mirror of https://github.com/hashicorp/consul
Backport of docs: link fixes for Envoy proxy page into release/1.14.x (#16026)
* backport of commitpull/16027/head9ffd2063ba
* backport of commit6b3344481c
* backport of commit09ec40e48b
* backport of commitd3f1cf4eea
Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com>
parent
085cb1a207
commit
c625d55ad2
|
@ -24,9 +24,9 @@ Consul can configure Envoy sidecars to proxy traffic over the following protocol
|
||||||
|
|
||||||
On Consul 1.5.0 and older, Envoy proxies can only proxy TCP traffic at L4.
|
On Consul 1.5.0 and older, Envoy proxies can only proxy TCP traffic at L4.
|
||||||
|
|
||||||
Some [L7 features](/docs/connect/l7-traffic) can be configured using [configuration entries](/docs/agent/config-entries). You can add [custom Envoy configurations](#advanced-configuration) to the [proxy service definition](/docs/connect/registration/service-registration) to use Envoy features that are not currently exposed through configuration entries. Adding custom Envoy configurations to the service definition is an interim solution that enables you to use the more powerful features of Envoy.
|
Some [L7 features](/consul/docs/connect/l7-traffic) can be configured using [configuration entries](/consul/docs/agent/config-entries). You can add [custom Envoy configurations](#advanced-configuration) to the [proxy service definition](/consul/docs/connect/registration/service-registration) to use Envoy features that are not currently exposed through configuration entries. Adding custom Envoy configurations to the service definition is an interim solution that enables you to use the more powerful features of Envoy.
|
||||||
|
|
||||||
~> **Note:** When using Envoy with Consul and not using the [`consul connect envoy` command](/commands/connect/envoy)
|
~> **Note:** When using Envoy with Consul and not using the [`consul connect envoy` command](/consul/commands/connect/envoy)
|
||||||
Envoy must be run with the `--max-obj-name-len` option set to `256` or greater for Envoy versions prior to 1.11.0.
|
Envoy must be run with the `--max-obj-name-len` option set to `256` or greater for Envoy versions prior to 1.11.0.
|
||||||
|
|
||||||
## Supported Versions
|
## Supported Versions
|
||||||
|
@ -78,7 +78,7 @@ The dynamic configuration Consul Connect provides to each Envoy instance include
|
||||||
- Service-discovery results for upstreams to enable each sidecar proxy to load-balance
|
- Service-discovery results for upstreams to enable each sidecar proxy to load-balance
|
||||||
outgoing connections.
|
outgoing connections.
|
||||||
- L7 configuration including timeouts and protocol-specific options.
|
- L7 configuration including timeouts and protocol-specific options.
|
||||||
- Configuration to [expose specific HTTP paths](/docs/connect/registration/service-registration#expose-paths-configuration-reference).
|
- Configuration to [expose specific HTTP paths](/consul/docs/connect/registration/service-registration#expose-paths-configuration-reference).
|
||||||
|
|
||||||
For more information on the parts of the Envoy proxy runtime configuration
|
For more information on the parts of the Envoy proxy runtime configuration
|
||||||
that are currently controllable via Consul Connect see [Dynamic
|
that are currently controllable via Consul Connect see [Dynamic
|
||||||
|
@ -94,8 +94,8 @@ responsibility for correctly configuring Envoy and ensuring version support etc.
|
||||||
|
|
||||||
## Intention Enforcement
|
## Intention Enforcement
|
||||||
|
|
||||||
[Intentions] are enforced using Envoy's RBAC filters. Depending on the
|
[Intentions](/consul/docs/connect/intentions) are enforced using Envoy's RBAC filters. Depending on the
|
||||||
configured [protocol] of the proxied service, intentions are either enforced
|
configured [protocol](/consul/docs/connect/config-entries/service-defaults#protocol) of the proxied service, intentions are either enforced
|
||||||
per-connection (L4) using a network filter, or per-request (L7) using an HTTP
|
per-connection (L4) using a network filter, or per-request (L7) using an HTTP
|
||||||
filter.
