Skip to main content
logoTetrate Service BridgeVersion: 1.9.x

application.tsb.tetrate.io/v2

Resource Types:

API

↩ Parent

NameTypeDescriptionRequired
apiVersionstringapplication.tsb.tetrate.io/v2true
kindstringAPItrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

An API configuring a set of servers and endpoints that expose the Application business logic.

false
statusobject
false

API.spec

↩ Parent

An API configuring a set of servers and endpoints that expose the Application business logic.

NameTypeDescriptionRequired
configResources[]object

The configuration resources that are related to this API object.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
endpoints[]object

List of endpoints exposed by this API.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
httpServers[]object

List of gateways servers that expose the API.

false
openapistring

The raw OpenAPI spec for this API.

false
servers[]object

DEPRECATED: For new created APIs, the exposed servers will be available at httpServers.

false
workloadSelectorobject
false

API.spec.configResources[index]

↩ Parent

NameTypeDescriptionRequired
exclusivelyOwnedboolean
false
expectedEtagstring
false
fqnstring

The FQN of the resource this status is computed for.

false

API.spec.endpoints[index]

↩ Parent

NameTypeDescriptionRequired
exposedByobject

The exposer of this endpoint.

false
hostnames[]string

The list of hostnames where this endpoint is exposed.

false
methods[]string

The list of HTTP methods this endpoint supports.

false
pathstring

The HTTP path of the endpoint, relative to the hostnames exposed by the API.

false
servicestring

DEPRECATED: For new created APIs, the exposed servers will be available at httpServers.

false

API.spec.endpoints[index].exposedBy

↩ Parent

The exposer of this endpoint.

NameTypeDescriptionRequired
clusterGroupobject

The clusters that are exposing a concrete endpoint.

false
servicestring

The FQN of the service in the service registry that is exposing a concrete endpoint.

false

API.spec.endpoints[index].exposedBy.clusterGroup

↩ Parent

The clusters that are exposing a concrete endpoint.

NameTypeDescriptionRequired
clusters[]object

The clusters that contain gateways exposing the HTTPEndpoint.

false

API.spec.endpoints[index].exposedBy.clusterGroup.clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the cluster exposing the endpoint.

false
weightinteger

The weight for traffic to a cluster exposing the endpoint.


Minimum: 0
Maximum: 4.294967295e+09

false

API.spec.httpServers[index]

↩ Parent

NameTypeDescriptionRequired
authenticationobject
false
authorizationobject

Authorization is used to configure authorization of end users.

false
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

false
namestring

A name assigned to the server.

false
portinteger

The port where the server is exposed at the gateway workload(pod).


Minimum: 0
Maximum: 4.294967295e+09

false
rateLimitingobject

Configuration for rate limiting requests.

false
routingobject

Routing rules associated with HTTP traffic to this server.

false
tlsobject

TLS certificate info.

false
trafficModeenum

Traffic mode specifies the type of configuration applied to this server.


Enum: AUTO, INGRESS, EGRESS, TRANSIT

false
transitboolean

If set to true, the server is configured to be exposed within the mesh.

false

API.spec.httpServers[index].authentication

↩ Parent

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

API.spec.httpServers[index].authentication.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
audiences[]string
false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
issuerstring

Identifies the issuer that issued the JWT.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring
false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring
false

API.spec.httpServers[index].authentication.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

false
prefixstring

The prefix that should be stripped before decoding the token.

false

API.spec.httpServers[index].authentication.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

false
headerstring

The name of the header to be created.

false

API.spec.httpServers[index].authentication.oidc

↩ Parent

NameTypeDescriptionRequired
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
clientIdstring

The client_id to be used in the authorize calls.

false
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
providerobject

The OIDC Provider configuration.

false
redirectPathMatcherstring
false
redirectUristring
false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false

API.spec.httpServers[index].authentication.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
issuerstring

The OIDC Provider's issuer identifier.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

API.spec.httpServers[index].authentication.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

API.spec.httpServers[index].authentication.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
audiences[]string
false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
issuerstring

Identifies the issuer that issued the JWT.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring
false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring
false

API.spec.httpServers[index].authentication.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

false
prefixstring

The prefix that should be stripped before decoding the token.

false

API.spec.httpServers[index].authentication.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

false
headerstring

The name of the header to be created.

false

API.spec.httpServers[index].authorization

↩ Parent

Authorization is used to configure authorization of end users.

