Proxy Template

This policy allows to configure low-level Envoy resourcesProxy Template - 图1 directly in those situations where Kuma-native policies do not expose the Envoy functionality we are looking for.

Please open a new issue on GitHubProxy Template - 图2 describing what missing functionality couldn’t be found as a Kuma-native policy and we will make sure to prioritize it in the roadmap for future versions of Kuma.

Specifically by using the ProxyTemplate policy we can provide custom definitions of:

The custom definitions will either complement or replace the resources that Kuma generates automatically.

Usage

By default Kuma uses the following default ProxyTemplate resource for every data plane proxy (kuma-dp, which embeds Envoy) that is being added to a Mesh. With a custom ProxyTemplate resource it is possible to extend or replace the default Envoy configuration that Kuma provides to every data plane proxy.

The default ProxyTemplate resource that by default Kuma applies to every data plane proxy looks like:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: ProxyTemplate
  3. mesh: default
  4. metadata:
  5.   namespace: default
  6.   name: custom-template-1
  7. spec:
  8.   selectors:
  9.     - match:
  10.         service: '*'
  11.   conf:
  12.     # `imports` allows us to reuse the dataplane configuration that Kuma
  13.     # generates automatically and add more customizations on top of it
  14.     imports:
  15.       # `default-proxy` is a reference name for the default
  16.       # data plane proxy configuration generated by Kuma
  17.       - default-proxy
  1. type: ProxyTemplate
  2. mesh: default
  3. name: custom-template-1
  4. selectors:
  5.   - match:
  6.       service: '*'
  7. conf:
  8.   # `imports` allows us to reuse the dataplane configuration that Kuma
  9.   # generates automatically and add more customizations on top of it
  10.   imports:
  11.     # `default-proxy` is a reference name for the default
  12.     # data plane proxy configuration generated by Kuma
  13.     - default-proxy

In order to customize the configuration of a particular data plane proxy (or a group of data plane proxies), we can create a ProxyTemplate resource like:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: ProxyTemplate
  3. mesh: default
  4. metadata:
  5.   namespace: default
  6.   name: custom-template-1
  7. spec:
  8.   selectors:
  9.     - match:
  10.         service: backend
  11.   conf:
  12.     # `imports` allows us to reuse the dataplane configuration that Kuma
  13.     # generates automatically and add more customizations on top of it
  14.     imports:
  15.       # `default-proxy` is a reference name for the default
  16.       # data plane proxy configuration generated by Kuma
  17.       - default-proxy
  19.     # `resources` defines a list of raw Envoy resources that will either
  20.     # complement or replace the auto-generated ones
  21.     resources:
  22.       - name: localhost:9901
  23.         version: v1
  24.         # `resource` is a raw Envoy resource provided either in YAML or 
  25.         # in JSON format
  26.         resource: |
  27.           '@type': type.googleapis.com/envoy.api.v2.Cluster
  28.           connectTimeout: 5s
  29.           name: localhost:9901
  30.           ...

We will apply the configuration with kubectl apply -f [..].

  1. type: ProxyTemplate
  2. mesh: default
  3. name: custom-template-1
  4. selectors:
  5.   - match:
  6.       service: backend
  7. conf:
  8.   # `imports` allows us to reuse the data plane configuration that Kuma
  9.   # generates automatically and add more customizations on top of it
  10.   imports:
  11.     # `default-proxy` is a reference name for the default
  12.     # data plane proxy configuration generated by Kuma
  13.     - default-proxy
  15.   # `resources` defines a list of raw Envoy resources that will either
  16.   # complement or replace the auto-generated ones
  17.   resources:
  18.     - name: localhost:9901
  19.       version: v1
  20.       # `resource` is a raw Envoy resource provided either in YAML or 
  21.       # in JSON format
  22.       resource: |
  23.         '@type': type.googleapis.com/envoy.api.v2.Cluster
  24.         connectTimeout: 5s
  25.         name: localhost:9901
  26.         ...

We will apply the configuration with kumactl apply -f [..] or via the HTTP API.

In the examples described above, please note that:

  1. The selectors object allows us to determine what data plane proxies will be targeted by the ProxyTemplate resource (accordingly to the Kuma Tags specified).
  2. The imports object allows us to reuse the configuration that Kuma generates automatically so that it can be extended by our own custom configuration.
  3. The resources object allow us to provide the raw Envoy resource definitions that will either complement or replace the auto-generated ones.

The only available canned configuration that can be used inside the imports section is called default-proxy.

At runtime, whenever kuma-cp generates the configuration for a given data plane proxy, it will proceed as follows:

  1. Kuma will search for all the ProxyTemplates resources that have been defined in the specified Mesh.
  2. Then, it will load in memory those ProxyTemplates resources whose selectors match either an inbound or a gateway definition of any data plane proxy accordingly to the Kuma Tags selected.
  3. Every matching ProxyTemplate will be then ranked. The ProxyTemplate resource with the highest ranking will be used to generate the configuration for that specific data plane proxy (or proxies).
  4. If the ProxyTemplate resource specifies an imports object, these resource will be generated first.
  5. If a ProxyTemplate defines a resources object, their definition will be copied “as is” and they will replace any auto-generated resource with the same name.

By defining resources in a ProxyTemplate you can:

  • Add new resources in addition to those auto-generated by the imports object.
  • Replace resources auto-generated from the imports spefification by creating new ones with the same name.

It is not possible to patch or delete resources that have been auto-generated from the configuration specified in the imports object. This limitation may be removed in the past if enough users require this feature, please open a new issue on GitHubProxy Template - 图7 if you would like this limitation to be removed.

