mirror of https://github.com/hashicorp/consul
Backport of docs: remove multiport docs, add v1dns flag into release/1.19.x (#21294)
docs: remove multiport docs, add v1dns flag (#21278) * docs: remove multiport docs, add v1dns flag * v2 catalog notice + redirects * redirect fixes * Update website/content/docs/k8s/helm.mdx --------- Co-authored-by: Dan Stough <dan.stough@hashicorp.com> Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>pull/21306/head
parent
c8ee4b1c2f
commit
67d3576665
@ -1,391 +0,0 @@
|
||||
---
|
||||
layout: commands
|
||||
page_title: 'Commands: Resource'
|
||||
description: >-
|
||||
The `consul resource` command interacts with Consul's v2 catalog of services and its resources. It exposes top-level commands for reading and filtering data from the registry.
|
||||
---
|
||||
|
||||
# Consul Resource
|
||||
|
||||
Command: `consul resource`
|
||||
|
||||
<Note>
|
||||
|
||||
You must enable the [v2 catalog API](/consul/docs/concept/catalog/v2) to use this command.
|
||||
|
||||
</Note>
|
||||
|
||||
Use the `resource` command to apply, list, read, and delete resources when interacting with Consul's v2 catalog through the command line. For more information, refer to [v2 catalog API](/consul/docs/concept/catalog/v2).
|
||||
|
||||
## Usage
|
||||
|
||||
```text
|
||||
Usage: consul resource <subcommand> [options]
|
||||
|
||||
# ...
|
||||
|
||||
Subcommands:
|
||||
|
||||
apply Write or update resource information
|
||||
delete Delete resource information
|
||||
list Read all resources by type
|
||||
read Read resource information
|
||||
```
|
||||
|
||||
## Subcommands
|
||||
|
||||
You can issue the following subcommands with the `consul resource` command.
|
||||
|
||||
### `apply`
|
||||
|
||||
`consul resource apply` writes or updates a resource at a given file path.
|
||||
|
||||
The following table shows the required [ACLs permission](/consul/api-docs/api-structure#authentication) to run the `apply` command:
|
||||
|
||||
| ACL Required |
|
||||
| ------------ |
|
||||
| `operator:write` |
|
||||
|
||||
#### Command Options
|
||||
|
||||
- `-f=<filepath>` - (Required) The path to the file that defines the Consul resource. When the file that defines the resource is in the current working directory, you may optionally omit this flag and pass the resource filename only.
|
||||
|
||||
#### Example usage
|
||||
|
||||
The following command applies a traffic permissions resource to Consul that restricts service-to-service communication to authorized services only.
|
||||
|
||||
```shell-session hideClipboard
|
||||
$ consul resource apply -f=trafficpermissions.hcl
|
||||
```
|
||||
|
||||
### `delete`
|
||||
|
||||
`consul resource delete` removes a Consul resource at a given file path.
|
||||
|
||||
The following table shows the required [ACL permissions](/consul/api-docs/api-structure#authentication) to run the `delete` command:
|
||||
|
||||
| ACL Required |
|
||||
| ------------ |
|
||||
| `operator:write` |
|
||||
|
||||
#### Command Options
|
||||
|
||||
- `-f=<filepath>` - (Required) The path to the file that defines the Consul resource. When the file that defines the resource is in the current working directory, you may optionally omit this flag and pass the resource filename only.
|
||||
|
||||
#### Example usage
|
||||
|
||||
The following command removes a traffic permissions resource from Consul that restricts service-to-service communication to authorized services only.
|
||||
|
||||
```shell-session hideClipboard
|
||||
$ consul resource delete -f=trafficpermissions.hcl
|
||||
```
|
||||
|
||||
### `list`
|
||||
|
||||
`consul resource list` outputs information about resources according to the type of resource and the location where the resource is applied.
|
||||
|
||||
This command must be issued with a resource type. By formatting the type on the command line as `group.groupVersion.kind`, you can return all matching resources. For example, you can list information about services with `catalog.v2beta1.Service` and TCP routes with `mesh.v2beta1.TCPRoute`. Refer to [v2 catalog](/consul/docs/architecture/v2/catalog#catalog-structure) for more information.
|
||||
|
||||
Do not include a resource name when listing resources.
|
||||
|
||||
The following table shows the required [ACL permissions](/consul/api-docs/api-structure#authentication) to run the `list` command:
|
||||
|
||||
| ACL Required |
|
||||
| ------------ |
|
||||
| `operator:read` |
|
||||
|
||||
#### Command Options
|
||||
|
||||
The following flags enable you to filter results.
|
||||
|
||||
- `-partition=<string>` - The partition where the resources apply.
|
||||
- `-namespace=<string>` - The namespace where the resources apply.
|
||||
|
||||
#### Example usage
|
||||
|
||||
The following command lists resources that apply to services registered with the v2 catalog API, and includes a sample output for the `api` and `web` services registered in [configure multi-port services](/consul/docs/k8s/multiport/configure):
|
||||
|
||||
```shell-session hideClipboard
|
||||
$ consul resource list catalog.v2beta1.Service
|
||||
|
||||
{
|
||||
"resources": [
|
||||
{
|
||||
"data": {
|
||||
"ports": [
|
||||
{
|
||||
"protocol": "PROTOCOL_TCP",
|
||||
"targetPort": "api",
|
||||
"virtualPort": 80
|
||||
},
|
||||
{
|
||||
"protocol": "PROTOCOL_MESH",
|
||||
"targetPort": "mesh"
|
||||
}
|
||||
],
|
||||
"virtualIps": [
|
||||
"10.96.216.242"
|
||||
],
|
||||
"workloads": {
|
||||
"prefixes": [
|
||||
"api-7c86cd8cb9"
|
||||
]
|
||||
}
|
||||
},
|
||||
"generation": "01HE8QWYFCTNEC2Q5JXKNXH6QW",
|
||||
"id": {
|
||||
"name": "api",
|
||||
"tenancy": {
|
||||
"namespace": "default",
|
||||
"partition": "default",
|
||||
},
|
||||
"type": {
|
||||
"group": "catalog",
|
||||
"groupVersion": "v2beta1",
|
||||
"kind": "Service"
|
||||
},
|
||||
"uid": "01HE8QWYFCTNEC2Q5JXJ97M429"
|
||||
},
|
||||
"metadata": {
|
||||
"k8s-namespace": "default",
|
||||
"managed-by": "consul-k8s-endpoints-controller-v2"
|
||||
},
|
||||
"status": {
|
||||
"consul.io/endpoint-manager": {
|
||||
"conditions": [
|
||||
{
|
||||
"message": "A valid workload selector is present within the service.",
|
||||
"reason": "SelectorFound",
|
||||
"state": "STATE_TRUE",
|
||||
"type": "EndpointsManaged"
|
||||
},
|
||||
{
|
||||
"message": "Found workload identities associated with this service: \"api\".",
|
||||
"reason": "WorkloadIdentitiesFound",
|
||||
"state": "STATE_TRUE",
|
||||
"type": "BoundIdentities"
|
||||
}
|
||||
],
|
||||
"observedGeneration": "01HE8QWYFCTNEC2Q5JXKNXH6QW",
|
||||
"updatedAt": "2023-11-02T19:24:27.295564638Z"
|
||||
}
|
||||
},
|
||||
"version": "118"
|
||||
},
|
||||
{
|
||||
"data": {
|
||||
"ports": [
|
||||
{
|
||||
"protocol": "PROTOCOL_TCP",
|
||||
"targetPort": "admin",
|
||||
"virtualPort": 90
|
||||
},
|
||||
{
|
||||
"protocol": "PROTOCOL_MESH",
|
||||
"targetPort": "mesh"
|
||||
}
|
||||
],
|
||||
"virtualIps": [
|
||||
"10.96.231.41"
|
||||
],
|
||||
"workloads": {
|
||||
"prefixes": [
|
||||
"api-7c86cd8cb9"
|
||||
]
|
||||
}
|
||||
},
|
||||
"generation": "01HE8QWYFJCXYXT2F4SBZE95Q4",
|
||||
"id": {
|
||||
"name": "api-admin",
|
||||
"tenancy": {
|
||||
"namespace": "default",
|
||||
"partition": "default",
|
||||
},
|
||||
"type": {
|
||||
"group": "catalog",
|
||||
"groupVersion": "v2beta1",
|
||||
"kind": "Service"
|
||||
},
|
||||
"uid": "01HE8QWYFJCXYXT2F4SAHV7KG8"
|
||||
},
|
||||
"metadata": {
|
||||
"k8s-namespace": "default",
|
||||
"managed-by": "consul-k8s-endpoints-controller-v2"
|
||||
},
|
||||
"status": {
|
||||
"consul.io/endpoint-manager": {
|
||||
"conditions": [
|
||||
{
|
||||
"message": "A valid workload selector is present within the service.",
|
||||
"reason": "SelectorFound",
|
||||
"state": "STATE_TRUE",
|
||||
"type": "EndpointsManaged"
|
||||
},
|
||||
{
|
||||
"message": "Found workload identities associated with this service: \"api\".",
|
||||
"reason": "WorkloadIdentitiesFound",
|
||||
"state": "STATE_TRUE",
|
||||
"type": "BoundIdentities"
|
||||
}
|
||||
],
|
||||
"observedGeneration": "01HE8QWYFJCXYXT2F4SBZE95Q4",
|
||||
"updatedAt": "2023-11-02T19:24:27.589881680Z"
|
||||
}
|
||||
},
|
||||
"version": "122"
|
||||
},
|
||||
{
|
||||
"data": {
|
||||
"ports": [
|
||||
{
|
||||
"protocol": "PROTOCOL_TCP",
|
||||
"targetPort": "80",
|
||||
"virtualPort": 80
|
||||
},
|
||||
{
|
||||
"protocol": "PROTOCOL_MESH",
|
||||
"targetPort": "mesh"
|
||||
}
|
||||
],
|
||||
"virtualIps": [
|
||||
"10.96.157.170"
|
||||
],
|
||||
"workloads": {
|
||||
"prefixes": [
|
||||
"web-6fd5c8bf57"
|
||||
]
|
||||
}
|
||||
},
|
||||
"generation": "01HE8QWYA9RSW2RS8GS5P538ZB",
|
||||
"id": {
|
||||
"name": "web",
|
||||
"tenancy": {
|
||||
"namespace": "default",
|
||||
"partition": "default",
|
||||
},
|
||||
"type": {
|
||||
"group": "catalog",
|
||||
"groupVersion": "v2beta1",
|
||||
"kind": "Service"
|
||||
},
|
||||
"uid": "01HE8QWYA9RSW2RS8GS3922SK0"
|
||||
},
|
||||
"metadata": {
|
||||
"k8s-namespace": "default",
|
||||
"managed-by": "consul-k8s-endpoints-controller-v2"
|
||||
},
|
||||
"status": {
|
||||
"consul.io/endpoint-manager": {
|
||||
"conditions": [
|
||||
{
|
||||
"message": "A valid workload selector is present within the service.",
|
||||
"reason": "SelectorFound",
|
||||
"state": "STATE_TRUE",
|
||||
"type": "EndpointsManaged"
|
||||
},
|
||||
{
|
||||
"message": "Found workload identities associated with this service: \"web\".",
|
||||
"reason": "WorkloadIdentitiesFound",
|
||||
"state": "STATE_TRUE",
|
||||
"type": "BoundIdentities"
|
||||
}
|
||||
],
|
||||
"observedGeneration": "01HE8QWYA9RSW2RS8GS5P538ZB",
|
||||
"updatedAt": "2023-11-02T19:24:27.190972222Z"
|
||||
}
|
||||
},
|
||||
"version": "115"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
### `read`
|
||||
|
||||
`consul resource read` outputs information about resources according to the type and name of the resource.
|
||||
|
||||
This command must be issued with a resource type and a resource name. By formatting the type on the command line as `group.groupVersion.kind`, you can return all matching resources. For example, you can read information about services with `catalog.v2beta1.Service`, TCP routes with `mesh.v2beta1.TCPRoute`, and traffic permissions with `auth.v2beta1.TrafficPermissions`. Refer to [v2 catalog](/consul/docs/architecture/v2/catalog#catalog-structure) for more information.
|
||||
|
||||
The following table shows the required [ACL permissions](/consul/api-docs/api-structure#authentication) to run the `read` command:
|
||||
|
||||
| ACL Required |
|
||||
| ------------ |
|
||||
| `operator:read` |
|
||||
|
||||
#### Command Options
|
||||
|
||||
- `-partition=<string>` - The partition where the resource applies.
|
||||
- `-namespace=<string>` - The namespace where the resource applies.
|
||||
- `-stale` - Permits any Consul server to respond to the request. This flag enables for lower latency and higher throughput, but may result in stale data. This option has no effect on non-read operations.
|
||||
- `-token` - A Consul ACL token to include with the request.
|
||||
|
||||
#### Example usage
|
||||
|
||||
The following example demonstrates a command to read the `web` service and includes an example output that includes information such as ports, virtual IPs, and status.
|
||||
|
||||
```shell-session hideClipboard
|
||||
$ consul resource read catalog.v2beta1.Service web
|
||||
|
||||
{
|
||||
"data": {
|
||||
"ports": [
|
||||
{
|
||||
"protocol": "PROTOCOL_TCP",
|
||||
"targetPort": "80",
|
||||
"virtualPort": 80
|
||||
},
|
||||
{
|
||||
"protocol": "PROTOCOL_MESH",
|
||||
"targetPort": "mesh"
|
||||
}
|
||||
],
|
||||
"virtualIps": [
|
||||
"10.96.98.157"
|
||||
],
|
||||
"workloads": {
|
||||
"prefixes": [
|
||||
"web-6fd5c8bf57"
|
||||
]
|
||||
}
|
||||
},
|
||||
"generation": "01HE6MPDXC1J6ZMEMPN1460Z6K",
|
||||
"id": {
|
||||
"name": "web",
|
||||
"tenancy": {
|
||||
"namespace": "default",
|
||||
"partition": "default",
|
||||
},
|
||||
"type": {
|
||||
"group": "catalog",
|
||||
"groupVersion": "v2beta1",
|
||||
"kind": "Service"
|
||||
},
|
||||
"uid": "01HE6MPDXC1J6ZMEMPN0648FVB"
|
||||
},
|
||||
"metadata": {
|
||||
"k8s-namespace": "default",
|
||||
"managed-by": "consul-k8s-endpoints-controller-v2"
|
||||
},
|
||||
"status": {
|
||||
"consul.io/endpoint-manager": {
|
||||
"conditions": [
|
||||
{
|
||||
"message": "A valid workload selector is present within the service.",
|
||||
"reason": "SelectorFound",
|
||||
"state": "STATE_TRUE",
|
||||
"type": "EndpointsManaged"
|
||||
},
|
||||
{
|
||||
"message": "Found workload identities associated with this service: \"web\".",
|
||||
"reason": "WorkloadIdentitiesFound",
|
||||
"state": "STATE_TRUE",
|
||||
"type": "BoundIdentities"
|
||||
}
|
||||
],
|
||||
"observedGeneration": "01HE6MPDXC1J6ZMEMPN1460Z6K",
|
||||
"updatedAt": "2023-11-01T23:49:59.172604219Z"
|
||||
}
|
||||
},
|
||||
"version": "137"
|
||||
}
|
||||
```
|
@ -1,51 +0,0 @@
|
||||
---
|
||||
layout: docs
|
||||
page_title: Consul resource groups
|
||||
description: Learn about resource groups in version 2 of Consul's internal architecture. The auth, catalog, and mesh groups structure Consul's ability to target individual workloads or an entire collection of workload endpoints.
|
||||
---
|
||||
|
||||
<Warning>
|
||||
|
||||
The v2 catalog API and Traffic Permissions API are currently in beta. This documentation supports testing and development scenarios. Do not use these APIs in secure production environments.
|
||||
|
||||
</Warning>
|
||||
|
||||
# Consul resource groups
|
||||
|
||||
This topic provides an overview of resource groups in Consul's v2 architecture.
|
||||
|
||||
Refer to the [`consul resource` CLI command reference](/consul/docs/commands/resource) to learn about using the Consul CLI to interact with resources.
|
||||
|
||||
## Introduction
|
||||
|
||||
Consul's v2 architecture manages workloads using _resources_. Each resource is part of a _resource group_.
|
||||
|
||||
These resource groups structure Consul's ability to target either an _individual workload identity_ or an _entire collection of workload endpoints_ when managing service mesh traffic. There are three resource groups in the v2 API:
|
||||
|
||||
- `auth` group: Resources apply to workload identity
|
||||
- `catalog` group: Resources apply to all workloads associated with a service
|
||||
- `mesh` group: Resources apply to either workload identities or all workloads
|
||||
|
||||
For example, traffic permissions are part of the `auth` group. Permissions allow or deny traffic according to the other v2 catalog resource in the `auth` group, the workload identity. Meanwhile, when Consul routes service mesh traffic it applies rules to workloads based on the Service, which is a resource in the `catalog` group.
|
||||
|
||||
One practical impact of resource groups is that the [HTTPRoute](/consul/docs/k8s/multiport/reference/httproute), [GRPCRoute](/consul/docs/k8s/multiport/reference/grpcroute), and [TCPRoute](/consul/docs/k8s/multiport/reference/tcproute) CRDs require you to specify a `name` and `type` in configuration blocks. The `catalog.v2beta1.Service` type indicates that the rules defined in these CRDs apply to all workloads registered in the Consul catalog under the given name.
