# Admin HTTP endpoint of this linkerd instance (metrics, config dump, etc.).
admin:
  port: 9990
  # NOTE(review): bound to every interface, and nothing in this file adds
  # authentication to the admin endpoint — confirm it is reachable only from
  # trusted management hosts (firewall / management network).
  ip: 0.0.0.0
# One router per listener. By the labels used below, "-out" routers listen on
# the link-local address 169.254.1.1 for local services and forward to a
# remote linkerd; "-in" routers listen on the node address 10.154.11.209 for
# remote linkerds and hand off to the service on this host.
routers:
  # http 1.1: service -> [linkerd] -> linkerd -> service
  # should lookup consul service then rewrite outgoing port to linkerd
  - label: http1-out
    protocol: http
    servers:
      - port: 4140
        ip: 169.254.1.1
    client:
      # Outgoing hop is TLS: the peer certificate must chain to the private
      # CA in trustCerts and carry this commonName.
      tls:
        commonName: linkerd.service.dal-prd.consul
        trustCerts: [/etc/linkerd/ca.crt]
    # Presumably: the Host header's subdomain under "linkerd" names the
    # consul service, resolved through the consul_to_linker namer.
    dtab: |
      /consulSvc => /#/io.l5d.consul_to_linker/.local;
      /host => /$/io.buoyant.http.subdomainOfPfx/linkerd/consulSvc;
      /svc => /host;
    identifier:
      kind: io.l5d.header.token
    interpreter:
      kind: default
      # The remote linkerd's http1-in listener is on 4141.
      transformers:
        - kind: io.l5d.port
          port: 4141
  # http 1.1: service -> linkerd -> [linkerd] -> service
  # should lookup local service then filter down to local node
  - label: http1-in
    protocol: http
    servers:
      - port: 4141
        ip: 10.154.11.209
        # TLS is terminated here. There is no client tls block on this
        # router, so the hop to the local service is plaintext.
        tls:
          certPath: /etc/linkerd/server.crt
          # NOTE(review): keyPath is the same file as certPath; this only
          # works if server.crt is a combined cert+key bundle — confirm, and
          # if so keep that file readable by the linkerd user only.
          keyPath: /etc/linkerd/server.crt
          # NOTE(review): the TLS_RSA_* suites use static RSA key exchange
          # (no forward secrecy) and the *_CBC_SHA* suites are legacy; the
          # ECDHE/GCM entries alone would be the preferred set if every peer
          # supports them.
          ciphers:
            - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
            - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
            - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
            - TLS_RSA_WITH_AES_128_GCM_SHA256
            - TLS_RSA_WITH_AES_256_GCM_SHA384
    # auth.linkerd -> auth.service.consul
    dtab: |
      /consulSvc => /#/io.l5d.consul/.local;
      /host => /$/io.buoyant.http.subdomainOfPfx/linkerd/consulSvc;
      /svc => /host;
    identifier:
      kind: io.l5d.header.token
    interpreter:
      kind: default
      # Only instances on this node are kept as destinations.
      transformers:
        - kind: io.l5d.localhost
  # http 2: service -> [linkerd] -> linkerd -> service
  # should lookup consul service then rewrite outgoing port to linkerd
  - label: h2-out
    protocol: h2
    experimental: true
    servers:
      - port: 4142
        ip: 169.254.1.1
        initialStreamWindowBytes: 1048576
        maxFrameBytes: 4194304
    client:
      initialStreamWindowBytes: 1048576
      maxFrameBytes: 4194304
      hostConnectionPool:
        minSize: 8
      # NOTE(review): no per-host failure accrual on this client, so an
      # unhealthy remote linkerd is not taken out of rotation here.
      failureAccrual:
        kind: none
      tls:
        commonName: linkerd.service.dal-prd.consul
        trustCerts: [/etc/linkerd/ca.crt]
    # Routes on the first two path segments (presumably gRPC
    # /package.Service/Method).
    identifier:
      kind: io.l5d.header.path
      segments: 2
    # Delegation tables are fetched from the service named by dst
    # (presumably namerd's gRPC mesh API).
    interpreter:
