Tetrate Service BridgeVersion: 1.6.xgateway.tsb.tetrate.io/v2
Resource Types:
Tier1Gateway
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | gateway.tsb.tetrate.io/v2 | true |
| kind | string | Tier1Gateway | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object |
| false |
| status | object | false |
Tier1Gateway.spec
Tier1Gateway configures a workload to act as a tier1 gateway into the mesh.
| Name | Type | Description | Required |
|---|---|---|---|
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | false | |
| externalServers | []object | One or more servers exposed by the gateway externally. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| internalServers | []object | One or more servers exposed by the gateway internally for cross cluster forwarding. | false |
| passthroughServers | []object | One or more tls passthrough servers exposed by the gateway externally. | false |
| tcpExternalServers | []object | One or more tcp servers exposed by the gateway externally. | false |
| tcpInternalServers | []object | One or more tcp servers exposed by the gateway for mesh internal traffic. | false |
| waf | object | WAF settings to be enabled for traffic passing through this Tier1 gateway. | false |
| workloadSelector | object | false |
Tier1Gateway.spec.extension[index]
| Name | Type | Description | Required |
|---|---|---|---|
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | Fqn of the extension to be executed. | false |
Tier1Gateway.spec.externalServers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| authentication | object | false | |
| authorization | object | Authorization is used to configure authorization of end users. | false |
| clusters | []object | false | |
| hostname | string | false | |
| name | string | A name assigned to the server. | false |
| port | integer | The port where the server is exposed. Minimum: 0 | false |
| rateLimiting | object | Configuration for rate limiting requests. | false |
| redirect | object | Redirect allows configuring HTTP redirect. | false |
| tls | object | TLS certificate info. | false |
Tier1Gateway.spec.externalServers[index].authentication
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | false |
Tier1Gateway.spec.externalServers[index].authentication.jwt
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | false | |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | false |
Tier1Gateway.spec.externalServers[index].authorization
Authorization is used to configure authorization of end users.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | false | |
| local | object | false |
Tier1Gateway.spec.externalServers[index].authorization.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | false | |
| tls | object | false | |
| uri | string | false |
Tier1Gateway.spec.externalServers[index].authorization.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string | false |
Tier1Gateway.spec.externalServers[index].authorization.external.tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
Tier1Gateway.spec.externalServers[index].authorization.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | false |
Tier1Gateway.spec.externalServers[index].authorization.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | false | |
| name | string | A friendly name to identify the binding. | false |
| to | []object | false |
Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identity the subject. | false |
Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index].jwt
JWT configuration to identity the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | false | |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | false |
Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path where the request is made against. | false |
Tier1Gateway.spec.externalServers[index].clusters[index]
| Name | Type | Description | Required |
|---|---|---|---|
| labels | map[string]string | Labels associated with the cluster. | false |
| name | string | The name of the destination cluster. | false |
| network | string | The network associated with the destination clusters. | false |
| weight | integer | The weight for traffic to a given destination. Minimum: 0 | false |
Tier1Gateway.spec.externalServers[index].rateLimiting
Configuration for rate limiting requests.