|
filter.
|
||||||
|
|
||||||
|
@ -104,17 +104,17 @@ per-connection (L4) using an `ext_authz` network filter.
|
||||||
|
|
||||||
## Fetching Certificates
|
## Fetching Certificates
|
||||||
|
|
||||||
Envoy will use the [`CONSUL_HTTP_TOKEN`](/commands#consul_http_token) and [`CONSUL_HTTP_ADDR`](/commands#consul_http_addr) environment variables to contact Consul to fetch certificates if the following conditions are met:
|
Envoy will use the [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) and [`CONSUL_HTTP_ADDR`](/consul/commands#consul_http_addr) environment variables to contact Consul to fetch certificates if the following conditions are met:
|
||||||
|
|
||||||
- The `CONSUL_HTTP_TOKEN` environment variable contains a Consul ACL token.
|
- The `CONSUL_HTTP_TOKEN` environment variable contains a Consul ACL token.
|
||||||
- The Consul ACL token has the necessary permissions to read configuration for that service.
|
- The Consul ACL token has the necessary permissions to read configuration for that service.
|
||||||
|
|
||||||
If TLS is enabled on Consul, you will also need to add the following environment variables _prior_ to starting Envoy:
|
If TLS is enabled on Consul, you will also need to add the following environment variables _prior_ to starting Envoy:
|
||||||
|
|
||||||
- [`CONSUL_CACERT`](/commands#consul_cacert)
|
- [`CONSUL_CACERT`](/consul/commands#consul_cacert)
|
||||||
- [`CONSUL_CLIENT_CERT`](/commands#consul_client_cert)
|
- [`CONSUL_CLIENT_CERT`](/consul/commands#consul_client_cert)
|
||||||
- [`CONSUL_CLIENT_KEY`](/commands#consul_client_key)
|
- [`CONSUL_CLIENT_KEY`](//consulcommands#consul_client_key)
|
||||||
- [`CONSUL_HTTP_SSL`](/commands#consul_http_ssl)
|
- [`CONSUL_HTTP_SSL`](/consul/commands#consul_http_ssl)
|
||||||
|
|
||||||
## Bootstrap Configuration
|
## Bootstrap Configuration
|
||||||
|
|
||||||
|
@ -122,27 +122,27 @@ Envoy requires an initial bootstrap configuration file. You can either create th
|
||||||
|
|
||||||
### Generate the bootstrap file on the Consul CLI
|
### Generate the bootstrap file on the Consul CLI
|
||||||
|
|
||||||
Connect to a local Consul client agent and run the [`consul connect envoy` command](/commands/connect/envoy) to create the Envoy bootstrap configuration. The command either outputs the bootstrap configuration directly to stdout or generates the configuration and issues an `exec` command to the Envoy binary as a convenience wrapper. For more information about using `exec` to bootstrap Envoy, refer to [Exec Security Details](/consul/commands/connect/envoy#exec-security-details).
|
Connect to a local Consul client agent and run the [`consul connect envoy` command](/consul/commands/connect/envoy) to create the Envoy bootstrap configuration. The command either outputs the bootstrap configuration directly to stdout or generates the configuration and issues an `exec` command to the Envoy binary as a convenience wrapper. For more information about using `exec` to bootstrap Envoy, refer to [Exec Security Details](/consul/commands/connect/envoy#exec-security-details).
|
||||||
|
|
||||||
### Generate the bootstrap file from Consul Dataplane
|
### Generate the bootstrap file from Consul Dataplane
|
||||||
|
|
||||||
Consul Dataplane automatically configures and manages an Envoy process. Consul Dataplane generates the Envoy bootstrap configuration file prior to starting Envoy. To configure how Consul Dataplane starts Envoy, refer to the [Consul Dataplane CLI reference](/docs/connect/dataplane/consul-dataplane).
