x-tsb-service | string Short name of the service in the TSB service registry where the path is
exposed. If the extension is configured in the info section, all paths in
the spec will be mapped to this service. This service name will be used to generate all the routes for traffic
coming to the associated paths. OpenAPI extension name: x-tsb-service<br/>
Applies to: info, path<br/>
Required: Required unless x-tsb-redirect or x-tsb-clusters is defined for the target paths. Example: openapi: 3.0.0 info: title: Sample API version: 0.1.9 x-tsb-service: productpage.bookinfo paths: /users: x-tsb-service: productpage.bookinfo get: summary: Returns a list of users.
| – |
x-tsb-redirect | tetrateio.api.tsb.gateway.v2.Redirect Configures a redirection for the given path.
If a redirection is configured for a given path, the x-tsb-service
extension can be omitted. OpenAPI extension name: x-tsb-redirect<br/>
Applies to: path<br/>
Required: false Example: paths: /users: x-tsb-redirect: uri: /v2/users get: summary: Returns a list of users.
| – |
x-tsb-tls | tetrateio.api.tsb.gateway.v2.ServerTLSSettings Configures the TLS settings for a given server. If omitted, the
server will be configured to serve plain text connections. OpenAPI extension name: x-tsb-redirect<br/>
Applies to: server<br/>
Required: false Example: openapi: 3.0.0 servers: - url: http://api.example.com/v1 x-tsb-tls: mode: SIMPLE secretName: api-certs
| – |
x-tsb-cors | tetrateio.api.tsb.gateway.v2.CorsPolicy Configures CORS policy settings for the given server.
Note that Service Bridge does not currently support per-path CORS
settings, so this applies at a server level. OpenAPI extension name: x-tsb-cors<br/>
Applies to: server<br/>
Required: false Example: openapi: 3.0.0 servers: - url: http://api.example.com/v1 x-tsb-cors: allowOrigin: - "*"
| – |
x-tsb-authentication | tetrateio.api.tsb.auth.v2.Authentication Configures Authentication rules for the given server.
This extension must be configured if the Authorization is configured
with rules based on JWT tokens. OpenAPI extension name: x-tsb-authentication<br/>
Applies to: server<br/>
Required: Required if Authorization is based on JWT tokens. Example: openapi: 3.0.0 servers: - url: http://api.example.com/v1 x-tsb-authentication: jwt: issuer: https://www.googleapis.com/oauth2/v1/certs audience: bookinfo
| – |
x-tsb-external-authorization | tetrateio.api.tsb.auth.v2.Authorization.ExternalAuthzBackend Configures an external authorization server to handle all authorization requests
for the configured server. OpenAPI extension name: x-tsb-external-authorization<br/>
Applies to: server<br/>
Required: false Example: openapi: 3.0.0 servers: - url: http://api.example.com/v1 x-tsb-external-authorization: uri: http://authz-server.example.com includeRequestHeaders: - Authorization
| – |
x-tsb-jwt-authorization | tetrateio.api.tsb.application.v2.OpenAPIExtensions.JWTAuthz Configures Authorization based on JWT tokens. Note that if this is configured, the x-tsb-authentication extension must
be configured for the servers so the tokens can be properly validated and
trusted before reading their contents to enforce access control rules. This can be applied at the server or path level. When applied at the server level,
the authorization rules will be enforced for all paths in that server. OpenAPI extension name: x-tsb-jwt-authorization<br/>
Applies to: server, path<br/>
Required: false Example: openapi: 3.0.0 servers: - url: http://api.example.com/v1 x-tsb-authorization: claims: - iss: https://www.googleapis.com/oauth2/v1/certs sub: expected-subject other: group: engineering paths: /users: x-tsb-authorization: claims: - other: group: admin
| – |
x-tsb-ratelimiting | tetrateio.api.tsb.gateway.v2.RateLimitSettings Configures settings for ratelimiting requests This can be applied at the server, path and operation level.
Each rate limit setting is independent of the other.
Top level fields such as failClosed and timeout
can be only be specified at the server level.
The dimensions are automatically populated based on the path
attributes, and users are allowed to append more dimensions
as well OpenAPI extension name: x-tsb-ratelimiting<br/>
Applies to: server, path, operation<br/>
Required: false Example: openapi: 3.0.0 servers: - url: http://api.example.com/v1 x-tsb-ratelimiting: failClosed: false timeout: 0.03s rules: - dimensions: - header: name: x-user-id - header: name: ":method" value: exact: GET limit: requestsPerUnit: 10 unit: MINUTE paths: /users: x-tsb-ratelimiting: rules: - limit: requestsPerUnit: 5 unit: SECOND post: x-tsb-ratelimiting: rules: - limit: requestsPerUnit: 10 unit: SECOND
| – |
x-tsb-external-ratelimiting | tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings Configures settings for ratelimiting requests using an external ratelimit server
This can be applied at the server, path and operation level.
Each setting is independent of the other.
Top level fields such as domain and rateLimitServerUri must
only be specified at the server level.
The 'headersfield within the headerValueMatch dimension field is automatically populated when this annotation is used at the path and operation level and the headers` field is unset.
