Service Defaults Configuration Reference

This topic describes how to configure service defaults configuration entries. The service defaults configuration entry contains common configuration settings for service mesh services, such as upstreams and gateways. Refer to Define service defaults for usage information.

Configuration model

The following outline shows how to format the service defaults configuration entry. Click on a property name to view details about the configuration.

Complete configuration

When every field is defined, a service-defaults configuration entry has the following form:

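  # Example service-defaults entry with every field set. The values are
  # illustrative, not defaults; see the Specification section for each field.
  Kind = "service-defaults"
  Name = "service_name"
  Namespace = "namespace"
  Partition = "partition"
  Meta = {
    Key = "value"
  }
  # Overrides the global protocol from proxy-defaults for this service.
  Protocol = "tcp"
  # Only "exact_balance" is supported; omit to leave inbound connections unbalanced.
  BalanceInboundConnections = "exact_balance"
  # "transparent" configures Envoy as if traffic is already redirected; it does
  # not set up the redirection itself.
  Mode = "transparent"
  UpstreamConfig = {
    # Overrides is a list: one entry per upstream whose settings differ from Defaults.
    Overrides = [
      {
        # Avoid the "*" wildcard so the override is not applied to unintended upstreams.
        Name = "name-of-upstreams-to-override"
        Namespace = "namespace-containing-upstreams-to-override"
        # The "*" wildcard is not supported for Peer.
        Peer = "peer-name-of-upstream-service"
        Protocol = "http"
        ConnectTimeoutMs = 100
        MeshGateway = {
          Mode = "remote"
        }
        BalanceOutboundConnections = "exact_balance"
        Limits = {
          MaxConnections = 10
          MaxPendingRequests = 50
          MaxConcurrentRequests = 100
        }
        PassiveHealthCheck = {
          Interval = "5s"
          MaxFailures = 5
          # Percentage (0-100) of outlier detections that eject the host.
          EnforcingConsecutive5xx = 99
        }
      }
    ]
    # Defaults apply to every upstream not matched by an override.
    Defaults = {
      Protocol = "http2"
      ConnectTimeoutMs = 2000
      MeshGateway = {
        Mode = "local"
      }
      BalanceOutboundConnections = "exact_balance"
      Limits = {
        MaxConnections = 100
        MaxPendingRequests = 500
        MaxConcurrentRequests = 1000
      }
      PassiveHealthCheck = {
        Interval = "1s"
        MaxFailures = 1
        EnforcingConsecutive5xx = 89
      }
    }
  }
  TransparentProxy = {
    # Must match the port that outbound application traffic is redirected to.
    OutboundListenerPort = 15002
    DialedDirectly = true
  }
  # "permissive" also accepts non-mTLS traffic on the service port; use it only
  # while onboarding a service, and prefer "strict" otherwise.
  MutualTLSMode = "strict"
  # Destination is used for traffic through terminating gateways; wildcards are
  # not supported in Addresses.
  Destination = {
    Addresses = [
      "First IP address",
      "Second IP address"
    ]
    Port = 88
  }
  MaxInboundConnections = 100
  LocalConnectTimeoutMs = 10
  LocalRequestTimeoutMs = 10
  MeshGateway = {
    Mode = "remote"
  }
  ExternalSNI = "sni-server-host"
  Expose = {
    # true exposes all HTTP and gRPC checks registered with the agent on
    # dynamically allocated listener ports reachable from localhost or the
    # agent's advertise_addr.
    Checks = true
    Paths = [
      {
        # Path must start with "/".
        Path = "/local/dir"
        LocalPathPort = 99
        ListenerPort = 98
        Protocol = "http2"
      }
    ]
  }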
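  # Example ServiceDefaults CRD with every field set. Placeholder values in
  # <angle brackets> must be replaced; see the Specification section.
  apiVersion: consul.hashicorp.com/v1alpha1
  kind: ServiceDefaults
  metadata:
    name: <name of the service you are configuring>
    # Ignored by Consul OSS.
    namespace: <Consul Enterprise namespace>
  spec:
    # Overrides the global protocol from ProxyDefaults for this service.
    protocol: tcp
    # Only exact_balance is supported; omit to leave inbound connections unbalanced.
    balanceInboundConnections: exact_balance
    # transparent configures Envoy as if traffic is already redirected; it does
    # not set up the redirection itself.
    mode: transparent
    upstreamConfig:
      # One list entry per upstream whose settings differ from defaults.
      overrides:
        - name: <name of upstream>
          namespace: <namespace containing upstream - Consul Enterprise>
          # The * wildcard is not supported for peer.
          peer: <peer name of the upstream service>
          protocol: <protocol for the upstream listener>
          connectTimeoutMs: 5000
          meshGateway:
            mode: <type of mesh gateway>
          balanceOutboundConnections: exact_balance
          limits:
            maxConnections: 0
            maxPendingRequests: 0
            maxConcurrentRequests: 0
          passiveHealthCheck:
            interval: 0s
            maxFailures: 0
            # Percentage (0-100) of outlier detections that eject the host.
            enforcingConsecutive5xx: 100
      # defaults apply to every upstream not matched by an override.
      defaults:
        protocol: <protocol for the upstream listener>
        connectTimeoutMs: 5000
        meshGateway:
          mode: <type of mesh gateway>
        balanceOutboundConnections: exact_balance
        limits:
          maxConnections: 0
          maxPendingRequests: 0
          maxConcurrentRequests: 0
        passiveHealthCheck:
          interval: 0s
          maxFailures: 0
          enforcingConsecutive5xx: 100
    transparentProxy:
      # Must match the port that outbound application traffic is redirected to.
      outboundListenerPort: 15001
      dialedDirectly: false
    # permissive also accepts non-mTLS traffic on the service port; use it only
    # while onboarding a service, and prefer strict otherwise.
    mutualTLSMode: strict
    destination:
      # Each address is its own list item; wildcards are not supported.
      addresses:
        - <First hostname or IP address>
        - <Second hostname or IP address>
      port: 0
    maxInboundConnections: 0
    meshGateway:
      mode: <type of mesh gateway>
    externalSNI: <name of TLS SNI outside of the mesh>
    expose:
      # true exposes all HTTP and gRPC checks registered with the agent.
      checks: false
      paths:
        - path: <HTTP path to expose through Envoy>
          localPathPort: 0
          listenerPort: 0
          protocol: http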
  1. {
  2. "apiVersion": "consul.hashicorp.com/v1alpha1",
  3. "kind": "ServiceDefaults",
  4. "metadata": {
  5. "name": "<name of the service you are configuring>",
  6. "namespace": "<Consul Enterprise namespace>",
  7. "partition": "<Consul Enterprise admin partition>"
  8. },
  9. "spec": {
  10. "protocol": "tcp",
  11. "balanceInboundConnections": "exact_balance",
  12. "mode": "transparent",
  13. "upstreamConfig": {
  14. "overrides": [
  15. {
  16. "name": "<name of upstream>",
  17. "namespace": "<namespace containing upstream - Consul Enterprise>",
  18. "peer": "<peer name of the upstream service>",
  19. "protocol": "<protocol for the upstream listener>",
  20. "connectTimeoutMs": 5000,
  21. "meshGateway": {
  22. "mode": "<type of mesh gateway>"
  23. },
  24. "balanceOutboundConnections": "exact_balance",
  25. "limits": {
  26. "maxConnections": 0,
  27. "maxPendingRequests": 0,
  28. "maxConcurrentRequests": 0
  29. },
  30. "passiveHealthCheck": {
  31. "interval": "0s",
  32. "maxFailures": 0,
  33. "enforcingConsecutive5xx": 100
  34. }
  35. }
  36. ],
  37. "defaults": {
  38. "protocol": "<protocol for the upstream listener>",
  39. "connectTimeoutMs": 5000,
  40. "meshGateway": {
  41. "mode": "<type of mesh gateway>"
  42. },
  43. "balanceOutboundConnections": "exact_balance",
  44. "limits": {
  45. "maxConnections": 0,
  46. "maxPendingRequests": 0,
  47. "maxConcurrentRequests": 0
  48. },
  49. "passiveHealthCheck": {
  50. "interval": "0s",
  51. "maxFailures": 0,
  52. "enforcingConsecutive5xx": 100
  53. }
  54. }
  55. },
  56. "transparentProxy": {
  57. "outboundListenerPort": 15001,
  58. "dialedDirectly": false
  59. },
  60. "mutualTLSMode": "strict",
  61. "destination": {
  62. "addresses": [
  63. "<First hostname or IP address>",
  64. "<Second hostname or IP address>"
  65. ],
  66. "port": 0
  67. },
  68. "maxInboundConnections": 0,
  69. "meshGateway": {
  70. "mode": "<type of mesh gateway>"
  71. },
  72. "externalSNI": "<name of TLS SNI outside of the mesh>",
  73. "expose": {
  74. "checks": false,
  75. "paths": [
  76. {
  77. "path": "<HTTP path to expose through Envoy>",
  78. "localPathPort": 0,
  79. "listenerPort": 0,
  80. "protocol": "http"
  81. }
  82. ]
  83. }
  84. }
  85. }

Specification

This section provides details about the fields you can configure in the service defaults configuration entry.

Kind

Specifies the configuration entry type.

Values

  • Default: none
  • This field is required.
  • Data type: String value that must be set to service-defaults.

Name

Specifies the name of the service you are setting the defaults for.

Values

  • Default: none
  • This field is required.
  • Data type: string

Namespace

Specifies the Consul namespace that the configuration entry applies to.

Values

  • Default: default
  • Data type: string

Partition

Specifies the name of the Consul admin partition that the configuration entry applies to. Refer to Admin Partitions for additional information.

Values

  • Default: default
  • Data type: string

Meta

Specifies a set of custom key-value pairs to add to the Consul KV store.

Values

  • Default: none
  • Data type: Map of one or more key-value pairs.
    • keys: string
    • values: string, integer, or float

Protocol

Specifies the default protocol for the service. In service mesh use cases, the protocol configuration is required to enable the following features and components:

You can set the global protocol for proxies in the proxy-defaults configuration entry, but the protocol specified in the service-defaults configuration entry overrides the proxy-defaults configuration.

Values

  • Default: tcp
  • You can specify one of the following string values:

Refer to Set the default protocol for an example configuration.

BalanceInboundConnections

Specifies the strategy for allocating inbound connections to the service across Envoy proxy threads. The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

Values

  • Default: none
  • Data type: string

Mode

Specifies a mode for how the service directs inbound and outbound traffic.

  • Default: none
  • You can specify the following string values:
    • direct: The proxy’s listeners must be dialed directly by the local application and other proxies.
    • transparent: The service captures inbound and outbound traffic and redirects it through the proxy. The mode does not enable the traffic redirection. It instructs Consul to configure Envoy as if traffic is already being redirected.

UpstreamConfig

Controls default upstream connection settings and custom overrides for individual upstream services. If your network contains federated datacenters, individual upstream configurations apply to all pairs of source and upstream destination services in the network. Refer to the following fields for details:

Values

  • Default: none
  • Data type: map

UpstreamConfig.Overrides[]

Specifies options that override the default upstream configurations for individual upstreams.

Values

  • Default: none
  • Data type: list

UpstreamConfig.Overrides[].Name

Specifies the name of the upstream service that the configuration applies to. We recommend that you do not use the * wildcard to avoid applying the configuration to unintended upstreams.

Values

  • Default: none
  • Data type: string

UpstreamConfig.Overrides[].Namespace

Specifies the namespace containing the upstream service that the configuration applies to. Do not use the * wildcard to prevent the configuration from applying to unintended upstreams.

Values

  • Default: none
  • Data type: string

UpstreamConfig.Overrides[].Peer

Specifies the peer name of the upstream service that the configuration applies to. The * wildcard is not supported.

Values

  • Default: none
  • Data type: string

UpstreamConfig.Overrides[].Protocol

Specifies the protocol to use for requests to the upstream listener.

We recommend configuring the protocol in the main Protocol field of the configuration entry so that you can leverage L7 features. Setting the protocol in an upstream configuration limits L7 management functionality.

Values

  • Default: none
  • Data type: string

UpstreamConfig.Overrides[].ConnectTimeoutMs

Specifies how long in milliseconds that the service should attempt to establish an upstream connection before timing out.

We recommend configuring the upstream timeout in the connection_timeout field of the service-resolver configuration entry for the upstream destination service. Doing so enables you to leverage L7 features. Configuring the timeout in the service-defaults upstream configuration limits L7 management functionality.

Values

  • Default: 5000
  • Data type: integer

UpstreamConfig.Overrides[].MeshGateway

Map that contains the default mesh gateway mode field for the upstream. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

Values

  • Default: none
  • You can specify the following string values for the mode field:
    • none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
    • local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
    • remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

UpstreamConfig.Overrides[].BalanceOutboundConnections

Sets the strategy for allocating outbound connections from the upstream across Envoy proxy threads.

Values

The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

  • Default: none
  • Data type: string

UpstreamConfig.Overrides[].Limits

Map that specifies a set of limits to apply when connecting to individual upstream services.

Values

The following table describes limits you can configure:

| Limit | Description | Data type | Default |
| --- | --- | --- | --- |
| MaxConnections | Specifies the maximum number of connections a service instance can establish against the upstream. Define this limit for HTTP/1.1 traffic. | integer | 0 |
| MaxPendingRequests | Specifies the maximum number of requests that are queued while waiting for a connection to establish. An L7 protocol must be defined in the protocol field for this limit to take effect. | integer | 0 |
| MaxConcurrentRequests | Specifies the maximum number of concurrent requests. Define this limit for HTTP/2 traffic. An L7 protocol must be defined in the protocol field for this limit to take effect. | integer | 0 |

Refer to the upstream configuration example for additional guidance.

UpstreamConfig.Overrides[].PassiveHealthCheck

Map that specifies a set of rules that enable Consul to remove hosts from the upstream cluster that are unreachable or that return errors.

Values

The following table describes passive health check parameters you can configure:

| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| Interval | Specifies the time between checks. | string | 0s |
| MaxFailures | Specifies the number of consecutive failures allowed per check interval. If exceeded, Consul removes the host from the load balancer. | integer | 0 |
| EnforcingConsecutive5xx | Specifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range. | integer | 100 |

UpstreamConfig.Defaults

Specifies configurations that set default upstream settings. For information about overriding the default configurations for individual upstreams, refer to UpstreamConfig.Overrides.

Values

  • Default: none
  • Data type: map

UpstreamConfig.Defaults.Protocol

Specifies default protocol for upstream listeners.

We recommend configuring the protocol in the main Protocol field of the configuration entry so that you can leverage L7 features. Setting the protocol in an upstream configuration limits L7 management functionality.

  • Default: none
  • Data type: string

UpstreamConfig.Defaults.ConnectTimeoutMs

Specifies how long in milliseconds that all services should continue attempting to establish an upstream connection before timing out.

For non-Kubernetes environments, we recommend configuring the upstream timeout in the connection_timeout field of the service-resolver configuration entry for the upstream destination service. Doing so enables you to leverage L7 features. Configuring the timeout in the service-defaults upstream configuration limits L7 management functionality.

  • Default: 5000
  • Data type: integer

UpstreamConfig.Defaults.MeshGateway

Specifies the default mesh gateway mode field for all upstreams. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

You can specify the following string values for the mode field:

  • none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
  • local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
  • remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

UpstreamConfig.Defaults.BalanceOutboundConnections

Sets the strategy for allocating outbound connections from upstreams across Envoy proxy threads. The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

  • Default: none
  • Data type: string

UpstreamConfig.Defaults.Limits

Map that specifies a set of limits to apply when connecting to upstream services. The following table describes limits you can configure:

| Limit | Description | Data type | Default |
| --- | --- | --- | --- |
| MaxConnections | Specifies the maximum number of connections a service instance can establish against the upstream. Define this limit for HTTP/1.1 traffic. | integer | 0 |
| MaxPendingRequests | Specifies the maximum number of requests that are queued while waiting for a connection to establish. An L7 protocol must be defined in the protocol field for this limit to take effect. | integer | 0 |
| MaxConcurrentRequests | Specifies the maximum number of concurrent requests. Define this limit for HTTP/2 traffic. An L7 protocol must be defined in the protocol field for this limit to take effect. | integer | 0 |

UpstreamConfig.Defaults.PassiveHealthCheck

Map that specifies a set of rules that enable Consul to remove hosts from the upstream cluster that are unreachable or that return errors. The following table describes the health check parameters you can configure:

| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| Interval | Specifies the time between checks. | string | 0s |
| MaxFailures | Specifies the number of consecutive failures allowed per check interval. If exceeded, Consul removes the host from the load balancer. | integer | 0 |
| EnforcingConsecutive5xx | Specifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range. | integer | 100 |

TransparentProxy

Controls configurations specific to proxies in transparent mode. Refer to Transparent Proxy for additional information.

You can configure the following parameters in the TransparentProxy block:

| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| OutboundListenerPort | Specifies the port that the proxy listens on for outbound traffic. This must be the same port number where outbound application traffic is redirected. | integer | 15001 |
| DialedDirectly | Enables transparent proxies to dial the proxy instance's IP address directly when set to true. Transparent proxies commonly dial upstreams at the "virtual" tagged address, which load balances across instances. Dialing individual instances can be helpful for stateful services, such as a database cluster with a leader. | boolean | false |

MutualTLSMode

Controls whether mutual TLS is required for incoming connections to this service. This setting is only supported for services with transparent proxy enabled. We recommend only using permissive mode if necessary while onboarding services to the service mesh.

You can specify the following string values for the MutualTLSMode field:

  • “”: When this field is empty, the value is inherited from the proxy-defaults config entry.
  • strict: The sidecar proxy requires mutual TLS for incoming traffic.
  • permissive: The sidecar proxy accepts mutual TLS traffic on the sidecar proxy service port, and accepts any traffic on the destination service’s port.

EnvoyExtensions

List of extensions to modify Envoy proxy configuration. Refer to Envoy Extensions for additional information.

You can configure the following parameters in the EnvoyExtensions block:

| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| Name | Name of the extension. | string | "" |
| Required | When Required is true and the extension does not update any Envoy resources, an error is returned. Use this parameter to ensure that extensions required for secure communication are not unintentionally bypassed. | string | "" |
| Arguments | Arguments to pass to the extension executable. | map | nil |

Destination[]

Configures the destination for service traffic through terminating gateways. Refer to Terminating Gateway for additional information.

You can configure the following parameters in the Destination block:

| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| Addresses | Specifies a list of addresses for the destination. You can configure a list of hostnames and IP addresses. Wildcards are not supported. | list | none |
| Port | Specifies the port number of the destination. | integer | 0 |

MaxInboundConnections

Specifies the maximum number of concurrent inbound connections to each service instance.

  • Default: 0
  • Data type: integer

LocalConnectTimeoutMs

Specifies the number of milliseconds allowed for establishing connections to the local application instance before timing out.

  • Default: 5000
  • Data type: integer

LocalRequestTimeoutMs

Specifies the timeout for HTTP requests to the local application instance. Applies to HTTP-based protocols only. If not specified, inherits the Envoy default for route timeouts.

  • Default: Inherits 15s from Envoy as the default
  • Data type: string

MeshGateway

Specifies the default mesh gateway mode field for the service. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

You can specify the following string values for the mode field:

  • none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
  • local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
  • remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

ExternalSNI

Specifies the TLS server name indication (SNI) when federating with an external system.

  • Default: none
  • Data type: string

Expose

Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to listen on localhost only. Applications that are not Consul service mesh-enabled can still contact an HTTP endpoint. Refer to Expose Paths Configuration Reference for additional information and example configurations.

  • Default: none
  • Data type: map

Expose.Checks

Exposes all HTTP and gRPC checks registered with the agent if set to true. Envoy exposes listeners for the checks and only accepts connections originating from localhost or Consul’s advertise_addr. The ports for the listeners are dynamically allocated from the agent’s expose_min_port and expose_max_port configurations.

We recommend enabling the Checks configuration when a Consul client cannot reach registered services over localhost, such as when Consul agents run in their own pods in Kubernetes.

  • Default: false
  • Data type: boolean

Expose.Paths[]

Specifies a list of configuration maps that define paths to expose through Envoy when Expose.Checks is set to true. You can configure the following parameters for each map in the list:

| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| Path | Specifies the HTTP path to expose. You must prepend the path with a forward slash (/). | string | none |
| LocalPathPort | Specifies the port where the local service listens for connections to the path. | integer | 0 |
| ListenerPort | Specifies the port where the proxy listens for connections. The port must be available. If the port is unavailable, Envoy does not expose a listener for the path and the proxy registration still succeeds. | integer | 0 |
| Protocol | Specifies the protocol of the listener. You can configure one of the following values: http; http2 (use with gRPC traffic). | string | http |

    apiVersion

    Specifies the version of the Consul API for integrating with Kubernetes. The value must be consul.hashicorp.com/v1alpha1. The apiVersion field is not supported for non-Kubernetes deployments.

    • Default: none
    • This field is required.
    • String value that must be set to consul.hashicorp.com/v1alpha1.

    kind

    Specifies the configuration entry type. Must be ServiceDefaults.

    • Required: required
    • String value that must be set to ServiceDefaults.

    metadata

    Map that contains the service name, namespace, and admin partition that the configuration entry applies to.

    Values

    metadata.name

    Specifies the name of the service you are setting the defaults for.

    Values

    • Default: none
    • This field is required
    • Data type: string

    metadata.namespace

    Specifies the Consul namespace that the configuration entry applies to. Refer to Consul Enterprise for information about how Consul namespaces map to Kubernetes Namespaces. Open source Consul distributions (Consul OSS) ignore the metadata.namespace configuration.

    • Default: default
    • Data type: string

    spec

    Map that contains the details about the ServiceDefaults configuration entry. The apiVersion, kind, and metadata fields are siblings of the spec field. All other configurations are children.

    spec.protocol

    Specifies the default protocol for the service. In service mesh use cases, the protocol configuration is required to enable the following features and components:

    You can set the global protocol for proxies in the ProxyDefaults configuration entry, but the protocol specified in the ServiceDefaults configuration entry overrides the ProxyDefaults configuration.

    Values

    • Default: tcp
    • You can specify one of the following string values:

    Refer to Set the default protocol for an example configuration.

    spec.balanceInboundConnections

    Specifies the strategy for allocating inbound connections to the service across Envoy proxy threads. The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

    Values

    • Default: none
    • Data type: string

    spec.mode

    Specifies a mode for how the service directs inbound and outbound traffic.

    Values

    • Default: none

    • Required: optional

    • You can specify the following string values:

    • direct: The proxy’s listeners must be dialed directly by the local application and other proxies.

    • transparent: The service captures inbound and outbound traffic and redirects it through the proxy. The mode does not enable the traffic redirection. It instructs Consul to configure Envoy as if traffic is already being redirected.

    spec.upstreamConfig

    Specifies a map that controls default upstream connection settings and custom overrides for individual upstream services. If your network contains federated datacenters, individual upstream configurations apply to all pairs of source and upstream destination services in the network.

    Values

    spec.upstreamConfig.overrides[]

    Specifies options that override the default upstream configurations for individual upstreams.

    Values

    • Default: none
    • Data type: list

    spec.upstreamConfig.overrides[].name

    Specifies the name of the upstream service that the configuration applies to. Do not use the * wildcard to prevent the configuration from applying to unintended upstreams.

    Values

    • Default: none
    • Data type: string

    spec.upstreamConfig.overrides[].namespace

    Specifies the namespace containing the upstream service that the configuration applies to. Do not use the * wildcard to prevent the configuration from applying to unintended upstreams.

    Values

    • Default: none
    • Data type: string

    spec.upstreamConfig.overrides[].peer

    Specifies the peer name of the upstream service that the configuration applies to. The * wildcard is not supported.

    Values

    • Default: none
    • Data type: string

    spec.upstreamConfig.overrides[].protocol

    Specifies the protocol to use for requests to the upstream listener. We recommend configuring the protocol in the main protocol field of the configuration entry so that you can leverage L7 features. Setting the protocol in an upstream configuration limits L7 management functionality.

    Values

    • Default: inherits the main protocol configuration
    • Data type: string

    spec.upstreamConfig.overrides[].connectTimeoutMs

    Specifies how long in milliseconds that the service should attempt to establish an upstream connection before timing out.

    We recommend configuring the upstream timeout in the connectTimeout field of the ServiceResolver CRD for the upstream destination service. Doing so enables you to leverage L7 features. Configuring the timeout in the ServiceDefaults upstream configuration limits L7 management functionality.

    Values

    • Default: 5000
    • Data type: integer

    spec.upstreamConfig.overrides[].meshGateway.mode

    Map that contains the default mesh gateway mode field for the upstream. Refer to Connect Proxy Configuration in the mesh gateway documentation for additional information.

    Values

    You can specify the following string values for the mode field:

    • none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
    • local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
    • remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

    spec.upstreamConfig.overrides[].balanceOutboundConnections

    Sets the strategy for allocating outbound connections from the upstream across Envoy proxy threads. The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

    Values

    • Default: none
    • Data type: string

    spec.upstreamConfig.overrides[].limits

    Map that specifies a set of limits to apply when connecting to individual upstream services.

    Values

    The following table describes limits you can configure:

    | Limit | Description | Data type | Default |
    | --- | --- | --- | --- |
    | maxConnections | Specifies the maximum number of connections a service instance can establish against the upstream. Define this limit for HTTP/1.1 traffic. | integer | 0 |
    | maxPendingRequests | Specifies the maximum number of requests that are queued while waiting for a connection to establish. An L7 protocol must be defined in the protocol field for this limit to take effect. | integer | 0 |
    | maxConcurrentRequests | Specifies the maximum number of concurrent requests. Define this limit for HTTP/2 traffic. An L7 protocol must be defined in the protocol field for this limit to take effect. | integer | 0 |

    spec.upstreamConfig.overrides[].passiveHealthCheck

    Map that specifies a set of rules that enable Consul to remove hosts from the upstream cluster that are unreachable or that return errors.

    Values

    The following table describes passive health check parameters you can configure:

    | Parameter | Description | Data type | Default |
    | --- | --- | --- | --- |
    | interval | Specifies the time between checks. | string | 0s |
    | maxFailures | Specifies the number of consecutive failures allowed per check interval. If exceeded, Consul removes the host from the load balancer. | integer | 0 |
    | enforcingConsecutive5xx | Specifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range. | integer | 100 |

    spec.upstreamConfig.defaults

    Map of configurations that set default upstream configurations for the service. For information about overriding the default configurations for individual upstreams, refer to spec.upstreamConfig.overrides.

    Values

    • Default: none
    • Data type: map

    spec.upstreamConfig.defaults.protocol

    Specifies default protocol for upstream listeners. We recommend configuring the protocol in the main Protocol field of the configuration entry so that you can leverage L7 features. Setting the protocol in an upstream configuration limits L7 management functionality.

    Values

    • Default: none
    • Data type: string

    spec.upstreamConfig.defaults.connectTimeoutMs

    Specifies how long in milliseconds that all services should continue attempting to establish an upstream connection before timing out.

    We recommend configuring the upstream timeout in the connectTimeout field of the ServiceResolver CRD for upstream destination services. Doing so enables you to leverage L7 features. Configuring the timeout in the ServiceDefaults upstream configuration limits L7 management functionality.

    Values

    • Default: 5000
    • Data type: integer

    spec.upstreamConfig.defaults.meshGateway.mode

    Specifies the default mesh gateway mode field for all upstreams. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

    Values

    You can specify the following string values for the mode field:

    • none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
    • local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
    • remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

    spec.upstreamConfig.defaults.balanceOutboundConnections

    Sets the strategy for allocating outbound connections from upstreams across Envoy proxy threads. The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

    Values

    • Default: none
    • Data type: string

    spec.upstreamConfig.defaults.limits

    Map that specifies a set of limits to apply when connecting to upstream services.

    Values

    The following table describes limits you can configure:

    LimitDescriptionData typeDefault
    maxConnectionsSpecifies the maximum number of connections a service instance can establish against the upstream. Define this limit for HTTP/1.1 traffic.integer0
    maxPendingRequestsSpecifies the maximum number of requests that are queued while waiting for a connection to establish. An L7 protocol must be defined in the protocol field for this limit to take effect.integer0
    maxConcurrentRequestsSpecifies the maximum number of concurrent requests. Define this limit for HTTP/2 traffic. An L7 protocol must be defined in the protocol field for this limit to take effect.integer0

    spec.upstreamConfig.defaults.passiveHealthCheck

    Map that specifies a set of rules that enable Consul to remove hosts from the upstream cluster that are unreachable or that return errors.

    Values

    The following table describes the health check parameters you can configure:

    LimitDescriptionData typeDefault
    intervalSpecifies the time between checks.string0s
    maxFailuresSpecifies the number of consecutive failures allowed per check interval. If exceeded, Consul removes the host from the load balancer.integer0
    enforcingConsecutive5xxSpecifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range.integer100

    spec.transparentProxy

    Map of configurations specific to proxies in transparent mode. Refer to Transparent Proxy for additional information.

    Values

    You can configure the following parameters in the TransparentProxy block:

    ParameterDescriptionData typeDefault
    outboundListenerPortSpecifies the port that the proxy listens on for outbound traffic. This must be the same port number where outbound application traffic is redirected.integer15001
    dialedDirectlyEnables transparent proxies to dial the proxy instance’s IP address directly when set to true. Transparent proxies commonly dial upstreams at the “virtual” tagged address, which load balances across instances. Dialing individual instances can be helpful for stateful services, such as a database cluster with a leader.booleanfalse

    spec.mutualTLSMode

    Controls whether mutual TLS is required for incoming connections to this service. This setting is only supported for services with transparent proxy enabled. Because permissive mode accepts traffic that is not authenticated with mutual TLS on the destination service’s port, we recommend using it only when necessary, and only temporarily, while onboarding services to the service mesh.

    Values

    You can specify the following string values for the MutualTLSMode field:

    • “”: When this field is empty, the value is inherited from the proxy-defaults config entry.
    • strict: The sidecar proxy requires mutual TLS for incoming traffic.
    • permissive: The sidecar proxy accepts mutual TLS traffic on the sidecar proxy service port, and accepts any traffic on the destination service’s port.

    spec.envoyExtensions

    List of extensions to modify Envoy proxy configuration. Refer to Envoy Extensions for additional information.

    Values

    You can configure the following parameters in the EnvoyExtensions block:

    ParameterDescriptionData typeDefault
    nameName of the extension.string“”
    requiredWhen Required is true and the extension does not update any Envoy resources, an error is returned. Use this parameter to ensure that extensions required for secure communication are not unintentionally bypassed.string“”
    argumentsArguments to pass to the extension executable.mapnil

    spec.destination

    Map of configurations that specify one or more destinations for service traffic routed through terminating gateways. Refer to Terminating Gateway for additional information.

    Values

    You can configure the following parameters in the Destination block:

    ParameterDescriptionData typeDefault
    addressesSpecifies a list of addresses for the destination. You can configure a list of hostnames and IP addresses. Wildcards are not supported.listnone
    portSpecifies the port number of the destination.integer0

    spec.maxInboundConnections

    Specifies the maximum number of concurrent inbound connections to each service instance.

    Values

    • Default: 0
    • Data type: integer

    spec.localConnectTimeoutMs

    Specifies the number of milliseconds allowed for establishing connections to the local application instance before timing out.

    Values

    • Default: 5000
    • Data type: integer

    spec.localRequestTimeoutMs

    Specifies the timeout for HTTP requests to the local application instance. Applies to HTTP-based protocols only. If not specified, inherits the Envoy default for route timeouts.

    Values

    • Default of 15s is inherited from Envoy
    • Data type: string

    spec.meshGateway.mode

    Specifies the default mesh gateway mode field for the service. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

    Values

    You can specify the following string values for the mode field:

    • none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
    • local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
    • remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

    spec.externalSNI

    Specifies the TLS server name indication (SNI) when federating with an external system.

    Values

    • Default: none
    • Data type: string

    spec.expose

    Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to listen on localhost only. Applications that are not Consul service mesh-enabled can still contact an HTTP endpoint. Refer to Expose Paths Configuration Reference for additional information and example configurations.

    Values

    • Default: none
    • Data type: string

    spec.expose.checks

    Exposes all HTTP and gRPC checks registered with the agent if set to true. Envoy exposes listeners for the checks and only accepts connections originating from localhost or Consul’s advertise_addr. The ports for the listeners are dynamically allocated from the agent’s expose_min_port and expose_max_port configurations.

    We recommend enabling the Checks configuration when a Consul client cannot reach registered services over localhost, such as when Consul agents run in their own pods in Kubernetes.

    Values

    • Default: false
    • Data type: boolean

    spec.expose.paths[]

    Specifies a list of maps that define paths to expose through Envoy when spec.expose.checks is set to true.

    Values

    The following table describes the parameters for each map:

    ParameterDescriptionData typeDefault
    pathSpecifies the HTTP path to expose. You must prepend the path with a forward slash (/).stringnone
    localPathPortSpecifies the port where the local service listens for connections to the path.integer0
    listenPortSpecifies the port where the proxy listens for connections. The port must be available. If the port is unavailable, Envoy does not expose a listener for the path and the proxy registration still succeeds.integer0
    protocolSpecifies the protocol of the listener. You can configure one of the following values: http, or http2 for gRPC traffic.stringhttp

    Example configurations

    The following examples describe common service-defaults configurations.

    Set the default protocol

    In the following example, the protocol for the web service in the default namespace is set to http:

    1. Kind = "service-defaults"
    2. Name = "web"
    3. Namespace = "default"
    4. Protocol = "http"
    1. apiVersion: consul.hashicorp.com/v1alpha1
    2. kind: ServiceDefaults
    3. metadata:
    4. name: web
    5. spec:
    6. protocol: http
    1. {
    2. "Kind": "service-defaults",
    3. "Name": "web",
    4. "Namespace": "default",
    5. "Protocol": "http"
    6. }

    You can also set the global default protocol for all proxies in the proxy-defaults configuration entry, but the protocol specified for individual service instances in the service-defaults configuration entry takes precedence over the globally-configured value set in the proxy-defaults.

    Upstream configuration

    The following example sets default connection limits and mesh gateway mode across all upstreams of the dashboard service. It also overrides the mesh gateway mode used when dialing its counting upstream service.

    1. Kind = "service-defaults"
    2. Name = "dashboard"
    3. UpstreamConfig = {
    4. Defaults = {
    5. MeshGateway = {
    6. Mode = "local"
    7. }
    8. Limits = {
    9. MaxConnections = 512
    10. MaxPendingRequests = 512
    11. MaxConcurrentRequests = 512
    12. }
    13. }
    14. Overrides = [
    15. {
    16. Name = "counting"
    17. MeshGateway = {
    18. Mode = "remote"
    19. }
    20. }
    21. ]
    22. }
    1. apiVersion: consul.hashicorp.com/v1alpha1
    2. kind: ServiceDefaults
    3. metadata:
    4. name: dashboard
    5. spec:
    6. upstreamConfig:
    7. defaults:
    8. meshGateway:
    9. mode: local
    10. limits:
    11. maxConnections: 512
    12. maxPendingRequests: 512
    13. maxConcurrentRequests: 512
    14. overrides:
    15. - name: counting
    16. meshGateway:
    17. mode: remote
    1. {
    2. "Kind": "service-defaults",
    3. "Name": "dashboard",
    4. "UpstreamConfig": {
    5. "Defaults": {
    6. "MeshGateway": {
    7. "Mode": "local"
    8. },
    9. "Limits": {
    10. "MaxConnections": 512,
    11. "MaxPendingRequests": 512,
    12. "MaxConcurrentRequests": 512
    13. }
    14. },
    15. "Overrides": [
    16. {
    17. "Name": "counting",
    18. "MeshGateway": {
    19. "Mode": "remote"
    20. }
    21. }
    22. ]
    23. }
    24. }

    The following example configures the default connection limits and mesh gateway mode for all upstreams of the dashboard service in the product namespace. It also overrides the mesh gateway mode used when dialing the counting service in the backend namespace.

    1. Kind = "service-defaults"
    2. Name = "dashboard"
    3. Namespace = "product"
    4. UpstreamConfig = {
    5. Defaults = {
    6. MeshGateway = {
    7. Mode = "local"
    8. }
    9. Limits = {
    10. MaxConnections = 512
    11. MaxPendingRequests = 512
    12. MaxConcurrentRequests = 512
    13. }
    14. }
    15. Overrides = [
    16. {
    17. Name = "counting"
    18. Namespace = "backend"
    19. MeshGateway = {
    20. Mode = "remote"
    21. }
    22. }
    23. ]
    24. }
    1. apiVersion: consul.hashicorp.com/v1alpha1
    2. kind: ServiceDefaults
    3. metadata:
    4. name: dashboard
    5. namespace: product
    6. spec:
    7. upstreamConfig:
    8. defaults:
    9. meshGateway:
    10. mode: local
    11. limits:
    12. maxConnections: 512
    13. maxPendingRequests: 512
    14. maxConcurrentRequests: 512
    15. overrides:
    16. - name: counting
    17. namespace: backend
    18. meshGateway:
    19. mode: remote
    1. {
    2. "Kind": "service-defaults",
    3. "Name": "dashboard",
    4. "Namespace": "product",
    5. "UpstreamConfig": {
    6. "Defaults": {
    7. "MeshGateway": {
    8. "Mode": "local"
    9. },
    10. "Limits": {
    11. "MaxConnections": 512,
    12. "MaxPendingRequests": 512,
    13. "MaxConcurrentRequests": 512
    14. }
    15. },
    16. "Overrides": [
    17. {
    18. "Name": "counting",
    19. "Namespace": "backend",
    20. "MeshGateway": {
    21. "Mode": "remote"
    22. }
    23. }
    24. ]
    25. }
    26. }

    Terminating gateway destination

    The following example creates a default destination assigned to a terminating gateway. A destination represents a location outside the Consul cluster. Services can dial destinations directly when transparent proxy mode is enabled.

    1. Kind = "service-defaults"
    2. Name = "test-destination"
    3. Protocol = "tcp"
    4. Destination {
    5. Addresses = ["test.com","test.org"]
    6. Port = 443
    7. }
    1. apiVersion: consul.hashicorp.com/v1alpha1
    2. kind: ServiceDefaults
    3. metadata:
    4. name: test-destination
    5. spec:
    6. protocol: tcp
    7. destination:
    8. addresses:
    9. - "test.com"
    10. - "test.org"
    11. port: 443
    1. {
    2. "Kind": "service-defaults",
    3. "Name": "test-destination",
    4. "Protocol": "tcp",
    5. "Destination": {
    6. "Addresses": ["test.com","test.org"],
    7. "Port": 443
    8. }
    9. }