|
||||
|
||||
You can also use the `consul resource` command to return information about Consul resources in each group using a `group.groupVersion.kind` syntax. Refer to [`consul resource`](/consul/docs/commands/resource) for more information.
|
||||
|
||||
## Resource group reference
|
||||
|
||||
The following table describes the Consul resources that belong to each resource group and the resource's `group.groupVersion.kind` syntax.
|
||||
|
||||
| Resource `group` | v2 resource | Consul resource syntax |
|
||||
| :------------------ | :-------- | :---- |
|
||||
| `auth` | Traffic permissions | `auth.v2beta1.TrafficPermissions` |
|
||||
| `auth` | Workload identity | `auth.v2beta1.WorkloadIdentity` |
|
||||
| `catalog` | Service | `catalog.v2beta1.Service` |
|
||||
| `catalog` | Node | `catalog.v2beta1.Node` |
|
||||
| `catalog` | Workload | `catalog.v2beta1.Workload` |
|
||||
| `catalog` | Health status | `catalog.v2beta1.HealthStatus` |
|
||||
| `catalog` | Destinations | `catalog.v2beta1.Destination` |
|
||||
| `mesh` | GRPCRoute | `mesh.v2beta1.GRPCRoute` |
|
||||
| `mesh` | HTTPRoute | `mesh.v2beta1.HTTPRoute` |
|
||||
| `mesh` | Proxy configuration | `mesh.v2beta1.ProxyConfiguration` |
|
||||
| `mesh` | TCPRoute | `mesh.v2beta1.TCPRoute` |
|
@ -1,491 +0,0 @@
|
||||
---
|
||||
layout: docs
|
||||
page_title: Configure multi-port services
|
||||
description: Learn how to enable the v2 catalog and configure services to support multiple ports in Consul on Kubernetes. You can configure multiple ports on a single service or multiple services and ports in a single container.
|
||||
---
|
||||
|
||||
# Configure multi-port services
|
||||
|
||||
<Warning>
|
||||
|
||||
The v2 catalog API and Traffic Permissions API are currently in beta. This documentation supports testing and development scenarios. Do not use these APIs in secure production environments.
|
||||
|
||||
</Warning>
|
||||
|
||||
<Note>
|
||||
|
||||
Multi-port services and selecting workloads using multiple services require enabling [Consul's v2 architecture](/consul/docs/architecture/v2).
|
||||
|
||||
</Note>
|
||||
|
||||
This page describes the process for integrating a service that uses multiple ports in a single container when running Consul on Kubernetes deployments. It includes example configurations to demonstrate an end-to-end deployment test of Consul's multi-port features.
|
||||
|
||||
## Requirements
|
||||
|
||||
Registering multi-port services with Consul requires Kubernetes. Multi-port services are not supported on VM deployments.
|
||||
|
||||
### Version requirements
|
||||
|
||||
Consul deployments that use the v2 catalog enabled must meet the following minimum version requirements:
|
||||
|
||||
- `consul` v1.18.0
|
||||
- `consul-k8s` CLI v1.4.0 or `hashicorp/consul` Helm chart release v1.4.0
|
||||
- `consul-dataplane` v1.4.0
|
||||
|
||||
To install or update the `consul-k8s CLI`, refer to [install the latest version](/consul/docs/k8s/installation/install-cli#install-the-latest-version) or [upgrade the CLI](/consul/docs/k8s/upgrade/upgrade-cli#upgrade-the-cli).
|
||||
|
||||
The required version of Consul dataplanes deploy automatically when using the latest version of `consul-k8s`. Dataplane version is configured manually when you [modify `imageConsulDataplane`](/consul/docs/k8s/helm#v-global-imageconsuldataplane) in the Helm chart.
|
||||
|
||||
For more information about upgrading Helm charts, refer to [Upgrade Helm chart version](/consul/docs/k8s/upgrade#upgrade-helm-chart-version).
|
||||
|
||||
### Annotation requirements
|
||||
|
||||
The examples on this page include the following required annotations in Kubernetes Deployment resources:
|
||||
|
||||
```yaml
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
"consul.hashicorp.com/mesh-inject": "true"
|
||||
"consul.hashicorp.com/transparent-proxy": "true"
|
||||
```
|
||||
|
||||
These annotations inject Consul dataplanes and enable transparent proxy mode so that the services can curl each other on ports configured in the Kubernetes Service resource. Refer to [annotations and labels](/consul/docs/k8s/annotations-and-labels) for more information.
|
||||
|
||||
## Enable the v2 catalog
|
||||
|
||||
To enable the v2 catalog and its support for multi-port services, set `global.experiments: ["resource-apis"]` and `ui.enabled: false`. The following example includes these parameters in a Helm chart with additional configurations for the Consul installation:
|
||||
|
||||
<CodeBlockConfig name="values.yaml">
|
||||
|
||||
```yaml
|
||||
global:
|
||||
enabled: true
|
||||
name: consul
|
||||
image: hashicorp/consul:1.18.0
|
||||
datacenter: dc1
|
||||
tls:
|
||||
enabled: true
|
||||
acls:
|
||||
manageSystemACLs: true
|
||||
experiments: ["resource-apis"]
|
||||
server:
|
||||
enabled: true
|
||||
replicas: 1
|
||||
connectInject:
|
||||
enabled: true
|
||||
ui:
|
||||
enabled: false
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
Then install Consul to your Kubernetes cluster using either the `consul-k8s` CLI or Helm.
|
||||
|
||||
<Tabs>
|
||||
|
||||
<Tab heading="consul-k8s CLI" group="consul-k8s">
|
||||
|
||||
```shell-session
|
||||
$ consul-k8s install -config-file=values.yaml
|
||||
```
|
||||
|
||||
</Tab>
|
||||
|
||||
<Tab heading="Helm" group="helm">
|
||||
|
||||
```shell-session
|
||||
$ helm install consul hashicorp/consul --create-namespace --namespace consul --version 1.4.0 --values values.yaml
|
||||
```
|
||||
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
## Define the multi-port service
|
||||
|
||||
Consul's v2 catalog supports two new methods for registering services on the mesh in Kubernetes:
|
||||
|
||||
- **Method 1**: Register a Kubernetes service that select workloads which expose multiple ports
|
||||
- **Method 2**: Register multiple Kubernetes Services that direct traffic to an explicit port on the same workload
|
||||
|
||||
These methods affect how the Services are addressed in Kubernetes.
|
||||
|
||||
Each tab in the following example contains a configuration that defines an `api` service using one of these methods. Both definitions schedule a Pod running two containers that each support traffic to one of the ports exposed by the Service. In `Method 1`, both services are addressed using `api` because both services are exposed by a single service. In `Method 2`, `api` and `api-admin` are defined as separate services and can be addressed using distinct names.
|
||||
|
||||
<Tabs>
|
||||
|
||||
<Tab heading="Method 1" group="method1">
|
||||
|
||||
<CodeBlockConfig filename="api.yaml">
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: api
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: api
|
||||
spec:
|
||||
selector:
|
||||
app: api
|
||||
ports:
|
||||
- name: api
|
||||
port: 80
|
||||
targetPort: api
|
||||
- name: admin
|
||||
port: 90
|
||||
targetPort: admin
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: api
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: api
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: api
|
||||
annotations:
|
||||
"consul.hashicorp.com/mesh-inject": "true"
|
||||
"consul.hashicorp.com/transparent-proxy": "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: api
|
||||
image: hashicorp/http-echo:latest
|
||||
args:
|
||||
- -text="hello world"
|
||||
- -listen=:8080
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: api
|
||||
- name: api-admin
|
||||
image: hashicorp/http-echo:latest
|
||||
args:
|
||||
- -text="hello world from 9090 admin"
|
||||
- -listen=:9090
|
||||
ports:
|
||||
- containerPort: 9090
|
||||
name: admin
|
||||
serviceAccountName: api
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
</Tab>
|
||||
|
||||
<Tab heading="Method 2" group="method2">
|
||||
|
||||
<CodeBlockConfig filename="api.yaml">
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: api
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: api
|
||||
spec:
|
||||
selector:
|
||||
app: api
|
||||
ports:
|
||||
- name: api
|
||||
port: 80
|
||||
targetPort: api
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: api-admin
|
||||
spec:
|
||||
selector:
|
||||
app: api
|
||||
ports:
|
||||
- name: admin
|
||||
port: 90
|
||||
targetPort: admin
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: api
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: api
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: api
|
||||
annotations:
|
||||
"consul.hashicorp.com/mesh-inject": "true"
|
||||
"consul.hashicorp.com/transparent-proxy": "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: api
|
||||
image: hashicorp/http-echo:latest
|
||||
args:
|
||||
- -text="hello world"
|
||||
- -listen=:8080
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: api
|
||||
- name: api-admin
|
||||
image: hashicorp/http-echo:latest
|
||||
args:
|
||||
- -text="hello world from 9090 admin"
|
||||
- -listen=:9090
|
||||
ports:
|
||||
- containerPort: 9090
|
||||
name: admin
|
||||
serviceAccountName: api
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
For testing purposes, the following example defines a Service to function as a static client that you can use to verify that the multi-port services function correctly.
|
||||
|
||||
<CodeBlockConfig filename="web.yaml">
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: web
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: web
|
||||
spec:
|
||||
selector:
|
||||
app: web
|
||||
ports:
|
||||
- port: 80
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: web
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: web
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: web
|
||||
annotations:
|
||||
"consul.hashicorp.com/mesh-inject": "true"
|
||||
"consul.hashicorp.com/transparent-proxy": "true"
|
||||
spec:
|
||||
containers:
|
||||
- name: web
|
||||
image: curlimages/curl:latest
|
||||
# Just spin & wait forever, we'll use `kubectl exec` to demo
|
||||
command: ['/bin/sh', '-c', '--']
|
||||
args: ['while true; do sleep 30; done;']
|
||||
serviceAccountName: web
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
To apply these services to your Kubernetes deployment and register them with Consul, run the following command:
|
||||
|
||||
```shell-session
|
||||
$ kubectl apply -f api.yaml -f web.yaml
|
||||
```
|
||||
|
||||
## Configure traffic permissions
|
||||
|
||||
Consul uses traffic permissions to validate communication between services based on L4 identity. When ACLs are enabled for the service mesh, traffic permissions deny all services by default. In order to allow traffic between the static client and the multi-port service, create CRDs that allow traffic to each port.
|
||||
|
||||
The following examples create Consul CRDs that allow traffic to only one port of the multi-port service. Each resource separately denies `web` permission when it is a source of traffic to one of the services. These traffic permissions work with either method for defining a multi-port service. When following the instructions on this page, apply these permissions individually when you validate the ports.
|
||||
|
||||
<CodeTabs tabs={[ "Allow port 80", "Allow port 90" ]}>
|
||||
|
||||
<CodeBlockConfig filename="allow-80.yaml">
|
||||
|
||||
```yaml
|
||||
apiVersion: auth.consul.hashicorp.com/v2beta1
|
||||
kind: TrafficPermissions
|
||||
metadata:
|
||||
name: web-to-api
|
||||
spec:
|
||||
destination:
|
||||
identityName: api
|
||||
action: ACTION_ALLOW
|
||||
permissions:
|
||||
- sources:
|
||||
- identityName: web
|
||||
destinationRules:
|
||||
- portNames: ["api"]
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
<CodeBlockConfig filename="allow-90.yaml">
|
||||
|
||||
```yaml
|
||||
apiVersion: auth.consul.hashicorp.com/v2beta1
|
||||
kind: TrafficPermissions
|
||||
metadata:
|
||||
name: web-to-admin
|
||||
spec:
|
||||
destination:
|
||||
identityName: api
|
||||
action: ACTION_ALLOW
|
||||
permissions:
|
||||
- sources:
|
||||
- identityName: web
|
||||
destinationRules:
|
||||
- portNames: ["admin"]
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
</CodeTabs>
|
||||
|
||||
## Validate multi-port connection
|
||||
|
||||
To open a shell to the `web` container, you need the name of the Pod it currently runs on. Run the following command to return a list of Pods:
|
||||
|
||||
```shell-session
|
||||
$ kubectl get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
api-5784b54bcc-tp98l 3/3 Running 0 6m55s
|
||||
web-6dcbd684bc-gk8n5 2/2 Running 0 6m55s
|
||||
```
|
||||
|
||||
Set environment variables to remember the pod name for the web workload for use in future commands.
|
||||
|
||||
<CodeBlockConfig hideClipboard>
|
||||
|
||||
```shell-session
|
||||
$ export WEB_POD=web-6dcbd684bc-gk8n5
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
### Apply traffic permissions
|
||||
|
||||
Use the `web` Pod's name to open a shell session and test the `api` service on both ports. When ACLs are enabled, these commands fail until you apply a traffic permissions resource.
|
||||
|
||||
<Tabs>
|
||||
|
||||
<Tab heading="Method 1" group="method1">
|
||||
|
||||
Test the `api` service on port 80.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
```
|
||||
|
||||
Then test the `api` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:90
|
||||
```
|
||||
|
||||
</Tab>
|
||||
|
||||
<Tab heading="Method 2" group="method2">
|
||||
|
||||
Test the `api` service on port 80.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
```
|
||||
|
||||
Then test the `api-admin` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90
|
||||
```
|
||||
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
Apply the CRD to allow traffic to port 80:
|
||||
|
||||
```shell-session
|
||||
$ kubectl apply -f allow-80.yaml
|
||||
```
|
||||
|
||||
<Tabs>
|
||||
|
||||
<Tab heading="Method 1" group="method1">
|
||||
|
||||
Then, open a shell session in the `web` container and test the `api` service on port 80.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
hello world
|
||||
```
|
||||
</Tab>
|
||||
|
||||
<Tab heading="Method 2" group="method2">
|
||||
|
||||
Then, open a shell session in the `web` container and test the `api` service on port 80.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
hello world
|
||||
```
|
||||
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
Apply the CRD to allow traffic to port 90:
|
||||
|
||||
```shell-session
|
||||
$ kubectl apply -f allow-90.yaml
|
||||
```
|
||||
|
||||
<Tabs>
|
||||
|
||||
<Tab heading="Method 1" group="method1">
|
||||
|
||||
Then, open a shell session in the `web` container and test the `api` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:90
|
||||
hello world from 9090 admin
|
||||
```
|
||||
|
||||
</Tab>
|
||||
|
||||
<Tab heading="Method 2" group="method2">
|
||||
|
||||
Then, open a shell session in the `web` container and test the `api-admin` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90
|
||||
hello world from 9090 admin
|
||||
```
|
||||
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
## Next steps
|
||||
|
||||
After applying traffic permissions and validating service-to-service communication within your service mesh, you can manage traffic between multi-port services, filter traffic between ports based on L7 header information, or direct match HTTP query parameters to a specific port.
|
||||
|
||||
Refer to the following pages for more information:
|
||||
|
||||
- [Split traffic between services](/consul/docs/k8s/multiport/traffic-split)
|
||||
- [gRPC route example: route traffic by matching header](/consul/docs/k8s/multiport/reference/httproute#route-traffic-by-matching-header)
|
||||
- [HTTP route example: route traffic by matching header](/consul/docs/k8s/multiport/reference/httproute#route-traffic-by-matching-header)
|
||||
- [HTTP route example: route traffic by matching header and query parameter](/consul/docs/k8s/multiport/reference/httproute#route-traffic-by-matching-header-and-query-parameter)
|
@ -1,808 +0,0 @@
|
||||
---
|
||||
layout: docs
|
||||
page_title: GRPCRoute resource configuration reference
|
||||
description: The GRPCRoute resource CRD configures L7 gRPC traffic behavior within the service mesh. GRPCRoute requires the v2 catalog API. Learn how to configure the GRPCRoute CRD with specifications and example configurations.
|
||||
---
|
||||
|
||||
# GRPCRoute resource configuration reference
|
||||
|
||||
This page provides reference information for the `GRPCRoute` resource, which defines L7 gRPC traffic within the service mesh.
|
||||
|
||||
This custom resource definition (CRD) describes a resource related to the [Kubernetes GAMMA initiative](https://gateway-api.sigs.k8s.io/concepts/gamma/) that requires the [v2 catalog API](/consul/docs/architecture/v2/catalog). It is not compatible with the [v1 catalog API](/consul/docs/architecture/catalog). For more information about GAMMA resources, refer to the [Kubernetes Gateway API documentation](https://gateway-api.sigs.k8s.io/concepts/gamma/).
|
||||
|
||||
## Configuration model
|
||||
|
||||
The following list outlines field hierarchy, language-specific data types, and requirements in a gRPC route CRD. Click on a property name to view additional details, including default values.
