open-consul/website/source/docs/agent/config-entries/proxy-defaults.html.md
Freddy 5eace88ce2
Expose HTTP-based paths through Connect proxy (#6446)
Fixes: #5396

This PR adds a proxy configuration stanza called expose. These flags register
listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only
listening on the loopback interface, while still accepting traffic from non
Connect-enabled services.

Under expose there is a boolean checks flag that would automatically expose all
registered HTTP and gRPC check paths.

This stanza also accepts a paths list to expose individual paths. The primary
use case for this functionality would be to expose paths for third parties like
Prometheus or the kubelet.

Listeners for requests to exposed paths are be configured dynamically at run
time. Any time a proxy, or check can be registered, a listener can also be
created.

In this initial implementation requests to these paths are not
authenticated/encrypted.
2019-09-25 20:55:52 -06:00

3.8 KiB

layout page_title sidebar_current description
docs Configuration Entry Kind: Proxy Defaults docs-agent-cfg_entries-proxy_defaults The proxy-defaults config entry kind allows for configuring global config defaults across all services for Connect proxy configuration. Currently, only one global entry is supported.

Proxy Defaults

The proxy-defaults config entry kind allows for configuring global config defaults across all services for Connect proxy configuration. Currently, only one global entry is supported.

Sample Config Entries

Set the default protocol for all sidecar proxies:

kind = "proxy-defaults"
name = "global"
config {
  protocol = "http"
}

Set proxy-specific defaults:

kind = "proxy-defaults"
name = "global"
config {
  local_connect_timeout_ms = 1000
  handshake_timeout_ms = 10000
}

Available Fields

  • Kind - Must be set to proxy-defaults

  • Name - Must be set to global

  • Config (map[string]arbitrary) - An arbitrary map of configuration values used by Connect proxies. The available configurations depend on the Connect proxy you use. Any values that your proxy allows can be configured globally here. To explore these options please see the documentation for your chosen proxy.

  • MeshGateway (MeshGatewayConfig: <optional>) - Controls the default mesh gateway configuration for all proxies. Added in v1.6.0.

    • Mode (string: "") - One of none, local, or remote.
  • Expose (ExposeConfig: <optional>) - Controls the default expose path configuration for Envoy. Added in v1.6.2.

    Exposing paths through Envoy enables a service to protect itself by only listening on localhost, while still allowing non-Connect-enabled applications to contact an HTTP endpoint. Some examples include: exposing a /metrics path for Prometheus or /healthz for kubelet liveness checks.

    • Checks (bool: false) - If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy. Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's advertise address. The port for these listeners are dynamically allocated from expose_min_port to expose_max_port. This flag is useful when a Consul client cannot reach registered services over localhost. One example is when running Consul on Kubernetes, and Consul agents run in their own pods.
    • Paths array<Path>: [] - A list of paths to expose through Envoy.
      • Path (string: "") - The HTTP path to expose. The path must be prefixed by a slash. ie: /metrics.
      • LocalPathPort (int: 0) - The port where the local service is listening for connections to the path.
      • ListenerPort (int: 0) - The port where the proxy will listen for connections. This port must be available for the listener to be set up. If the port is not free then Envoy will not expose a listener for the path, but the proxy registration will not fail.
      • Protocol (string: "http") - Sets the protocol of the listener. One of http or http2. For gRPC use http2.

ACLs

Configuration entries may be protected by ACLs.

Reading a proxy-defaults config entry requires no specific privileges.

Creating, updating, or deleting a proxy-defaults config entry requires operator:write.