NameTypeDescriptionRequired
externalobject
false
localobject
false

API.spec.httpServers[index].authorization.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
tlsobject
false
uristring
false

API.spec.httpServers[index].authorization.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

API.spec.httpServers[index].authorization.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

API.spec.httpServers[index].authorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

API.spec.httpServers[index].authorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
from[]object
false
namestring

A friendly name to identify the binding.

false
to[]object
false

API.spec.httpServers[index].authorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

API.spec.httpServers[index].authorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

API.spec.httpServers[index].authorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

API.spec.httpServers[index].rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

API.spec.httpServers[index].rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

false
failClosedboolean
false
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

false
rules[]object

A set of rate limit rules.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject
false

API.spec.httpServers[index].rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

false

API.spec.httpServers[index].rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

API.spec.httpServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

false
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
headersmap[string]object
false

API.spec.httpServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

API.spec.httpServers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

false
headerNamestring

The header name to be queried from the request headers.

false

API.spec.httpServers[index].rateLimiting.externalService.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

API.spec.httpServers[index].rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

API.spec.httpServers[index].rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
failClosedboolean
false
rules[]object

A list of rules for ratelimiting.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

API.spec.httpServers[index].rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

false
limitobject

The ratelimit value that will be configured for the above rules.

false

API.spec.httpServers[index].rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

API.spec.httpServers[index].rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
namestring

Name of the header to match on.

false
valueobject

Value of the header to match on if matching on a specific value.

false

API.spec.httpServers[index].rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

API.spec.httpServers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

false

API.spec.httpServers[index].rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.


Minimum: 0
Maximum: 4.294967295e+09

false
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

false

API.spec.httpServers[index].routing

↩ Parent

Routing rules associated with HTTP traffic to this server.

NameTypeDescriptionRequired
corsPolicyobject

Cross origin resource request policy settings for all routes.

false
rules[]object

HTTP routes.

false

API.spec.httpServers[index].routing.corsPolicy

↩ Parent

Cross origin resource request policy settings for all routes.

NameTypeDescriptionRequired
allowCredentialsboolean
false
allowHeaders[]string

List of HTTP headers that can be used when requesting the resource.

false
allowMethods[]string

List of HTTP methods allowed to access the resource.

false
allowOrigin[]string

The list of origins that are allowed to perform CORS requests.

false
exposeHeaders[]string

A white list of HTTP headers that the browsers are allowed to access.

false
maxAgestring

Specifies how long the results of a preflight request can be cached.

false

API.spec.httpServers[index].routing.rules[index]

↩ Parent

NameTypeDescriptionRequired
directResponseobject

Return a fixed response.

false
disableExternalAuthorizationboolean
false
match[]object

One or more match conditions (OR-ed).

false
modifyobject

One or more mutations to be performed before forwarding.

false
redirectobject

Redirect the request to a different host or URL or both.

false
routeobject

Forward the request to the specified destination(s).

false

API.spec.httpServers[index].routing.rules[index].directResponse

↩ Parent

Return a fixed response.

NameTypeDescriptionRequired
bodyobject

Specifies the content of the response body.

false
statusinteger

Specifies the HTTP response status to be returned.


Minimum: 0
Maximum: 4.294967295e+09

false

API.spec.httpServers[index].routing.rules[index].directResponse.body

↩ Parent

Specifies the content of the response body.

NameTypeDescriptionRequired
bytesstring

response body as base64 encoded bytes.


Format: binary

false
stringstring
false

API.spec.httpServers[index].routing.rules[index].match[index]

↩ Parent

NameTypeDescriptionRequired
headersmap[string]object

The header keys must be lowercase and use hyphen as the separator, e.g.

false
uriobject

URI to match.

false

API.spec.httpServers[index].routing.rules[index].match[index].headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

API.spec.httpServers[index].routing.rules[index].match[index].uri

↩ Parent

URI to match.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

API.spec.httpServers[index].routing.rules[index].modify

↩ Parent

One or more mutations to be performed before forwarding.

NameTypeDescriptionRequired
headersobject

Add/remove/overwrite one or more HTTP headers in a request or response.

false
rewriteobject

Rewrite the HTTP Host or URL or both.

false

API.spec.httpServers[index].routing.rules[index].modify.headers

↩ Parent

Add/remove/overwrite one or more HTTP headers in a request or response.

