Skip to main content
logoTetrate Service BridgeVersion: 1.6.x

gateway.tsb.tetrate.io/v2

Resource Types:

Tier1Gateway

↩ Parent

NameTypeDescriptionRequired
apiVersionstringgateway.tsb.tetrate.io/v2true
kindstringTier1Gatewaytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

Tier1Gateway configures a workload to act as a tier1 gateway into the mesh.

false
statusobject
false

Tier1Gateway.spec

↩ Parent

Tier1Gateway configures a workload to act as a tier1 gateway into the mesh.

NameTypeDescriptionRequired
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
extension[]object
false
externalServers[]object

One or more servers exposed by the gateway externally.

false
fqnstring

Fully-qualified name of the resource.

false
internalServers[]object

One or more servers exposed by the gateway internally for cross cluster forwarding.

false
passthroughServers[]object

One or more tls passthrough servers exposed by the gateway externally.

false
tcpExternalServers[]object

One or more tcp servers exposed by the gateway externally.

false
tcpInternalServers[]object

One or more tcp servers exposed by the gateway for mesh internal traffic.

false
wafobject

WAF settings to be enabled for traffic passing through this Tier1 gateway.

false
workloadSelectorobject
false

Tier1Gateway.spec.extension[index]

↩ Parent

NameTypeDescriptionRequired
configobject

Configuration parameters sent to the WASM plugin execution.

false
fqnstring

Fqn of the extension to be executed.

false

Tier1Gateway.spec.externalServers[index]

↩ Parent

NameTypeDescriptionRequired
authenticationobject
false
authorizationobject

Authorization is used to configure authorization of end users.

false
clusters[]object
false
hostnamestring
false
namestring

A name assigned to the server.

false
portinteger

The port where the server is exposed.


Minimum: 0
Maximum: 4.294967295e+09

false
rateLimitingobject

Configuration for rate limiting requests.

false
redirectobject

Redirect allows configuring HTTP redirect.

false
tlsobject

TLS certificate info.

false

Tier1Gateway.spec.externalServers[index].authentication

↩ Parent

NameTypeDescriptionRequired
jwtobject
false

Tier1Gateway.spec.externalServers[index].authentication.jwt

↩ Parent

NameTypeDescriptionRequired
audiences[]string
false
issuerstring

Identifies the issuer that issued the JWT.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring
false

Tier1Gateway.spec.externalServers[index].authorization

↩ Parent

Authorization is used to configure authorization of end users.

NameTypeDescriptionRequired
externalobject
false
localobject
false

Tier1Gateway.spec.externalServers[index].authorization.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
tlsobject
false
uristring
false

Tier1Gateway.spec.externalServers[index].authorization.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
subjectAltNames[]string
false

Tier1Gateway.spec.externalServers[index].authorization.external.tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Tier1Gateway.spec.externalServers[index].authorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
from[]object
false
namestring

A friendly name to identify the binding.

false
to[]object
false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

Tier1Gateway.spec.externalServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.


Minimum: 0
Maximum: 4.294967295e+09

false

Tier1Gateway.spec.externalServers[index].rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

false
failClosedboolean
false
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

false
rules[]object

A set of rate limit rules.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject
false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

false
headersmap[string]object
false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

false
headerNamestring

The header name to be queried from the request headers.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls

↩ Parent

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
subjectAltNames[]string
false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
failClosedboolean
false
rules[]object

A list of rules for ratelimiting.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

false
limitobject

The ratelimit value that will be configured for the above rules.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

false
valueobject

Value of the header to match on if matching on a specific value.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.


Minimum: 0
Maximum: 4.294967295e+09

false
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

false

Tier1Gateway.spec.externalServers[index].redirect

↩ Parent

Redirect allows configuring HTTP redirect.

NameTypeDescriptionRequired
authoritystring

On a redirect, overwrite the Authority/Host portion of the URL with this value.

false
portinteger

Minimum: 0
Maximum: 4.294967295e+09

false
redirectCodeinteger

Minimum: 0
Maximum: 4.294967295e+09

false
schemestring

On a redirect, overwrite the scheme with this one.

false
uristring

On a redirect, overwrite the Path portion of the URL with this value.

false

Tier1Gateway.spec.externalServers[index].tls

↩ Parent

TLS certificate info.

