Add documentation to inform users that Transparent Proxy and Mesh should

not be set via the CRD

api/v1alpha1/proxydefaults_types.go

@@ -63,6 +63,8 @@ type ProxyDefaultsSpec struct {
 	// Expose controls the default expose path configuration for Envoy.
 	Expose Expose `json:"expose,omitempty"`
 	// TransparentProxy controls configuration specific to proxies in transparent mode.
+	// Note: This cannot be set using the CRD and should be set using annotations on the
+	// services that are part of the mesh.
 	TransparentProxy *TransparentProxy `json:"transparentProxy,omitempty"`
 }
 

api/v1alpha1/servicedefaults_types.go

@@ -58,12 +58,16 @@ type ServiceDefaultsSpec struct {
 	// to be changed to a non-connect value when federating with an external system.
 	ExternalSNI string `json:"externalSNI,omitempty"`
 	// TransparentProxy controls configuration specific to proxies in transparent mode.
+	// Note: This cannot be set using the CRD and should be set using annotations on the
+	// services that are part of the mesh.
 	TransparentProxy *TransparentProxy `json:"transparentProxy,omitempty"`
-	// Mode can be one of direct or transparent. transparent represents that inbound and outbound
-	// and outbound application traffic is being captured and redirected through the proxy. This
-	// mode does not enable the traffic redirection itself. Instead it signals Consul to configure
-	// Envoy as if traffic is already being redirected. direct represents that the proxy's
-	// listeners must be dialed directly by the local application and other proxies.
+	// Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound
+	// application traffic is being captured and redirected through the proxy. This mode does not
+	// enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if
+	// traffic is already being redirected. "direct" represents that the proxy's listeners must be
+	// dialed directly by the local application and other proxies.
+	// Note: This cannot be set using the CRD and should be set using annotations on the
+	// services that are part of the mesh.
 	Mode *ProxyMode `json:"mode,omitempty"`
 	// UpstreamConfig controls default configuration settings that apply across all upstreams,
 	// and per-upstream configuration overrides. Note that per-upstream configuration applies
@@ -226,6 +230,7 @@ func (in *ServiceDefaults) ToConsul(datacenter string) capi.ConfigEntry {
 		Expose:           in.Spec.Expose.toConsul(),
 		ExternalSNI:      in.Spec.ExternalSNI,
 		TransparentProxy: in.Spec.TransparentProxy.toConsul(),
+		UpstreamConfig:   in.Spec.UpstreamConfig.toConsul(),
 		Meta:             meta(datacenter),
 	}
 }
@@ -277,13 +282,63 @@ func (in *Upstreams) validate(path *field.Path) field.ErrorList {
 	return errs
 }
 
+func (in *Upstreams) toConsul() *capi.UpstreamConfiguration {
+	if in == nil {
+		return nil
+	}
+	upstreams := &capi.UpstreamConfiguration{}
+	upstreams.Defaults = in.Defaults.toConsul()
+	for _, override := range in.Overrides {
+		upstreams.Overrides = append(upstreams.Overrides, override.toConsul())
+	}
+	return upstreams
+}
+
 func (in *Upstream) validate(path *field.Path) *field.Error {
 	if in == nil {
 		return nil
 	}
 	return in.MeshGateway.validate(path.Child("meshGateway"))
 }
 
+func (in *Upstream) toConsul() *capi.UpstreamConfig {
+	if in == nil {
+		return nil
+	}
+	return &capi.UpstreamConfig{
+		Name:               in.Name,
+		Namespace:          in.Namespace,
+		EnvoyListenerJSON:  in.EnvoyListenerJSON,
+		EnvoyClusterJSON:   in.EnvoyClusterJSON,
+		Protocol:           in.Protocol,
+		ConnectTimeoutMs:   in.ConnectTimeoutMs,
+		Limits:             in.Limits.toConsul(),
+		PassiveHealthCheck: in.PassiveHealthCheck.toConsul(),
+		MeshGateway:        in.MeshGateway.toConsul(),
+	}
+}
+
+func (in *UpstreamLimits) toConsul() *capi.UpstreamLimits {
+	if in == nil {
+		return nil
+	}
+	return &capi.UpstreamLimits{
+		MaxConnections:        in.MaxConnections,
+		MaxPendingRequests:    in.MaxPendingRequests,
+		MaxConcurrentRequests: in.MaxConcurrentRequests,
+	}
+}
+
+func (in *PassiveHealthCheck) toConsul() *capi.PassiveHealthCheck {
+	if in == nil {
+		return nil
+	}
+	return &capi.PassiveHealthCheck{
+		Interval:    in.Interval,
+		MaxFailures: in.MaxFailures,
+	}
+}
+
 // DefaultNamespaceFields has no behaviour here as service-defaults have no namespace specific fields.
 func (in *ServiceDefaults) DefaultNamespaceFields(_ bool, _ string, _ bool, _ string) {
 	return

