mirror of https://github.com/status-im/consul.git
634 lines
18 KiB
Plaintext
634 lines
18 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: 'Configuration Entry Kind: Proxy Defaults'
|
|
description: >-
|
|
The proxy-defaults config entry kind allows for configuring global config
|
|
defaults across all services for Connect proxy configuration. Currently, only
|
|
one global entry is supported.
|
|
---
|
|
|
|
# Proxy Defaults
|
|
|
|
|
|
The `proxy-defaults` configuration entry (`ProxyDefaults` on Kubernetes) allows you
|
|
to configure global defaults across all services for Connect proxy
|
|
configurations. Only one global entry is supported.
|
|
|
|
## Introduction
|
|
|
|
You can customize some service registration settings for service mesh sidecar
|
|
proxies centrally using the `proxy-defaults` configuration entry in the `kind`
|
|
field.
|
|
|
|
You can still override this centralized configuration for specific services
|
|
with the [`service-defaults`](/docs/connect/config-entries/service-defaults)
|
|
configuration entry `kind` or for individual proxy instances in their [sidecar
|
|
service definitions](/docs/connect/registration/sidecar-service).
|
|
|
|
## Requirements
|
|
|
|
The following Consul binaries are supported:
|
|
* Consul 1.8.4+ on Kubernetes.
|
|
* Consul 1.5.0+ on other platforms.
|
|
|
|
## Usage
|
|
|
|
1. Verify that your datacenter meets the conditions specified in the [Requirements](#requirements).
|
|
1. Determine the settings you want to implement (see [Configuration](#configuration)). You can create a file containing the configuration or pass them to the state store directly to apply the configuration.
|
|
1. Apply the configuration using one of the following methods:
|
|
- Kubernetes CRD: Refer to the [Custom Resource Definitions](/docs/k8s/crds) documentation for details.
|
|
- Issue the `consul config write` command: Refer to the [Consul Config Write](/commands/config/write) documentation for details.
|
|
|
|
## Configuration
|
|
|
|
Configure the following parameters to define a `proxy-defaults` configuration entry:
|
|
|
|
<Tabs>
|
|
<Tab heading="Consul OSS">
|
|
|
|
<CodeTabs heading="Proxy defaults configuration syntax" tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
<CodeBlockConfig>
|
|
|
|
```hcl
|
|
Kind = "proxy-defaults"
|
|
Name = "global"
|
|
Meta {
|
|
<arbitrary string key> = "<arbitrary string value>"
|
|
}
|
|
Config {
|
|
<arbitrary string key> = <arbitrary value>
|
|
}
|
|
Mode = "<name of proxy mode>"
|
|
TransparentProxy {
|
|
OutboundListenerPort = <port the proxy should listen on for outbound traffic>
|
|
DialedDirectly = <true if proxy instances should be dialed directly>
|
|
}
|
|
MeshGateway {
|
|
Mode = "<name of mesh gatweay configuration for all proxies>"
|
|
}
|
|
Expose {
|
|
Checks = <true to expose all HTTP and gRPC checks through Envoy>
|
|
|
|
Paths = [
|
|
{
|
|
Path = "<the HTTP path to expose>"
|
|
LocalPathPort = <port where the local service is listening for connections to the path>
|
|
ListenerPort = <port where the proxy will listen for connections>
|
|
Protocol = "<protocol of the listener>"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ProxyDefaults
|
|
metadata:
|
|
name: global
|
|
spec:
|
|
meta:
|
|
<arbitrary string key>: <arbitrary string value>
|
|
config:
|
|
<arbitrary string key>: <arbitrary value>
|
|
mode: <name of proxy mode>
|
|
transparentProxy:
|
|
outboundListenerPort: <port the proxy should listen on for outbound traffic>
|
|
dialedDirectly: <true if proxy instances should be dialed directly>
|
|
meshGateway:
|
|
mode: <name of mesh gatweay configuration for all proxies>
|
|
expose:
|
|
checks: <true to expose all HTTP and gRPC checks through Envoy>
|
|
paths:
|
|
- path: <the HTTP path to expose>
|
|
localPathPort: <port where the local service is listening for connections to the path>
|
|
listenerPort: <port where the proxy will listen for connections>
|
|
protocol:= <protocol of the listener>
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```json
|
|
{
|
|
"Kind": "proxy-defaults",
|
|
"Name": "global",
|
|
"Meta": {
|
|
"<arbitrary string key>": "<arbitrary string value>"
|
|
},
|
|
"Config": {
|
|
"<arbitrary string key>": <arbitrary value>
|
|
},
|
|
"Mode": "<name of proxy mode>",
|
|
"TransparentProxy": {
|
|
"OutboundListenerPort": <port the proxy should listen on for outbound traffic>,
|
|
"DialedDirectly": <true if proxy instances should be dialed directly>
|
|
},
|
|
"MeshGateway": {
|
|
"Mode": = "<name of mesh gatweay configuration for all proxies>"
|
|
},
|
|
"Expose": {
|
|
"Checks": <true to expose all HTTP and gRPC checks through Envoy>,
|
|
"Paths": [
|
|
{
|
|
"Path": "<the HTTP path to expose>",
|
|
"LocalPathPort": <port where the local service is listening for connections to the path>,
|
|
"ListenerPort": <port where the proxy will listen for connections>,
|
|
"Protocol": "<protocol of the listener>"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
</CodeTabs>
|
|
|
|
</Tab>
|
|
<Tab heading="Consul Enterprise">
|
|
|
|
-> **NOTE:** The `proxy-defaults` config entry can only be created in the `default`
|
|
namespace and it will configure proxies in **all** namespaces.
