profile.tsb.tetrate.io/v2
Resource Types:
Profile
| Name | Type | Description | Required | 
|---|---|---|---|
| apiVersion | string | profile.tsb.tetrate.io/v2 | true | 
| kind | string | Profile | true | 
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true | 
| spec | object | A Profile object can be created at Organization, Tenant, and Workspace levels. | false | 
| status | object | | false | 
Profile.spec
A Profile object can be created at Organization, Tenant, and Workspace levels.
| Name | Type | Description | Required | 
|---|---|---|---|
| defaults | object | Defaults section of the profile is meant for configurations which are allowed to be overwritten by subsequent profiles or by user defined configurations in the attached resources. | false | 
| deletionProtectionEnabled | boolean | When set, prevents the resource from being deleted. | false | 
| description | string | A description of the resource. | false | 
| displayName | string | User friendly name for the resource. | false | 
| etag | string | The etag for the resource. | false | 
| fqn | string | Fully-qualified name of the resource. | false | 
| mandates | object | Mandates section of the profile is meant for configurations which can't be relaxed. | false | 
Profile.spec.defaults
Defaults section of the profile is meant for configurations which are allowed to be overwritten by subsequent profiles or by user defined configurations in the attached resources.
| Name | Type | Description | Required | 
|---|---|---|---|
| authenticationSettings | object | Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration. | false | 
| trafficSettings | object | Traffic settings for proxy workloads. | false | 
| unsetFields | []string | Unset fields specify fields that must not have any value. | false | 
| wafSettings | object | WAF settings is used to set firewall rules. | false | 
| wasmExtensions | []object | Wasm Extensions specifies all the WasmExtensions assigned to this profile with the specific configuration for each extension. | false | 
Profile.spec.defaults.authenticationSettings
Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.
| Name | Type | Description | Required | 
|---|---|---|---|
| http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false | 
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false | 
Profile.spec.defaults.authenticationSettings.http
HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).
| Name | Type | Description | Required | 
|---|---|---|---|
| jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false | 
| oidc | object | | false | 
| rules | object | List of rules how to authenticate an HTTP request. | false | 
Profile.spec.defaults.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
| Name | Type | Description | Required | 
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true | 
| audiences | []string | The list of JWT audiences. | false | 
| fromCookies | []string | List of cookie names from which JWT is expected. | false | 
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false | 
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false | 
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false | 
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false | 
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false | 
Profile.spec.defaults.authenticationSettings.http.jwt.fromHeaders[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | The HTTP header name. | true | 
| prefix | string | The prefix that should be stripped before decoding the token. | false | 
Profile.spec.defaults.authenticationSettings.http.jwt.outputClaimToHeaders[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true | 
| header | string | The name of the header to be created. | true | 
Profile.spec.defaults.authenticationSettings.http.oidc
| Name | Type | Description | Required | 
|---|---|---|---|
| clientId | string | The client_id to be used in the authorize calls. | true | 
| clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true | 
| provider | object | The OIDC Provider configuration. | true | 
| redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true | 
| authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false | 
| authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false | 
| grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false | 
| redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false | 
| signoutPath | string | The path to sign a user out, clearing their credential cookies. | false | 
| useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false | 
Profile.spec.defaults.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
| Name | Type | Description | Required | 
|---|---|---|---|
| issuer | string | The OIDC Provider's issuer identifier. | true | 
| authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false | 
| jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false | 
| jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false | 
| tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false | 
| tokenEndpoint | string | The OIDC Provider's token endpoint. | false | 
Profile.spec.defaults.authenticationSettings.http.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
| Name | Type | Description | Required | 
|---|---|---|---|
| files | object | TLS key source from files. | false | 
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false | 
| secretName | string | TLS key source from a Kubernetes Secret. | false | 
| subjectAltNames | []string | | false | 
Profile.spec.defaults.authenticationSettings.http.oidc.provider.tls.files
TLS key source from files.
| Name | Type | Description | Required | 
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false | 
| clientCertificate | string | Certificate file to authenticate the client. | false | 
| privateKey | string | Private key file associated with the client certificate. | false | 
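The OIDC settings above, as an added example that is not part of the original reference page or of the TSB project's own documentation. All names (the client id, the Kubernetes Secret name, the provider URLs, the CA file path) are placeholders chosen for illustration; the `tsb.tetrate.io/*` annotations and the `spec.defaults` placement are assumptions about how the object is attached. It shows the redirect URI built from request parameters exactly as the field description allows, and pins the connection to the provider with `tls.mode: SIMPLE` plus a CA bundle and expected SAN, which is what keeps the client secret and the issued tokens off a plaintext or unverified channel.

```yaml
# Added example; identifiers below are placeholders, not values from the TSB docs.
apiVersion: profile.tsb.tetrate.io/v2
kind: Profile
metadata:
  name: portal-oidc
  namespace: portal                       # assumed: Kubernetes namespace of the object
  annotations:                            # assumed: TSB parent-resource annotations
    tsb.tetrate.io/organization: acme
    tsb.tetrate.io/tenant: web
    tsb.tetrate.io/workspace: portal-ws
spec:
  displayName: Browser login via corporate IdP
  defaults:
    authenticationSettings:
      http:
        oidc:
          clientId: portal-web                     # placeholder client_id registered at the IdP
          clientTokenSecret: portal-web-oidc       # placeholder Kubernetes Secret holding the client secret
          grantType: AUTHORIZATION_CODE
          authType: BASIC_AUTH                     # client credentials sent as HTTP Basic, not in the body
          authScopes: [openid, profile, email]
          useRefreshToken: true
          # Built from the incoming request, as the field description permits.
          # The value that results must match a redirect URI registered at the IdP exactly.
          redirectUri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
          redirectPathMatcher: /callback           # requests to this path are treated as IdP redirects
          signoutPath: /signout                    # clears the credential cookies
          provider:
            issuer: https://login.example.com/
            authorizationEndpoint: https://login.example.com/oauth2/authorize
            tokenEndpoint: https://login.example.com/oauth2/token
            jwksUri: https://login.example.com/.well-known/jwks.json
            tls:
              mode: SIMPLE                         # verify the IdP's server certificate
              subjectAltNames:
                - login.example.com                # reject a valid cert issued for a different host
              files:
                caCertificates: /etc/ssl/certs/corp-root-ca.pem   # placeholder path to the trusted CA bundle
```

Two things worth checking before shipping such a profile: `tls.mode: DISABLED` would send the client secret and receive tokens in the clear, so keep SIMPLE (or MUTUAL, adding `clientCertificate`/`privateKey`, if the IdP requires client certificates); and because `redirectUri` is assembled from `x-forwarded-proto` and `:authority`, the proxy must be the only party that can set those values on the request, otherwise a crafted Host header can push users through an unexpected redirect target. The IdP's own exact-match check on the registered redirect URI is the second line of defence there.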
Profile.spec.defaults.authenticationSettings.http.rules
List of rules how to authenticate an HTTP request.
| Name | Type | Description | Required | 
|---|---|---|---|
| jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false | 
Profile.spec.defaults.authenticationSettings.http.rules.jwt[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true | 
| audiences | []string | The list of JWT audiences. | false | 
| fromCookies | []string | List of cookie names from which JWT is expected. | false | 
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false | 
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false | 
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false | 
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false | 
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false | 
Profile.spec.defaults.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | The HTTP header name. | true | 
| prefix | string | The prefix that should be stripped before decoding the token. | false | 
Profile.spec.defaults.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true | 
| header | string | The name of the header to be created. | true | 
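A full Profile showing how `mandates` and `defaults` divide the authentication settings described above, as an added example that is not taken from the TSB reference or its documentation. The organization/tenant/workspace annotations, the issuers, JWKS URLs, audience and header names are placeholders; it is also an assumption that the `mandates` section accepts the same `authenticationSettings` shape as `defaults`, since this page only documents the `defaults` tree. Workload-to-workload mTLS goes under `mandates` so that no lower-level profile or attached resource can relax it, while the JWT rules sit under `defaults` so an individual workspace can still add or swap an issuer.

```yaml
# Added example; all names and URLs are placeholders, not values from the TSB docs.
apiVersion: profile.tsb.tetrate.io/v2
kind: Profile
metadata:
  name: baseline-auth
  namespace: payments                      # assumed: Kubernetes namespace of the object
  annotations:                             # assumed: TSB parent-resource annotations
    tsb.tetrate.io/organization: acme
    tsb.tetrate.io/tenant: payments
    tsb.tetrate.io/workspace: payments-ws
spec:
  displayName: Baseline authentication profile
  description: mTLS is mandatory; end-user JWT validation can be tuned per workspace.
  deletionProtectionEnabled: true
  # Mandates cannot be relaxed further down (assumption: same shape as defaults).
  mandates:
    authenticationSettings:
      trafficMode: REQUIRED                # mTLS for every workload-to-workload connection
  # Defaults may be overridden by more specific profiles or attached resources.
  defaults:
    authenticationSettings:
      http:
        rules:
          jwt:
            - issuer: https://login.example.com/
              audiences:
                - payments-api             # reject tokens minted for some other service
              jwksUri: https://login.example.com/.well-known/jwks.json
              fromHeaders:
                - name: Authorization
                  prefix: "Bearer "        # stripped before the token is decoded
              outputClaimToHeaders:
                - claim: sub
                  header: x-jwt-subject    # set by the proxy only after a successful verification
            - issuer: https://partner-idp.example.net/
              audiences:
                - payments-api
              jwksUri: https://partner-idp.example.net/keys
              fromCookies:
                - partner_session          # partner tokens arrive in a cookie instead of a header
```

`audiences` is optional in the schema, but leaving it empty means any token the issuer signed is accepted here, including tokens issued for an unrelated application behind the same IdP; listing the audience closes that. Prefer `jwksUri` over an inline `jwks` blob unless you have a process for re-applying the profile on every key rotation. The header written by `outputClaimToHeaders` (and `outputPayloadToHeader`) is trustworthy only because the sidecar populates it after verification, so applications should read it only from traffic that has passed through the mesh and never accept the same header from a client directly.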
Profile.spec.defaults.trafficSettings
Traffic settings for proxy workloads.
| Name | Type | Description | Required | 
|---|---|---|---|
| configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false | 
| description | string | A description of the resource. | false | 
| displayName | string | User friendly name for the resource. | false | 
| egress | object | Specifies the details of the egress proxy to which the proxy workload forwards unknown traffic. | false | 
| etag | string | The etag for the resource. | false | 
| fqn | string | Fully-qualified name of the resource. | false | 
| inbound | object | Configures inbound traffic. | false | 
| outbound | object | Configures outbound traffic. | false | 
| rateLimiting | object | Configuration for rate limiting requests. | false | 
| reachability | object | The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. | false | 
| resilience | object | Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads. | false | 
| upstreamTrafficSettings | []object | List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts. | false | 
Profile.spec.defaults.trafficSettings.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
| Name | Type | Description | Required | 
|---|---|---|---|
| annotations | map[string]string | Set of key value pairs that will be added into the  | false | 
| labels | map[string]string | Set of key value pairs that will be added into the  | false | 
Profile.spec.defaults.trafficSettings.egress
Specifies the details of the egress proxy to which the proxy workload forwards unknown traffic.
| Name | Type | Description | Required | 
|---|---|---|---|
| host | string | Specifies the egress gateway hostname. | true | 
| port | integer | Deprecated. Format: int32 | false | 
Profile.spec.defaults.trafficSettings.inbound
Configures inbound traffic.
| Name | Type | Description | Required | 
|---|---|---|---|
| failoverSettings | object | Failover settings apply to all clients accessing the hostname defined in this section. | false | 
| rateLimiting | object | Configuration for rate limiting requests. | false | 
| resilience | object | Resiliency configuration for inbound connections. | false | 
Profile.spec.defaults.trafficSettings.inbound.failoverSettings
Failover settings apply to all clients accessing the hostname defined in this section.
| Name | Type | Description | Required | 
|---|---|---|---|
| failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false | 
| regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false | 
| topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false | 
Profile.spec.defaults.trafficSettings.inbound.failoverSettings.regionalFailover[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| from | string | Originating region. | false | 
| to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting
Configuration for rate limiting requests.
| Name | Type | Description | Required | 
|---|---|---|---|
| externalService | object | Configure ratelimiting using an external ratelimit server. | false | 
| settings | object | | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
| Name | Type | Description | Required | 
|---|---|---|---|
| domain | string | The rate limit domain to use when calling the rate limit service. | true | 
| rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true | 
| rules | []object | A set of rate limit rules. | true | 
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false | 
| timeout | string | The timeout in seconds for the external rate limit server RPC. | false | 
| tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| destinationCluster | object | Rate limit on destination envoy cluster. | false | 
| headerValueMatch | object | Rate limit on the existence of certain request headers. | false | 
| remoteAddress | object | Rate limit on remote address of client. | false | 
| requestHeaders | object | Rate limit on the value of certain request headers. | false | 
| sourceCluster | object | Rate limit on source envoy cluster. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| descriptorValue | string | The value to use in the descriptor entry. | true | 
| headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true | 
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
| Name | Type | Description | Required | 
|---|---|---|---|
| exact | string | Exact string match. | false | 
| prefix | string | Prefix-based match. | false | 
| regex | string | ECMAScript style regex-based match. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| descriptorKey | string | The key to use in the descriptor entry. | true | 
| headerName | string | The header name to be queried from the request headers. | true | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
| Name | Type | Description | Required | 
|---|---|---|---|
| files | object | TLS key source from files. | false | 
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false | 
| secretName | string | TLS key source from a Kubernetes Secret. | false | 
| subjectAltNames | []string | | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.tls.files
TLS key source from files.
| Name | Type | Description | Required | 
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false | 
| clientCertificate | string | Certificate file to authenticate the client. | false | 
| privateKey | string | Private key file associated with the client certificate. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings
| Name | Type | Description | Required | 
|---|---|---|---|
| rules | []object | A list of rules for ratelimiting. | true | 
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false | 
| timeout | string | The timeout in seconds for the rate limit server RPC. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| dimensions | []object | A list of dimensions to define each ratelimit rule. | true | 
| limit | object | The ratelimit value that will be configured for the above rules. | true | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| header | object | Rate limit on certain HTTP headers. | false | 
| remoteAddress | object | Rate limit on the remote address of client. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | Name of the header to match on. | true | 
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false | 
| value | object | Value of the header to match on if matching on a specific value. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
| Name | Type | Description | Required | 
|---|---|---|---|
| exact | string | Exact string match. | false | 
| prefix | string | Prefix-based match. | false | 
| regex | string | ECMAScript style regex-based match. | false | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
| Name | Type | Description | Required | 
|---|---|---|---|
| value | string | Ratelimit on a specific remote address. | true | 
Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
| Name | Type | Description | Required | 
|---|---|---|---|
| requestsPerUnit | integer | Specifies the value of the rate limit. | true | 
| unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true | 
Profile.spec.defaults.trafficSettings.inbound.resilience
Resiliency configuration for inbound connections.
| Name | Type | Description | Required | 
|---|---|---|---|
| connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false | 
| meshTimeout | object | Configures the max connection and stream durations for HTTP and TCP connections. | false | 
Profile.spec.defaults.trafficSettings.inbound.resilience.connectionPool
Configures tolerance and other settings for TCP/HTTP connections to the service.
| Name | Type | Description | Required | 
|---|---|---|---|
| tcp | object | | false | 
Profile.spec.defaults.trafficSettings.inbound.resilience.connectionPool.tcp
| Name | Type | Description | Required | 
|---|---|---|---|
| keepAlive | object | Keep Alive Settings. | false | 
Profile.spec.defaults.trafficSettings.inbound.resilience.connectionPool.tcp.keepAlive
Keep Alive Settings.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.defaults.trafficSettings.inbound.resilience.meshTimeout
Configures the max connection and stream durations for HTTP and TCP connections.
| Name | Type | Description | Required | 
|---|---|---|---|
| maxConnectionDuration | string | This specifies the duration of time after which a downstream and upstream connection will be drained and/or closed, starting from when it was first established. | false | 
| maxDownstreamConnectionDuration | string | The maximum duration of a TCP connection. | false | 
| maxStreamDuration | string | The max stream duration is the maximum time that a stream’s lifetime will span. | false | 
| proxyType | enum | Specifies the type of proxy to which to apply the mesh timeout settings. Enum: ANY, SIDECAR, GATEWAY | false | 
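The inbound settings from `failoverSettings` through `meshTimeout`, combined in one `trafficSettings.inbound` block, as an added example that is not from the TSB reference or its documentation. Region names, header names, the sample IP address, and the duration strings are placeholders; the `tsb.tetrate.io/*` annotations and the `"1s"`-style duration format for the string-typed timeout fields are assumptions, and so is the reading of `remoteAddress.value` as a single address literal, since this page says only "a specific remote address".

```yaml
# Added example; names, addresses and values are placeholders, not values from the TSB docs.
apiVersion: profile.tsb.tetrate.io/v2
kind: Profile
metadata:
  name: inbound-hardening
  namespace: payments                      # assumed: Kubernetes namespace of the object
  annotations:                             # assumed: TSB parent-resource annotations
    tsb.tetrate.io/organization: acme
    tsb.tetrate.io/tenant: payments
    tsb.tetrate.io/workspace: payments-ws
spec:
  displayName: Inbound limits and failover
  defaults:
    trafficSettings:
      inbound:
        failoverSettings:
          topologyChoice: LOCALITY         # prefer endpoints in the caller's own locality
          regionalFailover:
            - from: us-east                # placeholder region names
              to: us-west                  # where traffic goes once us-east endpoints are unhealthy
        rateLimiting:
          settings:
            failClosed: true               # if the limiter is unavailable, reject rather than let everything through
            timeout: "1s"                  # assumed duration format for the string-typed field
            rules:
              # Rule 1: every distinct x-api-key value gets its own 100 req/min bucket.
              - dimensions:
                  - header:
                      name: x-api-key      # presence only; no value block, so each key value is its own bucket
                limit:
                  requestsPerUnit: 100
                  unit: MINUTE
              # Rule 2: unauthenticated callers (no Authorization header) share a tight bucket.
              - dimensions:
                  - header:
                      name: authorization
                      dontMatch: true      # condition is met when the header is absent
                limit:
                  requestsPerUnit: 20
                  unit: MINUTE
              # Rule 3: a single noisy address (constructed, documentation range) is capped hard.
              - dimensions:
                  - remoteAddress:
                      value: 203.0.113.10  # assumed: a single address literal
                limit:
                  requestsPerUnit: 5
                  unit: SECOND
        resilience:
          connectionPool:
            tcp:
              keepAlive:
                idleTime: 300              # seconds of idle before probes start
                interval: 60               # seconds between probes
                probes: 3                  # unanswered probes before the connection is declared dead
          meshTimeout:
            proxyType: SIDECAR
            maxStreamDuration: "30s"       # no single request may outlive this
            maxConnectionDuration: "1h"    # drain long-lived connections so config and cert rotation take effect
            maxDownstreamConnectionDuration: "2h"
```

Two caveats a reviewer should raise on rules like these. Header-keyed limits are only as strong as the header: if a client can freely change `x-api-key`, the per-key bucket is trivially sidestepped, so pair the limit with authentication that validates the key before the bucket is charged. And `remoteAddress` sees whatever address the proxy sees; behind a load balancer that is the balancer's address, so the limit either collapses every client into one bucket or never matches, depending on the value configured. The `failClosed: true` choice is deliberate: the default (fail open) means an outage of the limiter silently removes the limit.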
Profile.spec.defaults.trafficSettings.outbound
Configures outbound traffic.
| Name | Type | Description | Required | 
|---|---|---|---|
| egress | object | Specifies the details of the egress proxy to which the proxy workloads forward traffic to services that are not part of the mesh. | false | 
| reachability | object | The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. | false | 
| upstreamTrafficSettings | []object | List of hosts and the associated traffic settings to be used by the clients sending traffic to them. | false | 
Profile.spec.defaults.trafficSettings.outbound.egress
Specifies the details of the egress proxy to which the proxy workloads forward traffic to services that are not part of the mesh.
| Name | Type | Description | Required | 
|---|---|---|---|
| host | string | Specifies the egress gateway hostname. | true | 
Profile.spec.defaults.trafficSettings.outbound.reachability
The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.
| Name | Type | Description | Required | 
|---|---|---|---|
| hosts | []string | When the mode is  | false | 
| mode | enum | A short cut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| hosts | []string | List of hosts for which the settings will be created. | false | 
| settings | object | A single setting to be applied to all the clients connecting to the upstream hosts. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings
A single setting to be applied to all the clients connecting to the upstream hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| authentication | object | Configuration for connection authentication parameters. | false | 
| loadBalancer | object | Load balancing settings for the clients. | false | 
| resilience | object | Resilience settings for the clients. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.authentication
Configuration for connection authentication parameters.
| Name | Type | Description | Required | 
|---|---|---|---|
| trafficMode | enum | If set to  Enum: UNSET, OPTIONAL, REQUIRED | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer
Load balancing settings for the clients.
| Name | Type | Description | Required | 
|---|---|---|---|
| consistentHash | object | Use consistent hash load balancing which can provide soft session affinity. | false | 
| simple | enum | Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash
Use consistent hash load balancing which can provide soft session affinity.
| Name | Type | Description | Required | 
|---|---|---|---|
| httpCookie | object | Hash based on HTTP cookie. | false | 
| httpHeaderName | string | Hash based on a specific HTTP header. | false | 
| httpQueryParameterName | string | Hash based on a specific HTTP query parameter. | false | 
| maglev | object | The Maglev load balancer implements consistent hashing to backend hosts. | false | 
| ringHash | object | The ring/modulo hash load balancer implements consistent hashing to backend hosts. | false | 
| useSourceIp | boolean | Hash based on the source IP address. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie
Hash based on HTTP cookie.
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | Name of the cookie. | true | 
| ttl | string | Lifetime of the cookie. | true | 
| path | string | Path to set for the cookie. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev
The Maglev load balancer implements consistent hashing to backend hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| tableSize | integer | The table size for Maglev hashing. | true | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash
The ring/modulo hash load balancer implements consistent hashing to backend hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| minimumRingSize | integer | The minimum number of virtual nodes to use for the hash ring. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience
Resilience settings for the clients.
| Name | Type | Description | Required | 
|---|---|---|---|
| circuitBreakerSensitivity | enum | Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH, CUSTOM | false | 
| connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false | 
| outlierDetection | object | Outlier detection settings for the upstream host when custom mode is used. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool
Configures tolerance and other settings for TCP/HTTP connections to the service.
| Name | Type | Description | Required | 
|---|---|---|---|
| http | object | | false | 
| tcp | object | | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http
| Name | Type | Description | Required | 
|---|---|---|---|
| maxRequests | integer | Maximum number of active requests to the service. | false | 
| maxRequestsPerConnection | integer | Maximum number of requests per connection to the service. | false | 
| requestTimeout | string | Timeout for HTTP requests. | false | 
| retries | object | Retry policy for HTTP requests. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries
Retry policy for HTTP requests.
| Name | Type | Description | Required | 
|---|---|---|---|
| attempts | integer | Number of retries for a given request. Format: int32 | true | 
| perTryTimeout | string | Timeout per retry attempt for a given request. | false | 
| retryBackOff | object | Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure. | false | 
| retryOn | string | Specifies the conditions under which retry takes place. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries.retryBackOff
Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseInterval | string | The base interval between retry attempts. | true | 
| maxInterval | string | The maximum interval between retry attempts. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp
| Name | Type | Description | Required | 
|---|---|---|---|
| connectTimeout | string | TCP connection timeout. | false | 
| keepAlive | object | Keep Alive Settings. | false | 
| maxConnections | integer | Maximum number of HTTP/1 or TCP connections to the service. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive
Keep Alive Settings.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.outlierDetection
Outlier detection settings for the upstream host when custom mode is used.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseEjectionTime | string | The base time that a host is ejected for. | false | 
| consecutive5xx | integer | The number of consecutive server-side error responses (for HTTP traffic, 5xx responses; for TCP traffic, connection failures; for Redis, failure to respond PONG; etc.) before a consecutive 5xx ejection occurs. | false | 
| consecutiveGatewayFailure | integer | The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive gateway failure ejection occurs. | false | 
| consecutiveLocalOriginFailure | integer | | false | 
| enforcingConsecutive5xx | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive 5xx. | false | 
| enforcingConsecutiveGatewayFailure | integer | The percentage of a host to be ejected when an outlier status is detected through consecutive gateway failures. | false | 
| enforcingConsecutiveLocalOriginFailure | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive locally originated failures. | false | 
| interval | string | The time interval between ejection analysis sweeps. | false | 
| splitExternalLocalOriginErrors | boolean | Determines whether to distinguish local origin failures from external errors. | false | 
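The outbound tree from `egress` through `outlierDetection`, assembled into one `trafficSettings.outbound` block, as an added example that is not from the TSB reference or its documentation. The egress gateway hostname, the upstream service name, the cookie name and all numeric values are placeholders; the `namespace/host` form used in `reachability.hosts`, the Envoy-style comma-separated `retryOn` string, the `"50ms"` duration format and the `tsb.tetrate.io/*` annotations are assumptions about syntax this page does not spell out.

```yaml
# Added example; hostnames and values are placeholders, not values from the TSB docs.
apiVersion: profile.tsb.tetrate.io/v2
kind: Profile
metadata:
  name: outbound-policy
  namespace: payments                      # assumed: Kubernetes namespace of the object
  annotations:                             # assumed: TSB parent-resource annotations
    tsb.tetrate.io/organization: acme
    tsb.tetrate.io/tenant: payments
    tsb.tetrate.io/workspace: payments-ws
spec:
  displayName: Outbound reachability and resilience
  defaults:
    trafficSettings:
      outbound:
        egress:
          host: egress-gateway.istio-system.svc.cluster.local   # placeholder; traffic to non-mesh services goes here
        reachability:
          mode: CUSTOM                     # sidecars only learn the hosts listed below, shrinking their config and blast radius
          hosts:                           # assumed syntax: namespace/host
            - payments/*
            - istio-system/egress-gateway.istio-system.svc.cluster.local
        upstreamTrafficSettings:
          - hosts:
              - ledger.payments.svc.cluster.local   # placeholder upstream
            settings:
              authentication:
                trafficMode: REQUIRED      # clients must present mTLS to this upstream
              loadBalancer:
                consistentHash:
                  httpCookie:
                    name: ledger-affinity  # placeholder cookie used for soft session affinity
                    ttl: "600s"
                    path: /
              resilience:
                circuitBreakerSensitivity: CUSTOM   # CUSTOM makes the outlierDetection block below take effect
                connectionPool:
                  tcp:
                    connectTimeout: "2s"
                    maxConnections: 200
                    keepAlive:
                      idleTime: 300
                      interval: 60
                      probes: 3
                  http:
                    maxRequests: 500
                    maxRequestsPerConnection: 100
                    requestTimeout: "5s"
                    retries:
                      attempts: 2
                      perTryTimeout: "2s"
                      retryOn: "connect-failure,refused-stream,503"   # assumed Envoy retry_on syntax
                      retryBackOff:
                        baseInterval: "50ms"
                        maxInterval: "500ms"
                outlierDetection:
                  interval: "10s"          # how often ejection analysis runs
                  baseEjectionTime: "30s"
                  consecutive5xx: 5
                  enforcingConsecutive5xx: 100
                  consecutiveGatewayFailure: 3
                  enforcingConsecutiveGatewayFailure: 100
                  splitExternalLocalOriginErrors: true   # count connect/reset failures separately from upstream 5xx
                  consecutiveLocalOriginFailure: 3
                  enforcingConsecutiveLocalOriginFailure: 100
```

Retries are the setting to review most carefully here: `retryOn` is scoped to connection-level failures and 503 so that a request the upstream may already have executed (a POST that timed out after being received) is not replayed; widening it to `5xx` turns every slow write into a potential duplicate. `circuitBreakerSensitivity: CUSTOM` is required for the explicit `outlierDetection` values to apply, as the field description for that block notes; with LOW/MEDIUM/HIGH the platform's presets are used instead and the explicit values are ignored.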
Profile.spec.defaults.trafficSettings.rateLimiting
Configuration for rate limiting requests.
| Name | Type | Description | Required | 
|---|---|---|---|
| externalService | object | Configure ratelimiting using an external ratelimit server. | false | 
| settings | object | | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
| Name | Type | Description | Required | 
|---|---|---|---|
| domain | string | The rate limit domain to use when calling the rate limit service. | true | 
| rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true | 
| rules | []object | A set of rate limit rules. | true | 
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false | 
| timeout | string | The timeout in seconds for the external rate limit server RPC. | false | 
| tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true | 
Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| destinationCluster | object | Rate limit on destination envoy cluster. | false | 
| headerValueMatch | object | Rate limit on the existence of certain request headers. | false | 
| remoteAddress | object | Rate limit on remote address of client. | false | 
| requestHeaders | object | Rate limit on the value of certain request headers. | false | 
| sourceCluster | object | Rate limit on source envoy cluster. | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| descriptorValue | string | The value to use in the descriptor entry. | true | 
| headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true | 
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
| Name | Type | Description | Required | 
|---|---|---|---|
| exact | string | Exact string match. | false | 
| prefix | string | Prefix-based match. | false | 
| regex | string | ECMAScript style regex-based match. | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| descriptorKey | string | The key to use in the descriptor entry. | true | 
| headerName | string | The header name to be queried from the request headers. | true | 
Profile.spec.defaults.trafficSettings.rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
| Name | Type | Description | Required | 
|---|---|---|---|
| files | object | TLS key source from files. | false | 
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false | 
| secretName | string | TLS key source from a Kubernetes Secret. | false | 
| subjectAltNames | []string |  | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.externalService.tls.files
TLS key source from files.
| Name | Type | Description | Required | 
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false | 
| clientCertificate | string | Certificate file to authenticate the client. | false | 
| privateKey | string | Private key file associated with the client certificate. | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.settings
| Name | Type | Description | Required | 
|---|---|---|---|
| rules | []object | A list of rules for ratelimiting. | true | 
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false | 
| timeout | string | The timeout in seconds for the rate limit server RPC. | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| dimensions | []object | A list of dimensions to define each ratelimit rule. | true | 
| limit | object | The ratelimit value that will be configured for the above rules. | true | 
Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].dimensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| header | object | Rate limit on certain HTTP headers. | false | 
| remoteAddress | object | Rate limit on the remote address of client. | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | Name of the header to match on. | true | 
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false | 
| value | object | Value of the header to match on if matching on a specific value. | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
| Name | Type | Description | Required | 
|---|---|---|---|
| exact | string | Exact string match. | false | 
| prefix | string | Prefix-based match. | false | 
| regex | string | ECMAScript style regex-based match. | false | 
Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
| Name | Type | Description | Required | 
|---|---|---|---|
| value | string | Ratelimit on a specific remote address. | true | 
Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
| Name | Type | Description | Required | 
|---|---|---|---|
| requestsPerUnit | integer | Specifies the value of the rate limit. | true | 
| unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true | 
Profile.spec.defaults.trafficSettings.reachability
The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.
| Name | Type | Description | Required | 
|---|---|---|---|
| hosts | []string | When the mode is  | false | 
| mode | enum | A short cut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false | 
Profile.spec.defaults.trafficSettings.resilience
Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.
| Name | Type | Description | Required | 
|---|---|---|---|
| circuitBreakerSensitivity | enum | This field is DEPRECATED in favor of  Enum: UNSET, LOW, MEDIUM, HIGH | false | 
| httpRequestTimeout | string | This field is DEPRECATED in favor of  | false | 
| httpRetries | object | This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries. | false | 
| keepAlive | object | Keep Alive Settings. | false | 
Profile.spec.defaults.trafficSettings.resilience.httpRetries
This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.
| Name | Type | Description | Required | 
|---|---|---|---|
| attempts | integer | Number of retries for a given request. Format: int32 | true | 
| perTryTimeout | string | Timeout per retry attempt for a given request. | false | 
| retryBackOff | object | Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure. | false | 
| retryOn | string | Specifies the conditions under which retry takes place. | false | 
Profile.spec.defaults.trafficSettings.resilience.httpRetries.retryBackOff
Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseInterval | string | The base interval between retry attempts. | true | 
| maxInterval | string | The maximum interval between retry attempts. | false | 
Profile.spec.defaults.trafficSettings.resilience.keepAlive
Keep Alive Settings.
| Name | Type | Description | Required | 
|---|---|---|---|
| tcp | object | TCP Keep Alive settings associated with the upstream and downstream TCP connections. | false | 
Profile.spec.defaults.trafficSettings.resilience.keepAlive.tcp
TCP Keep Alive settings associated with the upstream and downstream TCP connections.
| Name | Type | Description | Required | 
|---|---|---|---|
| downstream | object | TCP Keep Alive Settings associated with the downstream (client) connection. | false | 
| upstream | object | This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive. | false | 
Profile.spec.defaults.trafficSettings.resilience.keepAlive.tcp.downstream
TCP Keep Alive Settings associated with the downstream (client) connection.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.defaults.trafficSettings.resilience.keepAlive.tcp.upstream
This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| hosts | []string | List of hosts for which the settings will be created. | false | 
| settings | object | A single setting to be applied to all the clients connecting to the upstream hosts. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings
A single setting to be applied to all the clients connecting to the upstream hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| authentication | object | Configuration for connection authentication parameters. | false | 
| loadBalancer | object | Load balancing settings for the clients. | false | 
| resilience | object | Resilience settings for the clients. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.authentication
Configuration for connection authentication parameters.
| Name | Type | Description | Required | 
|---|---|---|---|
| trafficMode | enum | If set to  Enum: UNSET, OPTIONAL, REQUIRED | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer
Load balancing settings for the clients.
| Name | Type | Description | Required | 
|---|---|---|---|
| consistentHash | object | Use consistent hash load balancing which can provide soft session affinity. | false | 
| simple | enum | Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash
Use consistent hash load balancing which can provide soft session affinity.
| Name | Type | Description | Required | 
|---|---|---|---|
| httpCookie | object | Hash based on HTTP cookie. | false | 
| httpHeaderName | string | Hash based on a specific HTTP header. | false | 
| httpQueryParameterName | string | Hash based on a specific HTTP query parameter. | false | 
| maglev | object | The Maglev load balancer implements consistent hashing to backend hosts. | false | 
| ringHash | object | The ring/modulo hash load balancer implements consistent hashing to backend hosts. | false | 
| useSourceIp | boolean | Hash based on the source IP address. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie
Hash based on HTTP cookie.
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | Name of the cookie. | true | 
| ttl | string | Lifetime of the cookie. | true | 
| path | string | Path to set for the cookie. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev
The Maglev load balancer implements consistent hashing to backend hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| tableSize | integer | The table size for Maglev hashing. | true | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash
The ring/modulo hash load balancer implements consistent hashing to backend hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| minimumRingSize | integer | The minimum number of virtual nodes to use for the hash ring. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience
Resilience settings for the clients.
| Name | Type | Description | Required | 
|---|---|---|---|
| circuitBreakerSensitivity | enum | Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH, CUSTOM | false | 
| connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false | 
| outlierDetection | object | Outlier detection settings for the upstream host when custom mode is used. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool
Configures tolerance and other settings for TCP/HTTP connections to the service.
| Name | Type | Description | Required | 
|---|---|---|---|
| http | object |  | false | 
| tcp | object |  | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http
| Name | Type | Description | Required | 
|---|---|---|---|
| maxRequests | integer | Maximum number of active requests to the service. | false | 
| maxRequestsPerConnection | integer | Maximum number of requests per connection to the service. | false | 
| requestTimeout | string | Timeout for HTTP requests. | false | 
| retries | object | Retry policy for HTTP requests. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries
Retry policy for HTTP requests.
| Name | Type | Description | Required | 
|---|---|---|---|
| attempts | integer | Number of retries for a given request. Format: int32 | true | 
| perTryTimeout | string | Timeout per retry attempt for a given request. | false | 
| retryBackOff | object | Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure. | false | 
| retryOn | string | Specifies the conditions under which retry takes place. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries.retryBackOff
Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseInterval | string | The base interval between retry attempts. | true | 
| maxInterval | string | The maximum interval between retry attempts. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp
| Name | Type | Description | Required | 
|---|---|---|---|
| connectTimeout | string | TCP connection timeout. | false | 
| keepAlive | object | Keep Alive Settings. | false | 
| maxConnections | integer | Maximum number of HTTP1/TCP connections to the service. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive
Keep Alive Settings.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.outlierDetection
Outlier detection settings for the upstream host when custom mode is used.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseEjectionTime | string | The base time that a host is ejected for. | false | 
| consecutive5xx | integer | The number of consecutive server-side error responses (for HTTP traffic, 5xx responses; for TCP traffic, connection failures; for Redis, failure to respond PONG; etc.) before a consecutive 5xx ejection occurs. | false | 
| consecutiveGatewayFailure | integer | The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive gateway failure ejection occurs. | false | 
| consecutiveLocalOriginFailure | integer |  | false | 
| enforcingConsecutive5xx | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive 5xx. | false | 
| enforcingConsecutiveGatewayFailure | integer | The percentage of a host to be ejected when an outlier status is detected through consecutive gateway failures. | false | 
| enforcingConsecutiveLocalOriginFailure | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive locally originated failures. | false | 
| interval | string | The time interval between ejection analysis sweeps. | false | 
| splitExternalLocalOriginErrors | boolean | Determines whether to distinguish local origin failures from external errors. | false | 
Profile.spec.defaults.wafSettings
WAF settings is used to set firewall rules.
| Name | Type | Description | Required | 
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | true | 
Profile.spec.defaults.wasmExtensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| fqn | string | Fqn of the extension to be executed. | true | 
| config | object | Configuration parameters sent to the WASM plugin execution. | false | 
| match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false | 
Profile.spec.defaults.wasmExtensions[index].match[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false | 
| ports | []object | Criteria for selecting traffic by their destination port. | false | 
Profile.spec.defaults.wasmExtensions[index].match[index].ports[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| number | integer |  | true | 
Profile.spec.mandates
Mandates section of the profile is meant for configurations which can't be relaxed.
| Name | Type | Description | Required | 
|---|---|---|---|
| authenticationSettings | object | Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration. | false | 
| trafficSettings | object | Traffic settings for proxy workloads. | false | 
| unsetFields | []string | Unset fields specify fields that must not have any value. | false | 
| wafSettings | object | WAF settings is used to set firewall rules. | false | 
| wasmExtensions | []object | Wasm Extensions specifies all the WasmExtensions assigned to this profile with the specific configuration for each extension. | false | 
Profile.spec.mandates.authenticationSettings
Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.
| Name | Type | Description | Required | 
|---|---|---|---|
| http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false | 
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false | 
Profile.spec.mandates.authenticationSettings.http
HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).
| Name | Type | Description | Required | 
|---|---|---|---|
| jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false | 
| oidc | object |  | false | 
| rules | object | List of rules how to authenticate an HTTP request. | false | 
Profile.spec.mandates.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
| Name | Type | Description | Required | 
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true | 
| audiences | []string | The list of JWT audiences. | false | 
| fromCookies | []string | List of cookie names from which JWT is expected. | false | 
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false | 
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false | 
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false | 
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false | 
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false | 
Profile.spec.mandates.authenticationSettings.http.jwt.fromHeaders[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | The HTTP header name. | true | 
| prefix | string | The prefix that should be stripped before decoding the token. | false | 
Profile.spec.mandates.authenticationSettings.http.jwt.outputClaimToHeaders[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true | 
| header | string | The name of the header to be created. | true | 
Profile.spec.mandates.authenticationSettings.http.oidc
| Name | Type | Description | Required | 
|---|---|---|---|
| clientId | string | The client_id to be used in the authorize calls. | true | 
| clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true | 
| provider | object | The OIDC Provider configuration. | true | 
| redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true | 
| authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false | 
| authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false | 
| grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false | 
| redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false | 
| signoutPath | string | The path to sign a user out, clearing their credential cookies. | false | 
| useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false | 
Profile.spec.mandates.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
| Name | Type | Description | Required | 
|---|---|---|---|
| issuer | string | The OIDC Provider's issuer identifier. | true | 
| authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false | 
| jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false | 
| jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false | 
| tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false | 
| tokenEndpoint | string | The OIDC Provider's token endpoint. | false | 
Profile.spec.mandates.authenticationSettings.http.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
| Name | Type | Description | Required | 
|---|---|---|---|
| files | object | TLS key source from files. | false | 
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false | 
| secretName | string | TLS key source from a Kubernetes Secret. | false | 
| subjectAltNames | []string |  | false | 
Profile.spec.mandates.authenticationSettings.http.oidc.provider.tls.files
TLS key source from files.
| Name | Type | Description | Required | 
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false | 
| clientCertificate | string | Certificate file to authenticate the client. | false | 
| privateKey | string | Private key file associated with the client certificate. | false | 
Profile.spec.mandates.authenticationSettings.http.rules
List of rules how to authenticate an HTTP request.
| Name | Type | Description | Required | 
|---|---|---|---|
| jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false | 
Profile.spec.mandates.authenticationSettings.http.rules.jwt[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true | 
| audiences | []string | The list of JWT audiences. | false | 
| fromCookies | []string | List of cookie names from which JWT is expected. | false | 
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false | 
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false | 
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false | 
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false | 
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false | 
Profile.spec.mandates.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | The HTTP header name. | true | 
| prefix | string | The prefix that should be stripped before decoding the token. | false | 
Profile.spec.mandates.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true | 
| header | string | The name of the header to be created. | true | 
Profile.spec.mandates.trafficSettings
Traffic settings for proxy workloads.
| Name | Type | Description | Required | 
|---|---|---|---|
| configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false | 
| description | string | A description of the resource. | false | 
| displayName | string | User friendly name for the resource. | false | 
| egress | object | Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload. | false | 
| etag | string | The etag for the resource. | false | 
| fqn | string | Fully-qualified name of the resource. | false | 
| inbound | object | Configures inbound traffic. | false | 
| outbound | object | Configures outbound traffic. | false | 
| rateLimiting | object | Configuration for rate limiting requests. | false | 
| reachability | object | The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. | false | 
| resilience | object | Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads. | false | 
| upstreamTrafficSettings | []object | List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts. | false | 
Profile.spec.mandates.trafficSettings.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
| Name | Type | Description | Required | 
|---|---|---|---|
| annotations | map[string]string | Set of key-value pairs that will be added into the  | false | 
| labels | map[string]string | Set of key-value pairs that will be added into the  | false | 
Profile.spec.mandates.trafficSettings.egress
Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.
| Name | Type | Description | Required | 
|---|---|---|---|
| host | string | Specifies the egress gateway hostname. | true | 
| port | integer | Deprecated. Format: int32 | false | 
Profile.spec.mandates.trafficSettings.inbound
Configures inbound traffic.
| Name | Type | Description | Required | 
|---|---|---|---|
| failoverSettings | object | Failover settings apply to all clients accessing the hostname defined in this section. | false | 
| rateLimiting | object | Configuration for rate limiting requests. | false | 
| resilience | object | Resiliency configuration for inbound connections. | false | 
Profile.spec.mandates.trafficSettings.inbound.failoverSettings
Failover settings apply to all clients accessing the hostname defined in this section.
| Name | Type | Description | Required | 
|---|---|---|---|
| failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false | 
| regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false | 
| topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false | 
Profile.spec.mandates.trafficSettings.inbound.failoverSettings.regionalFailover[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| from | string | Originating region. | false | 
| to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting
Configuration for rate limiting requests.
| Name | Type | Description | Required | 
|---|---|---|---|
| externalService | object | Configure ratelimiting using an external ratelimit server. | false | 
| settings | object |  | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
| Name | Type | Description | Required | 
|---|---|---|---|
| domain | string | The rate limit domain to use when calling the rate limit service. | true | 
| rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true | 
| rules | []object | A set of rate limit rules. | true | 
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false | 
| timeout | string | The timeout in seconds for the external rate limit server RPC. | false | 
| tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| destinationCluster | object | Rate limit on destination envoy cluster. | false | 
| headerValueMatch | object | Rate limit on the existence of certain request headers. | false | 
| remoteAddress | object | Rate limit on remote address of client. | false | 
| requestHeaders | object | Rate limit on the value of certain request headers. | false | 
| sourceCluster | object | Rate limit on source envoy cluster. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| descriptorValue | string | The value to use in the descriptor entry. | true | 
| headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true | 
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
| Name | Type | Description | Required | 
|---|---|---|---|
| exact | string | Exact string match. | false | 
| prefix | string | Prefix-based match. | false | 
| regex | string | ECMAScript style regex-based match. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| descriptorKey | string | The key to use in the descriptor entry. | true | 
| headerName | string | The header name to be queried from the request headers. | true | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
| Name | Type | Description | Required | 
|---|---|---|---|
| files | object | TLS key source from files. | false | 
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false | 
| secretName | string | TLS key source from a Kubernetes Secret. | false | 
| subjectAltNames | []string | | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.tls.files
TLS key source from files.
| Name | Type | Description | Required | 
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false | 
| clientCertificate | string | Certificate file to authenticate the client. | false | 
| privateKey | string | Private key file associated with the client certificate. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings
| Name | Type | Description | Required | 
|---|---|---|---|
| rules | []object | A list of rules for ratelimiting. | true | 
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false | 
| timeout | string | The timeout in seconds for the rate limit server RPC. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| dimensions | []object | A list of dimensions to define each ratelimit rule. | true | 
| limit | object | The ratelimit value that will be configured for the above rules. | true | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| header | object | Rate limit on certain HTTP headers. | false | 
| remoteAddress | object | Rate limit on the remote address of client. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | Name of the header to match on. | true | 
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false | 
| value | object | Value of the header to match on if matching on a specific value. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
| Name | Type | Description | Required | 
|---|---|---|---|
| exact | string | Exact string match. | false | 
| prefix | string | Prefix-based match. | false | 
| regex | string | ECMAScript style regex-based match. | false | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
| Name | Type | Description | Required | 
|---|---|---|---|
| value | string | Ratelimit on a specific remote address. | true | 
Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
| Name | Type | Description | Required | 
|---|---|---|---|
| requestsPerUnit | integer | Specifies the value of the rate limit. | true | 
| unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true | 
Profile.spec.mandates.trafficSettings.inbound.resilience
Resiliency configuration for inbound connections.
| Name | Type | Description | Required | 
|---|---|---|---|
| connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false | 
| meshTimeout | object | Configures the max connection and stream durations for HTTP and TCP connections. | false | 
Profile.spec.mandates.trafficSettings.inbound.resilience.connectionPool
Configures tolerance and other settings for TCP/HTTP connections to the service.
| Name | Type | Description | Required | 
|---|---|---|---|
| tcp | object | | false | 
Profile.spec.mandates.trafficSettings.inbound.resilience.connectionPool.tcp
| Name | Type | Description | Required | 
|---|---|---|---|
| keepAlive | object | Keep Alive Settings. | false | 
Profile.spec.mandates.trafficSettings.inbound.resilience.connectionPool.tcp.keepAlive
Keep Alive Settings.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.mandates.trafficSettings.inbound.resilience.meshTimeout
Configures the max connection and stream durations for HTTP and TCP connections.
| Name | Type | Description | Required | 
|---|---|---|---|
| maxConnectionDuration | string | This specifies the duration of time after which a downstream and upstream connection will be drained and/or closed, starting from when it was first established. | false | 
| maxDownstreamConnectionDuration | string | The maximum duration of a TCP connection. | false | 
| maxStreamDuration | string | The max stream duration is the maximum time that a stream’s lifetime will span. | false | 
| proxyType | enum | Specifies the type of proxy to which to apply the mesh timeout settings. Enum: ANY, SIDECAR, GATEWAY | false | 
Profile.spec.mandates.trafficSettings.outbound
Configures outbound traffic.
| Name | Type | Description | Required | 
|---|---|---|---|
| egress | object | Specifies the details of the egress proxy to which traffic to services that are not part of the mesh should be forwarded from the proxy workloads. | false | 
| reachability | object | The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. | false | 
| upstreamTrafficSettings | []object | List of hosts and the associated traffic settings to be used by the clients sending traffic to them. | false | 
Profile.spec.mandates.trafficSettings.outbound.egress
Specifies the details of the egress proxy to which traffic to services that are not part of the mesh should be forwarded from the proxy workloads.
| Name | Type | Description | Required | 
|---|---|---|---|
| host | string | Specifies the egress gateway hostname. | true | 
Profile.spec.mandates.trafficSettings.outbound.reachability
The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.
| Name | Type | Description | Required | 
|---|---|---|---|
| hosts | []string | When the mode is  | false | 
| mode | enum | A shortcut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| hosts | []string | List of hosts for which the settings will be created. | false | 
| settings | object | A single setting to be applied to all the clients connecting to the upstream hosts. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings
A single setting to be applied to all the clients connecting to the upstream hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| authentication | object | Configuration for connection authentication parameters. | false | 
| loadBalancer | object | Load balancing settings for the clients. | false | 
| resilience | object | Resilience settings for the clients. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.authentication
Configuration for connection authentication parameters.
| Name | Type | Description | Required | 
|---|---|---|---|
| trafficMode | enum | If set to  Enum: UNSET, OPTIONAL, REQUIRED | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer
Load balancing settings for the clients.
| Name | Type | Description | Required | 
|---|---|---|---|
| consistentHash | object | Use consistent hash load balancing which can provide soft session affinity. | false | 
| simple | enum | Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash
Use consistent hash load balancing which can provide soft session affinity.
| Name | Type | Description | Required | 
|---|---|---|---|
| httpCookie | object | Hash based on HTTP cookie. | false | 
| httpHeaderName | string | Hash based on a specific HTTP header. | false | 
| httpQueryParameterName | string | Hash based on a specific HTTP query parameter. | false | 
| maglev | object | The Maglev load balancer implements consistent hashing to backend hosts. | false | 
| ringHash | object | The ring/modulo hash load balancer implements consistent hashing to backend hosts. | false | 
| useSourceIp | boolean | Hash based on the source IP address. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie
Hash based on HTTP cookie.
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | Name of the cookie. | true | 
| ttl | string | Lifetime of the cookie. | true | 
| path | string | Path to set for the cookie. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev
The Maglev load balancer implements consistent hashing to backend hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| tableSize | integer | The table size for Maglev hashing. | true | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash
The ring/modulo hash load balancer implements consistent hashing to backend hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| minimumRingSize | integer | The minimum number of virtual nodes to use for the hash ring. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience
Resilience settings for the clients.
| Name | Type | Description | Required | 
|---|---|---|---|
| circuitBreakerSensitivity | enum | Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH, CUSTOM | false | 
| connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false | 
| outlierDetection | object | Outlier detection settings for the upstream host when custom mode is used. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool
Configures tolerance and other settings for TCP/HTTP connections to the service.
| Name | Type | Description | Required | 
|---|---|---|---|
| http | object | | false | 
| tcp | object | | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http
| Name | Type | Description | Required | 
|---|---|---|---|
| maxRequests | integer | Maximum number of active requests to the service. | false | 
| maxRequestsPerConnection | integer | Maximum number of requests per connection to the service. | false | 
| requestTimeout | string | Timeout for HTTP requests. | false | 
| retries | object | Retry policy for HTTP requests. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries
Retry policy for HTTP requests.
| Name | Type | Description | Required | 
|---|---|---|---|
| attempts | integer | Number of retries for a given request. Format: int32 | true | 
| perTryTimeout | string | Timeout per retry attempt for a given request. | false | 
| retryBackOff | object | Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure. | false | 
| retryOn | string | Specifies the conditions under which retry takes place. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries.retryBackOff
Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseInterval | string | The base interval between retry attempts. | true | 
| maxInterval | string | The maximum interval between retry attempts. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp
| Name | Type | Description | Required | 
|---|---|---|---|
| connectTimeout | string | TCP connection timeout. | false | 
| keepAlive | object | Keep Alive Settings. | false | 
| maxConnections | integer | Maximum number of HTTP1/TCP connections to the service. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive
Keep Alive Settings.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.outlierDetection
Outlier detection settings for the upstream host when custom mode is used.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseEjectionTime | string | The base time that a host is ejected for. | false | 
| consecutive5xx | integer | The number of consecutive server-side error responses (for HTTP traffic, 5xx responses; for TCP traffic, connection failures; for Redis, failure to respond PONG; etc.) before a consecutive 5xx ejection occurs. | false | 
| consecutiveGatewayFailure | integer | The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive gateway failure ejection occurs. | false | 
| consecutiveLocalOriginFailure | integer | | false | 
| enforcingConsecutive5xx | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive 5xx. | false | 
| enforcingConsecutiveGatewayFailure | integer | The percentage of a host to be ejected when an outlier status is detected through consecutive gateway failures. | false | 
| enforcingConsecutiveLocalOriginFailure | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive locally originated failures. | false | 
| interval | string | The time interval between ejection analysis sweeps. | false | 
| splitExternalLocalOriginErrors | boolean | Determines whether to distinguish local origin failures from external errors. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting
Configuration for rate limiting requests.
| Name | Type | Description | Required | 
|---|---|---|---|
| externalService | object | Configure ratelimiting using an external ratelimit server. | false | 
| settings | object | | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
| Name | Type | Description | Required | 
|---|---|---|---|
| domain | string | The rate limit domain to use when calling the rate limit service. | true | 
| rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true | 
| rules | []object | A set of rate limit rules. | true | 
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false | 
| timeout | string | The timeout in seconds for the external rate limit server RPC. | false | 
| tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true | 
Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| destinationCluster | object | Rate limit on destination envoy cluster. | false | 
| headerValueMatch | object | Rate limit on the existence of certain request headers. | false | 
| remoteAddress | object | Rate limit on remote address of client. | false | 
| requestHeaders | object | Rate limit on the value of certain request headers. | false | 
| sourceCluster | object | Rate limit on source envoy cluster. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| descriptorValue | string | The value to use in the descriptor entry. | true | 
| headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true | 
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
| Name | Type | Description | Required | 
|---|---|---|---|
| exact | string | Exact string match. | false | 
| prefix | string | Prefix-based match. | false | 
| regex | string | ECMAScript style regex-based match. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| descriptorKey | string | The key to use in the descriptor entry. | true | 
| headerName | string | The header name to be queried from the request headers. | true | 
Profile.spec.mandates.trafficSettings.rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
| Name | Type | Description | Required | 
|---|---|---|---|
| files | object | TLS key source from files. | false | 
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false | 
| secretName | string | TLS key source from a Kubernetes Secret. | false | 
| subjectAltNames | []string | | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.externalService.tls.files
TLS key source from files.
| Name | Type | Description | Required | 
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false | 
| clientCertificate | string | Certificate file to authenticate the client. | false | 
| privateKey | string | Private key file associated with the client certificate. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.settings
| Name | Type | Description | Required | 
|---|---|---|---|
| rules | []object | A list of rules for ratelimiting. | true | 
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false | 
| timeout | string | The timeout in seconds for the rate limit server RPC. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| dimensions | []object | A list of dimensions to define each ratelimit rule. | true | 
| limit | object | The ratelimit value that will be configured for the above rules. | true | 
Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].dimensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| header | object | Rate limit on certain HTTP headers. | false | 
| remoteAddress | object | Rate limit on the remote address of client. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | Name of the header to match on. | true | 
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false | 
| value | object | Value of the header to match on if matching on a specific value. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
| Name | Type | Description | Required | 
|---|---|---|---|
| exact | string | Exact string match. | false | 
| prefix | string | Prefix-based match. | false | 
| regex | string | ECMAScript style regex-based match. | false | 
Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
| Name | Type | Description | Required | 
|---|---|---|---|
| value | string | Ratelimit on a specific remote address. | true | 
Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
| Name | Type | Description | Required | 
|---|---|---|---|
| requestsPerUnit | integer | Specifies the value of the rate limit. | true | 
| unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true | 
Profile.spec.mandates.trafficSettings.reachability
The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.
| Name | Type | Description | Required | 
|---|---|---|---|
| hosts | []string | When the mode is  | false | 
| mode | enum | A shortcut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false | 
Profile.spec.mandates.trafficSettings.resilience
Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.
| Name | Type | Description | Required | 
|---|---|---|---|
| circuitBreakerSensitivity | enum | This field is DEPRECATED in favor of  Enum: UNSET, LOW, MEDIUM, HIGH | false | 
| httpRequestTimeout | string | This field is DEPRECATED in favor of  | false | 
| httpRetries | object | This field is DEPRECATED in favor of  | false | 
| keepAlive | object | Keep Alive Settings. | false | 
Profile.spec.mandates.trafficSettings.resilience.httpRetries
This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.
| Name | Type | Description | Required | 
|---|---|---|---|
| attempts | integer | Number of retries for a given request. Format: int32 | true | 
| perTryTimeout | string | Timeout per retry attempt for a given request. | false | 
| retryBackOff | object | Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure. | false | 
| retryOn | string | Specifies the conditions under which retry takes place. | false | 
Profile.spec.mandates.trafficSettings.resilience.httpRetries.retryBackOff
Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseInterval | string | The base interval between retry attempts. | true | 
| maxInterval | string | The maximum interval between retry attempts. | false | 
Profile.spec.mandates.trafficSettings.resilience.keepAlive
Keep Alive Settings.
| Name | Type | Description | Required | 
|---|---|---|---|
| tcp | object | TCP Keep Alive settings associated with the upstream and downstream TCP connections. | false | 
Profile.spec.mandates.trafficSettings.resilience.keepAlive.tcp
TCP Keep Alive settings associated with the upstream and downstream TCP connections.
| Name | Type | Description | Required | 
|---|---|---|---|
| downstream | object | TCP Keep Alive Settings associated with the downstream (client) connection. | false | 
| upstream | object | This field is DEPRECATED in favor of  | false | 
Profile.spec.mandates.trafficSettings.resilience.keepAlive.tcp.downstream
TCP Keep Alive Settings associated with the downstream (client) connection.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.mandates.trafficSettings.resilience.keepAlive.tcp.upstream
This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| hosts | []string | List of hosts for which the settings will be created. | false | 
| settings | object | A single setting to be applied to all the clients connecting to the upstream hosts. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings
A single setting to be applied to all the clients connecting to the upstream hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| authentication | object | Configuration for connection authentication parameters. | false | 
| loadBalancer | object | Load balancing settings for the clients. | false | 
| resilience | object | Resilience settings for the clients. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.authentication
Configuration for connection authentication parameters.
| Name | Type | Description | Required | 
|---|---|---|---|
| trafficMode | enum | If set to  Enum: UNSET, OPTIONAL, REQUIRED | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer
Load balancing settings for the clients.
| Name | Type | Description | Required | 
|---|---|---|---|
| consistentHash | object | Use consistent hash load balancing which can provide soft session affinity. | false | 
| simple | enum | Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash
Use consistent hash load balancing which can provide soft session affinity.
| Name | Type | Description | Required | 
|---|---|---|---|
| httpCookie | object | Hash based on HTTP cookie. | false | 
| httpHeaderName | string | Hash based on a specific HTTP header. | false | 
| httpQueryParameterName | string | Hash based on a specific HTTP query parameter. | false | 
| maglev | object | The Maglev load balancer implements consistent hashing to backend hosts. | false | 
| ringHash | object | The ring/modulo hash load balancer implements consistent hashing to backend hosts. | false | 
| useSourceIp | boolean | Hash based on the source IP address. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie
Hash based on HTTP cookie.
| Name | Type | Description | Required | 
|---|---|---|---|
| name | string | Name of the cookie. | true | 
| ttl | string | Lifetime of the cookie. | true | 
| path | string | Path to set for the cookie. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev
The Maglev load balancer implements consistent hashing to backend hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| tableSize | integer | The table size for Maglev hashing. | true | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash
The ring/modulo hash load balancer implements consistent hashing to backend hosts.
| Name | Type | Description | Required | 
|---|---|---|---|
| minimumRingSize | integer | The minimum number of virtual nodes to use for the hash ring. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience
Resilience settings for the clients.
| Name | Type | Description | Required | 
|---|---|---|---|
| circuitBreakerSensitivity | enum | Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH, CUSTOM | false | 
| connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false | 
| outlierDetection | object | Outlier detection settings for the upstream host when custom mode is used. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool
Configures tolerance and other settings for TCP/HTTP connections to the service.
| Name | Type | Description | Required | 
|---|---|---|---|
| http | object | | false | 
| tcp | object | | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http
| Name | Type | Description | Required | 
|---|---|---|---|
| maxRequests | integer | Maximum number of active requests to the service. | false | 
| maxRequestsPerConnection | integer | Maximum number of requests per connection to the service. | false | 
| requestTimeout | string | Timeout for HTTP requests. | false | 
| retries | object | Retry policy for HTTP requests. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries
Retry policy for HTTP requests.
| Name | Type | Description | Required | 
|---|---|---|---|
| attempts | integer | Number of retries for a given request. Format: int32 | true | 
| perTryTimeout | string | Timeout per retry attempt for a given request. | false | 
| retryBackOff | object | Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure. | false |
| retryOn | string | Specifies the conditions under which retry takes place. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries.retryBackOff
Specifies the parameters that control the interval between retry attempts, i.e., how soon the next retry should be attempted after a failure.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseInterval | string | The base interval between retry attempts. | true | 
| maxInterval | string | The maximum interval between retry attempts. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp
| Name | Type | Description | Required | 
|---|---|---|---|
| connectTimeout | string | TCP connection timeout. | false | 
| keepAlive | object | Keep Alive Settings. | false | 
| maxConnections | integer | Maximum number of HTTP1/TCP connections to the service. | false |
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive
Keep Alive Settings.
| Name | Type | Description | Required | 
|---|---|---|---|
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false | 
| interval | integer | The number of seconds between keep-alive probes. | false | 
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false | 
Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.outlierDetection
Outlier detection settings for the upstream host when custom mode is used.
| Name | Type | Description | Required | 
|---|---|---|---|
| baseEjectionTime | string | The base time that a host is ejected for. | false | 
| consecutive5xx | integer | The number of consecutive server-side error responses (for HTTP traffic, 5xx responses; for TCP traffic, connection failures; for Redis, failure to respond PONG; etc.) before a consecutive 5xx ejection occurs. | false | 
| consecutiveGatewayFailure | integer | The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive gateway failure ejection occurs. | false | 
| consecutiveLocalOriginFailure | integer | | false |
| enforcingConsecutive5xx | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive 5xx. | false | 
| enforcingConsecutiveGatewayFailure | integer | The percentage of a host to be ejected when an outlier status is detected through consecutive gateway failures. | false | 
| enforcingConsecutiveLocalOriginFailure | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive locally originated failures. | false | 
| interval | string | The time interval between ejection analysis sweeps. | false | 
| splitExternalLocalOriginErrors | boolean | Determines whether to distinguish local origin failures from external errors. | false | 
Profile.spec.mandates.wafSettings
WAF settings are used to set firewall rules.
| Name | Type | Description | Required | 
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | true | 
Profile.spec.mandates.wasmExtensions[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| fqn | string | FQN of the extension to be executed. | true |
| config | object | Configuration parameters sent to the WASM plugin execution. | false | 
| match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false | 
Profile.spec.mandates.wasmExtensions[index].match[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false | 
| ports | []object | Criteria for selecting traffic by their destination port. | false | 
Profile.spec.mandates.wasmExtensions[index].match[index].ports[index]
| Name | Type | Description | Required | 
|---|---|---|---|
| number | integer | | true |