{"openapi":"3.0.0","info":{"description":"Tetrate Service Bridge API.","title":"Tetrate Service Bridge API","contact":{"name":"Tetrate Service Bridge","url":"https://www.tetrate.io/tetrate-service-bridge/"},"version":"next"},"paths":{"/v2/admin/rbac/policy":{"get":{"tags":["Policy"],"summary":"Get the global RBAC access policy.\nThe global RBAC access policy configures who can manage the Role objects in TSB.","operationId":"Policy_GetRBACPolicy","responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the global RBAC access policy.\nThe global RBAC access policy configures who can manage the Role objects in TSB.","operationId":"Policy_SetRBACPolicy","requestBody":{"$ref":"#/components/requestBodies/v2AccessPolicy"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/admin/root/policy":{"get":{"tags":["Policy"],"summary":"Get the root access policy.\nThe root access policy configures global permissions for the platform. 
Subjects\nassigned to a root policy will be granted the permissions described in the policy\nto all objects in TSB.","operationId":"Policy_GetRootPolicy","responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the root access policy.\nThe root access policy configures global permissions for the platform. Subjects\nassigned to a root policy will be granted the permissions described in the policy\nto all objects in TSB.","operationId":"Policy_SetRootPolicy","requestBody":{"$ref":"#/components/requestBodies/v2AccessPolicy"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/dashboards":{"get":{"tags":["DashboardService"],"summary":"Return the list of available dashboards, alongside their descriptions.\nDashboards are identified by their names, which can be used to download them.","operationId":"DashboardService_ListDashboards","responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v1ListDashboardsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/dashboards/{name}":{"get":{"tags":["DashboardService"],"summary":"Download a Grafana dashboard in JSON format by providing the dashboard's name.\nThe downloaded dashboard is intended to be uploaded to a Grafana instance. 
Platform\noperators can use each dashboard to monitor specific components of the TSB platform.","operationId":"DashboardService_DownloadDashboard","parameters":[{"description":"The name of the dashboard to download.","name":"name","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apiHttpBody"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/lookup/services":{"post":{"tags":["Lookup"],"summary":"Get all the services in the registry that are part of the given selector.\nThis method can be used to resolve the registered services that are part of a workspace\nor group.\nThis method can be also used to figure out how applying a selector could affect\nthe platform and have an understanding of which of the existing services would be\nincluded in the selection.","operationId":"Lookup_Services","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceLookupRequest"}}},"description":"Request for all the services in the registry that are part of the given selector.","required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceLookupResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/oidc/[^/]+/callback":{"get":{"tags":["OIDC"],"summary":"Callback endpoint for OAuth2 Authorization Code grant flows as part of the OIDC spec.","operationId":"OIDC_Callback2","parameters":[{"description":"OAuth2 Authorization Code.\nWhen present this indicates the user authorized the request. 
TSB will use this code\nto acquire a token from the OIDC token endpoint and complete the login flow.","name":"code","in":"query","schema":{"type":"string"}},{"description":"OAuth2 Error Code.\nWhen present this indicates that either the authorization request has an error, the OIDC\nprovider encountered an error or the user failed to log in. When set TSB will display information\nto the user indicating what went wrong.\n\nStandard error codes can be found here.\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1\nhttps://openid.net/specs/openid-connect-core-1_0.html#AuthError","name":"error","in":"query","schema":{"type":"string"}},{"description":"The state parameter sent to the OIDC provider on the authorization request.","name":"state","in":"query","required":true,"schema":{"type":"string"}},{"description":"Optional error description sent by the OIDC provider when an error occurs.","name":"errorDescription","in":"query","schema":{"type":"string"}},{"description":"Optional error URI of a web page that includes additional information about the error.","name":"errorUri","in":"query","schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/oidc/[^/]+/login":{"get":{"tags":["OIDC"],"summary":"Login endpoint to start an OIDC Authentication flow.","operationId":"OIDC_Login2","parameters":[{"description":"URL where the user will be redirected when the authentication flow completes.","name":"redirectUri","in":"query","schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/oidc/callback":{"get":{"tags":["OIDC"],"summary":"Callback endpoint for OAuth2 Authorization Code grant flows as part of the OIDC spec.","operationId":"OIDC_Callback","parameters":[{"description":"OAuth2 Authorization Code.\nWhen present this indicates the user authorized the request. TSB will use this code\nto acquire a token from the OIDC token endpoint and complete the login flow.","name":"code","in":"query","schema":{"type":"string"}},{"description":"OAuth2 Error Code.\nWhen present this indicates that either the authorization request has an error, the OIDC\nprovider encountered an error or the user failed to log in. When set TSB will display information\nto the user indicating what went wrong.\n\nStandard error codes can be found here.\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1\nhttps://openid.net/specs/openid-connect-core-1_0.html#AuthError","name":"error","in":"query","schema":{"type":"string"}},{"description":"The state parameter sent to the OIDC provider on the authorization request.","name":"state","in":"query","required":true,"schema":{"type":"string"}},{"description":"Optional error description sent by the OIDC provider when an error occurs.","name":"errorDescription","in":"query","schema":{"type":"string"}},{"description":"Optional error URI of a web page that includes additional information about the error.","name":"errorUri","in":"query","schema":{"type":"string"}},{"description":"Optional OIDC configuration name identifier, used when multiple OIDCs configs are set.","name":"name","in":"query","schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/oidc/login":{"get":{"tags":["OIDC"],"summary":"Login endpoint to start an OIDC Authentication flow.","operationId":"OIDC_Login","parameters":[{"description":"URL where the user will be redirected when the authentication flow completes.","name":"redirectUri","in":"query","schema":{"type":"string"}},{"description":"Optional OIDC configuration name identifier, used when multiple OIDCs configs are set.","name":"name","in":"query","schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations":{"get":{"tags":["Organizations"],"summary":"List all existing organizations.\n$hide_from_docs","operationId":"Organizations_ListOrganizations","responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListOrganizationsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Organizations"],"summary":"Creates a new Organization in TSB.\nOrganizations are the top-level construct in TSB and contain all the resources such as\ntenants, workspaces and clusters.\n$hide_from_docs","operationId":"Organizations_CreateOrganization","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2CreateOrganizationRequest"}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Organization"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}":{"get":{"tags":["Organizations"],"summary":"Get the details of an organization.","operationId":"Organizations_GetOrganization","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Organization"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Organizations"],"summary":"Modify an organization.\nUpdate operations are protected against concurrent modifications of the resource. They are required\nto provide the last version of the `etag` field as part of the update request payload.\n$hide_from_docs","operationId":"Organizations_UpdateOrganization","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`Organization` is a root of the Service Bridge object hierarchy. Each\norganization is completely independent of the other with its own set of\ntenants, users, teams, clusters and workspaces.\n\nOrganizations in TSB are tied to an Identity Provider (IdP). 
Users and teams,\nrepresenting the organizational structure, are periodically synchronized\nfrom the IdP into TSB in order to make them available for access policy\nconfiguration.\n\nThe following example creates an organization named `myorg`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Organization\nmetadata:\n  name: myorg\n```\n\n\n\n","type":"object","properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"profiles":{"description":"List of profiles attached to the Organization to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"}},"systemNamespaces":{"description":"List of namespaces that will be considered as system namespaces for the organization\nand will not be able to be onboarded into TSB.\nSystem namespaces are namespaces that should not have sidecars injected and should not be\nconfigured with Istio injection.\nThis is useful for namespaces that are used for infrastructure components like monitoring,\nlogging, cloud provider components, etc. 
and that should not be managed by TSB in the\ncluster namespace onboarding workflows.","type":"array","items":{"type":"string"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Organization"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Organizations"],"summary":"Delete an organization.\nNote that deleting resources in TSB is a recursive operation. Deleting an organization will delete all\ntenants, clusters and all configurations that exist in it.\n$hide_from_docs","operationId":"Organizations_DeleteOrganization","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.\nIf this is set, then the object and all its children will be deleted even if any of them\nhas the deletion protection enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policies settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved 
operation.","operationId":"Approvals_DeleteAccessRequest","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/availableprofiles":{"get":{"tags":["Profiles"],"summary":"Lists the profiles that can be attached to the given resource.\nThe returned profiles contain metadata (fqn, display name and description) information.\nTo retrieve the full profile, rely on `GetProfile` or `ListProfiles` methods.","operationId":"Profiles_ListAvailableProfiles","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListAvailableProfilesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/cleanupresources":{"post":{"tags":["ManageResources"],"summary":"Finds and optionally cleans up unused resources.\nWhen apply=false (default), performs a dry-run and returns the list of\nchanges that would be applied.\nWhen apply=true, applies the changes and returns the set of applied\nchanges for auditing.","operationId":"ManageResources_CleanupResources","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2CleanupResourcesRequest"}}},"description":"Request message for finding and optionally cleaning up resources.","required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2CleanupResourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters":{"get":{"tags":["Clusters"],"summary":"Get the list of all clusters that have been onboarded into the platform.","operationId":"Clusters_ListClusters","parameters":[{"description":"Flag to fetch the workload information for all the clusters as well.\nNote that by default workload information is not returned as it may be expensive to retrieve.","name":"fetchWorkloads","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListClustersResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"description":"This action will also create a service account with permissions to manage this cluster.\nThis service account (aka cluster service account) can be used in the ControlPlane installation to\nauthenticate it through the ManagementPlane.\n\nAs part of the response, a template will be provided (in the field `installTemplate`) with minimum\nconfiguration to be able to install the TSB Operator in the cluster running as ControlPlane.\nThis data is not stored and will be only available in the response of this action.\n\nThis method requires CREATE permissions over the Cluster resource and SET_POLICY permissions over the\nOrganization resource, because it will return the keys for the cluster service account that is created\nwhich has admin-wide permissions.","tags":["Clusters"],"summary":"Creates a new cluster object in TSB. This is needed during cluster onboarding to let the\nmanagement plane know about the existence of a cluster.\nOnce a cluster has been created and fully onboarded, the management plane will manage the\nmesh for that cluster and keep this cluster entity up to date with the information that is\nreported by the cluster agents.\nThis method returns the created cluster, that will be continuously updated by the local\ncluster agents. 
This entity can be monitored to have an overview of the resources (namespaces,\nservices, etc) that are known to be running in the cluster.","operationId":"Clusters_CreateCluster","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a cluster and register it in the management plane so configuration can\nbe generated for it.","type":"object","required":["name","cluster"],"properties":{"cluster":{"$ref":"#/components/schemas/tsbv2Cluster"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbv2Cluster"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}":{"get":{"description":"This method also allows retrieving the install template to onboard the Cluster, by setting the\n`includeInstallTemplate` request field to `true`.\n\nThis requires READ permissions over the Cluster resource, to return the last known state of the cluster.\nThe Organization SET_POLICY permission is needed when the install template is requested, since a new API key pair will be generated for the Cluster's Service Account.","tags":["Clusters"],"summary":"Get the last known state for an onboarded cluster.\nOnce a cluster has been onboarded into the platform, the agents will keep it up to date with\nits runtime status. 
Getting the cluster object will return the last known snapshot of existing\nnamespaces and services running in it.","operationId":"Clusters_GetCluster","parameters":[{"description":"Flag to fetch the workload information as well.\nNote that by default workload information is not returned as it may be expensive to retrieve.","name":"fetchWorkloads","in":"query","schema":{"type":"boolean"}},{"description":"Flag to return the install template required to install this cluster.\nThis will generate a new API key pair for the cluster service account.","name":"includeInstallTemplate","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbv2Cluster"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Clusters"],"summary":"Modify an existing cluster.\nUpdates a cluster with the given data. Note that most of the data in the cluster is read-only and\nautomatically populated by the local cluster agents.","operationId":"Clusters_UpdateCluster","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"A Kubernetes cluster managing both pods and VMs.\n\nEach Kubernetes cluster managed by Service Bridge should be\nonboarded first before configurations can be applied to the\nservices in the cluster. Onboarding a cluster is a two step\nprocess. 
First, create a cluster object under the appropriate\ntenant. Once a cluster object is created, its status field should\nprovide the set of join tokens that will be used by the Service\nBridge agent on the cluster to talk to Service Bridge management\nplane. The second step is to deploy the Service Bridge agent on the\ncluster with the join tokens and deploy Istio on the cluster. The\nfollowing example creates a cluster named c1 under the tenant\nmycompany, indicating that the cluster is deployed on a network\n\"vpc-01\" corresponding to the AWS VPC where it resides.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Cluster\nmetadata:\n  name: c1\n  organization: myorg\n  labels:\n    env: uat-demo\nspec:\n  tokenTtl: \"1h\"\n  network: vpc-01\n```\n\nNote that configuration profiles such as traffic, security and\ngateway groups will flow to the Bridge agents in the cluster as\nlong as their requested cluster exists in the Service Bridge\nhierarchy.\n\n\n\n","type":"object","properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be\nsent on every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"installTemplate":{"$ref":"#/components/schemas/ClusterInstallTemplate"},"labels":{"type":"object","title":"FIXME: this is super clunky to copy each and every metadata field into\nobjects used for multicluster. $hide_from_yaml","additionalProperties":{"type":"string"}},"locality":{"$ref":"#/components/schemas/tsbv2Locality"},"namespaceScope":{"$ref":"#/components/schemas/v2NamespaceScoping"},"namespaces":{"type":"array","title":"TODO(vikas): move this inside cluster state\nRead-only data for informational purposes. 
Any user provided\nvalue will be ignored. The data here may be stale depending on\nthe update frequency from the Bridge agents in the cluster.\n$hide_from_yaml","items":{"$ref":"#/components/schemas/tsbv2Namespace"},"readOnly":true},"network":{"description":"The network (e.g., VPC) where this cluster is present. All\nclusters within the same network will be assumed to be reachable\nfor the purposes of multi-cluster routing. In addition, networks\nmarked as reachable from one another in SystemSettings will also\nbe used for multi-cluster routing.","type":"string"},"serviceAccount":{"$ref":"#/components/schemas/tsbv2ServiceAccount"},"state":{"$ref":"#/components/schemas/v2ClusterState"},"tier1Cluster":{"description":"Deprecated: This flag is still honored for backward compatibility but will be ignored in future releases.\nIt is advisable not to set it, as all clusters can now host both Tier1 and IngressGateways.\n\nIndicates whether this cluster is hosting a tier1 gateway or not.\nTier1 clusters cannot host other gateways or workloads. Defaults\nto false if not specified.","type":"boolean"},"tokenTtl":{"description":"Lifetime of the tokens. Defaults to 1hr.","type":"string"},"trustDomain":{"description":"Trust domain for this cluster, used for multi-cluster routing.\nIt must be unique for every cluster and should match the one configured in\nthe local control plane. This value is optional, and will be updated by the\nlocal control plane agents. 
However, it is recommended to set it, if known,\nso that multi-cluster routing works without having to wait for the local\ncontrol planes to update it.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbv2Cluster"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Clusters"],"summary":"Unregisters a cluster from the platform.\nDeleting a cluster will unregister it from the management plane, and the agents will stop receiving\nconfiguration updates. Agent tokens for the cluster are revoked as well, so agents that are still\nrunning will fail to report back cluster status to the management plane.\nNote that unregistering the cluster is a management plane only operation. This does not uninstall\nthe agents from the local cluster. Agents will continue running and the services that are deployed\nin that cluster will be able to continue operating with the last applied configuration.\nUnregistering a cluster from the management plane should not generate downtime to services that are\nrunning on that cluster.","operationId":"Clusters_DeleteCluster","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given 
resource.","operationId":"Approvals_GetPolicy_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policies settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_1","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given 
resource.","operationId":"Approvals_DeleteApprovedAccess_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest 
removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/config":{"post":{"description":"The API is for control plane cluster to get the configurations\nthat must be set in both management plane and control plane,\nand that the control plane configurations must be in sync (or adjusted)\naccording to management plane's changes at runtime.\n\nExamples:\n- 
Telemetry data retention period set(changed) in management plane must be sync'ed to control plane.\n- A feature flag disabled in management plane must be sync'ed to control plane and disabled in all control planes.\n\n$hide_from_docs","tags":["Clusters"],"summary":"Get the configurations for a cluster.","operationId":"Clusters_GetClusterConfig","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ClusterConfig"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/onboarding":{"get":{"tags":["Clusters"],"summary":"List the cluster onboarding configurations for a given cluster.","operationId":"Clusters_ListClusterOnboardingConfigs","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListClusterOnboardingConfigsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Clusters"],"summary":"Create the cluster onboarding configuration for a cluster.\nOnly one onboarding configuration can be created for a cluster. 
This configuration is used to\ndefine the desired state of the namespaces of the cluster.\nThese namespaces with state DESIRED_ONBOARDED will be added to the onboarding tenant and onboarding\nworkspace, so they can be managed by the management plane.\nThe onboarding tenant and workspace are created automatically if they do not exist.","operationId":"Clusters_CreateClusterOnboardingConfig","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create the cluster onboarding configuration for a cluster.","type":"object","required":["name","config"],"properties":{"config":{"$ref":"#/components/schemas/v2ClusterOnboardingConfig"},"name":{"description":"The short name for the cluster onboarding config to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ClusterOnboardingConfig"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/onboarding/status":{"get":{"tags":["Clusters"],"summary":"Get the onboarding status for a cluster.","operationId":"Clusters_GetClusterOnboardingStatus","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ClusterOnboardingStatus"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/onboarding/{onboardin}":{"get":{"tags":["Clusters"],"summary":"Get the cluster onboarding configuration for a cluster.","operationId":"Clusters_GetClusterOnboardingConfig","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}},{"description":"Onboardin name.","name":"onboardin","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ClusterOnboardingConfig"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Clusters"],"summary":"Update the cluster onboarding configuration for a cluster.","operationId":"Clusters_UpdateClusterOnboardingConfig","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}},{"description":"Onboardin name.","name":"onboardin","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Configuration for onboarding a cluster.\n\n\n\n","type":"object","required":["namespaces"],"properties":{"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be\nsent on every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"namespaces":{"description":"Set of namespaces configuration for the cluster.","type":"array","items":{"$ref":"#/components/schemas/ClusterOnboardingConfigNamespaceConfig"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ClusterOnboardingConfig"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Clusters"],"summary":"Delete the cluster onboarding configuration for a cluster.","operationId":"Clusters_DeleteClusterOnboardingConfig","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}},{"description":"Onboardin name.","name":"onboardin","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/proxytools/clusterstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the cluster stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetClusterStats","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetClusterStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetClusterStatsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/proxytools/configdump":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a config dump from a workload (Istio Proxy)","operationId":"ProxyDiagnosticService_GetConfigDump","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetConfigDumpBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetConfigDumpResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/proxytools/loggerlevels":{"put":{"tags":["ProxyDiagnosticService"],"summary":"Set the log levels of a workload","operationId":"ProxyDiagnosticService_SetLoggerLevels","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_SetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the logger levels of a workload","operationId":"ProxyDiagnosticService_GetLoggerLevels","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/proxytools/serverstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the server stats of an Istio 
Proxy","operationId":"ProxyDiagnosticService_GetServerStats","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetServerStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetServerStatsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/proxytools/streamlogs":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.","operationId":"ProxyDiagnosticService_StreamLogs","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_StreamLogsBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2StreamLogsResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2StreamLogsResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/proxytools/workloads":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the workload names under a given FQN resource and 
cluster.","operationId":"ProxyDiagnosticService_ListWorkloads","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_ListWorkloadsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListWorkloadsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. 
It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_1","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_1","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source 
name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/clusters/{cluster}:generateTokens":{"post":{"tags":["Clusters"],"summary":"Generate the tokens for the cluster agents so they can talk to the management plane.\nOnce a cluster object has been registered in the management plane, this method can be used to\ngenerate the JWT tokens that need to be configured in the local cluster agents in order to let\nthem talk to the management plane.\nThese tokens contain the necessary permissions to allow the agents to download the configuration\nfor their cluster and to push cluster status updates to the management plane.","operationId":"Clusters_GenerateTokens","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Cluster name.","name":"cluster","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ClusterStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/currentimpact":{"post":{"tags":["Profiles"],"summary":"CurrentImpactAnalysis analyzes the current impact of a profile or a resource attached profiles.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding 
impacts.","operationId":"Profiles_CurrentImpactAnalysis","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CurrentImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions":{"get":{"tags":["WasmExtensions"],"summary":"List the WASM extensions that are defined for the Organization.","operationId":"WasmExtensions_ListWasmExtension","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListWasmExtensionResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["WasmExtensions"],"summary":"Creates a new WasmExtension object in TSB. 
This is needed to let the extensions run.\nOnce a WasmExtension has been created, it can be assigned to IngressGateway and SecuritySetting.\nThis method returns the created extension.","operationId":"WasmExtensions_CreateWasmExtension","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a WasmExtension and make it available to be assigned to IngressGateway and SecuritySetting.","type":"object","required":["name","wasmExtension"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"wasmExtension":{"$ref":"#/components/schemas/v2WasmExtension"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2WasmExtension"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}":{"get":{"tags":["WasmExtensions"],"summary":"Get a WASM extension","operationId":"WasmExtensions_GetWasmExtension","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2WasmExtension"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["WasmExtensions"],"summary":"Modify an existing WasmExtension.\nWhen modifying the details of an extension in use, such as the image property, enabled flag, phase,\nor default 
configuration, a redeploy or reconfiguration of the extension may be triggered, affecting live\ntraffic in all those places that reference the extension.\nSimilarly, changes to the allowed_in property may trigger the removal of the extension from all places where\nthe extension was in use that are not allowed to use it anymore, affecting live traffic on the\nrelevant namespaces as well.","operationId":"WasmExtensions_UpdateWasmExtension","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"The WASM extension resource allows defining custom WASM extensions that are packaged in OCI images.\nThe resource allows specifying extension metadata that helps understand how extensions work and how they can be used.\nOnce defined, extensions can be referenced in Ingress and Egress Gateways and Security Groups so that traffic\nis captured and processed by the extension accordingly.\nBy default, extensions are globally available, but they can be assigned to specific Tenants as well\nto further control and constrain where in the Organization the extensions are allowed to be used.\n\n```yaml\napiVersion: extension.tsb.tetrate.io/v2\nkind: WasmExtension\nmetadata:\n  organization: org\n  name: wasm-auth\nspec:\n  allowedIn:\n    - organizations/org/tenants/tenant1\n  url: oci://docker.io/example/my-wasm-extension:1.0\n  source: https://github.com/example/wasm-extension\n  description: |\n    Long description for the extension such as an\n    entire README file\n  phase: AUTHZ\n  priority: 1000\n  config:\n    some_key: some_value\n```\n\nWASM extensions can also reference HTTP endpoints:\n\n```yaml\napiVersion: extension.tsb.tetrate.io/v2\nkind: WasmExtension\nmetadata:\n  organization: org\n  name: wasm-http\nspec:\n  url: 
http://tetrate.io/my-extension.wasm\n  source: https://github.com/example/wasm-extension\n  description: |\n    Long description for the extension such as an\n    entire README file\n  phase: AUTHZ\n  priority: 1000\n  config:\n    some_key: some_value\n```\n\n\n\n","type":"object","required":["url"],"properties":{"allowedIn":{"description":"List of fqns where this extension is allowed to run.\nIf it is empty, the extension can be used across the entire organization.\nCurrently only Tenant resources are considered.","type":"array","items":{"type":"string"}},"config":{"description":"Configuration parameters sent to the WASM plugin execution\nThe configuration can be overwritten when instantiating the extensions in IngressGateways or Security groups.\nThe config is serialized using proto3 JSON marshaling and passed to proxy_on_configure when the host environment starts the plugin.","type":"object"},"description":{"type":"string","title":"A description of the extension.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the extension.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"image":{"description":"Deprecated. Use the `url` field instead.\nRepository and tag of the OCI image containing the WASM extension.","type":"string"},"imagePullPolicy":{"$ref":"#/components/schemas/WasmExtensionPullPolicy"},"imagePullSecret":{"description":"Credentials to use for OCI image pulling.\nName of a K8s Secret that contains a docker pull secret which is to be used\nto authenticate against the registry when pulling the image.\nIf TSB is configured to use the WASM download proxy, this secret must exist in\nthe `istio-system` namespace of each cluster that has applications that use the\nextension. 
If the download proxy is disabled, the secret must exist in each\napplication namespace that is using the extension.","type":"string"},"match":{"$ref":"#/components/schemas/v2GlobalTrafficSelector"},"phase":{"$ref":"#/components/schemas/WasmExtensionPluginPhase"},"priority":{"description":"Determines the ordering of WasmExtensions in the same phase.\nWhen multiple WasmExtensions are applied to the same workload in the same phase, they will be applied by priority, in descending order.\nIf no priority is assigned it will use the default 0 value.\nIn case of several extensions having the same priority in the same phase, the fqn will be used to sort them.","type":"integer","format":"int32"},"source":{"type":"string","title":"Source to find the code for the WASM extension"},"url":{"description":"URL of a Wasm module or OCI container. If no scheme is present, defaults to oci://, referencing an OCI image.\nOther valid schemes are file:// for referencing .wasm module files present locally within the proxy container,\nand http[s]:// for .wasm module files hosted remotely.","type":"string"},"vmConfig":{"$ref":"#/components/schemas/v2VmConfig"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2WasmExtension"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["WasmExtensions"],"summary":"Delete a WasmExtension.\nNote that deleting a WasmExtension will delete the extension itself, and also its assignments to IngressGateway and SecuritySetting.","operationId":"WasmExtensions_DeleteWasmExtension","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension 
name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. 
If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_2","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given 
resource.","operationId":"Approvals_AddApprovedAccess_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension 
name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved 
list.","operationId":"Approvals_ApproveAccessRequest_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_7","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. 
It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_2","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_2","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/extensions/{extension}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Extension name.","name":"extension","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source 
name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/impact":{"post":{"tags":["Profiles"],"summary":"ImpactAnalysis analyzes the impact of profile or resource attached profiles modifications.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_ImpactAnalysis","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_ImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/installation/oidcs":{"get":{"tags":["OIDCs"],"summary":"List all OIDC configurations in the given organization.","operationId":"OIDCs_ListOIDCs","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListOIDCsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["OIDCs"],"summary":"Create a new OIDC configuration in the given organization.","operationId":"OIDCs_CreateOIDC","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create an OIDC configuration.","type":"object","required":["name","oidc"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"oidc":{"$ref":"#/components/schemas/v2OIDC"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2OIDC"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/installation/oidcs/{oidc}":{"get":{"tags":["OIDCs"],"summary":"Get the details of an existing OIDC configuration.","operationId":"OIDCs_GetOIDC","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Oidc name.","name":"oidc","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2OIDC"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["OIDCs"],"summary":"Modify an existing OIDC configuration.","operationId":"OIDCs_UpdateOIDC","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Oidc name.","name":"oidc","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`OIDC` represents an OpenID Connect (OIDC) configuration that can be used to\nauthenticate users in Service Bridge. Multiple OIDC configurations can be\ncreated to support different identity providers.\n\nThe OIDC configuration contains the settings for the OIDC provider and the\nclient secret used to authenticate with the provider. The secret must be\nbase64 encoded. Note that the secret is not stored in the database; it is\nsecurely stored in the Kubernetes cluster as a Secret resource.\n\nThe following example creates an OIDC configuration named `corporate-idp`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: OIDC\nmetadata:\n  name: corporate-idp\n  organization: myorg\nspec:\n  config:\n    clientId: my-client-id\n    issuer: https://idp.example.com\n    redirectUri: https://tsb.example.com/v2/oidc/callback\n    providerConfig:\n      dynamic:\n        configurationUri: https://corporate.idp.com/.well-known/openid-configuration\n  secret: bXktY2xpZW50LXNlY3JldA==\n```\n\n\n\n","type":"object","required":["config","secret"],"properties":{"config":{"$ref":"#/components/schemas/v1alpha1OIDCSettings"},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"secret":{"description":"Base64 encoded client secret for the OIDC provider.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2OIDC"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["OIDCs"],"summary":"Delete an OIDC configuration from the organization.","operationId":"OIDCs_DeleteOIDC","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Oidc name.","name":"oidc","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/installgatewaytemplates":{"get":{"tags":["Gateways"],"summary":"List all Install Gateway Template objects.","operationId":"Gateways_ListInstallGatewayTemplates","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListInstallGatewayTemplatesResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Gateways"],"summary":"Create an Install Gateway Template object.","operationId":"Gateways_CreateInstallGatewayTemplate","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create an InstallGatewayTemplate.","type":"object","required":["name","template"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"template":{"$ref":"#/components/schemas/v2InstallGatewayTemplate"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2InstallGatewayTemplate"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/installgatewaytemplates/{installgatewaytemplate}":{"get":{"tags":["Gateways"],"summary":"Get the details of the given Install Gateway Template object.","operationId":"Gateways_GetInstallGatewayTemplate","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Installgatewaytemplate name.","name":"installgatewaytemplate","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2InstallGatewayTemplate"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Gateways"],"summary":"Modify the given Install Gateway Template 
object.","operationId":"Gateways_UpdateInstallGatewayTemplate","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Installgatewaytemplate name.","name":"installgatewaytemplate","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"An InstallGatewayTemplate defines a configuration template for installing gateways in TSB.\nIt allows specifying gateway configurations that will be applied to gateways created in a defined part\nof the infrastructure determined by selectors that match attributes such as provider, labels, or cluster names.\nThe following example creates an InstallGatewayTemplate named `eks-template` under the `tetrate` organization.\nIt enforces the use of a specific annotation for all gateways created in EKS clusters.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: InstallGatewayTemplate\nmetadata:\n  name: aws-template\n  organization: tetrate\nspec:\n  displayName: \"AWS template\"\n  description: \"Template for AWS EKS gateways\"\n  environmentSelector:\n    provider: \"EKS\"\n  gatewaySpec:\n    kubeSpec:\n      annotations:\n        service.beta.kubernetes.io/aws-load-balancer-type: 'external'\n```\n\nAnother example creates an InstallGatewayTemplate named `mem-template` under the `tetrate` organization.\nBy using a cluster selector, it is scoped to clusters labelled with `managed-by: a-team`. Furthermore, the scope\nis narrowed down thanks to the gateway workload selector to only the gateways with the label `memory: high-limits` that\nare part of the aforementioned clusters. 
The template enforces memory limits for the selected gateways.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: InstallGatewayTemplate\nmetadata:\n  name: mem-template\n  organization: tetrate\nspec:\n  displayName: \"memory template\"\n  description: \"Template for setting memory limits for some specific labelled gateways\"\n  clusterSelector:\n    labelsSelector:\n      labels:\n        managed-by: \"a-team\"\n  gatewayWorkloadSelector:\n    labelsSelector:\n      labels:\n        memory: \"high-limits\"\n  gatewaySpec:\n    kubeSpec:\n      deployment:\n        resources:\n          limits:\n            memory: 2Gi\n```\n\n\n\n","type":"object","title":":::warning Alpha early access\nThe install gateway template feature is in an early access alpha state. Before trying this in a\nnon production environment, please reach out to Tetrate first.\n:::","required":["gatewaySpec"],"properties":{"allClustersSelector":{"description":"Selects all the onboarded clusters on TSB.","type":"boolean"},"clusterSelector":{"$ref":"#/components/schemas/v2ClusterSelector"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"environmentSelector":{"$ref":"#/components/schemas/v2EnvironmentSelector"},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"gatewaySpec":{"$ref":"#/components/schemas/gatewayv2GatewaySpec"},"gatewayWorkloadSelector":{"$ref":"#/components/schemas/tsbgatewayv2WorkloadSelector"},"priority":{"type":"integer","format":"int32","title":"Indicates when a template must be chosen in case of multiple\nselectors of the same type matching a single gateway configuration.\nDefaults to 0, the highest priority. When two templates have the same\npriority, they are sorted alphabetically by their names.\nTemplates with different selector types will be resolved in the\nfollowing order, regardless of the priority value:\n1. environment selectors\n2. cluster selectors with no namespace selectors\n3. cluster selectors with namespace selector matching labels\n4. cluster selectors with namespace selector matching name\n5. specific InstallGateway TSB resources"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2InstallGatewayTemplate"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Gateways"],"summary":"Delete the given Install Gateway Template object.","operationId":"Gateways_DeleteInstallGatewayTemplate","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Installgatewaytemplate name.","name":"installgatewaytemplate","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/profiles":{"get":{"tags":["Profiles"],"summary":"List all Profiles that belong to a resource.","operationId":"Profiles_ListProfiles","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListProfilesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Profiles"],"summary":"Create a profile object for a given resource.\nA `Profile` object can be created at Organization, Tenant, and Workspace levels. Once created, a profile can be\nattached at its own level or down the hierarchy at Organization, Tenants, Workspaces and Groups levels.","operationId":"Profiles_CreateProfile","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CreateProfileBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Profile"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/profiles/{profile}":{"get":{"tags":["Profiles"],"summary":"Get the details of a Profile in a resource.","operationId":"Profiles_GetProfile","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile 
name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Profile"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Profiles"],"summary":"Modify a Profile in a resource.","operationId":"Profiles_UpdateProfile","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_UpdateProfileBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Profile"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Profiles"],"summary":"Delete a Profile from a resource.","operationId":"Profiles_DeleteProfile","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/profiles/{profile}/currentimpact":{"post":{"tags":["Profiles"],"summary":"CurrentImpactAnalysis analyzes the 
current impact of a profile or of the profiles attached to a resource.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_CurrentImpactAnalysis2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CurrentImpactAnalysis2Body"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/profiles/{profile}/impact":{"post":{"tags":["Profiles"],"summary":"ImpactAnalysis analyzes the impact of modifications to a profile or to the profiles attached to a resource.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_ImpactAnalysis2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_ImpactAnalysis2Body"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of 
v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/segmentation/troubleshooting/access":{"get":{"tags":["Troubleshooting"],"summary":"Retrieve allowed access relationships between resources, such as:\n- the target resources a source resource is allowed to access.\n- the source resources allowed to access a target resource.","operationId":"Troubleshooting_ResourceAccess","parameters":[{"description":"FQN of the source resource.\nIf set, retrieves the list of target resources the source is allowed to access.","name":"sourceFqn","in":"query","schema":{"type":"string"}},{"description":"FQN of the target resource.\nIf set, retrieves the list of source resources allowed to access the target.","name":"targetFqn","in":"query","schema":{"type":"string"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v1ResourceAccessResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/segmentation/troubleshooting/operations":{"get":{"tags":["Troubleshooting"],"summary":"Get the operations that a source resource is allowed on a target resource.\nFor example, if a source has the \"connect\" operation allowed on a target, it means it's allowed to connect\nto that target. 