| Name | Type | Description | Required |
|---|---|---|---|
| externalService | object | Configure ratelimiting using an external ratelimit server. | false |
| settings | object | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
| Name | Type | Description | Required |
|---|---|---|---|
| domain | string | The rate limit domain to use when calling the rate limit service. | false |
| failClosed | boolean | false | |
| rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | false |
| rules | []object | A set of rate limit rules. | false |
| timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
| tls | object | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| destinationCluster | object | Rate limit on destination envoy cluster. | false |
| headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
| remoteAddress | object | Rate limit on remote address of client. | false |
| requestHeaders | object | Rate limit on the value of certain request headers. | false |
| sourceCluster | object | Rate limit on source envoy cluster. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
| Name | Type | Description | Required |
|---|---|---|---|
| descriptorValue | string | The value to use in the descriptor entry. | false |
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
| headers | map[string]object | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
| Name | Type | Description | Required |
|---|---|---|---|
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAscript style regex-based match. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
| Name | Type | Description | Required |
|---|---|---|---|
| descriptorKey | string | The key to use in the descriptor entry. | false |
| headerName | string | The header name to be queried from the request headers. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings
| Name | Type | Description | Required |
|---|---|---|---|
| failClosed | boolean | false | |
| rules | []object | A list of rules for ratelimiting. | false |
| timeout | string | The timeout in seconds for the rate limit server RPC. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| dimensions | []object | A list of dimensions to define each ratelimit rule. | false |
| limit | object | The ratelimit value that will be configured for the above rules. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| header | object | Rate limit on certain HTTP headers. | false |
| remoteAddress | object | Rate limit on the remote address of client. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
| Name | Type | Description | Required |
|---|---|---|---|
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
| name | string | Name of the header to match on. | false |
| value | object | Value of the header to match on if matching on a specific value. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
| Name | Type | Description | Required |
|---|---|---|---|
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAscript style regex-based match. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
| Name | Type | Description | Required |
|---|---|---|---|
| value | string | Ratelimit on a specific remote address. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
| Name | Type | Description | Required |
|---|---|---|---|
| requestsPerUnit | integer | Specifies the value of the rate limit. Minimum: 0 | false |
| unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | false |
Tier1Gateway.spec.externalServers[index].redirect
Redirect allows configuring HTTP redirect.
| Name | Type | Description | Required |
|---|---|---|---|
| authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. | false |
| port | integer | Minimum: 0 | false |
| redirectCode | integer | Minimum: 0 | false |
| scheme | string | On a redirect, overwrite the scheme with this one. | false |
| uri | string | On a redirect, overwrite the Path portion of the URL with this value. | false |
Tier1Gateway.spec.externalServers[index].tls
TLS certificate info.
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | false |
Tier1Gateway.spec.externalServers[index].tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| privateKey | string | false | |
| serverCertificate | string | false |
Tier1Gateway.spec.internalServers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| authentication | object | false | |
| authorization | object | Authorization is used to configure authorization of end user and traffic. | false |
| clusters | []object | false | |
| hostname | string | false | |
| name | string | A name assigned to the server. | false |
Tier1Gateway.spec.internalServers[index].authentication
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | false |
Tier1Gateway.spec.internalServers[index].authentication.jwt
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | false | |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | false |
Tier1Gateway.spec.internalServers[index].authorization
Authorization is used to configure authorization of end user and traffic.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | false | |
| local | object | false |
Tier1Gateway.spec.internalServers[index].authorization.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | false | |
| tls | object | false | |
| uri | string | false |
Tier1Gateway.spec.internalServers[index].authorization.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string | false |
Tier1Gateway.spec.internalServers[index].authorization.external.tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
Tier1Gateway.spec.internalServers[index].authorization.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | false |
Tier1Gateway.spec.internalServers[index].authorization.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | false | |
| name | string | A friendly name to identify the binding. | false |
| to | []object | false |
Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identity the subject. | false |
Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index].jwt
JWT configuration to identity the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | false | |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | false |
Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path where the request is made against. | false |
Tier1Gateway.spec.internalServers[index].clusters[index]
| Name | Type | Description | Required |
|---|---|---|---|
| labels | map[string]string | Labels associated with the cluster. | false |
| name | string | The name of the destination cluster. | false |
| network | string | The network associated with the destination clusters. | false |
| weight | integer | The weight for traffic to a given destination. Minimum: 0 | false |
Tier1Gateway.spec.passthroughServers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| clusters | []object | false | |
| hostname | string | false | |
| name | string | A name assigned to the server. | false |
| port | integer | The port where the server is exposed. Minimum: 0 | false |
Tier1Gateway.spec.passthroughServers[index].clusters[index]
| Name | Type | Description | Required |
|---|---|---|---|
| labels | map[string]string | Labels associated with the cluster. | false |
| name | string | The name of the destination cluster. | false |
| network | string | The network associated with the destination clusters. | false |
| weight | integer | The weight for traffic to a given destination. Minimum: 0 | false |
Tier1Gateway.spec.tcpExternalServers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| clusters | []object | The destination clusters contain ingress gateways exposing the service. | false |
| hostname | string | false | |
| name | string | A name assigned to the server. | false |
| port | integer | The port where the server is exposed. Minimum: 0 | false |
| tls | object | TLS certificate information to terminate TLS. | false |
Tier1Gateway.spec.tcpExternalServers[index].clusters[index]
| Name | Type | Description | Required |
|---|---|---|---|
| labels | map[string]string | Labels associated with the cluster. | false |
| name | string | The name of the destination cluster. | false |
| network | string | The network associated with the destination clusters. | false |
| weight | integer | The weight for traffic to a given destination. Minimum: 0 | false |
Tier1Gateway.spec.tcpExternalServers[index].tls
TLS certificate information to terminate TLS.