|
||||
|
||||
- [`apiVersion`](#apiversion): string | required | must be set to `mesh.consul.hashicorp.com/v2beta1`
|
||||
- [`kind`](#kind): string | required | must be set to `GRPCRoute`
|
||||
- [`metadata`](#metadata): map | required
|
||||
- [`name`](#metadata-name): string | required
|
||||
- [`namespace`](#metadata-namespace): string | optional <EnterpriseAlert inline />
|
||||
- [`spec`](#spec): map | required
|
||||
- [`parentRefs`](#spec-parentrefs): map | required
|
||||
- [`port`](#spec-parentrefs-port): string
|
||||
- [`ref`](#spec-parentrefs-ref): string | required
|
||||
- [`name`](#spec-parentrefs-ref-name): string
|
||||
- [`type`](#spec-parentrefs-ref-type): map
|
||||
- [`group`](#spec-parentrefs-ref-type): string
|
||||
- [`groupVersion`](#spec-parentrefs-ref-type): string
|
||||
- [`kind`](#spec-parentrefs-ref-type): string
|
||||
- [`rules`](#spec-rules): map | required
|
||||
- [`backendRefs`](#spec-rules-backendrefs): map
|
||||
- [`backendRef`](#spec-rules-backendrefs-backendref): map
|
||||
- [`datacenter`](#spec-rules-backendrefs-backendref-datacenter): string
|
||||
- [`port`](#spec-rules-backendrefs-backendref-port): string
|
||||
- [`ref`](#spec-rules-backendrefs-backendref-ref): map
|
||||
- [`name`](#spec-rules-backendrefs-backendref-ref-name): string
|
||||
- [`type`](#spec-rules-backendrefs-backendref-ref-type): map
|
||||
- [`group`](#spec-rules-backendrefs-backendref-ref-type): string
|
||||
- [`groupVersion`](#spec-rules-backendrefs-backendref-ref-type): string
|
||||
- [`kind`](#spec-rules-backendrefs-backendref-ref-type): string
|
||||
- [`filters`](#spec-rules-backendrefs-filters): map
|
||||
- [`requestHeaderModifier`](#spec-rules-backendrefs-filters-requestheadermodifier): map
|
||||
- [`add`](#spec-rules-backendrefs-filters-requestheadermodifier): map
|
||||
- [`set`](#spec-rules-backendrefs-filters-requestheadermodifier): map
|
||||
- [`remove`](#spec-rules-backendrefs-filters-requestheadermodifier): map
|
||||
- [`responseHeaderModifier`](#spec-rules-backendrefs-filters-responseheadermodifier): map
|
||||
- [`add`](#spec-rules-backendrefs-filters-responseheadermodifier): map
|
||||
- [`set`](#spec-rules-backendrefs-filters-responseheadermodifier): map
|
||||
- [`remove`](#spec-rules-backendrefs-filters-responseheadermodifier): map
|
||||
- [`urlRewrite`](#spec-rules-backendrefs-filters-urlrewrite): map
|
||||
- [`pathPrefix`](#spec-rules-backendrefs-filters-urlrewrite): string
|
||||
- [`weight`](#spec-rules-backendrefs-weight): number | `1`
|
||||
- [`filters`](#spec-rules-filters): map
|
||||
- [`requestHeaderModifier`](#spec-rules-filters-requestheadermodifier): map
|
||||
- [`add`](#spec-rules-filters-requestheadermodifier): map
|
||||
- [`set`](#spec-rules-filters-requestheadermodifier): map
|
||||
- [`remove`](#spec-rules-filters-requestheadermodifier): map
|
||||
- [`responseHeaderModifier`](#spec-rules-filters-responseheadermodifier): map
|
||||
- [`add`](#spec-rules-filters-responseheadermodifier): map
|
||||
- [`set`](#spec-rules-filters-responseheadermodifier): map
|
||||
- [`remove`](#spec-rules-filters-responseheadermodifier): map
|
||||
- [`urlRewrite`](#spec-rules-filters-urlrewrite): map
|
||||
- [`pathPrefix`](#spec-rules-filters-urlrewrite): string
|
||||
- [`matches`](#spec-rules-matches): map
|
||||
- [`headers`](#spec-rules-matches-headers): map
|
||||
- [`name`](#spec-rules-matches-headers-name): string
|
||||
- [`type`](#spec-rules-matches-headers-type): string
|
||||
- [`value`](#spec-rules-matches-headers-value): string
|
||||
- [`method`](#spec-rules-matches-method): map
|
||||
- [`method`](#spec-rules-matches-method-method): string
|
||||
- [`service`](#spec-rules-matches-method-service): string
|
||||
- [`type`](#spec-rules-matches-method-type): string
|
||||
- [`retries`](#spec-rules-retries): map
|
||||
- [`number`](#spec-rules-retries-number): map
|
||||
- [`value`](#spec-rules-retries-number): number
|
||||
- [`onConditions`](#spec-rules-retries-onconditions): map of strings
|
||||
- [`onConnectFailure`](#spec-rules-retries-onconnectfailure): boolean | `false`
|
||||
- [`onStatusCodes`](#spec-rules-retries-onconditions): map of numbers
|
||||
- [`timeouts`](#spec-rules-timeouts): map
|
||||
- [`idle`](#spec-rules-timeouts-idle): string
|
||||
- [`request`](#spec-rules-timeouts-request): string
|
||||
|
||||
## Complete configuration
|
||||
|
||||
When every field is defined, a gRPC route resource CRD has the following form:
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1 # required
|
||||
kind: GRPCRoute # required
|
||||
metadata:
|
||||
name: <CRDName>
|
||||
namespace: <namespace>
|
||||
spec:
|
||||
parentRefs:
|
||||
port: <portRoutedFrom>
|
||||
- ref:
|
||||
name: <nameRoutedFrom>
|
||||
type:
|
||||
group: <catalog>
|
||||
groupVersion: <v2beta1>
|
||||
kind: <Service>
|
||||
rules:
|
||||
- backendRefs:
|
||||
- backendRef:
|
||||
datacenter: <datacenterRoutedTo>
|
||||
port: "<portRoutedTo>"
|
||||
ref:
|
||||
name: <nameRoutedTo>
|
||||
type:
|
||||
group: <catalog>
|
||||
groupVersion: <v2beta1>
|
||||
kind: <Service>
|
||||
filters:
|
||||
- requestHeaderModifier:
|
||||
add:
|
||||
name: <headerName>
|
||||
value: <headerValue>
|
||||
- responseHeaderModifier:
|
||||
set:
|
||||
name: <headerName>
|
||||
value: <headerValue>
|
||||
urlRewrite:
|
||||
pathPrefix: <path/prefix>
|
||||
weight: 1
|
||||
filters:
|
||||
requestHeaderModifier:
|
||||
remove:
|
||||
name: <headerName>
|
||||
value: <headerValue>
|
||||
responseHeaderModifier:
|
||||
add:
|
||||
name: <headerName>
|
||||
value: <headerValue>
|
||||
urlRewrite:
|
||||
pathPrefix: <path/prefix>
|
||||
matches:
|
||||
headers:
|
||||
name: <nameToMatch>
|
||||
type: <typeToMatch>
|
||||
value: <valueToMatch>
|
||||
method:
|
||||
method: <methodToMatch>
|
||||
service: <serviceToMatch>
|
||||
type: <typeToMatch>
|
||||
retries:
|
||||
number:
|
||||
value: 1
|
||||
onConditions: ["cancelled", "unavailable"]
|
||||
onConnectFailure: false
|
||||
onStatusCodes: [400, 404]
|
||||
timeouts:
|
||||
idle: <1s>
|
||||
request: <1s>
|
||||
```
|
||||
|
||||
## Specification
|
||||
|
||||
This section provides details about the fields you can configure in the `GRPCRoute` custom resource definition (CRD).
|
||||
|
||||
### `apiVersion`
|
||||
|
||||
Specifies the version of the Consul API for integrating with Kubernetes. The value must be `mesh.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- String value that must be set to `mesh.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
### `kind`
|
||||
|
||||
Specifies the type of CRD to implement. Must be set to `GRPCRoute`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String value that must be set to `GRPCRoute`.
|
||||
|
||||
### `metadata`
|
||||
|
||||
Map that contains an arbitrary name for the CRD and the namespace it applies to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `metadata.name`
|
||||
|
||||
Specifies a name for the CRD. The name is metadata that you can use to reference the resource when performing Consul operations, such as using the `consul resource` command. Refer to [`consul resource`](/consul/docs/k8s/connect/multiport/reference/resource-command) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String
|
||||
|
||||
### `metadata.namespace` <EnterpriseAlert inline />
|
||||
|
||||
Specifies the namespace that the service resolver applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec`
|
||||
|
||||
Map that contains the details about the `GRPCRoute` CRD. The `apiVersion`, `kind`, and `metadata` fields are siblings of the spec field. All other configurations are children.
|
||||
|
||||
When using this CRD, the `spec` field closely resembles the `GRPCRoute` GAMMA resource. Refer to [GRPCRoute in the Kubernetes documentation](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: Map
|
||||
|
||||
### `spec.parentRefs`
|
||||
|
||||
Specifies the services and other resources to attach the route to. You can only define one `parentsRefs` configuration for each route. To attach the route to multiple resources, specify additional [`spec.parentRefs.ref`](#spec-parentrefs-ref) configurations in the `parentsRefs` block. You can only specify the name of one port for the route. Any resources that send traffic through the route use the same port.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: Map
|
||||
|
||||
### `spec.parentRefs.port`
|
||||
|
||||
Specifies the port for the Consul service that the configuration applies to. This parameter can be either a virtual port number, such as a Kubernetes service port, or a non-numeric target port value representing a named workload port.
|
||||
|
||||
If you are not targeting a virtual port, specify the workload port name directly.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.parentRefs.ref`
|
||||
|
||||
Specifies the resource that the route attaches to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.parentRefs.ref.name`
|
||||
|
||||
Specifies the user-defined name of the resource that the configuration applies to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.parentRefs.ref.type`
|
||||
|
||||
Specifies the type of resource that the configuration applies to. To reference a service in the Consul catalog, configure the resource type as `catalog.v2beta1.Service`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameters:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :------------ | :------------------------------------------------------------------- | :-------- | :------- |
|
||||
| `group` | Specifies a group for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `catalog`. | String | None |
|
||||
| `groupVersion` | Specifies a groupVersion for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `v2beta1`. | String | None |
|
||||
| `kind` | Specifies the kind of the Kubernetes object the resource applies to. To reference a service in the Consul catalog, set this parameter to `Service`. | String | None |
|
||||
|
||||
### `spec.rules`
|
||||
|
||||
Specifies rules for sidecar proxies to direct a service's gRPC traffic within the service mesh, including filtering, retry, and timeout behavior.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs`
|
||||
|
||||
Specifies the Kubernetes Service backend to direct GRPC traffic to when a request matches the service described in [`spec.parentRefs`](#spec-parentrefs). The Service backend is the collection of endpoint IPs for the service. Refer to [the Kubernetes Gateway API specification](https://gateway-api.sigs.k8s.io/concepts/gamma/#an-overview-of-the-gateway-api-for-service-mesh) for more information about Service backends.
|
||||
|
||||
When a valid Service backend cannot be reached and no additional filters apply, traffic that matches the rule returns a 500 status code.
|
||||
|
||||
When different Service backends are specified in [`spec.rules.backendRefs.weight`](#spec-rules-backendrefs-weight) and one of the backends is invalid, Consul continues to apply the specified weights instead of adjusting the relative weights to exclude traffic to the invalid backend. For example, when traffic is configured in a 50-50 split between `api` and `admin` and no valid endpoints for `admin` can be reached, the 50% of traffic intended for `admin` returns with a 500 status code.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.backendRef`
|
||||
|
||||
Specifies an individual Service backend where matching requests should be sent.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.datacenter`
|
||||
|
||||
Specifies the name of the Consul datacenter that registered the Service backend that the configuration routes traffic to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.port`
|
||||
|
||||
Specifies the port for the Consul service that the configuration routes traffic to. This parameter can be either a virtual port number, such as a Kubernetes service port, or a non-numeric target port value representing a named workload port.
|
||||
|
||||
If you are not targeting a virtual port, specify the workload port name directly.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.ref`
|
||||
|
||||
The Consul service that the configuration routes traffic to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.ref.name`
|
||||
|
||||
Specifies the user-defined name of the resource that the configuration routes traffic to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.ref.type`
|
||||
|
||||
Specifies the type of resource that the configuration routes traffic to. To reference a service in the Consul catalog, configure the resource type as `catalog.v2beta1.Service`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameters:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| --- | --- | --- | --- |
|
||||
| `group` | Specifies a group for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `catalog`. | String | None |
|
||||
| `groupVersion` | Specifies a groupVersion for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `v2beta1`. | String | None |
|
||||
| `kind` | Specifies the kind of the Kubernetes object for the resource. To reference a service in the Consul catalog, set this parameter to `Service`. | String | None |
|
||||
|
||||
### `spec.rules.backendRefs.filters`
|
||||
|
||||
Specifies filtering behavior for services configured in the same [`spec.rules.backendRefs`](#spec-rules-backendrefs) block.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.filters.requestHeaderModifier`
|
||||
|
||||
Specifies a set of header modification rules applied to requests routed with the gRPC route resource.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Values: Object containing one or more fields that define header modification rules:
|
||||
- `add`: Map of one or more key-value pairs.
|
||||
- `set`: Map of one or more key-value pairs.
|
||||
- `remove`: Map of one or more key-value pairs.
|
||||
|
||||
The following table describes how to configure values for request headers:
|
||||
|
||||
| Rule | Description | Type |
|
||||
| --- | --- | --- |
|
||||
| `add` | Defines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can [use variable placeholders](#use-variable-placeholders). | Map of strings |
|
||||
| `set` | Defines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can [use variable placeholders](#use-variable-placeholders). | Map of strings |
|
||||
| `remove` | Defines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive. | List of strings |
|
||||
|
||||
##### Use variable placeholders
|
||||
|
||||
For `add` and `set`, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable `%DOWNSTREAM_REMOTE_ADDRESS%` allows you to pass a value that is generated when the split occurs.
|
||||
|
||||
### `spec.rules.backendRefs.filters.responseHeaderModifier`
|
||||
|
||||
Specifies a set of header modification rules applied to responses routed with the gRPC route resource.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Values: Object containing one or more fields that define header modification rules:
|
||||
- `add`: Map of one or more key-value pairs.
|
||||
- `set`: Map of one or more key-value pairs.
|
||||
- `remove`: Map of one or more key-value pairs.
|
||||
|
||||
The following table describes how to configure values for request headers:
|
||||
|
||||
| Rule | Description | Type |
|
||||
| --- | --- | --- |
|
||||
| `add` | Defines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can [use variable placeholders](#use-variable-placeholders). | Map of strings |
|
||||
| `set` | Defines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can [use variable placeholders](#use-variable-placeholders). | Map of strings |
|
||||
| `remove` | Defines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive. | List of strings |
|
||||
|
||||
##### Use variable placeholders
|
||||
|
||||
For `add` and `set`, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable `%DOWNSTREAM_REMOTE_ADDRESS%` allows you to pass a value that is generated when the split occurs.
|
||||
|
||||
### `spec.rules.backendRefs.filters.urlRewrite`
|
||||
|
||||
Specifies a path to modify the URL with when a request is forwarded.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameter:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :------------ | :------------------------------------------------------------------------------------------------- | --------- | ------- |
|
||||
| `pathPrefix` | Specifies the path that is prepended to the URL. | String | None |
|
||||
|
||||
### `spec.rules.backendRefs.weight`
|
||||
|
||||
Specifies the proportion of requests routed to the specified service.
|
||||
|
||||
This proportion is relative to the sum of all weights in the [`spec.rules.backendRefs`](#spec-rules-backendrefs) block. As a result, weights do not need to add up to 100. When only one backend is specified and the weight is greater then 0, Consul forwards 100% of traffic to the backend.
|
||||
|
||||
When this parameter is not specified, Consul defaults to `1`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `1`
|
||||
- Data type: Integer
|
||||
|
||||
### `spec.rules.filters`
|
||||
|
||||
Specifies filtering behavior for all requests that match the service defined in [`spec.parentRefs`](#spec-parent-refs).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.filters.requestHeaderModifier`
|
||||
|
||||
Specifies a set of header modification rules applied to requests that match the service defined in [`spec.parentRefs`](#spec-parent-refs).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Values: Object containing one or more fields that define header modification rules:
|
||||
- `add`: Map of one or more key-value pairs.
|
||||
- `set`: Map of one or more key-value pairs.
|
||||
- `remove`: Map of one or more key-value pairs.
|
||||
|
||||
The following table describes how to configure values for request headers:
|
||||
|
||||
| Rule | Description | Type |
|
||||
| --- | --- | --- |
|
||||
| `add` | Defines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can [use variable placeholders](#use-variable-placeholders). | Map of strings |
|
||||
| `set` | Defines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can [use variable placeholders](#use-variable-placeholders). | Map of strings |
|
||||
| `remove` | Defines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive. | List of strings |
|
||||
|
||||
##### Use variable placeholders
|
||||
|
||||
For `add` and `set`, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable `%DOWNSTREAM_REMOTE_ADDRESS%` allows you to pass a value that is generated when the split occurs.
|
||||
|
||||
### `spec.rules.filters.responseHeaderModifier`
|
||||
|
||||
Specifies a set of header modification rules applied to responses from services matching [`spec.parentRefs`](#spec-parent-refs).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Values: Object containing one or more fields that define header modification rules:
|
||||
- `add`: Map of one or more key-value pairs.
|
||||
- `set`: Map of one or more key-value pairs.
|
||||
- `remove`: Map of one or more key-value pairs.