Otherwise, the request from the source to the target will be refused.","operationId":"Troubleshooting_Operations","parameters":[{"description":"FQN of the source resource from which operations are retrieved.","name":"sourceFqn","in":"query","required":true,"schema":{"type":"string"}},{"description":"FQN of the target resource on which the source resource is permitted to perform operations.","name":"targetFqn","in":"query","required":true,"schema":{"type":"string"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v1OperationsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts":{"get":{"tags":["Teams"],"summary":"List existing Service Accounts.","operationId":"Teams_ListServiceAccounts","parameters":[{"description":"The format in which the key pairs for each key will be returned.\nIf not set keys are returned in PEM format.","name":"keyEncoding","in":"query","schema":{"type":"string","enum":["PEM","JWK"],"default":"PEM"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListServiceAccountsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Teams"],"summary":"Create Service Account in TSB.\nService Accounts are local to TSB and can be used to access the platform using\nJWT tokens signed with the Service Account's private key for 
authentication.","operationId":"Teams_CreateServiceAccount","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","title":"Request to create a ServiceAccount.\n","required":["name","serviceAccount"],"properties":{"keyEncoding":{"$ref":"#/components/schemas/KeyPairEncoding"},"name":{"description":"The short name for the resource to be created.","type":"string"},"serviceAccount":{"$ref":"#/components/schemas/tsbv2ServiceAccount"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbv2ServiceAccount"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}":{"get":{"tags":["Teams"],"summary":"Get the details of an existing Service Account.","operationId":"Teams_GetServiceAccount","parameters":[{"description":"The format in which the key pairs will be returned.\nIf not set keys are returned in PEM format.","name":"keyEncoding","in":"query","schema":{"type":"string","enum":["PEM","JWK"],"default":"PEM"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbv2ServiceAccount"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Teams"],"summary":"Update the details of a service account.\nUpdating the details of the service account does not 
regenerate its keys.","operationId":"Teams_UpdateServiceAccount","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`ServiceAccount` represents a service account that can be used to access the TSB platform.\nService accounts have a set of associated public and private keys that can be used to generate\nsigned JWT tokens that are suitable to authenticate to TSB.\nA default key-pair is generated on service account creation and the public key is stored in TSB.\nPrivate keys are returned when service accounts are created, but TSB will not store them. It\nis up to the client to store them securely.\n\nThe following example creates a service account named `my-sa` under the organization\n`myorg`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: ServiceAccount\nmetadata:\n  name: my-sa\n  organization: myorg\nspec:\n  displayName: My Service Account\n  description: Service account used for service integrations\n```\n\n\n\n","type":"object","properties":{"description":{"description":"A description of the resource.","type":"string"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"keys":{"type":"array","title":"Keys associated with the service account.\nA default key-pair is automatically created when the Service Account is created. 
Note that\nTSB does not store the private keys, so it is up to the client to store the returned private\nkeys securely, as they are only returned once after creation.\nAdditional keys can be added (and deleted) by using the corresponding key management APIs.\n","items":{"$ref":"#/components/schemas/ServiceAccountKeyPair"},"readOnly":true}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbv2ServiceAccount"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Teams"],"summary":"Delete the given Service account.","operationId":"Teams_DeleteServiceAccount","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_5","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given 
resource.","operationId":"Approvals_DeleteApprovedAccess_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/jwks":{"get":{"tags":["Teams"],"summary":"Get all the public keys available in the service account and return them in a JWKS document.\nSee: https://datatracker.ietf.org/doc/html/rfc7517\nRequests to this endpoint require read permissions on the service account, or a token signed\nwith one of the service account keys.","operationId":"Teams_GetServiceAccountJWKS","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2JWKS"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/keys":{"post":{"tags":["Teams"],"summary":"Generate a new key-pair for the service account.\nNote that TSB does not store the generated private key, so the client must read it and\nstore it securely.","operationId":"Teams_GenerateServiceAccountKey","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to generate a new key-pair for the Service Account.","type":"object","properties":{"keyEncoding":{"$ref":"#/components/schemas/KeyPairEncoding"}}}}},"required":true},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbv2ServiceAccount"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/keys/{id}":{"delete":{"tags":["Teams"],"summary":"Delete a key-pair associated with the service account.","operationId":"Teams_DeleteServiceAccountKey","parameters":[{"description":"ID of the key-pair to delete.","name":"id","in":"path","required":true,"schema":{"type":"string"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbv2ServiceAccount"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. 
It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_5","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry 
source.","operationId":"Sources_GetSource_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/serviceaccounts/{serviceaccount}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_5","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceaccount name.","name":"serviceaccount","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services":{"get":{"tags":["Registration"],"summary":"List the services that have been registered in an organization","operationId":"Registration_ListServices","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListServicesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Registration"],"summary":"Register the given service in the organization.\nServices in the registry are deduplicated so that the same service running in different\nclusters are represented as a single entity in the registry.\nThe service returned by this method is the result of deduplicating the service.\nThis API is currently only intended for internal use by the discovery agents.\n$hide_from_docs","operationId":"Registration_RegisterService","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to register a service in a given parent (organization).","type":"object","required":["cluster","shortName","namespace","serviceType","state","source"],"properties":{"canonicalName":{"description":"Optional canonical name that identifies this service.","type":"string"},"cluster":{"description":"Name of the cluster the service belongs to.\nThis will be used to load the deduplication settings that have been configured for the cluster\nwhere the service belongs.","type":"string"},"externalAddresses":{"description":"For kubernetes services of type load balancer, this field contains the list of lb hostnames or\nIPs assigned to the service.","type":"array","items":{"type":"string"}},"hostnames":{"description":"The hostnames by which this service is accessed. It corresponds to the gateway virtual hosts.\nThis field is expected to be empty if the service is not publicly accessible.","type":"array","items":{"type":"string"}},"internalHostnames":{"type":"array","title":"The hostnames by which this service is accessed internally. Can correspond to the\nFQDN of the service or to the hostnames provided by an external service (E.g. service entry)","items":{"type":"string"}},"namespace":{"description":"Namespace associated with the service. 
It will be used in deduplication logic.","type":"string"},"ports":{"description":"The set of ports on which this service is exposed.","type":"array","items":{"$ref":"#/components/schemas/registryv2Port"}},"serviceType":{"$ref":"#/components/schemas/v2ServiceType"},"shortName":{"description":"Short name for the service, used to uniquely identify it within the organization.","type":"string"},"source":{"description":"Source of the service: Kubernetes, Istio, Consul, etc.","type":"string"},"spiffeIds":{"description":"List of SPIFFE identities used by the workloads of the service.","type":"array","items":{"type":"string"}},"state":{"$ref":"#/components/schemas/registryv2State"},"subsets":{"description":"Subset denotes a specific version of a service. By default the 'version'\nlabel is used to designate subsets of a workload.\nKnown subsets for the service.","type":"array","items":{"type":"string"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbregistryv2Service"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Registration"],"summary":"Remove the given service from the organization registry.\nThis API is currently only intended for internal use by the discovery agents.\n$hide_from_docs","operationId":"Registration_UnregisterService","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","title":"Request to unregister a service from the registry","required":["shortName","cluster","namespace"],"properties":{"cluster":{"description":"Name of the cluster of the service.","type":"string"},"namespace":{"description":"Namespace of the service.","type":"string"},"shortName":{"type":"string","title":"Name 
attribute of the service"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}":{"get":{"tags":["Registration"],"summary":"Get the details of a registered service","operationId":"Registration_GetService","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbregistryv2Service"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. 
If the resource has existing policies settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_3","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given 
resource.","operationId":"Approvals_AddApprovedAccess_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service 
name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved 
list.","operationId":"Approvals_ApproveAccessRequest_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_8","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/groups":{"get":{"tags":["Lookup"],"summary":"Get all the groups that configure the given service in the registry.","operationId":"Lookup_Groups","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GroupLookupResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. 
It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_3","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_3","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/services/{service}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Service name.","name":"service","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source 
name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings":{"get":{"tags":["Organizations"],"summary":"List all the settings objects that have been attached to the given Organization.","operationId":"Organizations_ListSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListOrganizationSettingsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Organizations"],"summary":"Create a settings object for the given organization.","operationId":"Organizations_CreateSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Organization Settings.","type":"object","required":["name","settings"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"settings":{"$ref":"#/components/schemas/v2OrganizationSetting"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2OrganizationSetting"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}":{"get":{"tags":["Organizations"],"summary":"Get the details for the given settings object.","operationId":"Organizations_GetSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2OrganizationSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Organizations"],"summary":"Modify the given settings in the given Organization.","operationId":"Organizations_UpdateSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Organization Setting allows configuring global settings for the organization.\nSettings such as network reachability or regional failover that apply globally\nto the organization are configured in the Organizations Setting object.\n\nThis is a global object that uniquely configures the organization, and there can\nbe only one organization setting object defined for each organization.\n\nThe following example shows how these settings can be used to describe the organization's\nnetwork reachability settings and some regional failover configurations.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: OrganizationSetting\nmetadata:\n  name: org-settings\n  organization: myorg\nspec:\n  networkSettings:\n    
networkReachability:\n      vpc01: vpc02,vpc03\n  regionalFailover:\n    - from: us-east1\n      to: us-central1\n```\n\n\n\n","type":"object","properties":{"defaultSecuritySetting":{"$ref":"#/components/schemas/v2SecuritySetting"},"defaultTrafficSetting":{"$ref":"#/components/schemas/v2TrafficSetting"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"failoverSettings":{"$ref":"#/components/schemas/tsbtypesv2FailoverSettings"},"networkSettings":{"$ref":"#/components/schemas/OrganizationSettingNetworkSettings"},"regionalFailover":{"description":"Default locality routing settings for all gateways.\nPlease use FailoverSettings instead. If FailoverSettings is set, it takes precedence over this field.\n\nExplicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.\nShould be used together with OutlierDetection to detect unhealthy endpoints.\nNote: if no OutlierDetection specified, this will not take effect.","type":"array","items":{"$ref":"#/components/schemas/tsbtypesv2RegionalFailover"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2OrganizationSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Organizations"],"summary":"Delete the given settings object from the Organization.","operationId":"Organizations_DeleteSettings","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. 
If the resource has existing policies settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_4","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given 
resource.","operationId":"Approvals_AddApprovedAccess_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting 
name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved 
list.","operationId":"Approvals_ApproveAccessRequest_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_9","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal.\non the given resource FQN. This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. 
It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_4","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_4","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/settings/{setting}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source 
name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/sharedgateways":{"get":{"tags":["Gateways"],"summary":"ListSharedGateways lists gateways that have a shared reference grant for the given gateway group, workspace, tenant, or organization.","operationId":"Gateways_ListSharedGateways4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSharedGatewaysResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/status/search":{"get":{"tags":["Status"],"summary":"Search the status of resources related to the specified search criteria.\nIt will descend in 
the hierarchy starting with the resource identified by the given FQN.\nThis method is available for organizations, tenant or workspace resources.\nIn the case of configuration sharing between multiple workspaces (such as common t1 and t2 scenarios),\nit’s recommended to use the tenant FQN instead of the workspace FQN.\nThis ensures that the search is not limited to a specific workspace and considers configurations from other workspaces.","operationId":"Status_SearchStatus","parameters":[{"description":"Fully-qualified domain name to search in the mesh that exposes a service. Example: \"test.tetrate.io\"","name":"fqdn","in":"query","required":true,"schema":{"type":"string"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SearchStatusResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/sync":{"post":{"description":"This method will update the state of users and groups in the organization and will create, modify, and\ndelete groups according to the incoming request.\nSync requests are assumed to be a full-sync and to contain all existing users and groups. 
Existing TSB users and groups\nthat are not contained in a sync request will be deleted from the platform, as it will assume they have been removed\nfrom the Identity Provider.","tags":["Organizations"],"summary":"SyncOrganization is used by processes that monitor the identity providers to synchronize\nthe users and teams with the ones in TSB.","operationId":"Organizations_SyncOrganization","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to synchronize the users and teams in an organization from the configured identity provider.","type":"object","properties":{"sourceType":{"$ref":"#/components/schemas/v2SourceType"},"teams":{"type":"array","items":{"$ref":"#/components/schemas/SyncOrganizationRequestSyncTeam"}},"users":{"type":"array","items":{"$ref":"#/components/schemas/SyncOrganizationRequestSyncUser"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SyncOrganizationResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams":{"get":{"tags":["Teams"],"summary":"List all existing teams.","operationId":"Teams_ListTeams","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListTeamsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Teams"],"summary":"Create a new 
team.","operationId":"Teams_CreateTeam","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","title":"Request to create a Team.\n","required":["name","team"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"team":{"$ref":"#/components/schemas/v2Team"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Team"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}":{"get":{"tags":["Teams"],"summary":"Get the details of an existing team.","operationId":"Teams_GetTeam","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Team"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Teams"],"summary":"Modify an existing team.","operationId":"Teams_UpdateTeam","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`Team` is a named collection of users, service accounts, and other\nteams. Teams can be assigned access permissions on various\nresources. 
All members of a team inherit the access permissions\nassigned to the team.\n\nThe following example creates a team named `org` under the organization\n`myorg` with all members of `product1` and `product2` teams, and\nusers `alice` and `bob`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Team\nmetadata:\n  name: org\n  organization: myorg\nspec:\n  members:\n  - organizations/myorg/users/alice\n  - organizations/myorg/users/bob\n  - organizations/myorg/teams/product1\n  - organizations/myorg/teams/product2\n```\n\n\n\n","type":"object","properties":{"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"members":{"description":"List of members under the team.\nThe elements of this list are the FQNs of the team members. 
Team members can be\nusers, service accounts or other teams.","type":"array","items":{"type":"string"}},"sourceType":{"$ref":"#/components/schemas/v2SourceType"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Team"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Teams"],"summary":"Delete a team.\nNote that deleting a team only deletes the team itself, but not its members.","operationId":"Teams_DeleteTeam","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any 
provided\nrequest or approval settings. If the resource has existing policies settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_6","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given 
resource.","operationId":"Approvals_AddApprovedAccess_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team 
name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given 
resource.","operationId":"Policy_SetPolicy_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. 
It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_6","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_6","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/teams/{team}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Team name.","name":"team","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source 
name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants":{"get":{"tags":["Tenants"],"summary":"List all tenants that are available.","operationId":"Tenants_ListTenants","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListTenantsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Tenants"],"summary":"Create a new tenant in the platform that will be the home for a set of resources.","operationId":"Tenants_CreateTenant","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","title":"Request to create a tenant.\n","required":["name","tenant"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"tenant":{"$ref":"#/components/schemas/v2Tenant"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Tenant"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}":{"get":{"tags":["Tenants"],"summary":"Get the details of an existing tenant.","operationId":"Tenants_GetTenant","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Tenant"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Tenants"],"summary":"Modify the details of the given tenant.","operationId":"Tenants_UpdateTenant","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`Tenant` is a self-contained entity within an organization in\nthe Service Bridge object hierarchy. Tenants can be business units,\norganization units, or any logical grouping that matches a corporate\nstructure.\n\nThe following example creates a tenant named `mycompany` in an organization\nnamed `myorg`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Tenant\nmetadata:\n  organization: myorg\n  name: mycompany\n```\n\n\n\n","type":"object","properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"profiles":{"description":"List of profiles attached to the tenant to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"}},"securityDomain":{"description":"Security domains can be used to group different resources under the same security domain.\nAlthough security domain is not resource itself currently, it follows a fqn format\n`organizations/myorg/securitydomains/mysecuritydomain`, and a child cannot override any ancestor's\nsecurity domain.\nOnce a security domain is assigned to a _Tenant_, all the children resources will belong to that\nsecurity domain in the same way a _Workspace_ belongs to a _Tenant_, a _Workspace_ will also belong\nto the security domain assigned to the _Tenant_.\nSecurity domains can also be used to define _Security settings Authorization rules_ in which you can allow\nor deny request from or to a security domain.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Tenant"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Tenants"],"summary":"Delete a tenant from the platform.\nDeleting a tenant will recursively delete all resources attached to the tenant, so use with\ncaution.\nIt will delete all workspaces and all settings that have been created in that 
tenant, so this\noperation should be done carefully, when it's safe to do so.","operationId":"Tenants_DeleteTenant","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.\nIf this is set, then the object and all its children will be deleted even if any of them\nhas the deletion protection enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications":{"get":{"tags":["Applications"],"summary":"List all existing applications for the given tenant.","operationId":"Applications_ListApplications","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListApplicationsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Applications"],"summary":"Creates a new Application in TSB.","operationId":"Applications_CreateApplication","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create an application and register it in the management plane so configuration can\nbe generated for it.","type":"object","required":["name","application"],"properties":{"application":{"$ref":"#/components/schemas/v2Application"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Application"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}":{"get":{"tags":["Applications"],"summary":"Get the details of an existing application.","operationId":"Applications_GetApplication","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Application"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Applications"],"summary":"Modify an existing application.","operationId":"Applications_UpdateApplication","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Applications are logical groupings of services that are related to each other,\ntypically within a trusted group.\nA common example are three tier applications composed of a frontend, a backend and a\ndatastore service.\n\nApplications are often consumed through APIs, and a single Application can expose one\nor more of those APIs. These APIs will define the hostnames that are exposed and the\nmethods exposed in each hostname.\n\n```yaml\napiVersion: application.tsb.tetrate.io/v2\nkind: Application\nmetadata:\n  name: three-tier\n  organization: myorg\n  tenant: tetrate\nspec:\n  workspace: organizations/myorg/tenants/tetrate/three-tier\n```\n\n\n\n","type":"object","required":["workspace"],"properties":{"configResources":{"type":"array","title":"The configuration resources that are related to this Application.\n$hide_from_docs","items":{"$ref":"#/components/schemas/v2ConfigResource"},"readOnly":true},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"gatewayGroup":{"description":"Optional FQN of the Gateway Group to be used by the application.\nIf configured, this gateway group will be used by the application. 
If\nno namespaces are configured and no existing gateway group is set, a new gateway group claiming all\nnamespaces in the workspace (`*/*`) will be created by default.\nAll Ingress Gateway resources created for the APIs attached to the application will be created in\nthe application's gateway group.","type":"string"},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"services":{"description":"Optional list of services that are part of the application. This is a list of FQNs of services in the\nservice registry.\nIf omitted, the application is assumed to own all the services in the workspace.\nNote that a service can only be part of one application. If any of the services in the list is already\nin use by an existing application, application creation/modification will fail.\nIf the list of services is not explicitly set and any service in the workspace is already in use by\nanother application, application creation/modification will fail.","type":"array","items":{"type":"string"}},"workspace":{"description":"FQN of the workspace this application is part of.\nThe application will configure IngressGateways for the attached APIs\nin the different namespaces exposed by this workspace.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Application"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Applications"],"summary":"Delete an existing Application.\nNote that deleting resources in TSB is a recursive operation. 
Deleting an application will delete all\nAPI objects that exist in it.","operationId":"Applications_DeleteApplication","parameters":[{"description":"Force the deletion of internal groups even if they are protected against deletion.","name":"forceDeleteProtectedGroups","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis":{"get":{"tags":["Applications"],"summary":"List all APIs attached to the given application.","operationId":"Applications_ListAPIs","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbapplicationv2ListAPIsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Applications"],"summary":"Attach a new API to the given application.","operationId":"Applications_CreateAPI","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create an API and register it in the management plane so configuration can\nbe generated for it.","type":"object","required":["name","api"],"properties":{"api":{"$ref":"#/components/schemas/tsbapplicationv2API"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbapplicationv2API"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}":{"get":{"tags":["Applications"],"summary":"Get the details of an API.","operationId":"Applications_GetAPI","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbapplicationv2API"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Applications"],"summary":"Delete 
an existing API.","operationId":"Applications_DeleteAPI","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. 
If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_10","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api 
name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given 
resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api 
name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given 
resource.","operationId":"Policy_SetPolicy_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_10","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application 
name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/apis/{api}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_10","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given 
resource.","operationId":"Approvals_GetPolicy_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_9","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource 
FQN.","operationId":"Profiles_Blame_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given 
resource.","operationId":"Policy_GetPolicy_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_9","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_9","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/applications/{application}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Application name.","name":"application","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given 
resource.","operationId":"Approvals_GetPolicy_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_8","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given 
resource.","operationId":"Approvals_DeleteApprovedAccess_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an 
existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/availableprofiles":{"get":{"tags":["Profiles"],"summary":"Lists the profiles that can be attached to the given resource.\nThe returned profiles contain metadata (fqn, display name and description) information.\nTo retrieve the full profile, rely on `GetProfile` or `ListProfiles` methods.","operationId":"Profiles_ListAvailableProfiles2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListAvailableProfilesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource 
FQN.","operationId":"Profiles_Blame","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/currentimpact":{"post":{"tags":["Profiles"],"summary":"CurrentImpactAnalysis analyzes the current impact of a profile or a resource attached profiles.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_CurrentImpactAnalysis3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CurrentImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/extensions":{"get":{"tags":["Tenants"],"summary":"List all the WASM extensions that have been attached to the given 
tenant.","operationId":"Tenants_ListWasmExtensions","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListTenantExtensionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/impact":{"post":{"tags":["Profiles"],"summary":"ImpactAnalysis analyzes the impact of profile or resource attached profiles modifications.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_ImpactAnalysis3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_ImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An 
unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/profiles":{"get":{"tags":["Profiles"],"summary":"List all Profiles that belong to a resource.","operationId":"Profiles_ListProfiles2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListProfilesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Profiles"],"summary":"Create a profile object for a given resource.\nA `Profile` object can be created at Organization, Tenant, and Workspace levels. 
Once created, a profile can be\nattached at its own level or down the hierarchy at Organization, Tenants, Workspaces and Groups levels.","operationId":"Profiles_CreateProfile2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CreateProfileBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Profile"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/profiles/{profile}":{"get":{"tags":["Profiles"],"summary":"Get the details of a Profile in a resource.","operationId":"Profiles_GetProfile2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Profile"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Profiles"],"summary":"Modify a Profile in a resource.","operationId":"Profiles_UpdateProfile2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile 
name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_UpdateProfileBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Profile"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Profiles"],"summary":"Delete a Profile from a resource.","operationId":"Profiles_DeleteProfile2","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/profiles/{profile}/currentimpact":{"post":{"tags":["Profiles"],"summary":"CurrentImpactAnalysis analyzes the current impact of a profile or a resource attached profiles.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_CurrentImpactAnalysis4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile 
name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CurrentImpactAnalysis2Body"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/profiles/{profile}/impact":{"post":{"tags":["Profiles"],"summary":"ImpactAnalysis analyzes the impact of profile or resource attached profiles modifications.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_ImpactAnalysis4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_ImpactAnalysis2Body"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings":{"get":{"tags":["Tenants"],"summary":"List all the settings objects that have been made available to the given tenant.","operationId":"Tenants_ListSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListTenantSettingsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Tenants"],"summary":"Create a settings object for the given tenant.","operationId":"Tenants_CreateSetting","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Tenant Setting.","type":"object","required":["name","setting"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"setting":{"$ref":"#/components/schemas/v2TenantSetting"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2TenantSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}":{"get":{"tags":["Tenants"],"summary":"Get the details for the given
settings object.","operationId":"Tenants_GetSetting","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2TenantSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Tenants"],"summary":"Modify the given settings in the given tenant.","operationId":"Tenants_UpdateSetting","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Tenant Setting allows configuring default settings for the tenant.\n\nThis is a global object that uniquely configures the tenant, and there can\nbe only one tenant setting object defined for each tenant.\n\nTraffic and security settings can be defined as default for a tenant, meaning that they\nwill be applied to all the workspaces of the tenant.\nThese default settings can be overridden by creating the proper WorkspaceSetting, TrafficSetting or SecuritySetting\nin the desired workspace or group.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: TenantSetting\nmetadata:\n  name: tenant-settings\n  organization: myorg\n  tenant: mytenant\nspec:\n  defaultTrafficSetting:\n    outbound:\n      reachability:\n        mode: WORKSPACE\n      egress:\n        host:
bookinfo-perimeter/tsb-egress\n  defaultSecuritySetting:\n    authenticationSettings:\n      trafficMode: REQUIRED\n    authorization:\n      mode: GROUP\n```\n\n\n\n","type":"object","properties":{"defaultSecuritySetting":{"$ref":"#/components/schemas/v2SecuritySetting"},"defaultTrafficSetting":{"$ref":"#/components/schemas/v2TrafficSetting"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2TenantSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Tenants"],"summary":"Delete the given settings object from the tenant.","operationId":"Tenants_DeleteSetting","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given 
resource.","operationId":"Approvals_GetPolicy_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource.
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_11","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_15","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_11","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting
name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source 
name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/settings/{setting}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_11","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/sharedgateways":{"get":{"tags":["Gateways"],"summary":"ListSharedGateways lists gateways that have a shared reference grant for the given gateway group, workspace, tenant, or organization.","operationId":"Gateways_ListSharedGateways3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSharedGatewaysResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/status/search":{"get":{"tags":["Status"],"summary":"Search the status of resources related to the specified search criteria.\nIt will descend in the hierarchy starting with the resource identified by the given FQN.\nThis method is available for organization, tenant or workspace resources.\nIn the case of configuration sharing between multiple workspaces (such as common t1 and t2 scenarios),\nit’s recommended to use the tenant FQN instead of the workspace FQN.\nThis ensures that the search is not limited to a specific workspace and considers configurations from other workspaces.","operationId":"Status_SearchStatus2","parameters":[{"description":"Fully-qualified domain name to search in the mesh that exposes a service.
Example: \"test.tetrate.io\"","name":"fqdn","in":"query","required":true,"schema":{"type":"string"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SearchStatusResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_8","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry
Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source 
name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces":{"get":{"tags":["Workspaces"],"summary":"List all existing workspaces for the given tenant.","operationId":"Workspaces_ListWorkspaces","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListWorkspacesResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Workspaces"],"summary":"Create a new workspace.\nThe workspace will own exclusively the namespaces configured in the namespaces\nselector for the workspace.","operationId":"Workspaces_CreateWorkspace","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Workspace.","type":"object","required":["name","workspace"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"workspace":{"$ref":"#/components/schemas/v2Workspace"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Workspace"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}":{"get":{"tags":["Workspaces"],"summary":"Get the details of an existing workspace","operationId":"Workspaces_GetWorkspace","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Workspace"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Workspaces"],"summary":"Modify an existing workspace","operationId":"Workspaces_UpdateWorkspace","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"A Workspace carves a chunk of the cluster resources owned by a\ntenant into an isolated configuration domain.\n\nThe following example claims `ns1` and `ns2` namespaces across all\nclusters owned by the tenant `mycompany`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Workspace\nmetadata:\n  name: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n```\n\nThe following example claims `ns1` namespace only from the `c1`\ncluster and claims all namespaces from the `c2` cluster.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Workspace\nmetadata:\n  name: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"c1/ns1\"\n    - \"c2/*\"\n```\n\nCustom labels and annotations can be propagated to the final Istio translation that\nwill be applied at the clusters.\nThis could help with third-party integrations or to set custom identifier.\nThe following example configures the annotation `my.org.environment` to be applied to\nall final Istio translations generated under this Workspace, for example Gateways or Virtual Services.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Workspace\nmetadata:\n  name: w1\n  tenant: mycompany\n  organization: myorg\n  annotations:\n    my.org.environment: dev\nspec:\n  namespaceSelector:\n    
names:\n    - \"*/ns1\"\n```\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"isolationBoundary":{"description":"Istio Isolation Boundary name to which this workspace belongs.\nIf not provided explicitly, the workspace looks for an isolation boundary with\nname set as \"global\". \nTherefore, in order to move existing workspaces to isolation boundaries, and\nbe a part of revisioned control plane, it is recommended to configure an\nisolation boundary with the name \"global\".","type":"string"},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"privileged":{"description":"If set to true, allows Gateways in the workspace to route to\nservices in other workspaces. 
Set this to true for workspaces\nowning cluster-wide gateways shared by multiple teams.","type":"boolean"},"profiles":{"description":"List of profiles attached to the workspace to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"}},"securityDomain":{"description":"Security domains can be used to group different resources under the same security domain.\nAlthough a security domain is not a resource itself currently, it follows an FQN format\n`organizations/myorg/securitydomains/mysecuritydomain`, and a child cannot override any ancestor's\nsecurity domain.\nOnce a security domain is assigned to a _Workspace_, all the child resources will belong to that\nsecurity domain: in the same way a _Security group_ belongs to a _Workspace_, a _Security group_ will also belong\nto the security domain assigned to the _Workspace_.\nSecurity domains can also be used to define _Security settings Authorization rules_ in which you can allow\nor deny requests from or to a security domain.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Workspace"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Workspaces"],"summary":"Delete an existing workspace.\nNote that deleting resources in TSB is a recursive operation. 
Deleting a workspace will delete all\ngroups and configuration objects that exist in it.","operationId":"Workspaces_DeleteWorkspace","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.\nIf this is set, then the object and all its children will be deleted even if any of them\nhas the deletion protection enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/apis":{"get":{"tags":["Workspaces"],"summary":"List all API objects in the workspace.","operationId":"Workspaces_ListAPIs","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ListAPIsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Workspaces"],"summary":"Create an API object in the 
workspace.","operationId":"Workspaces_CreateAPI","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create an API.","type":"object","required":["name","api"],"properties":{"api":{"$ref":"#/components/schemas/apitsbv2API"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2API"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/apis/{api}":{"get":{"tags":["Workspaces"],"summary":"Get the details of the given API object.","operationId":"Workspaces_GetAPI","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2API"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Workspaces"],"summary":"Modify the given API 
object.","operationId":"Workspaces_UpdateAPI","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"An API resource defines an OpenAPI specification that can be used by gateways to validate incoming requests.\n\nThe following API resource example validates incoming requests for certain hostnames and optional paths.\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: API\nmetadata:\n  organization: myorg\n  tenant: mycompany\n  workspace: myapp\n  name: example-api\nspec:\n  openapi: |\n    TODO: add an example with request body definition\n```\n\nThe following gateway definition references the previous API to perform its validations for incoming requests.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  organization: myorg\n  tenant: mycompany\n  workspace: myapp\n  name: example-gateway\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo\n    port: 443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    routing:\n      rules:\n      - route:\n          serviceDestination:\n            host: ns1/productpage.ns1.svc.cluster.local\n    openapi:\n      api: organizations/myorg/tenants/mycompany/workspaces/myapp/apis/example-api\n      validation:\n        enabled: true\n```\n\n\n\n","type":"object","required":["openapi"],"properties":{"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the 
resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"openapi":{"description":"The raw OpenAPI spec for this API.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2API"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Workspaces"],"summary":"Delete the given API object.","operationId":"Workspaces_DeleteAPI","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Api name.","name":"api","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_12","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/availableprofiles":{"get":{"tags":["Profiles"],"summary":"Lists the profiles that can be attached to the given resource.\nThe returned profiles contain metadata (fqn, display name and description) 
information.\nTo retrieve the full profile, rely on `GetProfile` or `ListProfiles` methods.","operationId":"Profiles_ListAvailableProfiles3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListAvailableProfilesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_1","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/currentimpact":{"post":{"tags":["Profiles"],"summary":"CurrentImpactAnalysis analyzes the current impact of a profile or a resource's attached profiles.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its 
corresponding impacts.","operationId":"Profiles_CurrentImpactAnalysis5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CurrentImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups":{"get":{"tags":["Gateways"],"summary":"List all gateway groups that exist in the workspace.","operationId":"Gateways_ListGroups","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListGatewayGroupsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"description":"Groups will by default configure all the namespaces owned by their workspace, unless\nexplicitly configured. 
If a specific set of namespaces is set for the group, it must be a\nsubset of the namespaces defined by its workspace.","tags":["Gateways"],"summary":"Create a new gateway group in the given workspace.","operationId":"Gateways_CreateGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Gateway Group.","type":"object","required":["name","group"],"properties":{"group":{"$ref":"#/components/schemas/tsbgatewayv2Group"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbgatewayv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}":{"get":{"tags":["Gateways"],"summary":"Get the details of the given gateway group.","operationId":"Gateways_GetGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbgatewayv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Gateways"],"summary":"Update the given gateway group.","operationId":"Gateways_UpdateGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Gateway Groups allow grouping the gateways in a set of namespaces\nowned by its parent workspace. Gateway related configurations can\nthen be applied on the group to control the behavior of these\ngateways. The group can be in one of two modes: `BRIDGED` and\n`DIRECT`. 
