mirror of
https://github.com/status-im/consul.git
synced 2025-01-12 06:44:41 +00:00
f1d18f1a9b
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
872 lines
34 KiB
Plaintext
872 lines
34 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Service Defaults - Configuration Entry Reference
|
|
description: >-
|
|
The service defaults configuration entry kind defines sets of default configurations that apply to all services in the mesh. Use the examples learn how to define a default protocol, default upstream configuration, and default terminating gateway.
|
|
---
|
|
|
|
# Service Defaults Configuration Entry
|
|
The `service-defaults` config entry kind (`ServiceDefaults` on Kubernetes) controls default global values for a
|
|
service, such as its protocol.
|
|
|
|
## Sample Config Entries
|
|
|
|
### Default protocol
|
|
|
|
-> **NOTE**: The default protocol can also be configured globally for all proxies
|
|
using the [proxy defaults](/consul/docs/connect/config-entries/proxy-defaults#default-protocol)
|
|
config entry. However, if the protocol value is specified in a service defaults
|
|
config entry for a given service, that value will take precedence over the
|
|
globally configured value from proxy defaults.
|
|
|
|
Set the default protocol for a service in the default namespace to HTTP:
|
|
|
|
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
|
|
```hcl
|
|
Kind = "service-defaults"
|
|
Name = "web"
|
|
Namespace = "default"
|
|
Protocol = "http"
|
|
```
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceDefaults
|
|
metadata:
|
|
name: web
|
|
spec:
|
|
protocol: http
|
|
```
|
|
|
|
```json
|
|
{
|
|
"Kind": "service-defaults",
|
|
"Name": "web",
|
|
"Namespace": "default",
|
|
"Protocol": "http"
|
|
}
|
|
```
|
|
|
|
</CodeTabs>
|
|
|
|
### Upstream configuration
|
|
|
|
<Tabs>
|
|
<Tab heading="Consul OSS">
|
|
|
|
Set default connection limits and mesh gateway mode across all upstreams
|
|
of "dashboard", and also override the mesh gateway mode used when dialing
|
|
its upstream "counting" service.
|
|
|
|
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
|
|
```hcl
|
|
Kind = "service-defaults"
|
|
Name = "dashboard"
|
|
|
|
UpstreamConfig = {
|
|
Defaults = {
|
|
MeshGateway = {
|
|
Mode = "local"
|
|
}
|
|
Limits = {
|
|
MaxConnections = 512
|
|
MaxPendingRequests = 512
|
|
MaxConcurrentRequests = 512
|
|
}
|
|
}
|
|
|
|
Overrides = [
|
|
{
|
|
Name = "counting"
|
|
MeshGateway = {
|
|
Mode = "remote"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceDefaults
|
|
metadata:
|
|
name: dashboard
|
|
spec:
|
|
upstreamConfig:
|
|
defaults:
|
|
meshGateway:
|
|
mode: local
|
|
limits:
|
|
maxConnections: 512
|
|
maxPendingRequests: 512
|
|
maxConcurrentRequests: 512
|
|
overrides:
|
|
- name: counting
|
|
meshGateway:
|
|
mode: remote
|
|
```
|
|
|
|
```json
|
|
{
|
|
"Kind": "service-defaults",
|
|
"Name": "dashboard",
|
|
"UpstreamConfig": {
|
|
"Defaults": {
|
|
"MeshGateway": {
|
|
"Mode": "local"
|
|
},
|
|
"Limits": {
|
|
"MaxConnections": 512,
|
|
"MaxPendingRequests": 512,
|
|
"MaxConcurrentRequests": 512
|
|
}
|
|
},
|
|
"Overrides": [
|
|
{
|
|
"Name": "counting",
|
|
"MeshGateway": {
|
|
"Mode": "remote"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeTabs>
|
|
|
|
</Tab>
|
|
<Tab heading="Consul Enterprise">
|
|
|
|
Set default connection limits and mesh gateway mode across all upstreams
|
|
of "dashboard" in the "product" namespace,
|
|
and also override the mesh gateway mode used when dialing
|
|
its upstream "counting" service in the "backend" namespace.