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | false |
Tier1Gateway.spec.tcpExternalServers[index].tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| privateKey | string | false | |
| serverCertificate | string | false |
Tier1Gateway.spec.tcpInternalServers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| clusters | []object | The destination clusters contain ingress gateways exposing the service. | false |
| hostname | string | The name of the service used. | false |
| name | string | A name assigned to the server. | false |
Tier1Gateway.spec.tcpInternalServers[index].clusters[index]
| Name | Type | Description | Required |
|---|---|---|---|
| labels | map[string]string | Labels associated with the cluster. | false |
| name | string | The name of the destination cluster. | false |
| network | string | The network associated with the destination clusters. | false |
| weight | integer | The weight for traffic to a given destination. Minimum: 0 | false |
Tier1Gateway.spec.waf
WAF settings to be enabled for traffic passing through this Tier1 gateway.
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | false |
Tier1Gateway.spec.workloadSelector
| Name | Type | Description | Required |
|---|---|---|---|
| labels | map[string]string | false | |
| namespace | string | The namespace where the workload resides. | false |
IngressGateway
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | gateway.tsb.tetrate.io/v2 | true |
| kind | string | IngressGateway | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object |
| false |
| status | object | false |
IngressGateway.spec
IngressGateway configures a workload to act as an ingress gateway into the mesh.
| Name | Type | Description | Required |
|---|---|---|---|
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | false | |
| fqn | string | Fully-qualified name of the resource. | false |
| http | []object | One or more HTTP or HTTPS servers exposed by the gateway. | false |
| tcp | []object | false | |
| tlsPassthrough | []object | One or more TLS servers exposed by the gateway. | false |
| waf | object | WAF settings to be enabled for traffic passing through the HttpServer. | false |
| workloadSelector | object | false |
IngressGateway.spec.extension[index]
| Name | Type | Description | Required |
|---|---|---|---|
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | Fqn of the extension to be executed. | false |
IngressGateway.spec.http[index]
| Name | Type | Description | Required |
|---|---|---|---|
| authentication | object | Configuration to authenticate clients. | false |
| authorization | object | Configuration to authorize a request. | false |
| hostname | string | Hostname with which the service can be expected to be accessed by clients. | false |
| name | string | A name assigned to the server. | false |
| port | integer | The port where the server is exposed. Minimum: 0 | false |
| rateLimiting | object | Configuration for rate limiting requests. | false |
| routing | object | Routing rules associated with HTTP traffic to this service. | false |
| tls | object | TLS certificate info. | false |
| xxxOldAuthentication | object | false | |
| xxxOldAuthorization | object | false |
IngressGateway.spec.http[index].authentication
Configuration to authenticate clients.
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | false |
IngressGateway.spec.http[index].authentication.jwt
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | false | |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | false |
IngressGateway.spec.http[index].authorization
Configuration to authorize a request.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | false | |
| local | object | false |
IngressGateway.spec.http[index].authorization.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | false | |
| tls | object | false | |
| uri | string | false |
IngressGateway.spec.http[index].authorization.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string | false |
IngressGateway.spec.http[index].authorization.external.tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
IngressGateway.spec.http[index].authorization.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | false |
IngressGateway.spec.http[index].authorization.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | false | |
| name | string | A friendly name to identify the binding. | false |
| to | []object | false |
IngressGateway.spec.http[index].authorization.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identity the subject. | false |
IngressGateway.spec.http[index].authorization.local.rules[index].from[index].jwt
JWT configuration to identity the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | false | |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | false |
IngressGateway.spec.http[index].authorization.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path where the request is made against. | false |
IngressGateway.spec.http[index].rateLimiting
Configuration for rate limiting requests.