`BRIDGED` mode is a minimalistic mode that allows users to\nquickly configure the most commonly used features in the service\nmesh using Tetrate specific APIs, while the `DIRECT` mode provides\nmore flexibility for power users by allowing them to configure the\ngateways' traffic and security properties using a restricted\nsubset of Istio Networking and Security APIs.\n\nThe following example creates a gateway group for the gateways in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany`\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nIt is possible to create a gateway group for namespaces in a\nspecific cluster as long as the parent workspace owns those\nnamespaces in that cluster. For example,\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"c1/ns1\" # pick ns1 namespace only from c1 cluster\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nIn the `DIRECT` mode, it is possible to directly attach Istio\nNetworking v1beta1 APIs - `VirtualService`, and `Gateway`, and\nIstio Security v1beta1 APIs - `RequestAuthentication`, and\n`AuthorizationPolicy` to the gateway group. 
These configurations\nwill be validated for correctness and conflict-free operations and\nthen pushed to the appropriate Istio control planes.\n\nThe following example declares a `Gateway` and a `VirtualService`\nfor a specific workload in the `ns1` namespace:\n\n```yaml\napiVersion: networking.istio.io/v1beta1\nkind: Gateway\nmetadata:\n  name: ingress\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/gatewayGroup: g1\nspec:\n  selector:\n      app: my-ingress-gateway\n  servers:\n  - port:\n      number: 80\n      name: http\n      protocol: HTTP\n    hosts:\n    - uk.bookinfo.com\n    - eu.bookinfo.com\n```\n\nand the associated `VirtualService`\n\n```yaml\napiVersion: networking.istio.io/v1beta1\nkind: VirtualService\nmetadata:\n  name: ingress-rule\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/gatewayGroup: g1\nspec:\n  hosts:\n  - uk.bookinfo.com\n  - eu.bookinfo.com\n  gateways:\n  - ns1/ingress # Has to bind to the same gateway\n  http:\n  - route:\n    - destination:\n        port:\n          number: 7777\n        host: reviews.ns1.svc.cluster.local\n```\n\nThe namespace where the Istio APIs are applied will need to be part\nof the parent gateway group. In addition, each API object will need\nto have annotations to indicate the organization, tenant, workspace and the\ngateway group to which it belongs.\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"configMode":{"$ref":"#/components/schemas/v2ConfigMode"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"profiles":{"description":"List of profiles attached to the gateway group to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbgatewayv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Gateways"],"summary":"Delete the given gateway group.\nNote that deleting resources in TSB is a recursive operation. 
Deleting a gateway group will\ndelete all configuration objects that exist in it.","operationId":"Gateways_DeleteGroup","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.\nIf this is set, then the object and all its children will be deleted even if any of them\nhas the deletion protection enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_13","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest 
approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/availableprofiles":{"get":{"tags":["Profiles"],"summary":"Lists the profiles that can be attached to the given resource.\nThe returned profiles contain metadata (fqn, display name and description) information.\nTo retrieve the full profile, rely on `GetProfile` or `ListProfiles` methods.","operationId":"Profiles_ListAvailableProfiles4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListAvailableProfilesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource 
FQN.","operationId":"Profiles_Blame_variant_2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/currentimpact":{"post":{"tags":["Profiles"],"summary":"CurrentImpactAnalysis analyzes the current impact of a profile or a resource attached profiles.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_CurrentImpactAnalysis7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CurrentImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of 
v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways":{"get":{"tags":["Gateways"],"summary":"List all Egress Gateway objects in the gateway group.","operationId":"Gateways_ListEgressGateways","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListEgressGatewaysResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Gateways"],"summary":"Create an Egress Gateway object in the gateway group.","operationId":"Gateways_CreateEgressGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create an EgressGateway.","type":"object","required":["name","egressGateway"],"properties":{"egressGateway":{"$ref":"#/components/schemas/gatewayv2EgressGateway"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/gatewayv2EgressGateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}":{"get":{"tags":["Gateways"],"summary":"Get the details of the given Egress Gateway object.","operationId":"Gateways_GetEgressGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/gatewayv2EgressGateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Gateways"],"summary":"Modify the given Egress Gateway 
object.","operationId":"Gateways_UpdateEgressGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`EgressGateway` configures a workload to act as a gateway for\ntraffic exiting the mesh. The egress gateway is meant to be the destination\nof unknown traffic within the mesh (traffic sent to non-mesh services). The\ngateway allows authorization control of traffic sent to it to more finely tune\nwhich services are allowed to send unknown traffic through the gateway. Only HTTP\nis supported at this time.\n\nThe following example declares an egress gateway running on pods in istio-system\nwith the label app=istio-egressgateway. This gateway is set up to allow traffic\nfrom anywhere in the cluster to access www.httpbin.org and, from the bookinfo details app\nspecifically, to access any external host. `EgressGateway`s need to be paired\nwith `TrafficSetting`s in order to be usable. You must set the `egress` field in the\n`TrafficSetting`s to point to the egress gateway and send traffic to port 15443. 
Once\nthis is set up, mesh internal apps will send unknown traffic to the egress gateway over mTLS.\nThe gateway will then decide whether to forward the traffic or not, and use one-way TLS for\nexternal calls.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: EgressGateway\nmetadata:\n  name: my-egress\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: istio-egressgateway\n  authorization:\n    - from:\n        mode: WORKSPACE\n      to: [\"www.httpbin.org\"]\n    - from:\n        mode: CUSTOM\n        serviceAccounts: [\"default/bookinfo-details\"]\n      to: [\"*\"]\n```\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  reachability:\n   mode: CUSTOM\n   hosts:\n   - \"./*\"\n   - \"istio-system/*\"\n  egress:\n    host: istio-system/istio-egressgateway.istio-system.svc.cluster.local\n```\n\nThe following example customizes the `Extensions` field to enable\nthe execution of the specified WasmExtensions list and details\ncustom properties for the execution of each extension.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: EgressGateway\nmetadata:\n  name: my-egress\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: istio-egressgateway\n  authorization:\n    - from:\n        mode: WORKSPACE\n      to: [\"www.httpbin.org\"]\n    - from:\n        mode: CUSTOM\n        serviceAccounts: [\"default/bookinfo-details\"]\n      to: [\"*\"]\n  extension:\n  - fqn: hello-world # fqn of imported extensions in TSB\n    config:\n      foo: bar\n```\n","type":"object","title":":::warning Deprecation\nThe functionality provided by the `EgressGateway` is now provided in `Gateway` object, and\nusing it is the recommended approach. 
The `EgressGateway` resource will be removed in future releases.\n:::","required":["workloadSelector"],"properties":{"authorization":{"description":"The description of which service accounts can access which hosts.\nIf the list of authorization rules is empty, this egress gateway will deny all traffic.","type":"array","items":{"$ref":"#/components/schemas/v2EgressAuthorization"}},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"extension":{"description":"Extensions specifies all the WasmExtensions assigned to this EgressGateway\nwith the specific configuration for each extension. 
This custom configuration\nwill override the one configured globally to the extension.\nEach extension has a global configuration including enablement and priority\nthat will condition the execution of the assigned extensions.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"}},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/gatewayv2EgressGateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Gateways"],"summary":"Delete the given Egress Gateway object.","operationId":"Gateways_DeleteEgressGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given 
resource.","operationId":"Approvals_GetPolicy_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. 
If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_15","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_15","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/egressgateways/{egressgateway}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_15","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Egressgateway name.","name":"egressgateway","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/impact":{"post":{"tags":["Profiles"],"summary":"ImpactAnalysis analyzes the impact of profile or resource attached profiles modifications.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_ImpactAnalysis7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_ImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of 
v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways":{"get":{"tags":["Gateways"],"summary":"List all Ingress Gateway objects in the gateway group.","operationId":"Gateways_ListIngressGateways","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListIngressGatewaysResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Gateways"],"summary":"Create an Ingress Gateway object in the gateway group.","operationId":"Gateways_CreateIngressGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create an IngressGateway.","type":"object","required":["name","ingressGateway"],"properties":{"ingressGateway":{"$ref":"#/components/schemas/v2IngressGateway"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2IngressGateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}":{"get":{"tags":["Gateways"],"summary":"Get the details of the given Ingress Gateway object.","operationId":"Gateways_GetIngressGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2IngressGateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Gateways"],"summary":"Modify the given Ingress Gateway 
object.","operationId":"Gateways_UpdateIngressGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`IngressGateway` configures a workload to act as a gateway for\ntraffic entering the mesh. The ingress gateway also provides basic\nAPI gateway functionalities such as JWT token validation \nand request authorization. Gateways in privileged\nworkspaces can route to services outside the workspace while those\nin unprivileged workspaces can only route to services inside the\nworkspace.\n\nThe following example declares an ingress gateway running on pods\nwith `app: gateway` labels in the `ns1` namespace. The gateway\nexposes a host `bookinfo.com` on https port 9443 and http port 9090.\nThe port 9090 is configured to receive plaintext traffic and send a\nredirect to the https port 9443 (site-wide HTTP -> HTTPS redirection).\nAt port 9443, TLS is terminated using the certificates in the Kubernetes\nsecret `bookinfo-certs`. 
Clients are authenticated using JWT\ntokens, whose keys are obtained from the OIDC provider `www.googleapis.com`.\nThe request is then authorized by the user's authorization engine\nhosted at `https://company.com/authz` before being forwarded to \nthe `productpage` service in the backend.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    routing:\n      rules:\n      - redirect:\n          authority: bookinfo.com\n          port: 9443\n          redirectCode: 301\n          scheme: https\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    authentication:\n      rules:\n        jwt:\n        - issuer: https://accounts.google.com\n          jwksUri: https://www.googleapis.com/oauth2/v3/certs\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.mycompany.com/oauth2/jwks\n    authorization:\n      external:\n        uri: https://company.com/authz\n        includeRequestHeaders:\n        - Authorization # forwards the header to the authorization service.\n    routing:\n      rules:\n      - route:\n          host: ns1/productpage.ns1.svc.cluster.local\n    rateLimiting:\n      settings:\n        rules:\n          # Ratelimit at 10 requests/hour for clients with a remote address of 1.2.3.4 \n        - dimensions: \n          - remoteAddress:\n              value: 1.2.3.4\n          limit:\n            requestsPerUnit: 10\n            unit: HOUR\n          # Ratelimit at 50 requests/minute for every unique value in the user-agent header\n        - dimensions:\n          - header:\n              name: user-agent\n          limit:\n            requestsPerUnit: 50\n          
  unit: MINUTE\n          # Ratelimit at 100 requests/second for every unique client remote address\n          # with the HTTP requests having a GET method and the path prefix of /productpage\n        - dimensions:\n          - remoteAddress:\n              value: \"*\"\n          - header:\n              name: \":path\"\n              value:\n                prefix: /productpage\n          - header:\n              name: \":method\"\n              value:\n                exact: \"GET\"\n          limit:\n            requestsPerUnit: 100\n            unit: SECOND\n```\n\nIn the following example, the clients are authenticated using an external OIDC provider using\n[AUTHORIZATION_CODE grant type](https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow).\nOnce the client request is authenticated, it gets forwarded to the `productpage`\nservice in the backend.\nThe access_token generated after client authentication is set as `Bearer` in request headers.\nThe state of authentication is stored in cookies.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    routing:\n      rules:\n        - redirect:\n            authority: bookinfo.com\n            port: 9443\n            redirectCode: 301\n            scheme: https\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    authentication:\n      oidc:\n        grantType: AUTHORIZATION_CODE\n        clientId: \"my-client\"\n        clientTokenSecret: \"my-secret\"\n        redirectUri: https://httpbin.example.com/bearer\n        provider:\n          issuer: https://accounts.google.com\n          authorizationEndpoint: 
https://accounts.google.com/v1/authorize\n          tokenEndpoint: https://accounts.google.com/v1/token\n          jwksUri: https://www.googleapis.com/oauth2/v3/certs\n    authorization:\n      external:\n        uri: https://company.com/authz\n        includeRequestHeaders:\n          - Authorization # forwards the header to the authorization service.\n    routing:\n      rules:\n      - route:\n          serviceDestination:\n            host: ns1/productpage.ns1.svc.cluster.local\n```\n\nIf the `productpage.ns1` service on Kubernetes has a `ServiceRoute`\nwith multiple subsets and weights, the traffic will be split across\nthe subsets accordingly.\n\nThe following example illustrates defining non-HTTP servers (based\non TCP) with TLS termination. Here, kafka.myorg.internal uses non-HTTP\nprotocol and listens on port 9000. The clients have to connect with TLS\nwith the SNI `kafka.myorg.internal`. The TLS is terminated at the gateway\nand the traffic is routed to `kafka.infra.svc.cluster.local:8000`.\n\nIf subsets are defined in the `ServiceRoute` referencing\n`kafka.infra.svc.cluster.local` service, then it is also considered\nwhile routing.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  tcp:\n  - name: kafka-gateway\n    hostname: kafka.myorg.internal\n    port: 9000\n    tls:\n      mode: SIMPLE\n      secretName: kafka-cred\n    route:\n      host: kafka.infra.svc.cluster.local\n      port: 8000\n```\n\nThe following example customizes the `Extensions` to enable\nthe execution of the specified WasmExtensions list and details\ncustom properties for the execution of each extension.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  
organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  extension:\n  - fqn: hello-world # fqn of imported extensions in TSB\n    config:\n      foo: bar\n  http:\n  - name: bookinfo\n    port: 80\n    hostname: bookinfo.com\n    routing:\n      rules:\n      - route:\n          host: ns1/productpage.ns1.svc.cluster.local\n```\n\n`IngressGateway` also allows you to apply ModSecurity/Coraza compatible Web\nApplication Firewall rules to traffic passing through the gateway.\n\n```yaml\napiVersion: gateway.xcp.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: waf-gw\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: waf-gateway\n  http:\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n  waf:\n    rules:\n      - Include @recommended-conf\n      - SecResponseBodyAccess Off\n      - Include @owasp_crs/*.conf\n```\n\n\n\n","type":"object","title":":::warning Deprecation\nThe functionality provided by the `IngressGateway` is now provided by the `Gateway` object, and\nusing it is the recommended approach. The `IngressGateway` resource will be removed in future releases.\n:::","required":["workloadSelector"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"extension":{"description":"Extensions specifies all the WasmExtensions assigned to this IngressGateway\nwith the specific configuration for each extension. 
This custom configuration\nwill override the one configured globally to the extension.\nEach extension has a global configuration including enablement and priority\nthat will condition the execution of the assigned extensions.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"}},"http":{"description":"One or more HTTP or HTTPS servers exposed by the gateway. The\nserver exposes configuration for TLS termination, request\nauthentication/authorization, HTTP routing, etc.","type":"array","items":{"$ref":"#/components/schemas/v2HttpServer"}},"tcp":{"type":"array","title":"One or more non-HTTP and non-passthrough servers which use TCP\nbased protocols. This server also exposes configuration for terminating TLS","items":{"$ref":"#/components/schemas/v2TCPServer"}},"tlsPassthrough":{"description":"One or more TLS servers exposed by the gateway. The server\ndoes not terminate TLS and exposes config for SNI based routing.","type":"array","items":{"$ref":"#/components/schemas/v2TLSPassthroughServer"}},"waf":{"$ref":"#/components/schemas/v2WAFSettings"},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2IngressGateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Gateways"],"summary":"Delete the given Ingress Gateway object.","operationId":"Gateways_DeleteIngressGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. 
If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_14","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_14","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected 
error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/ingressgateways/{ingressgateway}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_14","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Ingressgateway name.","name":"ingressgateway","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/installgateways":{"get":{"tags":["Gateways"],"summary":"List all Install Gateway objects in the gateway group.","operationId":"Gateways_ListInstallGateways","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListInstallGatewaysResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Gateways"],"summary":"Create an 
Install Gateway object in the gateway group.","operationId":"Gateways_CreateInstallGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create an InstallGateway.","type":"object","required":["name","gateway"],"properties":{"gateway":{"$ref":"#/components/schemas/installdataplanev1alpha1GatewaySpec"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/installdataplanev1alpha1GatewaySpec"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/installgateways/{installgateway}":{"get":{"tags":["Gateways"],"summary":"Get the details of the given Install Gateway object.","operationId":"Gateways_GetInstallGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Installgateway 
name.","name":"installgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/installdataplanev1alpha1GatewaySpec"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Gateways"],"summary":"Modify the given Install Gateway object.","operationId":"Gateways_UpdateInstallGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Installgateway name.","name":"installgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"GatewaySpec defines the desired installed state of a single\ngateway for a given namespace in Service Bridge. Specifying a minimal\nGatewaySpec with a hub will create a default gateway with sensible\nvalues.\n\n","type":"object","properties":{"concurrency":{"description":"Number of Envoy worker threads to run. By default it will be set\nautomatically based on the gateway's CPU resource limits.\n\nSet to `-1` to use the legacy behavior of all cores on the machine.","type":"integer","format":"int32"},"connectionDrainDuration":{"description":"The amount of time the gateway will wait on shutdown for connections to\ncomplete before terminating the gateway. 
During this drain period, no new\nconnections can be created but existing ones are allowed to complete.","type":"string"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"revision":{"type":"string","title":"Specifies the Istio revision to reconcile with.\nIf specified, the TSB control plane operator will reconcile this gateway only\nif the operator's revision matches it. The TSB data plane operator, which\nruns only when the TSB control plane operator is not configured with a\nrevision, will ignore the revision field and will reconcile the gateway as usual.\nInternally, this revision is used to pick the matching Istio control plane\nfor the gateway deployment\nhttps://istio.io/latest/docs/setup/upgrade/canary/"},"targetCluster":{"description":"Cluster where the gateway will be deployed. Required when using TSB MP and TSB GitOps to deploy the gateway.\nIgnored when using as a pure kubernetes resource.","type":"string"},"targetNamespace":{"description":"Namespace where the gateway will be deployed. 
Required when using TSB MP and TSB GitOps to deploy the gateway.\nIgnored when using as a pure kubernetes resource.","type":"string"},"type":{"$ref":"#/components/schemas/dataplanev1alpha1GatewaySpecType"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/installdataplanev1alpha1GatewaySpec"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Gateways"],"summary":"Delete the given Install Gateway object.","operationId":"Gateways_DeleteInstallGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Installgateway name.","name":"installgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given 
resource.","operationId":"Policy_SetPolicy_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/proxytools/clusterstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the cluster stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetClusterStats3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetClusterStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetClusterStatsResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/proxytools/configdump":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a config dump from a workload (Istio Proxy)","operationId":"ProxyDiagnosticService_GetConfigDump3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetConfigDumpBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetConfigDumpResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/proxytools/loggerlevels":{"put":{"tags":["ProxyDiagnosticService"],"summary":"Set the log levels of a workload","operationId":"ProxyDiagnosticService_SetLoggerLevels3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_SetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the logger levels of a workload","operationId":"ProxyDiagnosticService_GetLoggerLevels3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/proxytools/serverstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the server stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetServerStats3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetServerStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetServerStatsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/proxytools/streamlogs":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.","operationId":"ProxyDiagnosticService_StreamLogs3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_StreamLogsBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2StreamLogsResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2StreamLogsResponse"}}}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/proxytools/workloads":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the workload names under a given FQN resource and cluster.","operationId":"ProxyDiagnosticService_ListWorkloads3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_ListWorkloadsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListWorkloadsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/sharedgatewayreferencegrants":{"get":{"tags":["Gateways"],"summary":"List all Shared Gateway Reference Grants in the gateway group.","operationId":"Gateways_ListSharedGatewayReferenceGrants","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSharedGatewayReferenceGrantsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Gateways"],"summary":"Create a new Shared Gateway Reference Grant.","operationId":"Gateways_CreateSharedGatewayReferenceGrant","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a SharedGatewayReferenceGrant.","type":"object","required":["name","sharedGatewayReferenceGrant"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"sharedGatewayReferenceGrant":{"$ref":"#/components/schemas/v2SharedGatewayReferenceGrant"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SharedGatewayReferenceGrant"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/sharedgatewayreferencegrants/{sharedgatewayreferencegrant}":{"get":{"tags":["Gateways"],"summary":"Get the details of the given Shared Gateway Reference 
Grant.","operationId":"Gateways_GetSharedGatewayReferenceGrant","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Sharedgatewayreferencegrant name.","name":"sharedgatewayreferencegrant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SharedGatewayReferenceGrant"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Gateways"],"summary":"Update the given Shared Gateway Reference Grant.","operationId":"Gateways_UpdateSharedGatewayReferenceGrant","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Sharedgatewayreferencegrant name.","name":"sharedgatewayreferencegrant","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Shared Gateway Reference Grants allows sharing a Gateway with other Workspaces or Gateway Groups, so\nthat the referencing Workspaces or Gateway Groups can apply their own configurations to the shared 
Gateway.\n\nThe following example creates a Shared Gateway Reference Grant for the Gateway `shared-gw1` and allows the Workspace `w2`\nto reference it and apply its own configurations. Any shared Gateway configurations that are applied to `shared-gw1`\nin Workspace `w2` will be applied to the Gateway `shared-gw1` in Workspace `w1`.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: SharedGatewayReferenceGrant\nmetadata:\n  name: shared-gw1-grant\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  gatewaySelectors:\n  - nameSelector:\n      name: shared-gw1\n  from:\n    fqn:\n    - organizations/tetrate/tenants/mycompany/workspaces/w2\n```\n\n\n\n","type":"object","required":["from","gatewaySelectors"],"properties":{"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"from":{"$ref":"#/components/schemas/v2SharedGatewayReferenceGrantFrom"},"gatewaySelectors":{"description":"A list of Gateway Selectors that specify which Gateways are being shared.","type":"array","items":{"$ref":"#/components/schemas/SharedGatewayReferenceGrantGatewaySelector"}},"updateProtectionEnabled":{"description":"When set, prevents the resource from being deleted or updated. 
In order to delete or update the resource\nthis property needs to be set to `false` first.","type":"boolean"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SharedGatewayReferenceGrant"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Gateways"],"summary":"Delete the given Shared Gateway Reference Grant.","operationId":"Gateways_DeleteSharedGatewayReferenceGrant","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Sharedgatewayreferencegrant name.","name":"sharedgatewayreferencegrant","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/sharedgateways":{"get":{"tags":["Gateways"],"summary":"ListSharedGateways lists gateways that have a shared reference grant for the given gateway group, workspace, tenant, or organization.","operationId":"Gateways_ListSharedGateways","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSharedGatewaysResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. 
It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_13","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup 
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_13","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways":{"get":{"tags":["Gateways"],"summary":"List all Tier1 Gateway objects that have been created in the gateway 
group.","operationId":"Gateways_ListTier1Gateways","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListTier1GatewaysResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Gateways"],"summary":"Create a Tier1 Gateway object in the gateway group.","operationId":"Gateways_CreateTier1Gateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Tier1Gateway.","type":"object","required":["name","tier1Gateway"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"tier1Gateway":{"$ref":"#/components/schemas/v2Tier1Gateway"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Tier1Gateway"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}":{"get":{"tags":["Gateways"],"summary":"Get the details of the given Tier1 Gateway object.","operationId":"Gateways_GetTier1Gateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Tier1Gateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Gateways"],"operationId":"Gateways_UpdateTier1Gateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`Tier1Gateway` configures a workload to act as a 
gateway that\ndistributes traffic across one or more ingress gateways in other\nclusters.\n\n**NOTE:** Tier1 gateways cannot be used to route traffic to the\nsame cluster. A cluster with tier1 gateway cannot have any other\ngateways or workloads.\n\nThe following example declares a tier1 gateway running on pods with\n`app: gateway` labels in the `ns1` namespace. The gateway exposes\nhost `movieinfo.com` on ports 8080, 8443 and `kafka.internal` on port 9000.\nTraffic for these hosts at the ports 8443 and 9000 are TLS terminated and\nforwarded over Istio mutual TLS to the ingress gateways hosting\n`movieinfo.com` host on clusters `c3` and `c4` and the internal\n`kafka.internal` service in cluster `c3` respectively. The server at\nport 8080 is configured to receive plaintext HTTP traffic and redirect\nto port 8443 with \"Permanently Moved\" (HTTP 301) status code.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  externalServers:\n  - name: movieinfo-plain\n    hostname: movieinfo.com # Plaintext and HTTPS redirect\n    port: 8080\n    redirect:\n      authority: movieinfo.com\n      uri: \"/\"\n      redirectCode: 301\n      port: 8443\n      scheme: https\n  - name: movieinfo\n    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream\n    port: 8443\n    tls:\n      mode: SIMPLE\n      secretName: movieinfo-secrets\n    clusters:\n    - name: c3 # the target gateway IPs will be automatically determined\n      weight: 90\n    - name: c4\n      weight: 10\n    authentication:\n      rules:\n        jwt:\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.mycompany.com/oauth2/jwks\n        - issuer: \"auth.othercompany.com\"\n          jwksUri: https://auth.othercompany.com/oauth2/jwks\n    authorization:\n      external:\n        
uri: \"https://auth.company.com\"\n        includeRequestHeaders:\n        - authorization\n  tcpExternalServers:\n  - name: kafka\n    hostname: kafka.internal\n    port: 9000\n    tls:\n      mode: SIMPLE\n      secretName: kafka-cred\n    clusters:\n    - name: c3\n      weight: 100\n```\n\nIn the following example, the clients are authenticated using an external OIDC provider using\n[AUTHORIZATION_CODE grant type](https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow).\nOnce the client request is authenticated, it gets forwarded to the c3 or c4.\nThe access_token generated after client authentication is set as `Bearer` in request headers.\nThe state of authentication is stored in cookies.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  externalServers:\n  - name: movieinfo-plain\n    hostname: movieinfo.com # Plaintext and HTTPS redirect\n    port: 8080\n    redirect:\n      authority: movieinfo.com\n      uri: \"/\"\n      redirectCode: 301\n      port: 8443\n      scheme: https\n  - name: movieinfo\n    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream\n    port: 8443\n    tls:\n      mode: SIMPLE\n      secretName: movieinfo-secrets\n    clusters:\n    - name: c3 # the target gateway IPs will be automatically determined\n      weight: 90\n    - name: c4\n      weight: 10\n    authentication:\n      oidc:\n        grantType: AUTHORIZATION_CODE\n        clientId: \"my-client\"\n        clientTokenSecret: \"my-secret\"\n        redirectUri: https://httpbin.example.com/bearer\n        provider:\n          issuer: https://accounts.google.com\n          authorizationEndpoint: https://accounts.google.com/v1/authorize\n          tokenEndpoint: https://accounts.google.com/v1/token\n          jwksUri: 
https://www.googleapis.com/oauth2/v3/certs\n    authorization:\n      external:\n        uri: \"https://auth.company.com\"\n        includeRequestHeaders:\n        - authorization\n```\n\nTier1 gateways can also be used to forward mesh internal traffic\nfor Gateway hosts from one cluster to another. This form of\nforwarding will work only if the two clusters cannot reach each\nother directly (e.g., they are on different VPCs that are not\npeered). The following example declares a tier1 gateway running on\npods with `app: gateway` labels in the `ns1` namespace. The gateway\nexposes hosts `movieinfo.com`, `bookinfo.com`, and a non-HTTP server\ncalled `kafka.org-internal` within the mesh. Traffic to `movieinfo.com`\nis load balanced across all clusters on `vpc-02`, while traffic to\n`bookinfo.com` and `kafka.org-internal` is load balanced across ingress\ngateways exposing `bookinfo.com` on any cluster. Traffic from the source\n(sidecars) is expected to arrive on the tier1 gateway over Istio mTLS.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  internalServers: # forwarding gateway (HTTP traffic only)\n  - name: movieinfo\n    hostname: movieinfo.com\n    clusters:\n    - labels:\n        network: vpc-02 # the target gateway IPs will be automatically determined\n    authentication:\n      rules:\n        jwt:\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.company.com/oauth2/jwks\n        - issuer: \"auth.othercompany.com\"\n          jwksUri: https://auth.othercompany.com/oauth2/jwks\n    authorization:\n      external:\n        uri: \"https://auth.company.com\"\n        includeRequestHeaders:\n        - authorization\n  - name: bookinfo\n    hostname: bookinfo.com # route to any ingress gateway exposing bookinfo.com\n  tcpInternalServers: 
# forwarding non-HTTP traffic within the mesh\n  - name: kafka\n    hostname: kafka.org-internal\n```\n\n**NOTE:** If two clusters have direct connectivity, declaring\na tier1 internal server will have no effect.\n\nTier1 gateways can also be configured to expose hostnames in\nTLS passthrough mode. The tier1 gateway forwards the passthrough server traffic to\nany tier2 passthrough servers exposing the same hostname. In other words,\nto leverage passthrough at tier1, passthrough MUST also be configured\nat the tier2 IngressGateway.\n\n**NOTE:** A hostname like `abc.com` can be exposed either in passthrough mode or\nin TLS-terminating mode (External/Internal servers), but not in both modes.\n\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1-tls-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  passthroughServers:\n  - name: nginx\n    port: 8443\n    hostname: nginx.example.com\n```\n\nThe Tier1Gateway above requires at least one corresponding IngressGateway, e.g.:\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: tls-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  tlsPassthrough:\n    - name: nginx\n      port: 443\n      hostname: nginx.example.com\n      route:\n        host: \"ns1/my-nginx.default.svc.cluster.local\"\n        port: 443\n```\n\nThe following example customizes the `Extensions` field to enable\nthe execution of the specified WasmExtensions list and details\ncustom properties for the execution of each extension.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1-tls-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization:
myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  externalServers:\n  - name: movieinfo-plain\n    hostname: movieinfo.com # Plaintext and HTTPS redirect\n    port: 8080\n    redirect:\n      authority: movieinfo.com\n      uri: \"/\"\n      redirectCode: 301\n      port: 8443\n      scheme: https\n  extension:\n  - fqn: hello-world # fqn of imported extensions in TSB\n    config:\n      foo: bar\n```\n\nWhenever traffic is to be sent from one cluster to another, one or more of\nthe following would have to be true for it to succeed:\n- Both clusters belong to the same network.\n- Destination cluster network is not named.\n- [Organization Setting](https://docs.tetrate.io/service-bridge/en-us/refs/tsb/v2/organization_setting#organizationsetting)\nis set up to send traffic from source cluster to destination cluster.\n\n`Tier1Gateway` also allows you to apply ModSecurity/Coraza compatible Web\nApplication Firewall rules to traffic passing through the gateway.\n\n```yaml\napiVersion: gateway.xcp.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1-waf-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  passthroughServers:\n  - name: nginx\n    port: 8443\n    hostname: nginx.example.com\n  waf:\n    rules:\n      - Include @owasp_crs/*.conf\n```\n\n\n\n","type":"object","title":":::warning Deprecation\nThe functionality provided by the `Tier1Gateway` is now provided in `Gateway` object, and\nusing it is the recommended approach. 
The `Tier1Gateway` resource will be removed in future releases.\n:::","required":["workloadSelector"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"extension":{"description":"Extensions specifies all the WasmExtensions assigned to this Tier1Gateway\nwith the specific configuration for each extension. This custom configuration\nwill override the one configured globally to the extension.\nEach extension has a global configuration including enablement and priority\nthat will condition the execution of the assigned extensions.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"}},"externalServers":{"description":"One or more servers exposed by the gateway externally.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1ExternalServer"}},"internalServers":{"description":"One or more servers exposed by the gateway internally for cross cluster forwarding.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1InternalServer"}},"passthroughServers":{"description":"One or more tls passthrough servers exposed by the gateway externally.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1PassthroughServer"}},"tcpExternalServers":{"description":"One or more tcp servers exposed by the gateway externally.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1TCPExternalServer"}},"tcpInternalServers":{"description":"One or more tcp servers exposed by the gateway for mesh internal 
traffic.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1TCPInternalServer"}},"waf":{"$ref":"#/components/schemas/v2WAFSettings"},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Tier1Gateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Gateways"],"summary":"Delete the given Tier1 Gateway object.","operationId":"Gateways_DeleteTier1Gateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_16","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN.
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup
name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_16","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/tier1gateways/{tier1gateway}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_16","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tier1gateway name.","name":"tier1gateway","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/unifiedgateways":{"get":{"tags":["Gateways"],"summary":"List all Gateway objects in the gateway group.","operationId":"Gateways_ListGateways","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListGatewaysResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Gateways"],"summary":"Create a Gateway object in the gateway group.","operationId":"Gateways_CreateGateway","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Gateway.","type":"object","required":["name","gateway"],"properties":{"gateway":{"$ref":"#/components/schemas/gatewayv2Gateway"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/gatewayv2Gateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/gatewaygroups/{gatewaygroup}/unifiedgateways/{unifiedgateway}":{"get":{"tags":["Gateways"],"summary":"Get the details of the given Gateway object.","operationId":"Gateways_GetGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Unifiedgateway name.","name":"unifiedgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/gatewayv2Gateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Gateways"],"summary":"Modify the given Gateway object.","operationId":"Gateways_UpdateGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Unifiedgateway name.","name":"unifiedgateway","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"The `Gateway` configuration combines the functionalities of both the existing `Tier1Gateway` and `IngressGateway`,\nproviding a unified approach for configuring a workload as a gateway in the mesh.\nEach server within the `Gateway` is configured to route requests either to destination clusters, such as a `Tier1Gateway`,\nor to specific services, like an `IngressGateway`.\n\nThe following example declares a gateway running on pods\nwith `app: gateway` labels in the `ns1` namespace. The gateway\nexposes a host `bookinfo.com` on https port 9443 and http port 9090.\nThe port 9090 is configured to receive plaintext traffic and send a\nredirect to the https port 9443 (site-wide HTTP -> HTTPS redirection).\nAt port 9443, TLS is terminated using the certificates in the Kubernetes\nsecret `bookinfo-certs`. 