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring
false

Tier1Gateway.spec.externalServers[index].tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

Tier1Gateway.spec.internalServers[index]

↩ Parent

NameTypeDescriptionRequired
authenticationobject
false
authorizationobject

Authorization is used to configure authorization of end user and traffic.

false
clusters[]object
false
hostnamestring
false
namestring

A name assigned to the server.

false

Tier1Gateway.spec.internalServers[index].authentication

↩ Parent

NameTypeDescriptionRequired
jwtobject
false

Tier1Gateway.spec.internalServers[index].authentication.jwt

↩ Parent

NameTypeDescriptionRequired
audiences[]string
false
issuerstring

Identifies the issuer that issued the JWT.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring
false

Tier1Gateway.spec.internalServers[index].authorization

↩ Parent

Authorization is used to configure authorization of end user and traffic.

NameTypeDescriptionRequired
externalobject
false
localobject
false

Tier1Gateway.spec.internalServers[index].authorization.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
tlsobject
false
uristring
false

Tier1Gateway.spec.internalServers[index].authorization.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
subjectAltNames[]string
false

Tier1Gateway.spec.internalServers[index].authorization.external.tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Tier1Gateway.spec.internalServers[index].authorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
from[]object
false
namestring

A friendly name to identify the binding.

false
to[]object
false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

Tier1Gateway.spec.internalServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.


Minimum: 0
Maximum: 4.294967295e+09

false

Tier1Gateway.spec.passthroughServers[index]

↩ Parent

NameTypeDescriptionRequired
clusters[]object
false
hostnamestring
false
namestring

A name assigned to the server.

false
portinteger

The port where the server is exposed.


Minimum: 0
Maximum: 4.294967295e+09

false

Tier1Gateway.spec.passthroughServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.


Minimum: 0
Maximum: 4.294967295e+09

false

Tier1Gateway.spec.tcpExternalServers[index]

↩ Parent

NameTypeDescriptionRequired
clusters[]object

The destination clusters contain ingress gateways exposing the service.

false
hostnamestring
false
namestring

A name assigned to the server.

false
portinteger

The port where the server is exposed.


Minimum: 0
Maximum: 4.294967295e+09

false
tlsobject

TLS certificate information to terminate TLS.

false

Tier1Gateway.spec.tcpExternalServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.


Minimum: 0
Maximum: 4.294967295e+09

false

Tier1Gateway.spec.tcpExternalServers[index].tls

↩ Parent

TLS certificate information to terminate TLS.

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring
false

Tier1Gateway.spec.tcpExternalServers[index].tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

Tier1Gateway.spec.tcpInternalServers[index]

↩ Parent

NameTypeDescriptionRequired
clusters[]object

The destination clusters contain ingress gateways exposing the service.

false
hostnamestring

The name of the service used.

false
namestring

A name assigned to the server.

false

Tier1Gateway.spec.tcpInternalServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.


Minimum: 0
Maximum: 4.294967295e+09

false

Tier1Gateway.spec.waf

↩ Parent

WAF settings to be enabled for traffic passing through this Tier1 gateway.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

false

Tier1Gateway.spec.workloadSelector

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string
false
namespacestring

The namespace where the workload resides.

false

IngressGateway

↩ Parent

NameTypeDescriptionRequired
apiVersionstringgateway.tsb.tetrate.io/v2true
kindstringIngressGatewaytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

IngressGateway configures a workload to act as an ingress gateway into the mesh.

false
statusobject
false

IngressGateway.spec

↩ Parent

IngressGateway configures a workload to act as an ingress gateway into the mesh.

