ProxyMeshConfig defines variables shared by all Envoy instances in the Istio service mesh.
| Field | Type | Description |
|---|---|---|
egressProxyAddress | string | Address of the egress envoy service (e.g. istio-egress:80). |
discoveryAddress | string | Address of the discovery service exposing SDS, CDS, RDS (e.g. istio-manager:8080). |
mixerAddress | string | Mixer's address (e.g. istio-mixer:9090). |
zipkinAddress | string | Address of the Zipkin service (e.g. zipkin:9411). |
proxyListenPort | int32 | Port on which envoy should listen for incoming connections from other services. |
proxyAdminPort | int32 | Port on which envoy should listen for administrative commands. |
drainDuration | Duration | The time in seconds that Envoy will drain connections during a hot restart. MUST be >=1s (e.g., 1s/1m/1h) |
parentShutdownDuration | Duration | The time in seconds that Envoy will wait before shutting down the parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). MUST BE greater than drainDuration parameter. |
istioServiceCluster | string | istioServiceCluster defines the name for the serviceCluster that is shared by all Envoy instances. This setting corresponds to --service-cluster flag in Envoy. In a typical Envoy deployment, the service-cluster flag is used to identify the caller, for source-based routing scenarios. Since Istio does not assign a local service/service version to each Envoy instance, the name is same for all of them. However, the source/caller's identity (e.g., IP address) is encoded in the --service-node flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the service-node flag to compute routes that are relative to the service instances located at that IP address. |
discoveryRefreshDelay | Duration | Polling interval for service discovery. (MUST BE >=1ms) |
connectTimeout | Duration | Connection timeout used by Envoy. (MUST BE >=1ms) |
ingressClass | string | Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of "kubernetes.io/ingress.class" annotation. |
ingressService | string | Name of the Kubernetes service used for the istio ingress controller. |
ingressControllerMode | IngressControllerMode | Defines whether to use Istio ingress controller for annotated or all ingress resources. |
authPolicy | AuthPolicy | Authentication policy defines the global switch to control authentication for Envoy-to-Envoy communication. |
authCertsPath | string | Path to the secrets used by the authentication policy. |
| Value | Description |
|---|---|
| NONE | Do not encrypt Envoy to Envoy traffic. |
| MUTUALTLS | Envoy to Envoy traffic is wrapped into mutual TLS connections. |