|
|
|
|
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
|
|
```hcl
|
|
Kind = "service-defaults"
|
|
Name = "dashboard"
|
|
Namespace = "product"
|
|
|
|
UpstreamConfig = {
|
|
Defaults = {
|
|
MeshGateway = {
|
|
Mode = "local"
|
|
}
|
|
Limits = {
|
|
MaxConnections = 512
|
|
MaxPendingRequests = 512
|
|
MaxConcurrentRequests = 512
|
|
}
|
|
}
|
|
|
|
Overrides = [
|
|
{
|
|
Name = "counting"
|
|
Namespace = "backend"
|
|
MeshGateway = {
|
|
Mode = "remote"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceDefaults
|
|
metadata:
|
|
name: dashboard
|
|
namespace: product
|
|
spec:
|
|
upstreamConfig:
|
|
defaults:
|
|
meshGateway:
|
|
mode: local
|
|
limits:
|
|
maxConnections: 512
|
|
maxPendingRequests: 512
|
|
maxConcurrentRequests: 512
|
|
overrides:
|
|
- name: counting
|
|
namespace: backend
|
|
meshGateway:
|
|
mode: remote
|
|
```
|
|
|
|
```json
|
|
{
|
|
"Kind": "service-defaults",
|
|
"Name": "dashboard",
|
|
"Namespace": "product",
|
|
"UpstreamConfig": {
|
|
"Defaults": {
|
|
"MeshGateway": {
|
|
"Mode": "local"
|
|
},
|
|
"Limits": {
|
|
"MaxConnections": 512,
|
|
"MaxPendingRequests": 512,
|
|
"MaxConcurrentRequests": 512
|
|
}
|
|
},
|
|
"Overrides": [
|
|
{
|
|
"Name": "counting",
|
|
"Namespace": "backend",
|
|
"MeshGateway": {
|
|
"Mode": "remote"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeTabs>
|
|
|
|
</Tab>
|
|
</Tabs>
|
|
|
|
### Terminating gateway destination
|
|
|
|
Create a default destination that will be assigned to a terminating gateway. A destination
|
|
represents a location outside the Consul cluster. They can be dialed directly when transparent proxy mode is enabled.
|
|
|
|
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
|
|
|
```hcl
|
|
Kind = "service-defaults"
|
|
Name = "test-destination"
|
|
Protocol = "tcp"
|
|
Destination {
|
|
Addresses = ["test.com","test.org"]
|
|
Port = 443
|
|
}
|
|
```
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceDefaults
|
|
metadata:
|
|
name: test-destination
|
|
spec:
|
|
destination:
|
|
addresses:
|
|
- "test.com"
|
|
- "test.org"
|
|
port: 443
|
|
```
|
|
|
|
```json
|
|
{
|
|
"Kind": "service-defaults",
|
|
"Name": "test-destination",
|
|
"Protocol": "http",
|
|
"Destination": {
|
|
"Addresses": ["test.com","test.org"],
|
|
"Port": 443
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeTabs>
|
|
|
|
## Available Fields
|
|
|
|
<ConfigEntryReference
|
|
keys={[
|
|
{
|
|
name: 'apiVersion',
|
|
description: 'Must be set to `consul.hashicorp.com/v1alpha1`',
|
|
hcl: false,
|
|
},
|
|
{
|
|
name: 'Kind',
|
|
description: {
|
|
hcl: 'Must be set to `service-defaults`',
|
|
yaml: 'Must be set to `ServiceDefaults`',
|
|
},
|
|
},
|
|
{
|
|
name: 'Name',
|
|
description: 'Set to the name of the service being configured.',
|
|
type: 'string: <required>',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'Namespace',
|
|
type: `string: "default"`,
|
|
enterprise: true,
|
|
description: 'Specifies the namespace the config entry will apply to.',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'Partition',
|
|
type: `string: "default"`,
|
|
enterprise: true,
|
|
description:
|
|
'Specifies the name of the admin partition in which the configuration entry applies. Refer to the [Admin Partitions documentation](/consul/docs/enterprise/admin-partitions) for additional information.',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'Meta',
|
|
type: 'map<string|string>: nil',
|
|
description:
|
|
'Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'metadata',
