diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx index c3981540a7..2843b2a43e 100644 --- a/website/content/docs/connect/proxies/envoy.mdx +++ b/website/content/docs/connect/proxies/envoy.mdx @@ -24,9 +24,9 @@ Consul can configure Envoy sidecars to proxy traffic over the following protocol On Consul 1.5.0 and older, Envoy proxies can only proxy TCP traffic at L4. -Some [L7 features](/docs/connect/l7-traffic) can be configured using [configuration entries](/docs/agent/config-entries). You can add [custom Envoy configurations](#advanced-configuration) to the [proxy service definition](/docs/connect/registration/service-registration) to use Envoy features that are not currently exposed through configuration entries. Adding custom Envoy configurations to the service definition is an interim solution that enables you to use the more powerful features of Envoy. +Some [L7 features](/consul/docs/connect/l7-traffic) can be configured using [configuration entries](/consul/docs/agent/config-entries). You can add [custom Envoy configurations](#advanced-configuration) to the [proxy service definition](/consul/docs/connect/registration/service-registration) to use Envoy features that are not currently exposed through configuration entries. Adding custom Envoy configurations to the service definition is an interim solution that enables you to use the more powerful features of Envoy. -~> **Note:** When using Envoy with Consul and not using the [`consul connect envoy` command](/commands/connect/envoy) +~> **Note:** When using Envoy with Consul and not using the [`consul connect envoy` command](/consul/commands/connect/envoy) Envoy must be run with the `--max-obj-name-len` option set to `256` or greater for Envoy versions prior to 1.11.0. ## Supported Versions @@ -78,7 +78,7 @@ The dynamic configuration Consul Connect provides to each Envoy instance include - Service-discovery results for upstreams to enable each sidecar proxy to load-balance outgoing connections. - L7 configuration including timeouts and protocol-specific options. -- Configuration to [expose specific HTTP paths](/docs/connect/registration/service-registration#expose-paths-configuration-reference). +- Configuration to [expose specific HTTP paths](/consul/docs/connect/registration/service-registration#expose-paths-configuration-reference). For more information on the parts of the Envoy proxy runtime configuration that are currently controllable via Consul Connect see [Dynamic @@ -94,8 +94,8 @@ responsibility for correctly configuring Envoy and ensuring version support etc. ## Intention Enforcement -[Intentions] are enforced using Envoy's RBAC filters. Depending on the -configured [protocol] of the proxied service, intentions are either enforced +[Intentions](/consul/docs/connect/intentions) are enforced using Envoy's RBAC filters. Depending on the +configured [protocol](/consul/docs/connect/config-entries/service-defaults#protocol) of the proxied service, intentions are either enforced per-connection (L4) using a network filter, or per-request (L7) using an HTTP filter. @@ -104,17 +104,17 @@ per-connection (L4) using an `ext_authz` network filter. ## Fetching Certificates -Envoy will use the [`CONSUL_HTTP_TOKEN`](/commands#consul_http_token) and [`CONSUL_HTTP_ADDR`](/commands#consul_http_addr) environment variables to contact Consul to fetch certificates if the following conditions are met: +Envoy will use the [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) and [`CONSUL_HTTP_ADDR`](/consul/commands#consul_http_addr) environment variables to contact Consul to fetch certificates if the following conditions are met: - The `CONSUL_HTTP_TOKEN` environment variable contains a Consul ACL token. - The Consul ACL token has the necessary permissions to read configuration for that service. If TLS is enabled on Consul, you will also need to add the following environment variables _prior_ to starting Envoy: -- [`CONSUL_CACERT`](/commands#consul_cacert) -- [`CONSUL_CLIENT_CERT`](/commands#consul_client_cert) -- [`CONSUL_CLIENT_KEY`](/commands#consul_client_key) -- [`CONSUL_HTTP_SSL`](/commands#consul_http_ssl) +- [`CONSUL_CACERT`](/consul/commands#consul_cacert) +- [`CONSUL_CLIENT_CERT`](/consul/commands#consul_client_cert) +- [`CONSUL_CLIENT_KEY`](//consulcommands#consul_client_key) +- [`CONSUL_HTTP_SSL`](/consul/commands#consul_http_ssl) ## Bootstrap Configuration @@ -122,27 +122,27 @@ Envoy requires an initial bootstrap configuration file. You can either create th ### Generate the bootstrap file on the Consul CLI -Connect to a local Consul client agent and run the [`consul connect envoy` command](/commands/connect/envoy) to create the Envoy bootstrap configuration. The command either outputs the bootstrap configuration directly to stdout or generates the configuration and issues an `exec` command to the Envoy binary as a convenience wrapper. For more information about using `exec` to bootstrap Envoy, refer to [Exec Security Details](/consul/commands/connect/envoy#exec-security-details). +Connect to a local Consul client agent and run the [`consul connect envoy` command](/consul/commands/connect/envoy) to create the Envoy bootstrap configuration. The command either outputs the bootstrap configuration directly to stdout or generates the configuration and issues an `exec` command to the Envoy binary as a convenience wrapper. For more information about using `exec` to bootstrap Envoy, refer to [Exec Security Details](/consul/commands/connect/envoy#exec-security-details). ### Generate the bootstrap file from Consul Dataplane -Consul Dataplane automatically configures and manages an Envoy process. Consul Dataplane generates the Envoy bootstrap configuration file prior to starting Envoy. To configure how Consul Dataplane starts Envoy, refer to the [Consul Dataplane CLI reference](/docs/connect/dataplane/consul-dataplane). +Consul Dataplane automatically configures and manages an Envoy process. Consul Dataplane generates the Envoy bootstrap configuration file prior to starting Envoy. To configure how Consul Dataplane starts Envoy, refer to the [Consul Dataplane CLI reference](/consul/docs/connect/dataplane/consul-dataplane). ### Control bootstrap configuration from proxy configuration Consul service mesh can control some parts of the bootstrap configuration by specifying Envoy proxy configuration options. Add the following configuration items to the [global `proxy-defaults` configuration -entry](/docs/connect/config-entries/proxy-defaults) or override them directly in the `proxy.config` -field of a [proxy service definition](/docs/connect/registration/service-registration). When +entry](/consul/docs/connect/config-entries/proxy-defaults) or override them directly in the `proxy.config` +field of a [proxy service definition](/consul/docs/connect/registration/service-registration). When connected to a Consul client agent, you can place the configuration in the `proxy.config` field of -the [`sidecar_service`](/docs/connect/registration/sidecar-service) block. +the [`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block. - `envoy_statsd_url` - A URL in the form `udp://ip:port` identifying a UDP StatsD listener that Envoy should deliver metrics to. For example, this may be `udp://127.0.0.1:8125` if every host has a local StatsD listener. In this case users can configure this property once in the [global `proxy-defaults` - configuration entry](/docs/connect/config-entries/proxy-defaults) for convenience. Currently, TCP is not supported. + configuration entry](/consul/docs/connect/config-entries/proxy-defaults) for convenience. Currently, TCP is not supported. ~> **Note:** currently the url **must use an ip address** not a dns name due to the way Envoy is setup for StatsD. @@ -156,7 +156,7 @@ the [`sidecar_service`](/docs/connect/registration/sidecar-service) block. pod in a Kubernetes cluster to learn of a pod-specific IP address for StatsD when the Envoy instance is bootstrapped while still allowing global configuration of all proxies to use StatsD in the [global `proxy-defaults` - configuration entry](/docs/connect/config-entries/proxy-defaults). The env + configuration entry](/consul/docs/connect/config-entries/proxy-defaults). The env variable must contain a full valid URL value as specified above and nothing else. - `envoy_dogstatsd_url` - The same as `envoy_statsd_url` with the following @@ -190,7 +190,7 @@ The [Advanced Configuration](#advanced-configuration) section describes addition ### Bootstrap Envoy on Windows VMs -> Complete the [Connect Services on Windows Workloads to Consul Service Mesh tutorial](https://learn.hashicorp.com/tutorials/consul/consul-windows-workloads?utm_source=docs) to learn how to deploy Consul and use its service mesh on Windows VMs. +> Complete the [Connect Services on Windows Workloads to Consul Service Mesh tutorial](/consu/tutorials/consul-windows-workloads?utm_source=docs) to learn how to deploy Consul and use its service mesh on Windows VMs. If you are running Consul on a Windows VM, attempting to bootstrap Envoy with the `consul connect envoy` command returns the following output: @@ -254,13 +254,13 @@ $ envoy -c bootstrap.json Consul automatically generates Envoy's dynamic configuration based on its knowledge of the cluster. Users may specify default configuration options for a service through the available fields in the [`service-defaults` configuration -entry](/docs/connect/config-entries/service-defaults). Consul will use this +entry](/consul/docs/connect/config-entries/service-defaults). Consul will use this information to configure appropriate proxy settings for that service's proxies and also for the upstream listeners used by the service. One example is how users can define a service's protocol in the `Protocol` field of [`service-defaults` configuration -entry](/docs/connect/config-entries/service-defaults). Agents with -[`enable_central_service_config`](/docs/agent/config/config-files#enable_central_service_config) +entry](/consul/docs/connect/config-entries/service-defaults). Agents with +[`enable_central_service_config`](/consul/docs/agent/config/config-files#enable_central_service_config) set to true will automatically discover the protocol when configuring a proxy for a service. The proxy will discover the main protocol of the service it represents and use this to configure its main public listener. It will also @@ -269,18 +269,18 @@ automatically configure its upstream listeners appropriately too as below. This automated discovery results in Consul auto-populating the `proxy.config` and `proxy.upstreams[*].config` fields of the [proxy service -definition](/docs/connect/registration/service-registration) that is +definition](/consul/docs/connect/registration/service-registration) that is actually registered. To learn