{% import 'routing_helper.template.yaml' as helper -%} {% import 'access_log_format_helper.template.yaml' as access_log_helper -%} {% macro ingress_listener(protocol, address, port_value) -%} - address: socket_address: protocol: {{protocol}} address: {{address}} port_value: {{port_value}} traffic_direction: INBOUND filter_chains: - filters: - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: AUTO stat_prefix: ingress_http route_config: name: local_route virtual_hosts: - name: local_service domains: - "*" routes: - match: prefix: "/" headers: - name: content-type exact_match: application/grpc route: cluster: local_service_grpc - match: prefix: "/" route: cluster: local_service http_filters: - name: envoy.filters.http.health_check typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck pass_through_mode: true headers: - name: ":path" exact_match: "/healthcheck" cache_time: 2.5s - name: envoy.filters.http.buffer typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer max_request_bytes: 5242880 - name: envoy.filters.http.router typed_config: {} access_log: - name: envoy.access_loggers.file filter: not_health_check_filter: {} typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog path: "/var/log/envoy/ingress_http.log" {{ access_log_helper.ingress_full()|indent(10)}} - name: envoy.access_loggers.file filter: and_filter: filters: - or_filter: filters: - status_code_filter: comparison: op: GE value: default_value: 400 runtime_key: access_log.access_error.status - status_code_filter: comparison: op: EQ value: default_value: 0 runtime_key: access_log.access_error.status - duration_filter: comparison: op: GE value: default_value: 2000 runtime_key: access_log.access_error.duration - not_health_check_filter: {} typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog path: "/var/log/envoy/ingress_http_error.log" {{ access_log_helper.ingress_sampled_log()|indent(10)}} - name: envoy.access_loggers.file filter: and_filter: filters: - not_health_check_filter: {} - runtime_filter: runtime_key: access_log.ingress_http typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog path: "/var/log/envoy/ingress_http_sampled.log" {{ access_log_helper.ingress_sampled_log()|indent(10)}} common_http_protocol_options: idle_timeout: 840s {% endmacro -%} static_resources: listeners: {{ ingress_listener("tcp", "0.0.0.0", 9211) | indent(2)}} - address: socket_address: protocol: TCP port_value: 9001 address: 127.0.0.1 traffic_direction: OUTBOUND filter_chains: - filters: - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: AUTO stat_prefix: egress_http route_config: name: local_route virtual_hosts: {% for service, options in internal_virtual_hosts.items() %} - name: {{ service }} domains: - {{ service }} routes: - match: prefix: "/" route: {{ helper.make_route_internal(service, options)|indent(16) }} {% endfor %} add_user_agent: true common_http_protocol_options: idle_timeout: 840s access_log: - name: envoy.access_loggers.file filter: or_filter: filters: - status_code_filter: comparison: op: GE value: default_value: 400 runtime_key: access_log.access_error.status - duration_filter: comparison: op: GE value: default_value: 2000 runtime_key: access_log.access_error.duration - traceable_filter: {} typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog path: "/var/log/envoy/egress_http_error.log" {{ access_log_helper.egress_error_log()|indent(10) }} use_remote_address: true http_filters: - name: envoy.filters.http.ratelimit typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit domain: envoy_service_to_service rate_limit_service: grpc_service: envoy_grpc: cluster_name: ratelimit - name: envoy.filters.http.grpc_http1_bridge typed_config: {} - name: envoy.filters.http.router typed_config: {} - address: socket_address: protocol: TCP port_value: 9002 address: 127.0.0.1 traffic_direction: OUTBOUND filter_chains: - filters: - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: AUTO stat_prefix: egress_http rds: config_source: api_config_source: api_type: GRPC grpc_services: envoy_grpc: cluster_name: "rds" route_config_name: rds_config_for_listener_1 add_user_agent: true common_http_protocol_options: idle_timeout: 840s access_log: - name: envoy.access_loggers.file filter: or_filter: filters: - status_code_filter: comparison: op: GE value: default_value: 400 runtime_key: access_log.access_error.status - duration_filter: comparison: op: GE value: default_value: 2000 runtime_key: access_log.access_error.duration - traceable_filter: {} typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog path: "/var/log/envoy/egress_http_error.log" {{ access_log_helper.egress_error_log()|indent(10) }} use_remote_address: true http_filters: - name: envoy.filters.http.ratelimit typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit domain: envoy_service_to_service rate_limit_service: grpc_service: envoy_grpc: cluster_name: ratelimit - name: envoy.filters.http.grpc_http1_bridge typed_config: {} - name: envoy.filters.http.router typed_config: {} {% if external_virtual_hosts|length > 0 or mongos_servers|length > 0 %}{% endif -%} {% for mapping in external_virtual_hosts -%} - name: "{{ mapping['address']}}" address: socket_address: address: "{{ mapping['address'] }}" protocol: TCP port_value: 9901 filter_chains: - filters: - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: AUTO common_http_protocol_options: idle_timeout: 840s stat_prefix: egress_{{ mapping['name'] }} #update access_logs here route_config: virtual_hosts: {% for host in mapping['hosts'] %} - name: egress_{{ host['name'] }} domains: - "{{ host['domain'] }}" routes: - match: prefix: "/" route: cluster: egress_{{ host['name'] }} retry_policy: retry_on: connect-failure {% if host.get('host_rewrite', False) %} host_rewrite_literal: "{{host['host_rewrite']}}" {% endif %} {% endfor %} http_filters: {% if mapping['name'] in ['dynamodb_iad', 'dynamodb_legacy'] -%} - name: envoy.filters.http.dynamo typed_config: {} {% endif -%} - name: envoy.filters.http.router typed_config: {} access_log: - name: envoy.access_loggers.file filter: or_filter: filters: - status_code_filter: comparison: op: GE value: default_value: 400 runtime_key: access_log.access_error.status - status_code_filter: comparison: op: EQ value: default_value: 0 runtime_key: access_log.access_error.status {% if mapping.get('log_high_latency_requests', True) %} - duration_filter: comparison: op: GE value: default_value: 2000 runtime_key: access_log.access_error.duration {% endif %} typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog path: "/var/log/envoy/egress_{{ mapping['name'] }}_http_error.log" {% if mapping.get('is_amzn_service', False) -%} {{ access_log_helper.egress_error_amazon_service()|indent(10) }} {% else -%} {{ access_log_helper.egress_error_log()|indent(10) }} {% endif %} {% if (mongos_servers|length > 0) or (mongos_servers|length == 0 and not loop.last ) %}{% endif -%} {% endfor -%} {% for key, value in mongos_servers.items() -%} - name : "{{ value['address'] }}" address: socket_address: address: "{{ value['address'] }}" protocol: TCP port_value: 9003 filter_chains: - filters: - name: envoy.filters.network.tcp_proxy typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy stat_prefix: mongo_{{ key }} cluster: mongo_{{ key }} - name: envoy.filters.network.mongo_proxy typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.mongo_proxy.v3.MongoProxy stat_prefix: "{{ key }}" access_log: "/var/log/envoy/mongo_{{ key }}.log" {% if value.get('ratelimit', False) %} - name: envoy.filters.network.ratelimit typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.ratelimit.v3.RateLimit stat_prefix: "{{ key }}" domain: envoy_mongo_cps descriptors: entries: - key: database value: "{{ key }}" {% endif %} {% endfor -%} clusters: {% for service, options in internal_virtual_hosts.items() -%} - {{ helper.internal_cluster_definition(service, options)|indent(2)}} {% endfor -%} {% for mapping in external_virtual_hosts -%} {% for host in mapping['hosts'] -%} - name: egress_{{ host['name'] }} {% if host.get('ssl', False) %} transport_socket: name: envoy.transport_sockets.tls typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext common_tls_context: validation_context: trusted_ca: filename: certs/cacert.pem {% if host.get('verify_subject_alt_name', False) %} match_subject_alt_names: exact: "{{host['verify_subject_alt_name'] }}" {% endif %} {% if host.get('sni', False) %} sni: "{{ host['sni'] }}" {% endif %} connect_timeout: 1s {% else %} connect_timeout: 0.25s {% endif %} type: LOGICAL_DNS lb_policy: ROUND_ROBIN load_assignment: cluster_name: egress_{{ host['name'] }} endpoints: - lb_endpoints: - endpoint: address: socket_address: address: {{ host['remote_address'] }} port_value: {{ host['port_value'] }} protocol: {{ host['protocol'] }} {% endfor -%} {% endfor -%} {% for key, value in mongos_servers.items() -%} - name: mongo_{{ key }} connect_timeout: 0.25s type: STRICT_DNS lb_policy: RANDOM load_assignment: cluster_name: mongo_{{ key }} endpoints: - lb_endpoints: {% for server in value['hosts'] -%} - endpoint: address: socket_address: address: {{ server['address'] }} port_value: {{ server['port_value'] }} protocol: {{ server['protocol'] }} {% endfor -%} {% endfor %} - name: main_website connect_timeout: 0.25s type: LOGICAL_DNS # Comment out the following line to test on v6 networks dns_lookup_family: V4_ONLY lb_policy: ROUND_ROBIN load_assignment: cluster_name: main_website endpoints: - lb_endpoints: - endpoint: address: socket_address: address: main_website.com port_value: 443 protocol: TCP transport_socket: name: envoy.transport_sockets.tls typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext sni: www.main_website.com - name: local_service connect_timeout: 0.25s type: STATIC lb_policy: ROUND_ROBIN load_assignment: cluster_name: main_website endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 127.0.0.1 port_value: 8080 protocol: TCP circuit_breakers: thresholds: max_pending_requests: 30 max_connections: 100 - name: local_service_grpc connect_timeout: 0.25s type: STATIC lb_policy: ROUND_ROBIN typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicit_http_config: http2_protocol_options: {} load_assignment: cluster_name: local_service_grpc endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 127.0.0.1 port_value: 8081 protocol: TCP circuit_breakers: thresholds: max_requests: 200 dns_lookup_family: V4_ONLY - name: rds connect_timeout: 0.25s type: STRICT_DNS lb_policy: ROUND_ROBIN typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicit_http_config: http2_protocol_options: connection_keepalive: interval: 30s timeout: 5s load_assignment: cluster_name: rds endpoints: - lb_endpoints: - endpoint: address: socket_address: address: rds.yourcompany.net port_value: 80 protocol: TCP dns_lookup_family: V4_ONLY - name: statsd connect_timeout: 0.25s type: STATIC lb_policy: ROUND_ROBIN load_assignment: cluster_name: statsd endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 127.0.0.1 port_value: 8125 protocol: TCP dns_lookup_family: V4_ONLY - name: lightstep_saas connect_timeout: 1s type: LOGICAL_DNS lb_policy: ROUND_ROBIN load_assignment: cluster_name: lightstep_saas endpoints: - lb_endpoints: - endpoint: address: socket_address: address: collector-grpc.lightstep.com port_value: 443 protocol: TCP typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicit_http_config: http2_protocol_options: max_concurrent_streams: 100 transport_socket: name: envoy.transport_sockets.tls typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext common_tls_context: validation_context: trusted_ca: filename: certs/cacert.pem match_subject_alt_names: exact: "collector-grpc.lightstep.com" - name: cds_cluster connect_timeout: 0.25s type: STRICT_DNS lb_policy: ROUND_ROBIN load_assignment: cluster_name: cds_cluster endpoints: - lb_endpoints: - endpoint: address: socket_address: address: cds.yourcompany.net port_value: 80 protocol: TCP - name: sds connect_timeout: 0.25s type: STRICT_DNS lb_policy: ROUND_ROBIN load_assignment: cluster_name: sds endpoints: - lb_endpoints: - endpoint: address: socket_address: address: discovery.yourcompany.net port_value: 80 protocol: TCP dynamic_resources: cds_config: api_config_source: api_type: REST cluster_names: - cds_cluster refresh_delay: 30s cluster_manager: {} flags_path: "/etc/envoy/flags" stats_sinks: - name: envoy.stat_sinks.statsd typed_config: "@type": type.googleapis.com/envoy.config.metrics.v3.StatsdSink tcp_cluster_name: statsd layered_runtime: layers: - name: root disk_layer: symlink_root: /srv/configset/envoydata/current subdirectory: envoy - name: override disk_layer: symlink_root: /srv/configset/envoydata/current subdirectory: envoy_override append_service_cluster: true - name: admin admin_layer: {} admin: access_log_path: /var/log/envoy/admin_access.log address: socket_address: protocol: TCP address: 0.0.0.0 port_value: 9901