Clients are authenticated using JWT\ntokens, whose keys are obtained from the OIDC provider `www.googleapis.com`.\nThe request is then authorized by the user's authorization engine\nhosted at `https://company.com/authz` before being forwarded to\nthe `productpage` service in the backend.\nHere, the `gateway` is configured in a manner similar to an\nexisting `IngressGateway` with HTTP server.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    routing:\n      rules:\n        - redirect:\n            authority: bookinfo.com\n            port: 9443\n            redirectCode: 301\n            scheme: https\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    authentication:\n      rules:\n        jwt:\n        - issuer: https://accounts.google.com\n          jwksUri: https://www.googleapis.com/oauth2/v3/certs\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.mycompany.com/oauth2/jwks\n    authorization:\n      external:\n        uri: https://company.com/authz\n        includeRequestHeaders:\n          - Authorization # forwards the header to the authorization service.\n    routing:\n      rules:\n      - route:\n          serviceDestination:\n            host: ns1/productpage.ns1.svc.cluster.local\n    rateLimiting:\n      settings:\n        rules:\n          # Ratelimit at 10 requests/hour for clients with a remote address of 1.2.3.4\n        - dimensions:\n          - remoteAddress:\n              value: 1.2.3.4\n          limit:\n            requestsPerUnit: 10\n            unit: HOUR\n          # Ratelimit at 50 requests/minute for every unique value in the user-agent 
header\n        - dimensions:\n          - header:\n              name: user-agent\n          limit:\n            requestsPerUnit: 50\n            unit: MINUTE\n          # Ratelimit at 100 requests/second for every unique client remote address\n          # with the HTTP requests having a GET method and the path prefix of /productpage\n        - dimensions:\n          - remoteAddress:\n              value: \"*\"\n          - header:\n              name: \":path\"\n              value:\n                prefix: /productpage\n          - header:\n              name: \":method\"\n              value:\n                exact: \"GET\"\n          limit:\n            requestsPerUnit: 100\n            unit: SECOND\n```\n\nIn the following example, the clients are authenticated using an external OIDC provider using\n[AUTHORIZATION_CODE grant type](https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow).\nOnce the client request is authenticated, it gets forwarded to the `productpage`\nservice in the backend.\nThe access_token generated after client authentication is set as `Bearer` in request headers.\nThe state of authentication is stored in cookies.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    routing:\n      rules:\n        - redirect:\n            authority: bookinfo.com\n            port: 9443\n            redirectCode: 301\n            scheme: https\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    authentication:\n      oidc:\n        grantType: AUTHORIZATION_CODE\n        clientId: \"my-client\"\n        clientTokenSecret: \"my-secret\"\n        redirectUri: 
https://httpbin.example.com/bearer\n        provider:\n          issuer: https://accounts.google.com\n          authorizationEndpoint: https://accounts.google.com/v1/authorize\n          tokenEndpoint: https://accounts.google.com/v1/token\n          jwksUri: https://www.googleapis.com/oauth2/v3/certs\n    authorization:\n      external:\n        uri: https://company.com/authz\n        includeRequestHeaders:\n          - Authorization # forwards the header to the authorization service.\n    routing:\n      rules:\n      - route:\n          serviceDestination:\n            host: ns1/productpage.ns1.svc.cluster.local\n```\n\nIf the `productpage.ns1` service on Kubernetes has a `ServiceRoute`\nwith multiple subsets and weights, the traffic will be split across\nthe subsets accordingly.\n\nThe following example declares a gateway running on pods with\n`app: gateway` labels in the `ns1` namespace. The gateway exposes\nhost `movieinfo.com` on ports 8080, 8443 and `kafka.internal` on port 9000.\nTraffic for these hosts at the ports 8443 and 9000 is TLS terminated and\nforwarded over Istio mutual TLS to the ingress gateways hosting\n`movieinfo.com` host on clusters `c3` for matching prefix `v1` and `c4` for matching `v2`,\nand the internal `kafka.internal` service in cluster `c3` respectively. 
The server at\nport 8080 is configured to receive plaintext HTTP traffic and redirect\nto port 8443 with \"Permanently Moved\" (HTTP 301) status code.\nHere, the `gateway` is configured in a manner similar to an\nexisting `Tier1Gateway` with external servers.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: movieinfo-plain\n    hostname: movieinfo.com # Plaintext and HTTPS redirect\n    port: 8080\n    routing:\n      rules:\n        - redirect:\n            authority: movieinfo.com\n            port: 8443\n            redirectCode: 301\n            scheme: https\n            uri: \"/\"\n  - name: movieinfo\n    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream\n    port: 8443\n    tls:\n      mode: SIMPLE\n      secretName: movieinfo-secrets\n    routing:\n      rules:\n         - match:\n             - uri:\n                 prefix: \"/v1\"\n           route:\n             clusterDestination:\n               clusters:\n                 - name: c3 # the target gateway IPs will be automatically determined\n                   weight: 100\n         - match:\n             - uri:\n                 prefix: \"/v2\"\n           route:\n             clusterDestination:\n               clusters:\n                 - name: c4 # the target gateway IPs will be automatically determined\n                   weight: 100\n    authentication:\n      rules:\n        jwt:\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.mycompany.com/oauth2/jwks\n        - issuer: \"auth.othercompany.com\"\n          jwksUri: https://auth.othercompany.com/oauth2/jwks\n    authorization:\n      external:\n        uri: \"https://auth.company.com\"\n        includeRequestHeaders:\n          - authorization\n  tcp:\n  - name: kafka\n    hostname: 
kafka.internal\n    port: 9000\n    tls:\n      mode: SIMPLE\n      secretName: kafka-cred\n    route:\n      clusterDestination:\n        clusters:\n          - name: c3\n            weight: 100\n```\n\nThis example is used to forward mesh internal traffic\nfor Gateway hosts from one cluster to another. This form of\nforwarding will work only if the two clusters cannot reach each\nother directly (e.g., they are on different VPCs that are not\npeered). The following example declares a gateway running on\npods with `app: gateway` labels in the `ns1` namespace. The gateway\nexposes hosts `movieinfo.com`, `bookinfo.com`, and a non-HTTP server\ncalled `kafka.org-internal` within the mesh. Traffic to `movieinfo.com`\nis load balanced across all clusters on `vpc-02`, while traffic to\n`bookinfo.com` and `kafka.org-internal` is load balanced across ingress\ngateways exposing `bookinfo.com` on any cluster. Traffic from the source\n(sidecars) is expected to arrive on the tier1 gateway over Istio mTLS.\nHere, the `gateway` is configured in a manner similar to an\nexisting `Tier1Gateway` with internal servers.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http: # forwarding gateway (HTTP traffic only)\n  - name: movieinfo\n    transit: true # server marked as internal\n    hostname: movieinfo.com\n    routing:\n      rules:\n      - route:\n          clusterDestination:\n            clusters:\n            - labels:\n                network: vpc-02 # the target gateway IPs will be automatically determined\n    authentication:\n      rules:\n        jwt:\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.company.com/oauth2/jwks\n        - issuer: \"auth.othercompany.com\"\n          jwksUri: https://auth.othercompany.com/oauth2/jwks\n    authorization:\n     
 meshInternalAuthz:\n        external:\n          uri: \"https://auth.company.com\"\n          includeRequestHeaders:\n            - authorization\n  - name: bookinfo\n    transit: true # server marked as internal\n    hostname: bookinfo.com # route to any ingress gateway exposing bookinfo.com\n    routing:\n      rules:\n      - route:\n          clusterDestination:\n            clusters:\n  tcp: # forwarding non-HTTP traffic within the mesh\n  - name: kafka\n    transit: true # server marked as internal\n    hostname: kafka.org-internal\n    route:\n      clusterDestination:\n        clusters:\n```\n\nThe following example illustrates defining non-HTTP server (based\non TCP) with TLS termination. Here, kafka.myorg.internal uses non-HTTP\nprotocol and listens on port 9000. The clients have to connect with TLS\nwith the SNI `kafka.myorg.internal`. The TLS is terminated at the gateway\nand the traffic is routed to `kafka.infra.svc.cluster.local:8000`.\n\nIf subsets are defined in the `ServiceRoute` referencing\n`kafka.infra.svc.cluster.local` service, then it is also considered\nwhile routing.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  tcp:\n  - name: kafka-gateway\n    hostname: kafka.myorg.internal\n    port: 9000\n    tls:\n      mode: SIMPLE\n      secretName: kafka-cred\n    route:\n      serviceDestination:\n        host: kafka.infra.svc.cluster.local\n        port: 8000\n```\n\nThis is an example of configuring a gateway for TLS.\nThe gateway will forward the passthrough server traffic to clusters `c1` and `c2`.\nIt is essential to configure TLS on the same hostname at `c1` and `c2` as well.\nHere, the `gateway` is configured similarly to an existing `Tier1Gateway` with passthrough servers.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: 
Gateway\nmetadata:\n  name: tier1-tls-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  tls:\n  - name: nginx\n    port: 8443\n    hostname: nginx.example.com\n    route:\n      clusterDestination:\n         clusters:\n           - name: c1 # the target gateway IPs will be automatically determined\n             weight: 90\n           - name: c2\n             weight: 10\n```\n\nThis configuration defines a Gateway named `egress-access` intended for egress traffic management.\nIt operates within the namespace `ns` and targets pods labeled with `app: egressgateway`.\nThe Gateway exposes three external hosts for egress access: `example.com`, `httpbin.org`, and `apis.google.com`.\n\nBy default, egress access is denied for all three hosts.\nUsers must explicitly define allow rules for traffic to pass through.\n\nClients in the `cluster-1/client` namespace are granted access to the `example.com` host.\nClients in the `cluster-2/client` namespace can access `httpbin.org`.\nHowever, access to `apis.google.com` is denied for all clients.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: egress-access\n  labels:\n    xcp.tetrate.io/workspace: egress-ws\n    xcp.tetrate.io/gatewayGroup: egress-gw-group\nspec:\n  workloadSelector:\n    namespace: ns\n    labels:\n      app: egressgateway\n  http:\n    - name: example\n      hostname: \"example.com\"\n      routing:\n        rules:\n          - route:\n              serviceDestination:\n                host: \"ns/example.com\"\n                tls:\n                  mode: SIMPLE\n                  files:\n                    caCertificates: \"/etc/ssl/certs/ca-certificates.crt\"\n    - name: httpbin\n      hostname: \"httpbin.org\"\n      routing:\n        rules:\n          - route:\n              serviceDestination:\n                host: \"ns/httpbin.org\"\n                tls:\n    
              mode: SIMPLE\n                  files:\n                    caCertificates: \"/etc/ssl/certs/ca-certificates.crt\"\n    - name: apis\n      hostname: \"apis.google.com\"\n      routing:\n        rules:\n          - route:\n              serviceDestination:\n                host: \"ns/apis.google.com\"\n                tls:\n                  mode: SIMPLE\n                  files:\n                    caCertificates: \"/etc/ssl/certs/ca-certificates.crt\"\n  egressAuthorization:\n    - from:\n        mode: SERVICE_ACCOUNT\n        serviceAccounts:\n          - \"cluster-1/client/*\"\n      to:\n        - host:\n            exact: \"example.com\"\n    - from:\n        mode: SERVICE_ACCOUNT\n        serviceAccounts:\n          - \"cluster-2/client/*\"\n      to:\n        - host:\n            exact: \"httpbin.org\"\n```\n\nTSB provides ways to extend the bundled functionality that comes in with envoy\nusing the `extensions` field.\n\nThe following example shows a Gateway configuration in which the kong's\n`response-transformer` plugin is being used.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    extensions:\n      kong:\n        plugins:\n          - name: response-transformer\n            priority: 999\n            config:\n              inline:\n                remove:\n                  json:\n                  - example-field\n          - name: custom-header-adder\n            priority: 1000\n            config:\n              inline:\n                request_header_to_add: example-header\n            pluginSource:\n              configMap: 
cm-containing-this-plugin-in-gw-install-ns\n```\n\n\n\n","type":"object","required":["workloadSelector"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"egressAuthorization":{"description":"External services are onboarded into the mesh via service entry,\nand these services are exposed on the Gateway for egress access.\nBy default, access is denied for these hosts.\nUsers can configure EgressAuthorizationSettings to specify which service accounts are allowed.","type":"array","items":{"$ref":"#/components/schemas/v2EgressAuthorizationSettings"}},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"http":{"description":"One or more HTTP or HTTPS servers exposed by the gateway. The\nserver exposes configuration for TLS termination, request\nauthentication/authorization, HTTP routing, rate limiting, etc.","type":"array","items":{"$ref":"#/components/schemas/gatewayv2HTTP"}},"tcp":{"description":"One or more non-HTTP and non-passthrough servers which use TCP\nbased protocols. This server also exposes configuration for terminating TLS.","type":"array","items":{"$ref":"#/components/schemas/gatewayv2TCP"}},"tls":{"description":"One or more TLS servers exposed by the gateway. The server\ndoes not terminate TLS and exposes config for SNI based routing.","type":"array","items":{"$ref":"#/components/schemas/v2TLS"}},"waf":{"$ref":"#/components/schemas/v2WAFSettings"},"wasmPlugins":{"description":"WasmPlugins specifies all the WasmExtensionAttachment assigned to this Gateway\nwith the specific configuration for each plugin. 
This custom configuration\nwill override the one configured globally to the plugin.\nEach plugin has a global configuration including priority\nthat will condition the execution of the assigned plugins.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"}},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/gatewayv2Gateway"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Gateways"],"summary":"Delete the given Gateway object.","operationId":"Gateways_DeleteGateway","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Gatewaygroup name.","name":"gatewaygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Unifiedgateway name.","name":"unifiedgateway","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/impact":{"post":{"tags":["Profiles"],"summary":"ImpactAnalysis analyzes the impact of profile or resource attached profiles modifications.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding 
impacts.","operationId":"Profiles_ImpactAnalysis5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_ImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups":{"get":{"tags":["IstioInternal"],"summary":"List all Istio internal groups in the given workspace.","operationId":"IstioInternal_ListGroups","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListIstioInternalGroupsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"description":"Groups will by default configure all the namespaces owned by their workspace, unless\nexplicitly configured. 
If a specific set of namespaces is set for the group, it must be a\nsubset of the namespaces defined by its workspace.","tags":["IstioInternal"],"summary":"Create a new Istio internal group in the given workspace.","operationId":"IstioInternal_CreateGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create an Istio internal group.","type":"object","required":["name","group"],"properties":{"group":{"$ref":"#/components/schemas/tsbistiointernalv2Group"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbistiointernalv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}":{"get":{"tags":["IstioInternal"],"summary":"Get the details of the given Istio internal group.","operationId":"IstioInternal_GetGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup 
name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbistiointernalv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["IstioInternal"],"summary":"Modify an Istio internal group.","operationId":"IstioInternal_UpdateGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Istio internal groups only allow grouping `DIRECT` mode mesh resources in a set of namespaces\nowned by their parent workspace. This group is aimed at grouping resources not directly related\nto traffic, security, or gateway, such as `EnvoyFilters` and `ServiceEntry`.\nThe Istio internal group is meant to group highly coupled, implementation-detail-oriented Istio resources that\ndon't provide any `BRIDGE` mode guarantees or the backward/forward compatibility that other groups like\ntraffic, security or gateway can provide.\nThis is mainly because resources like `EnvoyFilters` are highly customizable and can interfere\nin unpredictable ways with any other routing, security, listeners, or filter chains, among other configurations\nthat TSB may have set up. 
Therefore, this group is only meant to be used by users/administrators who are confident\nwith those advanced features, knowing that the defined resources under this group will not interfere\nwith the TSB-provided mesh governance functionality.\n\nThe following example creates an Istio internal group for resources in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany`.\n```yaml\napiVersion: istiointernal.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n```\n\nIt is possible to directly attach Istio APIs such as `EnvoyFilter` and `ServiceEntry`\nto the Istio internal group. These configurations will then be pushed to the\nappropriate Istio control planes.\n\nThe following ServiceEntry example declares a few external APIs accessed by internal applications over HTTPS.\nThe sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service.\n\n```yaml\napiVersion: networking.istio.io/v1beta1\nkind: ServiceEntry\nmetadata:\n  name: external-svc-https\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/istioInternalGroup: t1\nspec:\n  hosts:\n  - api.dropboxapi.com\n  - www.googleapis.com\n  - api.facebook.com\n  location: MESH_EXTERNAL\n  ports:\n  - number: 443\n    name: https\n    protocol: TLS\n  resolution: DNS\n```\n\nThe namespace where the Istio APIs are applied will need to be part\nof the parent Istio internal group. 
In addition, each API object will need\nto have annotations to indicate the organization, tenant, workspace and the\nIstio internal group to which it belongs.\n\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbistiointernalv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["IstioInternal"],"summary":"Delete the given Istio internal group.\nNote that deleting resources in TSB is a recursive operation. 
Deleting an Istio internal group will\ndelete all configuration objects that exist in it.","operationId":"IstioInternal_DeleteGroup","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.\nIf this is set, then the object and all its children will be deleted even if any of them\nhas the deletion protection enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_17","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup 
name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup 
name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given 
resource FQN.","operationId":"Profiles_Blame_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access 
policy for the given resource.","operationId":"Policy_SetPolicy_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/proxytools/clusterstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the cluster stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetClusterStats6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetClusterStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetClusterStatsResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/proxytools/configdump":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a config dump from a workload (Istio Proxy)","operationId":"ProxyDiagnosticService_GetConfigDump6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetConfigDumpBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetConfigDumpResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/proxytools/loggerlevels":{"put":{"tags":["ProxyDiagnosticService"],"summary":"Set the log levels of a workload","operationId":"ProxyDiagnosticService_SetLoggerLevels6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup 
name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_SetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the logger levels of a workload","operationId":"ProxyDiagnosticService_GetLoggerLevels6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/proxytools/serverstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the server stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetServerStats6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetServerStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetServerStatsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/proxytools/streamlogs":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.","operationId":"ProxyDiagnosticService_StreamLogs6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_StreamLogsBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2StreamLogsResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2StreamLogsResponse"}}}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/proxytools/workloads":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the workload names under a given FQN resource and cluster.","operationId":"ProxyDiagnosticService_ListWorkloads6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_ListWorkloadsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListWorkloadsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup 
name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_18","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup 
name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup 
name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_18","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/settings/{setting}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_18","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_17","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup 
name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_17","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/istiointernalgroups/{istiointernalgroup}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_17","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Istiointernalgroup name.","name":"istiointernalgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/profiles":{"get":{"tags":["Profiles"],"summary":"List all Profiles that belong to a resource.","operationId":"Profiles_ListProfiles3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListProfilesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Profiles"],"summary":"Create a profile object for a given resource.\nA `Profile` object can be created at Organization, Tenant, and Workspace levels. 
Once created, a profile can be\nattached at its own level or down the hierarchy at Organization, Tenants, Workspaces and Groups levels.","operationId":"Profiles_CreateProfile3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CreateProfileBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Profile"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/profiles/{profile}":{"get":{"tags":["Profiles"],"summary":"Get the details of a Profile in a resource.","operationId":"Profiles_GetProfile3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Profile"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Profiles"],"summary":"Modify a Profile in a resource.","operationId":"Profiles_UpdateProfile3","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_UpdateProfileBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Profile"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Profiles"],"summary":"Delete a Profile from a resource.","operationId":"Profiles_DeleteProfile3","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/profiles/{profile}/currentimpact":{"post":{"tags":["Profiles"],"summary":"CurrentImpactAnalysis analyzes the current impact of a profile or a resource attached profiles.\nThe 
response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_CurrentImpactAnalysis6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CurrentImpactAnalysis2Body"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/profiles/{profile}/impact":{"post":{"tags":["Profiles"],"summary":"ImpactAnalysis analyzes the impact of profile or resource attached profiles modifications.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_ImpactAnalysis6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Profile 
name.","name":"profile","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_ImpactAnalysis2Body"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/proxytools/clusterstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the cluster stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetClusterStats2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetClusterStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetClusterStatsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/proxytools/configdump":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a config dump from a workload (Istio Proxy)","operationId":"ProxyDiagnosticService_GetConfigDump2","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetConfigDumpBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetConfigDumpResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/proxytools/loggerlevels":{"put":{"tags":["ProxyDiagnosticService"],"summary":"Set the log levels of a workload","operationId":"ProxyDiagnosticService_SetLoggerLevels2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_SetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the logger levels of a workload","operationId":"ProxyDiagnosticService_GetLoggerLevels2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/proxytools/serverstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the server stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetServerStats2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetServerStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetServerStatsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/proxytools/streamlogs":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.","operationId":"ProxyDiagnosticService_StreamLogs2","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_StreamLogsBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2StreamLogsResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2StreamLogsResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/proxytools/workloads":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the workload names under a given FQN resource and cluster.","operationId":"ProxyDiagnosticService_ListWorkloads2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_ListWorkloadsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListWorkloadsResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups":{"get":{"tags":["Security"],"summary":"List all security groups in the given workspace.","operationId":"Security_ListGroups","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSecurityGroupsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"description":"Groups will by default configure all the namespaces owned by their workspace, unless\nexplicitly configured. 
If a specific set of namespaces is set for the group, it must be a\nsubset of the namespaces defined by its workspace.","tags":["Security"],"summary":"Create a new security group in the given workspace.","operationId":"Security_CreateGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Security Group.","type":"object","required":["name","group"],"properties":{"group":{"$ref":"#/components/schemas/tsbsecurityv2Group"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbsecurityv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}":{"get":{"tags":["Security"],"summary":"Get the details of the given security group.","operationId":"Security_GetGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbsecurityv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Security"],"summary":"Modify a security group.","operationId":"Security_UpdateGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Security Groups allow grouping the proxy workloads in a set of namespaces\nowned by its parent workspace. Security related configurations can\nthen be applied on the group to control the behavior of these\nproxy workloads. The group can be in one of two modes: `BRIDGED` and\n`DIRECT`. 
`BRIDGED` mode is a minimalistic mode that allows users to\nquickly configure the most commonly used features in the service\nmesh using Tetrate specific APIs, while the `DIRECT` mode provides\nmore flexibility for power users by allowing them to configure the\nproxy workload's security properties using a restricted subset of Istio\nSecurity APIs.\n\nThe following example creates a security group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany`\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nAnd the associated security settings for the proxy workloads in the group\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authentication: REQUIRED\n```\n\nUnder the hood, Service Bridge translates these minimalistic\nsettings into Istio APIs such as `PeerAuthentication`,\n`AuthorizationPolicy`, etc. for the namespaces managed by the\nsecurity group. These APIs are then pushed to the Istio control\nplanes of clusters where the workspace is applicable.\n\nIt is possible to create a security group for namespaces in a\nspecific cluster as long as the parent workspace owns those\nnamespaces in that cluster. 
For example,\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"c1/ns1\" # pick ns1 namespace only from c1 cluster\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nIn the `DIRECT` mode, it is possible to directly attach Istio\nSecurity v1beta1 APIs - `PeerAuthentication`, and\n`AuthorizationPolicy` to the security group. These configurations\nwill be validated for correctness and conflict free operations and\nthen pushed to the appropriate Istio control planes.\n\nThe following example declares a `PeerAuthentication` policy for a\nspecific workload in the `ns1` namespace:\n\n```yaml\napiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\n  name: workload-mtls-disable\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/securityGroup: t1\nspec:\n  selector:\n    matchLabels:\n      app: reviews\n  mtls:\n    mode: DISABLE\n```\n\nThe namespace where the Istio APIs are applied will need to be part\nof the parent security group. In addition, each API object will need\nto have annotations to indicate the organization, tenant, workspace and the\nsecurity group to which it belongs.\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"configMode":{"$ref":"#/components/schemas/v2ConfigMode"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"profiles":{"description":"List of profiles attached to the security group to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"}},"securityDomain":{"description":"Security domains can be used to group different resources under the same security domain.\nAlthough a security domain is not itself a resource currently, it follows an FQN format\n`organizations/myorg/securitydomains/mysecuritydomain`, and a child cannot override any ancestor's\nsecurity domain.\nOnce a security domain is assigned to a _Security group_, all the children resources will belong to that\nsecurity domain in the same way a _Security setting_ belongs to a _Security group_, a _Security setting_\nwill also belong to the security domain assigned to the _Security group_.\nSecurity domains can also be used to define _Security settings Authorization rules_ in which you can allow\nor deny requests from or to a security domain.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbsecurityv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Security"],"summary":"Delete the given security group.\nNote that deleting resources in TSB is a 
recursive operation. Deleting a security group will\ndelete all configuration objects that exist in it.","operationId":"Security_DeleteGroup","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.\nIf this is set, then the object and all its children will be deleted even if any of them\nhas the deletion protection enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_19","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup 
name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest 
approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/availableprofiles":{"get":{"tags":["Profiles"],"summary":"Lists the profiles that can be attached to the given resource.\nThe returned profiles contain metadata (fqn, display name and description) information.\nTo retrieve the full profile, rely on `GetProfile` or `ListProfiles` methods.","operationId":"Profiles_ListAvailableProfiles6","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListAvailableProfilesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource 
FQN.","operationId":"Profiles_Blame_variant_4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/currentimpact":{"post":{"tags":["Profiles"],"summary":"CurrentImpactAnalysis analyzes the current impact of a profile or a resource attached profiles.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_CurrentImpactAnalysis9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CurrentImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of 
v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/impact":{"post":{"tags":["Profiles"],"summary":"ImpactAnalysis analyzes the impact of profile or resource attached profiles modifications.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_ImpactAnalysis9","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_ImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the 
current principal\non the given resource FQN. This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set 
the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/proxytools/clusterstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the cluster stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetClusterStats5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetClusterStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetClusterStatsResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/proxytools/configdump":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a config dump from a workload (Istio Proxy)","operationId":"ProxyDiagnosticService_GetConfigDump5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetConfigDumpBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetConfigDumpResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/proxytools/loggerlevels":{"put":{"tags":["ProxyDiagnosticService"],"summary":"Set the log levels of a workload","operationId":"ProxyDiagnosticService_SetLoggerLevels5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup 
name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_SetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the logger levels of a workload","operationId":"ProxyDiagnosticService_GetLoggerLevels5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/proxytools/serverstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the server stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetServerStats5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetServerStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetServerStatsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/proxytools/streamlogs":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.","operationId":"ProxyDiagnosticService_StreamLogs5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_StreamLogsBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2StreamLogsResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2StreamLogsResponse"}}}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/proxytools/workloads":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the workload names under a given FQN resource and cluster.","operationId":"ProxyDiagnosticService_ListWorkloads5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_ListWorkloadsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListWorkloadsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/servicesettings":{"get":{"tags":["Security"],"summary":"List all service security settings objects that have been attached to the security group.","operationId":"Security_ListServiceSecuritySettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup 
name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListServiceSecuritySettingsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Security"],"summary":"Create a service security settings object in the security group.","operationId":"Security_CreateServiceSecuritySettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Service Security Settings.","type":"object","required":["name","settings"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"settings":{"$ref":"#/components/schemas/v2ServiceSecuritySetting"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceSecuritySetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/servicesettings/{servicesetting}":{"get":{"tags":["Security"],"summary":"Get the details of the given service security settings 
object.","operationId":"Security_GetServiceSecuritySettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Servicesetting name.","name":"servicesetting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceSecuritySetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Security"],"summary":"Modify the given service security settings object.","operationId":"Security_UpdateServiceSecuritySettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Servicesetting name.","name":"servicesetting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`ServiceSecuritySetting` allows configuring security related properties\nsuch as TLS authentication and access control for traffic arriving\nat a particular service in a security group. 
These settings will replace\nthe security group wide settings for this service.\n\nThe following example defines a security setting that applies to the service\n`foo` in namespace `ns1` that only allows mutual TLS authenticated traffic\nfrom other proxy workloads in the same group.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: ServiceSecuritySetting\nmetadata:\n  name: foo-auth\n  group: sg1\n  workspace: w1\n  tenant: mycompany\n  org: myorg\nspec:\n  service: ns1/foo.ns1.svc.cluster.local\n  settings:\n    authentication: REQUIRED\n    authorization:\n      mode: GROUP\n```\n\nThe following example customizes the `Extensions` to enable\nthe execution of the WasmExtensions list specified, detailing\ncustom properties for the execution of each extension.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: ServiceSecuritySetting\nmetadata:\n  name: foo-wasm-plugin\n  group: sg1\n  workspace: w1\n  tenant: mycompany\n  org: myorg\nspec:\n  service: ns1/foo.ns1.svc.cluster.local\n  settings:\n    extension:\n    - fqn: hello-world # fqn of imported extensions in TSB\n      config:\n        foo: bar\n```\n\n\n\n","type":"object","required":["service"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"service":{"description":"The service on which the configuration is being applied. 
Must be in namespace/FQDN format.","type":"string"},"settings":{"$ref":"#/components/schemas/v2SecuritySetting"},"subsets":{"description":"Subset specific settings that will replace the service wide settings for the specified service\nsubsets.","type":"array","items":{"$ref":"#/components/schemas/v2ServiceSecuritySettingSubset"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceSecuritySetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Security"],"summary":"Delete the given service security settings from the group.","operationId":"Security_DeleteServiceSecuritySettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Servicesetting name.","name":"servicesetting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings":{"get":{"tags":["Security"],"summary":"List all security settings objects that have been attached to the security group.","operationId":"Security_ListSettings","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSecuritySettingsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Security"],"summary":"Create a security settings object in the security group.","operationId":"Security_CreateSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Security Settings.","type":"object","required":["name","settings"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"settings":{"$ref":"#/components/schemas/v2SecuritySetting"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SecuritySetting"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}":{"get":{"tags":["Security"],"summary":"Get the details of the given security settings object.","operationId":"Security_GetSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SecuritySetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Security"],"summary":"Modify the given security settings object.","operationId":"Security_UpdateSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`SecuritySetting` allows 
configuring security related properties\nsuch as TLS authentication and access control for traffic arriving\nat a proxy workload in a security group.\n\nThis is a global object that uniquely configures the security group, and there can \nbe only one security setting object defined for each security group.\n\nSecurity settings can be propagated along any defined security settings in the configuration hierarchy.\nHow security settings are propagated can be configured by specifying a *PropagationStrategy*.\n\nThe following example creates a security group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany` and defines a security setting that\nonly allows mutual TLS authenticated traffic from other proxy workloads in\nthe same group.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nAnd the associated security settings for all proxy workloads in the group\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: GROUP\n```\n\nThe following example customizes the `allowedSources` to allow\ntraffic from the namespaces within the group as well as the\n`catalog-sa` service account from `ns4` namespace.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: custom\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n    http:\n      rules:\n        jwt:\n        - issuer: \"https://auth.tetrate.io\"\n          jwksUri: \"https://oauth2.auth.tetrate.io/certs\"\n   
     - issuer: \"https://auth.tetrate.internal\"\n          jwksUri: \"https://oauth2.auth.tetrate.internal/certs\"\n  authorization:\n    mode: CUSTOM\n    serviceAccounts:\n    - \"ns1/*\"\n    - \"ns2/*\"\n    - \"ns3/*\"\n    - \"ns4/catalog-sa\"\n    http:\n      external:\n        uri: \"https://policy.auth.tetrate.io\"\n        includeRequestHeaders:\n        - authorization\n```\n\nThe following example **rejects all** traffic arriving at workloads from namespaces\nthat belong to security group `t1`.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n    rules:\n      denyAll: true\n```\n\nThe following example **accepts all** traffic arriving at workloads from namespaces\nthat belong to security group `t1`. All authenticated requests are accepted\nbecause no workload is targeted to be allowed or denied.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n```\n\nThe following example **accepts all** traffic arriving at workloads in namespaces that belong\nto security group `t1`, **except** traffic from workloads belonging to workspace `w2`.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n    rules:\n      deny:\n       - from:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w2\n         to:\n           fqn: 
organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1\n```\n\nThe following example accepts traffic arriving at workloads in namespaces that belong\nto security group `t1` from workloads belonging to workspace `w2`.\nHence, only authenticated requests to workloads in security group `t1` coming from\nworkloads in workspace `w2` are accepted. All other requests will be rejected.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n    rules:\n      allow:\n       - from:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w2\n         to:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1\n```\n\nThe following example uses a combination of allows and denies to show how rules are evaluated.\nLet's say we have a workspace `w3` which contains 3 security groups, `sg31`, `sg32`, and `sg33`. We also\nhave workspaces `w1` and `w2`.\nSecurity group `sg31` contains workloads that handle sensitive data, and we want to\nonly accept requests arriving from the same workspace `w3` and explicitly reject requests coming from `sg32`.\nHence, only authenticated requests to workloads in security group `sg31` coming from\nworkloads in workspace `w3` and security group `sg31` or `sg33` will be accepted. Requests coming from `sg32`\nwill be rejected. 
Moreover, a request coming from any workload that belongs to another\nworkspace (`w1` or `w2`), or to a security group that belongs to another workspace, will also be rejected\nby default because it is not in the list of allowed resource FQNs.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: sg31\n  workspace: w3\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n    rules:\n      allow:\n       - from:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w3\n         to:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31\n      deny:\n       - from:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg32\n         to:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31\n```\n\nThe following example customizes the `WAFSettings` to enforce Web Application\nFirewall rules on sidecars in the namespaces that reside in the SecurityGroup.\n\nPlease **DO NOT** use it in production.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  waf:\n    rules:\n      - SecRuleEngine ON\n      - Include @owasp_crs/*.conf\n```\n\nThe following example customizes the `Extensions` to enable\nthe execution of the WasmExtensions list specified, detailing\ncustom properties for the execution of each extension.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  extension:\n  - fqn: hello-world # fqn of imported extensions in TSB\n    config:\n      foo: 
bar\n```\n\n\n\n","type":"object","properties":{"authentication":{"$ref":"#/components/schemas/v2SecuritySettingAuthenticationMode"},"authenticationSettings":{"$ref":"#/components/schemas/tsbsecurityv2AuthenticationSettings"},"authorization":{"$ref":"#/components/schemas/tsbsecurityv2AuthorizationSettings"},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"extension":{"description":"Extensions specifies all the WasmExtensions assigned to this SecuritySettings\nwith the specific configuration for each extension. This custom configuration\nwill override the one configured globally to the extension.\nEach extension has a global configuration including enabling and priority\nthat will condition the execution of the assigned extensions.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"}},"propagationStrategy":{"$ref":"#/components/schemas/v2PropagationStrategy"},"waf":{"$ref":"#/components/schemas/v2WAFSettings"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SecuritySetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Security"],"summary":"Delete the given security settings from the group.","operationId":"Security_DeleteSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. 