|
Consul Dataplane automatically configures and manages an Envoy process. Consul Dataplane generates the Envoy bootstrap configuration file prior to starting Envoy. To configure how Consul Dataplane starts Envoy, refer to the [Consul Dataplane CLI reference](/consul/docs/connect/dataplane/consul-dataplane).
|
||||||
|
|
||||||
### Control bootstrap configuration from proxy configuration
|
### Control bootstrap configuration from proxy configuration
|
||||||
|
|
||||||
Consul service mesh can control some parts of the bootstrap configuration by specifying Envoy proxy configuration options.
|
Consul service mesh can control some parts of the bootstrap configuration by specifying Envoy proxy configuration options.
|
||||||
|
|
||||||
Add the following configuration items to the [global `proxy-defaults` configuration
|
Add the following configuration items to the [global `proxy-defaults` configuration
|
||||||
entry](/docs/connect/config-entries/proxy-defaults) or override them directly in the `proxy.config`
|
entry](/consul/docs/connect/config-entries/proxy-defaults) or override them directly in the `proxy.config`
|
||||||
field of a [proxy service definition](/docs/connect/registration/service-registration). When
|
field of a [proxy service definition](/consul/docs/connect/registration/service-registration). When
|
||||||
connected to a Consul client agent, you can place the configuration in the `proxy.config` field of
|
connected to a Consul client agent, you can place the configuration in the `proxy.config` field of
|
||||||
the [`sidecar_service`](/docs/connect/registration/sidecar-service) block.
|
the [`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block.
|
||||||
|
|
||||||
- `envoy_statsd_url` - A URL in the form `udp://ip:port` identifying a UDP
|
- `envoy_statsd_url` - A URL in the form `udp://ip:port` identifying a UDP
|
||||||
StatsD listener that Envoy should deliver metrics to. For example, this may be
|
StatsD listener that Envoy should deliver metrics to. For example, this may be
|
||||||
`udp://127.0.0.1:8125` if every host has a local StatsD listener. In this case
|
`udp://127.0.0.1:8125` if every host has a local StatsD listener. In this case
|
||||||
users can configure this property once in the [global `proxy-defaults`
|
users can configure this property once in the [global `proxy-defaults`
|
||||||
configuration entry](/docs/connect/config-entries/proxy-defaults) for convenience. Currently, TCP is not supported.
|
configuration entry](/consul/docs/connect/config-entries/proxy-defaults) for convenience. Currently, TCP is not supported.
|
||||||
|
|
||||||
~> **Note:** currently the url **must use an ip address** not a dns name due
|
~> **Note:** currently the url **must use an ip address** not a dns name due
|
||||||
to the way Envoy is setup for StatsD.
|
to the way Envoy is setup for StatsD.
|
||||||
|
@ -156,7 +156,7 @@ the [`sidecar_service`](/docs/connect/registration/sidecar-service) block.
|
||||||
pod in a Kubernetes cluster to learn of a pod-specific IP address for StatsD
|
pod in a Kubernetes cluster to learn of a pod-specific IP address for StatsD
|
||||||
when the Envoy instance is bootstrapped while still allowing global
|
when the Envoy instance is bootstrapped while still allowing global
|
||||||
configuration of all proxies to use StatsD in the [global `proxy-defaults`
|
configuration of all proxies to use StatsD in the [global `proxy-defaults`
|
||||||
configuration entry](/docs/connect/config-entries/proxy-defaults). The env
|
configuration entry](/consul/docs/connect/config-entries/proxy-defaults). The env
|
||||||
variable must contain a full valid URL value as specified above and nothing else.
|
variable must contain a full valid URL value as specified above and nothing else.