| Name | Type | Description | Required |
|---|---|---|---|
| externalService | object | Configure ratelimiting using an external ratelimit server. | false |
| settings | object | false |
IngressGateway.spec.http[index].rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
| Name | Type | Description | Required |
|---|---|---|---|
| domain | string | The rate limit domain to use when calling the rate limit service. | false |
| failClosed | boolean | false | |
| rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | false |
| rules | []object | A set of rate limit rules. | false |
| timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
| tls | object | false |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | false |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| destinationCluster | object | Rate limit on destination envoy cluster. | false |
| headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
| remoteAddress | object | Rate limit on remote address of client. | false |
| requestHeaders | object | Rate limit on the value of certain request headers. | false |
| sourceCluster | object | Rate limit on source envoy cluster. | false |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
| Name | Type | Description | Required |
|---|---|---|---|
| descriptorValue | string | The value to use in the descriptor entry. | false |
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
| headers | map[string]object | false |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
| Name | Type | Description | Required |
|---|---|---|---|
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAscript style regex-based match. | false |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
| Name | Type | Description | Required |
|---|---|---|---|
| descriptorKey | string | The key to use in the descriptor entry. | false |
| headerName | string | The header name to be queried from the request headers. | false |
IngressGateway.spec.http[index].rateLimiting.externalService.tls�
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string | false |
IngressGateway.spec.http[index].rateLimiting.externalService.tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
IngressGateway.spec.http[index].rateLimiting.settings
| Name | Type | Description | Required |
|---|---|---|---|
| failClosed | boolean | false | |
| rules | []object | A list of rules for ratelimiting. | false |
| timeout | string | The timeout in seconds for the rate limit server RPC. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| dimensions | []object | A list of dimensions to define each ratelimit rule. | false |
| limit | object | The ratelimit value that will be configured for the above rules. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| header | object | Rate limit on certain HTTP headers. | false |
| remoteAddress | object | Rate limit on the remote address of client. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
| Name | Type | Description | Required |
|---|---|---|---|
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
| name | string | Name of the header to match on. | false |
| value | object | Value of the header to match on if matching on a specific value. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
| Name | Type | Description | Required |
|---|---|---|---|
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAscript style regex-based match. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
| Name | Type | Description | Required |
|---|---|---|---|
| value | string | Ratelimit on a specific remote address. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
| Name | Type | Description | Required |
|---|---|---|---|
| requestsPerUnit | integer | Specifies the value of the rate limit. Minimum: 0 | false |
| unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | false |
IngressGateway.spec.http[index].routing
Routing rules associated with HTTP traffic to this service.
| Name | Type | Description | Required |
|---|---|---|---|
| corsPolicy | object | Cross origin resource request policy settings for all routes. | false |
| rules | []object | HTTP routes. | false |
IngressGateway.spec.http[index].routing.corsPolicy
Cross origin resource request policy settings for all routes.
| Name | Type | Description | Required |
|---|---|---|---|
| allowCredentials | boolean | false | |
| allowHeaders | []string | List of HTTP headers that can be used when requesting the resource. | false |
| allowMethods | []string | List of HTTP methods allowed to access the resource. | false |
| allowOrigin | []string | The list of origins that are allowed to perform CORS requests. | false |
| exposeHeaders | []string | A white list of HTTP headers that the browsers are allowed to access. | false |
| maxAge | string | Specifies how long the results of a preflight request can be cached. | false |
IngressGateway.spec.http[index].routing.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| match | []object | One or more match conditions (OR-ed). | false |
| modify | object | One or more mutations to be performed before forwarding. | false |
| redirect | object | Redirect the request to a different host or URL or both. | false |
| route | object | Forward the request to the specified destination(s). | false |
IngressGateway.spec.http[index].routing.rules[index].match[index]
| Name | Type | Description | Required |
|---|---|---|---|
| headers | map[string]object | The header keys must be lowercase and use hyphen as the separator, e.g. | false |
| uri | object | URI to match. | false |
IngressGateway.spec.http[index].routing.rules[index].match[index].headers[key]
| Name | Type | Description | Required |
|---|---|---|---|
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAscript style regex-based match. | false |
IngressGateway.spec.http[index].routing.rules[index].match[index].uri
URI to match.
