ASMMeshConfig CRD Global Mesh Parameters Overview - Alibaba Cloud Service Mesh

ASMMeshConfig is a Custom Resource (CR) provided by Alibaba Cloud Service Mesh (ASM) to define mesh-wide settings. Similar in function to Istio's MeshConfig, it lets you centrally manage parameters like connection timeouts, protocol detection, path normalization, retry policies, sidecar injector behavior, and access log configuration.

Configuration example

The following example shows a configuration for connection settings, path normalization, the default HTTP retry policy, the sidecar injector, access logging, and global rate limiting.

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMMeshConfig
metadata:
  name: default
spec:
  connectTimeout: 30s
  tcpKeepalive:
    probes: 5
    time: 7200s
    interval: 72s
  pathNormalization:
    normalization: MERGE_SLASHES
  defaultHttpRetryPolicy:
    attempts: 3
    perTryTimeout: 1s
    retryOn: gateway-error,connect-failure,refused-stream
  enablePrometheusMerge: true
  sidecarInjectorWebhookConfiguration:
    rewriteAppHTTPProbe: true
    replicaCount: 2
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: '2'
        memory: 2Gi
  rateLimitService:
    enabled: true
    redis:
      authSecret: redis-secret
      url: redis.istio-system.svc:6379
    replicas: 1
  accessLogConfiguration:
    logEncoding: JSON
    logProject: test-project
    sidecarEnabled: true

Important

To use all fields of the ASMMeshConfig CRD, your Service Mesh instance version must be 1.24 or later. Specifically, the rateLimitService configuration requires instance version 1.25.6.84. In addition, the ASMMeshConfig CR is not namespaced and its name must be default. Any ASMMeshConfig CR with a different name will not take effect.

Fields

spec

Field path	Type	Description	Value
`tcpKeepalive`	TcpKeepalive	Configures TCP keepalive settings for outbound connections.	`N/A`
`connectTimeout`	Duration	Specifies the maximum wait time for the Envoy proxy to establish a TCP connection. A timeout triggers an `upstream connect timeout` error. The supported units are `ns`/`ms`/`s`/`m`/`h`.	`30s`
`protocolDetectionTimeout`	Duration	Timeout for automatic protocol detection, which identifies HTTP/HTTPS traffic. After the timeout, traffic is treated as raw TCP. Important Available only in ASM versions 1.19 and earlier.
`pathNormalization`	PathNormalization	Configures path normalization for HTTP requests.
`defaultHttpRetryPolicy`	DefaultHttpRetryPolicy	Defines the default HTTP retry policy for sidecars.
`enablePrometheusMerge`	Bool	Automatically merges the Pod's original `prometheus.io` annotations with the ASM monitoring configuration to prevent duplicate metric collection.	`true`
`sidecarInjectorWebhookConfiguration`	SidecarInjectorWebhookConfiguration	Configures the sidecar injector.
`accessLogConfiguration`	AccessLogConfiguration	Configures the format and collection of access logs.
`rateLimitService`	RatelimitService	Configures the global rate limiting service. Important Available only in ASM versions 1.25 and later.

TCP keepalive

Field path	Type	Description	Value	Scope
`probes`	Uint32	The maximum number of TCP keepalive probes to send. A value of `0` disables the keepalive mechanism.	`9`	Outbound TCP Persistent Connections.
`time`	Duration	Idle time before the first keepalive probe is sent.	`7200s`
`interval`	Duration	The keep-alive probe sending interval must be less than the `time` parameter.	`75s`

Path normalization

Field path

Type

Description

Value

Scope

normalization

Enum

Specifies the URI path processing policy:

NONE: Disables path normalization.
BASE: Merges slashes and retains path parameters (such as ;).
MERGE_SLASHES: Only merges consecutive slashes.

NONE

Mesh-wide HTTP routing.

