Inject proxy.config in service definition

Hey everybody,

I’m playing with Consul Connect and I don’t really understand what is the correct way to inject configuration in a proxy service definition.

I have a use case where I would need to setup OAuth2 Authentication in front of a Kube service. Envoy has an OAuth2 Filter, so I thought maybe I could use that. Does this make sense?

I understand that I would probably have to use one of the escape-hatch override presented here. It looks like these overrides can’t be configured through Service Defaults CRD, only through Proxy Defaults, but those are global. Am I right? This seems weird…

In this case, since I obviously don’t want OAuth2 everywhere, I think I need to modify the service definition directly. But if I want to use Connect-Inject, which looks great for when most of your services live in Kube, how can I modify the proxy.config key? It looks like there are Inject annotations from pretty much everything but that. So what would be the correct way to do it?

I’m very new to Connect, so please point out any misunderstanding or misconception I have!

Thanks a lot.

Hey @alsyia

Yes, that’s an interesting use case. You’re right that you can’t configure escape hatches through service defaults and we also don’t expose a way to add them via annotations in Kubernetes.

This is a feature that we’d need to add to consul-k8s. Would you mind creating a feature request for us?