Tetrate Service Bridge, Version: 1.10.x

Profile

Alpha feature

The configuration profiles feature is in an alpha state, and we will be making breaking changes to its API in release 1.12. Please contact Tetrate if you have any questions or concerns.

A Profile is a predefined configuration template that can be defined at the Organization, Tenant, and Workspace levels and then attached to Organizations, Tenants, Workspaces, and Groups. Profiles are intended for traffic-related settings and security policies that map to the resource itself, not for security policies (e.g. authorization policies) related to relationships between resources. They contain Default configurations, which can be overridden, and Mandates configurations, which can't be.

The following example creates a Profile named myprofile that enforces mutual TLS authenticated connections across the whole tetrate organization and sets the default circuit breaking sensitivity to MEDIUM. It also configures the TCP KeepAlive as 300 seconds for all inbound connections to all the proxies in the tetrate organization.

apiVersion: profile.tsb.tetrate.io/v2
kind: Profile
metadata:
  name: myprofile
  organization: tetrate
spec:
  displayName: "mTLS enforcement and default circuit breaking"
  mandates:
    authenticationSettings:
      trafficMode: "REQUIRED"
  defaults:
    trafficSettings:
      inbound:
        resilience:
          connectionPool:
            tcp:
              keepAlive:
                idleTime: 300s
      outbound:
        upstreamTrafficSettings:
        - hosts:
          - '*'
          settings:
            resilience:
              circuitBreakerSensitivity: MEDIUM

Profile

A Profile object can be created at the Organization, Tenant, and Workspace levels. Once created, a profile can be attached at its own level or further down the hierarchy, at the Organization, Tenant, Workspace, and Group levels. Once attached, all the configurations provided in the profile that are compatible with the attachment point will be applied; the others will be ignored.

| Field | Type | Description | Validation Rule |
|---|---|---|---|
| deletionProtectionEnabled | bool | When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first. | |
| defaults | tetrateio.api.tsb.profile.v2.ProfileConfig | Defaults section of the profile is meant for configurations which are allowed to be overwritten by subsequent profiles or by user defined configurations in the attached resources. | |
| mandates | tetrateio.api.tsb.profile.v2.ProfileConfig | Mandates section of the profile is meant for configurations which can't be relaxed. | |

ProfileConfig

ProfileConfig holds the configuration objects that can be used as defaults or mandates.

| Field | Type | Description | Validation Rule |
|---|---|---|---|
| trafficSettings | tetrateio.api.tsb.traffic.v2.TrafficSetting | Traffic settings for proxy workloads. Proxy workloads without a specific traffic group will inherit these settings. | |
| authenticationSettings | tetrateio.api.tsb.security.v2.AuthenticationSettings | Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration. | |
| wafSettings | tetrateio.api.tsb.security.v2.WAFSettings | WAF settings is used to set firewall rules. | |
| wasmExtensions | List of tetrateio.api.tsb.types.v2.WasmExtensionAttachment | Wasm Extensions specifies all the WasmExtensions assigned to this profile with the specific configuration for each extension. | |
| unsetFields | List of string | Unset fields specify fields that must not have any value. In Mandates, fields in this list must remain unset, even if subsequent evaluated Profile Mandates define them. In Defaults, fields in this list are removed if defined in previously evaluated Profile Defaults. Items in this list are dot-separated paths to the fields, relative to the root of ProfileConfig. Field names are in camelCase, as in JSON/YAML. Paths that navigate lists or maps unset the sub-path for all elements. For example: "trafficSettings.reachability.hosts", "trafficSettings.resilience.upstreamTrafficSettings.hosts" | repeated = { items: {string:{min_len:1}} } |
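The following Python sketch is an added illustration, not TSB's implementation and not code from the Tetrate documentation. It shows how the dot-separated unsetFields paths described above address fields when a path crosses a list, using the Defaults of the example profile on this page. The helper names and the later profile's path list are assumptions, emptied parent objects are left in place, and map-typed fields are not modelled.

```python
import copy

def unset_path(node, parts):
    """Remove the field addressed by `parts` from `node`, in place.

    Lists are crossed transparently: the rest of the path is applied to
    every element. Returns True if at least one field was removed.
    """
    if isinstance(node, list):
        # Build the full list first so every element is visited.
        return any([unset_path(item, parts) for item in node])
    if not isinstance(node, dict) or parts[0] not in node:
        return False
    if len(parts) == 1:
        del node[parts[0]]
        return True
    return unset_path(node[parts[0]], parts[1:])

def apply_unset_fields(config, unset_fields):
    """Return (copy of config with the paths removed, paths that matched nothing)."""
    result, unmatched = copy.deepcopy(config), []
    for path in unset_fields:
        if len(path) < 1:  # validation rule from the page: min_len 1
            raise ValueError("unsetFields entries must not be empty")
        if not unset_path(result, path.split(".")):
            unmatched.append(path)
    return result, unmatched

# Constructed input: the `defaults` section of the example profile above.
EARLIER_DEFAULTS = {
    "trafficSettings": {
        "inbound": {"resilience": {"connectionPool": {
            "tcp": {"keepAlive": {"idleTime": "300s"}}}}},
        "outbound": {"upstreamTrafficSettings": [
            {"hosts": ["*"],
             "settings": {"resilience": {"circuitBreakerSensitivity": "MEDIUM"}}},
        ]},
    }
}
# Constructed unsetFields list of a hypothetical later profile.
LATER_UNSET = [
    "trafficSettings.outbound.upstreamTrafficSettings.settings.resilience",
    "trafficSettings.reachability.hosts",  # not set above: nothing to remove
]

if __name__ == "__main__":
    effective, unmatched = apply_unset_fields(EARLIER_DEFAULTS, LATER_UNSET)
    print(effective)
    print("matched nothing:", unmatched)
```

Paths reported as matching nothing are worth reviewing before rollout, since a misspelled path would leave an inherited default in effect.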