|
||||||
|
|
||||||
- `envoy_dogstatsd_url` - The same as `envoy_statsd_url` with the following
|
- `envoy_dogstatsd_url` - The same as `envoy_statsd_url` with the following
|
||||||
|
@ -190,7 +190,7 @@ The [Advanced Configuration](#advanced-configuration) section describes addition
|
||||||
|
|
||||||
### Bootstrap Envoy on Windows VMs
|
### Bootstrap Envoy on Windows VMs
|
||||||
|
|
||||||
> Complete the [Connect Services on Windows Workloads to Consul Service Mesh tutorial](https://learn.hashicorp.com/tutorials/consul/consul-windows-workloads?utm_source=docs) to learn how to deploy Consul and use its service mesh on Windows VMs.
|
> Complete the [Connect Services on Windows Workloads to Consul Service Mesh tutorial](/consu/tutorials/consul-windows-workloads?utm_source=docs) to learn how to deploy Consul and use its service mesh on Windows VMs.
|
||||||
|
|
||||||
If you are running Consul on a Windows VM, attempting to bootstrap Envoy with the `consul connect envoy` command returns the following output:
|
If you are running Consul on a Windows VM, attempting to bootstrap Envoy with the `consul connect envoy` command returns the following output:
|
||||||
|
|
||||||
|
@ -254,13 +254,13 @@ $ envoy -c bootstrap.json
|
||||||
Consul automatically generates Envoy's dynamic configuration based on its
|
Consul automatically generates Envoy's dynamic configuration based on its
|
||||||
knowledge of the cluster. Users may specify default configuration options for
|
knowledge of the cluster. Users may specify default configuration options for
|
||||||
a service through the available fields in the [`service-defaults` configuration
|
a service through the available fields in the [`service-defaults` configuration
|
||||||
entry](/docs/connect/config-entries/service-defaults). Consul will use this
|
entry](/consul/docs/connect/config-entries/service-defaults). Consul will use this
|
||||||
information to configure appropriate proxy settings for that service's proxies
|
information to configure appropriate proxy settings for that service's proxies
|
||||||
and also for the upstream listeners used by the service.
|
and also for the upstream listeners used by the service.
|
||||||
|
|
||||||
One example is how users can define a service's protocol in the `Protocol` field of [`service-defaults` configuration
|
One example is how users can define a service's protocol in the `Protocol` field of [`service-defaults` configuration
|
||||||
entry](/docs/connect/config-entries/service-defaults). Agents with
|
entry](/consul/docs/connect/config-entries/service-defaults). Agents with
|
||||||
[`enable_central_service_config`](/docs/agent/config/config-files#enable_central_service_config)
|
[`enable_central_service_config`](/consul/docs/agent/config/config-files#enable_central_service_config)
|
||||||
set to true will automatically discover the protocol when configuring a proxy
|
set to true will automatically discover the protocol when configuring a proxy
|
||||||
for a service. The proxy will discover the main protocol of the service it
|
for a service. The proxy will discover the main protocol of the service it
|
||||||
represents and use this to configure its main public listener. It will also
|
represents and use this to configure its main public listener. It will also
|
||||||
|
@ -269,18 +269,18 @@ automatically configure its upstream listeners appropriately too as below.
|
||||||
|
|
||||||
This automated discovery results in Consul auto-populating the `proxy.config`
|
This automated discovery results in Consul auto-populating the `proxy.config`
|
||||||
and `proxy.upstreams[*].config` fields of the [proxy service
|
and `proxy.upstreams[*].config` fields of the [proxy service
|
||||||
definition](/docs/connect/registration/service-registration) that is
|
definition](/consul/docs/connect/registration/service-registration) that is
|
||||||
actually registered.
|
actually registered.
|
||||||
|
|
||||||
To learn about other options that can be configured centrally see the
|
To learn about other options that can be configured centrally see the
|
||||||
[Configuration Entries](/docs/agent/config-entries) docs.
|
[Configuration Entries](/consul/docs/agent/config-entries) docs.
