false
DEPRECATED: This is only used in the old flow export mechanism. Time interval at which flow metrics are exported to the collector.
60s
Time interval after which inactive flows are considered expired and are marked for cleanup.
180s
DEPRECATED: This is only used in the old flow export mechanism. The maximum number of active flows that are expected. A flow is considered active if it has been seen in the last flow expiration interval. If the number of active flows exceeds this limit, the appliance will drop flows without reporting them.
URL of the optional HTTP(S) proxy. If set, the flow metric information is sent to the collector via the proxy.
labels object[]
List of static labels that are added to all telemetry data (e.g. logs, metrics).
Name of the label.
Value of the label.
logging object
Configuration for shipping logs to a remote log aggregation system.
The type of log aggregation system which is used.
Possible values: [LOKI]
loki object
Loki configuration.
basic_auth object
Basic auth configuration for sending log lines to Loki.
The password to use for basic auth.
The username to use for basic auth.
promtail
tls_config object
Configuration for TLS connection.
insecure-skip-verify controls whether the client verifies the Loki server's certificate chain and host name. If insecure-skip-verify is true, the appliance accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing.
false
The URL which is used to push logs to Loki.
https://loki.anapaya.net/loki/api/v1/push
{
  "management": {
    "api": {
      "basic_auth": {
        "enabled": true,
        "users": [
          {
            "password_hashed": "$2y$10$QNodxwKFABMWu4XlFPmZDOSfqxrsqNvrSn487lCi7tJ/4nTsT/f02",
            "username": "admin"
          }
        ]
      },
      "listeners": [
        {
          "address": "127.0.0.1:443",
          "description": "string"
        }
      ],
      "oauth": {
        "enabled": false,
        "identity_providers": [
          {
            "base_auth_url": "https://anapaya.eu.auth0.com/",
            "client_id": "string",
            "client_secret": "string",
            "id": "string",
            "metadata_url": "https://anapaya.eu.auth0.com/.well-known/openid-configuration",
            "tenant_id": "string",
            "type": "GENERIC"
          }
        ],
        "roles": [
          {
            "aliases": [
              "string"
            ],
            "role": "string"
          }
        ],
        "token_verification_keys": [
          {
            "id": "anapaya.auth0",
            "jwks_url": "https://anapaya.eu.auth0.com/.well-known/jwks.json"
          }
        ]
      },
      "unprotected": false
    },
    "hostname": "edge.geneva.corpbank",
    "remote_repository": {
      "cloudsmith": {
        "access_token": "APIKEY#ENTITLEMENTTOKEN",
        "url": "https://cloudsmith.io/anapaya/repos/external"
      },
      "repository_type": "CLOUDSMITH"
    },
    "ssh": {
      "enable_password_login": false,
      "users": [
        {
          "ssh_keys": [
            {
              "description": "string",
              "key": "ssh-rsa AAAAB3NzaC1yc2"
            }
          ],
          "username": "anapaya"
        }
      ]
    },
    "telemetry": {
      "address": ":42001",
      "flow_metrics": {
        "cleanup_task_interval": "60s",
        "collector_url": "string",
        "enabled": false,
        "export_task_interval": "60s",
        "flow_expiration_interval": "180s",
        "max_active_flows": 0,
        "proxy_url": "string"
      },
      "labels": [
        {
          "label": "string",
          "value": "string"
        }
      ],
      "logging": {
        "logging_type": "LOKI",
        "loki": {
          "basic_auth": {
            "password": "string",
            "username": "promtail"
          },
          "tls_config": {
            "insecure_skip_verify": false
          },
          "url": "https://loki.anapaya.net/loki/api/v1/push"
        }
      }
    }
  }
}
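Added example, not part of the Anapaya reference or product code: a Python audit of a management configuration like the one above that checks the security-relevant settings described on this page (unprotected, the $2y$ hash format, the three listener address forms, enable_password_login, insecure_skip_verify). The function name audit, the minimum bcrypt cost of 12 and the rule that flags wildcard listeners are assumptions of this example.

```python
import ipaddress
import re

# bcrypt crypt string: $2y$<cost>$ followed by 22-char salt + 31-char hash.
BCRYPT = re.compile(r"^\$2y\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Listener forms from the reference: ip:port, [ip]:port, [ISD-AS,ip]:port.
LISTENER = re.compile(r"^(?:\[(?:[^,\]]+,)?([^\]]+)\]|([^:\[\]]+)):\d+$")
MIN_COST = 12  # assumption: local policy, same cost as the htpasswd -C 12 example


def audit(cfg):
    """Return findings for a parsed appliance management config (dict)."""
    mgmt = cfg.get("management", {})
    api, out = mgmt.get("api", {}), []
    if api.get("unprotected"):
        out.append("api.unprotected=true: management API has no authentication")
    for user in api.get("basic_auth", {}).get("users", []):
        m = BCRYPT.match(user.get("password_hashed", ""))
        if m is None:
            out.append(f"user {user.get('username')}: not a $2y$ bcrypt hash")
        elif int(m.group(1)) < MIN_COST:
            out.append(f"user {user.get('username')}: bcrypt cost {m.group(1)} below {MIN_COST}")
    for lst in api.get("listeners", []):
        addr = lst.get("address", "")
        m = LISTENER.match(addr)
        try:
            ip = ipaddress.ip_address(m.group(1) or m.group(2)) if m else None
        except ValueError:  # host part is not an IP literal
            ip = None
        if ip is None:
            out.append(f"listener {addr!r}: malformed address")
        elif ip.is_unspecified:  # assumption: wildcard binds are worth a review
            out.append(f"listener {addr}: bound to a wildcard address")
    if mgmt.get("ssh", {}).get("enable_password_login"):
        out.append("ssh.enable_password_login=true: password login allowed")
    loki = mgmt.get("telemetry", {}).get("logging", {}).get("loki", {})
    if loki.get("tls_config", {}).get("insecure_skip_verify"):
        out.append("loki.tls_config.insecure_skip_verify=true: server certificate not verified")
    return out


# Constructed sample: the page's example values with three settings weakened.
SAMPLE = {"management": {
    "api": {"unprotected": False, "basic_auth": {"enabled": True, "users": [
                {"username": "admin", "password_hashed":
                 "$2y$10$QNodxwKFABMWu4XlFPmZDOSfqxrsqNvrSn487lCi7tJ/4nTsT/f02"}]},
            "listeners": [{"address": "127.0.0.1:443"}, {"address": "[::]:443"}]},
    "ssh": {"enable_password_login": True},
    "telemetry": {"logging": {"loki": {"tls_config": {"insecure_skip_verify": True}}}}}}
print("\n".join(audit(SAMPLE)))
```

Load a real configuration with json.load and pass the resulting dict to audit; an empty list means none of these checks fired.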