      kind: io.l5d.mesh
      experimental: true
      # NOTE(review): no tls block on this interpreter, so the control-plane
      # connection to namerd-grpc appears to be plaintext — confirm that is
      # intended.
      dst: /#/io.l5d.consul/.local/namerd-grpc
      root: /h2
      # The remote linkerd's h2-in listener is on 4143.
      transformers:
        - kind: io.l5d.port
          port: 4143
  # http 2: service -> linkerd -> [linkerd] -> service
  # should lookup local service then filter down to local node
  - label: h2-in
    protocol: h2
    experimental: true
    client:
      initialStreamWindowBytes: 1048576
      maxFrameBytes: 4194304
      failureAccrual:
        kind: none
      hostConnectionPool:
        minSize: 8
    servers:
      - port: 4143
        ip: 10.154.11.209
        initialStreamWindowBytes: 1048576
        maxFrameBytes: 4194304
        # Same server-side TLS material and cipher list as http1-in; the
        # same keyPath == certPath and cipher-suite observations apply.
        tls:
          certPath: /etc/linkerd/server.crt
          keyPath: /etc/linkerd/server.crt
          ciphers:
            - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
            - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
            - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
            - TLS_RSA_WITH_AES_128_GCM_SHA256
            - TLS_RSA_WITH_AES_256_GCM_SHA384
    identifier:
      kind: io.l5d.header.path
      segments: 2
    interpreter:
      kind: io.l5d.mesh
      experimental: true
      # NOTE(review): as on h2-out, no tls block here — the connection to
      # namerd-grpc appears to be plaintext.
      dst: /#/io.l5d.consul/.local/namerd-grpc
      root: /h2
      transformers:
        - kind: io.l5d.localhost
  # a router that sends TLS encrypted https traffic to the bcapp based
  # on a datacenter specified in the X-BC-Datacenter header
  # while this listens for plain text connections, it wraps the traffic
  # in TLS before sending it to bcapp
  #
  # bcapp-https-out: service -> [linkerd] -> bcapp (by datacenter)
  - label: bcapp-https-out
    protocol: http
    servers:
      - port: 4145
        ip: 169.254.1.1
    client:
      # Upstream bcapp is verified against the private CA and must present
      # this commonName.
      tls:
        commonName: bcapp.service.consul
        trustCerts: [/etc/linkerd/ca.crt]
    # With the header identifier below, a request becomes
    # /svc/<X-BC-Datacenter value> and is delegated to /#/bcdc/<value>,
    # which the io.l5d.rewrite namer (under namers:) maps to bcapp.
    dtab: |
      /svc => /#/bcdc;
    # NOTE(review): the datacenter is chosen by a request header supplied by
    # the caller; whoever can reach 169.254.1.1:4145 selects the target
    # datacenter, so confirm that listener is reachable only by trusted
    # local services.
    identifier:
      kind: io.l5d.header.token
      header: X-BC-Datacenter
    interpreter:
      kind: default
      # bcapp is reached on its HTTPS port.
      transformers:
        - kind: io.l5d.port
          port: 443
# Name resolvers referenced from the router dtabs above (/#/<prefix>/...).
# All three consul namers talk to the local agent on localhost:8500; no
# agent TLS or ACL token is configured here, so this relies on the local
# agent endpoint being trusted.
namers:
  # Default consul namer, mounted at /#/io.l5d.consul.
  - kind: io.l5d.consul
    host: localhost
    port: 8500
    failFast: false  # disable circuit breaker because using localhost
    useHealthCheck: true  # evict failing services from LB
    setHost: true
  # Tag-aware consul namer used by the /bcdc rewrite below
  # (/#/io.l5d.tagged_consul/<dc>/<tag>/<service>).
  - kind: io.l5d.consul
    prefix: /io.l5d.tagged_consul
    host: localhost
    port: 8500
    failFast: false  # disable circuit breaker because using localhost
    useHealthCheck: true  # evict failing services from LB
    setHost: false
    includeTag: true
  # Consul namer used by the http1-out router; setHost is off, presumably so
  # the original Host header reaches the remote linkerd unchanged.
  - prefix: /io.l5d.consul_to_linker
    kind: io.l5d.consul
    host: localhost
    port: 8500
    failFast: false  # disable circuit breaker because using localhost
    useHealthCheck: true  # evict failing services from LB
    setHost: false
  # /#/bcdc/<dc> -> bcapp in datacenter <dc>, via the tagged consul namer.
  # NOTE(review): <dc> is taken from the caller-supplied X-BC-Datacenter
  # header on the bcapp-https-out router; any client of that listener can
  # pick the datacenter, so keep that listener limited to trusted callers.
  - kind: io.l5d.rewrite
    prefix: /bcdc
    pattern: "/{dc}"
    name: "/#/io.l5d.tagged_consul/.local/{dc}/bcapp"
# Anonymous usage reporting (presumably to the linkerd vendor) is disabled.
usage:
  enabled: false
# Exposes metrics in Prometheus format (presumably on the admin port above,
# so the same reachability note applies).
telemetry:
  - kind: io.l5d.prometheus