{#- Envoy front-proxy bootstrap template (v2 API), rendered through Jinja.
    `helper` is only used for helper.internal_cluster_definition() in the
    clusters loop further down; router_file_content() inlines whatever file is
    passed as router_file=... (the include path comes from the macro's kwargs).
    All `-%}` whitespace controls are load-bearing: they decide which newlines and
    leading spaces reach the YAML output. -#}
{% import 'routing_helper_v2.template.yaml' as helper -%}
{% macro router_file_content() -%}{% include kwargs['router_file'] -%}{% endmacro -%}
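{#- listener(): renders one static listener as a YAML mapping.
    Callers splice it in as a sequence entry, `- {{ listener(...)|indent(2) }}`,
    so the body is written at a 2-space indent: the macro tag's `-%}` strips the
    first line's leading spaces (the caller's `- ` supplies them) and `|indent(2)`
    shifts every following line to the same column. The `-%}` controls on the
    proxy_proto tags are what keep `use_remote_address` and `stat_prefix` on
    their own, correctly indented lines; do not "tidy" them.
    Parameters: protocol/address/port_value fill socket_address; proxy_proto
    enables PROXY-protocol handling on the chain; tls adds the server TLS context.
    Keyword-only: pin_double_proxy_client=True additionally requires a client
    certificate that chains to trusted_ca and matches the pinned hash.
    Fix in this revision: `stat_prefix` was listed twice in the connection-manager
    config (`router`, then `ingress_http`); YAML loaders keep the last key, so
    `ingress_http` was the value in effect and the dead `router` entry is gone. -#}
{% macro listener(protocol, address, port_value, proxy_proto, tls) -%}
  name: not_required_for_static_listeners
  address:
    socket_address:
      protocol: {{protocol}}
      address: {{address}}
      port_value: {{port_value}}
  filter_chains:
  {% if tls %}
  - tls_context:
      common_tls_context:
        # NOTE(review): alpn_protocols is declared `repeated` in the v2 proto; confirm the
        # target Envoy accepts this comma-joined scalar (list form would be ["h2", "http/1.1"]).
        alpn_protocols: h2,http/1.1
        tls_certificates:
        - certificate_chain:
            filename: certs/servercert.pem
          private_key:
            filename: certs/serverkey.pem
        {% if kwargs.get('pin_double_proxy_client', False) %}
        # Backhaul listener only: the peer must present a certificate that chains to
        # trusted_ca AND matches the pinned hash, so only the double proxy can complete
        # a handshake on this port.
        validation_context:
          trusted_ca:
            # NOTE(review): `.pm` differs from the `.pem` extension used for the server
            # cert/key above; this looks like a typo -- confirm against the deployed certs/.
            filename: certs/cacert.pm
          #This should be the hash of the /etc/envoy/envoy-double-proxy.pem cert used in the
          #double proxy configuration.
          # The all-zero value is a placeholder: until it is replaced no client certificate
          # can match and this listener rejects every handshake.
          verify_certificate_hash: "0000000000000000000000000000000000000000000000000000000000000000"
        {% endif %}
    {%if proxy_proto%}
    use_proxy_proto: true
    {%endif%}
  {%endif %}
    # NOTE(review): the `- ` that opens this filter_chains entry is emitted inside the
    # tls branch above, so tls=False would render `filters:` as a mapping directly under
    # filter_chains (invalid for a repeated field). Every current call site passes tls=True.
    filters:
    - name: envoy.http_connection_manager
      config:
        codec_type: AUTO
        # With PROXY protocol the connection's peer address is the real client, so use
        # it (use_remote_address) rather than a client-supplied x-forwarded-for.
        {% if proxy_proto -%}
        use_remote_address: true
        {%endif-%}
        stat_prefix: ingress_http
        route_config:
          {{ router_file_content(router_file='envoy_router_v2.template.yaml')|indent(10) }}
        http_filters:
        # Requests whose :path is exactly /healthcheck are answered by the proxy itself
        # (pass_through_mode: false); the method is not constrained here.
        - name: envoy.health_check
          config:
            pass_through_mode: false
            headers:
            - name: ":path"
              exact_match: "/healthcheck"
        # Whole-request buffering, bounded per request at 5242880 bytes (5 MiB) / 120s.
        - name: envoy.buffer
          config:
            max_request_bytes: 5242880
            max_request_time: 120s
        # Decisions come from the external rate limit service configured under the
        # top-level rate_limit_service; request_type: external presumably restricts the
        # check to requests not marked internal -- confirm against the filter docs.
        - name: envoy.rate_limit
          config:
            domain: envoy_front
            request_type: external
        - name: envoy.router
          config: {}
        add_user_agent: true
        tracing:
          operation_name: INGRESS
        idle_timeout: 840s
        # Error-only access log: 5xx responses, requests with duration >= 1000
        # (presumably milliseconds), or traced requests. Both thresholds can be
        # overridden at runtime through the runtime_key values.
        access_log:
        - name: envoy.file_access_log
          filter:
            or_filter:
              filters:
              - status_code_filter:
                  comparison:
                    op: GE
                    value:
                      default_value: 500
                      runtime_key: access_log.access_error.status
              - duration_filter:
                  comparison:
                    op: GE
                    value:
                      default_value: 1000
                      runtime_key: access_log.access_error.duration
              - traceable_filter: {}
          config:
            path: "/var/log/envoy/access_error.log"
            format: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%REQ(X-LYFT-USER-ID)%\" \"%RESP(GRPC-STATUS)%\"\n"
{% endmacro -%}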
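{#- Bootstrap body. Listener and cluster macros are spliced in at a 2-space
    indent with flush-style sequences, so each `- {{ ... }}` line must sit in the
    same column as its parent key and the `for`/`endfor` tags must keep their
    2-space lead (the spaces before `endfor` become the `- ` indent of every
    iteration after the first).
    Fix in this revision: the clusters loop iterated with `.iteritems()`, which
    only exists on Python 2 dicts; `.items()` renders identically on both
    Python 2 and 3. -#}
static_resources:
  listeners:
  # TCP listeners for public HTTP/HTTPS endpoints. Assumes a TCP LB in front such as ELB which
  # supports proxy proto.
  - {{ listener("TCP", "0.0.0.0", "9300", True, True)|indent(2) }}
  - {{ listener("TCP", "0.0.0.0", "9301", True, True)|indent(2) }}
  # TCP listener for backhaul traffic from the double proxy.
  # See envoy_double_proxy.template.json
  # This is the only listener that requires and pins a client certificate; it
  # should not be exposed through the public LB the way 9300/9301 are.
  - {{ listener("TCP", "0.0.0.0", "9400", True, True, pin_double_proxy_client=True)|indent(2) }}
  clusters:
  # v1 SDS endpoint polled via dynamic_resources.deprecated_v1 below.
  # NOTE(review): plain HTTP on port 80 with no tls_context, so the host data
  # learned from it is only as trustworthy as the network path -- confirm intended.
  - name: sds
    type: STRICT_DNS
    connect_timeout: 0.25s
    lb_policy: ROUND_ROBIN
    hosts:
    - socket_address:
        protocol: TCP
        # NOTE(review): "disccovery" reads like a typo of "discovery"; placeholder host either way.
        address: disccovery.yourcompany.net
        port_value: 80
  # Local statsd sink on loopback.
  - name: statsd
    type: STATIC
    connect_timeout: 0.25s
    lb_policy: ROUND_ROBIN
    hosts:
    - socket_address:
        protocol: TCP
        address: 127.0.0.1
        port_value: 8125
  # Tracing collector used by the top-level tracing block.
  # NOTE(review): targets port 443 with h2 but no tls_context is set on this cluster,
  # so Envoy would speak cleartext to it -- confirm whether an upstream TLS context was dropped.
  - name: lightstep_saas
    type: LOGICAL_DNS
    connect_timeout: 1s
    lb_policy: ROUND_ROBIN
    hosts:
    - socket_address:
        protocol: TCP
        address: collector-grpc.lightstep.com
        port_value: 443
    http2_protocol_options: {}
  # Per-service internal clusters from the generator's `clusters` mapping; the
  # `ratelimit` cluster referenced by rate_limit_service is expected to come from here.
  {% for service, options in clusters.items() -%}
  - {{ helper.internal_cluster_definition(service, options)|indent(2) }}
  {% endfor %}
dynamic_resources:
  deprecated_v1:
    sds_config:
      api_config_source:
        cluster_names:
        - sds
        refresh_delay: 30s
cluster_manager:
  outlier_detection:
    event_log_path: /var/log/envoy/outlier_events.log
flags_path: /etc/envoy/flags
rate_limit_service:
  grpc_service:
    envoy_grpc:
      cluster_name: ratelimit
tracing:
  http:
    name: envoy.lightstep
    config:
      collector_cluster: lightstep_saas
      # Token is read from a file at startup rather than inlined in the config.
      access_token_file: "/etc/envoy/lightstep_access_token"
runtime:
  symlink_root: /srv/runtime_data/current
  subdirectory: envoy
  override_subdirectory: envoy_override
# Admin endpoint (config dump, stats, runtime and draining controls) bound on
# all interfaces. Keep it unreachable from untrusted networks (host firewall /
# network policy), or bind it to loopback where remote access is not needed.
admin:
  access_log_path: /var/log/envoy/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 9901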