|
|
children: [
|
|
{
|
|
name: 'name',
|
|
description: 'Set to the name of the service being configured.',
|
|
},
|
|
{
|
|
name: 'namespace',
|
|
description:
|
|
'If running Consul Open Source, the namespace is ignored (see [Kubernetes Namespaces in Consul OSS](/consul/docs/k8s/crds#consul-oss)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for more details.',
|
|
},
|
|
{
|
|
name: 'partition',
|
|
enterprise: true,
|
|
description:
|
|
'Specifies the admin partition in which the configuration will apply. The current partition is used if unspecified. Refer to the [Admin Partitions documentation](/consul/docs/enterprise/admin-partitions) for details. The partitions parameter is not supported in Consul OSS.',
|
|
},
|
|
],
|
|
hcl: false,
|
|
},
|
|
{
|
|
name: 'Protocol',
|
|
type: `string: "tcp"`,
|
|
description: `Sets the protocol of the service. This is used
|
|
by Connect proxies for things like observability features and to unlock usage
|
|
of the [\`service-splitter\`](/consul/docs/connect/config-entries/service-splitter) and
|
|
[\`service-router\`](/consul/docs/connect/config-entries/service-router) config entries
|
|
for a service. It also unlocks the ability to define L7 intentions via
|
|
[\`service-intentions\`](/consul/docs/connect/config-entries/service-intentions).
|
|
Supported values are one of \`tcp\`, \`http\`, \`http2\`, or \`grpc\`.`,
|
|
},
|
|
{
|
|
name: 'BalanceInboundConnections',
|
|
type: `string: ""`,
|
|
description: `Sets the strategy for allocating inbound connections to the service across proxy threads.
|
|
The only supported value is \`exact_balance\`. By default, no connection balancing is used.
|
|
Refer to the
|
|
[Envoy Connection Balance config](https://cloudnative.to/envoy/api-v3/config/listener/v3/listener.proto.html#config-listener-v3-listener-connectionbalanceconfig)
|
|
for details.`
|
|
},
|
|
{
|
|
name: 'EnvoyExtensions',
|
|
type: 'array<EnvoyExtension>: []',
|
|
description: `A list of extensions to modify Envoy proxy configuration.`,
|
|
children: [
|
|
{
|
|
name: 'Name',
|
|
type: `string: ""`,
|
|
description: `Name of the extension.`,
|
|
},
|
|
{
|
|
name: 'Required',
|
|
type: `string: ""`,
|
|
description: `When \`Required\` is true and the extension does not update any Envoy resources, an error is
|
|
returned. Use this parameter to ensure that extensions required for secure communication are not unintentionally
|
|
bypassed.`,
|
|
},
|
|
{
|
|
name: 'Arguments',
|
|
type: 'map<string|Any>: nil',
|
|
description: `Arguments to pass to the extension executable.`,
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'Mode',
|
|
type: `string: ""`,
|
|
description: `One of \`direct\` or \`transparent\`.
|
|
\`transparent\` represents that inbound and outbound application traffic is being
|
|
captured and redirected through the proxy. This mode does not enable the traffic redirection
|
|
itself. Instead it signals Consul to configure Envoy as if traffic is already being redirected.
|
|
\`direct\` represents that the proxy's listeners must be dialed directly by the local
|
|
application and other proxies.
|
|
Added in v1.10.0.`,
|
|
},
|
|
{
|
|
name: 'UpstreamConfig',
|
|
type: 'UpstreamConfiguration: <optional>',
|
|
description: `Controls default configuration settings that apply across all upstreams, and per-upstream
|
|
configuration overrides. Note that per-upstream configuration applies across all federated datacenters
|
|
to the pairing of source and upstream destination services.