|
||||
|
||||
The following table describes how to configure values for request headers:
|
||||
|
||||
| Rule | Description | Type |
|
||||
| --- | --- | --- |
|
||||
| `add` | Defines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can [use variable placeholders](#use-variable-placeholders). | Map of strings |
|
||||
| `set` | Defines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can [use variable placeholders](#use-variable-placeholders). | Map of strings |
|
||||
| `remove` | Defines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive. | List of strings |
|
||||
|
||||
##### Use variable placeholders
|
||||
|
||||
For `add` and `set`, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable `%DOWNSTREAM_REMOTE_ADDRESS%` allows you to pass a value that is generated when the split occurs.
|
||||
|
||||
### `spec.rules.filters.urlRewrite`
|
||||
|
||||
Specifies a path to modify the URL with when a request matching [`spec.parentRefs`](#spec-parent-refs) is forwarded.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameter:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :------------ | :------------------------------------------------------------------------------------------------- | --------- | ------- |
|
||||
| `pathPrefix` | Specifies a path to prepend to the URL when a request matching [`spec.parentRefs`](#spec-parent-refs) is forwarded. | String | None |
|
||||
|
||||
### `spec.rules.matches`
|
||||
|
||||
Specifies rules for matching traffic to services described in [`spec.parentRefs`](#spec-parent-refs) according to the request header or method.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.matches.headers`
|
||||
|
||||
Specifies criteria for matching gRPC request headers.
|
||||
|
||||
When [`spec.rules.matches.headers.value`] is specified multiple times, a request must match all of the specified values for the route to be selected.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.matches.headers.name`
|
||||
|
||||
Specifies the name of a gRPC request header to match on.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.matches.headers.type`
|
||||
|
||||
Specifies a type of match to perform on the gRPC request header. Supported match types include: unspecified, exact, regex, present, prefix, and suffix.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String that should match one of the following values:
|
||||
|
||||
- `HEADER_MATCH_TYPE_UNSPECIFIED`
|
||||
- `HEADER_MATCH_TYPE_EXACT`
|
||||
- `HEADER_MATCH_TYPE_REGEX`
|
||||
- `HEADER_MATCH_TYPE_PRESENT`
|
||||
- `HEADER_MATCH_TYPE_PREFIX`
|
||||
- `HEADER_MATCH_TYPE_SUFFIX`
|
||||
|
||||
### `spec.rules.matches.headers.value`
|
||||
|
||||
Specifies the value of the gRPC request header to match. When this field is specified multiple times, a request must match all of the specified values for the route to be selected.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.matches.method`
|
||||
|
||||
Specifies criteria for matching a service and a gRPC request method. When configuring this field, either [`spec.rules.matches.method.method`](#spec-rules-matches-method-method) or [`spec.rules.matches.method.service`](#spec-rules-matches-method-service) must be a non-empty string.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.matches.method.method`
|
||||
|
||||
Specifies the value of the method to match. When empty or omitted, all methods match.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.matches.method.service`
|
||||
|
||||
Specifies the value of the service to match. When empty or omitted, all services match.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.matches.method.type`
|
||||
|
||||
Specifies a type of match to perform on the gRPC request method. Supported match types include: unspecified, exact, and regex.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String that should match one of the following values:
|
||||
|
||||
- `GRPC_METHOD_MATCH_TYPE_UNSPECIFIED`
|
||||
- `GRPC_METHOD_MATCH_TYPE_EXACT`
|
||||
- `GRPC_METHOD_MATCH_TYPE_REGEX`
|
||||
|
||||
### `spec.rules.retries`
|
||||
|
||||
Specifies retry logic for routing gRPC traffic.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.retries.number`
|
||||
|
||||
Specifies the number of retries to attempt when a request fails.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map that contains the following parameter:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :-------- | :------------------------------------------- | --------- | ------- |
|
||||
| `value` | Specifies the number of retries to attempt. | Integer | None |
|
||||
|
||||
### `spec.rules.retries.onConditions`
|
||||
|
||||
Specifies Envoy conditions that cause an automatic retry attempt.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map of strings
|
||||
|
||||
### `spec.rules.retries.onConnectFailure`
|
||||
|
||||
Enables an automatic retry attempt when a connection failure error occurs.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `false`
|
||||
- Data type: Boolean
|
||||
|
||||
### `spec.rules.retries.onStatusCodes`
|
||||
|
||||
Specifies the response status codes that are eligible for retry attempts.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map of integers
|
||||
|
||||
### `spec.rules.timeouts`
|
||||
|
||||
Specifies timeout logic when routing gRPC traffic
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.timeouts.idle`
|
||||
|
||||
Specifies the total amount of time permitted for the request stream to be idle before a timeout occurs.
|
||||
|
||||
This field accepts a string indicating the number of seconds. For example, indicate five seconds with `5s` and five milliseconds with `0.005s`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.timeouts.request`
|
||||
|
||||
Specifies the total amount of time spent processing the entire downstream request, including retries, before triggering a timeout.
|
||||
|
||||
This field accepts a string indicating the number of seconds. For example, indicate five seconds with `5s` and five milliseconds with `0.005s`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
## Examples
|
||||
|
||||
The following examples demonstrate common GRPCRoute CRD configuration patterns for specific use cases.
|
||||
|
||||
### Split gRPC traffic between two ports
|
||||
|
||||
The following example splits traffic for the `api` service. GRPC traffic for services registered to the Consul catalog that are available at the `api-workload` port is split so that 50% of the traffic routes to the service at the `api-workload` port and 50% routes to the service at the `admin-workload` port.
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1
|
||||
kind: GRPCRoute
|
||||
metadata:
|
||||
name: api-split
|
||||
namespace: default
|
||||
spec:
|
||||
parentRefs:
|
||||
- ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
rules:
|
||||
- backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
weight: 50
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "admin-workload" target port.
|
||||
port: "90"
|
||||
weight: 50
|
||||
```
|
||||
|
||||
### Route traffic by matching header
|
||||
|
||||
The following example routes gRPC traffic for the `api` service according to its header. GRPC traffic for services registered to the Consul catalog that are available at the `api-workload` port are routed according to the following criteria:
|
||||
|
||||
- For traffic with a header that contains a `x-debug` value of exactly `1`, Consul modifies the response and request headers and routes to the `api` service at the `api-workload` port.
|
||||
- For traffic with a header that contains a `x-debug` value of exactly `2`, Consul modifies the response and request headers and routes to the `api-admin` service at the `admin-workload` port.
|
||||
|
||||
This example also includes how to include filters that modify request or response headers.
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1
|
||||
kind: GRPCRoute
|
||||
metadata:
|
||||
name: api-match-split
|
||||
namespace: default
|
||||
spec:
|
||||
parentRefs:
|
||||
- ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
rules:
|
||||
- matches:
|
||||
- headers:
|
||||
- type: "HEADER_MATCH_TYPE_EXACT"
|
||||
name: "x-debug"
|
||||
value: "1"
|
||||
filters:
|
||||
- requestHeaderModifier:
|
||||
add:
|
||||
- name: "request-foo"
|
||||
value: "request-bar"
|
||||
- responseHeaderModifier:
|
||||
add:
|
||||
- name: "response-foo"
|
||||
value: "response-bar"
|
||||
backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
- matches:
|
||||
- headers:
|
||||
- type: "HEADER_MATCH_TYPE_EXACT"
|
||||
name: "x-debug"
|
||||
value: "2"
|
||||
filters:
|
||||
- requestHeaderModifier:
|
||||
add:
|
||||
- name: "request-foo"
|
||||
value: "request-bar"
|
||||
- responseHeaderModifier:
|
||||
add:
|
||||
- name: "response-foo"
|
||||
value: "response-bar"
|
||||
backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api-admin
|
||||
# The virtual port number for the "admin-workload" target port.
|
||||
port: "90"
|
||||
```
|
@ -1,925 +0,0 @@
|
||||
---
|
||||
layout: docs
|
||||
page_title: HTTPRoute resource configuration reference
|
||||
description: The HTTPRoute resource CRD configures L7 HTTP traffic behavior within the service mesh. HTTPRoute is a GAMMA resource that requires the v2 catalog API. Learn how to configure the HTTPRoute CRD with specifications and example configurations.
|
||||
---
|
||||
|
||||
# HTTPRoute resource configuration reference
|
||||
|
||||
This page provides reference information for the `HTTPRoute` resource, which defines behavior for L7 HTTP traffic within the service mesh.
|
||||
|
||||
This custom resource definition (CRD) describes a resource related to the [Kubernetes GAMMA initiative](https://gateway-api.sigs.k8s.io/concepts/gamma/) that requires the [v2 catalog API](/consul/docs/architecture/v2/catalog). It is not compatible with the [v1 catalog API](/consul/docs/architecture/catalog). For more information about GAMMA resources, refer to the [Kubernetes Gateway API documentation](https://gateway-api.sigs.k8s.io/concepts/gamma/).
|
||||
|
||||
## Configuration model
|
||||
|
||||
The following list outlines field hierarchy, language-specific data types, and requirements in an HTTP route CRD. Click on a property name to view additional details, including default values.
|
||||
|
||||
- [`apiVersion`](#apiversion): string | required | must be set to `mesh.consul.hashicorp.com/v2beta1`
|
||||
- [`kind`](#kind): string | required | must be set to `HTTPRoute`
|
||||
- [`metadata`](#metadata): map | required
|
||||
- [`name`](#metadata-name): string | required
|
||||
- [`namespace`](#metadata-namespace): string | optional <EnterpriseAlert inline />
|
||||
- [`spec`](#spec): map | required
|
||||
- [`parentRefs`](#spec-parentrefs): map | required
|
||||
- [`port`](#spec-parentrefs-port): string
|
||||
- [`ref`](#spec-parentrefs-ref): string | required
|
||||
- [`name`](#spec-parentrefs-ref-name): string
|
||||
- [`type`](#spec-parentrefs-ref-type): map
|
||||
- [`group`](#spec-parentrefs-ref-type): string
|
||||
- [`groupVersion`](#spec-parentrefs-ref-type): string
|
||||
- [`kind`](#spec-parentrefs-ref-type): string
|
||||
- [`rules`](#spec-rules): map | required
|
||||
- [`backendRefs`](#spec-rules-backendrefs): map
|
||||
- [`backendRef`](#spec-rules-backendrefs-backendref): map
|
||||
- [`datacenter`](#spec-rules-backendrefs-backendref-datacenter): string
|
||||
- [`port`](#spec-rules-backendrefs-backendref-port): string
|
||||
- [`ref`](#spec-rules-backendrefs-backendref-ref): map
|
||||
- [`name`](#spec-rules-backendrefs-backendref-ref-name): string
|
||||
- [`type`](#spec-rules-backendrefs-backendref-ref-type): map
|
||||
- [`group`](#spec-rules-backendrefs-backendref-ref-type): string
|
||||
- [`groupVersion`](#spec-rules-backendrefs-backendref-ref-type): string
|
||||
- [`kind`](#spec-rules-backendrefs-backendref-ref-type): string
|
||||
- [`filters`](#spec-rules-backendrefs-filters): map
|
||||
- [`requestHeaderModifier`](#spec-rules-backendrefs-filters-requestheadermodifier): map
|
||||
- [`add`](#spec-rules-backendrefs-filters-requestheadermodifier): map
|
||||
- [`set`](#spec-rules-backendrefs-filters-requestheadermodifier): map
|
||||
- [`remove`](#spec-rules-backendrefs-filters-requestheadermodifier): map
|
||||
- [`responseHeaderModifier`](#spec-rules-backendrefs-filters-responseheadermodifier): map
|
||||
- [`add`](#spec-rules-backendrefs-filters-responseheadermodifier): map
|
||||
- [`set`](#spec-rules-backendrefs-filters-responseheadermodifier): map
|
||||
- [`remove`](#spec-rules-backendrefs-filters-responseheadermodifier): map
|
||||
- [`urlRewrite`](#spec-rules-backendrefs-filters-urlrewrite): map
|
||||
- [`pathPrefix`](#spec-rules-backendrefs-filters-urlrewrite): string
|
||||
- [`weight`](#spec-rules-backendrefs-weight): number | `1`
|
||||
- [`filters`](#spec-rules-filters): map
|
||||
- [`requestHeaderModifier`](#spec-rules-filters-requestheadermodifier): map
|
||||
- [`add`](#spec-rules-filters-requestheadermodifier): map
|
||||
- [`set`](#spec-rules-filters-requestheadermodifier): map
|
||||
- [`remove`](#spec-rules-filters-requestheadermodifier): map
|
||||
- [`responseHeaderModifier`](#spec-rules-filters-responseheadermodifier): map
|
||||
- [`add`](#spec-rules-filters-responseheadermodifier): map
|
||||
- [`set`](#spec-rules-filters-responseheadermodifier): map
|
||||
- [`remove`](#spec-rules-filters-responseheadermodifier): map
|
||||
- [`urlRewrite`](#spec-rules-filters-urlrewrite): map
|
||||
- [`pathPrefix`](#spec-rules-filters-urlrewrite): string
|
||||
- [`matches`](#spec-rules-matches): map
|
||||
- [`headers`](#spec-rules-matches-headers): map
|
||||
- [`name`](#spec-rules-matches-headers-name): string
|
||||
- [`type`](#spec-rules-matches-headers-type): string
|
||||
- [`value`](#spec-rules-matches-headers-value): string
|
||||
- [`method`](#spec-rules-matches-method): string
|
||||
- [`path`](#spec-rules-matches-path): map
|
||||
- [`type`](#spec-rules-matches-path-type): string
|
||||
- [`value`](#spec-rules-matches-path-value): string
|
||||
- [`queryParams`](#spec-rules-matches-queryparams): map
|
||||
- [`name`](#spec-rules-matches-queryparams-name): string
|
||||
- [`type`](#spec-rules-matches-queryparams-type): string
|
||||
- [`value`](#spec-rules-matches-queryparams-value): string
|
||||
- [`retries`](#spec-rules-retries): map
|
||||
- [`number`](#spec-rules-retries-number): map
|
||||
- [`value`](#spec-rules-retries-number): number
|
||||
- [`onConditions`](#spec-rules-retries-onconditions): map of strings
|
||||
- [`onConnectFailure`](#spec-rules-retries-onconnectfailure): boolean | `false`
|
||||
- [`onStatusCodes`](#spec-rules-retries-onconditions): map of integers
|
||||
- [`timeouts`](#spec-rules-timeouts): map
|
||||
- [`idle`](#spec-rules-timeouts-idle): string
|
||||
- [`request`](#spec-rules-timeouts-request): string
|
||||
|
||||
## Complete configuration
|
||||
|
||||
When every field is defined, an HTTP route CRD has the following form:
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1 # required
|
||||
kind: HTTPRoute # required
|
||||
metadata:
|
||||
name: <crdName>
|
||||
namespace: <namespace>
|
||||
spec:
|
||||
parentRefs:
|
||||
port: <portRoutedFrom>
|
||||
- ref:
|
||||
name: <nameRoutedFrom>
|
||||
type:
|
||||
group: <catalog>
|
||||
groupVersion: <v2beta1>
|
||||
kind: <Service>
|
||||
rules:
|
||||
- backendRefs:
|
||||
- backendRef:
|
||||
datacenter: <datacenterRoutedTo>
|
||||
port: <portRoutedTo>
|
||||
ref:
|
||||
name: <nameRoutedTo>
|
||||
type:
|
||||
group: <catalog>
|
||||
groupVersion: <v2beta1>
|
||||
kind: <Service>
|
||||
filters:
|
||||
- requestHeaderModifier:
|
||||
add:
|
||||
name: <headerName>
|
||||
value: <headerValue>
|
||||
- responseHeaderModifier:
|
||||
set:
|
||||
name: <headerName>
|
||||
value: <headerValue>
|
||||
urlRewrite:
|
||||
pathPrefix: <path/prefix>
|
||||
weight: 1
|
||||
filters:
|
||||
requestHeaderModifier:
|
||||
remove:
|
||||
name: <headerName>
|
||||
value: <headerValue>
|
||||
responseHeaderModifier:
|
||||
add:
|
||||
name: <headerName>
|
||||
value: <headerValue>
|
||||
urlRewrite:
|
||||
pathPrefix: <path/prefix>
|
||||
matches:
|
||||
headers:
|
||||
name: <nameToMatch>
|
||||
type: <HEADER_MATCH_TYPE_EXACT>
|
||||
value: <valueToMatch>
|
||||
method: <methodToMatch>
|
||||
path:
|
||||
type: <PATH_MATCH_TYPE_EXACT>
|
||||
value: /
|
||||
queryParams:
|
||||
name: <nameToMatch>
|
||||
type: <QUERY_PARAM_MATCH_TYPE_EXACT>
|
||||
value: <valueToMatch>
|
||||
retries:
|
||||
number:
|
||||
value: 1
|
||||
onConditions: ["cancelled", "unavailable"]
|
||||
onConnectFailure: false
|
||||
onStatusCodes: [400, 404]
|
||||
timeouts:
|
||||
idle: <1s>
|
||||
request: <1s>
|
||||
```
|
||||
|
||||
## Specification
|
||||
|
||||
This section provides details about the fields you can configure in the `HTTPRoute` custom resource definition (CRD).
|
||||
|
||||
### `apiVersion`
|
||||
|
||||
Specifies the version of the Consul API for integrating with Kubernetes. The value must be `mesh.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- String value that must be set to `mesh.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
### `kind`
|
||||
|
||||
Specifies the type of CRD to implement. Must be set to `HTTPRoute`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String value that must be set to `HTTPRoute`.