NameTypeDescriptionRequired
requestobject

Header manipulation rules to apply before forwarding a request to the destination service.

false
responseobject

Header manipulation rules to apply before returning a response to the caller.

false

API.spec.httpServers[index].routing.rules[index].modify.headers.request

↩ Parent

Header manipulation rules to apply before forwarding a request to the destination service.

NameTypeDescriptionRequired
addmap[string]string
false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

API.spec.httpServers[index].routing.rules[index].modify.headers.response

↩ Parent

Header manipulation rules to apply before returning a response to the caller.

NameTypeDescriptionRequired
addmap[string]string
false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

API.spec.httpServers[index].routing.rules[index].modify.rewrite

↩ Parent

Rewrite the HTTP Host or URL or both.

NameTypeDescriptionRequired
authoritystring

Rewrite the Authority/Host header with this value.

false
uristring

Rewrite the path (or the prefix) portion of the URI with this value.

false

API.spec.httpServers[index].routing.rules[index].redirect

↩ Parent

Redirect the request to a different host or URL or both.

NameTypeDescriptionRequired
authoritystring

On a redirect, overwrite the Authority/Host portion of the URL with this value.

false
portinteger

Minimum: 0
Maximum: 4.294967295e+09

false
redirectCodeinteger

Minimum: 0
Maximum: 4.294967295e+09

false
schemestring

On a redirect, overwrite the scheme with this one.

false
uristring

On a redirect, overwrite the Path portion of the URL with this value.

false

API.spec.httpServers[index].routing.rules[index].route

↩ Parent

Forward the request to the specified destination(s).

NameTypeDescriptionRequired
clusterDestinationobject
false
serviceDestinationobject

RouteToService represents the service running in clusters.

false

API.spec.httpServers[index].routing.rules[index].route.clusterDestination

↩ Parent

NameTypeDescriptionRequired
clusters[]object

The destination clusters that contain ingress gateways exposing the hostname.

false

API.spec.httpServers[index].routing.rules[index].route.clusterDestination.clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.


Minimum: 0
Maximum: 4.294967295e+09

false

API.spec.httpServers[index].routing.rules[index].route.serviceDestination

↩ Parent

RouteToService represents the service running in clusters.

NameTypeDescriptionRequired
hoststring

The destination service in &#003C;namespace&#003E;/&#003C;fqdn&#003E;.

false
portinteger

The port on the service to forward the request to.


Minimum: 0
Maximum: 4.294967295e+09

false
tlsobject
false

API.spec.httpServers[index].routing.rules[index].route.serviceDestination.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

API.spec.httpServers[index].routing.rules[index].route.serviceDestination.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

API.spec.httpServers[index].tls

↩ Parent

TLS certificate info.

NameTypeDescriptionRequired
cipherSuites[]string

List of cipher suites to be used for TLS connections.

false
filesobject
false
maxProtocolVersionenum

Set the maximum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
minProtocolVersionenum

Set the minimum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL

false
secretNamestring
false
subjectAltNames[]string
false

API.spec.httpServers[index].tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

API.spec.servers[index]

↩ Parent

NameTypeDescriptionRequired
authenticationobject

Configuration to authenticate clients.

false
authorizationobject

Configuration to authorize a request.

false
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

false
namestring

A name assigned to the server.

false
portinteger

The port where the server is exposed.


Minimum: 0
Maximum: 4.294967295e+09

false
rateLimitingobject

Configuration for rate limiting requests.

false
routingobject

Routing rules associated with HTTP traffic to this service.

false
tlsobject

TLS certificate info.

false
xxxOldAuthenticationobject
false
xxxOldAuthorizationobject
false

API.spec.servers[index].authentication

↩ Parent

Configuration to authenticate clients.

