status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
consul/website/content/docs/connect/proxies/envoy-extensions/usage/property-override.mdx

204 lines
7.3 KiB
Plaintext
Raw Normal View History

Add new Consul 1.16 docs (#17651) * Merge pull request #5773 from hashicorp/docs/rate-limiting-from-ip-addresses-1.16 updated docs for rate limiting for IP addresses - 1.16 * Merge pull request #5609 from hashicorp/docs/enterprise-utilization-reporting Add docs for enterprise utilization reporting * Merge pull request #5734 from hashicorp/docs/envoy-ext-1.16 Docs/envoy ext 1.16 * Merge pull request #5773 from hashicorp/docs/rate-limiting-from-ip-addresses-1.16 updated docs for rate limiting for IP addresses - 1.16 * Merge pull request #5609 from hashicorp/docs/enterprise-utilization-reporting Add docs for enterprise utilization reporting * Merge pull request #5734 from hashicorp/docs/envoy-ext-1.16 Docs/envoy ext 1.16 * fix build errors --------- Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-06-12 17:30:04 +00:00
---
layout: docs
page_title: Configure Envoy proxy properties
description: Learn how to use the property-override extension for Envoy proxies to set and remove individual properties for the Envoy resources Consul generates.
---
# Configure Envoy proxy properties
This topic describes how to use the `property-override` extension to set and remove individual properties for the Envoy resources Consul generates. The extension uses the [protoreflect](https://pkg.go.dev/google.golang.org/protobuf/reflect/protoreflect), which enables Consul to dynamically manipulate messages.
## Workflow
- Complete the following steps to use the `property-override` extension:
- Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry.
- Apply the configuration entry.
!> **Security warning**: The property override extension is an advanced feature capable of introducing unintended consequences or reducing cluster security if used incorrectly. Consul does not enforce TLS retention, intentions, or other security-critical components of the Envoy configuration. Additionally, Consul does not verify that the configuration does not contain errors that affect service traffic.
## Add the `EnvoyExtensions`
Add Envoy extension configurations to a proxy defaults or service defaults configuration entry. Place the extension configuration in an `EnvoyExtensions` block in the configuration entry.
- When you configure Envoy extensions on proxy defaults, they apply to every service.
- When you configure Envoy extensions on service defaults, they apply to a specific service.
Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.
In the following service defaults configuration entry example, Consul adds a new `/upstream_connection_options/tcp_keepalive/keepalive_probes-5` field to each of the proxy's cluster configuration for the outbound `db`service upstream. The configuration applies to all `connect-proxy` proxies with services configured to communicate over HTTP:
<Tabs>
<Tab heading="HCL" group="hcl">
<CodeBlockConfig filename="property-override-extension-service-defaults.hcl">
```hcl
Kind = "service-defaults"
Name = "global"
Protocol = "http"
EnvoyExtensions = [
{
Name = "builtin/property-override"
Arguments = {
ProxyType = "connect-proxy",
Patches = [
{
ResourceFilter = {
ResourceType = "cluster",
TrafficDirection = "outbound"
Services = [{
Name = "other-svc"
}],
Op = "add"
Path = "/upstream_connection_options/tcp_keepalive/keepalive_probes",
Value = 5,
}
]
}
]
```
</CodeBlockConfig>
</Tab>
<Tab heading="JSON" group="json">
<CodeBlockConfig filename="property-override-extension-service-defaults.json">
```json
"kind": "service-defaults",
"name": "global",
"protocol": "http",
"envoy_extensions": [{
"name": "builtin/property-override",
"arguments": {
"proxyType": "connect-proxy",
"patches": [{
"resourceFilter": {
"resourceType": "cluster",
"trafficDirection": "outbound",
"services": [{ "name": "other-svc" }],
"op": "add",
"path": "/upstream_connection_options/tcp_keepalive/keepalive_probes",
"value": 5
}
}]
}
}]
```
</CodeBlockConfig>
</Tab>
<Tab heading="Kubernetes" group="kubernetes">
<CodeBlockConfig filename="property-override-extension-proxy-defaults.yaml">
```yaml
apiversion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
name: global
spec:
protocol: http
envoyExtensions:
name = "builtin/property-override"
arguments:
proxyType: "connect-proxy",
patches:
- resourceFilter:
resourceType: "cluster"
trafficDirection: "outbound"
services:
- name: "other-svc"
op: "add"
path: "/upstream_connection_options/tcp_keepalive/keepalive_probes",
value: 5
```
</CodeBlockConfig>
</Tab>
</Tabs>
Refer to the [property override configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override) for details on how to configure the extension.
Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries.
!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases.
### Constructing paths
To target the properties for an Envoy resource type, you must specify the path where the properties exist in the [`Path` field](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override#patches-path) of the property override extension configuration. Set the `Path` field to an empty or partially invalid string when saving the configuration entry and Consul returns an error with a list of supported fields for the first unrecognized segment of the path. By default, Consul only returns the first ten fields, but you can set the [`Debug` field](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override#debug) to `true` to direct Consul to output all possible fields.
In the following example, Consul outputs the top-level fields available for the Envoy cluster resource:
```hcl
Kind = "service-defaults"
Name = "api"
EnvoyExtensions = [
{
Name = "builtin/property-override"
Arguments = {
ProxyType = "connect-proxy"
Patches = [
{
ResourceFilter = {
ResourceType = "cluster"
TrafficDirection = "outbound"
}
Op = "add"
Path = ""
Value = 5
}
]
}
}
]
```
After applying the configuration entry, Consul prints a message that includes the possible fields for the resource:
```shell-session
$ consul config write api.hcl
non-empty, non-root Path is required. available cluster fields:
/outlier_detection
/outlier_detection/enforcing_consecutive_5xx
/outlier_detection/failure_percentage_request_volume
/round_robin_lb_config
/round_robin_lb_config/slow_start_config
```
You can use the output to help you construct the appropriate value for the `Path` field. For example:
```shell-session
$ consul config write api.hcl | grep round_robin
/round_robin_lb_config
```
## Apply the configuration entry
If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry.
<Tabs>
<Tab heading="HCL" group="hcl">
```shell-session
$ consul config write property-override-extension-service-defaults.hcl
```
</Tab>
<Tab heading="JSON" group="json">
```shell-session
$ consul config write property-override-extension-service-defaults.json
```
</Tab>
<Tab heading="Kubernetes" group="kubernetes">
```shell-session
$ kubectl apply property-override-extension-service-defaults.yaml
```
</Tab>
</Tabs>