|
||||
|
||||
### `metadata`
|
||||
|
||||
Map that contains an arbitrary name for the CRD and the namespace it applies to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `metadata.name`
|
||||
|
||||
Specifies a name for the CRD. The name is metadata that you can use to reference the resource when performing Consul operations, such as using the `consul resource` command. Refer to [`consul resource`](/consul/docs/k8s/connect/multiport/reference/resource-command) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String
|
||||
|
||||
### `metadata.namespace` <EnterpriseAlert inline />
|
||||
|
||||
Specifies the namespace that the service resolver applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec`
|
||||
|
||||
Map that contains the details about the `HTTPRoute` CRD. The `apiVersion`, `kind`, and `metadata` fields are siblings of the spec field. All other configurations are children.
|
||||
|
||||
When using this CRD, the `spec` field closely resembles the `HTTPRoute` GAMMA resource. Refer to [HTTPRoute in the Kubernetes documentation](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: Map
|
||||
|
||||
### `spec.parentRefs`
|
||||
|
||||
Specifies the services and other resources to attach the route to. You can only define one `parentsRefs` configuration for each route. To attach the route to multiple resources, specify additional [`spec.parentRefs.ref`](#spec-parentrefs-ref) configurations in the `parentsRefs` block. You can only specify the name of one port for the route. Any resources that send traffic through the route use the same port.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: Map
|
||||
|
||||
### `spec.parentRefs.port`
|
||||
|
||||
Specifies the port for the Consul service that the configuration applies to. This parameter can be either a virtual port number, such as a Kubernetes service port, or a non-numeric target port value representing a named workload port.
|
||||
|
||||
If you are not targeting a virtual port, specify the workload port name directly.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.parentRefs.ref`
|
||||
|
||||
Specifies the resource that the route attaches to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.parentRefs.ref.name`
|
||||
|
||||
Specifies the user-defined name of the resource that the configuration applies to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.parentRefs.ref.type`
|
||||
|
||||
Specifies the type of resource that the configuration applies to. To reference a service in the Consul catalog, configure the resource type as `catalog.v2beta1.Service`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameters:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :------------ | :------------------------------------------------------------------- | :-------- | :------- |
|
||||
| `group` | Specifies a group for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `catalog`. | String | None |
|
||||
| `groupVersion` | Specifies a groupVersion for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `v2beta1`. | String | None |
|
||||
| `kind` | Specifies the kind of the Kubernetes object the resource applies to. To reference a service in the Consul catalog, set this parameter to `Service`. | String | None |
|
||||
|
||||
### `spec.rules`
|
||||
|
||||
Specifies rules for sidecar proxies to direct a service's HTTP traffic within the service mesh, including filtering, retry, and timeout behavior.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs`
|
||||
|
||||
Specifies the Kubernetes Service backend to direct HTTP traffic to when a request matches the service described in [`spec.parentRefs`](#spec-parentrefs). The Service backend is the collection of endpoint IPs for the service. Refer to [the Kubernetes Gateway API specification](https://gateway-api.sigs.k8s.io/concepts/gamma/#an-overview-of-the-gateway-api-for-service-mesh) for more information about Service backends.
|
||||
|
||||
When a valid Service backend cannot be reached and no additional filters apply, traffic that matches the rule returns a 500 status code.
|
||||
|
||||
When different Service backends are specified in [`spec.rules.backendRefs.weight`](#spec-rules-backendrefs-weight) and one of the backends is invalid, Consul continues to apply the specified weights instead of adjusting the relative weights to exclude traffic to the invalid backend. For example, when traffic is configured in a 50-50 split between `api` and `admin` and no valid endpoints for `admin` can be reached, the 50% of traffic intended for `admin` returns with a 500 status code.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.backendRef`
|
||||
|
||||
Specifies an individual Service backend where matching requests should be sent.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.datacenter`
|
||||
|
||||
Specifies the name of the Consul datacenter that registered the Service backend that the configuration routes traffic to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.port`
|
||||
|
||||
Specifies the name of the port for the Consul service that the configuration routes traffic to. This parameter can be either a virtual port number, such as a Kubernetes service port, or a non-numeric target port value representing a named workload port.
|
||||
|
||||
If you are not targeting a virtual port, specify the workload port name directly.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.ref`
|
||||
|
||||
The Consul service that the configuration routes traffic to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.ref.name`
|
||||
|
||||
Specifies the user-defined name of the resource that the configuration routes traffic to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.ref.type`
|
||||
|
||||
Specifies the type of resource that the configuration routes traffic to. To reference a service in the Consul catalog, configure the resource type as `catalog.v2beta1.Service`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameters:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| `group` | Specifies a group for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `catalog`. | String | None |
|
||||
| `groupVersion` | Specifies a groupVersion for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `v2beta1`. | String | None |
|
||||
| `kind` | Specifies the kind of the Kubernetes object for the resource. To reference a service in the Consul catalog, set this parameter to `Service`. | String | None |
|
||||
|
||||
### `spec.rules.backendRefs.filters`
|
||||
|
||||
Specifies filtering behavior for services configured in the same [`spec.rules.backendRefs`](#spec-rules-backendrefs) block.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.filters.requestHeaderModifier`
|
||||
|
||||
Specifies a set of header modification rules applied to requests routed with the HTTPRoute resource.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Values: Object containing one or more fields that define header modification rules:
|
||||
- `add`: Map of one or more key-value pairs.
|
||||
- `set`: Map of one or more key-value pairs.
|
||||
- `remove`: Map of one or more key-value pairs.
|
||||
|
||||
The following table describes how to configure values for request headers:
|
||||
|
||||
| Rule | Description | Type |
|
||||
| --- | --- | --- |
|
||||
| `add` | Defines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can [use variable placeholders](#use-variable-placeholders). | map of strings |
|
||||
| `set` | Defines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can [use variable placeholders](#use-variable-placeholders). | map of strings |
|
||||
| `remove` | Defines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive. | list of strings |
|
||||
|
||||
##### Use variable placeholders
|
||||
|
||||
For `add` and `set`, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable `%DOWNSTREAM_REMOTE_ADDRESS%` allows you to pass a value that is generated when the split occurs.
|
||||
|
||||
### `spec.rules.backendRefs.filters.responseHeaderModifier`
|
||||
|
||||
Specifies a set of header modification rules applied to responses routed with the HTTPRoute resource.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Values: Object containing one or more fields that define header modification rules:
|
||||
- `add`: Map of one or more key-value pairs.
|
||||
- `set`: Map of one or more key-value pairs.
|
||||
- `remove`: Map of one or more key-value pairs.
|
||||
|
||||
The following table describes how to configure values for request headers:
|
||||
|
||||
| Rule | Description | Type |
|
||||
| --- | --- | --- |
|
||||
| `add` | Defines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can [use variable placeholders](#use-variable-placeholders). | map of strings |
|
||||
| `set` | Defines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can [use variable placeholders](#use-variable-placeholders). | map of strings |
|
||||
| `remove` | Defines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive. | list of strings |
|
||||
|
||||
##### Use variable placeholders
|
||||
|
||||
For `add` and `set`, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable `%DOWNSTREAM_REMOTE_ADDRESS%` allows you to pass a value that is generated when the split occurs.
|
||||
|
||||
### `spec.rules.backendRefs.filters.urlRewrite`
|
||||
|
||||
Specifies a path to modify the URL with when a request is forwarded.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameter:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :------------ | :------------------------------------------------------------------------------------------------- | --------- | ------- |
|
||||
| `pathPrefix` | Specifies the path that is prepended to the URL. | String | None |
|
||||
|
||||
### `spec.rules.backendRefs.weight`
|
||||
|
||||
Specifies the proportion of requests routed to the specified service.
|
||||
|
||||
This proportion is relative to the sum of all weights in the [`spec.rules.backendRefs`](#spec-rules-backendrefs) block. As a result, weights do not need to add up to 100. When only one backend is specified and the weight is greater then 0, Consul forwards 100% of traffic to the backend.
|
||||
|
||||
When this parameter is not specified, Consul defaults to `1`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `1`
|
||||
- Data type: Integer
|
||||
|
||||
### `spec.rules.filters`
|
||||
|
||||
Specifies filtering behavior for all requests that match the service defined in [`spec.parentRefs`](#spec-parent-refs).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.filters.requestHeaderModifier`
|
||||
|
||||
Specifies a set of header modification rules applied to requests that match the service defined in [`spec.parentRefs`](#spec-parent-refs).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Values: Object containing one or more fields that define header modification rules:
|
||||
- `add`: Map of one or more key-value pairs.
|
||||
- `set`: Map of one or more key-value pairs.
|
||||
- `remove`: Map of one or more key-value pairs.
|
||||
|
||||
The following table describes how to configure values for request headers:
|
||||
|
||||
| Rule | Description | Type |
|
||||
| --- | --- | --- |
|
||||
| `add` | Defines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can [use variable placeholders](#use-variable-placeholders). | map of strings |
|
||||
| `set` | Defines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can [use variable placeholders](#use-variable-placeholders). | map of strings |
|
||||
| `remove` | Defines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive. | list of strings |
|
||||
|
||||
##### Use variable placeholders
|
||||
|
||||
For `add` and `set`, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable `%DOWNSTREAM_REMOTE_ADDRESS%` allows you to pass a value that is generated when the split occurs.
|
||||
|
||||
### `spec.rules.filters.responseHeaderModifier`
|
||||
|
||||
Specifies a set of header modification rules applied to responses from services matching [`spec.parentRefs`](#spec-parent-refs).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Values: Object containing one or more fields that define header modification rules:
|
||||
- `add`: Map of one or more key-value pairs.
|
||||
- `set`: Map of one or more key-value pairs.
|
||||
- `remove`: Map of one or more key-value pairs.
|
||||
|
||||
The following table describes how to configure values for request headers:
|
||||
|
||||
| Rule | Description | Type |
|
||||
| --- | --- | --- |
|
||||
| `add` | Defines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can [use variable placeholders](#use-variable-placeholders). | map of strings |
|
||||
| `set` | Defines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can [use variable placeholders](#use-variable-placeholders). | map of strings |
|
||||
| `remove` | Defines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive. | list of strings |
|
||||
|
||||
##### Use variable placeholders
|
||||
|
||||
For `add` and `set`, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable `%DOWNSTREAM_REMOTE_ADDRESS%` allows you to pass a value that is generated when the split occurs.
|
||||
|
||||
### `spec.rules.filters.urlRewrite`
|
||||
|
||||
Specifies a path to modify the URL with when a request matching [`spec.parentRefs`](#spec-parent-refs) is forwarded.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameter:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :------------ | :------------------------------------------------------------------------------------------------- | --------- | ------- |
|
||||
| `pathPrefix` | Specifies a path to prepend to the URL when a request matching [`spec.parentRefs`](#spec-parent-refs) is forwarded. | String | None |
|
||||
|
||||
### `spec.rules.matches`
|
||||
|
||||
Specifies rules for matching traffic to services described in [`spec.parentRefs`](#spec-parent-refs) according to the request header or method.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.matches.headers`
|
||||
|
||||
Specifies criteria for matching HTTP request headers.
|
||||
|
||||
When [`spec.rules.matches.headers.value`] is specified multiple times, a request must match all of the specified values for the route to be selected.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.matches.headers.name`
|
||||
|
||||
Specifies the name of a HTTP request header to match on.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.matches.headers.type`
|
||||
|
||||
Specifies a type of match to perform on the HTTP request header. Supported match types include: unspecified, exact, regex, present, prefix, and suffix.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String that should match one of the following values:
|
||||
|
||||
- `HEADER_MATCH_TYPE_UNSPECIFIED`
|
||||
- `HEADER_MATCH_TYPE_EXACT`
|
||||
- `HEADER_MATCH_TYPE_REGEX`
|
||||
- `HEADER_MATCH_TYPE_PRESENT`
|
||||
- `HEADER_MATCH_TYPE_PREFIX`
|
||||
- `HEADER_MATCH_TYPE_SUFFIX`
|
||||
|
||||
### `spec.rules.matches.headers.value`
|
||||
|
||||
Specifies the value of the HTTP request header to match. When this field is specified multiple times, a request must match all of the specified values for the route to be selected.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.matches.method`
|
||||
|
||||
Specifies the value of the HTTP method to match.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.matches.path`
|
||||
|
||||
Specifies an HTTP request path to match. When this field is not specified, the CRD matches on the `/` path by default.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.matches.path.type`
|
||||
|
||||
Specifies a type of match to perform on the HTTP path. Supported match types include: unspecified, exact, prefix, and regex.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String that should match one of the following values:
|
||||
|
||||
- `PATH_MATCH_TYPE_UNSPECIFIED`
|
||||
- `PATH_MATCH_TYPE_EXACT`
|
||||
- `PATH_MATCH_TYPE_PREFIX`
|
||||
- `PATH_MATCH_TYPE_REGEX`
|
||||
|
||||
### `spec.rules.matches.path.value`
|
||||
|
||||
Value of the HTTP path to match on.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `/`
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.matches.queryParams`
|
||||
|
||||
Specifies HTTP query parameters to match on. When [`spec.rules.matches.queryParams.value`] is specified multiple times, a request must match all of the specified values for the route to be selected.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.matches.queryParams.name`
|
||||
|
||||
Specifies the name of the HTTP query parameter to match. Query parameters matches require exact matches between strings.
|
||||
|
||||
If multiple entries specify identical query parameter names, only the first entry with an equivalent name matches. Subsequent entries with an equivalent query parameter name are ignored. If an HTTP request repeats a query parameter, the behavior is intentionally undefined because different data planes have different capabilities. However, we recommend that matching against the first value of the parameter if the data plane supports it, as this behavior is expected in other load balancing contexts.
|
||||
|
||||
Do not route traffic based on repeated query parameters, as differences in data plane implementations may produce errors.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.matches.queryParams.type`
|
||||
|
||||
Specifies a type of match to perform on the HTTP request header. Supported match types include: unspecified, exact, regex, and present.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String that should match one of the following values:
|
||||
|
||||
- `HEADER_MATCH_TYPE_UNSPECIFIED`
|
||||
- `HEADER_MATCH_TYPE_EXACT`
|
||||
- `HEADER_MATCH_TYPE_REGEX`
|
||||
- `HEADER_MATCH_TYPE_PRESENT`
|
||||
|
||||
### `spec.rules.matches.queryParams.value`
|
||||
|
||||
Specifies the value of the HTTP query parameter to match.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.retries`
|
||||
|
||||
Specifies retry logic for routing HTTP traffic.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.retries.number`
|
||||
|
||||
Specifies the number of retries to attempt when a request fails.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map that contains the following parameter:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :-------- | :------------------------------------------- | --------- | ------- |
|
||||
| `value` | Specifies the number of retries to attempt. | Integer | None |
|
||||
|
||||
### `spec.rules.retries.onConditions`
|
||||
|
||||
Specifies Envoy conditions that cause an automatic retry attempt.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map of strings
|
||||
|
||||
### `spec.rules.retries.onConnectFailure`
|
||||
|
||||
Enables an automatic retry attempt when a connection failure error occurs.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `false`
|
||||
- Data type: Boolean
|
||||
|
||||
### `spec.rules.retries.onStatusCodes`
|
||||
|
||||
Specifies the response status codes that are eligible for retry attempts.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map of integers
|
||||
|
||||
### `spec.rules.timeouts`
|
||||
|
||||
Specifies timeout logic when routing HTTP traffic
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.timeouts.idle`
|
||||
|
||||
Specifies the total amount of time permitted for the request stream to be idle before a timeout occurs.
|
||||
|
||||
This field accepts a string indicating the number of seconds. For example, indicate five seconds with `5s` and five milliseconds with `0.005s`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.timeouts.request`
|
||||
|
||||
Specifies the total amount of time spent processing the entire downstream request, including retries, before triggering a timeout.
|
||||
|
||||
This field accepts a string indicating the number of seconds. For example, indicate five seconds with `5s` and five milliseconds with `0.005s`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
## Examples
|
||||
|
||||
The following examples demonstrate common HTTP route CRD configuration patterns for specific use cases.
|
||||
|
||||
### Split HTTP traffic between two ports
|
||||
|
||||
The following example splits traffic for the `api` service. HTTP traffic for services registered to the Consul catalog that are available at the `api` port is split so that 50% of the traffic routes to the service at the `api` port and 50% routes to the service at the `admin` port.
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: api-split
|
||||
namespace: default
|
||||
spec:
|
||||
parentRefs:
|
||||
- ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
rules:
|
||||
- backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
weight: 50
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "admin-workload" target port.
|
||||
port: "90"
|
||||
weight: 50
|
||||
```
|
||||
|
||||
### Route traffic by matching header
|
||||
|
||||
The following examples routes HTTP traffic for the `api` service according to its header HTTP traffic for services registered to the Consul catalog that are available at the `api-workload` port are routed according to the following criteria:
|
||||
|
||||
- For traffic with a header that contains a `x-debug` value of exactly `1`, Consul routes to the `api` service at the `api-workload` port.
|
||||
- For traffic with a header that contains a `x-debug` value of exactly `2`, Consul routes to the `api-admin` service at the `admin-workload` port.
|
||||
|
||||
This example also configures Consul to modify request and response headers when routing traffic.