| Name | Type | Description | Required |
|---|---|---|---|
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAscript style regex-based match. | false |
IngressGateway.spec.http[index].routing.rules[index].modify
One or more mutations to be performed before forwarding.
| Name | Type | Description | Required |
|---|---|---|---|
| headers | object | Add/remove/overwrite one or more HTTP headers in a request or response. | false |
| rewrite | object | Rewrite the HTTP Host or URL or both. | false |
IngressGateway.spec.http[index].routing.rules[index].modify.headers
Add/remove/overwrite one or more HTTP headers in a request or response.
| Name | Type | Description | Required |
|---|---|---|---|
| request | object | Header manipulation rules to apply before forwarding a request to the destination service. | false |
| response | object | Header manipulation rules to apply before returning a response to the caller. | false |
IngressGateway.spec.http[index].routing.rules[index].modify.headers.request
Header manipulation rules to apply before forwarding a request to the destination service.
| Name | Type | Description | Required |
|---|---|---|---|
| add | map[string]string | false | |
| remove | []string | Remove a the specified headers. | false |
| set | map[string]string | Overwrite the headers specified by key with the given values. | false |
IngressGateway.spec.http[index].routing.rules[index].modify.headers.response
Header manipulation rules to apply before returning a response to the caller.
| Name | Type | Description | Required |
|---|---|---|---|
| add | map[string]string | false | |
| remove | []string | Remove a the specified headers. | false |
| set | map[string]string | Overwrite the headers specified by key with the given values. | false |
IngressGateway.spec.http[index].routing.rules[index].modify.rewrite
Rewrite the HTTP Host or URL or both.
| Name | Type | Description | Required |
|---|---|---|---|
| authority | string | Rewrite the Authority/Host header with this value. | false |
| uri | string | Rewrite the path (or the prefix) portion of the URI with this value. | false |
IngressGateway.spec.http[index].routing.rules[index].redirect
Redirect the request to a different host or URL or both.
| Name | Type | Description | Required |
|---|---|---|---|
| authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. | false |
| port | integer | Minimum: 0 | false |
| redirectCode | integer | Minimum: 0 | false |
| scheme | string | On a redirect, overwrite the scheme with this one. | false |
| uri | string | On a redirect, overwrite the Path portion of the URL with this value. | false |
IngressGateway.spec.http[index].routing.rules[index].route
Forward the request to the specified destination(s).
| Name | Type | Description | Required |
|---|---|---|---|
| host | string | false | |
| port | integer | The port on the service to forward the request to. Minimum: 0 | false |
IngressGateway.spec.http[index].tls
TLS certificate info.
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | false |
IngressGateway.spec.http[index].tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| privateKey | string | false | |
| serverCertificate | string | false |
IngressGateway.spec.http[index].xxxOldAuthentication
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | false |
IngressGateway.spec.http[index].xxxOldAuthentication.jwt
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | false | |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | false |
IngressGateway.spec.http[index].xxxOldAuthorization
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | false | |
| local | object | false |
IngressGateway.spec.http[index].xxxOldAuthorization.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | false | |
| uri | string | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | false | |
| name | string | A friendly name to identify the binding. | false |
| to | []object | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identity the subject. | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index].jwt
JWT configuration to identity the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | false | |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path where the request is made against. | false |
IngressGateway.spec.tcp[index]
| Name | Type | Description | Required |
|---|---|---|---|
| hostname | string | Hostname to identify the service. | false |
| name | string | A name assigned to the server. | false |
| port | integer | The port where the server is exposed. Minimum: 0 | false |
| route | object | Forward the connection to the specified destination. | false |
| tls | object | false |
IngressGateway.spec.tcp[index].route
Forward the connection to the specified destination.
