{% import 'routing_helper.template.yaml' as helper -%} {% macro router_file_content() -%}{% include kwargs['router_file'] -%}{% endmacro -%} {% macro listener(protocol, address, port_value, proxy_proto, tls, tracing) -%} name: not_required_for_static_listeners address: socket_address: protocol: {{protocol}} address: {{address}} port_value: {{port_value}} {% if proxy_proto %} listener_filters: - name: envoy.filters.listener.proxy_protocol typed_config: "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol {% endif %} filter_chains: {% if tls %} - transport_socket: name: envoy.transport_sockets.tls typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: alpn_protocols: h2,http/1.1 tls_certificates: - certificate_chain: filename: certs/servercert.pem private_key: filename: certs/serverkey.pem {% if kwargs.get('pin_double_proxy_client', False) %} validation_context: trusted_ca: filename: certs/cacert.pm #This should be the hash of the /etc/envoy/envoy-double-proxy.pem cert used in the #double proxy configuration. verify_certificate_hash: "0000000000000000000000000000000000000000000000000000000000000000" {% endif %} {%endif %} filters: - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: AUTO stat_prefix: router {% if proxy_proto -%} use_remote_address: true {%endif-%} stat_prefix: ingress_http route_config: {{ router_file_content(router_file='envoy_router.template.yaml')|indent(10) }} http_filters: - name: envoy.filters.http.health_check typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck pass_through_mode: false headers: - name: ":path" exact_match: "/healthcheck" - name: envoy.filters.http.buffer typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer max_request_bytes: 5242880 - name: envoy.filters.http.ratelimit typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit domain: envoy_front request_type: external rate_limit_service: transport_api_version: V3 grpc_service: envoy_grpc: cluster_name: ratelimit - name: envoy.filters.http.router typed_config: {} add_user_agent: true {% if tracing %} tracing: provider: name: envoy.tracers.lightstep typed_config: "@type": type.googleapis.com/envoy.config.trace.v3.LightstepConfig collector_cluster: lightstep_saas access_token_file: "/etc/envoy/lightstep_access_token" {% endif %} common_http_protocol_options: idle_timeout: 840s access_log: - name: envoy.access_loggers.file filter: or_filter: filters: - status_code_filter: comparison: op: GE value: default_value: 500 runtime_key: access_log.access_error.status - duration_filter: comparison: op: GE value: default_value: 1000 runtime_key: access_log.access_error.duration - traceable_filter: {} typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog path: "/var/log/envoy/access_error.log" log_format: text_format_source: inline_string: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%REQ(X-LYFT-USER-ID)%\" \"%RESP(GRPC-STATUS)%\"\n" {% endmacro -%} static_resources: listeners: # TCP listeners for public HTTP/HTTPS endpoints. Assumes a TCP LB in front such as ELB which # supports proxy proto. - {{ listener("TCP", "0.0.0.0", "9300", True, True, tracing)|indent(2) }} - {{ listener("TCP", "0.0.0.0", "9301", True, True, tracing)|indent(2) }} # TCP listener for backhaul traffic from the double proxy. # See envoy_double_proxy.template.json - {{ listener("TCP", "0.0.0.0", "9400", True, True, tracing, pin_double_proxy_client=True)|indent(2) }} clusters: - name: sds type: STRICT_DNS connect_timeout: 0.25s lb_policy: ROUND_ROBIN load_assignment: cluster_name: sds endpoints: - lb_endpoints: - endpoint: address: socket_address: address: discovery.yourcompany.net port_value: 80 protocol: TCP - name: statsd type: STATIC connect_timeout: 0.25s lb_policy: ROUND_ROBIN load_assignment: cluster_name: statsd endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 127.0.0.1 port_value: 8125 protocol: TCP - name: lightstep_saas type: LOGICAL_DNS connect_timeout: 1s lb_policy: ROUND_ROBIN load_assignment: cluster_name: lightstep_saas endpoints: - lb_endpoints: - endpoint: address: socket_address: address: collector-grpc.lightstep.com port_value: 443 protocol: TCP typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicit_http_config: http2_protocol_options: {} {% for service, options in clusters.items() -%} - {{ helper.internal_cluster_definition(service, options)|indent(2) }} {% endfor %} cluster_manager: outlier_detection: event_log_path: /var/log/envoy/outlier_events.log flags_path: /etc/envoy/flags layered_runtime: layers: - name: root disk_layer: symlink_root: /srv/configset/envoydata/current subdirectory: envoy - name: override disk_layer: symlink_root: /srv/configset/envoydata/current subdirectory: envoy_override append_service_cluster: true - name: admin admin_layer: {} admin: access_log_path: /var/log/envoy/admin_access.log address: socket_address: protocol: TCP address: 0.0.0.0 port_value: 9901