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: api-filter
|
||||
namespace: default
|
||||
spec:
|
||||
parentRefs:
|
||||
- ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
rules:
|
||||
- matches:
|
||||
- headers:
|
||||
- type: "HEADER_MATCH_TYPE_EXACT"
|
||||
name: "x-debug"
|
||||
value: "1"
|
||||
filters:
|
||||
- requestHeaderModifier:
|
||||
add:
|
||||
- name: "request-foo"
|
||||
value: "request-bar"
|
||||
- responseHeaderModifier:
|
||||
add:
|
||||
- name: "response-foo"
|
||||
value: "response-bar"
|
||||
backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
- matches:
|
||||
- headers:
|
||||
- type: "HEADER_MATCH_TYPE_EXACT"
|
||||
name: "x-debug"
|
||||
value: "2"
|
||||
filters:
|
||||
- requestHeaderModifier:
|
||||
add:
|
||||
- name: "request-foo"
|
||||
value: "request-bar"
|
||||
- responseHeaderModifier:
|
||||
add:
|
||||
- name: "response-foo"
|
||||
value: "response-bar"
|
||||
backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api-admin
|
||||
# The virtual port number for the "admin-workload" target port.
|
||||
port: "90"
|
||||
```
|
||||
|
||||
### Route traffic by matching header and query parameter
|
||||
|
||||
The following examples routes HTTP traffic for the `api` service according to its header HTTP traffic for services registered to the Consul catalog that are available at the `api-workload` port are routed according to the following criteria:
|
||||
|
||||
- For traffic with a header _and_ a query parameter that both contain `x-debug` values of exactly `1`, Consul routes to the `api` service at the `api-workload` port.
|
||||
- For traffic with a header _and_ a query parameter that both contain `x-debug` values of exactly `2`, Consul routes to the `api-admin` service at the `admin-workload` port.
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: api-match-split
|
||||
namespace: default
|
||||
spec:
|
||||
parentRefs:
|
||||
- ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
rules:
|
||||
- matches:
|
||||
- headers:
|
||||
- type: "HEADER_MATCH_TYPE_EXACT"
|
||||
name: "x-debug"
|
||||
value: "1"
|
||||
queryParams:
|
||||
- type: "QUERY_PARAM_MATCH_TYPE_EXACT"
|
||||
name: "x-debug"
|
||||
value: "1"
|
||||
backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
- matches:
|
||||
- headers:
|
||||
- type: "HEADER_MATCH_TYPE_EXACT"
|
||||
name: "x-debug"
|
||||
value: "2"
|
||||
queryParams:
|
||||
- type: "QUERY_PARAM_MATCH_TYPE_EXACT"
|
||||
name: "x-debug"
|
||||
value: "2"
|
||||
backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api-admin
|
||||
# The virtual port number for the "admin-workload" target port.
|
||||
port: "90"
|
||||
```
|
@ -1,691 +0,0 @@
|
||||
---
|
||||
layout: docs
|
||||
page_title: ProxyConfiguration resource configuration reference
|
||||
description: The ProxyConfiguration resource CRD configures sidecar proxy behavior within the service mesh. Learn how to configure bootstrap and dynamic configurations for proxies according to Workload characteristics with specifications and example configurations.
|
||||
---
|
||||
|
||||
# ProxyConfiguration resource configuration reference
|
||||
|
||||
This page provides reference information for the `ProxyConfigurations` resource, which defines proxy behavior for traffic within the service mesh. The resource specifies both bootstrap and dynamic configurations for proxies.
|
||||
|
||||
This custom resource definition (CRD) describes a resource related to the [Kubernetes GAMMA initiative](https://gateway-api.sigs.k8s.io/concepts/gamma/) that requires the [v2 catalog API](/consul/docs/architecture/v2/catalog). It is not compatible with the [v1 catalog API](/consul/docs/architecture/catalog). For more information about GAMMA resources, refer to the [Kubernetes Gateway API documentation](https://gateway-api.sigs.k8s.io/concepts/gamma/).
|
||||
|
||||
## Configuration model
|
||||
|
||||
The following list outlines field hierarchy, language-specific data types, and requirements in a ProxyConfiguration CRD. Click on a property name to view additional details, including default values.
|
||||
|
||||
- [`apiVersion`](#apiversion): string | required | must be set to `mesh.consul.hashicorp.com/v2beta1`
|
||||
- [`kind`](#kind): string | required | must be set to `ProxyConfiguration`
|
||||
- [`metadata`](#metadata): map | required
|
||||
- [`name`](#metadata-name): string | required
|
||||
- [`namespace`](#metadata-namespace): string | optional <EnterpriseAlert inline />
|
||||
- [`spec`](#spec): map | required
|
||||
- [`workloads`](#spec-workloads): map
|
||||
- [`filter`](#spec-workloads): string
|
||||
- [`names`](#spec-workloads): array of strings
|
||||
- [`prefixes`](#spec-workloads): array of strings
|
||||
- [`bootstrapConfig`](#spec-bootstrapconfig): map
|
||||
- [`dogstatsdUrl`](#spec-bootstrapconfig): string
|
||||
- [`overrideJsonTpl`](#spec-bootstrapconfig): string
|
||||
- [`prometheusBindAddr`](#spec-bootstrapconfig): string
|
||||
- [`readyBindAddr`](#spec-bootstrapconfig): string
|
||||
- [`staticClustersJson`](#spec-bootstrapconfig): string
|
||||
- [`staticListenersJson`](#spec-bootstrapconfig): string
|
||||
- [`statsBindAddr`](#spec-bootstrapconfig): string
|
||||
- [`statsConfigJson`](#spec-bootstrapconfig): string
|
||||
- [`statsFlushInterval`](#spec-bootstrapconfig): string
|
||||
- [`statsSinksJson`](#spec-bootstrapconfig): string
|
||||
- [`statsTags`](#spec-bootstrapconfig): array of strings
|
||||
- [`statsdUrl`](#spec-bootstrapconfig): string
|
||||
- [`telemetryCollectorBindSocketDir`](#spec-bootstrapconfig): string
|
||||
- [`tracingConfigJson`](#spec-bootstrapconfig): string
|
||||
- [`dynamicConfig`](#spec-dynamicconfig): map
|
||||
- [`accessLogs`](#spec-dynamicconfig-accesslogs): map
|
||||
- [`enabled`](#spec-dynamicconfig-accesslogs-enabled): boolean | `false`
|
||||
- [`disableListenerLogs`](#spec-dynamicconfig-accesslogs-disablelistenerlogs): boolean | `false`
|
||||
- [`jsonFormat`](#spec-dynamicconfig-accesslogs-jsonformat): string
|
||||
- [`path`](#spec-dynamicconfig-accesslogs-path): string
|
||||
- [`textFormat`](#spec-dynamicconfig-accesslogs-textformat): string
|
||||
- [`type`](#spec-dynamicconfig-accesslogs-type): string
|
||||
- [`exposeConfig`](#spec-dynamicconfig-exposeconfig): map
|
||||
- [`exposePaths`](#spec-dynamicconfig-exposeconfig-exposepaths): map
|
||||
- [`listenerPort`](#spec-dynamicconfig-exposeconfig-exposepaths-listenerport): integer
|
||||
- [`localPathPort`](#spec-dynamicconfig-exposeconfig-exposepaths-localpathport): integer
|
||||
- [`path`](#spec-dynamicconfig-exposeconfig-exposepaths-path): string
|
||||
- [`protocol`](#spec-dynamicconfig-exposeconfig-exposepaths-protocol): string
|
||||
- [`inboundConnections`](#spec-dynamicconfig-inboundconnections): map
|
||||
- [`balanceInboundConnections`](#spec-dynamicconfig-inboundconnections-balanceinboundconnections): string
|
||||
- [`maxInboundConnections`](#spec-dynamicconfig-exposeconfig-inboundconnections-maxinboundconnections): integer
|
||||
- [`listenerTracingJson`](#spec-dynamicconfig-listenertracingjson): string
|
||||
- [`localClusterJson`](#spec-dynamicconfig-localclusterjson): string
|
||||
- [`localConnection`](#spec-dynamicconfig-localconnection): map
|
||||
- [`connectTimeout`](#spec-dynamicconfig-localconnection-connecttimeout): string
|
||||
- [`requestTimeout`](#spec-dynamicconfig-localconnection-requesttimeout): string
|
||||
- [`meshGatewayMode`](#spec-dynamicconfig-meshgatewaymode): string
|
||||
- [`mode`](#spec-dynamicconfig-mode): string
|
||||
- [`publicListenerJson`](#spec-dynamicconfig-publiclistenerjson): string
|
||||
- [`transparentProxy`](#spec-dynamicconfig-transparentproxy): map
|
||||
- [`dialedDirectly`](#spec-dynamicconfig-transparentproxy-dialeddirectly): boolean | `false`
|
||||
- [`outboundListenerPort`](#spec-dynamicconfig-transparentproxy-outboundlistenerport): integer | `15001`
|
||||
|
||||
## Complete configuration
|
||||
|
||||
When every field is defined, an ProxyConfigurations CRD has the following form:
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1 # required
|
||||
kind: ProxyConfiguration # required
|
||||
metadata:
|
||||
name: <crdName>
|
||||
namespace: <namespace>
|
||||
spec:
|
||||
workloads: # required
|
||||
filter: "Service.Meta.version == v1"
|
||||
names: ["api", "admin"]
|
||||
prefixes: ["<pre>", "<fix>"]
|
||||
bootstrapConfig:
|
||||
dogstatsdUrl: <udp://127.0.0.1:8125>
|
||||
overrideJsonTpl: <escapeHatchTemplate>
|
||||
prometheusBindAddr: <0.0.0.0>
|
||||
readyBindAddr: <ip:port>
|
||||
staticClustersJson: <jsonObject>
|
||||
staticListenersJson: <jsonObject>
|
||||
statsBindAddr: <0.0.0.0>
|
||||
statsConfigJson: <jsonObject>
|
||||
statsFlushInterval: 5000ms
|
||||
statsSinkJson: <jsonObject>
|
||||
statsTags:
|
||||
- <customTag>
|
||||
statsdUrl: <udp://127.0.0.1:8125>
|
||||
telemetryCollectorBindSocketDir: <path/to/directory>
|
||||
tracingConfigJson: <jsonObject>
|
||||
dynamicConfig:
|
||||
accessLogs:
|
||||
enabled: false
|
||||
disableListenerLogs: false
|
||||
jsonFormat: <jsonObject>
|
||||
path: <log/output/path>
|
||||
textFormat: <customFormatString>
|
||||
type: <LOG_SINK_TYPE_DEFAULT>
|
||||
exposeConfig:
|
||||
exposePaths:
|
||||
listenerPort: 42
|
||||
localPathPort: 4242
|
||||
path: </metrics>
|
||||
protocol: <EXPOSE_PATH_PROTOCOL_HTTP>
|
||||
inboundConnections:
|
||||
balanceInboundConnections: <exact_balance>
|
||||
maxInboundConnections: 1024
|
||||
listenerTracingJson: <jsonObject>
|
||||
localClusterJson: <jsonObject>
|
||||
localConnection:
|
||||
connectTimeout: <1s>
|
||||
requestTimeout: <1s>
|
||||
meshGatewayMode: <MESH_GATEWAY_MODE_LOCAL>
|
||||
mode: <PROXY_MODE_TRANSPARENT>
|
||||
publicListenerJson: <jsonObject>
|
||||
transparentProxy:
|
||||
dialedDirectly: false
|
||||
outboundListenerPort: 15001
|
||||
```
|
||||
|
||||
## Specification
|
||||
|
||||
This section provides details about the fields you can configure in the `ProxyConfiguration` custom resource definition (CRD).
|
||||
|
||||
### `apiVersion`
|
||||
|
||||
Specifies the version of the Consul API for integrating with Kubernetes. The value must be `mesh.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- String value that must be set to `mesh.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
### `kind`
|
||||
|
||||
Specifies the type of CRD to implement. Must be set to `ProxyConfiguration`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String value that must be set to `ProxyConfiguration`.
|
||||
|
||||
### `metadata`
|
||||
|
||||
Map that contains an arbitrary name for the CRD and the namespace it applies to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `metadata.name`
|
||||
|
||||
Specifies a name for the CRD. The name is metadata that you can use to reference the resource when performing Consul operations, such as using the `consul resource` command. Refer to [`consul resource`](/consul/docs/k8s/connect/multiport/reference/resource-command) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String
|
||||
|
||||
### `metadata.namespace` <EnterpriseAlert inline />
|
||||
|
||||
Specifies the namespace that the proxy configuration applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec`
|
||||
|
||||
Map that contains the details about the `ProxyConfiguration` CRD. The `apiVersion`, `kind`, and `metadata` fields are siblings of the spec field. All other configurations are children.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: Map
|
||||
|
||||
### `spec.workloads`
|
||||
|
||||
Specifies the workloads that the proxy configuration applies to. You can select workloads by name, prefix, or by using a filter expression.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: Map that can contain the following parameters:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :------------ | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ------- |
|
||||
| `filter` | Specifies an expression that filters workloads. For more information about creating and using expressions to filter, refer to [filtering](/consul/api-docs/features/filtering). | String | None |
|
||||
| `names` | Specifies one or more names of workloads the proxy configuration applies to. | Array of strings | None |
|
||||
| `prefixes` | Specifies one or more prefixes. Proxy configurations apply to workloads with one of the prefixes. | Array of strings | None |
|
||||
|
||||
### `spec.bootstrapConfig`
|
||||
|
||||
Specifies initial bootstrap settings for the Envoy proxy, as well as proxy configuration settings that require the proxy to restart when applied. For more information, refer to [Envoy proxy bootstrap configuration](/consul/docs/connect/proxies/envoy#bootstrap-configuration).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.bootstrapConfig.dogstatsdUrl`
|
||||
|
||||
Specifies a URL that identifies a DataDog DogStatsD listener. Envoy sends metrics to this listener.
|
||||
|
||||
Format the URL as `udp://ip:port` or `unix://uds/path`. For example, `udp://127.0.0.1:8125` configures a local UDP DogStatsD listener for every host. TCP is not supported.
|
||||
|
||||
The UDP URL must use an IP address. DNS names are not supported.
|
||||
|
||||
For more information about configuring a UNIX domain socket with DogStatsD, refer to [the DataDog documentation](https://docs.datadoghq.com/developers/dogstatsd/unix_socket?tab=kubernetes#setup).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.overrideJsonTpl`
|
||||
|
||||
<Warning>
|
||||
This field offers complete control of the proxy's bootstrap. Be aware that major deviations from the default template may break Consul's ability to correctly manage the proxy or enforce its security model.
|
||||
</Warning>
|
||||
|
||||
Specifies a template in Go template syntax to use in place of [the default template](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c6a55cf88fa2fc/command/connect/envoy/bootstrap_tpl.go#L129) when generating the bootstrap configuration using the [`consul connect envoy` command](/consul/commands/connect/envoy). For information about the variables Consul can interpolate in the template, refer to the [documentation in `bootstrap_tpl.go`](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c6a55cf88fa2fc/command/connect/envoy/bootstrap_tpl.go#L5).
|
||||
|
||||
Refer to [Envoy proxy escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.prometheusBindAddr`
|
||||
|
||||
Configures the proxy to expose a Prometheus metrics endpoint to the public network. Format the endpoint as `ip:port`. The port and IP and port combination must be free within the network namespace where the proxy runs. The IP `0.0.0.0` binds to all available interfaces or a pod IP address if supported by your existing network settings.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.readyBindAddr`
|
||||
|
||||
Specifies the location to configure the proxy's readiness probe. Format as `ip:port`.
|
||||
|
||||
By default, the proxy does not have a readiness probe configured on it.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.staticClustersJson`
|
||||
|
||||
Specifies one or more [Envoy clusters](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto) to append to the array of [static clusters](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-staticresources-clusters) in the bootstrap configuration.
|
||||
|
||||
This field enables you to add custom clusters, such as tracing sinks, to the bootstrap configuration. In order to configure a single cluster, specify a single JSON object with the cluster details.
|
||||
|
||||
Refer to [Envoy proxy advanced bootstrap options](/consul/docs/connect/proxies/envoy#advanced-bootstrap-options) for more information and examples.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.staticListenersJson`
|
||||
|
||||
Specifies one or more [Envoy listeners](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto) to append to the array of [static listeners](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-staticresources-listeners) definitions.
|
||||
|
||||
You can use this field to set up limited access that bypasses the service mesh's mTLS or authorization for health checks or metrics.
|
||||
|
||||
Refer to [Envoy proxy advanced bootstrap options](/consul/docs/connect/proxies/envoy#advanced-bootstrap-options) for more information and examples.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.statsBindAddr`
|
||||
|
||||
Specifies that the proxy should expose the `/stats` prefix to the _public_ network at the `ip:port` provided. The IP and port combination must be free within the network namespace where the proxy runs. The IP `0.0.0.0` binds to all available interfaces or a pod IP address if supported by your existing network settings.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.statsConfigJson`
|
||||
|
||||
Specifies a complete [stats config](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-stats-config).
|
||||
|
||||
When provided, this field overrides [`spec.bootstrapConfig.statsTags`](#spec-bootstrapconfig-statstags) and enables full control over dynamic tag replacements.