|
|
Added in v1.10.0.`,
|
|
children: [
|
|
{
|
|
name: 'Overrides',
|
|
type: 'array<UpstreamConfig>: []',
|
|
description: `A list of optional overrides for per-upstream configuration.`,
|
|
children: [
|
|
{
|
|
name: 'Name',
|
|
type: 'string: ""',
|
|
description:
|
|
'The upstream name to apply the configuration to. This should not be set to the wildcard specifier `*`.',
|
|
},
|
|
{
|
|
name: 'Namespace',
|
|
type: 'string: ""',
|
|
description:
|
|
'The namespace of the upstream. This should not be set to the wildcard specifier `*`.',
|
|
},
|
|
{
|
|
name: 'Peer',
|
|
type: 'string: ""',
|
|
description:
|
|
`The name of the peer containing the upstream. Do not use a wildcard specifier ( \`*\`).<br><br>
|
|
If the \`peer\` field is not set in any \`Overrides\` configuration, then Consul applies overrides to peered services with the same [\`name\`](/consul/docs/connect/config-entries/service-defaults#name).
|
|
This maintains backward compatibility with Consul 1.14.0.
|
|
If the \`peer\` field is specified in any override, then backward compatibility with Consul 1.14.0 is disabled.
|
|
As a result, each peered service must have a separate override configuration if desired.` ,
|
|
},
|
|
{
|
|
name: 'Protocol',
|
|
type: 'string: ""',
|
|
description: `The protocol for the upstream listener.<br><br>
|
|
NOTE: The protocol of a service should ideally be configured via the
|
|
[\`protocol\`](/consul/docs/connect/config-entries/service-defaults#protocol)
|
|
field of a
|
|
[\`service-defaults\`](/consul/docs/connect/config-entries/service-defaults)
|
|
config entry for the upstream destination service. Configuring it in a
|
|
proxy upstream config will not fully enable some
|
|
[L7 features](/consul/docs/connect/l7-traffic).
|
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
|
In addition, the \`protocol\` of a peered service cannot be overriden. Any value in
|
|
this field is ignored for peered services.
|
|
`,
|
|
},
|
|
{
|
|
name: 'ConnectTimeoutMs',
|
|
type: 'int: 5000',
|
|
description: {
|
|
hcl: `The number of milliseconds to allow when making upstream connections before timing out.<br><br>
|
|
NOTE: The connect timeout of a service should ideally be configured via the
|
|
[\`connect_timeout\`](/consul/docs/connect/config-entries/service-resolver#connecttimeout)
|
|
field of a
|
|
[\`service-resolver\`](/consul/docs/connect/config-entries/service-resolver)
|
|
config entry for the upstream destination service.
|
|
Configuring it in a proxy upstream config will not fully enable some
|
|
[L7 features](/consul/docs/connect/l7-traffic).
|
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
|
`,
|
|
yaml: `The number of milliseconds to allow when making upstream connections before timing out.<br><br>
|
|
NOTE: The connect timeout of a service should ideally be configured via the
|
|
[\`connectTimeout\`](/consul/docs/connect/config-entries/service-resolver#connecttimeout)
|
|
field of a
|
|
[\`ServiceResolver\`](/consul/docs/connect/config-entries/service-resolver)
|
|
CRD for the upstream destination service.
|
|
Configuring it in a proxy upstream config will not fully enable some
|
|
[L7 features](/consul/docs/connect/l7-traffic).
|
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
|
`,
|
|
},
|
|
},
|
|
{
|
|
name: 'MeshGateway',
|
|
type: 'MeshGatewayConfig: <optional>',
|
|
description: `Controls the default
|
|
[mesh gateway configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration)
|
|
for this upstream.`,
|
|
children: [
|
|
{
|
|
name: 'Mode',
|
|
type: 'string: ""',
|
|
description: 'One of `none`, `local`, or `remote`.',
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'BalanceOutboundConnections',
|
|
type: `string: ""`,
|
|
description: `Sets the strategy for allocating outbound connections from the upstream across proxy threads.