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

API.spec.servers[index].authentication.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
audiences[]string
false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
issuerstring

Identifies the issuer that issued the JWT.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring
false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring
false

API.spec.servers[index].authentication.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

false
prefixstring

The prefix that should be stripped before decoding the token.

false

API.spec.servers[index].authentication.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

false
headerstring

The name of the header to be created.

false

API.spec.servers[index].authentication.oidc

↩ Parent

NameTypeDescriptionRequired
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
clientIdstring

The client_id to be used in the authorize calls.

false
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
providerobject

The OIDC Provider configuration.

false
redirectPathMatcherstring
false
redirectUristring
false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false

API.spec.servers[index].authentication.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
issuerstring

The OIDC Provider's issuer identifier.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

API.spec.servers[index].authentication.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

API.spec.servers[index].authentication.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
audiences[]string
false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
issuerstring

Identifies the issuer that issued the JWT.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring
false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring
false

API.spec.servers[index].authentication.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

false
prefixstring

The prefix that should be stripped before decoding the token.

false

API.spec.servers[index].authentication.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

false
headerstring

The name of the header to be created.

false

API.spec.servers[index].authorization

↩ Parent

Configuration to authorize a request.

NameTypeDescriptionRequired
externalobject
false
localobject
false

API.spec.servers[index].authorization.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
tlsobject
false
uristring
false

API.spec.servers[index].authorization.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

API.spec.servers[index].authorization.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

API.spec.servers[index].authorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

API.spec.servers[index].authorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
from[]object
false
namestring

A friendly name to identify the binding.

false
to[]object
false

API.spec.servers[index].authorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

API.spec.servers[index].authorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

API.spec.servers[index].authorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

API.spec.servers[index].rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

API.spec.servers[index].rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

false
failClosedboolean
false
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

false
rules[]object

A set of rate limit rules.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject
false

API.spec.servers[index].rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

false

API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

false
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
headersmap[string]object
false

API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

false
headerNamestring

The header name to be queried from the request headers.

false

API.spec.servers[index].rateLimiting.externalService.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

API.spec.servers[index].rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring
false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

API.spec.servers[index].rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
failClosedboolean
false
rules[]object

A list of rules for ratelimiting.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

API.spec.servers[index].rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

false
limitobject

The ratelimit value that will be configured for the above rules.

false

API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
namestring

Name of the header to match on.

false
valueobject

Value of the header to match on if matching on a specific value.

false

API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

false

API.spec.servers[index].rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.


Minimum: 0
Maximum: 4.294967295e+09

false
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

false

API.spec.servers[index].routing

↩ Parent

Routing rules associated with HTTP traffic to this service.

NameTypeDescriptionRequired
corsPolicyobject

Cross origin resource request policy settings for all routes.

false
rules[]object

HTTP routes.

false

API.spec.servers[index].routing.corsPolicy

↩ Parent

Cross origin resource request policy settings for all routes.

NameTypeDescriptionRequired
allowCredentialsboolean
false
allowHeaders[]string

List of HTTP headers that can be used when requesting the resource.

false
allowMethods[]string

List of HTTP methods allowed to access the resource.

false
allowOrigin[]string

The list of origins that are allowed to perform CORS requests.

false
exposeHeaders[]string

A white list of HTTP headers that the browsers are allowed to access.

false
maxAgestring

Specifies how long the results of a preflight request can be cached.

false

API.spec.servers[index].routing.rules[index]

↩ Parent

NameTypeDescriptionRequired
directResponseobject

Return a fixed response.

false
match[]object

One or more match conditions (OR-ed).

false
modifyobject

One or more mutations to be performed before forwarding.

false
redirectobject

Redirect the request to a different host or URL or both.

false
routeobject

Forward the request to the specified destination(s).

false

API.spec.servers[index].routing.rules[index].directResponse

↩ Parent

Return a fixed response.

NameTypeDescriptionRequired
bodyobject

Specifies the content of the response body.

false
statusinteger

Specifies the HTTP response status to be returned.


Minimum: 0
Maximum: 4.294967295e+09

false

API.spec.servers[index].routing.rules[index].directResponse.body

↩ Parent

Specifies the content of the response body.

NameTypeDescriptionRequired
bytesstring

response body as base64 encoded bytes.


Format: binary

false
stringstring
false

API.spec.servers[index].routing.rules[index].match[index]

↩ Parent

NameTypeDescriptionRequired
headersmap[string]object

The header keys must be lowercase and use hyphen as the separator, e.g.

false
uriobject

URI to match.

false

API.spec.servers[index].routing.rules[index].match[index].headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

API.spec.servers[index].routing.rules[index].match[index].uri

↩ Parent

URI to match.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

API.spec.servers[index].routing.rules[index].modify

↩ Parent

One or more mutations to be performed before forwarding.