|
||||||
|
|
||||||
### Proxy Config Options
|
### Proxy Config Options
|
||||||
|
|
||||||
These fields may also be overridden explicitly in `proxy.config` of the [proxy service
|
These fields may also be overridden explicitly in `proxy.config` of the [proxy service
|
||||||
definition](/docs/connect/registration/service-registration), or defined in
|
definition](/consul/docs/connect/registration/service-registration), or defined in
|
||||||
the [global `proxy-defaults` configuration
|
the [global `proxy-defaults` configuration
|
||||||
entry](/docs/connect/config-entries/proxy-defaults) to act as
|
entry](/consul/docs/connect/config-entries/proxy-defaults) to act as
|
||||||
defaults that are inherited by all services.
|
defaults that are inherited by all services.
|
||||||
|
|
||||||
- `protocol` - The protocol the service speaks. Connect's Envoy integration
|
- `protocol` - The protocol the service speaks. Connect's Envoy integration
|
||||||
|
@ -307,12 +307,12 @@ defaults that are inherited by all services.
|
||||||
metrics with `gRPC-status` trailer codes.
|
metrics with `gRPC-status` trailer codes.
|
||||||
|
|
||||||
~> **Note:** The protocol of a service should ideally be configured via the
|
~> **Note:** The protocol of a service should ideally be configured via the
|
||||||
[`protocol`](/docs/connect/config-entries/service-defaults#protocol)
|
[`protocol`](/consul/docs/connect/config-entries/service-defaults#protocol)
|
||||||
field of a
|
field of a
|
||||||
[`service-defaults`](/docs/connect/config-entries/service-defaults)
|
[`service-defaults`](/consul/docs/connect/config-entries/service-defaults)
|
||||||
config entry for the service. Configuring it in a
|
config entry for the service. Configuring it in a
|
||||||
proxy config will not fully enable some [L7
|
proxy config will not fully enable some [L7
|
||||||
features](/docs/connect/l7-traffic).
|
features](/consul/docs/connect/l7-traffic).
|
||||||
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
||||||
|
|
||||||
- `bind_address` - Override the address Envoy's public listener binds to. By
|
- `bind_address` - Override the address Envoy's public listener binds to. By
|
||||||
|
@ -350,19 +350,19 @@ defaults that are inherited by all services.
|
||||||
|
|
||||||
The following configuration items may be overridden directly in the
|
The following configuration items may be overridden directly in the
|
||||||
`proxy.upstreams[].config` field of a [proxy service
|
`proxy.upstreams[].config` field of a [proxy service
|
||||||
definition](/docs/connect/registration/service-registration) or
|
definition](/consul/docs/connect/registration/service-registration) or
|
||||||
[`sidecar_service`](/docs/connect/registration/sidecar-service) block.
|
[`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block.
|
||||||
|
|
||||||
- `protocol` - Same as above in main config but affects the listener setup for
|
- `protocol` - Same as above in main config but affects the listener setup for
|
||||||
the upstream.
|
the upstream.
|
||||||
|
|
||||||
~> **Note:** The protocol of a service should ideally be configured via the
|
~> **Note:** The protocol of a service should ideally be configured via the
|
||||||
[`protocol`](/docs/connect/config-entries/service-defaults#protocol)
|
[`protocol`](/consul/docs/connect/config-entries/service-defaults#protocol)
|
||||||
field of a
|
field of a
|
||||||
[`service-defaults`](/docs/connect/config-entries/service-defaults)
|
[`service-defaults`](/consul/docs/connect/config-entries/service-defaults)
|
||||||
config entry for the upstream destination service. Configuring it in a
|
config entry for the upstream destination service. Configuring it in a
|
||||||
proxy upstream config will not fully enable some [L7
|
proxy upstream config will not fully enable some [L7
|
||||||
features](/docs/connect/l7-traffic).
|
features](/consul/docs/connect/l7-traffic).