|
|
The only supported value is \`exact_balance\`. By default, no connection balancing is used.
|
|
Refer to the
|
|
[Envoy Connection Balance config](https://cloudnative.to/envoy/api-v3/config/listener/v3/listener.proto.html#config-listener-v3-listener-connectionbalanceconfig)
|
|
for details.`
|
|
},
|
|
{
|
|
name: 'Limits',
|
|
type: 'Limits: <optional>',
|
|
description: `A set of limits to apply when connecting to the upstream service.
|
|
These limits are applied on a per-service-instance basis.
|
|
The following limits are respected.`,
|
|
children: [
|
|
{
|
|
name: 'MaxConnections',
|
|
type: 'int: 0',
|
|
description: `The maximum number of connections a service instance
|
|
will be allowed to establish against the given upstream. Use this to limit
|
|
HTTP/1.1 traffic, since HTTP/1.1 has a request per connection.`,
|
|
},
|
|
{
|
|
name: 'MaxPendingRequests',
|
|
type: 'int: 0',
|
|
description: `The maximum number of requests that will be queued
|
|
while waiting for a connection to be established. For this configuration to
|
|
be respected, a L7 protocol must be defined in the \`protocol\` field.`,
|
|
},
|
|
{
|
|
name: 'MaxConcurrentRequests',
|
|
type: 'int: 0',
|
|
description: `The maximum number of concurrent requests that
|
|
will be allowed at a single point in time. Use this to limit HTTP/2 traffic,
|
|
since HTTP/2 has many requests per connection. For this configuration to be
|
|
respected, a L7 protocol must be defined in the \`protocol\` field.`,
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'PassiveHealthCheck',
|
|
type: 'PassiveHealthCheck: <optional>',
|
|
description: `Passive health checks are used to remove hosts from
|
|
the upstream cluster which are unreachable or are returning errors..`,
|
|
children: [
|
|
{
|
|
name: 'Interval',
|
|
type: 'duration: 0s',
|
|
description: {
|
|
hcl: `The time between checks. Each check will cause hosts which
|
|
have exceeded \`max_failures\` to be removed from the load balancer, and
|
|
any hosts which have passed their ejection time to be returned to the
|
|
load balancer.`,
|
|
yaml: `The time between checks. Each check will cause hosts which
|
|
have exceeded \`maxFailures\` to be removed from the load balancer, and
|
|
any hosts which have passed their ejection time to be returned to the
|
|
load balancer.`,
|
|
},
|
|
},
|
|
{
|
|
name: 'MaxFailures',
|
|
type: 'int: 0',
|
|
description: `The number of consecutive failures which cause a host to be
|
|
removed from the load balancer.`,
|
|
},
|
|
{
|
|
name: 'EnforcingConsecutive5xx',
|
|
type: 'int: 100',
|
|
description: {
|
|
hcl: `Measured in percent (%), the probability of a host's ejection
|
|
after a passive health check detects an outlier status through consecutive 5xx.`,
|
|
yaml: `Measured in percent (%), the probability of a host's ejection
|
|
after a passive health check detects an outlier status through consecutive 5xx.`,
|
|
},
|
|
},
|
|
],
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'Defaults',
|
|
type: 'UpstreamConfig: <optional>',
|
|
description: `Default configuration that applies to all upstreams of this service.`,
|
|
children: [
|
|
{
|
|
name: 'Protocol',
|
|
type: 'string: ""',
|
|
description: {
|
|
hcl: `The protocol for the upstream listener.<br><br>
|
|
NOTE: The protocol of a service should ideally be configured via the
|
|
[\`protocol\`](/consul/docs/connect/config-entries/service-defaults#protocol)
|
|
field of a
|
|
[\`service-defaults\`](/consul/docs/connect/config-entries/service-defaults)
|
|
config entry for the upstream destination service. Configuring it in a
|
|
proxy upstream config will not fully enable some
|
|
[L7 features](/consul/docs/connect/l7-traffic).
