docs: document how envoy escape hatches work with the discovery chain (#6350)

- Bootstrap escape hatches are OK.
- Public listener/cluster escape hatches are OK.
- Upstream listener/cluster escape hatches are not supported.

If an unsupported escape hatch is configured and the discovery chain is
activated log a warning and act like it was not configured.

Fixes #6160
pull/6372/head
R.B. Boyer 2019-08-21 15:10:12 -05:00 committed by GitHub
parent 52041cc278
commit 7a6faccf2f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 67 additions and 10 deletions

View File

@ -235,6 +235,10 @@ func (s *Server) makeUpstreamClustersForDiscoveryChain(
s.Logger.Printf("[WARN] envoy: failed to parse Upstream[%s].Config: %s",
upstream.Identifier(), err)
}
if cfg.ClusterJSON != "" {
s.Logger.Printf("[WARN] envoy: ignoring escape hatch setting Upstream[%s].Config[%s] because a discovery chain for %q is configured",
upstream.Identifier(), "envoy_cluster_json", chain.ServiceName)
}
if chain == nil {
panic("chain must be provided")

View File

@ -17,10 +17,14 @@ type ProxyConfig struct {
// validation context will be injected overriding any TLS settings present. An
// AuthZ filter will also be prepended to each filterChain provided to enforce
// Connect's access control.
//
// Note: This escape hatch is compatible with the discovery chain.
PublicListenerJSON string `mapstructure:"envoy_public_listener_json"`
// LocalClusterJSON is a complete override ("escape hatch") for the
// local application cluster.
//
// Note: This escape hatch is compatible with the discovery chain.
LocalClusterJSON string `mapstructure:"envoy_local_cluster_json"`
// LocalConnectTimeoutMs is the number of milliseconds to timeout making a new
@ -105,11 +109,17 @@ func ParseMeshGatewayConfig(m map[string]interface{}) (MeshGatewayConfig, error)
type UpstreamConfig struct {
// ListenerJSON is a complete override ("escape hatch") for the upstream's
// listener.
//
// Note: This escape hatch is NOT compatible with the discovery chain and
// will be ignored if a discovery chain is active.
ListenerJSON string `mapstructure:"envoy_listener_json"`
// ClusterJSON is a complete override ("escape hatch") for the upstream's
// cluster. The Connect client TLS certificate and context will be injected
// overriding any TLS settings present.
//
// Note: This escape hatch is NOT compatible with the discovery chain and
// will be ignored if a discovery chain is active.
ClusterJSON string `mapstructure:"envoy_cluster_json"`
// Protocol describes the upstream's service protocol. Valid values are "tcp",

View File

@ -378,7 +378,6 @@ func (s *Server) makeUpstreamListenerForDiscoveryChain(
chain *structs.CompiledDiscoveryChain,
cfgSnap *proxycfg.ConfigSnapshot,
) (proto.Message, error) {
// TODO(rb): make the listener escape hatch work again
cfg, err := ParseUpstreamConfigNoDefaults(u.Config)
if err != nil {
// Don't hard fail on a config typo, just warn. The parse func returns
@ -386,6 +385,10 @@ func (s *Server) makeUpstreamListenerForDiscoveryChain(
s.Logger.Printf("[WARN] envoy: failed to parse Upstream[%s].Config: %s",
u.Identifier(), err)
}
if cfg.ListenerJSON != "" {
s.Logger.Printf("[WARN] envoy: ignoring escape hatch setting Upstream[%s].Config[%s] because a discovery chain for %q is configured",
u.Identifier(), "envoy_listener_json", chain.ServiceName)
}
addr := u.LocalBindAddress
if addr == "" {

View File

@ -9,8 +9,9 @@ description: |-
# L7 Traffic Management <sup>(beta)</sup>
-> **Note:** This feature is not compatible with the
[built-in proxy](/docs/connect/proxies/built-in.html)
or [native proxies](/docs/connect/native.html).
[built-in proxy](/docs/connect/proxies/built-in.html),
[native proxies](/docs/connect/native.html),
and some [Envoy proxy escape hatches](/docs/connect/proxies/envoy.html#escape-hatch-overrides).
Layer 7 traffic management allows operators to divide L7 traffic between
different