Users are allowed to append more values as well. OpenAPI extension name: x-tsb-external-ratelimiting<br/>
Applies to: server, path, operation<br/>
Required: false Example: openapi: 3.0.0 servers: - url: http://api.example.com/v1 x-tsb-external-ratelimiting: domain: "my-api-domain" rateLimitServerUri: "grpc://ratelimiter.bar.com" rules: - dimensions: - requestHeaders: headerName: "x-user-id" descriptorKey: "desc-key-1" - headerValueMatch: descriptorValue: "desc-value-1" headers: ":method": exact: "GET" - remoteAddress: \{\} paths: /users: x-tsb-external-ratelimiting: rules: - dimensions: - headerValueMatch: descriptorValue: "desc-value-2" post: x-tsb-external-ratelimiting: rules: - dimensions: - headerValueMatch: descriptorValue: "desc-value-3"
| – |
x-tsb-wasm-extensions | tetrateio.api.tsb.application.v2.OpenAPIWasmExtensionAttachment Configures WASM extensions associated to the Ingress Gateway generated from the API OpenAPI definition.
This list of extensions can be assigned to the info level as there is only one IngressGateway per API. OpenAPI extension name: x-tsb-wasm-extensions<br/>
Applies to: info<br/>
Required: false Example: openapi: 3.0.0 info: title: Sample API version: 0.1.9 x-tsb-wasm-extensions: - name: wasm-header config: header: x-wasm-header value: api-tsb paths: /users: x-tsb-service: productpage.bookinfo get: summary: Returns a list of users.
| – |
x-tsb-wasm-definitions | tetrateio.api.tsb.extension.v2.WasmExtension Configures WASM extensions definitions used in the attachments from the API OpenAPI definition.
This list of extensions can be assigned to the info level.
Inline extension definition is ONLY allowed when using App Ingress. When using it in a TSB application,
only extensions enabled in the TSB extensino catalog can be referenced. OpenAPI extension name: x-tsb-wasm-definitions<br/>
Applies to: info<br/>
Required: false Example: openapi: 3.0.0 info: title: Sample API version: 0.1.9 x-tsb-wasm-extensions: - name: wasm-header config: header: x-wasm-header value: api-tsb x-tsb-wasm-definitions: - fqn: extensions/wasm-header url: oci://docker.io/example/my-wasm-extension:1.0 source: https://github.com/example/wasm-extension phase: AUTHN priority: 200 config: header: x-wasm-header value: def-value paths: /users: x-tsb-service: productpage.bookinfo get: summary: Returns a list of users.
| – |
x-tsb-waf | tetrateio.api.tsb.security.v2.WAFSettings Configures a set of WAF rules to be applied to incoming traffic. OpenAPI extension name: x-tsb-waf<br/>
Applies to: info<br/>
Required: false Example: openapi: 3.0.0 info: title: Sample API version: 0.1.9 x-tsb-waf: rules: - Include @recommended-conf - SecResponseBodyAccess Off - Include @owasp_crs/*.conf paths: /users: x-tsb-service: productpage.bookinfo get: summary: Returns a list of users.
| – |
x-tsb-clusters | tetrateio.api.tsb.gateway.v2.RouteToClusters Short name of the clusters that contain ingress gateways where the path is
exposed. If the extension is configured in the info section, all paths in
the spec will be mapped to clusters. This clusters name will be used to generate all the routes for traffic
coming to the associated paths. OpenAPI extension name: x-tsb-clusters<br/>
Applies to: info, path<br/>
Required: Required unless x-tsb-redirect or x-tsb-service is defined for the target paths. Example: openapi: 3.0.0 info: title: Sample API version: 0.1.9 x-tsb-clusters: clusters: - name: c1 weight: 100 paths: /users: x-tsb-clusters: clusters: - name: c2 weight: 90 - name: c3 weight: 10 get: summary: Returns a list of users.
| – |
x-tsb-transit | bool If this flag is activated (set to true), only the specified path(s) for a given server will be accessible
exclusively within the mesh network. This implies that any external traffic aiming to reach these paths
would be blocked, promoting network isolation and enhanced security. This setting plays a crucial role in traffic forwarding across two different clusters that may not
have a direct connection to each other. It facilitates communication through the mesh network, creating
an indirect link between them. Thus, even if a direct route does not exist, information exchange can still take place. If this extension is applied under the server of the 'info' section, it affects all paths listed
in the 'spec' for that particular server. Consequently, these paths become exclusive to the mesh network,
restricting their accessibility from outside the network. However, if this extension is applied to a single server listed in the path section, its impact is more specific.
It only affects that particular path mentioned in the 'spec' for that server. In turn, this single path is
made exclusive to the mesh network, shielding it from external access. This granular level of control can be
beneficial in cases where only a specific path needs to be isolated, while others remain accessible. In both cases, this helps in controlling and managing traffic flow, especially in large distributed systems where
security and traffic management are critical. This granular control allows for a flexible, security-focused approach
to managing network traffic within the mesh network. OpenAPI extension name: x-tsb-transit<br/>
Applies to: server<br/>
Required: false Example: openapi: 3.0.0 info: title: Sample Internal API version: 0.1.9 servers: - url: http://api.example.com/v1 x-tsb-transit: false paths: /users: get: summary: Returns a list of users that can be accessed from outside. /internalusers: servers: - url: http://internal.api.example.com/v1 x-tsb-transit: true get: summary: Returns a list of internal users only accessible within the mesh.
| – |