|
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
|
`,
|
|
yaml: `The protocol for the upstream listener.<br><br>
|
|
NOTE: The protocol of a service should ideally be configured via the
|
|
[\`protocol\`](/consul/docs/connect/config-entries/service-defaults#protocol)
|
|
field of a
|
|
[\`ServiceDefaults\`](/consul/docs/connect/config-entries/service-defaults)
|
|
CRD for the upstream destination service. Configuring it in a
|
|
proxy upstream config will not fully enable some
|
|
[L7 features](/consul/docs/connect/l7-traffic).
|
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
|
`,
|
|
},
|
|
},
|
|
{
|
|
name: 'ConnectTimeoutMs',
|
|
type: 'int: 5000',
|
|
description: {
|
|
hcl: `The number of milliseconds to allow when making upstream connections before timing out.<br><br>
|
|
NOTE: The connect timeout of a service should ideally be configured via the
|
|
[\`connect_timeout\`](/consul/docs/connect/config-entries/service-resolver#connecttimeout)
|
|
field of a
|
|
[\`service-resolver\`](/consul/docs/connect/config-entries/service-resolver)
|
|
config entry for the upstream destination service.
|
|
Configuring it in a proxy upstream config will not fully enable some
|
|
[L7 features](/consul/docs/connect/l7-traffic).
|
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
|
`,
|
|
yaml: `The number of milliseconds to allow when making upstream connections before timing out.<br><br>
|
|
NOTE: The connect timeout of a service should ideally be configured via the
|
|
[\`connectTimeout\`](/consul/docs/connect/config-entries/service-resolver#connecttimeout)
|
|
field of a
|
|
[\`ServiceResolver\`](/consul/docs/connect/config-entries/service-resolver)
|
|
CRD for the upstream destination service.
|
|
Configuring it in a proxy upstream config will not fully enable some
|
|
[L7 features](/consul/docs/connect/l7-traffic).
|
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
|
`,
|
|
},
|
|
},
|
|
{
|
|
name: 'MeshGateway',
|
|
type: 'MeshGatewayConfig: <optional>',
|
|
description: `Controls the default
|
|
[mesh gateway configuration](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#connect-proxy-configuration)
|
|
for this upstream.`,
|
|
children: [
|
|
{
|
|
name: 'Mode',
|
|
type: 'string: ""',
|
|
description: 'One of `none`, `local`, or `remote`.',
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'BalanceOutboundConnections',
|
|
type: `string: ""`,
|
|
description: `Sets the strategy for allocating outbound connections from the upstream across proxy threads.
|
|
The only supported value is \`exact_balance\`. By default, no connection balancing is used.
|
|
Refer to the
|
|
[Envoy Connection Balance config](https://cloudnative.to/envoy/api-v3/config/listener/v3/listener.proto.html#config-listener-v3-listener-connectionbalanceconfig)
|
|
for details.`
|
|
},
|
|
{
|
|
name: 'Limits',
|
|
type: 'Limits: <optional>',
|
|
description: `A set of limits to apply when connecting to the upstream service.
|
|
These limits are applied on a per-service-instance basis.
