consul/website/content/docs/connect/config-entries/proxy-defaults.mdx

760 lines
26 KiB
Plaintext

---
layout: docs
page_title: Proxy Defaults - Configuration Entry Reference
description: >-
The proxy defaults configuration entry kind defines default behaviors for proxies in the service mesh. Use the reference guide to learn about `""proxy-defaults""` config entry parameters.
---
# Proxy Defaults Configuration Entry
The `proxy-defaults` configuration entry (`ProxyDefaults` on Kubernetes) allows you to globally configure passthrough Envoy settings for proxies in the service mesh, including both sidecars and gateways.
It is different from the [`mesh` configuration entry](/consul/docs/connect/config-entries/mesh), which sets Consul features for cluster peering, transparent proxy, and TLS behavior that also affect Consul servers.
Only one global entry is supported.
For Consul Enterprise, only the global entry in the `default` partition is recognized.
## Introduction
You can customize some service registration settings for service mesh proxies centrally using the `proxy-defaults` configuration entry in the `kind` field.
You can still override this centralized configuration for specific services
with the [`service-defaults`](/consul/docs/connect/config-entries/service-defaults)
configuration entry `kind` or for individual proxy instances in their [sidecar
service definitions](/consul/docs/connect/registration/sidecar-service).
## Usage
1. Verify that your datacenter meets the conditions specified in the [Requirements](#requirements).
1. Determine the settings you want to implement (see [Configuration](#configuration)). You can create a file containing the configuration or pass them to the state store directly to apply the configuration.
1. Apply the configuration using one of the following methods:
- Kubernetes CRD: Refer to the [Custom Resource Definitions](/consul/docs/k8s/crds) documentation for details.
- Issue the `consul config write` command: Refer to the [Consul Config Write](/consul/commands/config/write) documentation for details.
## Configuration
Configure the following parameters to define a `proxy-defaults` configuration entry:
<Tabs>
<Tab heading="Consul OSS">
<CodeTabs heading="Proxy defaults configuration syntax" tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "proxy-defaults"
Name = "global"
Meta {
<arbitrary string key> = "<arbitrary string value>"
}
Config {
<arbitrary string key> = <arbitrary value>
}
Mode = "<name of proxy mode>"
TransparentProxy {
OutboundListenerPort = <port the proxy should listen on for outbound traffic>
DialedDirectly = <true if proxy instances should be dialed directly>
}
MutualTLSMode = "<mutual TLS mode for all proxies>"
MeshGateway {
Mode = "<name of mesh gateway configuration for all proxies>"
}
Expose {
Checks = <true to expose all HTTP and gRPC checks through Envoy>
Paths = [
{
Path = "<the HTTP path to expose>"
LocalPathPort = <port where the local service is listening for connections to the path>
ListenerPort = <port where the proxy will listen for connections>
Protocol = "<protocol of the listener>"
}
]
}
AccessLogs {
Enabled = < true | false >
DisableListenerLogs = < true | false , disables listener access logs for unrecognized traffic>
Type = "< file | stdout | stdout, the destination for access logs >"
Path = "< set the output path for 'file' based access logs >"
JSONFormat = "< json representation of access log format >"
TextFormat = "< text representation of access log format >"
}
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
name: global
spec:
meta:
<arbitrary string key>: <arbitrary string value>
config:
<arbitrary string key>: <arbitrary value>
mode: <name of proxy mode>
transparentProxy:
outboundListenerPort: <port the proxy should listen on for outbound traffic>
dialedDirectly: <true if proxy instances should be dialed directly>
mutualTLSMode: <mutual TLS mode for all proxies>
meshGateway:
mode: <name of mesh gateway configuration for all proxies>
expose:
checks: <true to expose all HTTP and gRPC checks through Envoy>
paths:
- path: <the HTTP path to expose>
localPathPort: <port where the local service is listening for connections to the path>
listenerPort: <port where the proxy will listen for connections>
protocol:= <protocol of the listener>
accessLogs:
enabled: < true | false >