If the resource has existing policies settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_20","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup 
name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An 
unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup 
name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_20","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/settings/{setting}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_20","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_19","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup 
name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/securitygroups/{securitygroup}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_19","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Securitygroup name.","name":"securitygroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings":{"get":{"tags":["Workspaces"],"summary":"List all settings available for the given workspace.","operationId":"Workspaces_ListSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListWorkspaceSettingsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Workspaces"],"summary":"Create default settings for a workspace.\nDefault settings will apply to the services owned by the workspace, unless more\nspecific settings are provided at the group level.","operationId":"Workspaces_CreateSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Workspace Settings.","type":"object","required":["name","settings"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"settings":{"$ref":"#/components/schemas/v2WorkspaceSetting"}}}}},"required":true},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2WorkspaceSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}":{"get":{"tags":["Workspaces"],"summary":"Get the details of a settings object for the given workspace.","operationId":"Workspaces_GetSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2WorkspaceSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Workspaces"],"summary":"Modify the given workspace settings.","operationId":"Workspaces_UpdateSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Workspace setting allows configuring the default traffic, security and\neast-west gateway settings for all the workloads in 
the namespaces owned by\nthe workspace. Any namespace in the workspace that is not part of a\ntraffic or security group with specific settings will use these default\nsettings.\n\nThis is a global object that uniquely configures the workspace, and there can\nbe only one workspace setting object defined for each workspace.\n\nThe following example sets the default security policy to accept\neither mutual TLS or plaintext traffic, and only accept connections\nat a proxy workload from services within the same namespace. The default\ntraffic policy allows unknown traffic from a proxy workload to be\nforwarded via an egress gateway `tsb-egress` in the `perimeter`\nnamespace in the same cluster.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultSecuritySetting:\n    authenticationSettings:\n      trafficMode: REQUIRED\n  defaultTrafficSetting:\n    outbound:\n      egress:\n        host: bookinfo-perimeter/tsb-egress\n```\n\nIn order to set all the proxies in a workspace to use a specific load balancer\nalgorithm such as `LEAST_REQUEST` for all outbound requests, the `defaultTrafficSetting`\nresource can be defined as follows.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultTrafficSetting:\n    outbound:\n      upstreamTrafficSettings:\n      - hosts:\n        - '*' # asterisk '*' selects all upstream hosts\n        settings:\n          loadBalancer:\n            simple: LEAST_REQUEST\n```\n\nThe above traffic settings are for outbound requests from proxies in the workspace.\nThe inbound traffic can also be configured for proxies at a workspace level. 
For example\nthe following configures the tcp keep alive for all downstream connections to workloads in\nthis workspace with 300 seconds idle time.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultTrafficSetting:\n    inbound:\n      resilience:\n        connectionPool:\n          tcp:\n            keepAlive:\n              idleTime: 300\n```\n\nSimilarly other traffic setting properties can be set at a workspace level. Refer\nto `TrafficSettings` documentation for more information. Note that a workspace level\ntraffic configuration can be overwritten by more granular configuration such as\n`TrafficSettings` or `ServiceTrafficSettings`.\n\nThe next example sets the defaults for east-west traffic configuring gateways\nfor two different app groups.\nThe first setting configures the gateway from the namespace `platinum` to manage the traffic\nfor all those workloads with the labels `tier: platinum` and `critical: true`.\nThe second one configures the gateway from the namespace `internal` to manage the traffic\nfor all those workloads with the labels `app: eshop` or `internal-critical: true`.\nSetting up multiple east-west gateways allows isolating also the cross-cluster traffic.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultEastWestGatewaySettings:\n  - workloadSelector:\n      namespace: platinum\n      labels:\n        app: eastwest-gw\n    exposedServices:\n    - serviceLabels:\n        tier: platinum\n        critical: \"true\"\n  - workloadSelector:\n      namespace: internal\n      labels:\n        app: eastwest-gw\n    exposedServices:\n    - serviceLabels:\n        app: eshop\n    - serviceLabels:\n        internal-critical: \"true\"\n```\n\nThe next example configures workspace settings for 
different workspaces\nwith a list of gateway hosts that they can reach.\n\nThe first one configures the hostname `echo-1.tetrate.io` which is reachable\nfrom workspace w1.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  hostsReachability:\n    hostnames:\n     - exact: echo-1.tetrate.io\n```\n\nThe second one configures the hostnames `echo-1.tetrate.io` and\n`echo-2.tetrate.io` which are reachable from workspace w2.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w2-settings\n  workspace: w2\n  tenant: mycompany\n  organization: myorg\nspec:\n  hostsReachability:\n    hostnames:\n     - exact: echo-1.tetrate.io\n     - exact: echo-2.tetrate.io\n```\n\nThe third configures nothing.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w3-settings\n  workspace: w3\n  tenant: mycompany\n  organization: myorg\nspec:\n```\n\nThe last one configures an empty hostname list.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w4-settings\n  workspace: w4\n  tenant: mycompany\n  organization: myorg\nspec:\n  hostsReachability:\n    hostnames: []\n```\n\nIn summary, the previous example makes:\n- The host `echo-1.tetrate.io` to be reachable from namespaces configured in workspaces `w1`, `w2` and `w3`.\n- The host `echo-2.tetrate.io` to be reachable from namespaces configured in workspaces `w2` and `w3`.\n- All hosts to be reachable from namespaces configured in workspace `w3`.\n- Workspace `w4` cannot reach any hosts.\n\n\n\n","type":"object","properties":{"defaultEastWestGatewaySettings":{"description":"Default east west gateway settings specifies workspace-wide east-west gateway configuration.\nThis is used to configure east-west routing (required for fail-over) for the services that\nare not exposed on the gateways. 
All the services matching the specified criteria are picked\nup for exposing on the east-west gateway workload selected by the workload selector. In case\na service matches selectors in multiple items, the one which comes first is picked up.","type":"array","items":{"$ref":"#/components/schemas/v2EastWestGateway"}},"defaultSecuritySetting":{"$ref":"#/components/schemas/v2SecuritySetting"},"defaultTrafficSetting":{"$ref":"#/components/schemas/v2TrafficSetting"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"failoverSettings":{"$ref":"#/components/schemas/tsbtypesv2FailoverSettings"},"hostsReachability":{"$ref":"#/components/schemas/v2HostsReachability"},"regionalFailover":{"description":"Locality routing settings for all gateways in the workspace. Overrides any global settings.\nPlease use FailoverSettings instead. 
If FailoverSettings is set, it takes precedence over this field.\n\nExplicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.\nShould be used together with OutlierDetection to detect unhealthy endpoints.\nNote: if no OutlierDetection specified, this will not take effect.","type":"array","items":{"$ref":"#/components/schemas/tsbtypesv2RegionalFailover"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2WorkspaceSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Workspaces"],"summary":"Delete the given workspace settings.","operationId":"Workspaces_DeleteSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policies settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_21","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting 
name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for 
the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal.\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given 
resource.","operationId":"Policy_SetPolicy_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_21","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/settings/{setting}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_21","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/sharedgateways":{"get":{"tags":["Gateways"],"summary":"ListSharedGateways lists gateways that have a shared reference 
grant for the given gateway group, workspace, tenant, or organization.","operationId":"Gateways_ListSharedGateways2","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSharedGatewaysResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/status/search":{"get":{"tags":["Status"],"summary":"Search the status of resources related to the specified search criteria.\nIt will descend in the hierarchy starting with the resource identified by the given FQN.\nThis method is available for organizations, 
tenant or workspace resources.\nIn the case of configuration sharing between multiple workspaces (such as common t1 and t2 scenarios),\nit’s recommended to use the tenant FQN instead of the workspace FQN.\nThis ensures that the search is not limited to a specific workspace and considers configurations from other workspaces.","operationId":"Status_SearchStatus3","parameters":[{"description":"Fully-qualified domain name to search in the mesh that exposes a service. Example: \"test.tetrate.io\"","name":"fqdn","in":"query","required":true,"schema":{"type":"string"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2SearchStatusResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. 
It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_12","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing 
telemetry source.","operationId":"Sources_GetSource_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the 
details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups":{"get":{"tags":["Traffic"],"summary":"List all traffic groups in the given workspace.","operationId":"Traffic_ListGroups","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListTrafficGroupsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"description":"Groups will by default configure all the namespaces owned by their workspace, unless\nexplicitly configured. 
If a specific set of namespaces is set for the group, it must be a\nsubset of the namespaces defined by its workspace.","tags":["Traffic"],"summary":"Create a new traffic group in the given workspace.","operationId":"Traffic_CreateGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Traffic Group.","type":"object","required":["name","group"],"properties":{"group":{"$ref":"#/components/schemas/tsbtrafficv2Group"},"name":{"description":"The short name for the resource to be created.","type":"string"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbtrafficv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}":{"get":{"tags":["Traffic"],"summary":"Get the details of the given traffic group.","operationId":"Traffic_GetGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbtrafficv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Traffic"],"summary":"Modify the given traffic group.","operationId":"Traffic_UpdateGroup","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"A traffic group manages the routing properties of proxy workloads in a\ngroup of namespaces owned by the parent workspace.\n\nTraffic Groups allow grouping the proxy workloads in a set of namespaces\nowned by its parent workspace. Networking and routing related\nconfigurations can then be applied on the group to control the\nbehavior of these proxy workloads. The group can be in one of two modes:\n`BRIDGED` and `DIRECT`. 
`BRIDGED` mode is a minimalistic mode that\nallows users to quickly configure the most commonly used features\nin the service mesh using Tetrate specific APIs, while the `DIRECT`\nmode provides more flexibility for power users by allowing them to\nconfigure the proxy workload behavior using a restricted subset of Istio\nNetworking APIs.\n\nThe following example creates a traffic group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany` and sets up a `TrafficSetting`\ndefining the resilience properties for proxy workloads in these\nnamespaces.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nAnd the associated traffic settings for the proxy workloads in the group\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  resilience:\n    circuitBreakerSensitivity: MEDIUM\n```\n\nUnder the hood, Service Bridge translates these minimalistic\nsettings into Istio APIs such as `Sidecar`, `DestinationRule`,\netc. for the namespaces managed by the traffic group. These APIs\nare then pushed to the Istio control planes of clusters where the\nworkspace is applicable.\n\nIt is possible to create a traffic group for namespaces in a\nspecific cluster as long as the parent workspace owns those\nnamespaces in that cluster. 
For example,\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"c1/ns1\" # pick ns1 namespace only from c1 cluster\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nIn the `DIRECT` mode, it is possible to directly attach Istio APIs\nsuch as `VirtualService`, `DestinationRule`, and `Sidecar` to the\ntraffic group. These configurations will be validated for\ncorrectness and conflict-free operation and then pushed to the\nappropriate Istio control planes.\n\nThe following example declares a `DestinationRule` with two\nsubsets, for the `ratings` service in the `ns1` namespace:\n\n```yaml\napiVersion: networking.istio.io/v1beta1\nkind: DestinationRule\nmetadata:\n  name: ratings-subsets\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/trafficGroup: t1\nspec:\n  host: ratings.ns1.svc.cluster.local\n  subsets:\n  - name: stableversion\n    labels:\n      app: ratings\n      env: prod\n  - name: testversion\n    labels:\n      app: ratings\n      env: uat\n```\n\nThe namespace where the Istio APIs are applied will need to be part\nof the parent traffic group. In addition, each API object will need\nto have annotations to indicate the organization, tenant, workspace and the\ntraffic group to which it belongs.\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"configMode":{"$ref":"#/components/schemas/v2ConfigMode"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"profiles":{"description":"List of profiles attached to the traffic group to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/tsbtrafficv2Group"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Traffic"],"summary":"Delete the given traffic group.\nNote that deleting resources in TSB is a recursive operation. 
Deleting a traffic group will\ndelete all configuration objects that exist in it.","operationId":"Traffic_DeleteGroup","parameters":[{"description":"Force the deletion of the object even if deletion protection is enabled.\nIf this is set, then the object and all its children will be deleted even if any of them\nhas the deletion protection enabled.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_22","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup 
name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest 
approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/availableprofiles":{"get":{"tags":["Profiles"],"summary":"Lists the profiles that can be attached to the given resource.\nThe returned profiles contain metadata (fqn, display name and description) information.\nTo retrieve the full profile, rely on `GetProfile` or `ListProfiles` methods.","operationId":"Profiles_ListAvailableProfiles5","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListAvailableProfilesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource 
FQN.","operationId":"Profiles_Blame_variant_3","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/currentimpact":{"post":{"tags":["Profiles"],"summary":"CurrentImpactAnalysis analyzes the current impact of a profile or a resource attached profiles.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_CurrentImpactAnalysis8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_CurrentImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of 
v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/impact":{"post":{"tags":["Profiles"],"summary":"ImpactAnalysis analyzes the impact of profile or resource attached profiles modifications.\nThe response is streamed, with each message representing the impact analysis for a specific profile\nor resource and its corresponding impacts.","operationId":"Profiles_ImpactAnalysis8","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Profiles_ImpactAnalysisBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2ImpactAnalysisResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2ImpactAnalysisResponse"}}}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current 
principal\non the given resource FQN. This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access 
policy for the given resource.","operationId":"Policy_SetPolicy_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/proxytools/clusterstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the cluster stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetClusterStats4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetClusterStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetClusterStatsResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/proxytools/configdump":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a config dump from a workload (Istio Proxy)","operationId":"ProxyDiagnosticService_GetConfigDump4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetConfigDumpBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetConfigDumpResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/proxytools/loggerlevels":{"put":{"tags":["ProxyDiagnosticService"],"summary":"Set the log levels of a workload","operationId":"ProxyDiagnosticService_SetLoggerLevels4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup 
name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_SetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the logger levels of a workload","operationId":"ProxyDiagnosticService_GetLoggerLevels4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetLoggerLevelsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2LoggerLevelsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/proxytools/serverstats":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the server stats of an Istio Proxy","operationId":"ProxyDiagnosticService_GetServerStats4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant 
name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_GetServerStatsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetServerStatsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/proxytools/streamlogs":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.","operationId":"ProxyDiagnosticService_StreamLogs4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_StreamLogsBody"},"responses":{"200":{"description":"A successful response.(streaming responses)","content":{"application/json":{"schema":{"type":"object","title":"Stream result of v2StreamLogsResponse","properties":{"error":{"$ref":"#/components/schemas/googlerpcStatus"},"result":{"$ref":"#/components/schemas/v2StreamLogsResponse"}}}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/proxytools/workloads":{"post":{"tags":["ProxyDiagnosticService"],"summary":"Return the workload names under a given FQN resource and cluster.","operationId":"ProxyDiagnosticService_ListWorkloads4","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/ProxyDiagnosticService_ListWorkloadsBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListWorkloadsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes":{"get":{"tags":["Traffic"],"summary":"List all service routes that have been attached to the traffic group.","operationId":"Traffic_ListServiceRoutes","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup 
name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListServiceRoutesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Traffic"],"summary":"Create a new service route in the given traffic group.","operationId":"Traffic_CreateServiceRoute","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a ServiceRoute.","type":"object","required":["name","serviceRoute"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"serviceRoute":{"$ref":"#/components/schemas/v2ServiceRoute"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceRoute"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}":{"get":{"tags":["Traffic"],"summary":"Get the details of the given service route.","operationId":"Traffic_GetServiceRoute","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceRoute"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Traffic"],"summary":"Modify a service route.","operationId":"Traffic_UpdateServiceRoute","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"A service route controls routing configurations for traffic to a\nservice in a traffic group.\n\nService Routes can be used by service owners to configure traffic shifting\nacross different versions of a service in a Traffic Group. 
The traffic to\nthis service can originate from sidecars in the same or different traffic\ngroups, as well as gateways.\n\nThe following example yaml defines a Traffic Group `t1` in the namespaces\n`ns1`, `ns2` and `ns3`, owned by its parent Workspace `w1`.\nThen it defines a Service Route for the `reviews` service in the `ns1`\nnamespace with two subsets: `v1` and `v2`, where 80% of the traffic to the\nreviews service is sent to `v1` while the remaining 20% is sent to `v2`.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelectors:\n  - name: \"*/ns1\"\n  - name: \"*/ns2\"\n  - name: \"*/ns3\"\n  configMode: BRIDGED\n---\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  subsets:\n  - name: v1\n    labels:\n      version: v1\n    weight: 80\n  - name: v2\n    labels:\n      version: v2\n    weight: 20\n```\n\nServer side load balancing can be set through the combination of\n`portLevelSettings` and `stickySession`.\nThe following ServiceRoute will generate two routes:\n1. An HTTP route matching traffic on port 8080 and routing it 80:20 between\n   v1:v2, targeting port 8080. The server side load balancing will be based\n   on `header`.\n2. A TCP route matching traffic on port 443, and routing it 80:20 between\n   v1:v2, targeting port 443. 
The server side load balancing will be based\n   on `source IP`.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n  - port: 8080\n    trafficType: HTTP\n    stickySession:\n      header: x-session-hash\n  - port: 443\n    trafficType: TCP\n    stickySession:\n      useSourceIp: true\n  subsets:\n  - name: v1\n    labels:\n      version: v1\n    weight: 80\n  - name: v2\n    labels:\n      version: v2\n    weight: 20\n```\n\n**Note**: For TCP routes, only source IP (`useSourceIp: true`) is a valid\nload balancing hash key. Any other hash keys will be invalid.\n\nYou can also apply port settings just to a subset, such as in the following\nexample where for subset `v2` the source IP is used for sticky sessions.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n   - port: 8000\n     trafficType: TCP\n   - port: 443\n     trafficType: HTTP\n     stickySession:\n       header: x-sticky-hash\n  subsets:\n   - name: v1\n     labels:\n       version: v1\n     weight: 80\n   - name: v2\n     labels:\n       version: v2\n     weight: 20\n     portLevelSettings:\n       - port: 8000\n         trafficType: TCP\n         stickySession:\n           useSourceIp: true\n```\n\nIf the service exposes more than one port, then all such ports with\nprotocols need to be specified in top level `portLevelSettings`. Explicit\nroutes can be specified within `httpRoutes` or `tcpRoutes` sections. 
You can\nalso specify match conditions within each httpRoute to match the incoming\ntraffic and route the traffic accordingly.\n\nService Routes can also be used to delegate traffic weighting to a\n[Flagger Canary resource](https://docs.flagger.app).\nFirst create the resource with delegation enabled in each cluster, for example:\n```yaml\napiVersion: flagger.app/v1beta1\nkind: Canary\nmetadata:\n  name: reviews-canary\n  namespace: bookinfo\nspec:\n  targetRef:\n    apiVersion: apps/v1\n    kind: Deployment\n    name: reviews\n  service:\n    port: 9080\n    delegation: true\n  analysis:\n    threshold: 5\n    maxWeight: 50\n    stepWeight: 10\n```\n\nThen the following ServiceRoute will delegate all traffic on port 9080 to the above Flagger\nCanary.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews-sr\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: bookinfo/reviews.bookinfo.svc.cluster.local\n  portLevelSettings:\n    - port: 9080\n      trafficType: HTTP\n  httpRoutes:\n    - name: reviews-flagger\n      match:\n        - name: port-9080\n          port: 9080\n      flagger:\n        canary: reviews-canary\n        namespace: bookinfo\n```\n\nThe ServiceRoute below has two HTTP routes:\n1. The first route matches traffic on\n  `reviews.ns1.svc.cluster.local:8080/reviews` endpoint and `end-user: jason`\n  header and routes 80% of traffic to subset \"v1\" and 20% to subset \"v2\".\n2. 
The second route is the default HTTP route, which matches traffic on\n   `reviews.ns1.svc.cluster.local:8080/reviews` endpoint, and routes 50% of\n   traffic to subset \"v1\" and remaining 50% to subset \"v2\".\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n    - port: 8080\n      trafficType: HTTP\n  subsets:\n    - name: v1\n      labels:\n        version: v1\n      weight: 80\n    - name: v2\n      labels:\n        version: v2\n      weight: 20\n  httpRoutes:\n    - name: http-route-match-reviews-endpoint\n      match:\n        - name: match-reviews-endpoint\n          uri:\n            prefix: /reviews\n          headers:\n            end-user:\n              exact: jason\n          port: 8080\n      destination:\n        - subset: v1\n          weight: 80\n          port: 8080\n        - subset: v2\n          weight: 20\n          port: 8080\n    - name: http-route-default\n      match:\n        - name: match-default\n          uri:\n            prefix: /reviews\n          port: 8080\n      destination:\n        - subset: v1\n          weight: 50\n          port: 8080\n        - subset: v2\n          weight: 50\n          port: 8080\n```\n\n**Note**: Default routes will be generated automatically **only** if a port\nis specified in top level `portLevelSettings` but not used in any match\nconditions of httpRoutes, tcpRoutes or tlsRoutes (or if no routes are\nspecified). 
In all other conditions, all routes have to be defined\n**explicitly**.\n\nFor example, the ServiceRoute below will generate a `default-http-route`\nmatching on port `8080` and will route traffic in the ratio 80:20 between\nv1:v2.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n    - port: 8080\n      trafficType: HTTP\n  subsets:\n    - name: v1\n      labels:\n        version: v1\n      weight: 80\n    - name: v2\n      labels:\n        version: v2\n      weight: 20\n```\n\nA similar example for TCP traffic where all the traffic for port\n6666 will be sent to the v1 subset.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n    - port: 6666\n      trafficType: TCP\n  subsets:\n    - name: v1\n      labels:\n        version: v1\n      weight: 50\n    - name: v2\n      labels:\n        version: v2\n      weight: 50\n  tcpRoutes:\n    - name: tcp-route-match-port-6666-v1-100\n      match:\n        - name: match-condition-port-6666-v1-100\n          port: 6666\n      destination:\n        - subset: v1\n          weight: 100\n          port: 6666\n```\n\nFor HTTP traffic routes, fault injection allows delaying or aborting requests,\nand traffic mirroring allows mirroring a percentage of the traffic to multiple\ndifferent destinations.\n\nIn the next example, a Service Route defines a single HTTP route that\nmatches traffic on the `reviews` service on port 8080, with a 80/20 weight\nfor v1/v2 subsets.\nFor the specific `/reviews` path and `end-user: jason-chaos` header, an HTTP Route is defined with a\ndifferent subset where 100% of requests will go to v1, and have the 
following fault injections:\n- 2 out of 100 requests will have a 5 second delay\n- 1 out of 1000 will return a 400 HTTP status code.\n\nOn top of that, for all the `/reviews` requests, 5 out of 1000 will be mirrored to the service\n`debug-reviews.ns1.svc.cluster.local` on port 8888.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n   name: reviews\n   group: t1\n   workspace: w1\n   tenant: mycompany\n   organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n    - port: 8080\n      trafficType: HTTP\n  subsets:\n    - name: v1\n      labels:\n        version: v1\n      weight: 80\n    - name: v2\n      labels:\n        version: v2\n      weight: 20\n  httpRoutes:\n    - name: http-route-match-reviews-endpoint\n      match:\n        - name: match-reviews-endpoint\n          uri:\n            prefix: /reviews\n          headers:\n            end-user:\n              exact: jason-chaos\n          port: 8080\n      destination:\n        - subset: v1\n          port: 8080\n      fault:\n        delay:\n          percentage: 2\n          fixedDelay: 5s\n        abort:\n          percentage: 0.1\n          httpStatus: 400\n      mirrors:\n        - host: reviews.ns1.svc.cluster.local\n          subset: v2\n          port: 8080\n          percentage: 0.5\n```\n\n\n\n","type":"object","required":["service"],"properties":{"argoRollout":{"$ref":"#/components/schemas/v2ArgoRollout"},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"httpRoutes":{"description":"HTTPRoutes are used when HTTP traffic needs to be matched on uri, headers\nand port and destination routes need to be set using subset-weight\ncombinations specified within the route.\n**Note**: If a route is specified, then the global subset-weight\ncombinations (specified under subsets) will be ignored for the matched\nport, as subsets within route will take effect.","type":"array","items":{"$ref":"#/components/schemas/v2HTTPRoute"}},"portLevelSettings":{"type":"array","title":"In order to support multi-protocol routing, a list of all port/protocol combinations is needed.\nThese port settings are applied to all the subsets","items":{"$ref":"#/components/schemas/ServiceRoutePortLevelTrafficSettings"}},"service":{"description":"The service on which the configuration is being applied. Must be in namespace/FQDN format.","type":"string"},"stickySession":{"$ref":"#/components/schemas/ServiceRouteStickySession"},"subsets":{"description":"The set of versions of a service and the percentage of traffic to\nsend to each version.","type":"array","items":{"$ref":"#/components/schemas/v2ServiceRouteSubset"}},"tcpRoutes":{"description":"TCPRoutes match TCP traffic based on port number. 
The subset-weight\nconfiguration and priority have the same behaviour as HTTPRoutes.","type":"array","items":{"$ref":"#/components/schemas/v2TCPRoute"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceRoute"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Traffic"],"summary":"Delete the given service route.","operationId":"Traffic_DeleteServiceRoute","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policies settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for 
the given resource. When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_24","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup 
name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup 
name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_24","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that match any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belong to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/serviceroutes/{serviceroute}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_24","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Serviceroute name.","name":"serviceroute","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/servicesettings":{"get":{"tags":["Traffic"],"summary":"List all service traffic settings objects that have been attached to the traffic group.","operationId":"Traffic_ListServiceTrafficSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListServiceTrafficSettingsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Traffic"],"summary":"Create a service traffic settings object in the traffic 
group.","operationId":"Traffic_CreateServiceTrafficSetting","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Service Traffic Setting.","type":"object","required":["name","serviceSetting"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"serviceSetting":{"$ref":"#/components/schemas/v2ServiceTrafficSetting"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceTrafficSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/servicesettings/{servicesetting}":{"get":{"tags":["Traffic"],"summary":"Get the details of the given service traffic settings object.","operationId":"Traffic_GetServiceTrafficSetting","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Servicesetting 
name.","name":"servicesetting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceTrafficSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Traffic"],"summary":"Modify the given service traffic settings object.","operationId":"Traffic_UpdateServiceTrafficSetting","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Servicesetting name.","name":"servicesetting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"A service traffic setting applies configuration to a service in a\ntraffic group. Unset fields will inherit values from the\nworkspace-wide setting if any.\n\n`ServiceTrafficSetting` allows configuring traffic related properties\nsuch as resiliency, reachability, load balancing and egress proxy for a\nparticular service in a traffic group. These settings will merge and\noverwrite the traffic group wide settings.\n\nThe following example creates a traffic group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace `w1` under\ntenant `mycompany`. It then defines a service traffic setting for the workloads\nselected by service `foo.ns1.svc.cluster.local`. 
This setting limits the workloads\nof `foo.ns1.svc.cluster.local` to only discover services in `ns1`, `ns2`, `ns3`\nand `db` namespaces. It also configures that outbound traffic to a service or IP which\nis not a part of the mesh should be forwarded through the egress gateway deployed\nin `istio-system` namespace.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelectors:\n  - name: \"*/ns1\"\n  - name: \"*/ns2\"\n  - name: \"*/ns3\"\n  configMode: BRIDGED\n```\n\nAnd the associated service traffic settings:\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceTrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/foo.ns1.svc.cluster.local\n  settings:\n    outbound:\n      reachability:\n        mode: CUSTOM\n        hosts:\n        - \"ns1/*\"\n        - \"ns2/*\"\n        - \"ns3/*\"\n        - \"db/*\"\n      upstreamTrafficSettings:\n      - hosts:\n        - \"*\"\n        settings:\n          resilience:\n            circuitBreakerSensitivity: MEDIUM\n      egress:\n        host: istio-system/istio-egressgateway\n```\n\nThe following service traffic setting confines the reachability of the service\n`foo.ns1.svc.cluster.local` sidecar proxies in the traffic group `t1` to other\nnamespaces inside the group. 
The resilience and egress gateway settings will be\ninherited from the workspace wide traffic setting.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceTrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/foo.ns1.svc.cluster.local\n  settings:\n    outbound:\n      reachability:\n        mode: GROUP\n```\n\n\n\n","type":"object","required":["service","settings"],"properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"service":{"description":"The service on which the configuration is being applied. Must be in namespace/FQDN format.\n\nOnly one service traffic setting can be given per service. 
Any conflicting configuration created\nlater will be rejected by TSB.","type":"string"},"settings":{"$ref":"#/components/schemas/v2TrafficSetting"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ServiceTrafficSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Traffic"],"summary":"Delete the given service traffic settings from the group.","operationId":"Traffic_DeleteServiceTrafficSetting","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Servicesetting name.","name":"servicesetting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings":{"get":{"tags":["Traffic"],"summary":"List all the settings objects that have been attached to the given traffic group.","operationId":"Traffic_ListSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListTrafficSettingsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Traffic"],"summary":"Create a settings object for the given traffic group.","operationId":"Traffic_CreateSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request to create a Traffic Settings.","type":"object","required":["name","settings"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"settings":{"$ref":"#/components/schemas/v2TrafficSetting"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2TrafficSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}":{"get":{"tags":["Traffic"],"summary":"Get the details for the given settings 
object.","operationId":"Traffic_GetSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2TrafficSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Traffic"],"summary":"Modify the given settings in the given traffic group.","operationId":"Traffic_UpdateSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"A traffic setting applies configuration to a set of proxy workloads in a\ntraffic group or a workspace. When applied to a traffic group,\nmissing fields will inherit values from the workspace-wide setting if any.\n\nTraffic Settings allow configuring the behavior of the proxy workloads in\na set of namespaces owned by a traffic group. 
Specifically, it\nallows configuring the dependencies of proxy workloads on namespaces\noutside the traffic group as well as reliability settings for\noutbound calls made by the proxy workloads to other services.\n\nThis is a global object that uniquely configures the traffic group, and there can\nbe only one traffic setting object defined for each traffic group.\n\nThe following example creates a traffic group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany`. It then defines a traffic setting\nfor all the workloads in these namespaces, adding a dependency on\nall the services in the shared `db` namespace, and forwarding all\nunknown traffic via the egress gateway in the `istio-system`\nnamespace.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nAnd the associated traffic settings for the proxy workloads:\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    reachability:\n      mode: CUSTOM\n      hosts:\n      - \"ns1/*\"\n      - \"ns2/*\"\n      - \"ns3/*\"\n      - \"db/*\"\n    upstreamTrafficSettings:\n    - hosts:\n      - '*'\n      settings:\n        resilience:\n          circuitBreakerSensitivity: MEDIUM\n    egress:\n      host: istio-system/istio-egressgateway\n```\n\n\nTo set up the load balancing algorithm as `ROUND_ROBIN` for all outbound requests\nto service `foo.bar.svc.cluster.local` from clients in `t1` traffic group:\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    
upstreamTrafficSettings:\n    - hosts:\n      - 'foo.bar.svc.cluster.local'\n      settings:\n        loadBalancer:\n          simple: ROUND_ROBIN\n```\n\n`upstreamTrafficSettings` can be used to configure outbound traffic\nby grouping a set of upstream hosts so that they share a certain setting.\nIn the example below, all outbound requests to hosts matching the wildcard\n`*.ns1.svc.cluster.local` will use a request timeout of 10s, while hosts matching\n`*.ns2.svc.cluster.local` and `*.ns3.svc.cluster.local` will use a request timeout of 5s.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    upstreamTrafficSettings:\n    - hosts:\n      - '*.ns1.svc.cluster.local'\n      settings:\n        resilience:\n          connectionPool:\n            http:\n              requestTimeout: 10s\n    - hosts:\n      - '*.ns2.svc.cluster.local'\n      - '*.ns3.svc.cluster.local'\n      settings:\n        resilience:\n          connectionPool:\n            http:\n              requestTimeout: 5s\n```\n\nThe following traffic setting confines the reachability of proxy workloads\nin the traffic group `t1` to other namespaces inside the group. The\nresilience and egress gateway settings will be inherited from the\nworkspace-wide traffic setting.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    reachability:\n      mode: GROUP\n```\n\nThe above fields have now been moved to two different sections called `inbound`\nand `outbound` to allow better control over these fields. 