|
||||
|
||||
Refer to [Envoy proxy advanced bootstrap options](/consul/docs/connect/proxies/envoy#advanced-bootstrap-options) for more information and examples.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.statsFlushInterval`
|
||||
|
||||
Configures Envoy's [`stats_flush_interval`](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-stats-flush-interval), which measures the length of the interval between stats sink flushes.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.statsSinkJson`
|
||||
|
||||
Specifies one or more [stats sinks](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-stats-sinks) to append to sinks defined using [`spec.bootstrapConfig.statsdUrl`](#spec-bootstrapconfig-statsdurl) or [`spec.bootstrapConfig.dogstatsdUrl`](#spec-bootstrapconfig-dogstatsdurl).
|
||||
|
||||
Refer to [Envoy proxy advanced bootstrap options](/consul/docs/connect/proxies/envoy#advanced-bootstrap-options) for more information and examples.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.statsTags`
|
||||
|
||||
Specifies one or more static tags to add to all metrics produced by the proxy.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Array of strings
|
||||
|
||||
### `spec.bootstrapConfig.statsdUrl`
|
||||
|
||||
Specifies a URL that identifies a StatsD listener. Envoy sends metrics to this listener.
|
||||
|
||||
Format the URL as `udp://ip:port`. For example, `udp://127.0.0.1:8125` configures a local StatsD listener for every host. TCP is not supported.
|
||||
|
||||
The URL must use an IP address. DNS names are not supported.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.telemetryCollectorBindSocketDir`
|
||||
|
||||
Specifies the directory of the Unix socket Envoy sends metrics to so that the Consul telemetry collector can collect them.
|
||||
|
||||
The socket is not configured by default.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.bootstrapConfig.tracingConfigJson`
|
||||
|
||||
Specifies a configuration for an external tracing provider as described in [the Envoy documentation](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-tracing). Most tracing providers also require adding static clusters to define the endpoints to send tracing data to.
|
||||
|
||||
Refer to [Envoy proxy advanced bootstrap options](/consul/docs/connect/proxies/envoy#advanced-bootstrap-options) for more information and examples.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig`
|
||||
|
||||
Specifies configuration settings for the Envoy proxy that are applied without restarting the proxy. For more information, refer to [Envoy proxy dynamic configuration](/consul/docs/connect/proxies/envoy#dynamic-configuration).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.dynamicConfig.accessLogs`
|
||||
|
||||
Specifies the format and output for the proxy's access logs.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.dynamicConfig.accessLogs.enabled`
|
||||
|
||||
When set to `true`, this parameter enables access logs for the proxy.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `false`
|
||||
- Data type: Boolean
|
||||
|
||||
### `spec.dynamicConfig.accessLogs.usableListenerLogs`
|
||||
|
||||
When set to `true`, this parameter disables listener logs for connections that the proxy rejected because they did not have a matching listener filter.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `false`
|
||||
- Data type: Boolean
|
||||
|
||||
### `spec.dynamicConfig.accessLogs.jsonFormat`
|
||||
|
||||
Specifies a JSON format dictionary for the access logs. Refer to [format dictionaries in the Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries) for more information.
|
||||
|
||||
When this field is specified, you cannot also specify [`spec.dynamicConfig.accessLogs.textFormat`](#spec-dynamicconfig-accesslogs-textformat) in the same configuration.
|
||||
|
||||
### `spec.dynamicConfig.accessLogs.path`
|
||||
|
||||
Specifies a file output path for the access logs.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig.accessLogs.textFormat`
|
||||
|
||||
Specifies a format string for the access logs. Refer to [default format string in the Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#default-format-string) for more information.
|
||||
|
||||
When this field is specified, you cannot also specify [`spec.dynamicConfig.accessLogs.jsonFormat`](#spec-dynamicconfig-accesslogs-jsonformat) in the same configuration.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig.accessLogs.type`
|
||||
|
||||
Specifies the output type for the access logs.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String containing one of the following values:
|
||||
|
||||
- `LOG_SINK_TYPE_DEFAULT`
|
||||
- `LOG_SINK_TYPE_FILE`
|
||||
- `LOG_SINK_TYPE_STDERR`
|
||||
- `LOG_SINK_TYPE_STDOUT`
|
||||
|
||||
### `spec.dynamicConfig.exposeConfig`
|
||||
|
||||
Specifies configurations for exposing the proxy.
|
||||
|
||||
Refer to [expose paths configuration reference](/consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.dynamicConfig.exposeConfig.exposePaths`
|
||||
|
||||
Specifies a configuration for exposing an HTTP path through the proxy.
|
||||
|
||||
Refer to [expose paths configuration reference](/consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.dynamicConfig.exposeConfig.exposePaths.listenerPort`
|
||||
|
||||
Specifies the port where the proxy listens for connections. This port must be available for the listener to be set up. If the port is not free, Envoy does not expose a listener for the path but the proxy registration does not fail.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Integer
|
||||
|
||||
### `spec.dynamicConfig.exposeConfig.exposePaths.localPathPort`
|
||||
|
||||
Specifies the port where the local service is listening for connections to the path.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Integer
|
||||
|
||||
### `spec.dynamicConfig.exposeConfig.exposePaths.path`
|
||||
|
||||
The HTTP path to expose. Prefix the path with a slash. For example, `/metrics`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig.exposeConfig.exposePaths.protocol`
|
||||
|
||||
Specifies the protocol of the listener, either HTTP or HTTP/2. For gRPC, use HTTP/2.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String containing one of the following values:
|
||||
|
||||
- `EXPOSE_PATH_PROTOCOL_HTTP`
|
||||
- `EXPOSE_PATH_PROTOCOL_HTTP2`
|
||||
|
||||
### `spec.dynamicConfig.inboundConnections`
|
||||
|
||||
Specifies configurations for how the proxy handles inbound connections.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.dynamicConfig.inboundConnections.balanceInboundConnections`
|
||||
|
||||
Specifies the strategy for balancing inbound connections across Envoy worker threads. Consul's service mesh Envoy integration supports the following values:
|
||||
|
||||
| Value | Description |
|
||||
| :---- | :---------- |
|
||||
| Empty string | Inbound connections are not balanced. |
|
||||
| `exact_balance` | Balances inbound connections with [Envoy's Exact Balance Strategy](https://cloudnative.to/envoy/api-v3/config/listener/v3/listener.proto.html#config-listener-v3-listener-connectionbalanceconfig-exactbalance). |
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `""`
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig.inboundConnections.maxInboundConnections`
|
||||
|
||||
Specifies the maximum number of concurrent inbound connections to the local application instance. If not specified, inherits the Envoy default of `1024`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `1024`
|
||||
- Data type: Integer
|
||||
|
||||
### `spec.dynamicConfig.listenerTracingJson`
|
||||
|
||||
Specifies a tracing configuration to be inserted in the proxy's public and upstreams listeners. Refer to [the Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-tracing) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig.localClusterJson`
|
||||
|
||||
Specifies a complete Envoy cluster to be delivered in place of the local application cluster. Use this field to customize timeouts, rate limits, and load balancing strategy.
|
||||
|
||||
Refer to [cluster configuration in the Envoy documentation](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig.localConnection`
|
||||
|
||||
Specifies timeout settings for the proxy's connection to the local application. Apply settings separately for each port.
|
||||
|
||||
Specify this field as a map containing a key/value. The map keys correspond to port names on the workload. The value contains this parameter's sub-fields.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.dynamicConfig.localConnection.connectTimeout`
|
||||
|
||||
Specifies the length of time the proxy is allowed to attempt connections to the local application instance before timing out.
|
||||
|
||||
This field accepts a string indicating the number of seconds. For example, indicate five seconds with `5s` and five milliseconds with `0.005s`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig.localConnection.requestTimeout`
|
||||
|
||||
Specifies the length of time the proxy is allowed to attempt HTTP requests to the local application instance. Applies to HTTP-based protocols only.
|
||||
|
||||
This field accepts a string indicating the number of seconds. For example, indicate five seconds with `5s` and five milliseconds with `0.005s`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig.meshGatewayMode`
|
||||
|
||||
Specifies the proxy's mode of operation for resolving upstreams in remote datacenter destinations. Refer to [Mesh gateway configuration reference](/consul/docs/connect/proxies/proxy-config-reference#mesh-gateway-configuration-reference) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String containing one of the following values:
|
||||
|
||||
- `MESH_GATEWAY_MODE_UNSPECIFIED`
|
||||
- `MESH_GATEWAY_MODE_NONE`
|
||||
- `MESH_GATEWAY_MODE_LOCAL`
|
||||
- `MESH_GATEWAY_MODE_REMOTE`
|
||||
|
||||
### `spec.dynamicConfig.mode`
|
||||
|
||||
Configures the proxy to operate in transparent, direct, or default mode. Refer to [proxy modes](/consul/docs/connect/proxies/proxy-config-reference#proxy-modes) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String containing one of the following values:
|
||||
|
||||
- `PROXY_MODE_DEFAULT`
|
||||
- `PROXY_MODE_TRANSPARENT`
|
||||
- `PROXY_MODE_DIRECT`
|
||||
|
||||
### `spec.dynamicConfig.publicListenerJson`
|
||||
|
||||
Specifies a complete Envoy listener for Consul to deliver in place of the main public listener that the proxy uses to accept inbound connections. Refer to [escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) for more information
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.dynamicConfig.transparentProxy`
|
||||
|
||||
Specifies additional configurations for operating proxies in transparent proxy mode. Refer to [transparent proxy configuration reference](/consul/docs/connect/proxies/proxy-config-reference#transparent-proxy-configuration-reference) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.dynamicConfig.transparentProxy.dialedDirectly`
|
||||
|
||||
Determines whether this proxy instance's IP address can be dialed directly by transparent proxies. Transparent proxies typically dial upstreams using the _virtual_ tagged address, which load balances across instances. A database cluster with a leader is an example where dialing individual instances can be helpful.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `false`
|
||||
- Data type: Boolean
|
||||
|
||||
### `spec.dynamicConfig.transparentProxy.outboundListenerPort`
|
||||
|
||||
Specifies the port the proxy listens on for outbound traffic to capture and redirect.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `15001`
|
||||
- Data type: Integer
|
||||
|
||||
## Examples
|
||||
|
||||
The following examples demonstrate common ProxyConfiguration CRD configuration patterns for specific use cases.
|
||||
|
||||
### Set a timeout on a subset of proxies
|
||||
|
||||
The following example configures sidecar proxies scheduled with workloads whose names begin with `static-server-`. When these workloads attempt connections with the local `web` application, both requests and responses time out after 123 second.
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1
|
||||
kind: ProxyConfiguration
|
||||
metadata:
|
||||
name: static-server-override-one
|
||||
spec:
|
||||
workloads:
|
||||
prefixes:
|
||||
- "static-server-"
|
||||
bootstrapConfig:
|
||||
statsBindAddr: "127.0.0.1:6666"
|
||||
dynamicConfig:
|
||||
# Only the web port should be enabled using the TPs
|
||||
localConnection:
|
||||
web:
|
||||
connectTimeout: "123s" # This ALWAYS has to end in 's'. If you want ms, you need to use "0.123s"
|
||||
requestTimeout: "123s"
|
||||
```
|
@ -1,345 +0,0 @@
|
||||
---
|
||||
layout: docs
|
||||
page_title: TCPRoute resource configuration reference
|
||||
description: The TCPRoute resource CRD configures L4 TCP behavior within the service mesh. TCPRoute is a GAMMA resource that requires the v2 catalog API. Learn how to configure the TCPRoute CRD with specifications and example configurations.
|
||||
---
|
||||
|
||||
# TCPRoute resource configuration reference
|
||||
|
||||
This page provides reference information for the `TCPRoute` resource, which defines Transport Layer (L4) TCP traffic within the service mesh.
|
||||
|
||||
This custom resource definition (CRD) describes a resource related to the [Kubernetes GAMMA initiative](https://gateway-api.sigs.k8s.io/concepts/gamma/) that requires the [v2 catalog API](/consul/docs/architecture/v2/catalog). It is not compatible with the [v1 catalog API](/consul/docs/architecture/catalog). For more information about GAMMA resources, refer to the [Kubernetes Gateway API documentation](https://gateway-api.sigs.k8s.io/concepts/gamma/).
|
||||
|
||||
## Configuration model
|
||||
|
||||
The following list outlines field hierarchy, language-specific data types, and requirements in an TCP route CRD. Click on a property name to view additional details, including default values.
|
||||
|
||||
<Tabs>
|
||||
|
||||
<Tab heading="YAML" group="yaml">
|
||||
|
||||
- [`apiVersion`](#apiversion): string | required | must be set to `mesh.consul.hashicorp.com/v2beta1`
|
||||
- [`kind`](#kind): string | required | must be set to `TCPRoute`
|
||||
- [`metadata`](#metadata): map | required
|
||||
- [`name`](#metadata-name): string | required
|
||||
- [`namespace`](#metadata-namespace): string | optional <EnterpriseAlert inline />
|
||||
- [`spec`](#spec): map | required
|
||||
- [`parentRefs`](#spec-parentrefs): map | required
|
||||
- [`port`](#spec-parentrefs-port): string
|
||||
- [`ref`](#spec-parentrefs-ref): string | required
|
||||
- [`name`](#spec-parentrefs-ref-name): string
|
||||
- [`type`](#spec-parentrefs-ref-type): map
|
||||
- [`group`](#spec-parentrefs-ref-type): string
|
||||
- [`groupVersion`](#spec-parentrefs-ref-type): string
|
||||
- [`kind`](#spec-parentrefs-ref-type): string
|
||||
- [`rules`](#spec-rules): map | required
|
||||
- [`backendRefs`](#spec-rules-backendrefs): map
|
||||
- [`backendRef`](#spec-rules-backendrefs-backendref): map
|
||||
- [`datacenter`](#spec-rules-backendrefs-backendref-datacenter): string
|
||||
- [`port`](#spec-rules-backendrefs-backendref-port): string
|
||||
- [`ref`](#spec-rules-backendrefs-backendref-ref): map
|
||||
- [`name`](#spec-rules-backendrefs-backendref-ref-name): string
|
||||
- [`type`](#spec-rules-backendrefs-backendref-ref-type): map
|
||||
- [`group`](#spec-rules-backendrefs-backendref-ref-type): string
|
||||
- [`groupVersion`](#spec-rules-backendrefs-backendref-ref-type): string
|
||||
- [`kind`](#spec-rules-backendrefs-backendref-ref-type): string
|
||||
- [`weight`](#spec-rules-backendrefs-weight): number
|
||||
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
## Complete configuration
|
||||
|
||||
When every field is defined, a TCP route CRD has the following form:
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1 # required
|
||||
kind: TCPRoute # required
|
||||
metadata:
|
||||
name: <crdName>
|
||||
namespace: <namespace>
|
||||
spec:
|
||||
parentRefs:
|
||||
port: <portRoutedFrom>
|
||||
- ref:
|
||||
name: <nameRoutedFrom>
|
||||
type:
|
||||
group: <catalog>
|
||||
groupVersion: <v2beta1>
|
||||
kind: <Service>
|
||||
rules:
|
||||
- backendRefs:
|
||||
- backendRef:
|
||||
datacenter: <datacenterRoutedTo>
|
||||
port: <portRoutedTo>
|
||||
ref:
|
||||
name: <nameRoutedTo>
|
||||
type:
|
||||
group: <catalog>
|
||||
groupVersion: <v2beta1>
|
||||
kind: <Service>
|
||||
weight: 1
|
||||
```
|
||||
|
||||
## Specification
|
||||
|
||||
This section provides details about the fields you can configure in the `TCPRoute` custom resource definition (CRD).
|
||||
|
||||
### `apiVersion`
|
||||
|
||||
Specifies the version of the Consul API for integrating with Kubernetes. The value must be `mesh.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- String value that must be set to `mesh.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
### `kind`
|
||||
|
||||
Specifies the type of CRD to implement. Must be set to `TCPRoute`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String value that must be set to `TCPRoute`.
|
||||
|
||||
### `metadata`
|
||||
|
||||
Map that contains an arbitrary name for the CRD and the namespace it applies to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `metadata.name`
|
||||
|
||||
Specifies a name for the CRD. The name is metadata that you can use to reference the resource when performing Consul operations, such as using the `consul resource` command. Refer to [`consul resource`](/consul/docs/k8s/connect/multiport/reference/resource-command) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String
|
||||
|
||||
### `metadata.namespace` <EnterpriseAlert inline />
|
||||
|
||||
Specifies the namespace that the service resolver applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec`
|
||||
|
||||
Map that contains the details about the `TCPRoute` CRD. The `apiVersion`, `kind`, and `metadata` fields are siblings of the spec field. All other configurations are children.
|
||||
|
||||
When using this CRD, the `spec` field closely resembles the `TCPRoute` GAMMA resource. Refer to [TCPRoute in the Kubernetes documentation](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute).
