Use this parameter to ensure that extensions required for secure communication are not unintentionally bypassed.
Consul returns an error when `Required` is set to `true` and the extension does not update Envoy resources.
| String | None | +| `Arguments` | Specifies the arguments to pass to the extension executable. Refer to the documentation for the extension you want to implement for additional information. | Map | None | +| `ConsulVersion` | Specifies the version of Consul that the extension is allowed to work with. Consul validates the version during xDS updates. If a different version is in use, Consul skips the extension and writes the event to the log.The `ConsulVersion` and `EnvoyVersion` must both validate for Consul to implement the extension.
| String | None | +| `EnvoyVersion` | Specifies the version of Envoy that the extension is allowed to work with. Consul validates the version during xDS updates. If a different version is in use, Consul skips the extension and writes the event to the log.The `ConsulVersion` and `EnvoyVersion` must both validate for Consul to implement the extension.
| String | None | + +### `Mode` + +Specifies a mode for how proxies direct inbound and outbound traffic. You can specify one of the following values: + +- `transparent`: In transparent mode, proxies capture and redirect inbound and outbound traffic. The mode does not enable traffic redirection, but directs Consul to configure Envoy as if traffic is already being redirected. + +- `direct`: In this mode, the local application and other proxies must directly dial proxy listeners. + +#### Values + +- Default: None +- Data type: String + +### `TransparentProxy` + +Contains configurations for proxies that are running in transparent proxy mode. This mode enables permissive mTLS for Consul so that you can use your Kubernetes cluster's DNS service instead of Consul DNS. Refer to [Transparent proxy mode](/consul/docs/k8s/connect/transparent-proxy) for additional information. + +#### Values + +- Default: None +- Data type: Map of containing the following fields: + - `OutboundListenerPort` + - `DialedDirectly` + +The following table describes how to configure values in the `TransparentProxy` map: + +| Parameter | Description | Data type | Default | +| --- | --- | --- | --- | +| `OutboundListenerPort` | Specifies the port that the proxy listens on for outbound traffic. Outbound application traffic must be captured and redirected to this port. | Integer | `15001` | +| `DialedDirectly` | Determines whether other proxies in transparent mode can directly dial this proxy instance's IP address. Proxies in transparent mode commonly dial upstreams at the [`virtual` tagged address](/consul/docs/services/configuration/services-configuration-reference#tagged_addresses-virtual), which load balances across instances. Dialing individual instances can be helpful when sending requests to stateful services, such as database clusters with a leader. | Boolean | `false` | + +### `MutualTLSMode` + +Controls the default mutual TLS (mTLS) mode for all proxies. You can only set mutual TLS mode for services in transparent proxy mode. + +You can specify one of the following modes: + +`strict`: The sidecar proxy requires mTLS for incoming traffic. +`permissive`: The sidecar proxy accepts mTLS traffic on the sidecar proxy service port and accepts any traffic on the destination service port. We recommend only using permissive mode if necessary while onboarding services to the service mesh. + +#### Values + +- Default: `strict` +- Data type: One of the following string values: + - `strict` + - `permissive` + +### `MeshGateway` + +Sets the default mesh gateway `mode` field for all proxies. You can specify the following string values for the `mode` field: + +- `none`: The proxy does not make outbound connections through a mesh gateway. Instead, it makes outbound connections directly to the destination services. +- `local`: The proxy makes an outbound connection to a gateway running in the same datacenter. +- `remote`: The proxy makes an outbound connection to a gateway running in the destination datacenter. + +#### Values + +- Default: None +- Data type: Map containing the `mode` field + +### `Expose` + +Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to protect themselves by only listening on `localhost`. Applications that are not Consul service mesh-enabled are still able to contact an HTTP endpoint. + +Example use-cases include exposing the `/metrics` endpoint to a monitoring system, such as Prometheus, and exposing the `/healthz` endpoint to the kubelet for liveness checks. Refer to [Expose Paths Configuration Reference](/consul/docs/connect/proxy-config-reference#expose-paths-configuration-reference) for additional information. + +#### Values + +- Default: None +- Data type: Map containing the following parameters: + - [`Checks`](#expose-checks) + - [`Paths`](#expose-paths) + +### `Expose{}.Checks` + +Exposes all HTTP and gRPC checks registered with the agent when set to `true`. Envoy exposes listeners for the checks and only accepts connections originating from localhost or the [Consul agent's `advertise_addr`](/consul/docs/agent/config/config-files#advertise). The ports for the listeners are dynamically allocated from the [agent's `expose_min_port`](/consul/docs/agent/config/config-files#expose_min_port) and [`expose_max_port`](/consul/docs/agent/config/config-files#expose_max_port) configurations. + +We recommend enabling the `Checks` configuration when a Consul client cannot reach registered services over localhost. + +#### Values + +- Default: `false` +- Data type: Boolean + +### `Expose{}.Paths[]` + +Specifies a list of configuration maps that define paths to expose through Envoy when `Expose.Checks` is set to `true`. + +#### Values + +- Default: None +- Data type: List of maps + +The following table describes the parameters for each map you can define in the list: + +| Parameter | Description | Data type | Default | +| --- | --- | --- | --- | +| `Path` | Specifies the HTTP path to expose. You must prepend the path with a forward slash (`/`). | String | None | +| `LocalPathPort` | Specifies the port where the local service listens for connections to the path. | Integer | `0` | +| `ListenPort` | Specifies the port where the proxy listens for connections. The port must be available. If the port is unavailable, Envoy does not expose a listener for the path and the proxy registration still succeeds. | Integer | `0` | +| `Protocol` | Specifies the protocol of the listener. You can configure one of the following values:Use this parameter to ensure that extensions required for secure communication are not unintentionally bypassed.
Consul returns an error when `Required` is set to `true` and the extension does not update Envoy resources.
| String | None | +| `arguments` | Specifies the arguments to pass to the extension executable. Refer to the documentation for the extension you want to implement for additional information. | Map | None | +| `consulVersion` | Specifies the version of Consul that the extension is allowed to work with. Consul validates the version during xDS updates. If a different version is in use, Consul skips the extension and writes the event to the log.The `consulVersion` and `envoyVersion` must both validate for Consul to implement the extension.
| String | None | +| `envoyVersion` | Specifies the version of Envoy that the extension is allowed to work with. Consul validates the version during xDS updates. If a different version is in use, Consul skips the extension and writes the event to the log.The `consulVersion` and `envoyVersion` must both validate for Consul to implement the extension.
| String | None | + +### `spec.mode` + +Specifies a mode for how proxies direct inbound and outbound traffic. You can specify one of the following values: -