NameTypeDescriptionRequired
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
extension[]object
false
fqnstring

Fully-qualified name of the resource.

false
http[]object

One or more HTTP or HTTPS servers exposed by the gateway.

false
tcp[]object
false
tlsPassthrough[]object

One or more TLS servers exposed by the gateway.

false
wafobject

WAF settings to be enabled for traffic passing through the HttpServer.

false
workloadSelectorobject
false

IngressGateway.spec.extension[index]

↩ Parent

NameTypeDescriptionRequired
configobject

Configuration parameters sent to the WASM plugin execution.

false
fqnstring

Fqn of the extension to be executed.

false

IngressGateway.spec.http[index]

↩ Parent

NameTypeDescriptionRequired
authenticationobject

Configuration to authenticate clients.

false
authorizationobject

Configuration to authorize a request.

false
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

false
namestring

A name assigned to the server.

false
portinteger

The port where the server is exposed.


Minimum: 0
Maximum: 4.294967295e+09

false
rateLimitingobject

Configuration for rate limiting requests.

false
routingobject

Routing rules associated with HTTP traffic to this service.

false
tlsobject

TLS certificate info.

false
xxxOldAuthenticationobject
false
xxxOldAuthorizationobject
false

IngressGateway.spec.http[index].authentication

↩ Parent

Configuration to authenticate clients.

NameTypeDescriptionRequired
jwtobject
false

IngressGateway.spec.http[index].authentication.jwt

↩ Parent

NameTypeDescriptionRequired
audiences[]string
false
issuerstring

Identifies the issuer that issued the JWT.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring
false

IngressGateway.spec.http[index].authorization

↩ Parent

Configuration to authorize a request.

NameTypeDescriptionRequired
externalobject
false
localobject
false

IngressGateway.spec.http[index].authorization.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
tlsobject
false
uristring
false

IngressGateway.spec.http[index].authorization.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
subjectAltNames[]string
false

IngressGateway.spec.http[index].authorization.external.tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

IngressGateway.spec.http[index].authorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

IngressGateway.spec.http[index].authorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
from[]object
false
namestring

A friendly name to identify the binding.

false
to[]object
false

IngressGateway.spec.http[index].authorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

IngressGateway.spec.http[index].authorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

IngressGateway.spec.http[index].authorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

IngressGateway.spec.http[index].rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

IngressGateway.spec.http[index].rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

false
failClosedboolean
false
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

false
rules[]object

A set of rate limit rules.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject
false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

false
headersmap[string]object
false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

false
headerNamestring

The header name to be queried from the request headers.

false

IngressGateway.spec.http[index].rateLimiting.externalService.tls

↩ Parent

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
subjectAltNames[]string
false

IngressGateway.spec.http[index].rateLimiting.externalService.tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

IngressGateway.spec.http[index].rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
failClosedboolean
false
rules[]object

A list of rules for ratelimiting.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

false
limitobject

The ratelimit value that will be configured for the above rules.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

false
valueobject

Value of the header to match on if matching on a specific value.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.


Minimum: 0
Maximum: 4.294967295e+09

false
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

false

IngressGateway.spec.http[index].routing

↩ Parent

Routing rules associated with HTTP traffic to this service.

NameTypeDescriptionRequired
corsPolicyobject

Cross origin resource request policy settings for all routes.

false
rules[]object

HTTP routes.

false

IngressGateway.spec.http[index].routing.corsPolicy

↩ Parent

Cross origin resource request policy settings for all routes.

NameTypeDescriptionRequired
allowCredentialsboolean
false
allowHeaders[]string

List of HTTP headers that can be used when requesting the resource.

false
allowMethods[]string

List of HTTP methods allowed to access the resource.

false
allowOrigin[]string

The list of origins that are allowed to perform CORS requests.

false
exposeHeaders[]string

A white list of HTTP headers that the browsers are allowed to access.

false
maxAgestring

Specifies how long the results of a preflight request can be cached.

false

IngressGateway.spec.http[index].routing.rules[index]

↩ Parent

NameTypeDescriptionRequired
match[]object

One or more match conditions (OR-ed).

false
modifyobject

One or more mutations to be performed before forwarding.

false
redirectobject

Redirect the request to a different host or URL or both.

false
routeobject

Forward the request to the specified destination(s).

false

IngressGateway.spec.http[index].routing.rules[index].match[index]

↩ Parent

NameTypeDescriptionRequired
headersmap[string]object

The header keys must be lowercase and use hyphen as the separator, e.g.

false
uriobject

URI to match.

false

IngressGateway.spec.http[index].routing.rules[index].match[index].headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

IngressGateway.spec.http[index].routing.rules[index].match[index].uri

↩ Parent

URI to match.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

IngressGateway.spec.http[index].routing.rules[index].modify

↩ Parent

One or more mutations to be performed before forwarding.

