File: //snap/google-cloud-cli/current/lib/googlecloudsdk/command_lib/edge_cache/flags.yaml
origin:
description:
arg_name: description
api_field: edgeCacheOrigin.description
help_text: |
Human-readable description of the resource.
labels:
arg_name: labels
api_field: edgeCacheOrigin.labels.additionalProperties
metavar: KEY=VALUE
type:
arg_dict:
flatten: true
spec:
- api_field: key
- api_field: value
help_text: |
List of KEY=VALUE labels to attach to this resource.
failover_origin:
arg_name: failover-origin
api_field: edgeCacheOrigin.failoverOrigin
help_text: |
Origin resource to try when the current origin cannot be reached. After
maxAttempts is reached, the configured failoverOrigin will be used to
fulfil the request.
For example, the following are both valid URLs to an EdgeCacheOrigin
resource:
- /projects/PROJECT/locations/global/edgeCacheOrigins/yourOrigin
- yourOrigin
The value of timeout.maxAttemptsTimeout dictates the timeout across all
origins.
max_attempts:
arg_name: max-attempts
api_field: edgeCacheOrigin.maxAttempts
help_text: |
Maximum number of attempts to cache fill from this origin.
Another attempt is made when a cache fill fails with one of
the retry_conditions.
Once max_attempts to this origin have failed the failover_origin
will be used, if one is specified. That failover_origin may
specify its own max_attempts, retry_conditions and
failover_origin to control its own cache fill failures.
The total number of allowed attempts to cache fill across this
and failover origins is limited to four. The total time allowed
for cache fill attempts across this and failover origins can be
controlled with max_attempts_timeout.
The last valid response from an origin will be returned to the
client. If no origin returns a valid response, an HTTP 503 will
be returned to the client.
Defaults to 1. Must be a value greater than 0 and less than 4.
origin_address:
arg_name: origin-address
api_field: edgeCacheOrigin.originAddress
help_text: |
A fully qualified domain name (FQDN) or IP address reachable over the
public Internet, or the address of a Google Cloud Storage bucket.
This address will be used as the origin for cache requests - e.g.
- FQDN: media-backend.example.com
- IPv4: 35.218.1.1
- IPv6: [2607:f8b0:4012:809::200e]
- Cloud Storage: gs://bucketname
When providing an FQDN (hostname), it must be publicly resolvable (e.g. via
Google public DNS) and IP addresses must be publicly routable. If a Cloud
Storage bucket is provided, it must be in the canonical "gs://bucketname"
format. Other forms, such as "storage.googleapis.com", will be rejected.
port:
arg_name: port
api_field: edgeCacheOrigin.port
help_text: |
Port to connect to the origin on. Defaults to port 443 for HTTP2 and
HTTPS protocols, and port 80 for HTTP.
protocol:
arg_name: protocol
api_field: edgeCacheOrigin.protocol
choices:
- arg_value: "HTTP2"
enum_value: HTTP2
help_text: |
HTTP/2 protocol. HTTP/2 refers to "h2", which requires TLS (HTTPS).
Requires a valid (public, unexpired) TLS
certificate to be present on the origin.
- arg_value: "HTTPS"
enum_value: HTTPS
help_text: |
HTTP/1.1 with TLS (SSL). Requires a valid (public, unexpired) TLS
certificate to be present on the origin.
- arg_value: "HTTP"
enum_value: HTTP
help_text: |
HTTP without TLS (SSL). This is not recommended, as communication outside
of Google's network will be unencrypted to the public endpoint (origin).
help_text: |
Protocol to use to connect to the configured origin. Defaults to HTTP2,
and it is strongly recommended that users use HTTP2 for both security &
performance.
When using HTTP2 or HTTPS as the protocol, a valid, publicly-signed,
unexpired TLS (SSL) certificate must be presented by the origin server.
retry_conditions:
arg_name: retry-conditions
api_field: edgeCacheOrigin.retryConditions
repeated: true
help_text: |
Specifies one or more retry conditions for the configured origin.
If the failure mode during a connection attempt to the origin matches the
configured retryCondition(s), the origin request will be retried up to
maxAttempts times. The failoverOrigin, if configured, will then be used to
satisfy the request.
The default retryCondition is "connect-failure".
retryConditions apply to this origin, and not subsequent failoverOrigin(s),
which may specify their own retryConditions and maxAttempts.
Valid values are:
- connect-failure: Retry on failures connecting to origins, for example due
to connection timeouts.
- http-5xx: Retry if the origin responds with any 5xx response code, or if
the origin does not respond at all, example: disconnects, reset, read
timeout, connection failure, and refused streams.