Please refer to the\nexample below to configure a traffic setting for all services in traffic group\n`t1`, configuring similar knobs as explained in earlier examples:\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  inbound:\n    resilience:\n      connectionPool:\n        tcp:\n          keepAlive:\n            idleTime: 300\n  outbound:\n    reachability:\n      mode: GROUP\n    upstreamTrafficSettings:\n    - hosts:\n      - '*.ns1.svc.cluster.local'\n      settings:\n        resilience:\n          connectionPool:\n            http:\n              requestTimeout: 10s\n```\n\nThis traffic setting configuration specifies upstream traffic settings\nfor specific hosts within the `client` namespace. It is associated with\nthe `w1` workspace and the `t1` traffic group.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: client-upstream-traffic-setting\n  namespace: client\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    upstreamTrafficSettings:\n    - hosts:\n      - 'httpbin.app1.svc.cluster.local'\n      - '*.app3.svc.cluster.local'\n      - '*.app4.svc.cluster.local'\n      settings:\n        authentication:\n          trafficMode: REQUIRED\n    - hosts:\n      - '*.app2.svc.cluster.local'\n      - 'tetrate.app4.svc.cluster.local'\n      settings:\n        authentication:\n          trafficMode: OPTIONAL\n```\n\nThis configuration specifies authentication requirements for traffic to the following hosts:\n- `httpbin.app1.svc.cluster.local` requires mTLS authentication.\n- All non-injected services in `app3` namespace require mTLS authentication.\n- All non-injected services in `app4` namespace require mTLS authentication, except for `tetrate.app4.svc.cluster.local`, which is excluded.\n- Authentication enforcement is skipped for all non-injected 
services in `app2` namespace.\n\n\n\n","type":"object","properties":{"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"egress":{"$ref":"#/components/schemas/v2TrafficSettingEgressGateway"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"inbound":{"$ref":"#/components/schemas/tsbtrafficv2InboundTrafficSetting"},"outbound":{"$ref":"#/components/schemas/tsbtrafficv2OutboundTrafficSetting"},"rateLimiting":{"$ref":"#/components/schemas/tsbgatewayv2RateLimiting"},"reachability":{"$ref":"#/components/schemas/tsbtrafficv2ReachabilitySettings"},"resilience":{"$ref":"#/components/schemas/v2ResilienceSettings"},"upstreamTrafficSettings":{"description":"List of hosts and the associated traffic settings to be used by\nthe clients that are downstreams to the defined upstream hosts.\n\nDEPRECATED. 
Moved to `outbound`.","type":"array","items":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamTrafficSettings"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2TrafficSetting"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Traffic"],"summary":"Delete the given settings object from the traffic group.","operationId":"Traffic_DeleteSettings","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policy settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_23","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup 
name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given resource.","operationId":"Approvals_DeleteApprovedAccess_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected 
error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/status":{"get":{"tags":["Status"],"summary":"Given the fully-qualified name of a resource, returns its current status.","operationId":"Status_GetStatus_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup 
name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_23","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/settings/{setting}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_23","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace 
name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Setting name.","name":"setting","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List 
the telemetry sources that are available for the requested parent. It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_22","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup 
name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/tenants/{tenant}/workspaces/{workspace}/trafficgroups/{trafficgroup}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_22","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"Tenant name.","name":"tenant","in":"path","required":true,"schema":{"type":"string"}},{"description":"Workspace name.","name":"workspace","in":"path","required":true,"schema":{"type":"string"}},{"description":"Trafficgroup name.","name":"trafficgroup","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users":{"get":{"tags":["Teams"],"summary":"List existing users.","operationId":"Teams_ListUsers","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListUsersResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"description":"This method should only be used when there is no Identity Provider configured in TSB\nand all users are managed locally by IAM.\nWhen using an external Identity Provider, the SyncOrganization method should be used\ninstead to synchronize the users and teams.","tags":["Teams"],"summary":"Create a local User in TSB.","operationId":"Teams_CreateUser","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","title":"Request to create a User.\n","required":["name","user"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"user":{"$ref":"#/components/schemas/v2User"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2User"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}":{"get":{"tags":["Teams"],"summary":"Get the details of an existing user.","operationId":"Teams_GetUser","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2User"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"description":"This method should only be used when there is no Identity Provider configured in TSB\nand all users are managed locally by IAM.\nWhen using an external Identity Provider, the SyncOrganization method should be used\ninstead to synchronize the users and teams.","tags":["Teams"],"summary":"Modify an existing local user.","operationId":"Teams_UpdateUser","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`User` represents a user that has been loaded from a configured\nIdentity Provider (IdP) that can log into the platform.\nCurrently, users are automatically synchronized by TSB from a\nconfigured LDAP server.\n\nThe following example creates a user named `john` under the organization\n`myorg`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: User\nmetadata:\n  name: john\n  organization: myorg\nspec:\n  loginName: john\n  firstName: John\n  lastName: Doe\n  displayName: John Doe\n  email: john.doe@acme.com\n```\n\n\n\n","type":"object","required":["loginName"],"properties":{"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"email":{"description":"Email for the user where alerts and other notifications will be sent.","type":"string"},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"firstName":{"description":"The first name of the user.","type":"string"},"lastName":{"description":"The last name of the user, if any.","type":"string"},"loginName":{"description":"The username used in the login credentials.","type":"string"},"sourceType":{"$ref":"#/components/schemas/v2SourceType"}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2User"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"description":"This method should only be used when there is no Identity Provider configured in TSB\nand all users are managed locally by IAM.\nWhen using an external Identity Provider, the SyncOrganization method should be used\ninstead to synchronize the users and teams.","tags":["Teams"],"summary":"Delete an existing user.","operationId":"Teams_DeleteUser","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/approvals":{"get":{"tags":["Approvals"],"summary":"GetPolicy returns the approval policy for the given resource.","operationId":"Approvals_GetPolicy_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User 
name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ApprovalPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["Approvals"],"summary":"SetPolicy enables authorization policy checks for the given resource and applies any provided\nrequest or approval settings. If the resource has existing policies settings, they will be replaced.\nOnce the policy is set, authorization checks will be performed for the given resource.","operationId":"Approvals_SetPolicy_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_SetPolicyBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["Approvals"],"summary":"DeletePolicy deletes the approval policy configuration for the given resource. 
When deleted, authorization\nchecks will no longer be performed, the resource will no longer accept approval requests and all existing approvals\nwill be revoked.","operationId":"Approvals_DeletePolicy_variant_7","parameters":[{"description":"Force the deletion of internal resources even if they are protected against deletion.","name":"force","in":"query","schema":{"type":"boolean"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/approvals/approved:add":{"post":{"tags":["Approvals"],"summary":"AddApprovedAccess adds a new entry in the approved access list for the given resource.","operationId":"Approvals_AddApprovedAccess_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/approvals/approved:delete":{"post":{"tags":["Approvals"],"summary":"DeleteApprovedAccess deletes an entry from the approved list for the given 
resource.","operationId":"Approvals_DeleteApprovedAccess_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/approvals/query":{"post":{"tags":["Approvals"],"operationId":"Approvals_QueryPolicies_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_QueryPoliciesBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryPoliciesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/approvals/requested:add":{"post":{"tags":["Approvals"],"summary":"AddAccessRequest adds a new access request entry in the access request list for the given resource.\nIf the policy approval mode is \"ALLOW_REQUESTED\", access is allowed immediately. 
If the policy approval\nmode is \"REQUIRE_APPROVAL\" access will be pending until the request is approved.","operationId":"Approvals_AddAccessRequest_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/approvals/requested:approve":{"post":{"tags":["Approvals"],"summary":"ApproveAccessRequest approves an existing access request for the given resource.\nOnce approved, the request will be removed from the requested list and added to the approved list.\nIf any of the permissions are changed, the requested permissions will be discarded and only the approved\npermissions will be added to the approved list.","operationId":"Approvals_ApproveAccessRequest_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_AddApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/approvals/requested:delete":{"post":{"tags":["Approvals"],"summary":"DeleteAccessRequest removes an existing entry 
from the access request list for the given resource.\nIf the request is already approved, the request no longer exists and this operation will return NotFound.\nDeleting an approved request should be done using the DeleteApproved operation.","operationId":"Approvals_DeleteAccessRequest_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Approvals_DeleteApprovedAccessBody"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/blame":{"get":{"tags":["Profiles"],"summary":"Get the profile blame data for a given resource FQN.","operationId":"Profiles_Blame_variant_12","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2BlameResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/permissions":{"get":{"tags":["Permissions"],"summary":"GetResourcePermission looks up permissions that are allowed for the current principal.\non the given resource FQN. 
This is similar to QueryResourcePermission but limited to a single\nresource FQN.","operationId":"Permissions_GetResourcePermissions_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2GetResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/policy":{"get":{"tags":["Policy"],"summary":"Get the access policy for the given resource.","operationId":"Policy_GetPolicy_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["Policy"],"summary":"Set the access policy for the given resource.","operationId":"Policy_SetPolicy_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"$ref":"#/components/requestBodies/Policy_SetPolicy_variant_1Body"},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error 
response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/status":{"get":{"tags":["Status"],"summary":"Given a resource fully-qualified name of a resource returns its current status.","operationId":"Status_GetStatus_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/telemetry/sources":{"get":{"tags":["Sources"],"summary":"List the telemetry sources that are available for the requested parent. 
It will return telemetry sources that belong\nto the requested parent and from all its child resources.","operationId":"Sources_ListSources_variant_7","parameters":[{"description":"The scope type that a telemetry source needs to match.\nTelemetry sources that matches any requested scope type will be returned.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","name":"scopeTypes","in":"query","explode":true,"schema":{"type":"array","items":{"enum":["INVALID","SERVICE","INGRESS","RELATION"],"type":"string"}}},{"description":"Which resources the telemetry sources must belong to.\nTelemetry sources that belongs to any requested resource will be returned.","name":"belongTos","in":"query","explode":true,"schema":{"type":"array","items":{"type":"string"}}},{"description":"Moment in time since we retrieve Telemetry Sources.","name":"existed.since","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Moment in time until we retrieve Telemetry Sources.","name":"existed.until","in":"query","schema":{"type":"string","format":"date-time"}},{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListSourcesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/telemetry/sources/{source}":{"get":{"tags":["Sources"],"summary":"Get the details of an existing telemetry source.","operationId":"Sources_GetSource_variant_7","parameters":[{"description":"Organization 
name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/telemetryv2Source"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/telemetry/sources/{source}/metrics":{"get":{"tags":["Metrics"],"summary":"List the telemetry metrics that are available for the requested telemetry source.","operationId":"Metrics_ListMetrics_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source name.","name":"source","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListMetricsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}/telemetry/sources/{source}/metrics/{metric}":{"get":{"tags":["Metrics"],"summary":"Get the details of an existing telemetry metric.","operationId":"Metrics_GetMetric_variant_7","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}},{"description":"Source 
name.","name":"source","in":"path","required":true,"schema":{"type":"string"}},{"description":"Metric name.","name":"metric","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Metric"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/organizations/{organization}/users/{user}:generateTokens":{"post":{"description":"Generate the tokens for a local user account so it can authenticate against management plane.\nThis method will return an error if the user account is not of type MANUAL. Credentials for\nnormal platform users must be configured in the corresponding Identity Provider.","tags":["Teams"],"summary":"Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.","operationId":"Teams_GenerateTokens","parameters":[{"description":"Organization name.","name":"organization","in":"path","required":true,"schema":{"type":"string"}},{"description":"User name.","name":"user","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2TokenResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/permissions/query":{"put":{"tags":["Permissions"],"summary":"QueryResourcePermission looks up permissions that are allowed for the current principal.\nMultiple records can be queried with a single request. 
Query limit is 100, multiple requests\nare required to lookup more than the limit.","operationId":"Permissions_QueryResourcePermissions","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryResourcePermissionsRequest"}}},"description":"Request to query permissions on multiple records.\n\nExample:\nQueryResourcePermissionsRequest {\n  Queries: []Query{\n    Query{\n      QueryID: \"1234\",\n      Kind: Query_Fqn{\n        Fqn: \"tetrate/tenants/default/workspaces/example\"\n      }\n    }\n  }\n}","required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2QueryResourcePermissionsResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/security/rbac":{"get":{"tags":["RBAC"],"summary":"List all existing roles.","operationId":"RBAC_ListRoles","responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2ListRolesResponse"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"post":{"tags":["RBAC"],"summary":"Create a new role.","operationId":"RBAC_CreateRole","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2CreateRoleRequest"}}},"description":"Request to create a Role.","required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Role"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/security/rbac/{rba}":{"get":{"tags":["RBAC"],"summary":"Get the details of the given 
role.","operationId":"RBAC_GetRole","parameters":[{"description":"Rba name.","name":"rba","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Role"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"put":{"tags":["RBAC"],"summary":"Modify a role.","operationId":"RBAC_UpdateRole","parameters":[{"description":"Rba name.","name":"rba","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"`Role` is a named collection of permissions that can be assigned to\nany user or team in the system. The set of actions that can be\nperformed by a user, such as the ability to create, delete, or\nupdate configuration will depend on the permissions associated with\nthe user's role. Roles are global resources that are defined\nonce. `AccessBindings` in each configuration group will bind a user\nto a specific role defined a priori.\n\nTSB comes with the following predefined roles:\n\n| Role | Permissions | Description |    \n| -----| ----------- | ----------- |\n| rbac/admin | `*` | Grants full access to the target resource and its child objects |\n| rbac/editor | `Read` `Write` `Create` | Grants read/write access to a resource and allows creating child resources |\n| rbac/creator | `Read` `Create` | Useful to delegate access to a resource without giving write access to the object itself. 
Users with this role will be able to manage sub-resources but not the resource itself |\n| rbac/writer | `Read` `Write` | Grants Read and Write access permissions |\n| rbac/reader | `Read` | Grants read-only permissions to a resource |\n\nThe following example declares a custom `workspace-admin` role with\nthe ability to create, delete configurations and the ability to set\nRBAC policies on the groups within the workspace.\n\n```yaml\napiVersion: rbac.tsb.tetrate.io/v2\nkind: Role\nmetadata:\n  name: role1\nspec:\n  rules:\n  - types:\n    - apiGroup: api.tsb.tetrate.io/v2\n      kinds:\n      - WorkspaceSetting\n    permissions:\n    - CREATE\n    - READ\n    - DELETE\n    - WRITE\n    - SET_POLICY\n```\n\n\n\n","type":"object","properties":{"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"rules":{"description":"A set of rules that define the permissions associated with each API group.","type":"array","items":{"$ref":"#/components/schemas/v2RoleRule"}}}}}},"required":true},"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2Role"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}},"delete":{"tags":["RBAC"],"summary":"Delete a role.\nRoles that are in use by policies attached to existing resources\ncannot be deleted.","operationId":"RBAC_DeleteRole","parameters":[{"description":"Rba name.","name":"rba","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful 
response.","content":{"application/json":{"schema":{"type":"object"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}},"/v2/security/rbac/{rba}/kubernetes":{"get":{"tags":["RBAC"],"summary":"Get the Kubernetes ClusterRole associated with the given TSB Role.\nReturns the ClusterRole formatted as a JSON or YAML depending on the Accept header: application/json or application/yaml.\nIf no Accept header is provided, the response will be in YAML format.","operationId":"RBAC_GetRoleK8sMapping","parameters":[{"description":"Rba name.","name":"rba","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"A successful response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/apiHttpBody"}}}},"default":{"description":"An unexpected error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/googlerpcStatus"}}}}}}}},"tags":[{"name":"OAuth"},{"name":"OIDC"},{"name":"SidecarConfigurationService"},{"name":"SidecarInfoService"},{"name":"OnboardingAuthorizationService"},{"name":"OnboardingPlaneDiscoveryService"},{"name":"WorkloadRegistrationService"},{"name":"AgentSessionService"},{"name":"Applications"},{"name":"DashboardService"},{"name":"ProxyDiagnosticService"},{"name":"WasmExtensions"},{"name":"Gateways"},{"name":"IstioInternal"},{"name":"Metrics"},{"name":"Sources"},{"name":"Profiles"},{"name":"Approvals"},{"name":"Permissions"},{"name":"Policy"},{"name":"RBAC"},{"name":"Lookup"},{"name":"Registration"},{"name":"Security"},{"name":"Troubleshooting"},{"name":"Traffic"},{"name":"Clusters"},{"name":"ManageResources"},{"name":"OIDCs"},{"name":"Organizations"},{"name":"Status"},{"name":"Teams"},{"name":"Tenants"},{"name":"Workspaces"}],"components":{"requestBodies":{"Approvals_SetPolicyBody":{"content":{"application/json":{"schema":{"description":"ApprovalPolicy is a set of authorization rules 
that define access to a resource.\nWhen applied to a resource, the rules enforce access to the resource based on the permission set.\n\nExample:\nApprovalPolicy {\n  Mode: ApprovalPolicy_REQUIRE_APPROVAL,\n  Resource: \"organizations/demo/tenants/demo/applications/target-app\",\n  Approved: []Access {{\n    Subject: \"organizations/demo/tenants/demo/applications/calling-app\",\n    Permissions: []string{\"GET\", \"POST\"}\n  }}\n}","type":"object","required":["mode"],"properties":{"approved":{"description":"Approved is a list of subjects that are approved to access the resource.","type":"array","items":{"$ref":"#/components/schemas/v2Access"}},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"metadata":{"$ref":"#/components/schemas/qv2Metadata"},"mode":{"$ref":"#/components/schemas/v2ApprovalPolicyMode"},"requested":{"description":"Requested is a list of subjects that are requested to access the resource but that have not yet been\nexplicitly approved.\nThe access mode of the policy will determine if the subjects in this list are given immediate access to the\nresource.","type":"array","items":{"$ref":"#/components/schemas/v2Access"}}}}}},"required":true},"Profiles_CurrentImpactAnalysis2Body":{"content":{"application/json":{"schema":{"description":"CurrentImpactAnalysisRequest holds the fields needed to request the current impact of a\nprofile or the profiles attached to a resource.\nOnly one of the fields should be set at a time.","type":"object","properties":{"fieldPaths":{"description":"List of field paths to analyze the impact of the profiles on. 
If this field is set,\nthe request will analyze the impact of the profiles only on the specified field paths.","type":"array","items":{"type":"string"}},"resource":{"description":"Resource fqn to analyze its attached profiles impact.","type":"string"}}}}},"required":true},"ProxyDiagnosticService_SetLoggerLevelsBody":{"content":{"application/json":{"schema":{"description":"Request to change effective logger levels of an Istio Proxy.","type":"object","required":["cluster","workload"],"properties":{"allLoggers":{"$ref":"#/components/schemas/SetLoggerLevelsRequestAllLoggers"},"cluster":{"description":"Fully-qualified name of the cluster the workload belongs to.","type":"string"},"givenLoggers":{"$ref":"#/components/schemas/SetLoggerLevelsRequestGivenLoggers"},"workload":{"$ref":"#/components/schemas/tsbdiagnosticv2Workload"}}}}},"required":true},"Profiles_CurrentImpactAnalysisBody":{"content":{"application/json":{"schema":{"description":"CurrentImpactAnalysisRequest holds the fields needed to request the current impact of a\nprofile or the profiles attached to a resource.\nOnly one of the fields should be set at a time.","type":"object","properties":{"fieldPaths":{"description":"List of field paths to analyze the impact of the profiles on. 
If this field is set,\nthe request will analyze the impact of the profiles only on the specified field paths.","type":"array","items":{"type":"string"}},"profile":{"description":"Profile fqn to analyze the impact.","type":"string"}}}}},"required":true},"Profiles_CreateProfileBody":{"content":{"application/json":{"schema":{"description":"Request to create a profile belonging to a given resource.","type":"object","required":["name","profile"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string"},"profile":{"$ref":"#/components/schemas/v2Profile"}}}}},"required":true},"Approvals_AddApprovedAccessBody":{"content":{"application/json":{"schema":{"description":"AccessRequest is a request used for requesting or approving access to a resource.\n\nExample:\nAccessRequest {\n  Resource: \"organizations/demo/tenants/demo/applications/target\",\n  Access: []Access{{\n    Subject: \"organizations/demo/tenants/demo/applications/calling-app\",\n    Permissions: []string{\"GET\", \"POST\"}\n  }}\n}","type":"object","required":["access"],"properties":{"access":{"$ref":"#/components/schemas/v2Access"},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"}}}}},"required":true},"v2AccessPolicy":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/v2AccessPolicy"}}},"description":"A policy defines the set of subjects that can access a resource and under\nwhich conditions that access is granted.","required":true},"Approvals_DeleteApprovedAccessBody":{"content":{"application/json":{"schema":{"description":"ResourceAndSubject is a resource and subject pair used for approval and deletion operations.\n\nExample:\nResourceAndSubject {\n  Resource: \"organizations/demo/tenants/demo/applications/target\",\n  Subject: \"organizations/demo/tenants/demo/applications/caller\"\n}","type":"object","required":["subject"],"properties":{"subject":{"description":"Subject for which the access request is made.","type":"string"}}}}},"required":true},"Approvals_QueryPoliciesBody":{"content":{"application/json":{"schema":{"description":"QueryPoliciesRequest is the request message for QueryPolicies.\n\nExample:\nQueryPoliciesRequest {\n  Parent: \"organizations/demo/tenants/demo\",\n  Types: []string{\"applications\"},\n  IncludeDetails: true,\n  IncludePermissions: true,\n}","type":"object","required":["types"],"properties":{"includeDetails":{"description":"IncludeDetails indicates whether to include the details of the resources that are part of the policy.\nWhen set to true, the name and description of the resource are included in the response.","type":"boolean"},"includePermissions":{"description":"IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy.\nWhen set to true, the user level permissions are included in the response.","type":"boolean"},"types":{"description":"Type is the type of the resources to query for 
policies.","type":"array","items":{"type":"string"}}}}}},"required":true},"Policy_SetPolicy_variant_1Body":{"content":{"application/json":{"schema":{"description":"A policy defines the set of subjects that can access a resource and under\nwhich conditions that access is granted.","type":"object","title":"Policy","properties":{"allow":{"description":"The list of allowed bindings configures the different access profiles that\nare allowed on the resource configured by the policy.","type":"array","items":{"$ref":"#/components/schemas/rbacv2Binding"}},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"}}}}},"required":true},"ProxyDiagnosticService_GetClusterStatsBody":{"content":{"application/json":{"schema":{"description":"Request for the cluster stats of an Istio Proxy.","type":"object","required":["cluster","workload"],"properties":{"cluster":{"description":"Fully-qualified name of the cluster the workload belongs to.","type":"string"},"outputFormat":{"$ref":"#/components/schemas/GetClusterStatsRequestClusterStatsFormat"},"workload":{"$ref":"#/components/schemas/tsbdiagnosticv2Workload"}}}}},"required":true},"ProxyDiagnosticService_GetConfigDumpBody":{"content":{"application/json":{"schema":{"description":"Request for a config dump from a workload (Istio Proxy).","type":"object","required":["cluster","workload"],"properties":{"all":{"$ref":"#/components/schemas/v2GetConfigDumpRequestAll"},"bootstrap":{"$ref":"#/components/schemas/GetConfigDumpRequestBootstrap"},"cluster":{"description":"Fully-qualified name of the cluster the workload belongs 
to.","type":"string"},"clusters":{"$ref":"#/components/schemas/GetConfigDumpRequestClusters"},"ecds":{"$ref":"#/components/schemas/GetConfigDumpRequestEcds"},"endpoints":{"$ref":"#/components/schemas/v2GetConfigDumpRequestEndpoints"},"listeners":{"$ref":"#/components/schemas/GetConfigDumpRequestListeners"},"routes":{"$ref":"#/components/schemas/GetConfigDumpRequestRoutes"},"secrets":{"$ref":"#/components/schemas/v2GetConfigDumpRequestSecrets"},"workload":{"$ref":"#/components/schemas/tsbdiagnosticv2Workload"}}}}},"required":true},"ProxyDiagnosticService_GetLoggerLevelsBody":{"content":{"application/json":{"schema":{"description":"Request for effective logger levels of an Istio Proxy.","type":"object","required":["cluster","workload"],"properties":{"cluster":{"description":"Fully-qualified name of the cluster the workload belongs to.","type":"string"},"workload":{"$ref":"#/components/schemas/tsbdiagnosticv2Workload"}}}}},"required":true},"ProxyDiagnosticService_GetServerStatsBody":{"content":{"application/json":{"schema":{"description":"Request for the server stats of an Istio Proxy.","type":"object","required":["cluster","workload"],"properties":{"cluster":{"description":"Fully-qualified name of the cluster the workload belongs to.","type":"string"},"outputFormat":{"$ref":"#/components/schemas/GetServerStatsRequestServerStatsFormat"},"workload":{"$ref":"#/components/schemas/tsbdiagnosticv2Workload"}}}}},"required":true},"ProxyDiagnosticService_StreamLogsBody":{"content":{"application/json":{"schema":{"description":"Request to stream logs of an Istio Proxy.","type":"object","required":["cluster","workload"],"properties":{"cluster":{"description":"Fully-qualified name of the cluster to execute the diagnostic task in.","type":"string"},"follow":{"description":"Follow the log stream of the pod. 
Defaults to false.","type":"boolean"},"previous":{"description":"Return logs of the previous terminated container instead of the logs of the current container.\nDefaults to false.","type":"boolean"},"sinceSeconds":{"description":"A relative time in seconds before the current time from which to show logs. If this value\nprecedes the time a pod was started, only logs since the pod start will be returned.\nIf this value is in the future, no logs will be returned.","type":"string","format":"int64"},"workload":{"$ref":"#/components/schemas/tsbdiagnosticv2Workload"}}}}},"required":true},"ProxyDiagnosticService_ListWorkloadsBody":{"content":{"application/json":{"schema":{"description":"Request to retrieve the workload names on which the diagnostic tools can be run.\nThe returned workloads belong to the resource specified by the `fqn` field \nand are running in the cluster specified by the `cluster` field.","type":"object","required":["cluster"],"properties":{"cluster":{"description":"Fully-qualified name of the cluster the workload belongs to.","type":"string"},"filter":{"$ref":"#/components/schemas/ListWorkloadsRequestFilter"},"pageSize":{"description":"Optional. The maximum number of Workloads to return.\nThe service may return fewer than this value.\nRely on the `next_page_token` response field to determine if there are more workloads\nto be retrieved.\nIf unspecified, at most 50 Workloads will be returned.\nThe maximum value is 1000; values above 1000 will be coerced to 1000.","type":"integer","format":"int32"},"pageToken":{"description":"Optional. 
A page token, received from a previous `ListWorkloadsRequest` call.\nProvide this to retrieve the subsequent page.\n\nWhen paginating, all other parameters provided to `ListWorkloadsRequest` must\nmatch the call that provided the page token.","type":"string"}}}}},"required":true},"Profiles_ImpactAnalysisBody":{"content":{"application/json":{"schema":{"description":"ImpactAnalysisRequest holds the fields needed to request the impact of a\nprofile modification or profile attachment modification in a resource.\nOnly one of the fields should be set at a time.","type":"object","properties":{"fieldPaths":{"description":"List of field paths to analyze the impact of the profiles on. If this field is set,\nthe request will analyze the impact of the profiles only on the specified field paths.","type":"array","items":{"type":"string"}},"modifyAttachedProfiles":{"description":"Request to analyze the impact of modifying the attached profiles of a resource.","type":"object","title":"Request to analyze the impact of modifying the attached profiles of a resource.","properties":{"profiles":{"description":"A list of profiles attached to the resource that will be analyzed for impact.\nThese profiles are used to propagate default and mandatory configurations to\nchild resources, and any changes to them will be reflected in the impact analysis.","type":"array","items":{"type":"string"}}}},"modifyProfile":{"$ref":"#/components/schemas/v2ModifyProfile"}}}}},"required":true},"Profiles_UpdateProfileBody":{"content":{"application/json":{"schema":{"description":"A Profile is a predefined configuration template that can be defined at the Organizations, Tenants, and Workspaces,\nand then can be attached to Organizations, Tenants, Workspaces and Groups.\nProfiles are intended for traffic-related settings and security policies that map to the resource itself, not for security policies \n(e.g. 
authorization policies) related to relationships between resources.\nThey contain Default configurations, which can be overridden, and Mandates configurations, which can't be.\n\nThe following example creates a Profile named `myprofile` that enforces mutual TLS authenticated connections across the whole `tetrate` \norganization. It also sets the default circuit-breaking sensitivity to `MEDIUM`, and configures a TCP KeepAlive timeout of 300 seconds\nfor all inbound connections to all the proxies within the `tetrate` organization.\n\n```yaml\napiVersion: profile.tsb.tetrate.io/v2\nkind: Profile\nmetadata:\n  name: myprofile\n  organization: tetrate\nspec:\n  displayName: \"mTLS enforcement and default circuit breaking\"\n  mandates:\n    authenticationSettings:\n      trafficMode: \"REQUIRED\"\n  defaults:\n    traffic:\n      inbound:\n        resilience:\n          connectionPool:\n            tcp:\n              keepAlive:\n                idleTime: 300\n      outbound:\n        upstreamTrafficSettings:\n        - hosts:\n          - '*'\n          settings:\n            resilience:\n              circuitBreakerSensitivity: MEDIUM\n```\n\n\n\n","type":"object","title":":::warning Beta feature\nThe Configuration Profiles feature is in beta state for release 1.13. Please contact Tetrate if you have any questions or concerns.\n:::","properties":{"defaults":{"$ref":"#/components/schemas/v2ProfileConfig"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean"},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml"},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml"},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml"},"mandates":{"$ref":"#/components/schemas/v2ProfileConfig"}}}}},"required":true},"Profiles_ImpactAnalysis2Body":{"content":{"application/json":{"schema":{"description":"ImpactAnalysisRequest holds the fields needed to request the impact of a\nprofile modification or profile attachment modification in a resource.\nOnly one of the fields should be set at a time.","type":"object","required":["profile"],"properties":{"fieldPaths":{"description":"List of field paths to analyze the impact of the profiles on. If this field is set,\nthe request will analyze the impact of the profiles only on the specified field paths.","type":"array","items":{"type":"string"}},"modifyAttachedProfiles":{"$ref":"#/components/schemas/v2ModifyAttachedProfiles"},"modifyProfile":{"description":"Request to analyze the impact of modifying an existing profile.","type":"object","title":"Request to analyze the impact of modifying an existing profile.","properties":{"profile":{"$ref":"#/components/schemas/v2Profile"}}}}}}},"required":true}},"schemas":{"AggregatedStatusChildStatus":{"description":"`ChildStatus` contains the status details for a particular child resource,\nand a human-friendly message further describing the status if it is an\nerrored one.","type":"object","properties":{"status":{"$ref":"#/components/schemas/v2ResourceStatusStatus"},"message":{"description":"Contains the human-friendly message describing the status of the child resource.","type":"string","x-order":1}}},"AuthenticationRules":{"type":"object","properties":{"jwt":{"description":"List of rules how to authenticate an HTTP request from a JWT Token attached to it.\nA JWT Token, if present in the HTTP request, must satisfy one of the rules defined here.\nThe order in which rules are being checked at runtime might differ from the order\nin which they are defined here.\nIf the JWT Token 
doesn't satisfy any of the rules, the request will be rejected.\nIf the JWT Token does satisfy one of the rules, the identity of the request\nwill be extracted from the JWT Token.\n\nNotice that an HTTP request without a JWT Token attached to it will NOT be rejected\nbased on the rules defined here. Remember to define HTTP request authorization settings\nto achieve that.","type":"array","items":{"$ref":"#/components/schemas/tsbauthv2AuthenticationJWT"},"x-order":0}}},"BackendRedisSettings":{"type":"object","title":"Configuration for the External Redis Backend Database","required":["uri"],"properties":{"uri":{"description":"The Redis Database URI. The value of the URI decides the scope\nfor ratelimiting across multiple clusters.","type":"string","x-order":0}}},"CertManagerSettingsCertManagerCAInjector":{"description":"CertManagerCAInjector represents the settings used for cert-manager CAInjector installation in the clusters.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"CertManagerSettingsCertManagerSpec":{"description":"CertManagerSpec represents the settings used for cert-manager controller installation in the clusters.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"CertManagerSettingsCertManagerStartupAPICheck":{"description":"CertManagerStartupAPICheck represents the settings used for cert-manager startup API check job installation in the clusters.\nDEPRECATED. 
StartupAPICheck is disabled.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesJobComponentSpec"}}},"CertManagerSettingsCertManagerWebhookSpec":{"description":"CertManagerWebhookSpec represents the settings used for cert-manager Webhook installation in the clusters.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"CertManagerSettingsManaged":{"description":"- AUTO: TSB will check if a pre-existing cert-manager installation is found in the cluster and only\ninstall and manage cert-manager if it is not found.\nThe pre-installed cert-manager should support signing requests raised through Kubernetes CSR\n - EXTERNAL: EXTERNAL represents that TSB will rely on a pre installed cert-manager for use.\nPre installed cert-manager should support signing requests raised through Kubernetes CSR\n - INTERNAL: INTERNAL represents that TSB will install and manage cert-manager in the cluster.\nIn case a pre-existing installation is found, the operator will not install cert-manager and fail.","type":"string","title":"If INTERNAL, TSB will install and manage cert-manager. In case a pre-existing installation is found, the operator will not install cert-manager and fail.\nIf EXTERNAL, TSB would rely on a pre installed cert-manager for use.\nPre installed cert-manager should support signing requests raised through Kubernetes CSR","default":"AUTO","enum":["AUTO","EXTERNAL","INTERNAL"]},"ChangeAction":{"description":"The action to be taken or that was taken on the resource.\n\n - NONE: The resource will not be changed. It is either still used by other active routes,\nor requires force to be removed.\n - UPDATE: The resource will be updated (e.g., hosts removed). 