NameTypeDescriptionRequired
headersobject

Add/remove/overwrite one or more HTTP headers in a request or response.

false
rewriteobject

Rewrite the HTTP Host or URL or both.

false

IngressGateway.spec.http[index].routing.rules[index].modify.headers

↩ Parent

Add/remove/overwrite one or more HTTP headers in a request or response.

NameTypeDescriptionRequired
requestobject

Header manipulation rules to apply before forwarding a request to the destination service.

false
responseobject

Header manipulation rules to apply before returning a response to the caller.

false

IngressGateway.spec.http[index].routing.rules[index].modify.headers.request

↩ Parent

Header manipulation rules to apply before forwarding a request to the destination service.

NameTypeDescriptionRequired
addmap[string]string
false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

IngressGateway.spec.http[index].routing.rules[index].modify.headers.response

↩ Parent

Header manipulation rules to apply before returning a response to the caller.

NameTypeDescriptionRequired
addmap[string]string
false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

IngressGateway.spec.http[index].routing.rules[index].modify.rewrite

↩ Parent

Rewrite the HTTP Host or URL or both.

NameTypeDescriptionRequired
authoritystring

Rewrite the Authority/Host header with this value.

false
uristring

Rewrite the path (or the prefix) portion of the URI with this value.

false

IngressGateway.spec.http[index].routing.rules[index].redirect

↩ Parent

Redirect the request to a different host or URL or both.

NameTypeDescriptionRequired
authoritystring

On a redirect, overwrite the Authority/Host portion of the URL with this value.

false
portinteger

Minimum: 0
Maximum: 4.294967295e+09

false
redirectCodeinteger

Minimum: 0
Maximum: 4.294967295e+09

false
schemestring

On a redirect, overwrite the scheme with this one.

false
uristring

On a redirect, overwrite the Path portion of the URL with this value.

false

IngressGateway.spec.http[index].routing.rules[index].route

↩ Parent

Forward the request to the specified destination(s).

NameTypeDescriptionRequired
hoststring
false
portinteger

The port on the service to forward the request to.


Minimum: 0
Maximum: 4.294967295e+09

false

IngressGateway.spec.http[index].tls

↩ Parent

TLS certificate info.

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring
false

IngressGateway.spec.http[index].tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

IngressGateway.spec.http[index].xxxOldAuthentication

↩ Parent

NameTypeDescriptionRequired
jwtobject
false

IngressGateway.spec.http[index].xxxOldAuthentication.jwt

↩ Parent

NameTypeDescriptionRequired
audiences[]string
false
issuerstring

Identifies the issuer that issued the JWT.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring
false

IngressGateway.spec.http[index].xxxOldAuthorization

↩ Parent

NameTypeDescriptionRequired
externalobject
false
localobject
false

IngressGateway.spec.http[index].xxxOldAuthorization.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
uristring
false

IngressGateway.spec.http[index].xxxOldAuthorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
from[]object
false
namestring

A friendly name to identify the binding.

false
to[]object
false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

IngressGateway.spec.tcp[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname to identify the service.

false
namestring

A name assigned to the server.

false
portinteger

The port where the server is exposed.


Minimum: 0
Maximum: 4.294967295e+09

false
routeobject

Forward the connection to the specified destination.

false
tlsobject
false

IngressGateway.spec.tcp[index].route

↩ Parent

Forward the connection to the specified destination.

NameTypeDescriptionRequired
hoststring
false
portinteger

The port on the service to forward the request to.


Minimum: 0
Maximum: 4.294967295e+09

false

IngressGateway.spec.tcp[index].tls

↩ Parent

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring
false

IngressGateway.spec.tcp[index].tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

IngressGateway.spec.tlsPassthrough[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

false
namestring

A name assigned to the server.

false
portinteger

The port where the server is exposed.