disableListenerLogs: < true | false , disables listener access logs for unrecognized traffic>
type: < file | stdout | stdout, the destination for access logs >
path: < set the output path for 'file' based access logs >
jsonFormat: < json representation of access log format >
textFormat: < text representation of access log format >
```
```json
{
"Kind": "proxy-defaults",
"Name": "global",
"Meta": {
"<arbitrary string key>": "<arbitrary string value>"
},
"Config": {
"<arbitrary string key>": <arbitrary value>
},
"MutualTLSMode": "<mutual TLS mode for all proxies>",
"Mode": "<name of proxy mode>",
"TransparentProxy": {
"OutboundListenerPort": <port the proxy should listen on for outbound traffic>,
"DialedDirectly": <true if proxy instances should be dialed directly>
},
"MeshGateway": {
"Mode": = "<name of mesh gateway configuration for all proxies>"
},
"Expose": {
"Checks": <true to expose all HTTP and gRPC checks through Envoy>,
"Paths": [
{
"Path": "<the HTTP path to expose>",
"LocalPathPort": <port where the local service is listening for connections to the path>,
"ListenerPort": <port where the proxy will listen for connections>,
"Protocol": "<protocol of the listener>"
}
]
},
"AccessLogs": {
"Enabled": < true | false >,
"DisableListenerLogs": < true | false , disables listener access logs for unrecognized traffic>,
"Type": "< file | stdout | stdout, the destination for access logs >",
"Path": "< set the output path for 'file' based access logs >",
"JSONFormat": "< json representation of access log format >",
"TextFormat": "< text representation of access log format >"
}
}
```
</CodeTabs>
</Tab>
<Tab heading="Consul Enterprise">
-> **NOTE:** The `proxy-defaults` config entry can only be created in the `default`
namespace and it will configure proxies in **all** namespaces.
<CodeTabs heading="Proxy defaults configuration syntax" tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "proxy-defaults"
Name = "global"
Namespace = "default" # Can only be set to "default".
Meta {
<arbitrary string key> = "<arbitrary string value>"
}
Config {
<arbitrary string key> = <arbitrary value>
}
Mode = "<name of proxy mode>"
TransparentProxy {
OutboundListenerPort = <port the proxy should listen on for outbound traffic>
DialedDirectly = <true if proxy instances should be dialed directly>
}
MutualTLSMode = "<mutual TLS mode for all proxies>"
MeshGateway {
Mode = "<name of mesh gateway configuration for all proxies>"
}
Expose {
Checks = <true to expose all HTTP and gRPC checks through Envoy>
Paths = [
{
Path = "<the HTTP path to expose>"
LocalPathPort = <port where the local service is listening for connections to the path>
ListenerPort = <port where the proxy will listen for connections>
Protocol = "<protocol of the listener>"
}
]
}
AccessLogs {
Enabled = < true | false >
DisableListenerLogs = < true | false , disables listener access logs for unrecognized traffic>
Type = "< file | stdout | stdout, the destination for access logs >"
Path = "< set the output path for 'file' based access logs >"
JSONFormat = "< json representation of access log format >"
TextFormat = "< text representation of access log format >"
}
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
name: global
namespace: default
spec:
meta:
<arbitrary string key>: <arbitrary string value>
config:
<arbitrary string key>: <arbitrary value>
mode: <name of proxy mode>
transparentProxy:
outboundListenerPort: <port the proxy should listen on for outbound traffic>
dialedDirectly: <true if proxy instances should be dialed directly>
mutualTLSMode: <mutual TLS mode for all proxies>
meshGateway:
mode: <name of mesh gateway configuration for all proxies>
expose:
checks: <true to expose all HTTP and gRPC checks through Envoy>
paths:
- path: <the HTTP path to expose>
localPathPort: <port where the local service is listening for connections to the path>
listenerPort: <port where the proxy will listen for connections>
protocol:= <protocol of the listener>
accessLogs:
enabled: < true | false >
disableListenerLogs: < true | false , disables listener access logs for unrecognized traffic>
type: < file | stdout | stdout, the destination for access logs >
path: < set the output path for 'file' based access logs >
jsonFormat: < json representation of access log format >
textFormat: < text representation of access log format >
```
```json
{
"Kind": "proxy-defaults",
"Name": "global",
