Skip to main content

Tetrate Service Bridge API (1.5.x)

Download OpenAPI specification:Download

Tetrate Service Bridge API.

OAuth

OIDC

Callback endpoint for OAuth2 Authorization Code grant flows as part of the OIDC spec.

query Parameters
code
string

OAuth2 Authorization Code. When present this indicates the user authorized the request. TSB will use this code to acquire a token from the OIDC token endpoint and complete the login flow.

error
string

OAuth2 Error Code. When present this indicates that either the authorization request has an error, the OIDC provider encountered an error or the user failed to log in. When set TSB will display information to the user indicating what went wrong.

Standard error codes can be found found here. https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1 https://openid.net/specs/openid-connect-core-1_0.html#AuthError

state
required
string

The state parameter sent to the OIDC provider on the authorization request.

errorDescription
string

Optional error description sent by the OIDC provider when an error occurs.

errorUri
string

Optional error URI of a web page that includes additional information about the error.

Responses

Response samples

Content type
application/json
{ }

Login endpoint to start an OIDC Authentication flow.

query Parameters
redirectUri
string

URl where the user will be redirected when the authentication flow completes.

Responses

Response samples

Content type
application/json
{ }

Applications

List all existing applications for the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "applications": [
    ]
}

Creates a new Application in TSB.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
required
object (v2Application)

An Application represents a set of logical groupings of services that are related to each other and expose a set of APIs that implement a complete set of business logic.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "application": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workspace": "string",
  • "namespaceSelector": {
    },
  • "gatewayGroup": "string",
  • "services": [
    ],
  • "configResources": [
    ]
}

Get the details of an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workspace": "string",
  • "namespaceSelector": {
    },
  • "gatewayGroup": "string",
  • "services": [
    ],
  • "configResources": [
    ]
}

Modify an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
gatewayGroup
string

Optional FQN of the Gateway Group to be used by the application. If configured, this gateway group will be used by the application. If no namespaces are configured and no existing gateway group is set, a new gateway group claiming all namespaces in the workspace (*/*) will be created by default. All Ingress Gateway resources created for the APIs attached to the application will be created in the application's gateway group.

object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
services
Array of strings

Optional list of services that are part of the application. This is a list of FQNs of services in the service registry. If omitted, the application is assumed to own all the services in the workspace. Note that a service can only be part of one application. If any of the services in the list is already in use by an existing application, application creation/modification will fail. If the list of services is not explicitly set and any service in the workspace is already in use by by another application, application creation/modification will fail.

workspace
required
string

FQN of the workspace this application is part of. The application will configure IngressGateways for the attached APIs in the different namespaces exposed by this workspace.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "gatewayGroup": "string",
  • "namespaceSelector": {
    },
  • "services": [
    ],
  • "workspace": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workspace": "string",
  • "namespaceSelector": {
    },
  • "gatewayGroup": "string",
  • "services": [
    ],
  • "configResources": [
    ]
}

Delete an existing Application. Note that deleting resources in TSB is a recursive operation. Deleting a application will delete all API objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{ }

List all APIs attached to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "apis": [
    ]
}

Attach a new API to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
required
object (v2API)

An API configuring a set of servers and endpoints that expose the Application business logic.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "api": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "openapi": "string",
  • "workloadSelector": {
    },
  • "servers": [
    ],
  • "endpoints": [
    ],
  • "configResources": [
    ]
}

Get the details of an API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "openapi": "string",
  • "workloadSelector": {
    },
  • "servers": [
    ],
  • "endpoints": [
    ],
  • "configResources": [
    ]
}

Delete an existing API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{ }

Gateway

List all gateway groups that exist in the workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new gateway group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (v2Group)

A gateway group manages the gateways in a group of namespaces owned by the parent workspace.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED"
}

Get the details of the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED"
}

update the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
configMode
string (v2ConfigMode)
Default: "BRIDGED"
Enum: "BRIDGED" "DIRECT"

The configuration mode used by a traffic, security or a gateway group.

  • BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.
  • DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)

Responses

Request samples

Content type
application/json
{
  • "configMode": "BRIDGED",
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED"
}

Delete the given gateway group. Note that deleting resources in TSB is a recursive operation. Deleting a gateway group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{ }

List all Egress Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "egressGateways": [
    ]
}

Create an Egress Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (v2EgressGateway)

EgressGateway configures a workload to act as an egress gateway in the mesh.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "egressGateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "authorization": [
    ]
}

Get the details of the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "authorization": [
    ]
}

Modify the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
Array of objects (EgressAuthorization is used to dictate which service accounts can access a set of external hosts)

The description of which service accounts can access which hosts. If the list of authorization rules is empty, this egress gateway will deny all traffic.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "authorization": [
    ],
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "authorization": [
    ]
}

Delete the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{ }

List all Ingress Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "ingressGateways": [
    ]
}

Create an Ingress Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (v2IngressGateway)

IngressGateway configures a workload to act as an ingress gateway into the mesh.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "ingressGateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tlsPassthrough": [
    ],
  • "tcp": [
    ]
}

Get the details of the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tlsPassthrough": [
    ],
  • "tcp": [
    ]
}

Modify the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2HttpServer)

One or more HTTP or HTTPS servers exposed by the gateway. The server exposes configuration for TLS termination, request authentication/authorization, HTTP routing, etc.

Array of objects (One or more non-HTTP and non-passthrough servers which use TCP based protocols. This server also exposes configuration for terminating TLS)
Array of objects (v2TLSPassthroughServer)

One or more TLS servers exposed by the gateway. The server does not terminate TLS and exposes config for SNI based routing.

required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "http": [
    ],
  • "tcp": [
    ],
  • "tlsPassthrough": [
    ],
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tlsPassthrough": [
    ],
  • "tcp": [
    ]
}

Delete the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

<