ASMMeshConfig CRD reference - Alibaba Cloud Service Mesh

ASMMeshConfig is a custom resource provided by Alibaba Cloud Service Mesh (ASM) to globally configure the core parameters of a service mesh. Its functionality is similar to Istio's MeshConfig. You can use this CustomResourceDefinition (CRD) to centrally manage mesh-level settings, such as connection timeouts, protocol detection, path normalization, and retry policies. You can also use it to control the resource quotas and behavior of the sidecar injector.

Configuration example

The following example shows how to configure an ASM instance. The configuration includes connection settings, path normalization, HTTP retry policies, sidecar injector policies, and global rate limiting.

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMMeshConfig
metadata:
  name: default
spec:
  connectTimeout: 30s
  tcpKeepalive:
    probes: 5
    time: 7200s
    interval: 72s
  pathNormalization:
    normalization: MERGE_SLASHES
  defaultHttpRetryPolicy:
    attempts: 3
    perTryTimeout: 1s
    retryOn: gateway-error,connect-failure,refused-stream
  enablePrometheusMerge: true
  sidecarInjectorWebhookConfiguration:
    rewriteAppHTTPProbe: true
    replicaCount: 2
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: '2'
        memory: 2Gi
  rateLimitService:
    enabled: true
    redis:
      authSecret: redis-secret
      url: redis.istio-system.svc:6379
    replicas: 1

Important

To use all the fields of the ASMMeshConfig CRD, your Service Mesh instance must be version 1.24 or later. To configure rateLimitService, the instance version must be 1.25.6.84 or later. In addition, the ASMMeshConfig CR is not namespaced, and its name must be `default`. ASMMeshConfig CRs with other names will not take effect.

Field reference

Basic configurations

Field path	Data type	Description	Example	Scope
`.spec.connectTimeout`	Duration	The maximum time to wait for an Envoy proxy to establish a TCP connection. If the connection times out, an `upstream connect timeout` error is triggered. Supported units are `ns`, `ms`, `s`, `m`, and `h`.	`30s`	Mesh-level outbound TCP connections.
`.spec.protocolDetectionTimeout`	Duration	The timeout for automatic protocol detection, which is used to identify HTTP/HTTPS traffic. If the detection times out, traffic is processed based on the original protocol. Important This field is configurable only in ASM 1.19 and earlier versions.	`30s`	Mesh-level protocol sniffing.

TCP keepalive configurations

Field path	Data type	Description	Example	Scope
`.spec.tcpKeepalive.probes`	Uint32	The maximum number of TCP keepalive probes to send. Set this to `0` to disable the keepalive mechanism.	`9`	Outbound persistent TCP connections.
`.spec.tcpKeepalive.time`	Duration	The idle time for a TCP connection before keepalive probes are sent.	`7200s`
`.spec.tcpKeepalive.interval`	Duration	The interval between keepalive probes. This value must be smaller than the `time` parameter.	`75s`

Path normalization

Field path

Data type

Description

Example

Scope

.spec.pathNormalization.normalization

Enum

The URI path processing policy.

NONE: Disables normalization.
BASE: Merges slashes and preserves path parameters, such as ;.
MERGE_SLASHES: Merges only consecutive slashes.

NONE

Mesh-level HTTP routing.

HTTP retry policy

Field path	Data type	Description	Example	Scope
`.spec.defaultHttpRetryPolicy.attempts`	Int32	The maximum number of retries for an HTTP request. This includes the initial request. This setting takes effect only if a retry policy is not explicitly configured in the VirtualService.	`2`	HTTP routing policy.
`.spec.defaultHttpRetryPolicy.perTryTimeout`	Duration	The timeout for a single retry. This value must be shorter than the total timeout defined in the VirtualService.	`0s` (unlimited)
`.spec.defaultHttpRetryPolicy.retryOn`	String	The conditions that trigger a retry. Standard error types are supported, such as `5xx`, `gateway-error`, `connect-failure`, and `reset`. Separate multiple values with commas.	`gateway-error`, `connect-failure`, `refused-stream`

Monitoring integration

Field path	Data type	Description	Example	Scope
`.spec.enablePrometheusMerge`	Bool	Automatically merges the original `prometheus.io` annotations of the pod with the ASM monitoring configuration to avoid duplicate metric collection.	`true`	Prometheus monitoring configuration.