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: Map
|
||||
|
||||
### `spec.parentRefs`
|
||||
|
||||
Specifies the services and other resources to attach the route to. You can only define one `parentsRefs` configuration for each route. To attach the route to multiple resources, specify additional [`spec.parentRefs.ref`](#spec-parentrefs-ref) configurations in the `parentsRefs` block. You can only specify one port for the route. Any resources that send traffic through the route use the same port.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: Map
|
||||
|
||||
### `spec.parentRefs.port`
|
||||
|
||||
Specifies the port for the Consul service that the configuration applies to. This parameter can be either a virtual port number, such as a Kubernetes service port, or a non-numeric target port value representing a named workload port.
|
||||
|
||||
If you are not targeting a virtual port, specify the workload port name directly.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.parentRefs.ref`
|
||||
|
||||
Specifies the resource that the route attaches to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.parentRefs.ref.name`
|
||||
|
||||
Specifies the user-defined name of the resource that the configuration applies to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.parentRefs.ref.type`
|
||||
|
||||
Specifies the type of resource that the configuration applies to. To reference a service in the Consul catalog, configure the resource type as `catalog.v2beta1.Service`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameters:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :------------ | :------------------------------------------------------------------- | :-------- | :------- |
|
||||
| `group` | Specifies a group for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `catalog`. | String | None |
|
||||
| `groupVersion` | Specifies a groupVersion for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `v2beta1`. | String | None |
|
||||
| `kind` | Specifies the kind of the Kubernetes object the resource applies to. To reference a service in the Consul catalog, set this parameter to `Service`. | String | None |
|
||||
|
||||
### `spec.rules`
|
||||
|
||||
Specifies rules for sidecar proxies to direct a service's TCP traffic within the service mesh.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs`
|
||||
|
||||
Specifies the Kubernetes Service backend to direct TCP traffic to when a request matches the service described in [`spec.parentRefs`](#spec-parentrefs). The Service backend is the collection of endpoint IPs for the service. Refer to [the Kubernetes Gateway API specification](https://gateway-api.sigs.k8s.io/concepts/gamma/#an-overview-of-the-gateway-api-for-service-mesh) for more information about Service backends.
|
||||
|
||||
When a valid Service backend cannot be reached and no additional filters apply, traffic that matches the rule returns a 500 status code.
|
||||
|
||||
When different Service backends are specified in [`spec.rules.backendRefs.weight`](#spec-rules-backendrefs-weight) and one of the backends is invalid, Consul continues to apply the specified weights instead of adjusting the relative weights to exclude traffic to the invalid backend. For example, when traffic is configured in a 50-50 split between `api` and `admin` and no valid endpoints for `admin` can be reached, the 50% of traffic intended for `admin` returns with a 500 status code.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.backendRef`
|
||||
|
||||
Specifies an individual Service backend where matching requests should be sent.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.datacenter`
|
||||
|
||||
Specifies the name of the Consul datacenter that registered the Service backend that the configuration routes traffic to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.port`
|
||||
|
||||
Specifies the port for the Consul service that the configuration routes traffic to. This parameter can be either a virtual port number, such as a Kubernetes service port, or a non-numeric target port value representing a named workload port.
|
||||
|
||||
If you are not targeting a virtual port, specify the workload port name directly.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.ref`
|
||||
|
||||
The Consul service that the configuration routes traffic to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.ref.name`
|
||||
|
||||
Specifies the user-defined name of the resource that the configuration routes traffic to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.rules.backendRefs.backendRef.ref.type`
|
||||
|
||||
Specifies the type of resource that the configuration routes traffic to. To reference a service in the Consul catalog, configure the resource type as `catalog.v2beta1.Service`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map containing the following parameters:
|
||||
|
||||
| Parameter | Description | Data type | Default |
|
||||
| :------------ | :------------------------------------------------------------------- | :-------- | :------- |
|
||||
| `group` | Specifies a group for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `catalog`. | String | None |
|
||||
| `groupVersion` | Specifies a groupVersion for the resource type within the Kubernetes cluster. To reference a service in the Consul catalog, set this parameter to `v2beta1`. | String | None |
|
||||
| `kind` | Specifies the kind of the Kubernetes object for the resource. To reference a service in the Consul catalog, set this parameter to `Service`. | String | None |
|
||||
|
||||
### `spec.rules.backendRefs.weight`
|
||||
|
||||
Specifies the proportion of requests routed to the specified service.
|
||||
|
||||
This proportion is relative to the sum of all weights in the [`spec.rules.backendRefs`](#spec-rules-backendrefs) block. As a result, weights do not need to add up to 100. When only one backend is specified and the weight is greater then 0, Consul forwards 100% of traffic to the backend.
|
||||
|
||||
When this parameter is not specified, Consul defaults to `1`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: `1`
|
||||
- Data type: Integer
|
||||
|
||||
## Examples
|
||||
|
||||
The following examples demonstrate common TCPRoute CRD configuration patterns for specific use cases.
|
||||
|
||||
### Split TCP traffic between two ports
|
||||
|
||||
The following example splits traffic for the `api` service. TCP traffic for services registered to the Consul catalog that are available at the `api-workload` port is split so that 50% of the traffic routes to the service at the `api-workload` port and 50% routes to the service at the `admin-workload` port.
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1
|
||||
kind: TCPRoute
|
||||
metadata:
|
||||
name: api-split
|
||||
namespace: default
|
||||
spec:
|
||||
parentRefs:
|
||||
- ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
rules:
|
||||
- backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
weight: 50
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "admin-workload" target port.
|
||||
port: "90"
|
||||
weight: 50
|
||||
```
|
@ -1,245 +0,0 @@
|
||||
---
|
||||
layout: docs
|
||||
page_title: TrafficPermissions resource configuration reference
|
||||
description: The TrafficPermissions CRD defines rules for allowing and denying traffic between services within the service mesh. Learn how to configure traffic permissions for the v2 catalog to authorize service-to-service communication in a network with zero-trust security.
|
||||
---
|
||||
|
||||
# TrafficPermissions configuration reference
|
||||
|
||||
This page provides reference information for the `TrafficPermissions` resource, which authorizes east-west traffic between services within the service mesh. The traffic permissions CRD replaces the service intentions CRD when using the v2 catalog API. Refer to [changes to Consul's existing architecture](/consul/docs/architecture/v2/catalog#changes-to-consul-s-existing-architecture) for more information.
|
||||
|
||||
This custom resource definition (CRD) describes a resource related to the [Kubernetes GAMMA initiative](https://gateway-api.sigs.k8s.io/concepts/gamma/) that requires the [v2 catalog API](/consul/docs/architecture/v2/catalog). It is not compatible with the [v1 catalog API](/consul/docs/architecture/catalog). For more information about GAMMA resources, refer to the [Kubernetes Gateway API documentation](https://gateway-api.sigs.k8s.io/concepts/gamma/).
|
||||
|
||||
## Configuration model
|
||||
|
||||
The following list outlines field hierarchy, language-specific data types, and requirements in a traffic permissions CRD. Click on a property name to view additional details, including default values.
|
||||
|
||||
- [`apiVersion`](#apiversion): string | required | must be set to `auth.consul.hashicorp.com/v2beta1`
|
||||
- [`kind`](#kind): string | required | must be set to `TrafficPermissions`
|
||||
- [`metadata`](#metadata): map | required
|
||||
- [`name`](#metadata-name): string | required
|
||||
- [`namespace`](#metadata-namespace): string | optional <EnterpriseAlert inline />
|
||||
- [`spec`](#spec): map | required
|
||||
- [`destination`](#spec-destination): map
|
||||
- [`identityName`](#spec-destination-identityname): string
|
||||
- [`action`](#spec-action): string
|
||||
- [`permissions`](#spec-permissions): list of maps
|
||||
- [`sources`](#spec-permissions-sources): list of maps
|
||||
- [`identityName`](#spec-permissions-sources-identityname): string
|
||||
- [`destinationRules`](#spec-permissions-destinationrules): list of maps
|
||||
- [`portNames`](#spec-permissions-destinationrules-portnames): array of strings
|
||||
|
||||
## Complete configuration
|
||||
|
||||
When every field is defined, a traffic permissions CRD has the following form:
|
||||
|
||||
```yaml
|
||||
apiVersion: auth.consul.hashicorp.com/v2beta1 # required
|
||||
kind: TrafficPermissions # required
|
||||
metadata:
|
||||
name: <permissionsResourceName>
|
||||
namespace: <default>
|
||||
spec:
|
||||
destination:
|
||||
identityName: <permissionsDestinationService>
|
||||
action: allow
|
||||
permissions:
|
||||
- sources:
|
||||
- identityName: <sourceWorkloadIdentity>
|
||||
destinationRules:
|
||||
- portNames:
|
||||
- <servicePortName>
|
||||
```
|
||||
|
||||
## Specification
|
||||
|
||||
This section provides details about the fields you can configure in the `TrafficPermissions` custom resource definition (CRD).
|
||||
|
||||
### `apiVersion`
|
||||
|
||||
Specifies the version of the Consul API for integrating with Kubernetes. The value must be `auth.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- String value that must be set to `auth.consul.hashicorp.com/v2beta1`.
|
||||
|
||||
### `kind`
|
||||
|
||||
Specifies the type of CRD to implement. Must be set to `TrafficPermissions`.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String value that must be set to `TrafficPermissions`.
|
||||
|
||||
### `metadata`
|
||||
|
||||
Map that contains an arbitrary name for the CRD and the namespace it applies to.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `metadata.name`
|
||||
|
||||
Specifies a name for the CRD. The name is metadata that you can use to reference the resource when performing Consul operations, such as using the `consul resource` command. Refer to [`consul resource`](/consul/docs/k8s/connect/multiport/reference/resource-command) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: String
|
||||
|
||||
### `metadata.namespace` <EnterpriseAlert inline />
|
||||
|
||||
Specifies the namespace that the service resolver applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec`
|
||||
|
||||
Map that contains the details about the `TrafficPermissions` CRD. The `apiVersion`, `kind`, and `metadata` fields are siblings of the spec field. All other configurations are children.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- This field is required.
|
||||
- Data type: Map
|
||||
|
||||
### `spec.destination`
|
||||
|
||||
Specifies the proxies of the services where these traffic permissions apply.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: Map
|
||||
|
||||
### `spec.destination.identityName`
|
||||
|
||||
Specifies the Workload identity for a service. The permissions you configure in this `TrafficPermissions` CRD apply to sidecar proxies when a request has this identity as their destination.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.action`
|
||||
|
||||
Specifies whether the proxy should _allow traffic_ or _deny traffic_ between the destination in [`spec.destination`](#spec-destination) and the sources in [`spec.permissions.sources`](#spec-permissions-sources).
|
||||
|
||||
`ACTION_DENY` is a governance feature available in Consul Enterprise that cannot be overridden by another `ACTION_ALLOW`.
|
||||
|
||||
By default, Consul allows traffic between all services. When the Helm value `global.acls.manageSystemACLs` is set to `true`, then Consul operates in "default-deny" mode. In this mode, `TrafficPermissions` CRDs that allow traffic between services are required for service-to-service traffic.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String that must contain one of the following values:
|
||||
|
||||
- `ACTION_ALLOW`
|
||||
- `ACTION_DENY` <EnterpriseAlert inline />
|
||||
|
||||
### `spec.permissions`
|
||||
|
||||
Permissions is a list of the traffic permissions Consul evaluates requests against. When the list contains more than one permission, Consul follows OR semantics to select the permission.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: List of maps
|
||||
|
||||
### `spec.permissions.sources`
|
||||
|
||||
Lists sources for traffic in the permission. This block contains information Consul uses to evaluate the service that originated the request when the sidecar proxy authorizes incoming traffic.
|
||||
|
||||
To specify wildcard references in this block using `*`, omit all other fields. For example, you can apply traffic permissions to all namespaces using the wildcard, but you cannot specify an identity name, partition, peer, or sameness group in the same source.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: List of maps
|
||||
|
||||
### `spec.permissions.sources.identityName`
|
||||
|
||||
Specifies the Workload identity for the service that originates the request.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
### `spec.permissions.destinationRules`
|
||||
|
||||
Specifies L7 properties to match against when Consul enforces traffic permissions.
|
||||
|
||||
When [`spec.action`](#spec-action) _allows traffic_, Consul authorizes requests to the destination service when the request matches one or more rules defined in this block. Requests that do not match any rules are denied.
|
||||
|
||||
When [`spec.action`](#spec-action) _denies traffic_, Consul denies authorization to requests that match one or more rules defined in this block. Requests that do not match any rules are allowed.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: List of maps
|
||||
|
||||
### `spec.permissions.destinationRules.portNames`
|
||||
|
||||
Specifies a port name that the Kubernetes Pod's container exposes at the destination.
|
||||
|
||||
#### Values
|
||||
|
||||
- Default: None
|
||||
- Data type: String
|
||||
|
||||
## Examples
|
||||
|
||||
The following examples demonstrate common `TrafficPermissions` CRD configuration patterns for specific use cases.
|
||||
|
||||
### Allow traffic to multiple ports
|
||||
|
||||
The following example configures traffic permissions to allow traffic when the `web` service makes a request to the `api` service on the `api` port or `admin` port.
|
||||
|
||||
```yaml
|
||||
apiVersion: auth.consul.hashicorp.com/v2beta1
|
||||
kind: TrafficPermissions
|
||||
metadata:
|
||||
name: api-allow-web-all
|
||||
spec:
|
||||
destination:
|
||||
identityName: "api"
|
||||
action: ACTION_ALLOW
|
||||
permissions:
|
||||
- sources:
|
||||
- identityName: "web"
|
||||
destinationRules:
|
||||
- portNames: ["api", "admin"]
|
||||
|
||||
```
|
||||
|
||||
### Deny traffic between a service and a specific port <EnterpriseAlert inline />
|
||||
|
||||
The following example configures traffic permissions to deny traffic when the `web` service makes a request to the `api` service on the `admin` port.
|
||||
This `ACTION_DENY` cannot be overridden by another `ACTION_ALLOW`.
|
||||
|
||||
```yaml
|
||||
apiVersion: auth.consul.hashicorp.com/v2beta1
|
||||
kind: TrafficPermissions
|
||||
metadata:
|
||||
name: web-to-admin-port-deny
|
||||
spec:
|
||||
destination:
|
||||
identityName: api
|
||||
action: ACTION_DENY
|
||||
permissions:
|
||||
- sources:
|
||||
- identityName: web
|
||||
destinationRules:
|
||||
- portNames: ["admin"]
|
||||
```
|
@ -1,113 +0,0 @@
|
||||
---
|
||||
layout: docs
|
||||
page_title: Split traffic between multi-port services
|
||||
description: Learn how to configure Consul to split TCP traffic between two ports of a multi-port service using the TCPRoute resource and the v2 catalog API
|
||||
---
|
||||
|
||||
# Split TCP traffic between multi-port services
|
||||
|
||||
<Warning>
|
||||
|
||||
The v2 catalog API is currently in beta. This documentation supports testing and development scenarios. Do not use the v2 catalog API in secure production environments.
|
||||
|
||||
</Warning>
|
||||
|
||||
This page describes the process for splitting TCP, HTTP, and gRPC traffic between two ports of a multi-port service. It includes an example TCPRoute resource configuration to demonstrate Consul's multi-port features.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Splitting traffic between two ports of a multi-port service requires the [v2 catalog API](/consul/docs/architecture/v2/catalog).
|
||||
|
||||
In addition, they are two different workflows for registering Services in Kubernetes using the v2 catalog API. The instructions on this page offer examples for two configuration methods:
|
||||
|
||||
- **Method 1**: Register a Kubernetes service that select workloads which expose multiple ports
|
||||
- **Method 2**: Register multiple Kubernetes Services that direct traffic to an explicit port on the same workload
|
||||
|
||||
For guidance on enabling the v2 catalog, deploying multi-port services using these methods, and applying traffic permissions to the services, refer to [configure multi-port services](/consul/docs/k8s/multiport/configure).
|
||||
|
||||
## Overview
|
||||
|
||||
Complete the following steps to implement a split in TCP traffic between two services:
|
||||
|
||||
1. Define the resource's behavior in a custom resource definition (CRD).
|
||||
1. Apply the resource to your cluster.
|
||||
|
||||
## Define route resource
|
||||
|
||||
The following example splits traffic for the `api` service. TCP traffic for services registered to the Consul catalog that are available at the `api-workload` port is split so that 50% of the traffic routes to the service at the `api-workload` port and 50% routes to the service at the `admin-workload` port.
|
||||
|
||||
<CodeBlockConfig filename="api-split.yaml">
|
||||
|
||||
```yaml
|
||||
apiVersion: mesh.consul.hashicorp.com/v2beta1
|
||||
kind: TCPRoute
|
||||
metadata:
|
||||
name: api-split
|
||||
spec:
|
||||
parentRefs:
|
||||
- ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
rules:
|
||||
- backendRefs:
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "api-workload" target port.
|
||||
port: "80"
|
||||
weight: 50
|
||||
- backendRef:
|
||||
ref:
|
||||
type:
|
||||
group: catalog
|
||||
groupVersion: v2beta1
|
||||
kind: Service
|
||||
name: api
|
||||
# The virtual port number for the "admin-workload" target port.
|
||||
port: "90"
|
||||
weight: 50
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
## Apply the resource
|
||||
|
||||
Use the `kubectl` command to apply the resource to your Consul cluster.
|
||||
|
||||
```shell-session
|
||||
$ kubectl apply -f api-split.yaml
|
||||
```
|
||||
|
||||
<Tabs>
|
||||
|
||||
<Tab heading="Method 1" group="method1">
|
||||
|
||||
Then, open a shell session in the `web` container and test the `api` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:90
|
||||
```
|
||||
|
||||
</Tab>
|
||||
|
||||
<Tab heading="Method 2" group="method2">
|
||||
|
||||
Then, open a shell session in the `web` container and test the `api-admin` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90
|
||||
```
|
||||
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
Half of the traffic should respond with the `hello world` response from port 80, instead of port 90's response of `hello world from 9090 admin`. Repeat the command several times to verify that you receive both responses.
|
Loading…
Reference in new issue