api/v1alpha1/servicedefaults_types_test.go

@@ -66,6 +66,70 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 					TransparentProxy: &TransparentProxy{
 						OutboundListenerPort: 1000,
 					},
+					UpstreamConfig: &Upstreams{
+						Defaults: &Upstream{
+							Name:              "upstream-default",
+							Namespace:         "ns",
+							EnvoyListenerJSON: `{"key": "value"}`,
+							EnvoyClusterJSON:  `{"key": "value"}`,
+							Protocol:          "http2",
+							ConnectTimeoutMs:  10,
+							Limits: &UpstreamLimits{
+								MaxConnections:        intPointer(10),
+								MaxPendingRequests:    intPointer(10),
+								MaxConcurrentRequests: intPointer(10),
+							},
+							PassiveHealthCheck: &PassiveHealthCheck{
+								Interval:    2 * time.Second,
+								MaxFailures: uint32(20),
+							},
+							MeshGateway: MeshGateway{
+								Mode: "local",
+							},
+						},
+						Overrides: []*Upstream{
+							{
+								Name:              "upstream-override-1",
+								Namespace:         "ns",
+								EnvoyListenerJSON: `{"key": "value"}`,
+								EnvoyClusterJSON:  `{"key": "value"}`,
+								Protocol:          "http2",
+								ConnectTimeoutMs:  15,
+								Limits: &UpstreamLimits{
+									MaxConnections:        intPointer(5),
+									MaxPendingRequests:    intPointer(5),
+									MaxConcurrentRequests: intPointer(5),
+								},
+								PassiveHealthCheck: &PassiveHealthCheck{
+									Interval:    2 * time.Second,
+									MaxFailures: uint32(10),
+								},
+								MeshGateway: MeshGateway{
+									Mode: "remote",
+								},
+							},
+							{
+								Name:              "upstream-default",
+								Namespace:         "ns",
+								EnvoyListenerJSON: `{"key": "value"}`,
+								EnvoyClusterJSON:  `{"key": "value"}`,
+								Protocol:          "http2",
+								ConnectTimeoutMs:  10,
+								Limits: &UpstreamLimits{
+									MaxConnections:        intPointer(2),
+									MaxPendingRequests:    intPointer(2),
+									MaxConcurrentRequests: intPointer(2),
+								},
+								PassiveHealthCheck: &PassiveHealthCheck{
+									Interval:    2 * time.Second,
+									MaxFailures: uint32(10),
+								},
+								MeshGateway: MeshGateway{
+									Mode: "remote",
+								},
+							},
+						},
+					},
 				},
 			},
 			&capi.ServiceConfigEntry{
@@ -96,6 +160,70 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 				TransparentProxy: &capi.TransparentProxyConfig{
 					OutboundListenerPort: 1000,
 				},
+				UpstreamConfig: &capi.UpstreamConfiguration{
+					Defaults: &capi.UpstreamConfig{
+						Name:              "upstream-default",
+						Namespace:         "ns",
+						EnvoyListenerJSON: `{"key": "value"}`,
+						EnvoyClusterJSON:  `{"key": "value"}`,
+						Protocol:          "http2",
+						ConnectTimeoutMs:  10,
+						Limits: &capi.UpstreamLimits{
+							MaxConnections:        intPointer(10),
+							MaxPendingRequests:    intPointer(10),
+							MaxConcurrentRequests: intPointer(10),
+						},
+						PassiveHealthCheck: &capi.PassiveHealthCheck{
+							Interval:    2 * time.Second,
+							MaxFailures: uint32(20),
+						},
+						MeshGateway: capi.MeshGatewayConfig{
+							Mode: "local",
+						},
+					},
+					Overrides: []*capi.UpstreamConfig{
+						{
+							Name:              "upstream-override-1",
+							Namespace:         "ns",
+							EnvoyListenerJSON: `{"key": "value"}`,
+							EnvoyClusterJSON:  `{"key": "value"}`,
+							Protocol:          "http2",
+							ConnectTimeoutMs:  15,
+							Limits: &capi.UpstreamLimits{
+								MaxConnections:        intPointer(5),
+								MaxPendingRequests:    intPointer(5),
+								MaxConcurrentRequests: intPointer(5),
+							},
+							PassiveHealthCheck: &capi.PassiveHealthCheck{
+								Interval:    2 * time.Second,
+								MaxFailures: uint32(10),
+							},
+							MeshGateway: capi.MeshGatewayConfig{
+								Mode: "remote",
+							},
+						},
+						{
+							Name:              "upstream-default",
+							Namespace:         "ns",
+							EnvoyListenerJSON: `{"key": "value"}`,
+							EnvoyClusterJSON:  `{"key": "value"}`,
+							Protocol:          "http2",
+							ConnectTimeoutMs:  10,
+							Limits: &capi.UpstreamLimits{
+								MaxConnections:        intPointer(2),
+								MaxPendingRequests:    intPointer(2),
+								MaxConcurrentRequests: intPointer(2),
+							},
+							PassiveHealthCheck: &capi.PassiveHealthCheck{
+								Interval:    2 * time.Second,
+								MaxFailures: uint32(10),
+							},
+							MeshGateway: capi.MeshGatewayConfig{
+								Mode: "remote",
+							},
+						},
+					},
+				},
 				Meta: map[string]string{
 					common.SourceKey:     common.SourceValue,
 					common.DatacenterKey: "datacenter",
@@ -528,3 +656,7 @@ func TestServiceDefaults_ObjectMeta(t *testing.T) {
 	}
 	require.Equal(t, meta, serviceDefaults.GetObjectMeta())
 }
+
+func intPointer(i int) *int {
+	return &i
+}