Sidecar injector configuration

Field path	Data type	Description	Example	Scope
`.spec.sidecarInjectorWebhookConfiguration.rewriteAppHTTPProbe`	Bool	Automatically redirects the HTTP readiness probe of the pod to the sidecar proxy port.	`true`	Sidecar injection behavior.
`.spec.sidecarInjectorWebhookConfiguration.replicaCount`	Int	The number of replicas for the sidecar injection controller. A larger number of replicas improves high availability.	`2`	Sidecar injector component.
`.spec.sidecarInjectorWebhookConfiguration.resources`	Object	The resource quota configuration. `requests`: The minimum resources required for the container to start. `limits`: The maximum resources that the container can use.	`... resources: requests: cpu: 100m memory: 256Mi limits: cpu: '2' memory: 2Gi`	Sidecar injector component.

Global rate limiting configuration

Field path	Data type	Description	Example	Scope
`.spec.rateLimitService.enabled`	Bool	Specifies whether to enable the rate limiting service.	`true`	Enables the global rate limiting feature.
`.spec.rateLimitService.replicas`	Int	The number of replicas for the rate limiting service.	`1`	Availability and performance of the rate limiting service.
`.spec.rateLimitService.resources`	Object	The resource configuration for the rate limiting service.	`limits: cpu: 500m memory: 512Mi requests: cpu: 100m memory: 128Mi`	Availability and performance of the rate limiting service.
`.spec.rateLimitService.redis`	Object	The Redis configuration for the rate limiting service. Note The global rate limiting service uses Redis to record rate limiting policies and decisions.	`redis: authSecret: redis-secret url: redis.istio-system.svc:6379`	Rate limiting state storage backend.
`.spec.rateLimitService.redis.type`	String	The type of the Redis cluster. Valid values: `single`, `cluster`, and `sentinel`. Default value: `single`.	`single`	Rate limiting state storage backend.
`.spec.rateLimitService.redis.url`	String	The Redis address.	`redis.istio-system.svc.cluster.local:6379`	Rate limiting state storage backend.
`.spec.rateLimitService.redis.auth`	String	The Redis authentication information. The format is `password` or `user:password`. For security, use `authSecret`.	xxxxxx	Credential security management.
`.spec.rateLimitService.redis.authSecret`	String	The name of the secret that stores the Redis authentication information. Note This secret must be deployed in the `istio-system` namespace. The authentication information must be Base64-encoded and stored in the `redis-auth` key of the secret.	`apiVersion: v1 data: redis-auth: ${Base64-encoded authentication information} kind: Secret metadata: name: redis-secret namespace: istio-system type: Opaque`	Credential security management.
`.spec.rateLimitService.redis.cacheKeyPrefix`	String	The prefix for Redis cache keys. The default value is empty.	N/A	Rate limiting state storage backend.

Note

Use Alibaba Cloud ApsaraDB for Redis to ensure high availability. Configure rateLimitService.redis.type for the rate limiting service based on the Redis instance type by referring to the following table.

Instance type	Architecture	Connection mode	Cluster type configuration
Single-node	/	/	`single`
High-availability	Cluster disabled	/	`single`
	Cluster enabled	Direct connection mode	`cluster`
	Cluster enabled	Proxy mode	`single`

ASM aggregates all configurations and automatically generates a rate limiting service configuration named ratelimit-service-config in the `istio-system` namespace. After you enable the rate limiting service, this configuration is automatically mounted. You do not need to manually update it.