- gateway-error: Similar to 5xx, but only applies to response codes 502,
503 or 504.
- retriable-4xx: Retry for retriable 4xx response codes, which include HTTP
409 (Conflict) and HTTP 429 (Too Many Requests)
- not-found: Retry if the origin returns a HTTP 404 (Not Found). This can
be useful when generating video content, and the segment is not available
yet.
connect_timeout:
arg_name: connect-timeout
api_field: edgeCacheOrigin.timeout.connectTimeout
type: googlecloudsdk.core.util.times:ParseDuration
processor: googlecloudsdk.core.util.times:FormatDurationForJson
help_text: |
Maximum duration to wait for the origin connection to be established,
including DNS lookup, TLS handshake and TCP/QUIC connection
establishment.
Defaults to 5 seconds. The timeout must be a value between 1s and 15s.
max_attempts_timeout:
arg_name: max-attempts-timeout
api_field: edgeCacheOrigin.timeout.maxAttemptsTimeout
type: googlecloudsdk.core.util.times:ParseDuration
processor: googlecloudsdk.core.util.times:FormatDurationForJson
help_text: |
Maximum time across all connection attempts to the origin, including
failover origins, before returning an error to the client. A HTTP 503
will be returned if the timeout is reached before a response is returned.
Defaults to 5 seconds. The timeout must be a value between 1s and 15s.
If a failoverOrigin is specified, the maxAttemptsTimeout of the first
configured origin takes precedence and determines the timeout for all
requests.
response_timeout:
arg_name: response-timeout
api_field: edgeCacheOrigin.timeout.responseTimeout
type: googlecloudsdk.core.util.times:ParseDuration
processor: googlecloudsdk.core.util.times:FormatDurationForJson
help_text: |
Maximum duration to wait for data to arrive when reading from the
HTTP connection/stream.
Defaults to 5 seconds. The timeout must be a value between 1s and 30s.
flex_shielding:
arg_name: flex-shielding
api_field: edgeCacheOrigin.flexShielding
choices:
- arg_value: "ME_CENTRAL1"
enum_value: ME_CENTRAL1
help_text: |
Origin fetch from near me-central1.
- arg_value: "AFRICA_SOUTH1"
enum_value: AFRICA_SOUTH1
help_text: |
Origin fetch from near africa-south1.
- arg_value: ""
help_text: |
Turn off flexible shielding and use the default global origin shielding.
ALPHA:
processor: googlecloudsdk.command_lib.edge_cache.util:GetFlexShieldingAlpha
GA:
processor: googlecloudsdk.command_lib.edge_cache.util:GetFlexShieldingGA
help_text: |
Whenever possible, content will be fetched from origin and cached in or near the specified region. Best effort.
Defaults to default global origin shielding. You may specify at most one region. An empty flag turns off flex shielding.
keyset:
description:
arg_name: description
api_field: edgeCacheKeyset.description
help_text: |
Human-readable description of the resource.
labels:
arg_name: labels
api_field: edgeCacheKeyset.labels.additionalProperties
metavar: KEY=VALUE
type:
arg_dict:
flatten: true
spec:
- api_field: key
- api_field: value
help_text: |
List of KEY=VALUE labels to attach to this resource.
public_keys:
arg_name: public-key
api_field: edgeCacheKeyset.publicKeys
repeated: true
type:
arg_dict:
spec:
- api_field: id
arg_name: id
- api_field: value
arg_name: value
required: false
- api_field: managed
arg_name: managed
required: false
help_text: |
Set of public keys to use for validating signed requests, when associated with a route.
This flag can be repeated to create a Keyset with multiple public keys.
If you are providing your own public keys, specify the key in the form
`id=ID,value=BASE64ENCODEDPUBLICKEY`.
If you are using Google-managed public keys as part of a dual-token setup, specify the
key in the form `id=ID,managed=true`.
*id*::: id (name) name of the key within the keyset.
*value*::: URL-safe base64 encoded public key. Cannot be specified if `managed=true`.
*managed*::: Boolean indicating this is a Google-managed key. Cannot be specified if
`value=true`.
:::
To create a public key with `id` 'foo', pass `--public-key='id=foo,value=VALUE'` to {command}.
To create a Google-managed public key with `id` 'bar', pass `--public-key='id=foo,managed=true'`
to {command}.
At least one of public-key or validation-shared-key must be specified.
validation_shared_keys:
arg_name: validation-shared-key
api_field: edgeCacheKeyset.validationSharedKeys
repeated: true
type:
arg_dict:
spec:
- api_field: secretVersion
arg_name: secret_version
help_text: |
An ordered list of shared keys to use for validating signed requests.