Action returned during dry-run (apply=false).\nAn update is proposed when the resource serves multiple routes, including the target hostname/path (if specified),\nand can be partially updated (e.g., remove a specific HTTP server from a TSB Gateway,\nor remove specific routes from a VirtualService).\n - DELETE: The resource will be deleted. Action returned during dry-run (apply=false).\nA deletion is proposed when the resource is used exclusively by the target hostname/path (if specified),\nor when the resource is unused.\n - UPDATED: The resource has been updated (e.g. remove hosts). Action returned when apply=true.\n - DELETED: The resource has been deleted. Action returned when apply=true.","type":"string","default":"NONE","enum":["NONE","UPDATE","DELETE","UPDATED","DELETED"]},"ChangeReasonType":{"description":"Reason enumeration explaining why a resource requires change or is displayed.\n\n - ALL_HOSTS_UNUSED: All hostnames on the resource were not found; suggests a deletion.\n - SOME_HOSTS_UNUSED: Some hostnames on the resource are unused; suggests an update.\n - SOME_DESTINATIONS_UNUSED: Some destinations on the resource are unused; suggests an update.\n - HOST_DECOMMISSIONED: The provided hostname has been found in the resource; suggests an update or \ndeletion to decommission it.\n - ALL_NAMESPACE_SELECTORS_INEFFECTIVE: All namespace selectors are ineffective, with no services in those namespaces.\nIt suggests a deletion of the workspace.\n - RESOURCE_USED_BY_OTHER_ROUTES: The resource is still referenced by other routes and is only displayed.\nFor example, DestinationRules when multiple routes reference the same service.\nDecommissioning one route will not remove the resource.\n - RESOURCE_IN_USE_REQUIRES_FORCE: The resource is still in use by the specified hostname/path and requires force to be 
removed.","type":"string","default":"REASON_UNSPECIFIED","enum":["REASON_UNSPECIFIED","ALL_HOSTS_UNUSED","SOME_HOSTS_UNUSED","SOME_DESTINATIONS_UNUSED","HOST_DECOMMISSIONED","ALL_NAMESPACE_SELECTORS_INEFFECTIVE","RESOURCE_USED_BY_OTHER_ROUTES","RESOURCE_IN_USE_REQUIRES_FORCE"]},"CleanupResourcesRequestUsage":{"description":" - ANY: Default value. Returns all resources (both in-use and unused).\nIt requires a hostname to be set.\n - IN_USE: Returns only resources that are currently in use.\nIt requires a hostname to be set.\n - UNUSED: Returns only resources that are currently unused.","type":"string","default":"ANY","enum":["ANY","IN_USE","UNUSED"]},"CleanupResourcesResponseChange":{"description":"Change represents a proposed or applied modification to a resource.","type":"object","properties":{"fqn":{"description":"Fully-qualified name of the resource.","type":"string","x-order":0},"kind":{"description":"The kind of the resource (e.g., VirtualService, DestinationRule, Gateway, Workspace).","type":"string","x-order":1},"action":{"$ref":"#/components/schemas/ChangeAction"},"reason":{"$ref":"#/components/schemas/ChangeReasonType"},"used":{"description":"Indicates whether the resource is still in use by an existing service.","type":"boolean","x-order":4},"istioGateway":{"$ref":"#/components/schemas/CleanupResourcesResponseIstioGatewayDetails"},"unifiedGateway":{"$ref":"#/components/schemas/CleanupResourcesResponseUnifiedGatewayDetails"},"virtualService":{"$ref":"#/components/schemas/CleanupResourcesResponseVirtualServiceDetails"},"destinationRule":{"$ref":"#/components/schemas/CleanupResourcesResponseDestinationRuleDetails"},"workspace":{"$ref":"#/components/schemas/CleanupResourcesResponseWorkspaceDetails"}}},"CleanupResourcesResponseDestinationRuleDetails":{"description":"DestinationRuleDetails provides context for DestinationRule changes.","type":"object","properties":{"host":{"description":"The destination hostname associated with the 
rule.","type":"string","x-order":0}}},"CleanupResourcesResponseIstioGatewayDetails":{"description":"IstioGatewayDetails provides context for Istio Gateway changes.","type":"object","properties":{"hosts":{"description":"Hostnames on the gateway that would or have been removed.","type":"array","items":{"type":"string"},"x-order":0}}},"CleanupResourcesResponseUnifiedGatewayDetails":{"description":"UnifiedGatewayDetails provides context for TSB Unified Gateway changes.","type":"object","properties":{"httpHosts":{"description":"HTTP hostnames that would or have been removed.","type":"array","items":{"type":"string"},"x-order":0},"tcpHosts":{"description":"TCP hostnames that would or have been removed.","type":"array","items":{"type":"string"},"x-order":1},"tlsHosts":{"description":"TLS hostnames that would or have been removed.","type":"array","items":{"type":"string"},"x-order":2},"httpDestinationHosts":{"description":"HTTP route destination hosts that would or have been removed.","type":"array","items":{"type":"string"},"x-order":3},"tcpDestinationHosts":{"description":"TCP route destination hosts that would or have been removed.","type":"array","items":{"type":"string"},"x-order":4},"tlsDestinationHosts":{"description":"TLS route destination hosts that would or have been removed.","type":"array","items":{"type":"string"},"x-order":5}}},"CleanupResourcesResponseVirtualServiceDetails":{"description":"VirtualServiceDetails provides context for VirtualService changes.","type":"object","properties":{"hosts":{"description":"hostnames that would or have been removed.","type":"array","items":{"type":"string"},"x-order":0},"httpDestinationHosts":{"description":"HTTP route destination hosts that would or have been removed.","type":"array","items":{"type":"string"},"x-order":1},"tcpDestinationHosts":{"description":"TCP route destination hosts that would or have been removed.","type":"array","items":{"type":"string"},"x-order":2},"tlsDestinationHosts":{"description":"TLS route 
destination hosts that would or have been removed.","type":"array","items":{"type":"string"},"x-order":3}}},"CleanupResourcesResponseWorkspaceDetails":{"description":"WorkspaceDetails provides context for Workspace changes.","type":"object","properties":{"namespaceSelectors":{"description":"Namespace selectors that are ineffective for this Workspace.","type":"array","items":{"type":"string"},"x-order":0}}},"ClusterInstallTemplate":{"description":"InstallTemplate provides templates ready to be used in the ControlPlane (cluster onboard) installation.","type":"object","properties":{"message":{"type":"string","title":"can provide useful information to the user","x-order":0,"readOnly":true},"helm":{"$ref":"#/components/schemas/v1alpha1Values"}}},"ClusterOnboardingConfigNamespaceConfig":{"description":"Configuration for a namespace.","type":"object","required":["name"],"properties":{"name":{"description":"The name of the namespace.","type":"string","x-order":0},"desiredState":{"$ref":"#/components/schemas/v2NamespaceDesiredState"}}},"ClusterStateIstioRevision":{"description":"IstioRevision represents the Istio revisions in the ControlPlane Cluster.","type":"object","properties":{"revision":{"type":"string","title":"Istio revision found in the cluster","x-order":0},"version":{"description":"Istio version found in the cluster.","type":"string","x-order":1},"distribution":{"$ref":"#/components/schemas/IstioRevisionDistribution"}}},"ComposerPluginPluginConfig":{"description":"Configuration for plugin.","type":"object","properties":{"inline":{"description":"Provide plugin config inline in the `yaml` format.\n\nThe following is an example of a valid config for tetrate's\nresponse-transformer plugin.\n\n```yaml\ninline:\n  headersToAdd:\n  - key: \"example-header\"\n    value: \"example-value\"\n  headersToRemove:\n  - \"example-header-to-remove\"\n  bodyToSet: \"the response is mutated!\"\n```\n\nIf the config fails plugin's schema validation, the\n`tetrate-composer` sidecar 
will reject it.","type":"object","x-order":0},"secret":{"description":"Obtain plugin config from the specified kubernetes secret.\nPlease ensure the secret has a key \"config\" having values in the\n`yaml` format. The secret must be present in the same namespace as\nthe gateway install.\n\nThe following is an example of a secret which contains a valid config\nfor tetrate's response-transformer plugin.\n\n```yaml\napiVersion: v1\ndata:\n  config: YWRkOgogIGpzb246CiAgLSBleGFtcGxl\nkind: Secret\nmetadata:\n  name: response-transformer-config\n  namespace: gw-install-namespace\ntype: Opaque\n```\n\nIn case the secret cannot be loaded (not found, bad format, schema\nvalidation failure or any other issue reading it), the config will be\nrejected by the `tetrate-composer` sidecar.\nNOT IMPLEMENTED.\n$hide_from_docs","type":"string","x-order":1},"configMap":{"description":"Obtain plugin config from the specified kubernetes configMap.\nEnsure the configMap has a key \"config\" having values in the\n`yaml` format. 
The configMap must be present in the same namespace\nas the gateway install.\n\nThe following is an example of a configMap which contains a valid config\nfor tetrate's response-transformer plugin.\n\n```yaml\napiVersion: v1\ndata:\n  config: |\n    headersToAdd:\n    - key: \"example-header\"\n      value: \"example-value\"\n    headersToRemove:\n    - \"example-header-to-remove\"\n    bodyToSet: \"the response is mutated!\"\nkind: ConfigMap\nmetadata:\n  name: response-transformer-config\n  namespace: gw-install-namespace\ntype: Opaque\n```\n\nIn case the configMap cannot be loaded (not found, bad format, schema\nvalidation failure or any other issue reading it), the config will be\nrejected by the `tetrate-composer` sidecar.\nNOT IMPLEMENTED.\n$hide_from_docs","type":"string","x-order":2}}},"ConfigEventsEdgeConfigState":{"type":"object","properties":{"status":{"$ref":"#/components/schemas/ConfigEventsEdgeConfigStatus"},"reason":{"description":"Accompanying reason when status is not `APPLIED`.","type":"string","x-order":1},"reasonDetails":{"$ref":"#/components/schemas/v2EventDetails"}}},"ConfigEventsEdgeConfigStatus":{"description":" - UNKNOWN: `UNKNOWN` indicates an undefined status. Either the edge has not reported\nthe status for the config or it is not available due to some delays or something else.\nThis is a catch-all when we don't know what to do.\n - APPLIED: `APPLIED` indicates that the config has been successfully applied at the edge.\n - ERRORED: `ERRORED` indicates that some error occurred while applying config at an edge. This will be\naccompanied by a message which specifies the reason for the error.\n - IGNORED: `IGNORED` indicates that the config was ignored because of some misconfiguration in config yaml.\nFor instance, applying `DIRECT` mode config within `BRIDGED` mode group.\n - APPLIED_NOT_READY: `APPLIED_NOT_READY` indicates that the config has been applied at the edge,\nbut the configuration is not yet fully operational. 
This is a temporary state\nthat some configurations may go through before transitioning to `APPLIED`.\nFor example, when a gateway configuration is applied at the edge, it may remain\nin `APPLIED_NOT_READY` while the Kubernetes deployment creates the required replicas\nor while the gateway's service becomes ready by obtaining an IP address, such as in the\ncase of a LoadBalancer service type.","type":"string","default":"UNKNOWN","enum":["UNKNOWN","APPLIED","ERRORED","IGNORED","APPLIED_NOT_READY"]},"ConfigEventsEventType":{"description":"Simple `Status` of the current resource. It's a projection of its details\n(events, etc.) that allows to easily know the status of the resource\nwithout requiring to check the details.\n\n - INVALID: INVALID is the zero value and should never be reached.\n - TSB_ACCEPTED: TSB_ACCEPTED happens when the configuration has been validated and\npersisted by TSB. Note that there is no TSB_REJECTED because in case of\nan obvious syntax error, the client requests for the API will fail\ndirectly. The configuration will not be persisted and therefore no\nconfig status will be associated with it.\n - MPC_ACCEPTED: MPC_ACCEPTED happens when MPC receives the configuration from TSB.\nNote that there is no MPC_REJECTED because it's just a pass-through\nto XCP.\n - XCP_ACCEPTED: XCP_ACCEPTED happens when XCP validates the configuration and the XCP\nresource is properly created.\n - XCP_REJECTED: XCP_REJECTED happens when XCP reports that the configuration is not\nvalid.\n - MPC_FAILED: MPC_FAILED happens when MPC fails to process some configuration received\nfrom TSB. 
These failures are prior to sending the translated\nconfigurations to XCP.\n - XCP_UNKNOWN: XCP_UNKNOWN happens when XCP reports that all edges are in UNKNOWN\nstate.\n - XCP_PARTIALLY_APPLIED: XCP_PARTIAL happens when XCP reports that at least one edge is in\nAPPLIED state, and the rest are UNKNOWN.\n - XCP_APPLIED: XCP_APPLIED happens when XCP reports that every edge is in APPLIED\nstate.\n - XCP_ERRORED: XCP_ERRORED happens when XCP reports that any edge is in ERRORED state.\n - XCP_IGNORED: XCP_IGNORED happens when XCP reports that the config is IGNORED by all the edges.\nOne of the cases where configs are ignored is when a BRIDGED mode config object\nlike IngressGateway is part of a gateway group configured for the DIRECT mode\nand vice versa. More generally, this happens when there is a mismatch between\nthe mode where a config is valid and the mode configured for the group.\n - MPC_DIRTY: MPC_DIRTY happens when a resource that is dependent on others\nhave not reached the desired status (even when they are not FAILED).\nFor instance, when a resource configuration affected by a STRICTER propagation\nstrategy gets superseded (fully or partially) by a stricter resource configuration higher up\nin the hierarchy. Concretely, if a security group's security settings (which\nis in ACCEPTED configuration state) is affected\nby a STRICTER propagation strategy, and for instance an organization's\ndefault security settings (a resource higher up in the hierarchy)\nhas been updated to restrict more the previously set authorization policy, then\nthe previously ACCEPTED security group's security settings (a resource lower in\nthe hierarchy) will become DIRTY if it is not stricter.\n - XCP_APPLIED_NOT_READY: XCP_APPLIED_NOT_READY indicates that XCP has applied the configuration at the edge,\nbut the configuration is not yet fully operational. 
This is a temporary state\nthat some configurations may go through before transitioning to XCP_APPLIED.\nFor example, when a gateway configuration is applied at the edge, it may remain\nin XCP_APPLIED_NOT_READY while the Kubernetes deployment creates the required replicas\nor while the gateway's service becomes ready by obtaining an IP address, such as in the\ncase of a LoadBalancer service type.\n - MPC_COMPOSED: MPC_COMPOSED happens when a resource is composed from config profiles and\nconfig settings (like tenant settings, workspace settings, etc.).\n - IAM_ACCEPTED: IAM_ACCEPTED indicates IAM accepted those TSB resources it manages like OIDC configurations.\n - IAM_APPLIED: IAM_APPLIED indicates IAM successfully applied those TSB resources it manages like OIDC configurations,\nmeaning they are ready to be used.","type":"string","default":"INVALID","enum":["INVALID","TSB_ACCEPTED","MPC_ACCEPTED","XCP_ACCEPTED","XCP_REJECTED","MPC_FAILED","XCP_UNKNOWN","XCP_PARTIALLY_APPLIED","XCP_APPLIED","XCP_ERRORED","XCP_IGNORED","MPC_DIRTY","XCP_APPLIED_NOT_READY","MPC_COMPOSED","IAM_ACCEPTED","IAM_APPLIED"]},"DynamicParameterConstraintsConstraintList":{"type":"object","properties":{"constraints":{"type":"array","items":{"$ref":"#/components/schemas/v3DynamicParameterConstraints"},"x-order":0}}},"DynamicParameterConstraintsSingleConstraint":{"description":"A single constraint for a given key.","type":"object","properties":{"key":{"description":"The key to match against.","type":"string","x-order":0},"value":{"description":"Matches this exact value.","type":"string","x-order":1},"exists":{"$ref":"#/components/schemas/SingleConstraintExists"}}},"EgressAuthorizationSettingsHostDetails":{"description":"List of external hosts details.","type":"object","required":["host"],"properties":{"host":{"$ref":"#/components/schemas/tsbgatewayv2StringMatch"},"paths":{"description":"The request paths allowed for access, e.g., [\"/accounts\", \"/info*\", \"/user/profile/*\"].\nExact and 
prefix-based regular matches are supported.\nIf not set, any path is allowed.","type":"array","items":{"type":"string"},"x-order":1},"methods":{"description":"The HTTP methods allowed by this rule, e.g., [\"GET\", \"HEAD\"].\nIf not set, any method is allowed.","type":"array","items":{"type":"string"},"x-order":2}}},"FilterSettingsAWSZoneType":{"description":"AWS Route53 Zone type filters.\n\n - NONE: No filter.\n - PUBLIC: Filter public zones.\n - PRIVATE: Filter private zones.","type":"string","default":"NONE","enum":["NONE","PUBLIC","PRIVATE"]},"GatewaySelectorAppLabelSelector":{"description":"AppLabelSelector specifies the app label and namespace of the Gateway to be shared. This is used to\nselect Gateways with a specific app label and namespace within the same Workspace or Gateway Group\nas the SharedGatewayReferenceGrant.","type":"object","required":["appLabel","namespace"],"properties":{"appLabel":{"description":"The app label and namespace of the Gateway to be shared.","type":"string","x-order":0},"namespace":{"description":"The namespace of the Gateway to be shared.","type":"string","x-order":1}}},"GatewaySelectorNameSelector":{"description":"NameSelector specifies the name of the Gateway to be shared in the same Workspace or Gateway Group\nas the SharedGatewayReferenceGrant.","type":"object","required":["name"],"properties":{"name":{"description":"The name of the Gateway to be shared. 
This is the name of the Gateway resource in the same Workspace or\nGateway Group as the SharedGatewayReferenceGrant.","type":"string","x-order":0}}},"GetClusterStatsRequestClusterStatsFormat":{"description":"Format of the cluster stats of an Istio Proxy.\n\n - JSON: JSON format.\n - TEXT: Text format.","type":"string","default":"JSON","enum":["JSON","TEXT"]},"GetConfigDumpRequestBootstrap":{"description":"Dump bootstrap configuration.","type":"object"},"GetConfigDumpRequestClusters":{"description":"Dump cluster configuration.","type":"object"},"GetConfigDumpRequestEcds":{"description":"Dump typed extension configuration.","type":"object"},"GetConfigDumpRequestListeners":{"description":"Dump listener configuration.","type":"object"},"GetConfigDumpRequestRoutes":{"description":"Dump route configuration.","type":"object"},"GetServerStatsRequestServerStatsFormat":{"description":"Format of the server stats of an Istio Proxy.\n\n - JSON: JSON format.\n - TEXT: Text format.\n - PROMETHEUS: Prometheus format.","type":"string","default":"JSON","enum":["JSON","TEXT","PROMETHEUS"]},"GitOpsPushMode":{"description":"Push mode for GitOps component. 
Default: SYNC.\n\n - SYNC: In SYNC mode TSB K8s resources are validated and pushed to Management Plane synchronously,\nblocking on resource creation until the resource is created successfully in the Management Plane.\nThis is the default mode.\n - ASYNC: In ASYNC mode TSB K8s resources are pushed to Management Plane asynchronously, without blocking on resource creation.\nTo know if the resource was created successfully, check its K8s status.","type":"string","default":"SYNC","enum":["SYNC","ASYNC"]},"HTTPDirectResponseHTTPBody":{"description":"Specifies the content of the response body.","type":"object","properties":{"string":{"type":"string","title":"response body as a string","x-order":0},"bytes":{"description":"response body as base64 encoded bytes.","type":"string","format":"byte","x-order":1}}},"HTTPFaultInjectionAbort":{"description":"Abort specification is used to prematurely abort a request with a\npre-specified error code.\nThe _httpStatus_ field is used to indicate the HTTP status code to\nreturn to the caller. The optional _percentage_ field can be used to only\nabort a certain percentage of requests. If not specified, no request will be\naborted.","type":"object","properties":{"percentage":{"description":"Percentage of requests to be aborted with the error code provided.\nIf not specified, no request will be aborted.","type":"number","format":"double","x-order":0},"httpStatus":{"description":"HTTP status code to use to abort the HTTP request.","type":"integer","format":"int32","x-order":1},"grpcStatus":{"type":"string","title":"GRPC status code to use to abort the request. 
The supported\ncodes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md","x-order":2}}},"HTTPFaultInjectionDelay":{"description":"Delay specification is used to inject latency into the request\nforwarding path.\n\nThe _fixedDelay_ field is used to indicate the amount of delay in seconds.\nThe optional _percentage_ field can be used to only delay a certain\npercentage of requests. If left unspecified, no request will be delayed.","type":"object","properties":{"percentage":{"description":"Percentage of requests on which the delay will be injected.\nIf left unspecified, no request will be delayed.","type":"number","format":"double","x-order":0},"fixedDelay":{"description":"Add a fixed delay before forwarding the request. Format:\n1h/1m/1s/1ms. MUST be >=1ms.","type":"string","x-order":1}}},"HeadersHeaderOperations":{"description":"HeaderOperations Describes the header manipulations to apply.","type":"object","properties":{"set":{"description":"Overwrite the headers specified by key with the given values.","type":"object","additionalProperties":{"type":"string"},"x-order":0},"add":{"description":"Append the given values to the headers specified by keys (will create a comma-separated list\nof values).","type":"object","additionalProperties":{"type":"string"},"x-order":1},"remove":{"description":"Remove the specified headers.","type":"array","items":{"type":"string"},"x-order":2}}},"HostManagementRepository":{"description":"Configure `Tetrate Host Management Repository` component.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"ImpactImpactType":{"description":"Enum representing the different types of impact a profile can have on a field.\n\n - UNKNOWN: The impact type is unknown or unspecified.\n - EFFECTIVE: The profile is effective on the field, meaning the profile directly sets\nthe field's value.\n - OVERRIDE: The field's value is overridden by another profile or 
configuration, but was\npreviously set by the profile being analyzed.","type":"string","default":"UNKNOWN","enum":["UNKNOWN","EFFECTIVE","OVERRIDE"]},"ImpactSourceType":{"description":"The type of the impact source.\n\n - INVALID: The impact source is unknown or unspecified.\n - DEFAULT: The impact source is a profile default.\n - MANDATE: The impact source is a profile mandate.\n - SETTINGS: The impact source is configuration setting.","type":"string","default":"INVALID","enum":["INVALID","DEFAULT","MANDATE","SETTINGS"]},"IngressScopesIngressScope":{"description":"An ingress defines the telemetry source wingspan in the mesh of ingress's hostname.","type":"object","properties":{"type":{"$ref":"#/components/schemas/IngressScopesIngressScopeScopeType"},"scope":{"$ref":"#/components/schemas/IngressScopesIngressScopeScope"},"deployment":{"description":"The FQN of the service deployment in a concrete cluster related with this telemetry source scope.\nWill have a value for scope types HOSTNAME.","type":"string","x-order":2}}},"IngressScopesIngressScopeScope":{"description":"Each of the scope properties can have the following values:\n- A non empty value.\n- An empty value or absence of the property act as a wildcard, meaning any possible value.","type":"object","properties":{"hostname":{"type":"string","title":"hostname is always a concrete value","x-order":0},"ingressService":{"type":"string","title":"ingress_service is always a concrete value","x-order":1},"cluster":{"description":"cluster can be a concrete value or an empty value meaning any cluster.","type":"string","x-order":2}}},"IngressScopesIngressScopeScopeType":{"description":"ScopeType denotes the wingspan of a telemetry source for an ingress's hostname.\n\n - HOSTNAME: A hostname telemetry source that belongs to a specific ingress instance in a cluster.\n - GLOBAL: A global telemetry source of a hostname from an ingress across 
clusters.","type":"string","default":"INVALID","enum":["INVALID","HOSTNAME","GLOBAL"]},"IstioAmbient":{"type":"object","title":"Ambient-related configuration","properties":{"enable":{"type":"boolean","title":"Enable or disable Ambient mode","x-order":0},"waypoints":{"$ref":"#/components/schemas/v1alpha1WaypointsConfig"}}},"IstioRevisionDistribution":{"description":"- UNKNOWN: Unknown Istio distribution\n - TSB: TSB istio distribution\n - TID: TID istio distribution","type":"string","title":"Type of distribution for the Istio version","default":"UNKNOWN","enum":["UNKNOWN","TSB","TID"]},"IstioStatusIstioInjection":{"description":"Istio injection status for the namespace.\n\n - ISTIO_INJECTION_UNDEFINED: The TSB CP is not able to determine the Istio injection status of the namespace.\n - ISTIO_INJECTION_ENABLED: The namespace is configured with Istio injection.\n - ISTIO_INJECTION_DISABLED: The namespace is not configured with Istio injection.","type":"string","default":"ISTIO_INJECTION_UNDEFINED","enum":["ISTIO_INJECTION_UNDEFINED","ISTIO_INJECTION_ENABLED","ISTIO_INJECTION_DISABLED"]},"JWKSJWK":{"type":"object","title":"JSON Web Key. 
Refer to https://datatracker.ietf.org/doc/html/rfc7517","properties":{"alg":{"description":"The specific cryptographic algorithm used with the key.","type":"string","x-order":0},"kty":{"description":"The family of cryptographic algorithms used with the key.","type":"string","x-order":1},"use":{"description":"How the key was meant to be used; `sig` represents the signature.","type":"string","x-order":2},"n":{"description":"The modulus for the RSA public key.","type":"string","x-order":3},"e":{"description":"The exponent for the RSA public key.","type":"string","x-order":4},"kid":{"description":"The unique identifier for the key.","type":"string","x-order":5}}},"JWTClaimToHeader":{"description":"This message specifies the detail for copying claim to header.","type":"object","required":["header","claim"],"properties":{"header":{"description":"The name of the header to be created. The header will be overridden if it already exists in the request.","type":"string","x-order":0},"claim":{"description":"The name of the claim to be copied from. 
Only claim of type string/int/bool is supported.\nThe header will not be there if the claim does not exist or the type of the claim is not supported.","type":"string","x-order":1}}},"JWTJWTHeader":{"description":"This message specifies a header location to extract JWT token.","type":"object","required":["name"],"properties":{"name":{"description":"The HTTP header name.","type":"string","x-order":0},"prefix":{"description":"The prefix that should be stripped before decoding the token.\nFor example, for `Authorization: Bearer <token>`, prefix=`Bearer ` with a space at the end.\nIf the header doesn't have this exact prefix, it is considered invalid.","type":"string","x-order":1}}},"K8sObjectOverlayPathValue":{"type":"object","properties":{"path":{"description":"Path of the form a.[key1:value1].b.[:value2]\nWhere [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value\nselector to identify a list element in a leaf list.\nAll path intermediate nodes must exist.","type":"string","x-order":0},"value":{"description":"Value to add, delete or replace.\nFor add, the path should be a new leaf.\nFor delete, value should be unset.\nFor replace, path should reference an existing node.\nAll values are strings but are converted into appropriate type based on schema.","x-order":1}}},"KeyPairEncoding":{"type":"string","title":"Format in which the keys in this keypair are encoded","default":"PEM","enum":["PEM","JWK"]},"KongPlugins":{"description":"Plugin definition.\n\nOnly plugins mutating request and response are supported currently.\nAdvanced plugins may not work. Please contact Tetrate to check if a plugin\nis supported.","type":"object","required":["name"],"properties":{"name":{"description":"Plugin name.\n\nThis can be one of the [Kong open source\nplugins](https://github.com/Kong/kong/tree/master/kong/plugins) or a\ncustom plugin.\n\nKong open source plugins are bundled with TSB and can run in the same\nfashion as Kong. 
However providing `pluginSource` is required if this is\na custom plugin.","type":"string","x-order":0},"priority":{"description":"Priority to be given to this plugin (Optional).\n\nPriority is a concept of kong which decides the order of execution of\nplugins. Most of the bundled plugins come with a priority defined as per\n[kong's plugin execution\norder](https://docs.konghq.com/konnect/reference/plugins/#plugin-execution-order)\n\nTSB allows you to run both bundled and custom plugins in a different\norder by reassigning priorities.","type":"integer","format":"int64","x-order":1},"config":{"$ref":"#/components/schemas/KongPluginsPluginConfig"},"pluginSource":{"$ref":"#/components/schemas/PluginsPluginSource"}}},"KongPluginsPluginConfig":{"description":"Configuration for Kong plugin.","type":"object","properties":{"inline":{"description":"Provide plugin config inline in the `yaml` format.\n\nThe following is an example of a valid config for Kong's\nresponse-transformer plugin.\n\n```yaml\ninline:\n  add:\n    json:\n    - example\n```\n\nIf the config fails plugin's schema validation, the\n`tetrate-kong-extender` sidecar will reject it.","type":"object","x-order":0},"secret":{"description":"Obtain plugin config from the specified kubernetes secret.\nPlease ensure the secret has a key \"config\" having values in the\n`yaml` format. 
The secret must be present in the same namespace as\nthe gateway install.\n\nThe following is an example of a secret which contains a valid config\nfor Kong's response-transformer plugin.\n\n```yaml\napiVersion: v1\ndata:\n  config: YWRkOgogIGpzb246CiAgLSBleGFtcGxl\nkind: Secret\nmetadata:\n  name: response-transformer-config\n  namespace: gw-install-namespace\ntype: Opaque\n```\n\nIn case the secret cannot be loaded (not found, bad format, schema\nvalidation failure or any other issue reading it), the config will be\nrejected by the `tetrate-kong-extender` sidecar.\n\nNOT IMPLEMENTED.\n$hide_from_docs","type":"string","x-order":1}}},"ListSharedGatewaysResponseSharedGateway":{"description":"Represents a shared gateway that has a reference grant.","type":"object","required":["FQN"],"properties":{"FQN":{"description":"The fully-qualified name of an installed gateway that is shared.","type":"string","x-order":0},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"}}},"ListSourcesRequestTimeRange":{"description":"TimeRange is a closed time range. 
If since or until are not provided they will not be used to filter.","type":"object","properties":{"since":{"description":"Moment in time since we retrieve Telemetry Sources.","type":"string","format":"date-time","x-order":0},"until":{"description":"Moment in time until we retrieve Telemetry Sources.","type":"string","format":"date-time","x-order":1}}},"ListWorkloadsRequestFilter":{"description":"Workloads filter.","type":"object","properties":{"namespace":{"description":"Namespace name.","type":"string","x-order":0},"serviceName":{"description":"Name of a Service.","type":"string","x-order":1}}},"LocalRateLimitSettingsTokenBucket":{"description":"Rate limiting token bucket.","type":"object","required":["maxTokens","fillInterval"],"properties":{"maxTokens":{"description":"The maximum tokens that the bucket can hold.\nThis is also the number of tokens that the bucket initially contains.","type":"integer","format":"int64","x-order":0},"tokensPerFill":{"description":"The number of tokens added to the bucket during each fill interval.\nIf not specified, defaults to a single token.","type":"integer","format":"int64","x-order":1},"fillInterval":{"description":"The fill interval that tokens are added to the bucket.","type":"string","x-order":2}}},"MeshExpansionSettingsHostManagement":{"description":"EXPERIMENTAL: Settings for the `Tetrate Host Management` component.","type":"object","required":["endpoint"],"properties":{"enabled":{"description":"To install the component,  set the value to `true`.\n\nDefaults to `false`.","type":"boolean","x-order":0},"endpoint":{"$ref":"#/components/schemas/MeshExpansionSettingsHostManagementEndpoint"},"plane":{"$ref":"#/components/schemas/MeshExpansionSettingsHostManagementPlane"},"repository":{"$ref":"#/components/schemas/HostManagementRepository"},"agent":{"$ref":"#/components/schemas/MeshExpansionSettingsHostManagementAgent"}}},"MeshExpansionSettingsHostManagementAgent":{"description":"Settings for the `Tetrate Host Management 
Agent`.","type":"object","properties":{"version":{"description":"Version of the `Tetrate Host Management Agent` to use.\n\nDefaults to the version of the `Tetrate Host Management Agent` included into a given TSB release.","type":"string","x-order":0}}},"MeshExpansionSettingsHostManagementEndpoint":{"description":"Configuration of the endpoint exposing `Host Management API` to\n`Host Management Agents`.","type":"object","required":["hosts","secretName"],"properties":{"hosts":{"description":"List of hosts included in the TLS certificate.","type":"array","items":{"type":"string"},"x-order":0},"secretName":{"description":"Name of the secret that holds TLS certificate chain and private key.\n\nThe secret can be either a TLS secret or a generic one.\nKeys `tls.crt` and `tls.key` are mandatory.\nAdditionally, the secret may also have a `ca.crt` key to provide\nthe certificate of a custom CA that issued given TLS cert.","type":"string","x-order":1},"hasNoDnsRecord":{"description":"To configure `Agents` to connect to the `Host Management Endpoint`\nusing an address of the k8s Service rather than host name, set the value to `true`.\n\nDefaults to `false`.","type":"boolean","x-order":2}}},"MeshExpansionSettingsHostManagementPlane":{"description":"Configure `Tetrate Host Management Plane` component.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevels":{"description":"The log level configuration by scopes.\n\nSupported log levels: \"none\", \"error\", \"info\", \"debug\".","type":"object","additionalProperties":{"type":"string"},"x-order":1}}},"MeshExpansionSettingsOnboardingPlaneEndpoint":{"description":"Configuration of the endpoint exposing `Workload Onboarding API` to\n`Workload Onboarding Agents`.","type":"object","required":["hosts","secretName"],"properties":{"hosts":{"description":"List of hosts included in the TLS 
certificate.","type":"array","items":{"type":"string"},"x-order":0},"secretName":{"description":"Name of the secret that holds TLS certificate chain and private key.","type":"string","x-order":1}}},"MeshExpansionSettingsOnboardingPlaneTokenIssuer":{"description":"Configuration of the built-in `Workload Onboarding Token Issuer`.","type":"object","properties":{"jwt":{"$ref":"#/components/schemas/MeshExpansionSettingsOnboardingPlaneTokenIssuerJwtTokenIssuer"}}},"MeshExpansionSettingsOnboardingPlaneTokenIssuerJwtTokenIssuer":{"description":"Configuration of the built-in JWT Token Issuer.","type":"object","properties":{"expiration":{"description":"Expiration is the duration issued tokens are valid for.\nDefaults to `1h`.","type":"string","x-order":0}}},"MeshExpansionSettingsServiceObservability":{"description":"EXPERIMENTAL: Settings for the `Tetrate Service Observability` component.","type":"object","properties":{"enabled":{"description":"To install the component,  set the value to `true`.\n\nDefaults to `false`.","type":"boolean","x-order":0},"agent":{"$ref":"#/components/schemas/MeshExpansionSettingsServiceObservabilityAgent"},"serviceDiscovery":{"$ref":"#/components/schemas/ServiceObservabilityServiceDiscovery"},"domains":{"description":"List of domains to consider when discovering services.\nServices outside of domains specified here will NOT be added to the registry of services known to TSB\nand will NOT appear on TSB UI.\n\nEmpty list means that discovered services may belong to any domain.\n\nDefaults to an empty list.","type":"array","items":{"type":"string"},"x-order":3}}},"MeshExpansionSettingsServiceObservabilityAgent":{"description":"Settings for the `SPM Agent`.","type":"object","properties":{"version":{"description":"Version of the `SPM Agent` to use.\n\nDefaults to the version of the `SPM Agent` included into a given TSB release.","type":"string","x-order":0}}},"MetadataDetails":{"description":"Details is additional information about a 
resource.","type":"object","properties":{"name":{"description":"Name is the resource's name.","type":"string","x-order":0},"description":{"description":"Description is the resource's description.","type":"string","x-order":1}}},"OIDCSettingsDynamicSettings":{"description":"Dynamically configures OIDC client settings using values from the OIDC provider's well-known OIDC configuration\nendpoint.","type":"object","required":["configurationUri"],"properties":{"configurationUri":{"description":"OIDC provider's well-known OIDC configuration URI. When set, TSB will automatically configure the\nOIDC client settings for the Authorization Endpoint, Token Endpoint and JWKS URI from the OIDC Provider's\nconfiguration URI.","type":"string","x-order":0}}},"OIDCSettingsOfflineAccessOverrides":{"description":"OIDC settings that can be used to override top-level settings for offline access.","type":"object","properties":{"clientId":{"description":"The client ID from the OIDC provider's application configuration settings.","type":"string","x-order":0},"scopes":{"description":"Scopes passed to the OIDC provider in the Device Code request.\nRequired scope 'openid' is included by default; any additional scopes will be appended in the Device Code\nAuthorization request. Additional scopes such as 'profile' or 'email' are generally required if user records in\nTSB cannot be identified with the ID Token 'sub' claim alone.","type":"array","items":{"type":"string"},"x-order":1},"skipClientIdCheck":{"description":"Instructs JWT validation to ignore the 'aud' claim. When set to true, comparisons between the 'aud' claim in the\nJWT token and the 'client_id' in the OIDC provider's configuration will be skipped.","type":"boolean","x-order":2},"providerConfig":{"$ref":"#/components/schemas/v1alpha1OIDCSettingsProviderSettings"}}},"OIDCSettingsOfflineAccessSettings":{"description":"Optional OIDC settings specific to offline access. 