|
|
The following limits are respected.`,
|
|
children: [
|
|
{
|
|
name: 'MaxConnections',
|
|
type: 'int: 0',
|
|
description: `The maximum number of connections a service instance
|
|
will be allowed to establish against the given upstream. Use this to limit
|
|
HTTP/1.1 traffic, since HTTP/1.1 has a request per connection.`,
|
|
},
|
|
{
|
|
name: 'MaxPendingRequests',
|
|
type: 'int: 0',
|
|
description: `The maximum number of requests that will be queued
|
|
while waiting for a connection to be established. For this configuration to
|
|
be respected, a L7 protocol must be defined in the \`protocol\` field.`,
|
|
},
|
|
{
|
|
name: 'MaxConcurrentRequests',
|
|
type: 'int: 0',
|
|
description: `The maximum number of concurrent requests that
|
|
will be allowed at a single point in time. Use this to limit HTTP/2 traffic,
|
|
since HTTP/2 has many requests per connection. For this configuration to be
|
|
respected, a L7 protocol must be defined in the \`protocol\` field.`,
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'PassiveHealthCheck',
|
|
type: 'PassiveHealthCheck: <optional>',
|
|
description: `Passive health checks are used to remove hosts from
|
|
the upstream cluster which are unreachable or are returning errors..`,
|
|
children: [
|
|
{
|
|
name: 'Interval',
|
|
type: 'duration: 0s',
|
|
description: {
|
|
hcl: `The time between checks. Each check will cause hosts which
|
|
have exceeded \`max_failures\` to be removed from the load balancer, and
|
|
any hosts which have passed their ejection time to be returned to the
|
|
load balancer.`,
|
|
yaml: `The time between checks. Each check will cause hosts which
|
|
have exceeded \`maxFailures\` to be removed from the load balancer, and
|
|
any hosts which have passed their ejection time to be returned to the
|
|
load balancer.`,
|
|
},
|
|
},
|
|
{
|
|
name: 'MaxFailures',
|
|
type: 'int: 0',
|
|
description: `The number of consecutive failures which cause a host to be
|
|
removed from the load balancer.`,
|
|
},
|
|
{
|
|
name: 'EnforcingConsecutive5xx',
|
|
type: 'int: 100',
|
|
description: {
|
|
hcl: `Measured in percent (%), the probability of a host's ejection
|
|
after a passive health check detects an outlier status through consecutive 5xx.`,
|
|
yaml: `Measured in percent (%), the probability of a host's ejection
|
|
after a passive health check detects an outlier status through consecutive 5xx.`,
|
|
},
|
|
},
|
|
],
|
|
},
|
|
],
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'TransparentProxy',
|
|
type: 'TransparentProxyConfig: <optional>',
|
|
description: `Controls configuration specific to proxies in transparent mode. Added in v1.10.0.`,
|
|
children: [
|
|
{
|
|
name: 'OutboundListenerPort',
|
|
type: 'int: "15001"',
|
|
description: `The port the proxy should listen on for outbound traffic. This must be the port where
|
|
outbound application traffic is redirected to.`,
|
|
},
|
|
{
|
|
name: 'DialedDirectly',
|
|
type: 'bool: false',
|
|
description: {
|
|
hcl: `Determines whether this proxy instance's IP address can be dialed directly by transparent proxies.
|
|
Typically transparent proxies dial upstreams using the "virtual" tagged address, which load balances
|
|
across instances. Dialing individual instances can be helpful in cases like stateful services such
|
|
as a database cluster with a leader.`,
|
|
yaml: `Determines whether the Pod IPs can be dialed directly (versus the Cluster IP).
|
|
Dialing Pod IPs can be helpful in cases like stateful services such
|
|
as a database cluster with a leader or with an ingress controller that dials Pod IPs instead of Cluster IPs.`,
|
|
},
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'Destination',
|
|
type: 'DestinationConfig: <optional>',
|
|
description: `Controls configuration specific to destinations through terminating-gateway. Added in v1.13.0.`,
|
|
children: [
|
|
{
|
|
name: 'Addresses',
|
|
type: 'array<string>: []',
|
|
description:`List of addresses associated with the destination. This can be a hostname or an IP address.
