Envoy Proxy Usage Tutorial (5): A Fully Expanded Walkthrough of the envoy Configuration File

Author: 李佶澳   When reposting, please keep the original link   Updated: 2019-02-12 16:13:40 +0800

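Notes

All notes in this series can be found in the series tutorial index.

"Envoy (3): envoy Design Approach, Configuration File and Feature Overview" gives the complete definition of the envoy configuration template. Here the envoy configuration file is fully expanded to give a panoramic view of it.

This uses envoy 1.8.0; the corresponding documentation is 1.8.0.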

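"Envoy Proxy Usage Tutorial (1): Using Envoy, a New L3~L7 Access Proxy"

"Envoy Proxy Usage Tutorial (2): Reading the envoy Source Code and Setting Up an IDE"

"Envoy Proxy Usage Tutorial (3): envoy Design Approach, Configuration File and Feature Overview"

"Envoy Proxy Usage Tutorial (4): envoy Source Code Walkthrough and Startup Process Analysis"

"Envoy Proxy Usage Tutorial (5): A Fully Expanded Walkthrough of the envoy Configuration File"

"Envoy Proxy Usage Tutorial (6): Using Some Simple Features and Basic Configuration of envoy"

"Envoy Proxy Usage Tutorial (7): Using envoy Dynamic Configuration with xDS"

"Envoy Proxy Usage Tutorial (8): envoy Dynamic Configuration: Using Aggregated Discovery (ADS)"

"Envoy Proxy Usage Tutorial (9): How to Apply envoy and Its Usage Constraints"

These were all written while learning and under time pressure, so some parts are inevitably rough.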

Configuration file overview

{
  "node": {
  	"id": "...",
  	"cluster": "...",
  	"metadata": "{...}",
  	"locality": "{...}",
  	"build_version": "..."
  },
  "static_resources": {
  	"listeners": [],
  	"clusters": [],
  	"secrets": []
  },
  "dynamic_resources": {
  	"lds_config": "{...}",
  	"cds_config": "{...}",
  	"ads_config": "{...}"
  },
  "cluster_manager": {
  	"local_cluster_name": "...",
  	"outlier_detection": "{...}",
  	"upstream_bind_config": "{...}",
  	"load_stats_config": "{...}"
  },
  "hds_config": {
  	"api_type": "...",
  	"cluster_names": [],
  	"grpc_services": [],
  	"refresh_delay": "{...}",
  	"request_timeout": "{...}",
  	"rate_limit_settings": "{...}"
  },
  "flags_path": "...",
  "stats_sinks": [
  	{
  		"name": "...",
  		"config": "{...}"
  	}
  ],
  "stats_config": {
  	"stats_tags": [],
  	"use_all_default_tags": "{...}",
  	"stats_matcher": "{...}"
  },
  "stats_flush_interval": "{...}",
  "watchdog": {
  	"miss_timeout": "{...}",
  	"megamiss_timeout": "{...}",
  	"kill_timeout": "{...}",
  	"multikill_timeout": "{...}"
  },
  "tracing": {
  	"http": "{...}"
  },
  "rate_limit_service": {
  	"grpc_service": "{...}"
  },
  "runtime": {
  	"symlink_root": "...",
  	"subdirectory": "...",
  	"override_subdirectory": "..."
  },
  "admin": {
  	"access_log_path": "...",
  	"profile_path": "...",
  	"address": "{...}"
  },
  "overload_manager": {
  	"refresh_interval": "{...}",
  	"resource_monitors": [],
  	"actions": []
  }
}

node – node information

core.Node

node holds envoy's identifying information, which is presented to the management server.

{
  "id": "...",
  "cluster": "...",
  "metadata": "{...}",
  "locality": {
    "region": "...",
    "zone": "...",
    "sub_zone": "..."
  },
  "build_version": "..."
}

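id can be set with the command-line option --service-node, and cluster with the command-line option --service-cluster.

metadata is a user-defined structure that is sent to the management server verbatim.

admin – admin interface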

config.bootstrap.v2.Admin

{
  "access_log_path": "...",
  "profile_path": "...",
  "address": {
    "socket_address": {
      "protocol": "...",
      "address": "...",
      "port_value": "...",
      "named_port": "...",
      "resolver_name": "...",
      "ipv4_compat": "..."
    },
    "pipe": {
      "path": "..."
    }
  }
}

flags_path – flags

flags_path

string; specifies the directory that holds file-based flags.

runtime – runtime state

config.bootstrap.v2.Runtime

{
  "symlink_root": "...",
  "subdirectory": "...",
  "override_subdirectory": "..."
}

watchdog – watchdog settings

config.bootstrap.v2.Watchdog

{
  "miss_timeout": "{...}",
  "megamiss_timeout": "{...}",
  "kill_timeout": "{...}",
  "multikill_timeout": "{...}"
}

overload_manager – overload management

config.overload.v2alpha.OverloadManager

{
  "refresh_interval": "{...}",
  "resource_monitors": [
    {
      "name": "...",
      "config": "{...}"
    }
  ],
  "actions": [
    {
      "name": "This is just a well-known string that listeners can use for registering callbacks. ",
      "triggers": [
        {
          "name": "...",
          "threshold": "{...}"
        }
      ]
    }
  ]
}

Two resource_monitors are currently supported:

envoy.resource_monitors.fixed_heap
envoy.resource_monitors.injected_resource

Currently supported actions:

envoy.overload_actions.stop_accepting_requests:
    Envoy will immediately respond with a 503 response code to new requests
envoy.overload_actions.disable_http_keepalive:
    Envoy will disable keepalive on HTTP/1.x responses
envoy.overload_actions.stop_accepting_connections:
    Envoy will stop accepting new network connections on its configured listeners
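The template above leaves the monitor, trigger and threshold values open. The following added example (not from the original post or the Envoy project) fills them in with a constructed fixed_heap configuration and checks that every action name and trigger is consistent with the monitors and actions listed above. The sample values and the helper name check_overload_manager are assumptions; max_heap_size_bytes is the fixed_heap monitor's config field.

```python
import json

# Names this page lists as supported in envoy 1.8.0.
MONITORS = {"envoy.resource_monitors.fixed_heap",
            "envoy.resource_monitors.injected_resource"}
ACTIONS = {"envoy.overload_actions.stop_accepting_requests",
           "envoy.overload_actions.disable_http_keepalive",
           "envoy.overload_actions.stop_accepting_connections"}

# Constructed sample: at 95% heap drop keepalive, at 99% answer 503.
SAMPLE = json.loads("""
{
  "refresh_interval": "0.25s",
  "resource_monitors": [
    {"name": "envoy.resource_monitors.fixed_heap",
     "config": {"max_heap_size_bytes": 2147483648}}
  ],
  "actions": [
    {"name": "envoy.overload_actions.disable_http_keepalive",
     "triggers": [{"name": "envoy.resource_monitors.fixed_heap",
                   "threshold": {"value": 0.95}}]},
    {"name": "envoy.overload_actions.stop_accepting_requests",
     "triggers": [{"name": "envoy.resource_monitors.fixed_heap",
                   "threshold": {"value": 0.99}}]}
  ]
}
""")

def check_overload_manager(om):
    """Return a list of problems found in an overload_manager section."""
    problems = []
    configured = {m.get("name", "") for m in om.get("resource_monitors", [])}
    problems += [f"unknown resource monitor: {n}" for n in sorted(configured - MONITORS)]
    for action in om.get("actions", []):
        aname = action.get("name", "")
        if aname not in ACTIONS:
            problems.append(f"unknown overload action: {aname}")
        for trig in action.get("triggers", []):
            if trig.get("name") not in configured:
                problems.append(f"{aname}: trigger {trig.get('name')} is not a configured monitor")
            value = trig.get("threshold", {}).get("value")
            # Assumption: pressure is a fraction, so a usable threshold lies in (0, 1].
            if not isinstance(value, (int, float)) or not 0 < value <= 1:
                problems.append(f"{aname}: threshold {value!r} is outside (0, 1]")
    return problems

if __name__ == "__main__":
    print(check_overload_manager(SAMPLE) or "overload_manager OK")
```
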

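stats_* – stats data

The /stats/prometheus endpoint of the envoy admin interface returns stats in Prometheus format, which feels sufficient on its own. stats_sinks is perhaps there to support monitoring systems other than Prometheus.

stats_sinks – stats output plugins

config.metrics.v2.StatsSink

Envoy can emit stats to several collection systems, configured in stats_sinks: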

{
  "name": "...",
  "config": "{...}"
}

envoy has the following built-in stats sinks:

envoy.statsd
envoy.dog_statsd
envoy.metrics_service
envoy.stat_sinks.hystrix

Each corresponds to a different collection and display system.

stats_config – stats metric configuration

config.metrics.v2.StatsConfig

{
  "stats_tags": [],
  "use_all_default_tags": "{...}",
  "stats_matcher": "{...}"
}

stats_flush_interval – stats flush interval

stats_flush_interval

Directly defines the stats flush interval.

tracing – request tracing

config.trace.v2.Tracing

Connects envoy to an external tracing service.

{
  "http": {
    "name": "...",
    "config": "{...}"
  }
}

The following tracing services are supported:

envoy.lightstep
envoy.zipkin
envoy.dynamic.ot
envoy.tracers.datadog

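rate_limit_service – rate limit service

config.ratelimit.v2.RateLimitServiceConfig

The rate limiting scheme Envoy uses is Global rate limiting. Rate limiting requires an external rate limit service; Lyft has shared a redis-based one: lyft/ratelimit

Connecting to the external rate limit service: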

{
  "grpc_service": "{...}"
}

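Rate limiting is supported at the Network level and the HTTP level: the former limits when a connection is established, the latter when an HTTP request is sent.

The specific limit rules are set in the filters of each listener.

static_resources – static configuration

config.bootstrap.v2.Bootstrap.StaticResources

static_resources holds the statically configured resources that envoy needs for its core work. It consists of three parts: listeners, clusters and secrets.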

{
  "listeners": [],
  "clusters": [],
  "secrets": []
}

listeners – listeners

listener

A listener is an address that envoy listens on:

{
  "name": "...",
  "address": {
    "socket_address": {
      "protocol": "...",
      "address": "...",
      "port_value": "...",
      "named_port": "...",
      "resolver_name": "...",
      "ipv4_compat": "..."
    },
    "pipe": {
      "path": "..."
    }
  },
  "filter_chains": [
    {
      "name": "...",
      "config": "{...}"
    }
  ],
  "use_original_dst": "BoolValue",
  "per_connection_buffer_limit_bytes": "UInt32Value",
  "metadata": "{...}",
  "drain_type": "DEFAULT/MODIFY_ONLY",
  "listener_filters": [
    {
      "name": "...",
      "config": "{...}"
    }
  ],
  "transparent": "BoolValue",
  "freebind": "BoolValue",
  "socket_options": [
    {
      "description": "...",
      "level": "...",
      "name": "...",
      "int_value": "...",
      "buf_value": "...",
      "state": "..."
    }
  ],
  "tcp_fast_open_queue_length": "UInt32Value",
  "bugfix_reverse_write_filter_order": "BoolValue"
}

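name is the listener's name and must be unique.

address has two types: socket (socket_address) and unix socket (pipe).

filter_chains holds the plugins configured for the listener. The following plugins are supported (listener.Filter):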

envoy.client_ssl_auth
envoy.echo
envoy.http_connection_manager
envoy.mongo_proxy
envoy.ratelimit
envoy.redis_proxy
envoy.tcp_proxy

Plugins in listener_filters run before those in filter_chains. The following plugins are supported (listener.ListenerFilter):

envoy.listener.original_dst
envoy.listener.tls_inspector

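Each plugin has its own configuration, described on its own detail page.

Pay particular attention to envoy.http_connection_manager: the http_connection_manager plugin itself contains further http_filters plugins.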

envoy.http_connection_manager

config.filter.network.http_connection_manager.v2.HttpConnectionManager

{
  "codec_type": "...",
  "stat_prefix": "...",
  "rds": "{...}",
  "route_config": "{...}",
  "http_filters": [
    {
      "name": "...",
      "config": "{...}"
    }
  ],
  "add_user_agent": "{...}",
  "tracing": "{...}",
  "http_protocol_options": "{...}",
  "http2_protocol_options": "{...}",
  "server_name": "...",
  "idle_timeout": "{...}",
  "stream_idle_timeout": "{...}",
  "request_timeout": "{...}",
  "drain_timeout": "{...}",
  "delayed_close_timeout": "{...}",
  "access_log": [],
  "use_remote_address": "{...}",
  "xff_num_trusted_hops": "...",
  "internal_address_config": "{...}",
  "skip_xff_append": "...",
  "via": "...",
  "generate_request_id": "{...}",
  "forward_client_cert_details": "...",
  "set_current_client_cert_details": "{...}",
  "proxy_100_continue": "...",
  "represent_ipv4_remote_address_as_ipv4_mapped_ipv6": "...",
  "upgrade_configs": [],
  "bugfix_reverse_encode_order": "{...}"
}

As noted above, it contains http_filters, which support the following plugins:

envoy.buffer
envoy.cors
envoy.fault
envoy.gzip
envoy.http_dynamo_filter
envoy.grpc_http1_bridge
envoy.grpc_json_transcoder
envoy.grpc_web
envoy.health_check
envoy.header_to_metadata
envoy.ip_tagging
envoy.lua
envoy.rate_limit
envoy.router
envoy.squash

clusters – clusters

cluster

{
  "name": "string, name, required",
  "alt_stat_name": "string, name used when emitting stats; any : in the name is converted to _",
  "type": "cluster discovery type, STATIC/STRICT_DNS/LOGICAL_DNS/EDS/ORIGINAL_DST",
  "eds_cluster_config": {
    "eds_config": {
      "path": "string, path watched for configuration file updates",
      "api_config_source": {
        "api_type": "string, REST_LEGACY/REST/GRPC",
        "cluster_names": ["string, only used for REST_LEGACY/REST, multiple allowed"],
        "grpc_services": ["string, only used for GRPC, multiple allowed"],
        "refresh_delay": "{...}",
        "request_timeout": "{...}",
        "rate_limit_settings": {
          "max_tokens": "Uint32Value, default 100",
          "fill_rate": "DoubleValue, default 100 token/s"
        }
      },
      "ads": "{ This is currently empty }"
    },
    "service_name": "..."
  },
  "connect_timeout": "{...}",
  "per_connection_buffer_limit_bytes": "{...}",
  "lb_policy": "load balancing policy, ROUND_ROBIN/LEAST_REQUEST/RING_HASH/RANDOM/ORIGINAL_DST_LB/MAGLEV",
  "hosts": [
    {
      "socket_address": "{...}",
      "pipe": "{...}"
    }
  ],
  "load_assignment": {
    "cluster_name": "...",
    "endpoints": [],
    "policy": {
      "drop_overloads": [],
      "overprovisioning_factor": "{...}"
    }
  },
  "health_checks": [
    {
      "timeout": "{...}",
      "interval": "{...}",
      "interval_jitter": "{...}",
      "interval_jitter_percent": "...",
      "unhealthy_threshold": "{...}",
      "healthy_threshold": "{...}",
      "reuse_connection": "{...}",
      "http_health_check": {
        "host": "...",
        "path": "...",
        "service_name": "...",
        "request_headers_to_add": [],
        "request_headers_to_remove": [],
        "use_http2": "..."
      },
      "tcp_health_check": {
        "send": "{...}",
        "receive": []
      },
      "grpc_health_check": {
        "service_name": "...",
        "authority": "..."
      },
      "custom_health_check": {
        "name": "...",
        "config": "{...}"
      },
      "no_traffic_interval": "{...}",
      "unhealthy_interval": "{...}",
      "unhealthy_edge_interval": "{...}",
      "healthy_edge_interval": "{...}",
      "event_log_path": "...",
      "always_log_health_check_failures": "..."
    }
  ],
  "max_requests_per_connection": "{...}",
  "circuit_breakers": {
    "thresholds": []
  },
  "tls_context": {
    "common_tls_context": "{...}",
    "sni": "...",
    "allow_renegotiation": "...",
    "max_session_keys": "{...}"
  },
  "common_http_protocol_options": {
    "idle_timeout": "{...}"
  },
  "http_protocol_options": {
    "allow_absolute_url": "{...}",
    "accept_http_10": "...",
    "default_host_for_http_10": "..."
  },
  "http2_protocol_options": {
    "hpack_table_size": "{...}",
    "max_concurrent_streams": "{...}",
    "initial_stream_window_size": "{...}",
    "initial_connection_window_size": "{...}",
    "allow_connect": "..."
  },
  "extension_protocol_options": "{...}",
  "dns_refresh_rate": "{...}",
  "dns_lookup_family": "AUTO/V4_ONLY/V6_ONLY",
  "dns_resolvers": [],
  "outlier_detection": {
    "consecutive_5xx": "{...}",
    "interval": "{...}",
    "base_ejection_time": "{...}",
    "max_ejection_percent": "{...}",
    "enforcing_consecutive_5xx": "{...}",
    "enforcing_success_rate": "{...}",
    "success_rate_minimum_hosts": "{...}",
    "success_rate_request_volume": "{...}",
    "success_rate_stdev_factor": "{...}",
    "consecutive_gateway_failure": "{...}",
    "enforcing_consecutive_gateway_failure": "{...}"
  },
  "cleanup_interval": "{...}",
  "upstream_bind_config": {
    "source_address": "{...}",
    "freebind": "{...}",
    "socket_options": []
  },
  "lb_subset_config": {
    "fallback_policy": "...",
    "default_subset": "{...}",
    "subset_selectors": [],
    "locality_weight_aware": "...",
    "scale_locality_weight": "..."
  },
  "ring_hash_lb_config": {
    "minimum_ring_size": "{...}"
  },
  "original_dst_lb_config": {
    "use_http_header": "..."
  },
  "least_request_lb_config": {
    "choice_count": "{...}"
  },
  "common_lb_config": {
    "healthy_panic_threshold": "{...}",
    "zone_aware_lb_config": "{...}",
    "locality_weighted_lb_config": "{...}",
    "update_merge_window": "{...}"
  },
  "transport_socket": {
    "name": "...",
    "config": "{...}"
  },
  "metadata": "{...}",
  "protocol_selection": "USE_CONFIGURED_PROTOCOL/USE_DOWNSTREAM_PROTOCOL",
  "upstream_connection_options": {
    "tcp_keepalive": "{...}"
  },
  "close_connections_on_host_health_failure": "...",
  "drain_connections_on_host_removal": "..."
}

secrets – certificates

auth.Secret

{
  "name": "...",
  "tls_certificate": {
  	"certificate_chain": "{...}",
  	"private_key": "{...}",
  	"password": "{...}"
  },
  "session_ticket_keys": {
  	"keys": []
  },
  "validation_context": {
  	"trusted_ca": "{...}",
  	"verify_certificate_spki": [],
  	"verify_certificate_hash": [],
  	"verify_subject_alt_name": [],
  	"crl": "{...}",
  	"allow_expired_certificate": "..."
  }
}
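A review pass over the admin and secrets fields listed above, as an added example (not from the original post or the Envoy project): it flags an admin socket bound beyond loopback, a private key embedded inline, and validation_context settings that weaken peer verification. The sample config, paths, names and finding texts are constructed; inline_string and inline_bytes are the inline forms of the DataSource type behind private_key.

```python
import ipaddress

# Constructed sample bootstrap fragment (paths and names are made up).
SAMPLE = {
    "admin": {"access_log_path": "/dev/null",
              "address": {"socket_address": {"address": "0.0.0.0", "port_value": 9901}}},
    "static_resources": {"secrets": [
        {"name": "server_cert", "tls_certificate": {
            "certificate_chain": {"filename": "/etc/envoy/cert.pem"},
            "private_key": {"inline_string": "<constructed placeholder>"}}},
        {"name": "upstream_ca", "validation_context": {
            "trusted_ca": {"filename": "/etc/envoy/ca.pem"},
            "allow_expired_certificate": True}},
    ]},
}

def audit_bootstrap(cfg):
    """Return findings for the admin and static_resources.secrets sections."""
    findings = []
    sock = cfg.get("admin", {}).get("address", {}).get("socket_address")
    if sock:  # a pipe address is a unix socket and is governed by file permissions
        host = sock.get("address", "")
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:  # not an IP literal
            loopback = host == "localhost"
        if not loopback:
            findings.append(f"admin: listens on {host}, reachable beyond loopback")
    for sec in cfg.get("static_resources", {}).get("secrets", []):
        name = sec.get("name", "<unnamed>")
        key = sec.get("tls_certificate", {}).get("private_key", {})
        if "inline_string" in key or "inline_bytes" in key:
            findings.append(f"{name}: private key is embedded in the config file")
        vc = sec.get("validation_context")
        if vc is None:
            continue
        pinned = vc.get("verify_certificate_spki") or vc.get("verify_certificate_hash")
        if "trusted_ca" not in vc and not pinned:
            findings.append(f"{name}: no trusted_ca or pin, peer certificate is not verified")
        elif not pinned and not vc.get("verify_subject_alt_name"):
            findings.append(f"{name}: any certificate issued by trusted_ca is accepted")
        if vc.get("allow_expired_certificate"):
            findings.append(f"{name}: expired certificates are accepted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_bootstrap(SAMPLE)))
```
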

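cluster_manager – cluster management

config.bootstrap.v2.ClusterManager

cluster_manager manages all upstream clusters and encapsulates the work of connecting to hosts: when a filter decides a connection can be established, it calls the cluster_manager API to create it. cluster_manager takes care of details such as load balancing and health checking.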

{
  "local_cluster_name": "...",
  "outlier_detection": {
  	"event_log_path": "..."
  },
  "upstream_bind_config": {
  	"source_address": {
  		"protocol": "...",
  		"address": "...",
  		"port_value": "...",
  		"named_port": "...",
  		"resolver_name": "...",
  		"ipv4_compat": "..."
  	},
  	"freebind": "{...}",
  	"socket_options": [
  		{
  			"description": "...",
  			"level": "...",
  			"name": "...",
  			"int_value": "...",
  			"buf_value": "...",
  			"state": "..."
  		}
  	]
  },
  "load_stats_config": {
  	"api_type": "...",
  	"cluster_names": [],
  	"grpc_services": [],
  	"refresh_delay": "{...}",
  	"request_timeout": "{...}",
  	"rate_limit_settings": "{...}"
  }
}

dynamic_resources – dynamic discovery

config.bootstrap.v2.Bootstrap.DynamicResources

lds_config, cds_config and ads_config have exactly the same format.

{
  "lds_config": {
    "api_type": "string, REST_LEGACY/REST/GRPC",
    "cluster_names": ["string, only used for REST_LEGACY/REST, multiple allowed"],
    "grpc_services": ["string, only used for GRPC, multiple allowed"],
    "refresh_delay": "{...}",
    "request_timeout": "{...}",
    "rate_limit_settings": {
      "max_tokens": "Uint32Value, default 100",
      "fill_rate": "DoubleValue, default 100 token/s"
  	}
  },
  "cds_config": {
  	"api_type": "...",
  	"cluster_names": [],
  	"grpc_services": [],
  	"refresh_delay": "{...}",
  	"request_timeout": "{...}",
  	"rate_limit_settings": "{...}"
  },
  "ads_config": {
  	"api_type": "...",
  	"cluster_names": [],
  	"grpc_services": [],
  	"refresh_delay": "{...}",
  	"request_timeout": "{...}",
  	"rate_limit_settings": "{...}"
  }
}

hds_config – health checking

core.ApiConfigSource

{
  "api_type": "...",
  "cluster_names": [],
  "grpc_services": [],
  "refresh_delay": "{...}",
  "request_timeout": "{...}",
  "rate_limit_settings": "{...}"
}

References

  1. Envoy (3): envoy Design Approach, Configuration File and Feature Overview

This article was originally published on: www.lijiaocn.com
