- Features and Benefits
- Using Ambassador Edge Stack in Your Organization
- Ambassador Edge Stack vs. Other Software
- Certified Builds
- Ambassador Edge Stack Architecture
- Ambassador Edge Stack Deployment Architecture
- Continuous Delivery, Declarative Config, and GitOps
- Microservices API Gateways
- Rate Limiting Concepts
- Self-Service Routing and Deployment Control
- Safely Testing in Production
- OAuth & OIDC Overview
- Why Ambassador Edge Stack Uses Envoy Proxy (External Link)
- Configuring Ambassador Edge Stack
- Mapping Services
- Canary Releases
- Circuit Breakers
- Cross Origin Resource Sharing
- Header-based routing
- Host Header
- Host CRD
- Prefix Regex
- Rate Limits
- Remove Request Headers
- Remove Response Headers
- Add Request Headers
- Add Response Headers
- Automatic Retries
- Routing TCP Connections
- Traffic Shadowing
- Developer Portal
- Filter Reference
- Statistics and Monitoring
Ambassador Edge Stack supports a variety of global configuration options in the
If present, the
ambassador Module defines system-wide configuration. This module can be applied to any Kubernetes service (the
ambassador service itself is a common choice). You may very well not need this Module. The defaults in the
ambassador Module are:
apiVersion: getambassador.io/v2kind: Modulemetadata:name: ambassadorspec:# Use ambassador_id only if you are using multiple ambassadors in the same cluster.# For more information: ../../running#ambassador_id.# ambassador_id: "<ambassador_id>"config:# Use the following table for config fields
|Should we automatically add Linkerd |
|The port where Ambassador's Envoy will listen for low-level admin requests. You should almost never need to change this.|
|Use only if you are using multiple ambassadors in the same cluster. Learn more.|
|Set the default upstream-connection idle timeout. If not set (the default), upstream connections will never be closed due to idling.|
|Set a default domain and request labels to every request for use by rate limiting. For more on how to use these, see the Rate Limit reference.|
|The port where Ambassador will listen for requests to the diagnostic service.|
|Should we enable the gRPC-http11 bridge?|
|Should we enable the grpc-Web protocol?|
|Should we enable http/1.0 protocol?|
|Should we do IPv4 DNS lookups when contacting services? Defaults to true, but can be overridden in a |
|Should we do IPv6 DNS lookups when contacting services? Defaults to false, but can be overridden in a |
|Defines the envoy log line format. See this page for a complete list of operators||See this page for the standard log format.|
|Defines the path of log envoy will use. By default this is standard output|
|Defines the type of log envoy will use, currently only support json or text|
|Run a custom lua script on every request. see below for more details.|
|This field controls the RE2 âprogram sizeâ which is a rough estimate of how complex a compiled regex is to evaluate. A regex that has a program size greater than the configured value will fail to compile|
|Set which regular expression engine to use. See the "Regular Expressions" section below.|
|By default Envoy sets server_name response header to |
|If present, service_port will be the port Ambassador listens on for microservice access. If not present, Ambassador will use 8443 if TLS is configured, 8080 otherwise.|
|Configures Ambassador statistics. These values can be set in the Ambassador module or in an environment variable. For more information, see the Statistics reference.|
|Controls whether Envoy will honor the PROXY protocol on incoming requests.|
|Controls whether Envoy will trust the remote address of incoming connections or rely exclusively on the X-Forwarded_For header.|
|Controls whether Ambassador will resolve upstream services assuming they are in the same namespace as the element referring to them, e.g. a Mapping in namespace |
|Ambassador lets through only the HTTP requests with |
|Controls the how Envoy sets the trusted client IP address of a request. If you have a proxy in front of Ambassador, Envoy will set the trusted client IP to the address of that proxy. To preserve the orginal client IP address, setting |
circuit_breakers sets the global circuit breaking configuration that Ambassador will use for all mappings, unless overridden in a mapping. More information at the circuit breaking reference.
cors sets default CORS configuration for all mappings in the cluster. See the CORS syntax.
cors:origins: http://foo.example,http://bar.examplemethods: POST, GET, OPTIONS......
diagnostics service (at /ambassador/v0/diag/) defaults on, but you can disable the API route. It will remain accessible on diag_port.
keepalive sets the global keepalive settings.
Ambassador will use for all mappings unless overridden in a
mapping. No default value is provided by Ambassador.
More information at https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/core/address.proto#envoy-api-msg-core-tcpkeepalive
keepalive:time: 2interval: 2probes: 100
liveness_probe defaults on, but you can disable the API route. It will remain accessible on diag_port.
load_balancer sets the global load balancing type and policy that Ambassador will use for all mappings unless overridden in a mapping. Defaults to round-robin with Kubernetes. More information at the load balancer reference.
readiness_probe defaults on, but you can disable the API route. It will remain accessible on diag_port.
retry_policy lets you add resilience to your services in case of request failures by performing automatic retries.
