Proxy Template

When out-of-the-box Kuma‘s capabilities aren’t enough, you can use ProxyTemplate policy to configure low-level Envoy resourcesProxy Template - 图1 directly.

Technically, it means that you can provide definitions of ListenersProxy Template - 图2, ClustersProxy Template - 图3, ClusterLoadAssignmentsProxy Template - 图4 and RouteConfigurationsProxy Template - 图5 that will either complement or replace those resources that Kuma generates automatically.

Internally, Kuma assumes that configuration of every dataplane (Envoy) is defined by one of ProxyTemplate policies.

If you don’t specify one manually, the implicit default ProxyTemplate policy will be used, i.e.

  1. type: ProxyTemplate
  2. mesh: <any>
  3. name: <implicit default template>
  5. # `selectors` define a subset of `Dataplanes`
  6. # this `ProxyTemplate` should apply to
  7. selectors:
  8.   # selector matches tags either on an `inbound` or
  9.   # on a `gateway` interface of a `Dataplane`
  10.   - match:
  11.       # since every interface of a `Dataplane` is required
  12.       # to have `service` tag, the following selector
  13.       # will match every `Dataplane` in the `Mesh`
  14.       service: '*'
  16. # `conf` defines the desired dataplane (Envoy) configuration
  17. conf:
  18.   # `imports` let you reuse dataplane configuration that Kuma
  19.   # can generate automatically and add a few tweaks on top of it
  20.   imports:
  21.     # `default-proxy` is a reference name for the default
  22.     # dataplane configuration generated by Kuma
  23.     - default-proxy

In order to customize configuartion of a particular Dataplane (or a group of Dataplanes), you will need to provide a custom ProxyTemplate policy with proper values for selectors and conf, e.g.

  1. type: ProxyTemplate
  2. mesh: default
  3. name: my-custom-template
  5. # `selectors` define a subset of `Dataplanes`
  6. # this `ProxyTemplate` should apply to
  7. selectors:
  8.   # selector matches tags either on an `inbound` or
  9.   # on a `gateway` interface of a `Dataplane`
  10.   - match:
  11.       # the following selector will match a very specific
  12.       # subset of `Dataplanes` in the `Mesh`
  13.       service: backend
  14.       role:    api
  16. # `conf` defines the desired dataplane (Envoy) configuration
  17. conf:
  18.   # `imports` let you reuse dataplane configuration that Kuma
  19.   # can generate automatically and add a few tweaks on top of it
  20.   imports:
  21.     # `default-proxy` is a reference name for the default
  22.     # dataplane configuration generated by Kuma
  23.     - default-proxy
  25.   # `resources` define a list of raw Envoy resources
  26.   # that will either complement or replace auto-generated ones
  27.   resources:
  28.     - name: localhost:9901
  29.       version: v1
  30.       # `resource` is a raw Envoy resource
  31.       # provided either in YAML or in JSON format
  32.       resource: |
  33.         '@type': type.googleapis.com/envoy.api.v2.Cluster
  34.         connectTimeout: 5s
  35.         name: localhost:9901
  36.         ...

Notice that:

  1. selectors allow you to limit the scope of Dataplanes this ProxyTemplate should apply to
  2. imports allow you to reuse configuration that Kuma can generate automatically and add a few tweaks on top of it
  3. resources allow you to provide raw Envoy resources that will either complement or replace auto-generated ones

To clarify, the above ProxyTemplate will match either of the following 2 Dataplanes.

  • A regular Dataplane (one with an inbound interface):

    1. type: Dataplane
    2. mesh: default
    3. name: backend-01
    4. networking:
    5.   address: 192.168.0.1
    6.   inbound:
    7.   - port: 80
    8.     servicePort: 8080
    9.     tags:
    10.       service:  backend    # Notice that both tags from the ProxyTemplate selector - `service` and `role` - must match
    11.       role:     api
    12.       version:  v1.2.3
    13.       protocol: http

  • A gateway Dataplane (one with a gateway interface):

    1. type: Dataplane
    2. mesh: default
    3. name: gateway
    4. networking:
    5.   address: 10.0.0.1
    6.   gateway:
    7.     tags:
    8.       service:  backend    # Notice that both tags from the ProxyTemplate selector - `service` and `role` - must match
    9.       role:     api
    10.       env:      production

In the current release, the only available canned configuration that can be used inside imports section is called default-proxy.

In future releases, more of these will be available and you will be able to define profiles to re-use them across the infrastructure.