"Namespace": "default",
"Meta": {
"<arbitrary string key>": "<arbitrary string value>"
},
"Config": {
"<arbitrary string key>": <arbitrary value>
},
"Mode": "<name of proxy mode>",
"TransparentProxy": {
"OutboundListenerPort": <port the proxy should listen on for outbound traffic>,
"DialedDirectly": <true if proxy instances should be dialed directly>
},
"MutualTLSMode": "<mutual TLS mode for all proxies>",
"MeshGateway": {
"Mode": = "<name of mesh gateway configuration for all proxies>"
},
"Expose": {
"Checks": <true to expose all HTTP and gRPC checks through Envoy>,
"Paths": [
{
"Path": "<the HTTP path to expose>",
"LocalPathPort": <port where the local service is listening for connections to the path>,
"ListenerPort": <port where the proxy will listen for connections>,
"Protocol": "<protocol of the listener>"
}
]
},
"AccessLogs": {
"Enabled": < true | false >,
"DisableListenerLogs": < true | false , disables listener access logs for unrecognized traffic>,
"Type": "< file | stdout | stdout, the destination for access logs >",
"Path": "< set the output path for 'file' based access logs >",
"JSONFormat": "< json representation of access log format >",
"TextFormat": "< text representation of access log format >"
}
}
```
</CodeTabs>
</Tab>
</Tabs>
### Configuration Parameters
<ConfigEntryReference
keys={[
{
name: 'apiVersion',
description: 'Must be set to `consul.hashicorp.com/v1alpha1`',
hcl: false,
},
{
name: 'Kind',
description: {
hcl: 'Must be set to `proxy-defaults`',
yaml: 'Must be set to `ProxyDefaults`',
},
},
{
name: 'Name',
description: 'Must be set to `global`',
yaml: false,
},
{
name: 'Namespace',
type: `string: "default"`,
enterprise: true,
description:
'Must be set to `default`. The configuration will apply to all namespaces.',
yaml: false,
},
{
name: 'Partition',
type: `string: "default"`,
enterprise: true,
description:
'Specifies the name of the admin partition in which the configuration entry applies. Refer to the [Admin Partitions documentation](/consul/docs/enterprise/admin-partitions) for additional information.',
yaml: false,
},
{
name: 'Meta',
type: 'map<string|string>: nil',
description:
'Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.',
yaml: false,
},
{
name: 'metadata',
children: [
{
name: 'name',
description: 'Must be set to `global`',
},
{
name: 'namespace',
enterprise: true,
description:
'If running Consul Open Source, the namespace is ignored (see [Kubernetes Namespaces in Consul OSS](/consul/docs/k8s/crds#consul-oss)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for more details.',
},
],
hcl: false,
},
{
name: 'Config',
type: 'map[string]arbitrary',
description: `An arbitrary map of configuration values used by service mesh proxies.
The available configurations depend on the mesh proxy you use.
Any values that your proxy allows can be configured globally here. To explore these options please see the documentation for your chosen proxy.
<ul><li>[Envoy](/consul/docs/connect/proxies/envoy#proxy-config-options)</li>
<li>[Consul's built-in proxy](/consul/docs/connect/proxies/built-in#proxy-config-key-reference)</li></ul>`,
},
{
name: 'EnvoyExtensions',
type: 'array<EnvoyExtension>: []',
description: `A list of extensions to modify Envoy proxy configuration.<br><br>
Applying \`EnvoyExtensions\` to \`ProxyDefaults\` may produce unintended consequences. We recommend enabling \`EnvoyExtensions\` with [\`ServiceDefaults\`](/consul/docs/connect/config-entries/service-defaults#envoyextensions) in most cases.`,
children: [
{
name: 'Name',
type: `string: ""`,
description: `Name of the extension.`,
},
{
name: 'Required',
type: `string: ""`,
description: `When \`Required\` is true and the extension does not update any Envoy resources, an error is
returned. Use this parameter to ensure that extensions required for secure communication are not unintentionally
bypassed.`,
},
{
name: 'Arguments',
type: 'map<string|Any>: nil',
description: `Arguments to pass to the extension executable.`,
},
],
},
{
name: 'Mode',
type: `string: ""`,
description: `One of \`direct\` or \`transparent\`.
\`transparent\` represents that inbound and outbound application traffic is being
captured and redirected through the proxy. This mode does not enable the traffic redirection
itself. Instead it signals Consul to configure Envoy as if traffic is already being redirected.