|
|
Wildcards are not accepted.`,
|
|
},
|
|
{
|
|
name: 'Port',
|
|
type: 'int: 0',
|
|
description: `Port number associated with the destination.`,
|
|
},
|
|
]
|
|
},
|
|
{
|
|
name: 'MaxInboundConnections',
|
|
description: 'The maximum number of concurrent inbound connections to each service instance.',
|
|
type: 'int: 0',
|
|
yaml: true,
|
|
},
|
|
{
|
|
name: 'LocalConnectTimeoutMs',
|
|
description: ' The number of milliseconds allowed to make connections to the local application instance before timing out. Defaults to 5000.',
|
|
type: 'int: 0',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'LocalRequestTimeoutMs',
|
|
description: ' In milliseconds, the timeout for HTTP requests to the local application instance. Applies to HTTP-based protocols only. If not specified, inherits the Envoy default for route timeouts (15s).',
|
|
type: 'int: 0',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'MeshGateway',
|
|
type: 'MeshGatewayConfig: <optional>',
|
|
description: `Controls the default
|
|
[mesh gateway configuration](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#connect-proxy-configuration)
|
|
for this service. Added in v1.6.0.`,
|
|
children: [
|
|
{
|
|
name: 'Mode',
|
|
type: 'string: ""',
|
|
description: 'One of `none`, `local`, or `remote`.',
|
|
},
|
|
],
|
|
},
|
|
{
|
|
name: 'ExternalSNI',
|
|
type: 'string: ""',
|
|
description: `This is an optional setting that allows for
|
|
the TLS [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) value to
|
|
be changed to a non-connect value when federating with an external system.
|
|
Added in v1.6.0.`,
|
|
},
|
|
{
|
|
name: 'Expose',
|
|
type: 'ExposeConfig: <optional>',
|
|
description: `Controls the default
|
|
[expose path configuration](/consul/docs/connect/registration/service-registration#expose-paths-configuration-reference)
|
|
for Envoy. Added in v1.6.2.<br><br>
|
|
Exposing paths through Envoy enables a service to protect itself by only listening on localhost, while still allowing
|
|
non-Connect-enabled applications to contact an HTTP endpoint.
|
|
Some examples include: exposing a \`/metrics\` path for Prometheus or \`/healthz\` for kubelet liveness checks.`,
|
|
children: [
|
|
{
|
|
name: 'Checks',
|
|
type: 'bool: false',
|
|
description: `If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy.
|
|
Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's
|
|
[advertise address](/consul/docs/agent/config/config-files#advertise). The port for these listeners are dynamically allocated from
|
|
[expose_min_port](/consul/docs/agent/config/config-files#expose_min_port) to [expose_max_port](/consul/docs/agent/config/config-files#expose_max_port).
|
|
This flag is useful when a Consul client cannot reach registered services over localhost. One example is when running
|
|
Consul on Kubernetes, and Consul agents run in their own pods.`,
|
|
},
|
|
{
|
|
name: 'Paths',
|
|
type: 'array<Path>: []',
|
|
description: 'A list of paths to expose through Envoy.',
|
|
children: [
|
|
{
|
|
name: 'Path',
|
|
type: 'string: ""',
|
|
description:
|
|
'The HTTP path to expose. The path must be prefixed by a slash. ie: `/metrics`.',
|
|
},
|
|
{
|
|
name: 'LocalPathPort',
|
|
type: 'int: 0',
|
|
description:
|
|
'The port where the local service is listening for connections to the path.',
|
|
},
|
|
{
|
|
name: 'ListenerPort',
|
|
type: 'int: 0',
|
|
description: `The port where the proxy will listen for connections. This port must be available
|
|
for the listener to be set up. If the port is not free then Envoy will not expose a listener for the path,
|
|
but the proxy registration will not fail.`,
|
|
},
|
|
{
|
|
name: 'Protocol',
|
|
type: 'string: "http"',
|
|
description:
|
|
'Sets the protocol of the listener. One of `http` or `http2`. For gRPC use `http2`.',
|
|
},
|
|
],
|
|
},
|
|
],
|
|
},
|
|
]}
|
|
/>
|
|
|
|
## ACLs
|
|
|
|
Configuration entries may be protected by [ACLs](/consul/docs/security/acl).
|
|
|
|
Reading a `service-defaults` config entry requires `service:read` on the resource.
|
|
|
|
Creating, updating, or deleting a `service-defaults` config entry requires
|
|
`service:write` on the resource.
|