At runtime, whenever the Kuma Control Plane needs to generate configuration for a given Dataplane, it will proceed as follows:

  • First, it will search for all ProxyTemplates that have been defined in the Mesh a given Dataplane belongs to
  • Next, it will select only those ProxyTemplates whose selectors match either an inbound or a gateway interface of a given Dataplane
  • Next, every matching ProxyTemplate will be ranked
  • Then, ProxyTemplate with the highest rank will be used to generate configuration for that dataplane (Envoy)
  • If a ProxyTemplate defines imports, their resources will be generated first
  • If a ProxyTemplate defines resources, they will be copied “as is” and replace auto-generated resources of the same name

By defining resources in a ProxyTemplate you can:

  • add new resources in addition to those auto-generated from imports
  • replace resources auto-generated from imports by giving yours the same names

At the moment, it’s not possible to patch or delete resources auto-generated from imports.

On Universal:

  1. type: ProxyTemplate
  2. mesh: default
  3. name: my-custom-template
  4. selectors:
  5.   - match:
  6.       service: backend
  7. conf:
  8.   imports:
  9.     - default-proxy
  10.   resources:
  11.     - name: localhost:9901
  12.       version: v1
  13.       resource: |
  14.         '@type': type.googleapis.com/envoy.api.v2.Cluster
  15.         ...
  16.     - name: inbound:0.0.0.0:4040
  17.       version: v1
  18.       resource: |
  19.         '@type': type.googleapis.com/envoy.api.v2.Listener
  20.         ...

On Kubernetes:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: ProxyTemplate
  3. metadata:
  4.   namespace: default
  5.   name: my-custom-template
  6. mesh: default
  7. spec:
  8.   selectors:
  9.     - match:
  10.         service: backend
  11.   conf:
  12.     imports:
  13.       - default-proxy
  14.     resources:
  15.       - name: localhost:9901
  16.         version: v1
  17.         resource: |
  18.           '@type': type.googleapis.com/envoy.api.v2.Cluster
  19.           ...
  20.       - name: inbound:0.0.0.0:4040
  21.         version: v1
  22.         resource: |
  23.           '@type': type.googleapis.com/envoy.api.v2.Listener
  24.           ...

As a practical example, lets take a look at a ProxyTemplate policy that will configure matching Dataplanes to proxy requests to internal Envoy Admin API in addition to their default behaviour:

  1. type: ProxyTemplate
  2. mesh: default
  3. name: my-custom-template
  4. # `selectors` define a subset of `Dataplanes`
  5. # this `ProxyTemplate` should apply to
  6. selectors:
  7.   - match:
  8.       # the following selector will match a very specific
  9.       # subset of `Dataplanes` in the `Mesh`
  10.       service: backend
  11. conf:
  12.   # `imports` let you reuse dataplane configuration that Kuma
  13.   # can generate automatically and add a few tweaks on top of it
  14.   imports:
  15.     - default-proxy
  16.   # `resources` define a list of raw Envoy resources
  17.   # that will either complement or replace auto-generated ones
  18.   resources:
  19.     - name: localhost:9901
  20.       version: v1
  21.       resource: |
  22.         '@type': type.googleapis.com/envoy.api.v2.Cluster
  23.         connectTimeout: 5s
  24.         name: localhost:9901
  25.         loadAssignment:
  26.           clusterName: localhost:9901
  27.           endpoints:
  28.           - lbEndpoints:
  29.             - endpoint:
  30.                 address:
  31.                   socketAddress:
  32.                     address: 127.0.0.1
  33.                     # port the Envoy Admin API will be available on
  34.                     # can be configured via `--admin-port` option
  35.                     # of `kuma-dp`
  36.                     portValue: 9901
  37.         type: STATIC
  38.     - name: inbound:0.0.0.0:4040
  39.       version: v1
  40.       resource: |
  41.         '@type': type.googleapis.com/envoy.api.v2.Listener
  42.         name: inbound:0.0.0.0:4040
  43.         address:
  44.           socket_address:
  45.             address: 0.0.0.0
  46.             port_value: 4040
  47.         filter_chains:
  48.         - filters:
  49.           - name: envoy.http_connection_manager
  50.             config:
  51.               route_config:
  52.                 virtual_hosts:
  53.                 - routes:
  54.                   - match:
  55.                       # only proxy requests to the `/stats` endpoint
  56.                       # of the Envoy Admin API
  57.                       prefix: /stats
  58.                     route:
  59.                       cluster: localhost:9901
  60.                   domains:
  61.                   - '*'
  62.                   name: envoy_admin
  63.               codec_type: AUTO
  64.               http_filters:
  65.                 name: envoy.router
  66.               stat_prefix: envoy_stats