Below an example of a ProxyTemplate resource:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: ProxyTemplate
  3. mesh: default
  4. metadata:
  5.   namespace: default
  6.   name: custom-template-1
  7. spec:
  8.   selectors:
  9.     - match:
  10.         service: backend
  11.   conf:
  12.     imports:
  13.       - default-proxy
  14.     resources:
  15.       - name: localhost:9901
  16.         version: v1
  17.         resource: |
  18.           '@type': type.googleapis.com/envoy.api.v2.Cluster
  19.           ...
  20.       - name: inbound:0.0.0.0:4040
  21.         version: v1
  22.         resource: |
  23.           '@type': type.googleapis.com/envoy.api.v2.Listener
  24.           ...

We will apply the configuration with kubectl apply -f [..].

  1. type: ProxyTemplate
  2. mesh: default
  3. name: custom-template-1
  4. selectors:
  5.   - match:
  6.       service: backend   
  7. conf:
  8.   imports:
  9.     - default-proxy
  10.   resources:
  11.     - name: localhost:9901
  12.       version: v1
  13.       resource: |
  14.         '@type': type.googleapis.com/envoy.api.v2.Cluster
  15.         ...
  16.     - name: inbound:0.0.0.0:4040
  17.       version: v1
  18.       resource: |
  19.         '@type': type.googleapis.com/envoy.api.v2.Listener
  20.         ...

We will apply the configuration with kumactl apply -f [..] or via the HTTP API.

Example

Here we will show a more complete example of ProxyTemplate. Let’s assume that we want to apply a new ProxyTemplate policy that will configure any matching data plane proxy (captured by the selectors specified) to proxy requests to the internal Envoy “Admin API” in addition to the default Kuma behavior:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: ProxyTemplate
  3. mesh: default
  4. metadata:
  5.   namespace: default
  6.   name: custom-template-1
  7. spec:
  8.   selectors:
  9.     - match:
  10.         service: backend
  11.   conf:
  12.     imports:
  13.       - default-proxy
  14.     resources:
  15.       - name: localhost:9901
  16.         version: v1
  17.         resource: |
  18.           '@type': type.googleapis.com/envoy.api.v2.Cluster
  19.           connectTimeout: 5s
  20.           name: localhost:9901
  21.           loadAssignment:
  22.             clusterName: localhost:9901
  23.             endpoints:
  24.             - lbEndpoints:
  25.               - endpoint:
  26.                   address:
  27.                     socketAddress:
  28.                       address: 127.0.0.1
  29.                       # port the Envoy Admin API will be available on
  30.                       # can be configured via `--admin-port` option
  31.                       # of `kuma-dp`
  32.                       portValue: 9901
  33.           type: STATIC
  34.       - name: inbound:0.0.0.0:4040
  35.         version: v1
  36.         resource: |
  37.           '@type': type.googleapis.com/envoy.api.v2.Listener
  38.           name: inbound:0.0.0.0:4040
  39.           address:
  40.             socket_address:
  41.               address: 0.0.0.0
  42.               port_value: 4040
  43.           filter_chains:
  44.           - filters:
  45.             - name: envoy.http_connection_manager
  46.               config:
  47.                 route_config:
  48.                   virtual_hosts:
  49.                   - routes:
  50.                     - match:
  51.                         # only proxy requests to the `/stats` endpoint
  52.                         # of the Envoy Admin API
  53.                         prefix: /stats
  54.                       route:
  55.                         cluster: localhost:9901
  56.                     domains:
  57.                     - '*'
  58.                     name: envoy_admin
  59.                 codec_type: AUTO
  60.                 http_filters:
  61.                   name: envoy.router
  62.                 stat_prefix: envoy_stats

We will apply the configuration with kubectl apply -f [..].

  1. type: ProxyTemplate
  2. mesh: default
  3. name: custom-template-1
  4. selectors:
  5.   - match:
  6.       service: backend 
  7. conf:
  8.   imports:
  9.     - default-proxy
  10.   resources:
  11.     - name: localhost:9901
  12.       version: v1
  13.       resource: |
  14.         '@type': type.googleapis.com/envoy.api.v2.Cluster
  15.         connectTimeout: 5s
  16.         name: localhost:9901
  17.         loadAssignment:
  18.           clusterName: localhost:9901
  19.           endpoints:
  20.           - lbEndpoints:
  21.             - endpoint:
  22.                 address:
  23.                   socketAddress:
  24.                     address: 127.0.0.1
  25.                     # port the Envoy Admin API will be available on
  26.                     # can be configured via `--admin-port` option
  27.                     # of `kuma-dp`
  28.                     portValue: 9901
  29.         type: STATIC
  30.     - name: inbound:0.0.0.0:4040
  31.       version: v1
  32.       resource: |
  33.         '@type': type.googleapis.com/envoy.api.v2.Listener
  34.         name: inbound:0.0.0.0:4040
  35.         address:
  36.           socket_address:
  37.             address: 0.0.0.0
  38.             port_value: 4040
  39.         filter_chains:
  40.         - filters:
  41.           - name: envoy.http_connection_manager
  42.             config:
  43.               route_config:
  44.                 virtual_hosts:
  45.                 - routes:
  46.                   - match:
  47.                       # only proxy requests to the `/stats` endpoint
  48.                       # of the Envoy Admin API
  49.                       prefix: /stats
  50.                     route:
  51.                       cluster: localhost:9901
  52.                   domains:
  53.                   - '*'
  54.                   name: envoy_admin
  55.               codec_type: AUTO
  56.               http_filters:
  57.                 name: envoy.router
  58.               stat_prefix: envoy_stats

We will apply the configuration with kumactl apply -f [..] or via the HTTP API.