|
||||||
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
||||||
|
|
||||||
- `connect_timeout_ms` - The number of milliseconds to allow when making upstream
|
- `connect_timeout_ms` - The number of milliseconds to allow when making upstream
|
||||||
|
@ -371,9 +371,9 @@ definition](/docs/connect/registration/service-registration) or
|
||||||
|
|
||||||
~> **Note:** The connection timeout for a service should ideally be
|
~> **Note:** The connection timeout for a service should ideally be
|
||||||
configured via the
|
configured via the
|
||||||
[`connect_timeout`](/docs/connect/config-entries/service-resolver#connecttimeout)
|
[`connect_timeout`](/consul/docs/connect/config-entries/service-resolver#connecttimeout)
|
||||||
field of a
|
field of a
|
||||||
[`service-resolver`](/docs/connect/config-entries/service-resolver)
|
[`service-resolver`](/consul/docs/connect/config-entries/service-resolver)
|
||||||
config entry for the upstream destination service. Configuring it in a
|
config entry for the upstream destination service. Configuring it in a
|
||||||
proxy upstream config will override any values defined in config entries.
|
proxy upstream config will override any values defined in config entries.
|
||||||
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
It is supported here for backwards compatibility with Consul versions prior to 1.6.0.
|
||||||
|
@ -416,9 +416,9 @@ definition](/docs/connect/registration/service-registration) or
|
||||||
### Gateway Options
|
### Gateway Options
|
||||||
|
|
||||||
These fields may also be overridden explicitly in the [proxy service
|
These fields may also be overridden explicitly in the [proxy service
|
||||||
definition](/docs/connect/registration/service-registration), or defined in
|
definition](/consul/docs/connect/registration/service-registration), or defined in
|
||||||
the [global `proxy-defaults` configuration
|
the [global `proxy-defaults` configuration
|
||||||
entry](/docs/connect/config-entries/proxy-defaults) to act as
|
entry](/consul/docs/connect/config-entries/proxy-defaults) to act as
|
||||||
defaults that are inherited by all services.
|
defaults that are inherited by all services.
|
||||||
|
|
||||||
Prior to 1.8.0 these settings were specific to Mesh Gateways. The deprecated
|
Prior to 1.8.0 these settings were specific to Mesh Gateways. The deprecated
|
||||||
|
@ -428,7 +428,7 @@ will continue to be supported.
|
||||||
- `connect_timeout_ms` - The number of milliseconds to allow when making upstream
|
- `connect_timeout_ms` - The number of milliseconds to allow when making upstream
|
||||||
connections before timing out. Defaults to 5000 (5 seconds). If the upstream
|
connections before timing out. Defaults to 5000 (5 seconds). If the upstream
|
||||||
service has the configuration option
|
service has the configuration option
|
||||||
[`connect_timeout_ms`](/docs/connect/config-entries/service-resolver#connecttimeout)
|
[`connect_timeout_ms`](/consul/docs/connect/config-entries/service-resolver#connecttimeout)
|
||||||
set for the `service-resolver`, that timeout value will take precedence over
|
set for the `service-resolver`, that timeout value will take precedence over
|
||||||
this gateway option.
|
this gateway option.
|
||||||
|
|
||||||
|
@ -588,12 +588,12 @@ EOF
|
||||||
|
|
||||||
Users may add the following configuration items to the [global `proxy-defaults`
|
Users may add the following configuration items to the [global `proxy-defaults`
|
||||||
configuration
|
configuration
|
||||||
entry](/docs/connect/config-entries/proxy-defaults) or
|
entry](/consul/docs/connect/config-entries/proxy-defaults) or
|
||||||
override them directly in the `proxy.config` field of a [proxy service
|
override them directly in the `proxy.config` field of a [proxy service
|
||||||
definition](/docs/connect/registration/service-registration) or
|
definition](/consul/docs/connect/registration/service-registration) or
|
||||||
[`sidecar_service`](/docs/connect/registration/sidecar-service) block.
|
[`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block.