|
|
|
|
<CodeTabs heading="Proxy defaults configuration syntax" tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
<CodeBlockConfig>
|
|
|
|
```hcl
|
|
Kind = "proxy-defaults"
|
|
Name = "global"
|
|
Namespace = "default" # Can only be set to "default".
|
|
Meta {
|
|
<arbitrary string key> = "<arbitrary string value>"
|
|
}
|
|
Config {
|
|
<arbitrary string key> = <arbitrary value>
|
|
}
|
|
Mode = "<name of proxy mode>"
|
|
TransparentProxy {
|
|
OutboundListenerPort = <port the proxy should listen on for outbound traffic>
|
|
DialedDirectly = <true if proxy instances should be dialed directly>
|
|
}
|
|
MeshGateway {
|
|
Mode = "<name of mesh gatweay configuration for all proxies>"
|
|
}
|
|
Expose {
|
|
Checks = <true to expose all HTTP and gRPC checks through Envoy>
|
|
|
|
Paths = [
|
|
{
|
|
Path = "<the HTTP path to expose>"
|
|
LocalPathPort = <port where the local service is listening for connections to the path>
|
|
ListenerPort = <port where the proxy will listen for connections>
|
|
Protocol = "<protocol of the listener>"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ProxyDefaults
|
|
metadata:
|
|
name: global
|
|
namespace: default
|
|
spec:
|
|
meta:
|
|
<arbitrary string key>: <arbitrary string value>
|
|
config:
|
|
<arbitrary string key>: <arbitrary value>
|
|
mode: <name of proxy mode>
|
|
transparentProxy:
|
|
outboundListenerPort: <port the proxy should listen on for outbound traffic>
|
|
dialedDirectly: <true if proxy instances should be dialed directly>
|
|
meshGateway:
|
|
mode: <name of mesh gatweay configuration for all proxies>
|
|
expose:
|
|
checks: <true to expose all HTTP and gRPC checks through Envoy>
|
|
paths:
|
|
- path: <the HTTP path to expose>
|
|
localPathPort: <port where the local service is listening for connections to the path>
|
|
listenerPort: <port where the proxy will listen for connections>
|
|
protocol:= <protocol of the listener>
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```json
|
|
{
|
|
"Kind": "proxy-defaults",
|
|
"Name": "global",
|
|
"Namespace": "default",
|
|
"Meta": {
|
|
"<arbitrary string key>": "<arbitrary string value>"
|
|
},
|
|
"Config": {
|
|
"<arbitrary string key>": <arbitrary value>
|
|
},
|
|
"Mode": "<name of proxy mode>",
|
|
"TransparentProxy": {
|
|
"OutboundListenerPort": <port the proxy should listen on for outbound traffic>,
|
|
"DialedDirectly": <true if proxy instances should be dialed directly>
|
|
},
|
|
"MeshGateway": {
|
|
"Mode": = "<name of mesh gatweay configuration for all proxies>"
|
|
},
|
|
"Expose": {
|
|
"Checks": <true to expose all HTTP and gRPC checks through Envoy>,
|
|
"Paths": [
|
|
{
|
|
"Path": "<the HTTP path to expose>",
|
|
"LocalPathPort": <port where the local service is listening for connections to the path>,
|
|
"ListenerPort": <port where the proxy will listen for connections>,
|
|
"Protocol": "<protocol of the listener>"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
</CodeTabs>
|
|
|
|
</Tab>
|
|
</Tabs>
|
|
|
|
### Configuration Parameters
|
|
|
|
<ConfigEntryReference
|
|
keys={[
|
|
{
|
|
name: 'apiVersion',
|
|
description: 'Must be set to `consul.hashicorp.com/v1alpha1`',
|
|
hcl: false,
|
|
},
|
|
{
|
|
name: 'Kind',
|
|
description: {
|
|
hcl: 'Must be set to `proxy-defaults`',
|
|
yaml: 'Must be set to `ProxyDefaults`',
|
|
},
|
|
},
|
|
{
|
|
name: 'Name',
|
|
description: 'Must be set to `global`',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'Namespace',
|
|
type: `string: "default"`,
|
|
enterprise: true,
|
|
description:
|
|
'Must be set to `default`. The configuration will apply to all namespaces.',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'Partition',
|
|
type: `string: "default"`,
|
|
enterprise: true,
|
|
description:
|
|
'Specifies the name of the admin partition in which the configuration entry applies. Refer to the [Admin Partitions documentation](/docs/enterprise/admin-partitions) for additional information.',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'Meta',
|
|
type: 'map<string|string>: nil',
|
|
description:
|
|
'Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'metadata',
|
|
children: [
|
|
{
|
|
name: 'name',
|
|
description: 'Must be set to `global`',
|
|
},
|
|
{
|
|
name: 'namespace',
|
|
enterprise: true,
|
|
description:
|
|
'If running Consul Open Source, the namespace is ignored (see [Kubernetes Namespaces in Consul OSS](/docs/k8s/crds#consul-oss)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/docs/k8s/crds#consul-enterprise) for more details.',
|
|
},
|
|
],
|
|
hcl: false,
|
|
},
|
|
{
|
|
name: 'Config',
|
|
type: 'map[string]arbitrary',
|
|
description: `An arbitrary map of configuration values used by Connect proxies.