NameTypeDescriptionRequired
headersobject

Add/remove/overwrite one or more HTTP headers in a request or response.

false
rewriteobject

Rewrite the HTTP Host or URL or both.

false

API.spec.servers[index].routing.rules[index].modify.headers

↩ Parent

Add/remove/overwrite one or more HTTP headers in a request or response.

NameTypeDescriptionRequired
requestobject

Header manipulation rules to apply before forwarding a request to the destination service.

false
responseobject

Header manipulation rules to apply before returning a response to the caller.

false

API.spec.servers[index].routing.rules[index].modify.headers.request

↩ Parent

Header manipulation rules to apply before forwarding a request to the destination service.

NameTypeDescriptionRequired
addmap[string]string
false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

API.spec.servers[index].routing.rules[index].modify.headers.response

↩ Parent

Header manipulation rules to apply before returning a response to the caller.

NameTypeDescriptionRequired
addmap[string]string
false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

API.spec.servers[index].routing.rules[index].modify.rewrite

↩ Parent

Rewrite the HTTP Host or URL or both.

NameTypeDescriptionRequired
authoritystring

Rewrite the Authority/Host header with this value.

false
uristring

Rewrite the path (or the prefix) portion of the URI with this value.

false

API.spec.servers[index].routing.rules[index].redirect

↩ Parent

Redirect the request to a different host or URL or both.

NameTypeDescriptionRequired
authoritystring

On a redirect, overwrite the Authority/Host portion of the URL with this value.

false
portinteger

Minimum: 0
Maximum: 4.294967295e+09

false
redirectCodeinteger

Minimum: 0
Maximum: 4.294967295e+09

false
schemestring

On a redirect, overwrite the scheme with this one.

false
uristring

On a redirect, overwrite the Path portion of the URL with this value.

false

API.spec.servers[index].routing.rules[index].route

↩ Parent

Forward the request to the specified destination(s).

NameTypeDescriptionRequired
hoststring
false
portinteger

The port on the service to forward the request to.


Minimum: 0
Maximum: 4.294967295e+09

false

API.spec.servers[index].tls

↩ Parent

TLS certificate info.

NameTypeDescriptionRequired
cipherSuites[]string

List of cipher suites to be used for TLS connections.

false
filesobject
false
maxProtocolVersionenum

Set the maximum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
minProtocolVersionenum

Set the minimum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL

false
secretNamestring
false
subjectAltNames[]string
false

API.spec.servers[index].tls.files

↩ Parent

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

API.spec.servers[index].xxxOldAuthentication

↩ Parent

NameTypeDescriptionRequired
jwtobject
false

API.spec.servers[index].xxxOldAuthentication.jwt

↩ Parent

NameTypeDescriptionRequired
audiences[]string
false
issuerstring

Identifies the issuer that issued the JWT.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring
false

API.spec.servers[index].xxxOldAuthorization

↩ Parent

NameTypeDescriptionRequired
externalobject
false
localobject
false

API.spec.servers[index].xxxOldAuthorization.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
uristring
false

API.spec.servers[index].xxxOldAuthorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

API.spec.servers[index].xxxOldAuthorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
from[]object
false
namestring

A friendly name to identify the binding.

false
to[]object
false

API.spec.servers[index].xxxOldAuthorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

API.spec.servers[index].xxxOldAuthorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

API.spec.servers[index].xxxOldAuthorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

API.spec.workloadSelector

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string
false
namespacestring

The namespace where the workload resides.

false

Application

↩ Parent

NameTypeDescriptionRequired
apiVersionstringapplication.tsb.tetrate.io/v2true
kindstringApplicationtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject
false
statusobject
false

Application.spec

↩ Parent

NameTypeDescriptionRequired
configResources[]object

The configuration resources that are related to this Application.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
gatewayGroupstring

Optional FQN of the Gateway Group to be used by the application.

false
namespaceSelectorobject

Optional set of namespaces this application can configure.

false
services[]string

Optional list of services that are part of the application.

false
workspacestring

FQN of the workspace this application is part of.

false

Application.spec.configResources[index]

↩ Parent

NameTypeDescriptionRequired
exclusivelyOwnedboolean
false
expectedEtagstring
false
fqnstring

The FQN of the resource this status is computed for.

false

Application.spec.namespaceSelector

↩ Parent

Optional set of namespaces this application can configure.

NameTypeDescriptionRequired
names[]string
false