|
||||||
|
|
||||||
- `envoy_extra_static_clusters_json` - Specifies one or more [Envoy clusters][pb-cluster]
|
- `envoy_extra_static_clusters_json` - Specifies one or more [Envoy clusters](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto)
|
||||||
that will be appended to the array of [static
|
that will be appended to the array of [static
|
||||||
clusters](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-staticresources-clusters)
|
clusters](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-staticresources-clusters)
|
||||||
in the bootstrap config. This enables you to add custom clusters for tracing sinks,
|
in the bootstrap config. This enables you to add custom clusters for tracing sinks,
|
||||||
|
@ -631,7 +631,7 @@ definition](/docs/connect/registration/service-registration) or
|
||||||
</CodeBlockConfig>
|
</CodeBlockConfig>
|
||||||
|
|
||||||
- `envoy_extra_static_listeners_json` - Similar to
|
- `envoy_extra_static_listeners_json` - Similar to
|
||||||
`envoy_extra_static_clusters_json` but appends one or more [Envoy listeners][pb-listener] to the array of [static
|
`envoy_extra_static_clusters_json` but appends one or more [Envoy listeners](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto) to the array of [static
|
||||||
listener](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-staticresources-listeners) definitions.
|
listener](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-staticresources-listeners) definitions.
|
||||||
Can be used to setup limited access that bypasses Connect mTLS or
|
Can be used to setup limited access that bypasses Connect mTLS or
|
||||||
authorization for health checks or metrics.
|
authorization for health checks or metrics.
|
||||||
|
@ -769,23 +769,23 @@ definition](/docs/connect/registration/service-registration) or
|
||||||
|
|
||||||
Users may add the following configuration items to the [global `proxy-defaults`
|
Users may add the following configuration items to the [global `proxy-defaults`
|
||||||
configuration
|
configuration
|
||||||
entry](/docs/connect/config-entries/proxy-defaults) or
|
entry](/consul/docs/connect/config-entries/proxy-defaults) or
|
||||||
override them directly in the `proxy.config` field of a [proxy service
|
override them directly in the `proxy.config` field of a [proxy service
|
||||||
definition](/docs/connect/registration/service-registration) or
|
definition](/consul/docs/connect/registration/service-registration) or
|
||||||
[`sidecar_service`](/docs/connect/registration/sidecar-service) block.
|
[`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block.
|
||||||
|
|
||||||
- `envoy_bootstrap_json_tpl` - Specifies a template in Go template syntax that
|
- `envoy_bootstrap_json_tpl` - Specifies a template in Go template syntax that
|
||||||
is used in place of [the default
|
is used in place of [the default
|
||||||
template](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c6a55cf88fa2fc/command/connect/envoy/bootstrap_tpl.go#L129)
|
template](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c6a55cf88fa2fc/command/connect/envoy/bootstrap_tpl.go#L129)
|
||||||
when generating bootstrap via [`consul connect envoy`
|
when generating bootstrap via [`consul connect envoy`
|
||||||
command](/commands/connect/envoy). The variables that are available
|
command](/consul/commands/connect/envoy). The variables that are available
|
||||||
to be interpolated are [documented
|
to be interpolated are [documented
|
||||||
here](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c6a55cf88fa2fc/command/connect/envoy/bootstrap_tpl.go#L5).
|
here](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c6a55cf88fa2fc/command/connect/envoy/bootstrap_tpl.go#L5).
|
||||||
This offers complete control of the proxy's bootstrap although major
|
This offers complete control of the proxy's bootstrap although major
|
||||||
deviations from the default template may break Consul's ability to correctly
|
deviations from the default template may break Consul's ability to correctly
|
||||||
manage the proxy or enforce its security model.
|
manage the proxy or enforce its security model.