\`direct\` represents that the proxy's listeners must be dialed directly by the local
application and other proxies.
Added in v1.10.0.`,
},
{
name: 'TransparentProxy',
type: 'TransparentProxyConfig: <optional>',
description: `Controls configuration specific to proxies in transparent mode. Added in v1.10.0.`,
children: [
{
name: 'OutboundListenerPort',
type: 'int: "15001"',
description: `The port the proxy should listen on for outbound traffic. This must be the port where
outbound application traffic is captured and redirected to.`,
},
{
name: 'DialedDirectly',
type: 'bool: false',
description: `Determines whether this proxy instance's IP address can be dialed directly by transparent proxies.
Typically transparent proxies dial upstreams using the "virtual" tagged address, which load balances
across instances. Dialing individual instances can be helpful in cases like stateful services such
as a database cluster with a leader. `,
},
],
},
{
name: 'MutualTLSMode',
type: 'string: ""',
description: `Controls the default mutual TLS mode for all proxies. This setting is only
supported for services with transparent proxy enabled. One of \`""\`, \`strict\`, or \`permissive\`.
When unset or \`""\`, the mode defaults to \`strict\`. When set to \`strict\`, the sidecar proxy
requires mutual TLS for incoming traffic. When set to \`permissive\`, the sidecar proxy accepts
mutual TLS traffic on the sidecar proxy service port and accepts any traffic on the destination
service port. We recommend only using \`permissive\` mode if necessary while onboarding services to
the service mesh. `,
},
{
name: 'MeshGateway',
type: 'MeshGatewayConfig: <optional>',
description: `Controls the default
[mesh gateway configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration)
for all proxies. Added in v1.6.0.`,
children: [
{
name: 'Mode',
type: 'string: ""',
description: 'One of `none`, `local`, or `remote`.',
},
],
},
{
name: 'Expose',
type: 'ExposeConfig: <optional>',
description: `Controls the default
[expose path configuration](/consul/docs/connect/registration/service-registration#expose-paths-configuration-reference)
for Envoy. Added in v1.6.2.<br><br>
Exposing paths through Envoy enables a service to protect itself by only listening on localhost, while still allowing
non-mesh-enabled applications to contact an HTTP endpoint.
Some examples include: exposing a \`/metrics\` path for Prometheus or \`/healthz\` for kubelet liveness checks.`,
children: [
{
name: 'Checks',
type: 'bool: false',
description: `If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy.
Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's
[advertise address](/consul/docs/agent/config/config-files#advertise). The port for these listeners are dynamically allocated from
[expose_min_port](/consul/docs/agent/config/config-files#expose_min_port) to [expose_max_port](/consul/docs/agent/config/config-files#expose_max_port).
This flag is useful when a Consul client cannot reach registered services over localhost.`,
},
{
name: 'Paths',
type: 'array<Path>: []',
description: 'A list of paths to expose through Envoy.',
children: [
{
name: 'Path',
type: 'string: ""',
description:
'The HTTP path to expose. The path must be prefixed by a slash. ie: `/metrics`.',
},
{
name: 'LocalPathPort',
type: 'int: 0',
description:
'The port where the local service is listening for connections to the path.',
},
{
name: 'ListenerPort',
type: 'int: 0',
description: `The port where the proxy will listen for connections. This port must be available
for the listener to be set up. If the port is not free then Envoy will not expose a listener for the path,
but the proxy registration will not fail.`,
},
{
name: 'Protocol',
type: 'string: "http"',
description:
'Sets the protocol of the listener. One of `http` or `http2`. For gRPC use `http2`.',
},
],
},
],
},
{
name: 'FailoverPolicy',
type: 'ServiceResolverFailoverPolicy: <optional>',
description: `Policy specifies the exact mechanism used for failover.
Added in v1.16.0.`,
children: [
{
name: 'Mode',
type: 'string: ""',
description: 'One of `""`, `default`, or `order-by-locality`.',
},
],
},
{
name: 'AccessLogs',
type: 'AccessLogsConfig: <optional>',
description: `Controls the configuration of [Envoy's access logging](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/observability/access_logging.html?highlight=access%20logs)
for all proxies in the mesh, including gateways. It also configures access logs on [Envoy's administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin.html?highlight=administration%20logs).`,
children: [
{
name: 'Enabled',
type: 'bool: false',
description: 'When enabled, access logs are emitted for all proxies in the mesh, including gateways.',
},
{
name: 'DisableListenerLogs',
type: 'bool: false',
description: `When enabled, access logs for traffic rejected at the listener-level are not emitted.
