Traffic Setting

Traffic Settings allow configuring the behavior of the proxy workloads in a set of namespaces owned by a traffic group. Specifically, it allows configuring the dependencies of proxy workloads on namespaces outside the traffic group as well as reliability settings for outbound calls made by the proxy workloads to other services.

The following example creates a traffic group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany. It then defines a traffic setting for the all workloads in these namespaces, adding a dependency on all the services in the shared db namespace, and forwarding all unknown traffic via the egress gateway in the istio-system namespace.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated traffic settings for the proxy workloads:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  reachability:
    mode: CUSTOM
    hosts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "db/*"
  resilience:
    circuitBreakerSensitivity: MEDIUM
  egress:
    host: istio-system/istio-egressgateway

The following traffic setting confines the reachability of proxy workloads in the traffic group t1 to other namespaces inside the group. The resilience and egress gateway settings will be inherited from the workspace wide traffic setting.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  reachability:
    mode: GROUP

HTTPRetry

HTTPRetry defines the parameters for retrying API calls to a service.

Field	Description	Validation Rule
attempts	int32 REQUIRED Number of retries for a given request. The interval between retries will be determined automatically (25ms+). Actual number of retries attempted depends on the httpReqTimeout.	int32 = {   gte: 1 }
perTryTimeout	google.protobuf.Duration Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.	–
retryOn	string Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. See the retry policies and gRPC retry policies for more details.	string = {   pattern: ^$|^(5xx|gateway-error|reset|connect-failure|envoy-ratelimited|retriable-4xx|refused-stream|retriable-status-codes|retriable-headers|cancelled|deadline-exceeded|internal|resource-exhausted|unavailable)(,(5xx|gateway-error|reset|connect-failure|envoy-ratelimited|retriable-4xx|refused-stream|retriable-status-codes|retriable-headers|cancelled|deadline-exceeded|internal|resource-exhausted|unavailable))*$ }

KeepAliveSettings

Keep Alive Settings.

Field	Description	Validation Rule
tcp	tetrateio.api.tsb.traffic.v2.KeepAliveSettings.TcpKeepAliveSettings TCP Keep Alive settings associated with the upstream and downstream TCP connections.	–

TcpKeepAliveSettings

TCP Keep Alive Settings.

Field	Description	Validation Rule
downstream	tetrateio.api.tsb.traffic.v2.KeepAliveSettings.TcpKeepAliveSettings.TcpKeepAlive TCP Keep Alive Settings associated with the downstream (client) connection.	–
upstream	tetrateio.api.tsb.traffic.v2.KeepAliveSettings.TcpKeepAliveSettings.TcpKeepAlive TCP Keep Alive Settings associated with the upstream (backend) connection.	–

TcpKeepAlive

Field	Description	Validation Rule
probes	google.protobuf.UInt32Value The total number of unacknowledged probes to send before deciding the connection is dead. Default is to use the OS level configuration, Linux defaults to 9.	–
idleTime	google.protobuf.UInt32Value The number of seconds a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration, Linux defaults to 7200s.	–
interval	google.protobuf.UInt32Value The number of seconds between keep-alive probes. Default is to use the OS level configuration, Linux defaults to 75s.	–

ReachabilitySettings

ReachabilitySettings define the set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Defining the set of services accessed by a workload (i.e. its dependencies) in advance reduces the memory and CPU consumption both the Istio control plane and the individual Envoy proxy workloads in the data plane.

Field	Description	Validation Rule
mode	tetrateio.api.tsb.traffic.v2.ReachabilitySettings.Mode A short cut for specifying the set of services accessed by the workload.	–
hosts	List of string When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach. Must be in the \<namespace\>/\<fqdn\> format. ./* indicates all services in the namespace where the sidecar resides. ns1/* indicates all services in the ns1 namespace. ns1/svc1.com indicates svc1.com service in ns1 namespace. */svc1.com indicates svc1.com service in any namespace.	–

ResilienceSettings

ResilienceSettings control the reliability knobs in Envoy when making outbound connections from a gateway or proxy workload.

Field	Description	Validation Rule
httpRequestTimeout	google.protobuf.Duration Timeout for HTTP requests. Disabled if not set.	–
httpRetries	tetrateio.api.tsb.traffic.v2.HTTPRetry Retry policy for HTTP requests. Disabled if not set.	–
tcpKeepalive	google.protobuf.BoolValue Deprecated. This field will be removed in upcoming releases. Please use the keep_alive field instead. If enabled, sets SO_KEEPALIVE on the socket to enable TCP keepalive.	–
keepAlive	tetrateio.api.tsb.traffic.v2.KeepAliveSettings Keep Alive Settings.	–
circuitBreakerSensitivity	tetrateio.api.tsb.traffic.v2.ResilienceSettings.Sensitivity Circuit breakers in Envoy are applied per endpoint in a load balancing pool. By default, circuit breakers are disabled. If set, the sensitivity level determines the maximum number of consecutive failures that Envoy will tolerate before ejecting an endpoint from the load balancing pool.	–

TrafficSetting

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

Field	Description	Validation Rule
reachability	tetrateio.api.tsb.traffic.v2.ReachabilitySettings The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Defining the set of services accessed by a workload (i.e. its dependencies) in advance reduces the memory and CPU consumption both the Istio control plane and the individual Envoy proxy workloads in the data plane.	–
resilience	tetrateio.api.tsb.traffic.v2.ResilienceSettings Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.	–
egress	tetrateio.api.tsb.traffic.v2.TrafficSetting.EgressGateway Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload. If not specified, the proxy workload will send the unknown traffic directly to the IP requested by the application.	–
rateLimiting	tetrateio.api.tsb.gateway.v2.RateLimiting Configuration for rate limiting requests. These settings are only applied to sidecar proxies in the traffic group. Use the rateLimiting field in the Tier1Gateway and the Ingressgateway API to configure ratelimiting at the ingressgateway proxies.	–
configGenerationMetadata	tetrateio.api.tsb.types.v2.ConfigGenerationMetadata Metadata values that will be add into the Istio generated configurations. When using YAML APIs liketctl or gitops, put them into the metadata.labels or metadata.annotations instead. This field is only necessary when using gRPC APIs directly.	–

EgressGateway

EgressGateway specifies the gateway where traffic external to the mesh will be redirected.

Field	Description	Validation Rule
host	string REQUIRED Specifies the egress gateway hostname. Must be in \<namespace\>/\<fqdn\> format.	string = {   pattern: ^[^/]+/[^/]+$ }
port	int32 Deprecated. This field is ignored and will be removed in upcoming releases. Specifies the port on the host to connect to.	–

Mode

A short cut for defining the common reachability patterns

Field	Number	Description
UNSET	0	Inherit from parent if possible. Otherwise treated as CLUSTER.
NAMESPACE	1	The workload may talk to any service in its own namespace.
GROUP	2	The workload may talk to any service in the traffic group.
WORKSPACE	3	The workload may talk to any service in the workspace.
CLUSTER	4	The workload may talk to any service in the cluster.
CUSTOM	5	The workload may talk to services defined explicitly.

Sensitivity

Available sensitivity levels for the circuit breaker.

Field	Number	Description
UNSET	0	Default values will be used.
LOW	1	Tolerate up to 20 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool.
MEDIUM	2	Tolerate up to 10 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool.
HIGH	3	Tolerate up to 5 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool.