mirror of https://github.com/hashicorp/consul
204 lines
7.3 KiB
Markdown
204 lines
7.3 KiB
Markdown
---
|
|
layout: docs
|
|
page_title: Configure Envoy proxy properties
|
|
description: Learn how to use the property-override extension for Envoy proxies to set and remove individual properties for the Envoy resources Consul generates.
|
|
---
|
|
|
|
# Configure Envoy proxy properties
|
|
|
|
This topic describes how to use the `property-override` extension to set and remove individual properties for the Envoy resources Consul generates. The extension uses the [protoreflect](https://pkg.go.dev/google.golang.org/protobuf/reflect/protoreflect), which enables Consul to dynamically manipulate messages.
|
|
|
|
## Workflow
|
|
|
|
- Complete the following steps to use the `property-override` extension:
|
|
- Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry.
|
|
- Apply the configuration entry.
|
|
|
|
!> **Security warning**: The property override extension is an advanced feature capable of introducing unintended consequences or reducing cluster security if used incorrectly. Consul does not enforce TLS retention, intentions, or other security-critical components of the Envoy configuration. Additionally, Consul does not verify that the configuration does not contain errors that affect service traffic.
|
|
|
|
## Add the `EnvoyExtensions`
|
|
|
|
Add Envoy extension configurations to a proxy defaults or service defaults configuration entry. Place the extension configuration in an `EnvoyExtensions` block in the configuration entry.
|
|
|
|
- When you configure Envoy extensions on proxy defaults, they apply to every service.
|
|
- When you configure Envoy extensions on service defaults, they apply to a specific service.
|
|
|
|
Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.
|
|
|
|
In the following service defaults configuration entry example, Consul adds a new `/upstream_connection_options/tcp_keepalive/keepalive_probes-5` field to each of the proxy's cluster configuration for the outbound `db`service upstream. The configuration applies to all `connect-proxy` proxies with services configured to communicate over HTTP:
|
|
|
|
<Tabs>
|
|
<Tab heading="HCL" group="hcl">
|
|
<CodeBlockConfig filename="property-override-extension-service-defaults.hcl">
|
|
|
|
```hcl
|
|
Kind = "service-defaults"
|
|
Name = "global"
|
|
Protocol = "http"
|
|
EnvoyExtensions = [
|
|
{
|
|
Name = "builtin/property-override"
|
|
Arguments = {
|
|
ProxyType = "connect-proxy",
|
|
Patches = [
|
|
{
|
|
ResourceFilter = {
|
|
ResourceType = "cluster",
|
|
TrafficDirection = "outbound"
|
|
Services = [{
|
|
Name = "other-svc"
|
|
}],
|
|
Op = "add"
|
|
Path = "/upstream_connection_options/tcp_keepalive/keepalive_probes",
|
|
Value = 5,
|
|
}
|
|
]
|
|
}
|
|
]
|
|
```
|
|
</CodeBlockConfig>
|
|
</Tab>
|
|
|
|
<Tab heading="JSON" group="json">
|
|
<CodeBlockConfig filename="property-override-extension-service-defaults.json">
|
|
|
|
```json
|
|
"kind": "service-defaults",
|
|
"name": "global",
|
|
"protocol": "http",
|
|
"envoy_extensions": [{
|
|
"name": "builtin/property-override",
|
|
"arguments": {
|
|
"proxyType": "connect-proxy",
|
|
"patches": [{
|
|
"resourceFilter": {
|
|
"resourceType": "cluster",
|
|
"trafficDirection": "outbound",
|
|
"services": [{ "name": "other-svc" }],
|
|
"op": "add",
|
|
"path": "/upstream_connection_options/tcp_keepalive/keepalive_probes",
|
|
"value": 5
|
|
}
|
|
}]
|
|
}
|
|
}]
|
|
```
|
|
</CodeBlockConfig>
|
|
</Tab>
|
|
<Tab heading="Kubernetes" group="kubernetes">
|
|
<CodeBlockConfig filename="property-override-extension-proxy-defaults.yaml">
|
|
|
|
```yaml
|
|
apiversion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceDefaults
|
|
metadata:
|
|
name: global
|
|
spec:
|
|
protocol: http
|
|
envoyExtensions:
|
|
name = "builtin/property-override"
|
|
arguments:
|
|
proxyType: "connect-proxy",
|
|
patches:
|
|
- resourceFilter:
|
|
resourceType: "cluster"
|
|
trafficDirection: "outbound"
|
|
services:
|
|
- name: "other-svc"
|
|
op: "add"
|
|
path: "/upstream_connection_options/tcp_keepalive/keepalive_probes",
|
|
value: 5
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
</Tab>
|
|
</Tabs>
|
|
|
|
|
|
Refer to the [property override configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override) for details on how to configure the extension.
|
|
|
|
Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries.
|
|
|
|
!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases.
|
|
|
|
### Constructing paths
|
|
|
|
To target the properties for an Envoy resource type, you must specify the path where the properties exist in the [`Path` field](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override#patches-path) of the property override extension configuration. Set the `Path` field to an empty or partially invalid string when saving the configuration entry and Consul returns an error with a list of supported fields for the first unrecognized segment of the path. By default, Consul only returns the first ten fields, but you can set the [`Debug` field](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override#debug) to `true` to direct Consul to output all possible fields.
|
|
|
|
In the following example, Consul outputs the top-level fields available for the Envoy cluster resource:
|
|
|
|
```hcl
|
|
Kind = "service-defaults"
|
|
Name = "api"
|
|
EnvoyExtensions = [
|
|
{
|
|
Name = "builtin/property-override"
|
|
Arguments = {
|
|
ProxyType = "connect-proxy"
|
|
Patches = [
|
|
{
|
|
ResourceFilter = {
|
|
ResourceType = "cluster"
|
|
TrafficDirection = "outbound"
|
|
}
|
|
Op = "add"
|
|
Path = ""
|
|
Value = 5
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
```
|
|
|
|
After applying the configuration entry, Consul prints a message that includes the possible fields for the resource:
|
|
|
|
```shell-session
|
|
$ consul config write api.hcl
|
|
non-empty, non-root Path is required. available cluster fields:
|
|
/outlier_detection
|
|
/outlier_detection/enforcing_consecutive_5xx
|
|
/outlier_detection/failure_percentage_request_volume
|
|
/round_robin_lb_config
|
|
/round_robin_lb_config/slow_start_config
|
|
```
|
|
|
|
You can use the output to help you construct the appropriate value for the `Path` field. For example:
|
|
|
|
```shell-session
|
|
$ consul config write api.hcl | grep round_robin
|
|
/round_robin_lb_config
|
|
```
|
|
|
|
|
|
|
|
|
|
## Apply the configuration entry
|
|
|
|
If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry.
|
|
|
|
<Tabs>
|
|
<Tab heading="HCL" group="hcl">
|
|
|
|
```shell-session
|
|
$ consul config write property-override-extension-service-defaults.hcl
|
|
```
|
|
|
|
</Tab>
|
|
<Tab heading="JSON" group="json">
|
|
|
|
```shell-session
|
|
$ consul config write property-override-extension-service-defaults.json
|
|
|
|
```
|
|
|
|
</Tab>
|
|
<Tab heading="Kubernetes" group="kubernetes">
|
|
|
|
```shell-session
|
|
$ kubectl apply property-override-extension-service-defaults.yaml
|
|
```
|
|
|
|
</Tab>
|
|
</Tabs>
|