View File

@ -18,13 +18,13 @@ Consul can configure Envoy sidecars to proxy http/1.1, http2 or gRPC traffic at
L7 or any other tcp-based protocol at L4. Prior to Consul 1.5.0 Envoy proxies
could only proxy tcp at L4.
Currently configuration of additional L7 features is limited, however we have
plans to support a wider range of features in the next major release
cycle.
As an interim solution, you can add [custom Envoy configuration](#custom-configuration)
in the [proxy service definition](/docs/connect/registration/service-registration.html) allowing
you to use the more powerful features of Envoy.
Configuration of some [L7 features](/docs/connect/l7-traffic-management.html)
is possible via [configuration entries](/docs/agent/config_entries.html). If
you wish to use an Envoy feature not currently exposed through these config
entries as an interim solution, you can add [custom Envoy
configuration](#advanced-configuration) in the [proxy service
definition](/docs/connect/registration/service-registration.html) allowing you
to use the more powerful features of Envoy.
~> **Note:** When using Envoy with Consul and not using the [`consul connect envoy` command](/docs/commands/connect/envoy.html)
Envoy must be run with the `--max-obj-name-len` option set to `256` or greater.
@ -180,6 +180,7 @@ defaults that are inherited by all services.
- `protocol` - The protocol the service speaks. Connect's Envoy integration
currently supports the following `protocol` values:
- `tcp` - Unless otherwise specified this is the default, which causes Envoy
to proxy at L4. This provides all the security benefits of Connect's mTLS
and works for any TCP-based protocol. Load-balancing and metrics are
@ -199,10 +200,22 @@ defaults that are inherited by all services.
filter](https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/http_filters/grpc_http1_bridge_filter#config-http-filters-grpc-bridge)
that translates HTTP/1.1 calls into gRPC, and instruments
metrics with `gRPC-status` trailer codes.
~> **Note:** The protocol of a service should ideally be configured via the
[`protocol`](/docs/agent/config-entries/service-defaults.html#protocol)
field of a
[`service-defaults`](/docs/agent/config-entries/service-defaults.html)
config entry for the service. Configuring it in a
proxy config will not fully enable some [L7
features](/docs/connect/l7-traffic-management.html).
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
- `bind_address` - Override the address Envoy's public listener binds to. By
default Envoy will bind to the service address or 0.0.0.0 if there is not explicit address on the service registration.
- `bind_port` - Override the port Envoy's public listener binds to. By default
Envoy will bind to the service port.
- `local_connect_timeout_ms` - The number of milliseconds allowed to make
connections to the local application instance before timing out. Defaults to 5000
(5 seconds).
@ -216,10 +229,29 @@ definition](/docs/connect/registration/service-registration.html) or
- `protocol` - Same as above in main config but affects the listener setup for
the upstream.
~> **Note:** The protocol of a service should ideally be configured via the
[`protocol`](/docs/agent/config-entries/service-defaults.html#protocol)
field of a
[`service-defaults`](/docs/agent/config-entries/service-defaults.html)
config entry for the upstream destination service. Configuring it in a
proxy upstream config will not fully enable some [L7
features](/docs/connect/l7-traffic-management.html).
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
- `connect_timeout_ms` - The number of milliseconds to allow when making upstream
connections before timing out. Defaults to 5000
(5 seconds).
~> **Note:** The connection timeout for a service should ideally be
configured via the
[`connect_timeout`](/docs/agent/config-entries/service-resolver.html#connecttimeout)
field of a
[`service-resolver`](/docs/agent/config-entries/service-resolver.html)
config entry for the upstream destination service. Configuring it in a
proxy upstream config will override any values defined in config entries.
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
### Mesh Gateway Options <sup>(beta)</sup>
These fields may also be overridden explicitly in the [proxy service
@ -359,6 +391,13 @@ The following configuration items may be overridden directly in the
definition](/docs/connect/registration/service-registration.html) or
[`sidecar_service`](/docs/connect/registration/sidecar-service.html) block.
~> **Note:** - When a
[`service-router`](/docs/agent/config-entries/service-router.html),
[`service-splitter`](/docs/agent/config-entries/service-splitter.html), or
[`service-resolver`](/docs/agent/config-entries/service-resolver.html) config
entry exists for a service the below escape hatches are ignored and will log a
warning.
- `envoy_listener_json` - Specifies a complete
[Listener](https://www.envoyproxy.io/docs/envoy/v1.10.0/api-v2/api/v2/lds.proto)
to be delivered in place of the upstream listener that the proxy exposes to