|
|
The available configurations depend on the Connect proxy you use.
|
|
Any values that your proxy allows can be configured globally here. To explore these options please see the documentation for your chosen proxy.
|
|
<ul><li>[Envoy](/docs/connect/proxies/envoy#proxy-config-options)</li>
|
|
<li>[Consul's built-in proxy](/docs/connect/proxies/built-in#proxy-config-key-reference)</li></ul>`,
|
|
},
|
|
{
|
|
name: 'Mode',
|
|
type: `string: ""`,
|
|
description: `One of \`direct\` or \`transparent\`.
|
|
\`transparent\` represents that inbound and outbound application traffic is being
|
|
captured and redirected through the proxy. This mode does not enable the traffic redirection
|
|
itself. Instead it signals Consul to configure Envoy as if traffic is already being redirected.
|
|
\`direct\` represents that the proxy's listeners must be dialed directly by the local
|
|
application and other proxies.
|
|
Added in v1.10.0.`,
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'TransparentProxy',
|
|
type: 'TransparentProxyConfig: <optional>',
|
|
description: `Controls configuration specific to proxies in transparent mode. Added in v1.10.0.`,
|
|
children: [
|
|
{
|
|
name: 'OutboundListenerPort',
|
|
type: 'int: "15001"',
|
|
description: `The port the proxy should listen on for outbound traffic. This must be the port where
|
|
outbound application traffic is captured and redirected to.`,
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'DialedDirectly',
|
|
type: 'bool: false',
|
|
description: `Determines whether this proxy instance's IP address can be dialed directly by transparent proxies.
|
|
Typically transparent proxies dial upstreams using the "virtual" tagged address, which load balances
|
|
across instances. Dialing individual instances can be helpful in cases like stateful services such
|
|
as a database cluster with a leader. `,
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'MeshGateway',
|
|
type: 'MeshGatewayConfig: <optional>',
|
|
description: `Controls the default
|
|
[mesh gateway configuration](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters#connect-proxy-configuration)
|
|
for all proxies. Added in v1.6.0.`,
|
|
children: [
|
|
{
|
|
name: 'Mode',
|
|
type: 'string: ""',
|
|
description: 'One of `none`, `local`, or `remote`.',
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'Expose',
|
|
type: 'ExposeConfig: <optional>',
|
|
description: `Controls the default
|
|
[expose path configuration](/docs/connect/registration/service-registration#expose-paths-configuration-reference)
|
|
for Envoy. Added in v1.6.2.<br><br>
|
|
Exposing paths through Envoy enables a service to protect itself by only listening on localhost, while still allowing
|
|
non-Connect-enabled applications to contact an HTTP endpoint.
|
|
Some examples include: exposing a \`/metrics\` path for Prometheus or \`/healthz\` for kubelet liveness checks.`,
|
|
children: [
|
|
{
|
|
name: 'Checks',
|
|
type: 'bool: false',
|
|
description: `If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy.
|
|
Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's
|
|
[advertise address](/docs/agent/config/config-files#advertise). The port for these listeners are dynamically allocated from
|
|
[expose_min_port](/docs/agent/config/config-files#expose_min_port) to [expose_max_port](/docs/agent/config/config-files#expose_max_port).