Default HTTP retry policy

Field path	Type	Description	Value	Scope
`attempts`	Int32	Maximum number of attempts, including the initial request. This setting applies only if the `VirtualService` does not define a retry policy.	`2`	HTTP routing policy.
`perTryTimeout`	Duration	Timeout for each individual attempt. Must be shorter than the overall timeout defined in the `VirtualService`.	`0s` (no limit)
`retryOn`	String	The conditions that trigger a retry support standard error types such as `5xx`/`gateway-error`/`connect-failure`/`reset`. Multiple values are separated by commas.	`gateway-error`, `connect-failure`, `refused-stream`

Sidecar injector

Field path	Type	Description	Value	Scope
`rewriteAppHTTPProbe`	Bool	If true, redirects Pod HTTP readiness probes to the sidecar proxy port, ensuring that probes pass through the mesh.	`true`	Sidecar injection behavior.
`replicaCount`	Int	Number of sidecar injector controller replicas. Increase this value for High Availability in production clusters.	`2`	Sidecar injector component.
`resources`	Object	Resource requests and limits for the sidecar injector container: `requests`: Minimum resources needed to start the container. `limits`: Maximum resources the container can use.	`... resources: requests: cpu: 100m memory: 256Mi limits: cpu: '2' memory: 2Gi`	Sidecar injector component.

Access log

Field path	Type	Description	Value
`logEncoding`	String	The output format for logs. Valid values: `JSON`, `TEXT`.	`JSON`
`logProject`	String	The name of the Alibaba Cloud Log Service (SLS) project that receives the logs. Important Available only in ASM versions 1.25 and later.	`log-project-test`
`gatewayEnabled`	Boolean	Enables access log collection from gateways to Alibaba Cloud Log Service (SLS).	`true`
`sidecarEnabled`	Boolean	Enables access log collection from sidecars to Alibaba Cloud Log Service (SLS).	`true`
`ztunnelEnabled`	Boolean	Enables access log collection from Ztunnel to Alibaba Cloud Log Service (SLS). Important Available only in ASM versions 1.25 and later.	`true`
`gatewayLifecycle`	Integer	Retention period in days for gateway access logs. Defaults to 90.	`30`
`sidecarLifecycle`	Integer	Retention period in days for sidecar access logs. Defaults to 90.	`30`
`ztunnelLifecycle`	Integer	Retention period in days for Ztunnel access logs. Defaults to 90. Important Available only in ASM versions 1.25 and later.	`30`

Global rate limiting

Field path	Type	Description	Value	Scope
`enabled`	Bool	If true, enables the global rate limiting service.	`true`	Global rate limiting capability.
`replicas`	Int	The number of replicas for the rate limiting service.	`1`	Availability and performance of the rate limiting service.
`resources`	Object	Resource configuration for the rate limiting service.	`limits: cpu: 500m memory: 512Mi requests: cpu: 100m memory: 128Mi`	Availability and performance of the rate limiting service.
`redis`	Object	Configuration for the Redis instance that the rate limiting service uses. Note The global rate limiting service uses Redis to store policies and decisions.	`redis: authSecret: redis-secret url: redis.istio-system.svc:6379`	Rate limiting state backend.
`redis.type`	String	The Redis cluster type. The valid values are `single`, `cluster`, and `sentinel`. The default value is `single`.	`single`	Rate limiting state backend.
`redis.url`	String	The Redis connection address.	`redis.istio-system.svc.cluster.local:6379`	Rate limiting state backend.
`redis.auth`	String	The Redis authentication credentials, in the format: `password` or `user:password`. (For security, we recommend that you use an AuthSecret.)	xxxxxx	Credentials management.
`redis.authSecret`	String	Name of the Kubernetes Secret that stores Redis authentication information. Note This Secret must be deployed in the `istio-system` namespace and contain a `redis-auth` key with the Base64-encoded authentication information.	`apiVersion: v1 data: redis-auth: ${Base64-encoded-credentials} kind: Secret metadata: name: redis-secret namespace: istio-system type: Opaque`	Credentials management.
`redis.cacheKeyPrefix`	String	Prefix for all Redis cache keys. Defaults to empty.	N/A	Rate limiting state backend.

Note

We recommend that you use Alibaba Cloud Redis to ensure high availability. You can configure rateLimitService.redis.type based on your Redis instance type by referring to the following table.

Instance type	Architecture	Connection mode	`redis.type`
Single-node	--	--	`single`
High-availability	Cluster disabled	--	`single`
	Cluster enabled	Direct connection	`cluster`
	Cluster enabled	Proxy mode	`single`

ASM aggregates all configurations and automatically generates a rate-limiting service configuration named ratelimit-service-config in the istio-system namespace. When you enable the rate-limiting service, this configuration is automatically mounted. You do not need to manually update the rate-limiting service configuration.