config/crd/bases/consul.hashicorp.com_proxydefaults.yaml

@@ -82,7 +82,7 @@ spec:
                     type: string
                 type: object
               transparentProxy:
-                description: TransparentProxy controls configuration specific to proxies in transparent mode.
+                description: 'TransparentProxy controls configuration specific to proxies in transparent mode. Note: This cannot be set using the CRD and should be set using annotations on the services that are part of the mesh.'
                 properties:
                   outboundListenerPort:
                     description: The port of the listener where outbound application traffic is being redirected to.

config/crd/bases/consul.hashicorp.com_servicedefaults.yaml

@@ -81,13 +81,13 @@ spec:
                     type: string
                 type: object
               mode:
-                description: Mode can be one of direct or transparent. transparent represents that inbound and outbound and outbound application traffic is being captured and redirected through the proxy. This mode does not enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if traffic is already being redirected. direct represents that the proxy's listeners must be dialed directly by the local application and other proxies.
+                description: 'Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound application traffic is being captured and redirected through the proxy. This mode does not enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if traffic is already being redirected. "direct" represents that the proxy''s listeners must be dialed directly by the local application and other proxies. Note: This cannot be set using the CRD and should be set using annotations on the services that are part of the mesh.'
                 type: string
               protocol:
                 description: Protocol sets the protocol of the service. This is used by Connect proxies for things like observability features and to unlock usage of the service-splitter and service-router config entries for a service.
                 type: string
               transparentProxy:
-                description: TransparentProxy controls configuration specific to proxies in transparent mode.
+                description: 'TransparentProxy controls configuration specific to proxies in transparent mode. Note: This cannot be set using the CRD and should be set using annotations on the services that are part of the mesh.'
                 properties:
                   outboundListenerPort:
                     description: The port of the listener where outbound application traffic is being redirected to.