By default, Ambassador Edge Stack listens for HTTP or HTTPS traffic on ports 8080 or 8443 respectively. This value can be overridden by setting the
service_port in the Ambassador
---apiVersion: getambassador.io/v2kind: Modulemetadata:name: ambassadorspec:config:service_port: 4567
This will configure Ambassador Edge Stack to listen for traffic on port 4567 instead of 8080.
regex_type is unset (the default), or is set to any value other than
unsafe, Ambassador Edge Stack will use the RE2 regular expression engine. This engine is designed to support most regular expressions, but keep bounds on execution time. RE2 is the recommended regular expression engine.
regex_type is set to
unsafe, Ambassador Edge Stack will use the modified ECMAScript regular expression engine. This is not recommended since the modified ECMAScript engine can consume unbounded CPU in some cases (mostly relating to backreferences and lookahead); it is provided for backward compatibility if necessary.
Ambassador Edge Stack supports the ability to inline Lua scripts that get run on every request. This is useful for simple use cases that mutate requests or responses, e.g., add a custom header. Here is a sample:
---apiVersion: getambassador.io/v2kind: Modulemetadata:name: ambassadorspec:config:lua_scripts: |function envoy_on_response(response_handle)response_handle:headers():add("Lua-Scripts-Enabled", "Processed")end
For more details on the Lua API, see the Envoy Lua filter documentation.
Some caveats around the embedded scripts:
- They run in-process, so any bugs in your Lua script can break every request
- They're inlined in the Ambassador Edge Stack YAML, so you likely won't want to write complex logic in here
- They're run on every request/response to every URL
If you need more flexible and configurable options, Ambassador Edge Stack supports a pluggable Filter system.
When using Linkerd, requests going to an upstream service need to include the
l5d-dst-override header to ensure that Linkerd will route them correctly. Setting
add_linkerd_headers does this automatically; see the Mapping documentation for more details.
cluster_idle_timeout_ms specifies the timeout (in milliseconds) after which an idle connection upstream will closed. If no
cluster_idle_timeout_ms is specified, upstream connections will never be closed due to idling.
Ambassador supports bridging HTTP/1.1 clients to backend gRPC servers. When an HTTP/1.1 connection is opened and the request content type is
application/grpc, Ambassador will buffer the response and translate into gRPC requests. For more details on the translation process, see the Envoy gRPC HTTP/1.1 bridge documentation. This setting can be enabled by setting
enable_grpc_http11_bridge: true. Read more about gRPC and Ambassador.
The gRPC-Web specification requires a server-side proxy to translate between gRPC-Web requests and gRPC backend services. Ambassador can serve as the service-side proxy for gRPC-Web when
enable_grpc_web: true is set. Find more on the gRPC Web client GitHub.
Enable/disable the handling of incoming HTTP/1.0 and HTTP 0.9 requests.
If both IPv4 and IPv6 are enabled, Ambassador Edge Stack will prefer IPv6. This can have strange effects if Ambassador Edge Stack receives
AAAA records from a DNS lookup, but the underlying network of the pod doesn't actually support IPv6 traffic. For this reason, the default is IPv4 only.
Mapping can override both
enable_ipv6, but if either is not stated explicitly in a
Mapping, the values here are used. Most Ambassador Edge Stack installations will probably be able to avoid overriding these settings in
The default liveness and readiness probes map
ambassador/v0/check_ready internally to check Envoy itself. If you'd like to, you can change these to route requests to some other service. For example, to have the readiness probe map to the quote application's health check, you could do
readiness_probe:service: quoterewrite: /backend/health
The liveness and readiness probe both support
service, with the same meanings as for mappings. Additionally, the
enabled boolean may be set to
false (as in the commented-out examples above) to disable support for the probe entirely.
Note well that configuring the probes in the
ambassador Module only means that Ambassador Edge Stack will respond to the probes. You must still configure Kubernetes to perform the checks, as shown in the Datawire-provided YAML files.
In Ambassador 0.50 and later, the default value for
true. When set to
true, Ambassador Edge Stack will append to the
X-Forwarded-For header its IP address so upstream clients of Ambassador Edge Stack can get the full set of IP addresses that have propagated a request. You may also need to set
externalTrafficPolicy: Local on your
LoadBalancer as well to propagate the original source IP address. See the Envoy documentation and the Kubernetes documentation for more details.
Note well that if you need to use
X-Forwarded-Proto, you must set
Many load balancers can use the PROXY protocol to convey information about the connection they are proxying. In order to support this in Ambassador Edge Stack, you'll need to set
true; this is not the default since the PROXY protocol is not compatible with HTTP.
The value of
xff_num_trusted_hops indicates the number of trusted proxies in front of Ambassador Edge Stack. The default setting is 0 which tells Envoy to use the immediate downstream connection's IP address as the trusted client address. The trusted client address is used to populate the
remote_address field used for rate limiting and can affect which IP address Envoy will set as
xff_num_trusted_hops behavior is determined by the value of
use_remote_address (which defaults to
true in Ambassador Edge Stack).
xff_num_trusted_hopsis set to a value N that is greater than zero, the trusted client address is the (N+1)th address from the right end of XFF. (If the XFF contains fewer than N+1 addresses, Envoy falls back to using the immediate downstream connection’s source address as a trusted client address.)
xff_num_trusted_hopsis set to a value N that is greater than zero, the trusted client address is the Nth address from the right end of XFF. (If the XFF contains fewer than N addresses, Envoy falls back to using the immediate downstream connection’s source address as a trusted client address.)
Refer to Envoy's documentation for some detailed examples in this interaction.
NOTE: This value is not dynamically configurable in Envoy. A restart is required changing the value of
xff_num_trusted_hops for Envoy to respect the change.