leader.yml
leader.yml contains configuration for a Leader Node in a Leader High Availability (HA) deployment, and is located under $CRIBL_HOME/local/cribl in the volume of that Leader.
Cribl Stream creates this file when you configure a Leader for failover. For background on how leader.yml relates to instance.yml, the role of the shared failover volume, and how settings flow between the two files, see Leader High Availability/Failover.
leader.yml
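# NOTE(review): This listing appears flattened on the page. The nesting below (children of
# proxy, tls, and configBundles) is reconstructed from the setting descriptions; confirm it
# against a leader.yml generated by your Cribl Stream version before relying on it. The
# placement of servername (under tls) and disableSNIRouting (top level) is the least certain.
# Left flat, host, port, and disabled would be duplicate keys, and most YAML parsers
# silently keep only the last value.
#
# Security note: this file can hold the Worker auth token, the SOCKS proxy password, and the
# TLS private-key passphrase. Restrict read access to the account that runs Cribl Stream and
# keep real values out of version control.

# Address - Address to bind on for incoming Worker Node connections. Defaults to 0.0.0.0
# (all addresses).
# Security note: the default listens on every interface. Bind to the interface Workers
# actually reach, or restrict the port with a firewall and ipWhitelistRegex.
# [string; default: 0.0.0.0; required]
host:

# Port - Port to listen on for incoming Worker Node connections.
# [number; max: 65535; default: 4200; required]
port:

# Protocol - Transport protocol used for distributed communication.
# One of: tcp | http2
# [string; default: tcp]
protocol:

# Auth Token - Authentication token used by Worker Nodes to communicate with the Leader.
# Security note: the default is a fixed, publicly documented value, so it provides no
# protection. Set a long, random, deployment-specific token. With tls.disabled left at its
# default (true), the token presumably crosses the network unencrypted; enable TLS.
# [string; default: criblmaster]
authToken:

# IP allowlist regex - Regex matching IP addresses that are allowed to establish a connection.
# Security note: the default matches every address. When narrowing it, anchor the pattern
# and escape the dots, because an unanchored or unescaped pattern can match addresses you
# did not intend. Constructed example: /^10\.20\.30\.\d{1,3}$/
# [string; default: /.*/]
ipWhitelistRegex:

# Proxy settings - SOCKS proxy used for Leader/Worker communication.
proxy:
  # Disabled - Whether to proxy Leader comms through SOCKS.
  # [boolean; default: true; required]
  disabled:

  # Username - Username for SOCKS proxy authentication.
  # [string]
  userId:

  # Password - Password for SOCKS proxy authentication.
  # Security note: stored in this file; protect the file accordingly.
  # [string]
  password:

  # Proxy port - Proxy server port.
  # [number; min: 1; max: 65535; default: 1080]
  port:

  # Proxy host - Proxy server host. Allowed formats are ipv4, ipv6, or hostname.
  # [string]
  host:

  # Protocol version - Version of the SOCKS protocol. Defaults to 5 for socks5.
  # One of: 4 | 5
  # [number; default: 5]
  type:

# Compression - Codec to use to compress data before sending it.
# One of: none | gzip
# [string; default: gzip]
compression:

# Connection timeout (ms) - Amount of time, in milliseconds, to wait before assuming the
# connection has failed.
# [number; min: 0; default: 10000]
connectionTimeout:

# Write timeout (ms) - Amount of time, in milliseconds, to wait for a write to complete
# before assuming the connection has failed.
# [number; min: 0; default: 60000]
writeTimeout:

# Max buffer bytes - Maximum buffer size, in bytes, for outbound traffic before subsequent
# sends fail.
# [number]
maxBufferBytes:

# Forward to Leader API - Respond to API requests from the distributed port. True by default.
# Security note: while this is true, anything that can reach the distributed port can also
# send API requests to it. Which authentication those requests need is not stated here;
# confirm it, and set this to false if Workers do not need the API on this port.
# [boolean; default: true]
forwardToLeaderApi:

# TLS settings - TLS configuration for incoming Worker Node connections.
tls:
  # Disabled - Whether TLS is disabled for the distributed listener.
  # Security note: TLS is off by default. Set this to false for any deployment where
  # Leader/Worker traffic leaves a single trusted host.
  # [boolean; default: true; required]
  disabled:

  # Certificate name - Name of a predefined certificate to use.
  # [string]
  certificateName:

  # Private key path - Path on server containing the private key to use. PEM format. Can
  # reference $ENV_VARS.
  # Security note: the key file should be readable only by the account that runs Cribl Stream.
  # [string; required]
  privKeyPath:

  # Passphrase - Passphrase to use to decrypt the private key.
  # Security note: stored in this file next to the key path, so file permissions on
  # leader.yml matter as much as those on the key itself.
  # [string]
  passphrase:

  # Certificate path - Path on server containing the certificates to use. PEM format. Can
  # reference $ENV_VARS.
  # [string; required]
  certPath:

  # CA certificate path - Path on server containing CA certificates to use. PEM format. Can
  # reference $ENV_VARS.
  # [string]
  caPath:

  # Authenticate client (mutual auth) - Require Worker Nodes to present their certificates.
  # Used to perform client authentication with SSL certs.
  # Security note: with the default (false), Workers are not authenticated by certificate,
  # which leaves authToken and ipWhitelistRegex as the only admission controls listed here.
  # [boolean; default: false]
  requestCert:

  # Validate client certificates - Reject certificates not authorized by a CA in the CA
  # certificate path or by another trusted CA, such as the system's.
  # Security note: keep this true. Presumably it takes effect only when requestCert is
  # true; confirm against the product documentation.
  # [boolean; default: true]
  rejectUnauthorized:

  # Common name - Regex matching allowable common names in peer certificates' subject
  # attribute.
  # Security note: the default accepts any common name. If you pin names, anchor the
  # pattern (^...$) so that a longer name containing the expected one does not match.
  # [string; default: /.*/]
  commonNameRegex:

  # Minimum TLS version - Minimum TLS version accepted on the listener. Defaults to TLS 1.2.
  # One of: TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
  # Security note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); do not lower this below
  # TLSv1.2.
  # [string]
  minVersion:

  # Maximum TLS version - Maximum TLS version accepted on the listener. Defaults to TLS 1.3.
  # One of: TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
  # [string]
  maxVersion:

  # Server Name - TLS server name (SNI) used by clients to verify the Leader's identity.
  # [string]
  servername:

# Helper processes socket dir - Directory to hold sockets for inter-process communication
# (IPC) between the Leader and processes such as Config Helpers and services. Defaults to
# your system's temp directory.
# Security note: the system temp directory is usually shared with other local users.
# Consider a directory writable only by the account that runs Cribl Stream; the permissions
# applied to the sockets themselves are not stated here.
# [string]
configHelperSocketDir:

# Active connection limit - Maximum number of active connections allowed from Worker Nodes.
# Use 0 for unlimited.
# Security note: the default (0) puts no ceiling on connections. A limit sized to the
# expected Worker count bounds resource use if the port is flooded.
# [number; min: 0; default: 0]
maxActiveCxn:

# Config bundles - Remote bundle storage used to distribute configuration to standby Leaders.
configBundles:
  # S3 Bundle Bucket URL - Bucket to use for remote bundle storage, in s3://${bucket} format.
  # Security note: configuration bundles may contain secrets. Keep the bucket private and
  # grant access only to the Leader nodes that need it.
  # [string]
  remoteUrl:

# Disable SNI-based connection routing - Advanced setting; do not change unless under
# supervision of Cribl Support. This affects how connections are routed within the Cribl
# Control Plane and could affect the scalability of your system.
# [boolean; default: false]
disableSNIRouting: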