|
|
This flag is useful when a Consul client cannot reach registered services over localhost.`,
|
|
},
|
|
{
|
|
name: 'Paths',
|
|
type: 'array<Path>: []',
|
|
description: 'A list of paths to expose through Envoy.',
|
|
children: [
|
|
{
|
|
name: 'Path',
|
|
type: 'string: ""',
|
|
description:
|
|
'The HTTP path to expose. The path must be prefixed by a slash. ie: `/metrics`.',
|
|
},
|
|
{
|
|
name: 'LocalPathPort',
|
|
type: 'int: 0',
|
|
description:
|
|
'The port where the local service is listening for connections to the path.',
|
|
},
|
|
{
|
|
name: 'ListenerPort',
|
|
type: 'int: 0',
|
|
description: `The port where the proxy will listen for connections. This port must be available
|
|
for the listener to be set up. If the port is not free then Envoy will not expose a listener for the path,
|
|
but the proxy registration will not fail.`,
|
|
},
|
|
{
|
|
name: 'Protocol',
|
|
type: 'string: "http"',
|
|
description:
|
|
'Sets the protocol of the listener. One of `http` or `http2`. For gRPC use `http2`.',
|
|
},
|
|
],
|
|
},
|
|
],
|
|
},
|
|
]}
|
|
/>
|
|
|
|
## Examples
|
|
|
|
### Default protocol
|
|
|
|
The following example configures the default protocol for all sidecar proxies.
|
|
|
|
<Tabs>
|
|
<Tab heading="Consul OSS">
|
|
|
|
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
<CodeBlockConfig>
|
|
|
|
```hcl
|
|
Kind = "proxy-defaults"
|
|
Name = "global"
|
|
Config {
|
|
protocol = "http"
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ProxyDefaults
|
|
metadata:
|
|
name: global
|
|
spec:
|
|
config:
|
|
protocol: http
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```json
|
|
{
|
|
"Kind": "proxy-defaults",
|
|
"Name": "global",
|
|
"Config": {
|
|
"protocol": "http"
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
</CodeTabs>
|
|
|
|
</Tab>
|
|
<Tab heading="Consul Enterprise">
|
|
|
|
-> **NOTE:** The `proxy-defaults` config entry can only be created in the `default`
|
|
namespace and it will configure proxies in **all** namespaces.
|
|
|
|
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
<CodeBlockConfig>
|
|
|
|
```hcl
|
|
Kind = "proxy-defaults"
|
|
Name = "global"
|
|
Namespace = "default" # Can only be set to "default".
|
|
Config {
|
|
protocol = "http"
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ProxyDefaults
|
|
metadata:
|
|
name: global
|
|
namespace: default
|
|
spec:
|
|
config:
|
|
protocol: http
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```json
|
|
{
|
|
"Kind": "proxy-defaults",
|
|
"Name": "global",
|
|
"Namespace": "default",
|
|
"Config": {
|
|
"protocol": "http"
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
</CodeTabs>
|
|
|
|
</Tab>
|
|
</Tabs>
|
|
|
|
### Prometheus
|
|
|
|
The following example configures all sidecar proxies to expose Prometheus metrics.
|
|
|
|
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
<CodeBlockConfig>
|
|
|
|
```hcl
|
|
Kind = "proxy-defaults"
|
|
Name = "global"
|
|
Config {
|
|
envoy_prometheus_bind_addr = "0.0.0.0:9102"
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ProxyDefaults
|
|
metadata:
|
|
name: global
|
|
spec:
|
|
config:
|
|
envoy_prometheus_bind_addr: '0.0.0.0:9102'
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```json
|
|
{
|
|
"Kind": "proxy-defaults",
|
|
"Name": "global",
|
|
"Config": {
|
|
"envoy_prometheus_bind_addr": "0.0.0.0:9102"
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
</CodeTabs>
|
|
|
|
### Proxy-specific defaults
|
|
|
|
The following example configures some custom default values for all sidecar proxies.
|
|
|
|
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
<CodeBlockConfig>
|
|
|
|
```hcl
|
|
Kind = "proxy-defaults"
|
|
Name = "global"
|
|
Config {
|
|
local_connect_timeout_ms = 1000
|
|
handshake_timeout_ms = 10000
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ProxyDefaults
|
|
metadata:
|
|
name: global
|
|
spec:
|
|
config:
|
|
local_connect_timeout_ms: 1000
|
|
handshake_timeout_ms: 10000
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
<CodeBlockConfig>
|
|
|
|
```json
|
|
{
|
|
"Kind": "proxy-defaults",
|
|
"Name": "global",
|
|
"Config": {
|
|
"local_connect_timeout_ms": 1000,
|
|
"handshake_timeout_ms": 10000
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
</CodeTabs>
|
|
|
|
## ACLs
|
|
|
|
Configuration entries may be protected by [ACLs](/docs/security/acl).
|
|
|
|
Reading a `proxy-defaults` config entry requires no specific privileges.
|
|
|
|
Creating, updating, or deleting a `proxy-defaults` config entry requires
|
|
`operator:write`.
|