# Configuration

This is a global list of all the settings.

## GRPC server
Property | Description | Default value |
---|---|---|
envoy-control.server.executor-group.type | Group executor type. DIRECT or PARALLEL | DIRECT |
envoy-control.server.executor-group.parallel-pool-size | Pool size used for executor group in PARALLEL mode | 4 |
envoy-control.server.nio-event-loop-thread-count | The number of threads that will be used by netty's nio worker event loop | 1 |
envoy-control.server.nio-boss-event-loop-thread-count | The number of threads that will be used by netty's nio boss event loop | 1 |
envoy-control.server.netty.keep-alive-time | Sets a custom keepalive time for Netty server | 15s |
envoy-control.server.netty.permit-keep-alive-time | Specify the most aggressive keep-alive time clients are permitted to configure (in seconds) | 10s |
envoy-control.server.netty.permit-keep-alive-without-calls | Sets whether to allow clients to send keep-alive HTTP/2 PINGs even if there are no outstanding RPCs on the connection | true |
envoy-control.server.port | Port of the xDS server | 50000 |
envoy-control.server.server-pool-size | Pool size of xDS server | 16 |
envoy-control.server.server-poolkeep-alive | Threads keep alive in xDS server pool | 10m |
envoy-control.server.group-snapshot-update-scheduler.type | Scheduler type for update snapshot for groups operation. DIRECT or PARALLEL | DIRECT |
envoy-control.server.group-snapshot-update-scheduler.parallel-pool-size | Parallelism level for PARALLEL mode. Should match executor pool size if custom executor is used | 1 |
envoy-control.server.snapshot-cleanup.collect-after-millis | How long a snapshot must be referenced before being collected | 10s |
envoy-control.server.snapshot-cleanup.collection-interval-millis | How often the collection background action should run | 10s |
envoy-control.server.global-snapshot-audit-pool-size | Pool size used for default global snapshot audit executor group | 10s |
## Snapshot properties
Property | Description | Default value |
---|---|---|
envoy-control.envoy.snapshot.dynamic-listeners.enabled | Enable or disable creating listeners using dynamic configuration | true |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.enabled | Enable or disable access logs | false |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.time-format | Time format for access logs | "%START_TIME(%FT%T.%3fZ)%" |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.message-format | Message format for access logs | "%PROTOCOL% %REQ(:METHOD)% %REQ(:authority)% %REQ(:PATH)% %DOWNSTREAM_REMOTE_ADDRESS% -> %UPSTREAM_HOST%" |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.level | Logging level for access logs | "TRACE" |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.logger | Logger name for access logs | "envoy.AccessLog" |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.custom-fields | Custom fields, which should be included in access logs | null |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.status-code | Default status code filter for access logs | null |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.duration | Default duration filter for access logs | null |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.not-health-check | Disable health checks filter for access logs | true |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.response-flag | Default response flag filter for access logs | null |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.header | Default header filter for access logs | null |
envoy-control.envoy.snapshot.dynamic-listeners.http-filters.ingress-xff-num-trusted-hops | Number of trusted hops for ingress filter (refer to envoy docs) | 1 |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.enabled | Enable or disable creating local reply mapper configuration (refer to envoy docs) | false |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.response-format.text-format | Text message format with placeholders (refer to envoy docs) | "" |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.response-format.json-format | JSON message format with placeholders for matched response (refer to envoy docs). | "" |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.response-format.content-type | Response content-type header value | "" |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.status-code-matcher | Matcher which handles specific status codes formatted as string e.g.: EQ:400 - equal to status code 400 | "" |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.header-matcher.name | Header name to match | "" |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.header-matcher.exact-match | Header value to match for specified header (only one of: exactMatch, regexMatch can be specified. If none is specified, header name presence matcher will be used) | "" |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.header-matcher.regex-match | Header value regex to match for specified header (only one of: exactMatch, regexMatch can be specified. If none is specified, header name presence matcher will be used) | "" |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.response-flag-matcher | Response flags to match (refer to envoy docs) | empty list |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.status-code-to-return | Status code to return for matched response | 0 (disabled) |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.body-to-return | Response message to return for matched response | "" |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.response-format.text-format | Text message format with placeholders for matched response | "" |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.response-format.json-format | JSON message format with placeholders for matched response | empty map |
envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.matchers.response-format.content-type | Response content-type header value | "" |
envoy-control.envoy.snapshot.eds-connection-timeout | Connection timeout for EDS clusters | 2s |
envoy-control.envoy.snapshot.egress.common-http.idle-timeout | Set idle timeout for all HTTP connections (HTTP/1 and HTTP/2) | 120s |
envoy-control.envoy.snapshot.egress.common-http.request-timeout | Set request timeout for all routes (HTTP/1 and HTTP/2) | 120s |
envoy-control.envoy.snapshot.egress.common-http.circuit-breakers.high-threshold.max-connections | The maximum number of connections that Envoy will make to the upstream cluster for high priority threshold. | 1024 |
envoy-control.envoy.snapshot.egress.common-http.circuit-breakers.high-threshold.max-pending-requests | The maximum number of pending requests that Envoy will allow to the upstream cluster for high priority threshold. | 1024 |
envoy-control.envoy.snapshot.egress.common-http.circuit-breakers.high-threshold.max-requests | The maximum number of parallel requests that Envoy will make to the upstream cluster for high priority threshold. | 1024 |
envoy-control.envoy.snapshot.egress.common-http.circuit-breakers.high-threshold.max-retries | The maximum number of parallel retries that Envoy will allow to the upstream cluster for high priority threshold. | 3 |
envoy-control.envoy.snapshot.egress.common-http.circuit-breakers.default-threshold.max-connections | The maximum number of connections that Envoy will make to the upstream cluster for default priority threshold. | 1024 |
envoy-control.envoy.snapshot.egress.common-http.circuit-breakers.default-threshold.max-pending-requests | The maximum number of pending requests that Envoy will allow to the upstream cluster for default priority threshold. | 1024 |
envoy-control.envoy.snapshot.egress.common-http.circuit-breakers.default-threshold.max-requests | The maximum number of parallel requests that Envoy will make to the upstream cluster for default priority threshold. | 1024 |
envoy-control.envoy.snapshot.egress.common-http.circuit-breakers.default-threshold.max-retries | The maximum number of parallel retries that Envoy will allow to the upstream cluster for default priority threshold. | 3 |
envoy-control.envoy.snapshot.egress.never-remove-clusters | Don't remove a cluster when its service disappears from the services source; only remove all of its instances. | true |
envoy-control.envoy.snapshot.egress.cluster-not-found-status-code | Status code when cluster is not found | 503 |
envoy-control.envoy.snapshot.egress.http2.enabled | Enable http2 for clusters that use envoy | true |
envoy-control.envoy.snapshot.egress.http2.tag-name | Tag to be used to identify if instance uses envoy | envoy |
envoy-control.envoy.snapshot.egress.handle-internal-redirect | Handle redirects by Envoy | false |
envoy-control.envoy.snapshot.egress.host-header-rewriting.enabled | Enable rewriting Host header with value from specified header | false |
envoy-control.envoy.snapshot.egress.host-header-rewriting.custom-host-header | Header name which value will override Host header | "x-envoy-original-host" |
envoy-control.envoy.snapshot.egress.headers-to-remove | List of headers to sanitize on egress | empty list |
envoy-control.envoy.snapshot.egress.domains | List of domains added to service names for matching. Domain name has to start with '.' (e.g. .domain) | empty list |
envoy-control.envoy.snapshot.ingress.headers-to-remove | List of headers to sanitize on ingress | empty list |
envoy-control.envoy.snapshot.local-service.idle-timeout | Idle timeout between client to envoy | 60s |
envoy-control.envoy.snapshot.local-service.response-timeout | Response timeout for localService | 15s |
envoy-control.envoy.snapshot.local-service.connection-idle-timeout | Connection idle timeout for localService | 120s |
envoy-control.envoy.snapshot.routes.status.enabled | Enable status route | false |
envoy-control.envoy.snapshot.routes.status.endpoints | List of endpoints with path or prefix of status routes | /status |
envoy-control.envoy.snapshot.routes.status.create-virtual-cluster | Create virtual cluster for status route | false |
envoy-control.envoy.snapshot.state-sample-duration | Duration of state sampling (this is used to prevent surges in consul events overloading control plane) | 1s |
envoy-control.envoy.snapshot.xds-cluster-name | Name of cluster for xDS operations | envoy-control-xds |
envoy-control.envoy.snapshot.enabled-communication-modes.ads | Enable or disable support for ADS communication mode | true |
envoy-control.envoy.snapshot.enabled-communication-modes.xds | Enable or disable support for XDS communication mode | true |
envoy-control.envoy.snapshot.should-send-missing-endpoints | Enable sending missing Endpoints: when Envoy requests a cluster that does not exist in the snapshot, the control plane responds with an empty Endpoint definition | false |
envoy-control.envoy.snapshot.cluster-name | Dynamic forward proxy cluster name | dynamic_forward_proxy_cluster |
envoy-control.envoy.snapshot.dns-lookup-family | DNS lookup address family | V4_ONLY |
envoy-control.envoy.snapshot.max-cached-hosts | The maximum number of hosts that the cache will hold | 1024 |
envoy-control.envoy.snapshot.max-host-ttl | The TTL for hosts that are unused. Hosts that have not been used in the configured time interval will be purged | 300s |
envoy-control.envoy.snapshot.rate-limit.domain | Domain name for ratelimit service. | rl |
envoy-control.envoy.snapshot.rate-limit.service-name | ratelimit GRPC service name | ratelimit-grpc |
envoy-control.envoy.snapshot.delta-xds-enabled | Enable delta xDS | false |
envoy-control.envoy.snapshot.should-audit-global-snapshot | Enable global snapshot audits | false |
## Permissions
Property | Description | Default value |
---|---|---|
envoy-control.envoy.snapshot.incoming-permissions.enabled | Enable incoming permissions | false |
envoy-control.envoy.snapshot.incoming-permissions.client-identity-headers | Headers that identify the client calling the endpoint. In most cases client-identity-headers should include the service-name-header value to correctly identify other services in the mesh. | [ x-service-name ] |
envoy-control.envoy.snapshot.incoming-permissions.clients-allowed-to-all-endpoints | Client names which are allowed to even call service if incoming permissions are enabled. | empty list |
envoy-control.envoy.snapshot.incoming-permissions.request-identification-headers | Headers that are used to identify requests in incoming permissions logs. | [ x-request-id ] |
envoy-control.envoy.snapshot.incoming-permissions.trusted-client-identity-header | Header that securely identifies the client calling the endpoint. It is added by Envoy to the request sent to the local service. The local service can trust this header: it always contains only confirmed client identities. Set to an empty string to disable. | x-client-name-trusted |
envoy-control.envoy.snapshot.incoming-permissions.service-name-header | Name of a header to propagate a called endpoint's service name upstream | x-service-name |
envoy-control.envoy.snapshot.incoming-permissions.source-ip-authentication.ip-from-service-discovery.enabled-for-incoming-services | Enable source ip based authentication for selected services | empty list |
envoy-control.envoy.snapshot.incoming-permissions.source-ip-authentication.ip-from-range | Enable source ip based authentication for selected clients using static IP ranges | empty map |
envoy-control.envoy.snapshot.incoming-permissions.source-ip-authentication.ip-from-range.{name} | User-chosen name for the static IP range; it must match a client name defined in incoming permissions | none |
envoy-control.envoy.snapshot.incoming-permissions.source-ip-authentication.ip-from-range.{name}.{ip}/{prefix} | IP and prefix, in the format {ip}/{prefix}, for the static IP range. E.g.: 192.168.1.0/24 | empty string |
envoy-control.envoy.snapshot.incoming-permissions.selector-matching.{name}. | Selector matching is used to further authenticate source IP targets. {name} corresponds to client name defined in incoming permissions and IP range | empty map |
envoy-control.envoy.snapshot.incoming-permissions.selector-matching.{name}.header.{selector-name} | Name used to identify the selector. For header authentication it is the header name. In the future, for metadata, it will be filter/path. | empty string |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.tls-context-metadata-match-key | Name of tls context metadata matcher key | acceptMTLS |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.validation-context-secret-name | Name of validation context config, has to match static configuration in Envoy config | validation_context |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.tls-certificate-secret-name | Name of server TLS Certificate config, has to match static configuration in Envoy config | server_cert |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.require-client-certificate | Enable to reject TLS connections without a client certificate. Even if set to false, incoming permissions are still enforced. | false |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.protocol.minimum-version | Minimum version of TLS protocol used | "TLSv1_2" |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.protocol.maximum-version | Maximum version of TLS protocol used | "TLSv1_2" |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.protocol.cipher-suites | A list of cipher suites to use | list of "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256" |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.mtls-enabled-tag | Name of the tag that is used to identify if mTLS should be enabled for a cluster (note that envoy-control.envoy.snapshot.egress.http2.enabled should also be enabled) | mtls:enabled |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.san-uri-format | URI format for SAN field that will be matched in client/server validation. {service-name} will be replaced by service name from discovery source. | spiffe://{service-name} |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.service-name-wildcard-regex | Regex to match service-names for "wildcard" client identifier. By default it will match all service names of length greater than zero (.+). It is used in place of {service-name} placeholder in san-uri-format. | .+ |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.services-allowed-to-use-wildcard | Services that are allowed to have wildcard in incoming.clients field | empty set |
envoy-control.envoy.snapshot.incoming-permissions.tls-authentication.wildcard-client-identifier | Special value (wildcard) that signifies that the service accepts traffic from all other validated services | * |
envoy-control.envoy.snapshot.incoming-permissions.overlapping-paths-fix | Make RBAC factory generate rules for endpoints with log policy in actual "rules" of RBAC engine to fix unintuitive behaviour when overlapping paths are defined. | false |
envoy-control.envoy.snapshot.outgoing-permissions.enabled | Enable outgoing permissions | false |
envoy-control.envoy.snapshot.outgoing-permissions.all-services-dependencies.identifier | Special value (wildcard) that signifies that the service depends on all other services | * |
envoy-control.envoy.snapshot.outgoing-permissions.all-services-dependencies.not-included-by-prefix | Services not included in dependencies for services with wildcard in outgoing.dependency field. Matched by service name prefix. | empty list |
envoy-control.envoy.snapshot.outgoing-permissions.services-allowed-to-use-wildcard | Services that are allowed to have wildcard in outgoing.dependency field | empty set |
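The SAN-based client identification governed by san-uri-format, service-name-wildcard-regex, services-allowed-to-use-wildcard and wildcard-client-identifier, as an added illustration in Python. This is not envoy-control's own code (the control plane emits Envoy string matchers rather than Python regexes); the service and client names are constructed, and the wildcard allow-list is an assumed value.

```python
import re
from typing import Iterable, List, Pattern

# Defaults copied from the Permissions table on this page.
SAN_URI_FORMAT = "spiffe://{service-name}"
SERVICE_NAME_WILDCARD_REGEX = ".+"
WILDCARD_CLIENT_IDENTIFIER = "*"
# Constructed value: only this service may list "*" in its incoming.clients.
SERVICES_ALLOWED_TO_USE_WILDCARD = frozenset({"frontend"})


def san_matcher_for_client(client: str) -> Pattern[str]:
    """Build the SAN URI matcher for one entry of a service's incoming.clients list.

    A concrete client name is matched literally; the wildcard identifier is replaced
    by service-name-wildcard-regex, so "*" still requires a non-empty, validated
    service name in the peer certificate rather than accepting any SAN.
    """
    if client == WILDCARD_CLIENT_IDENTIFIER:
        name_regex = SERVICE_NAME_WILDCARD_REGEX
    else:
        name_regex = re.escape(client)
    prefix, suffix = SAN_URI_FORMAT.split("{service-name}")
    return re.compile("^" + re.escape(prefix) + name_regex + re.escape(suffix) + "$")


def san_matchers(service: str, clients: Iterable[str]) -> List[Pattern[str]]:
    """Matchers for every allowed client; the wildcard is refused for services
    that are not listed in services-allowed-to-use-wildcard."""
    matchers: List[Pattern[str]] = []
    for client in clients:
        if client == WILDCARD_CLIENT_IDENTIFIER and service not in SERVICES_ALLOWED_TO_USE_WILDCARD:
            raise ValueError(f"{service!r} is not in services-allowed-to-use-wildcard")
        matchers.append(san_matcher_for_client(client))
    return matchers


def client_is_authorized(service: str, clients: Iterable[str],
                         presented_sans: Iterable[str]) -> bool:
    """True when any URI SAN from the (already chain-validated) client certificate
    matches one of the service's allowed clients."""
    matchers = san_matchers(service, clients)
    return any(m.match(san) for san in presented_sans for m in matchers)


if __name__ == "__main__":
    # Constructed example: "orders" accepts only "billing".
    print(client_is_authorized("orders", ["billing"], ["spiffe://billing"]))  # True
    print(client_is_authorized("orders", ["billing"], ["spiffe://billing-old"]))  # False
```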
## Load Balancing
Property | Description | Default value |
---|---|---|
envoy-control.envoy.snapshot.load-balancing.weights.enabled | if set to true, weighted load balancing will be enabled | false |
envoy-control.envoy.snapshot.load-balancing.canary.enabled | if set to true, routing to canary instances based on canary header will be enabled (corresponding Envoy static config is required, see docs) | false |
envoy-control.envoy.snapshot.load-balancing.canary.metadata-key | metadata key that will be set for canary EDS endpoints (must match Envoy static header_to_metadata filter config, see docs) | canary |
envoy-control.envoy.snapshot.load-balancing.canary.header-value | only when canary header is set to this value request will be routed to canary instances (canary header name is set in Envoy static config, see docs) | 1 |
envoy-control.envoy.snapshot.load-balancing.policy | load balancing policy used for clusters. Accepted values | LEAST_REQUEST |
envoy-control.envoy.snapshot.load-balancing.use-keys-subset-fallback-policy | KEYS_SUBSET fallback policy is used by default when canary and service-tags are enabled. It is not supported in Envoy <= 1.12.x. Set to false for compatibility with Envoy 1.12.x | true |
## Routing
Property | Description | Default value |
---|---|---|
envoy-control.envoy.snapshot.routing.service-tags.enabled | If set to true, service tags routing will be enabled | false |
envoy-control.envoy.snapshot.routing.service-tags.metadata-key | What key to use in endpoint metadata to store its service tags | tag |
envoy-control.envoy.snapshot.routing.service-tags.header | What header to use in service tag rules | x-service-tag |
envoy-control.envoy.snapshot.routing.service-tags.routing-excluded-tags | List of tags predicates that cannot be used for routing. This supports an exact matching (just "string" - EXACT matching) prefixes (PREFIX matching) and regexes (REGEX matching) | empty list |
envoy-control.envoy.snapshot.routing.service-tags.allowed-tags-combinations | List of rules describing which tags can be combined and requested together. Details below | empty list |
(...).allowed-tags-combinations[].service-name | The rule will apply only for this service | "" |
(...).allowed-tags-combinations[].tags | List of tag patterns, that can be combined and requested together | empty list |
## Outlier detection
Property | Description | Default value |
---|---|---|
envoy-control.envoy.snapshot.cluster-outlier-detection.enabled | Enable cluster outlier detection | false |
envoy-control.envoy.snapshot.cluster-outlier-detection.base-ejection-time | The base time that a host is ejected for | 30s |
envoy-control.envoy.snapshot.cluster-outlier-detection.consecutive-gateway-failure | The number of consecutive gateway failures (502, 503, 504 status or connection errors that are mapped to one of those status codes) before a consecutive gateway failure ejection occurs | 5 |
envoy-control.envoy.snapshot.cluster-outlier-detection.consecutive5xx | The number of consecutive 5xx responses before a consecutive 5xx ejection | 5 |
envoy-control.envoy.snapshot.cluster-outlier-detection.enforcing-consecutive-gateway-failure | The % chance that a host will be actually ejected when an outlier status is detected through consecutive gateway failures | 0 |
envoy-control.envoy.snapshot.cluster-outlier-detection.enforcing-consecutive5xx | The % chance that a host will be actually ejected when an outlier status is detected through consecutive 5xx | 100 |
envoy-control.envoy.snapshot.cluster-outlier-detection.enforcing-success-rate | The % chance that a host will be actually ejected when an outlier status is detected through success rate statistics | 100 |
envoy-control.envoy.snapshot.cluster-outlier-detection.interval | The time interval between ejection analysis sweeps | 10s |
envoy-control.envoy.snapshot.cluster-outlier-detection.max-ejection-percent | The maximum % of an upstream cluster that can be ejected due to outlier detection | 10 |
envoy-control.envoy.snapshot.cluster-outlier-detection.success-rate-minimum-hosts | The number of hosts in a cluster that must have enough request volume to detect success rate outliers | 5 |
envoy-control.envoy.snapshot.cluster-outlier-detection.success-rate-request-volume | The minimum number of total requests that must be collected in one interval (as defined by the interval duration above) to include this host in success rate based outlier detection | 100 |
envoy-control.envoy.snapshot.cluster-outlier-detection.success-rate-stdev-factor | This factor is used to determine the ejection threshold for success rate outlier ejection. | 1900 |
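How the success-rate settings above interact in one ejection sweep, as an added Python model (not envoy-control's or Envoy's own code). It uses the table's defaults, computes Envoy's threshold of mean minus (success-rate-stdev-factor / 1000) standard deviations over hosts with enough request volume, and applies max-ejection-percent; the hosts are constructed, and the exact bookkeeping of the percent cap is an assumption.

```python
import random
import statistics
from dataclasses import dataclass
from typing import List, Optional

# Defaults copied from the Outlier detection table on this page.
SUCCESS_RATE_MINIMUM_HOSTS = 5
SUCCESS_RATE_REQUEST_VOLUME = 100
SUCCESS_RATE_STDEV_FACTOR = 1900   # Envoy divides by 1000: 1900 -> 1.9 standard deviations
MAX_EJECTION_PERCENT = 10
ENFORCING_SUCCESS_RATE = 100       # % chance that a detected outlier is really ejected


@dataclass
class HostStats:
    name: str
    requests: int      # requests observed in the current interval
    successes: int

    @property
    def success_rate(self) -> float:
        return 100.0 * self.successes / self.requests


def success_rate_threshold(hosts: List[HostStats]) -> Optional[float]:
    """Ejection threshold for one sweep: mean - (stdev_factor / 1000) * stdev.

    Only hosts with at least success-rate-request-volume requests contribute, and the
    statistic is skipped entirely when fewer than success-rate-minimum-hosts qualify.
    """
    eligible = [h for h in hosts if h.requests >= SUCCESS_RATE_REQUEST_VOLUME]
    if len(eligible) < SUCCESS_RATE_MINIMUM_HOSTS:
        return None
    rates = [h.success_rate for h in eligible]
    mean = statistics.fmean(rates)
    stdev = statistics.pstdev(rates)   # population standard deviation
    return mean - (SUCCESS_RATE_STDEV_FACTOR / 1000.0) * stdev


def sweep(hosts: List[HostStats], already_ejected: int = 0,
          rng: Optional[random.Random] = None) -> List[str]:
    """Names of the hosts one sweep would eject, worst success rate first.

    Assumption about the cap: a host is ejected only while
    (ejected + 1) * 100 <= max-ejection-percent * total hosts. With the default 10%,
    a cluster of fewer than ten hosts therefore ejects nothing at all, even when a
    host is clearly an outlier; that is the caveat this model is meant to expose.
    """
    rng = rng or random.Random()
    threshold = success_rate_threshold(hosts)
    if threshold is None:
        return []
    ejected: List[str] = []
    for h in sorted(hosts, key=lambda h: h.success_rate):
        if h.requests < SUCCESS_RATE_REQUEST_VOLUME or h.success_rate >= threshold:
            continue
        if (already_ejected + len(ejected) + 1) * 100 > MAX_EJECTION_PERCENT * len(hosts):
            break   # cap reached: Envoy counts this as an ejection overflow
        if rng.randrange(100) < ENFORCING_SUCCESS_RATE:
            ejected.append(h.name)
    return ejected


# Constructed sample: nine healthy hosts, one failing host, one host with too little traffic.
SAMPLE_HOSTS = [HostStats(f"h{i}", 200, 198) for i in range(1, 10)]   # 99% success
SAMPLE_HOSTS.append(HostStats("h10", 200, 120))   # 60% success: the outlier
SAMPLE_HOSTS.append(HostStats("h11", 30, 10))     # below request volume, ignored in the statistic

if __name__ == "__main__":
    print(round(success_rate_threshold(SAMPLE_HOSTS), 2))   # 72.87
    print(sweep(SAMPLE_HOSTS))                               # ['h10']
```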
## Retries

### Local Service

Property | Description | Default value |
---|---|---|
envoy-control.envoy.snapshot.localService.retryPolicy.\<selector\>.(...) | Enable retry policy for localService | false |
envoy-control.envoy.snapshot.localService.retryPolicy.\<selector\>.(...) | When Envoy should retry the request (Envoy V2 API retry-on) | empty list |
envoy-control.envoy.snapshot.localService.retryPolicy.\<selector\>.(...) | Number of retries | 1 |
envoy-control.envoy.snapshot.localService.retryPolicy.\<selector\>.(...) | Specifies a non-zero upstream timeout per retry attempt | 0ms |
envoy-control.envoy.snapshot.localService.retryPolicy.\<selector\>.(...) | The maximum number of times host selection will be reattempted before the request is routed to the last selected host | 1 |
envoy-control.envoy.snapshot.localService.retryPolicy.\<selector\>.(...) | HTTP status codes for which Envoy should trigger a retry in addition to retryOn | empty list |

Where \<selector\> is one of the following:

* perHttpMethod.{GET,HEAD,POST,PUT,DELETE} - retry policy for requests with the given HTTP method
* default - default retry policy, applied to every request that doesn't match a more specific selector
### Outgoing traffic
Property | Description | Default value |
---|---|---|
envoy-control.envoy.snapshot.retryPolicy.numberOfRetries | Number of retries | 1 |
envoy-control.envoy.snapshot.retryPolicy.hostSelectionRetryMaxAttempts | The maximum number of times host selection will be reattempted before the request is routed to the last selected host | 3 |
envoy-control.envoy.snapshot.retryPolicy.retryHostPredicate | Specifies a collection of RetryHostPredicates that will be consulted when selecting a host for retries | a list with one entry "envoy.retry_host_predicates.previous_hosts" |
envoy-control.envoy.snapshot.retryPolicy.retryBackOff.baseInterval | Specifies parameters that control exponential retry back off base interval | 25ms |
envoy-control.envoy.snapshot.retryPolicy.retryBackOff.maxInterval | Specifies parameters that control exponential retry back off max interval | 10 times base interval |
## Metrics
Property | Description | Default value |
---|---|---|
envoy-control.envoy.snapshot.metrics.cache-set-snapshot | Report metrics for cache.setSnapshot operation | false |
## Cross DC synchronization
Property | Description | Default value |
---|---|---|
envoy-control.sync.enabled | Enable Cross DC Synchronization | false |
envoy-control.sync.connection-timeout | Connection timeout to other Envoy Controls | 1s |
envoy-control.sync.envoy-control-app-name | Envoy Control app name available in discovery service | envoy-control |
envoy-control.sync.polling-interval | Polling interval in seconds | 1 |
envoy-control.sync.read-timeout | Read timeout to other Envoy Controls | 500ms |
## Service filters
Property | Description | Default value |
---|---|---|
envoy-control.service-filters.excluded-names-patterns | Regex for excluding services with a given name | empty list |
## Consul
Property | Description | Default value |
---|---|---|
envoy-control.source.consul.host | Hostname of consul server | localhost |
envoy-control.source.consul.port | Port of consul server | 8500 |
envoy-control.source.consul.tags.weight | Service instance tag which will be mapped to instance weight. If set to \<name\>, the expected tag will be \<name\>:\<value\>, where \<value\> is an integer (>0) representing instance weight | weight |
envoy-control.source.consul.tags.default-weight | Default service instance weight, if weight tag is not present on the instance | 50 |
envoy-control.source.consul.tags.canary | Service instance tag which indicates a canary instance | canary |
## JWT filter
Property | Description | Default value |
---|---|---|
envoy-control.envoy.snapshot.jwt.forwardJwt | If false, the JWT is removed from the request after successful verification. If true, the JWT is left in the request | true |
envoy-control.envoy.snapshot.jwt.forwardPayloadHeader | The header name used to forward a successfully verified JWT payload to the backend. The forwarded data is: base64url_encoded(jwt_payload_in_JSON) | x-oauth-token-validated |
envoy-control.envoy.snapshot.jwt.payloadInMetadata | Key for token fields, the value is the protobuf::Struct converted from JWT JSON payload. | jwt |
envoy-control.envoy.snapshot.jwt.fieldRequiredInToken | Name of the field whose presence will be checked in the JWT. This field should be present in every token. | exp |
envoy-control.envoy.snapshot.jwt.defaultVerificationType | Type of token validation, either ONLINE or OFFLINE (currently only OFFLINE supported) | offline |
envoy-control.envoy.snapshot.jwt.defaultOAuthPolicy | Policy specifies a Jwt requirement. Allowed values are allowMissingOrFailed, allowMissing and strict. | strict |
envoy-control.envoy.snapshot.jwt.providers.{providerName} | Provider of OAuth JWKs | empty map |
envoy-control.envoy.snapshot.jwt.providers.{providerName}.jwksUri | Uri of the endpoint serving JWKs | http://localhost |
envoy-control.envoy.snapshot.jwt.providers.{providerName}.createCluster | If true, cluster will be created for OAuth provider | false |
envoy-control.envoy.snapshot.jwt.providers.{providerName}.clusterName | Name of the cluster | "" |
envoy-control.envoy.snapshot.jwt.providers.{providerName}.clusterPort | Port of the cluster that will be created for provider | 443 |
envoy-control.envoy.snapshot.jwt.providers.{providerName}.cacheDuration | Duration of caching public key fetched from provider | 300s |
envoy-control.envoy.snapshot.jwt.providers.{providerName}.connectionTimeout | Connection timeout for request fetching JWKs | 1s |
envoy-control.envoy.snapshot.jwt.providers.{providerName}.matchings.{matching} | Name of the token field that should be verified for given selector | empty map |