Minimum: 0
Maximum: 4.294967295e+09

false
routeobject

Forward the connection to the specified destination.

false

IngressGateway.spec.tlsPassthrough[index].route

↩ Parent

Forward the connection to the specified destination.

NameTypeDescriptionRequired
hoststring
false
portinteger

The port on the service to forward the request to.


Minimum: 0
Maximum: 4.294967295e+09

false

IngressGateway.spec.waf

↩ Parent

WAF settings to be enabled for traffic passing through the HttpServer.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

false

IngressGateway.spec.workloadSelector

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string
false
namespacestring

The namespace where the workload resides.

false

Group

↩ Parent

NameTypeDescriptionRequired
apiVersionstringgateway.tsb.tetrate.io/v2true
kindstringGrouptrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject
false
statusobject
false

Group.spec

↩ Parent

NameTypeDescriptionRequired
configModeenum

Enum: BRIDGED, DIRECT

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
namespaceSelectorobject

Set of namespaces owned exclusively by this group.

false

Group.spec.namespaceSelector

↩ Parent

Set of namespaces owned exclusively by this group.

NameTypeDescriptionRequired
names[]string
false

EgressGateway

↩ Parent

NameTypeDescriptionRequired
apiVersionstringgateway.tsb.tetrate.io/v2true
kindstringEgressGatewaytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

EgressGateway configures a workload to act as an egress gateway in the mesh.

false
statusobject
false

EgressGateway.spec

↩ Parent

EgressGateway configures a workload to act as an egress gateway in the mesh.

NameTypeDescriptionRequired
authorization[]object

The description of which service accounts can access which hosts.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
extension[]object
false
fqnstring

Fully-qualified name of the resource.

false
workloadSelectorobject
false

EgressGateway.spec.authorization[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

The workloads or service accounts this authorization rule applies to.

false
to[]string

The external hostnames the workload(s) described in this rule can access.

false

EgressGateway.spec.authorization[index].from

↩ Parent

The workloads or service accounts this authorization rule applies to.

NameTypeDescriptionRequired
httpobject

This is for configuring HTTP request authorization.

false
modeenum

A short cut for specifying the set of allowed callers.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES

false
rulesobject
false
serviceAccounts[]string
false

EgressGateway.spec.authorization[index].from.http

↩ Parent

This is for configuring HTTP request authorization.

NameTypeDescriptionRequired
externalobject
false
localobject
false

EgressGateway.spec.authorization[index].from.http.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
tlsobject
false
uristring
false

EgressGateway.spec.authorization[index].from.http.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject
false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
subjectAltNames[]string
false

EgressGateway.spec.authorization[index].from.http.external.tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

EgressGateway.spec.authorization[index].from.http.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

EgressGateway.spec.authorization[index].from.http.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
from[]object
false
namestring

A friendly name to identify the binding.

false
to[]object
false

EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

EgressGateway.spec.authorization[index].from.http.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

EgressGateway.spec.authorization[index].from.rules

↩ Parent

NameTypeDescriptionRequired
allow[]object

Allow specifies a list of rules.

false
deny[]object

Deny specifies a list of rules.

false
denyAllboolean

Deny all specifies whether all requests should be rejected.

false

EgressGateway.spec.authorization[index].from.rules.allow[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

false
toobject

To specifies the destination of a request.

false

EgressGateway.spec.authorization[index].from.rules.allow[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

EgressGateway.spec.authorization[index].from.rules.allow[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

EgressGateway.spec.authorization[index].from.rules.deny[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

false
toobject

To specifies the destination of a request.

false

EgressGateway.spec.authorization[index].from.rules.deny[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

EgressGateway.spec.authorization[index].from.rules.deny[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

EgressGateway.spec.extension[index]

↩ Parent

NameTypeDescriptionRequired
configobject

Configuration parameters sent to the WASM plugin execution.

false
fqnstring

Fqn of the extension to be executed.

false

EgressGateway.spec.workloadSelector

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string
false
namespacestring

The namespace where the workload resides.

false