This traffic includes connections that do not match any of Envoy's configured filters, such as Consul upstream services.
Set this option to \`true\` if you do not want to log unknown requests that Envoy is not forwarding`,
},
{
name: 'Type',
type: 'string: "stdout"',
description: 'The destination for access logs. One of \`stdout\`, \`stderr\`, or \`file\`.',
},
{
name: 'Path',
type: 'string: ""',
description: 'The destination file for access logs. Only valid with \`Type\` set to \`file\`.',
},
{
name: 'JSONFormat',
type: 'string: (default as follows)',
description: `A JSON-formatted string that represents the format of each emitted access log.
By default, it is set to the [default access log format](/consul/docs/connect/observability/access-logs#default-log-format).
You can use Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) to customize the emitted data.
Nesting is supported.
Invalid if a custom format is specified with TextFormat.`,
},
{
name: 'TextFormat',
type: 'string: ""',
description: `A formatted string that represents the format of each emitted access log.
Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) can be used to customize the data emitted.
A new line is added to the string automatically.
Invalid when a custom JSONFormat is already specified.`,
}
],
},
]}
/>
## Examples
### Default protocol
The following example configures the default protocol for all proxies.
<Tabs>
<Tab heading="Consul OSS">
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "proxy-defaults"
Name = "global"
Config {
protocol = "http"
}
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
name: global
spec:
config:
protocol: http
```
```json
{
"Kind": "proxy-defaults",
"Name": "global",
"Config": {
"protocol": "http"
}
}
```
</CodeTabs>
</Tab>
<Tab heading="Consul Enterprise">
-> **NOTE:** The `proxy-defaults` config entry can only be created in the `default`
namespace and it will configure proxies in **all** namespaces.
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "proxy-defaults"
Name = "global"
Namespace = "default" # Can only be set to "default".
Config {
protocol = "http"
}
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
name: global
namespace: default
spec:
config:
protocol: http
```
```json
{
"Kind": "proxy-defaults",
"Name": "global",
"Namespace": "default",
"Config": {
"protocol": "http"
}
}
```
</CodeTabs>
</Tab>
</Tabs>
### Prometheus
The following example configures all proxies to expose Prometheus metrics.
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "proxy-defaults"
Name = "global"
Config {
envoy_prometheus_bind_addr = "0.0.0.0:9102"
}
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
name: global
spec:
config:
envoy_prometheus_bind_addr: '0.0.0.0:9102'
```
```json
{
"Kind": "proxy-defaults",
"Name": "global",
"Config": {
"envoy_prometheus_bind_addr": "0.0.0.0:9102"
}
}
```
</CodeTabs>
### Access Logs
The following example is a minimal configuration for enabling access logs for all proxies.
Refer to [access logs](/consul/docs/connect/observability/access-logs) for advanced configurations.
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "proxy-defaults"
Name = "global"
AccessLogs {
Enabled = true
}
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
name: global
spec:
accessLogs:
enabled: true
```
```json
{
"Kind": "proxy-defaults",
"Name": "global",
"AccessLogs": {
"Enabled": true
}
}
```
</CodeTabs>
### Proxy-specific defaults
The following example configures some custom default values for all proxies.
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "proxy-defaults"
Name = "global"
Config {
local_connect_timeout_ms = 1000
handshake_timeout_ms = 10000
}
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
name: global
spec:
config:
local_connect_timeout_ms: 1000
handshake_timeout_ms: 10000
```
```json
{
"Kind": "proxy-defaults",
"Name": "global",
"Config": {
"local_connect_timeout_ms": 1000,
"handshake_timeout_ms": 10000
}
}
```
</CodeTabs>
## ACLs
Configuration entries may be protected by [ACLs](/consul/docs/security/acl).
Reading a `proxy-defaults` config entry requires no specific privileges.
Creating, updating, or deleting a `proxy-defaults` config entry requires
`operator:write`.