| Name | Type | Description | Required |
|---|---|---|---|
| host | string | false | |
| port | integer | The port on the service to forward the request to. Minimum: 0 | false |
IngressGateway.spec.tcp[index].tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | false |
IngressGateway.spec.tcp[index].tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| privateKey | string | false | |
| serverCertificate | string | false |
IngressGateway.spec.tlsPassthrough[index]
| Name | Type | Description | Required |
|---|---|---|---|
| hostname | string | Hostname with which the service can be expected to be accessed by clients. | false |
| name | string | A name assigned to the server. | false |
| port | integer | The port where the server is exposed. Minimum: 0 | false |
| route | object | Forward the connection to the specified destination. | false |
IngressGateway.spec.tlsPassthrough[index].route
Forward the connection to the specified destination.
| Name | Type | Description | Required |
|---|---|---|---|
| host | string | false | |
| port | integer | The port on the service to forward the request to. Minimum: 0 | false |
IngressGateway.spec.waf
WAF settings to be enabled for traffic passing through the HttpServer.
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | false |
IngressGateway.spec.workloadSelector
| Name | Type | Description | Required |
|---|---|---|---|
| labels | map[string]string | false | |
| namespace | string | The namespace where the workload resides. | false |
Group
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | gateway.tsb.tetrate.io/v2 | true |
| kind | string | Group | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | false | |
| status | object | false |
Group.spec
| Name | Type | Description | Required |
|---|---|---|---|
| configMode | enum | Enum: BRIDGED, DIRECT | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| namespaceSelector | object | Set of namespaces owned exclusively by this group. | false |
Group.spec.namespaceSelector
Set of namespaces owned exclusively by this group.
| Name | Type | Description | Required |
|---|---|---|---|
| names | []string | false |
EgressGateway
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | gateway.tsb.tetrate.io/v2 | true |
| kind | string | EgressGateway | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object |
| false |
| status | object | false |
EgressGateway.spec
EgressGateway configures a workload to act as an egress gateway in the mesh.
| Name | Type | Description | Required |
|---|---|---|---|
| authorization | []object | The description of which service accounts can access which hosts. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | false | |
| fqn | string | Fully-qualified name of the resource. | false |
| workloadSelector | object | false |
EgressGateway.spec.authorization[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | The workloads or service accounts this authorization rule applies to. | false |
| to | []string | The external hostnames the workload(s) described in this rule can access. | false |
EgressGateway.spec.authorization[index].from
The workloads or service accounts this authorization rule applies to.
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | This is for configuring HTTP request authorization. | false |
| mode | enum | A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object | false | |
| serviceAccounts | []string | false |
EgressGateway.spec.authorization[index].from.http
This is for configuring HTTP request authorization.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | false | |
| local | object | false |
EgressGateway.spec.authorization[index].from.http.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | false | |
| tls | object | false | |
| uri | string | false |
EgressGateway.spec.authorization[index].from.http.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | false | |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string | false |
EgressGateway.spec.authorization[index].from.http.external.tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | false | |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
EgressGateway.spec.authorization[index].from.http.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | false |
EgressGateway.spec.authorization[index].from.http.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | false | |
| name | string | A friendly name to identify the binding. | false |
| to | []object | false |
EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identity the subject. | false |
EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index].jwt
JWT configuration to identity the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | false | |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | false |
EgressGateway.spec.authorization[index].from.http.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path where the request is made against. | false |
EgressGateway.spec.authorization[index].from.rules
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
EgressGateway.spec.authorization[index].from.rules.allow[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |
EgressGateway.spec.authorization[index].from.rules.allow[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
EgressGateway.spec.authorization[index].from.rules.allow[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
EgressGateway.spec.authorization[index].from.rules.deny[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |
EgressGateway.spec.authorization[index].from.rules.deny[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
EgressGateway.spec.authorization[index].from.rules.deny[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
EgressGateway.spec.extension[index]
| Name | Type | Description | Required |
|---|---|---|---|
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | Fqn of the extension to be executed. | false |
EgressGateway.spec.workloadSelector
| Name | Type | Description | Required |
|---|---|---|---|
| labels | map[string]string | false | |
| namespace | string | The namespace where the workload resides. | false |