|
||||||
|
|
||||||
- `envoy_public_listener_json` - Specifies a complete [Envoy listener][pb-listener]
|
- `envoy_public_listener_json` - Specifies a complete [Envoy listener](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto)
|
||||||
to be delivered in place of the main public listener that the proxy used to
|
to be delivered in place of the main public listener that the proxy used to
|
||||||
accept inbound connections. This will be used verbatim with the following
|
accept inbound connections. This will be used verbatim with the following
|
||||||
exceptions:
|
exceptions:
|
||||||
|
@ -921,7 +921,7 @@ definition](/docs/connect/registration/service-registration) or
|
||||||
|
|
||||||
</CodeBlockConfig>
|
</CodeBlockConfig>
|
||||||
|
|
||||||
- `envoy_local_cluster_json` - Specifies a complete [Envoy cluster][pb-cluster]
|
- `envoy_local_cluster_json` - Specifies a complete [Envoy cluster](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto)
|
||||||
to be delivered in place of the local application cluster. This allows
|
to be delivered in place of the local application cluster. This allows
|
||||||
customization of timeouts, rate limits, load balancing strategy etc.
|
customization of timeouts, rate limits, load balancing strategy etc.
|
||||||
|
|
||||||
|
@ -968,17 +968,17 @@ definition](/docs/connect/registration/service-registration) or
|
||||||
|
|
||||||
The following configuration items may be overridden directly in the
|
The following configuration items may be overridden directly in the
|
||||||
`proxy.upstreams[].config` field of a [proxy service
|
`proxy.upstreams[].config` field of a [proxy service
|
||||||
definition](/docs/connect/registration/service-registration) or
|
definition](/consul/docs/connect/registration/service-registration) or
|
||||||
[`sidecar_service`](/docs/connect/registration/sidecar-service) block.
|
[`sidecar_service`](/consul/docs/connect/registration/sidecar-service) block.
|
||||||
|
|
||||||
~> **Note:** - When a
|
~> **Note:** - When a
|
||||||
[`service-router`](/docs/connect/config-entries/service-router),
|
[`service-router`](/consul/docs/connect/config-entries/service-router),
|
||||||
[`service-splitter`](/docs/connect/config-entries/service-splitter), or
|
[`service-splitter`](/consul/docs/connect/config-entries/service-splitter), or
|
||||||
[`service-resolver`](/docs/connect/config-entries/service-resolver) config
|
[`service-resolver`](/consul/docs/connect/config-entries/service-resolver) config
|
||||||
entry exists for a service the below escape hatches are ignored and will log a
|
entry exists for a service the below escape hatches are ignored and will log a
|
||||||
warning.
|
warning.
|
||||||
|
|
||||||
- `envoy_listener_json` - Specifies a complete [Listener][pb-listener]
|
- `envoy_listener_json` - Specifies a complete [Listener](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto)
|
||||||
to be delivered in place of the upstream listener that the proxy exposes to
|
to be delivered in place of the upstream listener that the proxy exposes to
|
||||||
the application for outbound connections. This will be used verbatim with the
|
the application for outbound connections. This will be used verbatim with the
|
||||||
following exceptions:
|
following exceptions:
|
||||||
|
@ -1062,7 +1062,7 @@ warning.
|
||||||
```
|
```
|
||||||
</CodeTabs>
|
</CodeTabs>
|
||||||
|
|
||||||
- `envoy_cluster_json` - Specifies a complete [Envoy cluster][pb-cluster]
|
- `envoy_cluster_json` - Specifies a complete [Envoy cluster](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto)
|
||||||
to be delivered in place of the discovered upstream cluster. This allows
|
to be delivered in place of the discovered upstream cluster. This allows
|
||||||
customization of timeouts, circuit breaking, rate limits, load balancing
|
customization of timeouts, circuit breaking, rate limits, load balancing
|
||||||
strategy etc.
|
strategy etc.
|
||||||
|
@ -1095,9 +1095,3 @@ warning.
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
</CodeTabs>
|
</CodeTabs>
|
||||||
|
|
||||||
[protocol]: /docs/connect/config-entries/service-defaults#protocol
|
|
||||||
[intentions]: /docs/connect/intentions
|
|
||||||
[intentions]: /docs/connect/intentions
|
|
||||||
[pb-cluster]: https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto
|
|
||||||
[pb-listener]: https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto
|
|
||||||
|
|
Loading…
Reference in New Issue