To create a validation shared key pointing to a Secret Manager secret version with name
`projects/PROJECT/secrets/SECRET/versions/VERSION`, pass
`--validation-shared-key='secret_version=projects/PROJECT/secrets/SECRET/versions/VERSION'`
to {command}.
*secret_version*::: The name of the secret in Secret Manager. Must be in the format
`projects/PROJECT/secrets/SECRET/versions/VERSION`.
:::
At least one of public-key or validation-shared-key must be specified.
service:
description:
arg_name: description
api_field: edgeCacheService.description
help_text: |
Human-readable description of the resource.
labels:
arg_name: labels
api_field: edgeCacheService.labels.additionalProperties
metavar: KEY=VALUE
type:
arg_dict:
flatten: true
spec:
- api_field: key
- api_field: value
help_text: |
List of KEY=VALUE labels to attach to this resource.
disable_quic:
arg_name: disable-quic
api_field: edgeCacheService.disableQuic
type: bool
help_text: |
HTTP/3 (IETF QUIC) and Google QUIC are enabled by default.
edge_security_policy:
arg_name: edge-security-policy
api_field: edgeCacheService.edgeSecurityPolicy
help_text: |
Resource URL that points at the Cloud Armor edge security policy that is
applied on each request against the EdgeCacheService.
Security Policies should be specified as relative resource URLs - for example `projects/my-project/locations/global/securityPolicies/my-policy`
Note that only security policies with a type of `EDGE` can be attached to an EdgeCacheService.
edge_ssl_certificate:
arg_name: edge-ssl-certificate
api_field: edgeCacheService.edgeSslCertificates
repeated: true
help_text: |
URLs to sslCertificate resources that are used to authenticate
connections between users and the EdgeCacheService.
Certificates should be specified as relative resource URLs - for example `projects/my-project/locations/global/certificates/my-cert`
Note that only "global" certificates with a "scope" of `EDGE_CACHE` can be
attached to an EdgeCacheService.
You may specify up to 5 SSL certificates per Service.
enable_logging:
arg_name: enable-logging
api_field: edgeCacheService.logConfig.enable
type: bool
default: null
help_text: |
Specifies whether to enable logging for traffic served by this service.
Defaults to false.
logging_sample_rate:
arg_name: logging-sample-rate
api_field: edgeCacheService.logConfig.sampleRate
type: float
help_text: |
Configures the sampling rate of requests, where 1.0 means all logged
requests are reported and 0.0 means no logged requests are reported. The
default value is 1.0, and the value of the field must be in [0, 1].
This field can only be specified if logging is enabled for this service.
require_tls:
arg_name: require-tls
api_field: edgeCacheService.requireTls
type: bool
default: null
help_text: |
Require TLS (HTTPS) for all clients connecting to this service.
Clients who connect over HTTP (port 80) will receive a HTTP 301 to the same
URL over HTTPS (port 443). You must have at least one (1)
edgeSslCertificate specified to enable this.
import-routes:
arg_name: import-routes
api_field: edgeCacheService.routing
help_text: |
Defines how requests are routed, modified, cached and/or which
origin content is filled from.
To configure routing, you must import an fully-qualified routing configuration,
defined in either YAML or JSON format.
ssl_policy:
arg_name: ssl-policy
api_field: edgeCacheService.sslPolicy
help_text: |
URL of the SslPolicy resource that will be associated with the
EdgeCacheService.
If not set, the EdgeCacheService has no SSL policy configured, and will
default to the "COMPATIBLE" policy.
invalidateCacheRequest:
host:
arg_name: host
api_field: invalidateCacheRequest.host
help_text: |
The hostname to invalidate against. You can specify an exact or wildcard host - e.g.
"video.example.com" or "*.example.com" - based on host component.
path:
arg_name: path
api_field: invalidateCacheRequest.path
help_text: |
The path to invalidate against. You can specify an exact or wildcard host - e.g.
"/videos/hls/139123.mp4" or "/manifests/*" - based on path component.
tags:
arg_name: tags
api_field: invalidateCacheRequest.cacheTags
help_text: |
A list of cache tags used to identify cached objects.
- Cache tags are specified when the response is first cached, by setting the "Cache-Tag"
response header at the origin.
- By default, all objects have a cache tag representing the HTTP status code of the response,
the MIME content-type, and the origin.
- Multiple cache tags in the same revalidation request are treated as boolean OR - e.g. tag1
OR tag2 OR tag3.
- If a host and/or path are also specified, these are treated as boolean AND with any tags.
Up to 10 tags may be specified in a single invalidation request.