| Field |
Type |
Description |
max_connections |
int32 |
Maximum number of connections to a backend. |
http_max_pending_requests |
int32 |
Maximum number of pending requests to a backend. |
http_max_requests |
int32 |
Maximum number of requests to a backend. |
sleep_window |
double |
Minimum time the circuit will be closed. In floating point seconds format. |
http_consecutive_errors |
int32 |
Number of 5XX errors before circuit is opened. |
http_detection_interval |
double |
Interval for checking state of hystrix circuit. |
http_max_requests_per_connection |
int32 |
Maximum number of requests per connection to a backend. |
http_max_ejection_percent |
int32 |
Maximum % of hosts in the destination service that can be ejected due to circuit breaking. Defaults to 10%. |
| Field |
Type |
Description |
percent |
float |
percentage of connections to throttle. |
downstream_limit_bps |
int64 |
bandwidth limit in "bits" per second between downstream and proxy |
upstream_limit_bps |
int64 |
bandwidth limits in "bits" per second between proxy and upstream |
throttle_for_period |
DoubleValue |
Stop throttling after the given duration. If not set, the connection will be throttled for its lifetime. |
throttle_after_period |
double (oneof ) |
Wait for X seconds after the connection is established, before starting bandwidth throttling. This would allow us to inject fault after the application protocol (e.g., MySQL) has had time to establish sessions/whatever handshake necessary. |
throttle_after_bytes |
double (oneof ) |
Alternatively, we could wait for a certain number of bytes to be transferred to upstream before throttling the bandwidth. |
| Field |
Type |
Description |
source |
string |
Identifies the service initiating a connection or a request by its name. If specified, name MUST BE a fully qualified domain name such as foo.bar.com |
source_tags |
repeated map<string, string> |
Identifies the source service version. The identifier is interpreted by the platform to match a service version for the source service. N.B. The map is used instead of pstruct due to lack of serialization support in golang protobuf library (see https://github.com/golang/protobuf/pull/208) |
tcp |
L4MatchAttributes |
Set of layer 4 match conditions based on the IP ranges. INCOMPLETE implementation |
udp |
L4MatchAttributes |
Set of layer 4 match conditions based on the IP ranges |
http_headers |
repeated map<string, StringMatch> |
Set of HTTP match conditions based on HTTP/1.1, HTTP/2, GRPC request metadata, such as "uri", "scheme", "authority". The header keys are case-insensitive. |
| Field |
Type |
Description |
egress_proxy_address |
string |
Address of the egress proxy service (e.g. "istio-egress:80") |
discovery_address |
string |
Address of the discovery service exposing SDS, CDS, RDS (e.g. "manager:8080") |
mixer_address |
string |
Address of the mixer service (e.g. "mixer:9090") |
proxy_listen_port |
int32 |
Port opened by the proxy for the traffic capture |
proxy_admin_port |
int32 |
Port opened by the proxy for the administrative interface |
drain_duration |
Duration |
Duration of the grace period to drain connections from the parent proxy instance |
parent_shutdown_duration |
Duration |
Duration to wait before shutting down the parent proxy instance |
istio_service_cluster |
string |
IstioServiceCluster defines the name for the service_cluster that is shared by all proxy instances. Since Istio does not assign a local service/service version to each proxy instance, the name is same for all of them. This setting corresponds to "--service-cluster" flag in Envoy. The value for "--service-node" is used by the proxy to identify its set of local instances to RDS for source-based routing. For example, if proxy sends its IP address, the RDS can compute routes that are relative to the service instances located at that IP address. |
discovery_refresh_delay |
Duration |
Delay between polling requests to the discovery service |
connect_timeout |
Duration |
Connection timeout used by the Envoy clusters |
ingress_class |
string |
Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of "kubernetes.io/ingress.class" annotation. |
ingress_controller_mode |
IngressControllerMode |
Defines whether to use Istio ingress proxy for annotated or all ingress resources |
auth_policy |
AuthPolicy |
Authentication policy defines the global switch to control authentication for proxy-to-proxy communication |
auth_certs_path |
string |
Path to the secrets used by the authentication policy |
| Field |
Type |
Description |
destination |
string |
REQUIRED: Destination uniquely identifies the destination associated with this routing rule. This field is applicable for hostname-based resolution for HTTP traffic as well as IP-based resolution for TCP/UDP traffic. The value MUST be a fully-qualified domain name, e.g. "my-service.default.svc.cluster.local". |
precedence |
int32 |
Precedence is used to disambiguate the order of application of rules for the same destination service. A higher number takes priority. If not specified, the value is assumed to be 0. The order of application for rules with the same precedence is unspecified. |
match |
MatchCondition |
Optional match condtions to be satisfied for the route rule to be activated. If match is omitted, the route rule applies only to HTTP traffic. |
route[] |
repeated DestinationWeight |
Each routing rule is associated with one or more service version destinations (see glossary in beginning of document). Weights associated with the service version determine the proportion of traffic it receives. |
http_req_timeout |
HTTPTimeout |
Timeout policy for HTTP requests. |
http_req_retries |
HTTPRetry |
Retry policy for HTTP requests. |
http_fault |
HTTPFaultInjection |
/L7 fault injection policy applies to Http traffic |
l4_fault |
L4FaultInjection |
/@exclude L4 fault injection policy applies to Tcp/Udp (not Http) traffic |