about other options that can be configured centrally see the -[Configuration Entries](/docs/agent/config-entries) docs. +[Configuration Entries](/consul/docs/agent/config-entries) docs. ### Proxy Config Options These fields may also be overridden explicitly in `proxy.config` of the [proxy service -definition](/docs/connect/registration/service-registration), or defined in +definition](/consul/docs/connect/registration/service-registration), or defined in the [global `proxy-defaults` configuration -entry](/docs/connect/config-entries/proxy-defaults) to act as +entry](/consul/docs/connect/config-entries/proxy-defaults) to act as defaults that are inherited by all services. - `protocol` - The protocol the service speaks. Connect's Envoy integration @@ -307,12 +307,12 @@ defaults that are inherited by all services. metrics with `gRPC-status` trailer codes. ~> **Note:** The protocol of a service should ideally be configured via the - [`protocol`](/docs/connect/config-entries/service-defaults#protocol) + [`protocol`](/consul/docs/connect/config-entries/service-defaults#protocol) field of a - [`service-defaults`](/docs/connect/config-entries/service-defaults) + [`service-defaults`](/consul/docs/connect/config-entries/service-defaults) config entry for the service. Configuring it in a proxy config will not fully enable some [L7 - features](/docs/connect/l7-traffic). + features](/consul/docs/connect/l7-traffic). It is supported here for backwards compatibility with Consul versions prior to 1.6.0. - `bind_address` - Override the address Envoy's public listener binds to. By @@ -350,19 +350,19 @@ defaults that are inherited by all services. The following configuration items may be overridden directly in the `proxy.upstreams[].config` field of a [proxy service -definition](/docs/connect/registration/service-registration) or -[`sidecar_service`](/docs/connect/registration/sidecar-service) block. +definition](/consul/docs/connect/registration/service-registration) or +[`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block. - `protocol` - Same as above in main config but affects the listener setup for the upstream. ~> **Note:** The protocol of a service should ideally be configured via the - [`protocol`](/docs/connect/config-entries/service-defaults#protocol) + [`protocol`](/consul/docs/connect/config-entries/service-defaults#protocol) field of a - [`service-defaults`](/docs/connect/config-entries/service-defaults) + [`service-defaults`](/consul/docs/connect/config-entries/service-defaults) config entry for the upstream destination service. Configuring it in a proxy upstream config will not fully enable some [L7 - features](/docs/connect/l7-traffic). + features](/consul/docs/connect/l7-traffic). It is supported here for backwards compatibility with Consul versions prior to 1.6.0. - `connect_timeout_ms` - The number of milliseconds to allow when making upstream @@ -371,9 +371,9 @@ definition](/docs/connect/registration/service-registration) or ~> **Note:** The connection timeout for a service should ideally be configured via the - [`connect_timeout`](/docs/connect/config-entries/service-resolver#connecttimeout) + [`connect_timeout`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) field of a - [`service-resolver`](/docs/connect/config-entries/service-resolver) + [`service-resolver`](/consul/docs/connect/config-entries/service-resolver) config entry for the upstream destination service. Configuring it in a proxy upstream config will override any values defined in config entries. It is supported here for backwards compatibility with Consul versions prior to 1.6.0. @@ -416,9 +416,9 @@ definition](/docs/connect/registration/service-registration) or ### Gateway Options These fields may also be overridden explicitly in the [proxy service -definition](/docs/connect/registration/service-registration), or defined in +definition](/consul/docs/connect/registration/service-registration), or defined in the [global `proxy-defaults` configuration -entry](/docs/connect/config-entries/proxy-defaults) to act as +entry](/consul/docs/connect/config-entries/proxy-defaults) to act as defaults that are inherited by all services. Prior to 1.8.0 these settings were specific to Mesh Gateways. The deprecated @@ -428,7 +428,7 @@ will continue to be supported. - `connect_timeout_ms` - The number of milliseconds to allow when making upstream connections before timing out. Defaults to 5000 (5 seconds). If the upstream service has the configuration option - [`connect_timeout_ms`](/docs/connect/config-entries/service-resolver#connecttimeout) + [`connect_timeout_ms`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) set for the `service-resolver`, that timeout value will take precedence over this gateway option. @@ -588,12 +588,12 @@ EOF Users may add the following configuration items to the [global `proxy-defaults` configuration -entry](/docs/connect/config-entries/proxy-defaults) or +entry](/consul/docs/connect/config-entries/proxy-defaults) or override them directly in the `proxy.config` field of a [proxy service -definition](/docs/connect/registration/service-registration) or -[`sidecar_service`](/docs/connect/registration/sidecar-service) block. +definition](/consul/docs/connect/registration/service-registration) or +[`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block. -- `envoy_extra_static_clusters_json` - Specifies one or more [Envoy clusters][pb-cluster] +- `envoy_extra_static_clusters_json` - Specifies one or more [Envoy clusters](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto) that will be appended to the array of [static clusters](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-staticresources-clusters) in the bootstrap config. This enables you to add custom clusters for tracing sinks, @@ -631,7 +631,7 @@ definition](/docs/connect/registration/service-registration) or - `envoy_extra_static_listeners_json` - Similar to - `envoy_extra_static_clusters_json` but appends one or more [Envoy listeners][pb-listener] to the array of [static + `envoy_extra_static_clusters_json` but appends one or more [Envoy listeners](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto) to the array of [static listener](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-staticresources-listeners) definitions. Can be used to setup limited access that bypasses Connect mTLS or authorization for health checks or metrics. @@ -769,23 +769,23 @@ definition](/docs/connect/registration/service-registration) or Users may add the following configuration items to the [global `proxy-defaults` configuration -entry](/docs/connect/config-entries/proxy-defaults) or +entry](/consul/docs/connect/config-entries/proxy-defaults) or override them directly in the `proxy.config` field of a [proxy service -definition](/docs/connect/registration/service-registration) or -[`sidecar_service`](/docs/connect/registration/sidecar-service) block. +definition](/consul/docs/connect/registration/service-registration) or +[`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block. - `envoy_bootstrap_json_tpl` - Specifies a template in Go template syntax that is used in place of [the default template](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c6a55cf88fa2fc/command/connect/envoy/bootstrap_tpl.go#L129) when generating bootstrap via [`consul connect envoy` - command](/commands/connect/envoy). The variables that are available + command](/consul/commands/connect/envoy). The variables that are available to be interpolated are [documented here](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c6a55cf88fa2fc/command/connect/envoy/bootstrap_tpl.go#L5). This offers complete control of the proxy's bootstrap although major deviations from the default template may break Consul's ability to correctly manage the proxy or enforce its security model. -- `envoy_public_listener_json` - Specifies a complete [Envoy listener][pb-listener] +- `envoy_public_listener_json` - Specifies a complete [Envoy listener](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto) to be delivered in place of the main public listener that the proxy used to accept inbound connections. This will be used verbatim with the following exceptions: @@ -921,7 +921,7 @@ definition](/docs/connect/registration/service-registration) or -- `envoy_local_cluster_json` - Specifies a complete [Envoy cluster][pb-cluster] +- `envoy_local_cluster_json` - Specifies a complete [Envoy cluster](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto) to be delivered in place of the local application cluster. This allows customization of timeouts, rate limits, load balancing strategy etc. @@ -968,17 +968,17 @@ definition](/docs/connect/registration/service-registration) or The following configuration items may be overridden directly in the `proxy.upstreams[].config` field of a [proxy service -definition](/docs/connect/registration/service-registration) or -[`sidecar_service`](/docs/connect/registration/sidecar-service) block. +definition](/consul/docs/connect/registration/service-registration) or +[`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block. ~> **Note:** - When a -[`service-router`](/docs/connect/config-entries/service-router), -[`service-splitter`](/docs/connect/config-entries/service-splitter), or -[`service-resolver`](/docs/connect/config-entries/service-resolver) config +[`service-router`](/consul/docs/connect/config-entries/service-router), +[`service-splitter`](/consul/docs/connect/config-entries/service-splitter), or +[`service-resolver`](/consul/docs/connect/config-entries/service-resolver) config entry exists for a service the below escape hatches are ignored and will log a warning. -- `envoy_listener_json` - Specifies a complete [Listener][pb-listener] +- `envoy_listener_json` - Specifies a complete [Listener](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto) to be delivered in place of the upstream listener that the proxy exposes to the application for outbound connections. This will be used verbatim with the following exceptions: @@ -1062,7 +1062,7 @@ warning. ``` -- `envoy_cluster_json` - Specifies a complete [Envoy cluster][pb-cluster] +- `envoy_cluster_json` - Specifies a complete [Envoy cluster](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto) to be delivered in place of the discovered upstream cluster. This allows customization of timeouts, circuit breaking, rate limits, load balancing strategy etc. @@ -1094,10 +1094,4 @@ warning. } } ``` - - -[protocol]: /docs/connect/config-entries/service-defaults#protocol -[intentions]: /docs/connect/intentions -[intentions]: /docs/connect/intentions -[pb-cluster]: https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto -[pb-listener]: https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto + \ No newline at end of file