When specified these settings take precedence over\ntop-level OIDC settings.","type":"object","properties":{"deviceCodeAuth":{"$ref":"#/components/schemas/OIDCSettingsOfflineAccessOverrides"},"tokenExchange":{"$ref":"#/components/schemas/OIDCSettingsOfflineAccessOverrides"}}},"OIDCSettingsStaticSettings":{"description":"Allows to statically configure OIDC client settings if the OIDC provider doesn't have a configuration endpoint.","type":"object","required":["authorizationEndpoint","tokenEndpoint"],"properties":{"authorizationEndpoint":{"description":"The Authorization Endpoint for the OIDC provider.","type":"string","x-order":0},"tokenEndpoint":{"description":"The Token Endpoint for the OIDC provider.","type":"string","x-order":1},"jwksUri":{"description":"URI for the OIDC provider's JSON Web Key Sets. This can be found in the OIDC provider's configuration response.\nThe JWKS are used for token verification.","type":"string","x-order":2},"jwks":{"description":"JSON string with the OIDC provider's JSON Web Key Sets. In general the URI for the Key Set is the preferred\nmethod for configuring JWKS. 
This setting is provided in case the provider doesn't publish JWKS via a\npublic URI.","type":"string","x-order":3},"deviceCodeEndpoint":{"description":"The Device Code endpoint for the OIDC provider.\nThis is optional but required when using the Device Code authentication flow.","type":"string","x-order":4},"introspectionEndpoint":{"description":"The Introspection endpoint for the OIDC provider.\nThis is optional and used as an authentication source for the Token Exchange flow.","type":"string","x-order":5}}},"OnboardingPlaneLocalRepository":{"description":"Configuration of the local repository with `DEB` and `RPM` packages\nof the `Workload Onboarding Agent` and `Istio Sidecar`.","type":"object"},"OpenAPIValidation":{"description":"Validation options for the OpenAPI document.","type":"object","properties":{"enabled":{"description":"If set to true, the OpenAPI document is enabled for validation.\nDefaults to false.","type":"boolean","x-order":0},"pathPrefix":{"description":"Prefix to add to the paths in the OpenAPI doc before matching against incoming requests.","type":"string","x-order":1}}},"OrganizationSettingNetworkSettings":{"description":"Network related settings for clusters.","type":"object","properties":{"networkReachability":{"description":"Reachability between clusters on various networks. Each cluster\nhas a \"network\" field representing a network boundary like a VPC\non AWS/GCP/Azure. All clusters within the same network are\nassumed to be reachable to each other for multi-cluster routing.\nIn addition, you can specify additional connectivity between\nvarious networks in the mesh here. For example on AWS, each VPC\ncan be treated as a distinct network. VPCs that are reachable to\none another (through peering or transit gateways) can be listed\nas reachable networks. The key is the network name and the value\nis a comma separated list of networks whose clusters are\nreachable from this network. 
For instance, vpc01: vpc02,vpc03 means\nthat the clusters in the network can reach those in vpc02 and vpc03.\n\nNote that reachability is **not** bidirectional. That is, if `vpc01: vpc02`\nis specified, then `vpc01` can reach `vpc02`, but not the other way around.\nHence, the workloads in clusters in `vpc01` can access the services\nthrough the exposed gateway hostnames in clusters in `vpc02`. However,\nthe workloads in clusters in `vpc02` cannot access the services exposed\nthrough the gateway hostnames in `vpc01`.","type":"object","additionalProperties":{"type":"string"},"x-order":0}}},"PluginsPluginSource":{"description":"Reference to custom plugin files.","type":"object","required":["configMap"],"properties":{"configMap":{"description":"Kubernetes ConfigMap containing the plugin files.\nThe configMap must be present in the same namespace as the gateway install.\n\nTo create this configmap in the gateway install namespace, run:\n\n```bash\nkubectl create configmap my-plugin --from-file=./my-plugin-dir -n {gw-install-namespace}\n```\n\nand use the name `my-plugin` here.\n\nIn case the configMap cannot be loaded (not found, bad format or any\nother issue reading it), the custom plugin will not be initialised and\nthe config will be rejected by the `tetrate-kong-extender` sidecar.","type":"string","x-order":0}}},"QueryResourcePermissionsResponseResult":{"type":"object","title":"Represents a result for the requested query","required":["request"],"properties":{"request":{"$ref":"#/components/schemas/v2Query"},"rules":{"description":"set of allowed RBAC rules that the current principal has on the matching resource.\nIf the query produced no results, the rules set will be empty.","type":"array","items":{"$ref":"#/components/schemas/v2RoleRule"},"x-order":1}}},"RateLimitServerBackend":{"description":"External Backend Database types. 
This points to the backend\nused by the ratelimit server as a key/value store.","type":"object","properties":{"redis":{"$ref":"#/components/schemas/BackendRedisSettings"}}},"RelationScopeServiceRelation":{"description":"A relation between logical services.","type":"object","properties":{"source":{"description":"The source resource's fqn of the relation between two logical services.","type":"string","x-order":0},"target":{"description":"The target resource's fqn of the relation between two logical services.","type":"string","x-order":1}}},"RelationScopesRelationScope":{"type":"object","properties":{"type":{"$ref":"#/components/schemas/RelationScopesRelationScopeScopeType"},"scope":{"$ref":"#/components/schemas/RelationScopesRelationScopeScope"}}},"RelationScopesRelationScopeScope":{"type":"object","properties":{"serviceRelation":{"$ref":"#/components/schemas/RelationScopeServiceRelation"}}},"RelationScopesRelationScopeScopeType":{"description":"ScopeType denotes the wingspan of a telemetry source for relation between resources.\n\n - SERVICE: A service telemetry source that belongs to a specific relation between logical services.","type":"string","default":"INVALID","enum":["INVALID","SERVICE"]},"ResourceStatusConfigResourceStatus":{"description":"Individual status for a configuration resource related to the Application/API.","type":"object","properties":{"status":{"$ref":"#/components/schemas/applicationv2Status"},"resource":{"$ref":"#/components/schemas/v2ConfigResource"}}},"RoleResourceType":{"description":"The type of API resource for which the role is being created.","type":"object","required":["apiGroup"],"properties":{"apiGroup":{"description":"A specific API group such as traffic.tsb.tetrate.io/v2.","type":"string","x-order":0},"kinds":{"description":"Specific kinds of APIs under the API group. 
If omitted, the\nrole will apply to all kinds under the group.","type":"array","items":{"type":"string"},"x-order":1},"scopedAt":{"description":"The list of parent types where the defined kinds will be scoped under.\nIf omitted, no scope limitation is applied.","type":"array","items":{"$ref":"#/components/schemas/v2RoleScopeType"},"x-order":2}}},"Route53SettingsFilterSettings":{"description":"Filter settings for route53 controller.","type":"object","properties":{"annotationFilter":{"description":"Filter out (remove) targets that match the annotation using label selector semantics. Optional.\n*NOTE*: The annotation value currently cannot be longer than 63 characters.","type":"string","x-order":0},"labelFilter":{"description":"Filter out (remove) targets that match the label selector. Optional.","type":"string","x-order":1},"excludeDomain":{"description":"Exclude subdomains. Optional.","type":"array","items":{"type":"string"},"x-order":2},"zoneType":{"$ref":"#/components/schemas/FilterSettingsAWSZoneType"},"zoneTagFilter":{"description":"When using the AWS provider, filter for zones with this tag. Optional, format: key=value.","type":"array","items":{"type":"string"},"x-order":4},"zoneIdFilter":{"description":"When using the AWS provider, filter for zones with this ID. 
Optional.","type":"array","items":{"type":"string"},"x-order":5}}},"Route53SettingsPolicy":{"description":"Policy that defines how DNS records are managed.\n\n - SYNC: Allow full synchronization.\n - UPSERT_ONLY: Don't allow delete DNS records.\n - CREATE_ONLY: Allow only creating DNS records.","type":"string","default":"SYNC","enum":["SYNC","UPSERT_ONLY","CREATE_ONLY"]},"RuleTo":{"description":"To includes the target resource (and the workloads that belong to the resource)\nwhich will be destination of a request.","type":"object","properties":{"fqn":{"description":"The target resource identified by FQN which will be the destination of a request.","type":"string","x-order":0}}},"SPMAgentPrioritySetting":{"description":"The deployment priority setting for the agent.","type":"object","properties":{"enabled":{"description":"The agent deploy priority is enabled or not.\nBy default, the value is false.","type":"boolean","x-order":0},"value":{"description":"The agent deploy priority value.\nThe value is following the configuration rule in https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass.\nBy default, the value is 1000000 (for high priority).","type":"integer","format":"int32","x-order":1}}},"SecretsClusterServiceAccount":{"description":"Cluster service account used to authenticate to the Management Plane.","type":"object","properties":{"clusterFQN":{"description":"TSB FQN of the onboarded cluster resource. 
This will be used to generate tokens for all Control Plane agents.","type":"string","x-order":0},"JWK":{"description":"Literal JWK used to generate and sign the tokens for all the Control Plane agents.","type":"string","x-order":1},"encodedJWK":{"description":"Base64-encoded JWK used to generate and sign the tokens for all the Control Plane agents.","type":"string","x-order":2}}},"SecretsElasticSearch":{"description":"Secrets to reach Elasticsearch.","type":"object","properties":{"username":{"description":"The username to access Elasticsearch.","type":"string","x-order":0},"password":{"description":"The password to access Elasticsearch.","type":"string","x-order":1},"cacert":{"description":"Elasticsearch CA cert TLS used by control plane to verify TLS connection.","type":"string","x-order":2}}},"SecretsTSB":{"description":"Secrets to reach the TSB Management Plane.","type":"object","properties":{"cacert":{"description":"CA certificate used to verify TLS certs exposed by the Management Plane (front envoy).","type":"string","x-order":0}}},"ServerTLSSettingsFileSource":{"description":"File path configuration of TLS keys and certificates.","type":"object","properties":{"serverCertificate":{"type":"string","title":"The path to the server cert file","x-order":0},"privateKey":{"type":"string","title":"The path to the server private key file","x-order":1},"caCertificates":{"type":"string","title":"The path to the file containing ca certs for verifying clients while using mutual TLS","x-order":2}}},"ServiceAccountKeyPair":{"description":"Represents key-pair associated to the service account.","type":"object","properties":{"id":{"type":"string","title":"Unique identifier for this key-pair. 
This should be used as the `kid` (key id) when\ngenerating JWT tokens that are signed with this key-pair.\n","x-order":0,"readOnly":true},"publicKey":{"type":"string","title":"The encoded public key associated with the service account.\nThe encoding format is determined by the `encoding` field.\n","x-order":1,"readOnly":true},"privateKey":{"type":"string","title":"The encoded private key associated with the service account.\nTSB does not store the private key and it is up to the client to store it safely.\nThe encoding format is determined by the `encoding` field.\n","x-order":2,"readOnly":true},"encoding":{"$ref":"#/components/schemas/KeyPairEncoding"},"defaultToken":{"type":"string","title":"A default access token that can be used to authenticate to TSB on behalf of the\nservice account. TSB does not store this token and it is only returned when a\nservice account key is created, similar to the private key. It is up to the client\nto store the token for future use or to use the TSB CLI to generate new tokens as\nexplained in: https://docs.tetrate.io/service-bridge/latest/howto/service-accounts\n","x-order":4,"readOnly":true}}},"ServiceMetricConfig":{"type":"object","title":"Configuration for metric aggregation","properties":{"name":{"description":"A user friendly name for this metric.","type":"string","x-order":0},"description":{"description":"A helpful description of what this metric represents.","type":"string","x-order":1},"aggregationKey":{"description":"An aggregation key that can be queried to get metrics for this service.","type":"string","x-order":2},"type":{"$ref":"#/components/schemas/ServiceMetricConfigMetricType"},"serviceDeployment":{"description":"The FQN of the service deployment related with this metric. 
Will be empty for group metrics.","type":"string","x-order":4},"parentMetric":{"type":"string","title":"The name of the metric config that aggregates this one in a higher level.\nFor example, for a subset in a cluster metric, this field has the name of the metric of the same subset\nacross the clusters","x-order":5}}},"ServiceMetricConfigMetricType":{"description":"MetricType denotes the relation of a metric with a physical service instance.\n\n - SINGLE_INSTANCE: A single instance metric config belongs to a specific physical service instance.\n - SUBSET: A subset metric config represents subsets across clusters or hostnames across clusters.\n - GLOBAL: A global metric config represents all the physical services.\n - ENDPOINT: An endpoint metric config represents an endpoint across clusters.\n - ENDPOINT_INSTANCE: An endpoint instance metric config represents an endpoint in a specific cluster.","type":"string","default":"INVALID","enum":["INVALID","SINGLE_INSTANCE","SUBSET","GLOBAL","ENDPOINT","ENDPOINT_INSTANCE"]},"ServiceObservabilityServiceDiscovery":{"description":"Configure `Tetrate Service Discovery` component.","type":"object","properties":{"plane":{"$ref":"#/components/schemas/ServiceObservabilityServiceDiscoveryPlane"},"agent":{"$ref":"#/components/schemas/ServiceObservabilityServiceDiscoveryAgent"}}},"ServiceObservabilityServiceDiscoveryAgent":{"description":"Settings for the `Tetrate Service Discovery Agent`.","type":"object","properties":{"version":{"description":"Version of the `Tetrate Service Discovery Agent` to use.\n\nDefaults to the version of the `Tetrate Service Discovery Agent` included into a given TSB release.","type":"string","x-order":0}}},"ServiceObservabilityServiceDiscoveryPlane":{"description":"Configure `Tetrate Service Discovery Plane` component.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevels":{"description":"The log level configuration by scopes.\n\nSupported 
log levels: \"none\", \"error\", \"info\", \"debug\".","type":"object","additionalProperties":{"type":"string"},"x-order":1}}},"ServiceRoutePortLevelTrafficSettings":{"description":"PortLevelTrafficSettings explicitly defines the type of traffic for all of\nthe ports exposed by a service for which routing rules need to be set.\nDepending on whether HTTPRoutes or TCPRoutes are specified or not, the main\nsubset weights are applied or not based on the following scenarios:\n1. If HTTPRoutes or TCPRoutes are specified:\n   a. Since Port is mandatory in MatchConditions, whenever a port is used\n      in (HTTP/TCP) MatchCondition, it needs to be present in the global\n      PortLevelTrafficSettings.\n   b. When MatchConditions are present in the routes, then subset-weight\n      combinations within routes will take effect instead of the global ones.\n2. If the routes are not specified, then the traffic will be matched on\n   ports specified in PortLevelTrafficSettings, and the routes will be set\n   according to global subset-weight combinations.","type":"object","required":["port","trafficType"],"properties":{"port":{"type":"integer","format":"int64","title":"Port number to which traffic must be routed","x-order":0},"trafficType":{"$ref":"#/components/schemas/ServiceRouteTrafficType"},"stickySession":{"$ref":"#/components/schemas/ServiceRouteStickySession"}}},"ServiceRouteStickySession":{"description":"If set, all requests from a client will be forwarded to the same backend.","type":"object","properties":{"header":{"description":"Hash based on a specific HTTP header.","type":"string","x-order":0},"cookie":{"$ref":"#/components/schemas/ServiceRouteStickySessionHTTPCookie"},"useSourceIp":{"description":"Hash based on the source IP address.","type":"boolean","x-order":2}}},"ServiceRouteStickySessionHTTPCookie":{"description":"Describes a HTTP cookie that will be used for sticky sessions. 
If the cookie is not present, it\nwill be generated.","type":"object","required":["name","path","ttl"],"properties":{"name":{"description":"Name of the cookie.","type":"string","x-order":0},"path":{"description":"Path to set for the cookie.","type":"string","x-order":1},"ttl":{"description":"Lifetime of the cookie.","type":"string","x-order":2}}},"ServiceRouteTrafficType":{"description":"- HTTP: If trafficType is HTTP, then a HTTP route is generated for that port\n - TCP: If trafficType is TCP, then a TCP route is generated for that port\n - TLS_PASSTHROUGH: This mode generates TLS routes for HTTPS traffic. TLS is not terminated at the gateway and is\npassed through to the server","type":"string","title":"TrafficType is the list of allowed traffic types for generating routes","default":"HTTP","enum":["HTTP","TCP","TLS_PASSTHROUGH"]},"ServiceScopesServiceScope":{"description":"A service scope defines the telemetry source wingspan in the mesh of a service.","type":"object","properties":{"type":{"$ref":"#/components/schemas/ServiceScopesServiceScopeScopeType"},"scope":{"$ref":"#/components/schemas/ServiceScopesServiceScopeScope"},"deployment":{"description":"The FQN of the service deployment in a concrete cluster related with this telemetry source scope.\nWill have a value for scope types INSTANCE or SERVICE.","type":"string","x-order":2}}},"ServiceScopesServiceScopeScope":{"description":"Each of the scope properties can have the following values:\n- A non empty value.\n- An empty value or absence of the property act as a wildcard, meaning any possible value.","type":"object","properties":{"instance":{"description":"instance is a concrete value or an empty value meaning any instance.","type":"string","x-order":0},"subset":{"description":"subset can be a concrete value or an empty value meaning any subset.","type":"string","x-order":1},"service":{"description":"service is always a concrete value.","type":"string","x-order":2},"namespace":{"description":"namespace is 
always a concrete value.","type":"string","x-order":3},"cluster":{"description":"cluster can be a concrete value or an empty value meaning any cluster.","type":"string","x-order":4}}},"ServiceScopesServiceScopeScopeType":{"description":"ScopeType denotes the wingspan of a telemetry source for a service.\n\n - INSTANCE: An instance telemetry source belongs to a specific service instance (pod or VM) in a cluster.\n - SERVICE: A service telemetry source belongs to a specific service, without subsets, in a cluster.\n - SUBSET: A subset telemetry source belongs to a specific service of a concrete subset in a cluster.\n - GLOBAL_SUBSET: A global subset telemetry source represents a concrete subset from a service across clusters.\nSubset scope type does not apply to ingress services.\n - GLOBAL: A global telemetry source represents all subsets from a service across clusters.","type":"string","default":"INVALID","enum":["INVALID","INSTANCE","SERVICE","SUBSET","GLOBAL_SUBSET","GLOBAL"]},"ServiceServiceDeployment":{"description":"ServiceDeployment represents the physical service in a cluster.","type":"object","properties":{"fqn":{"description":"Fully-qualified name of the instance. This field is read-only.","type":"string","x-order":0,"readOnly":true},"source":{"description":"Source of the instance. 
This field is read-only.","type":"string","x-order":1,"readOnly":true}}},"SetLoggerLevelsRequestAllLoggers":{"description":"Desired level for all loggers.","type":"object","required":["level"],"properties":{"level":{"description":"Desired level for all loggers.","type":"string","x-order":0}}},"SetLoggerLevelsRequestGivenLoggers":{"description":"Desired levels for given loggers.\nAvailable log levels are: trace, debug, info, warning/warn, error, critical, off.\nExamples: {\"config\": \"trace\", \"grpc\": \"debug\", \"http\": \"debug\", \"http2\": \"debug\"}\nSee https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging\nfor more details about loggers' naming.","type":"object","required":["loggerLevels"],"properties":{"loggerLevels":{"description":"Desired levels for given loggers.","type":"object","additionalProperties":{"type":"string"},"x-order":0}}},"SharedGatewayReferenceGrantGatewaySelector":{"description":"GatewaySelector specifies which Gateways are being shared.","type":"object","properties":{"nameSelector":{"$ref":"#/components/schemas/GatewaySelectorNameSelector"},"appLabelSelector":{"$ref":"#/components/schemas/GatewaySelectorAppLabelSelector"}}},"SingleConstraintExists":{"type":"object"},"SourceScopeIngressScopes":{"description":"IngressScopes defines one or many Ingress's hostname telemetry source wingspan in the mesh.","type":"object","properties":{"scopes":{"description":"Multiple IngressScope can be defined to group under a single telemetry source different ingresses.","type":"array","items":{"$ref":"#/components/schemas/IngressScopesIngressScope"},"x-order":0}}},"SourceScopeRelationScopes":{"description":"RelationScopes  represents the physical connection that exists between observable resources.\nA relation can represent for instance the physical connection that exist when a call between services is done:\n- Between a gateway and a service or vice versa.\n- Between a service and another service.\nThis observation can produce 
client-side measurements, server side measurements or both.","type":"object","properties":{"scopes":{"description":"Multiple RelationScope can be defined to group under a single telemetry source different relations.","type":"array","items":{"$ref":"#/components/schemas/RelationScopesRelationScope"},"x-order":0}}},"SourceScopeServiceScopes":{"description":"ServiceScopes defines one or many service's telemetry source wingspan in the mesh.","type":"object","properties":{"scopes":{"description":"Multiple ServiceScope can be defined to group under a single telemetry source different services.","type":"array","items":{"$ref":"#/components/schemas/ServiceScopesServiceScope"},"x-order":0}}},"SyncOrganizationRequestSyncTeam":{"description":"Information of a team as synchronized from the team source. This differs slightly from a TSB\nuser since the fields here are raw info that does not have the context of the TSB hierarchy.","type":"object","required":["id"],"properties":{"id":{"description":"Unique ID for the group.","type":"string","x-order":0},"description":{"description":"Optional description for the group.","type":"string","x-order":1},"memberUserIds":{"description":"List of user ids for the users that belong to this group.","type":"array","items":{"type":"string"},"x-order":2},"memberGroupIds":{"description":"List of group ids for the groups that are nested into this group.","type":"array","items":{"type":"string"},"x-order":3},"displayName":{"description":"Friendly name to show the group in the different UIs.","type":"string","x-order":4}}},"SyncOrganizationRequestSyncUser":{"description":"Information of a user as synchronized from the team source. 
This differs slightly from a TSB\nuser since the fields here are raw info that does not have the context of the TSB hierarchy.","type":"object","required":["id"],"properties":{"id":{"description":"Unique ID for the user.","type":"string","x-order":0},"description":{"description":"Optional description for the user.","type":"string","x-order":1},"email":{"type":"string","title":"User's email","x-order":2},"loginName":{"description":"The login username for the user.","type":"string","x-order":3},"displayName":{"description":"Friendly name to show the user in the different UIs.","type":"string","x-order":4}}},"SyncOrganizationResponseFailedIds":{"type":"object","properties":{"removal":{"type":"array","title":"Users or groups that failed to be removed","items":{"type":"string"},"x-order":0},"addition":{"type":"array","title":"Users or groups that failed to be created","items":{"type":"string"},"x-order":1},"update":{"type":"array","title":"Users or groups that failed to be updated","items":{"type":"string"},"x-order":2}}},"WasmExtensionPluginPhase":{"description":"- UNSPECIFIED_PHASE: Control plane decides where to insert the plugin. 
This will generally be at the end of the filter chain, right before the Router.\nDo not specify PluginPhase if the plugin is independent of others.\n - AUTHN: Insert plugin before Istio authentication filters.\n - AUTHZ: Insert plugin before Istio authorization filters and after Istio authentication filters.\n - STATS: Insert plugin before Istio stats filters and after Istio authorization filters.","type":"string","title":"Plugin phases following Istio definition: https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase","default":"UNSPECIFIED_PHASE","enum":["UNSPECIFIED_PHASE","AUTHN","AUTHZ","STATS"]},"WasmExtensionPullPolicy":{"description":"The pull behaviour to be applied when fetching a WASM module,\nmirroring K8s behaviour.\n\n - UNSPECIFIED_POLICY: Defaults to IfNotPresent, except for OCI images with tag `latest`, for which\nthe default will be Always.\n - IfNotPresent: If an existing version of the image has been pulled before, that\nwill be used. If no version of the image is present locally, we\nwill pull the latest version.\n - Always: We will always pull the latest version of an image when changing\nthis plugin. 
Note that the change includes `metadata` field as well.","type":"string","default":"UNSPECIFIED_POLICY","enum":["UNSPECIFIED_POLICY","IfNotPresent","Always"]},"WaypointsConfigCommonWaypointConfig":{"description":"Common waypoint configuration shared at the cluster or namespace level.","type":"object","properties":{"enable":{"description":"Enable or disable default waypoint deployment (default is true)\nThis configuration can be made at both the cluster level and also at namespace level.\nCluster level configs will be applied in all the onboarded application namespaces which are\nin the ambient mode and do not have namespace level configs.\nExample, if user wants waypoint to be deployed in selected few namespaces, then user can disable\nthe cluster level config and enable the namespace level config for those namespaces.\nIf both cluster level and namespace level configs are enabled, then namespace level configs will take precedence.\nIf both cluster level and namespace level configs are disabled, then waypoint will not be deployed in any of the namespaces.\nIf cluster level config is enabled and namespace level config is not configured, then waypoint will be deployed in all\nthe onboarded application namespaces which are in the ambient mode.","type":"boolean","x-order":0},"labels":{"description":"Deprecated: Use overlays field to add labels, annotations, tolerations and resource requirements.\n\nLabels to apply to the waypoint","type":"object","additionalProperties":{"type":"string"},"x-order":1},"annotations":{"type":"object","title":"Annotations to apply to the waypoint","additionalProperties":{"type":"string"},"x-order":2},"tolerations":{"type":"object","title":"Tolerations for the waypoint pod","additionalProperties":{"type":"string"},"x-order":3},"resources":{"$ref":"#/components/schemas/installkubernetesResources"},"disableLabelManagement":{"description":"If true, xcp will not apply/remove istio.io/use-waypoint label on/from the namespace of the ambient 
workloads.\nDefault is false and in that case namespace level waypoint redirection is enabled automatically by xcp.\nIf this is set to true, then user has to manually apply the istio.io/use-waypoint label on the namespace to enable waypoint redirection.\nOtherwise, traffic will not go through waypoints and will be directly routed to the destination ambient workloads.\n\nDisable label management for the waypoint","type":"boolean","x-order":5},"overlays":{"description":"overlays can be used to fully customize waypoint deployments, services and hpa. Example:\n```yaml\nistio:\n  ambient:\n    enable: true\n    waypoints:\n      clusterLevel:\n        xfccWasmPluginUrl: file:///wasm-plugins/xcp-guard.wasm\n        overlays:\n          istio-waypoint:  # This is the waypoint's gateway class name.\n            deployment:\n              metadata:\n                annotations:\n                  cluster-level: via-excp-value\n      namespaceLevel:\n      - config:\n          overlays:\n            istio-waypoint:\n              deployment:\n                metadata:\n                  annotations:\n                    via-excp: via-excp-value\n              horizontalPodAutoscaler:\n                spec:\n                  maxReplicas: 3\n                  minReplicas: 1\n        name: echo # This is the namespace name.\n```\nThis allows users to customize the waypoint deployments, services and hpa.\n\"clusterLevel\" overlays will be applied to all the waypoints deployed by xcp in the cluster.\nThis includes waypoints deployed in app namespaces and also the waypoints deployed in the\nxcp-multicluster namespace.\n\"namespaceLevel\" overlays will override the \"clusterLevel\" overlays for the specific namespace.\nNote that namespace level overlays will totally replace the cluster level overlays for the specific namespace.\noverlays will be used to generate the `data:` section of the configmap, as documented at 
\nhttps://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/, which is created by xcp for waypoint \ncustomization.","x-order":6}}},"WaypointsConfigNamespaceLevelCommonConfig":{"description":"Namespace-level waypoint configuration, including a namespace selector and specific\nwaypoint settings for that namespace.","type":"object","properties":{"name":{"type":"string","title":"Namespace name","x-order":0},"selector":{"$ref":"#/components/schemas/WaypointsConfigNamespaceLevelCommonConfigNamespaceSelector"},"config":{"$ref":"#/components/schemas/WaypointsConfigCommonWaypointConfig"}}},"WaypointsConfigNamespaceLevelCommonConfigNamespaceSelector":{"type":"object","properties":{"labels":{"type":"object","title":"Key-value pairs for selecting namespaces","additionalProperties":{"type":"string"},"x-order":0}}},"WorkloadProxy":{"description":"Info about proxy attached to a workload.","type":"object","properties":{"controlPlaneAddress":{"description":"Address/service of control plane entity controlling the proxy\nlike istiod.istio-system.svc:15012.","type":"string","x-order":0},"envoyVersion":{"description":"Envoy version of the proxy.","type":"string","x-order":1},"istioVersion":{"description":"Istio version of the proxy.","type":"string","x-order":2},"status":{"type":"object","title":"Sync status for each xDS component.\nFor example:\nstatus[\"CDS\"] = \"SYNCED\"\nXDS components are: LDS, RDS, EDS CDS and SRDS.\nRefer to Envoy go-control-plane ConfigStatus for possible status values\nvalues:\nhttps://github.com/envoyproxy/go-control-plane/blob/main/envoy/service/status/v3/csds.pb.go","additionalProperties":{"type":"string"},"x-order":3}}},"XCPCentralAuthMode":{"description":"- UNKNOWN: Default when unset, do not use\n - MUTUAL_TLS: GRPC stream is encrypted with mutual TLS\n - JWT: XCP Edges present a JWT bearer token in the GRPC headers","type":"string","title":"Authentication mode for connections from XCP Edges to XCP 
Central","default":"UNKNOWN","enum":["UNKNOWN","MUTUAL_TLS","JWT"]},"XCPEdge":{"description":"Secrets for the XCP Edge component.","type":"object","properties":{"cert":{"description":"Edge certificate used for mTLS with XCP Central.","type":"string","x-order":0},"key":{"description":"Key of the Edge certificate used for mTLS with XCP Central.","type":"string","x-order":1},"token":{"description":"JWT token used to authenticate XCP Edge against the XCP Central.","type":"string","x-order":2}}},"apiHttpBody":{"description":"Message that represents an arbitrary HTTP body. It should only be used for\npayload formats that can't be represented as JSON, such as raw binary or\nan HTML page.\n\n\nThis message can be used both in streaming and non-streaming API methods in\nthe request as well as the response.\n\nIt can be used as a top-level request field, which is convenient if one\nwants to extract parameters from either the URL or HTTP template into the\nrequest fields and also want access to the raw HTTP body.\n\nExample:\n\n    message GetResourceRequest {\n      // A unique request id.\n      string request_id = 1;\n\n      // The raw HTTP body is bound to this field.\n      google.api.HttpBody http_body = 2;\n\n    }\n\n    service ResourceService {\n      rpc GetResource(GetResourceRequest)\n        returns (google.api.HttpBody);\n      rpc UpdateResource(google.api.HttpBody)\n        returns (google.protobuf.Empty);\n\n    }\n\nExample with streaming methods:\n\n    service CaldavService {\n      rpc GetCalendar(stream google.api.HttpBody)\n        returns (stream google.api.HttpBody);\n      rpc UpdateCalendar(stream google.api.HttpBody)\n        returns (stream google.api.HttpBody);\n\n    }\n\nUse of this type only changes how the request and response bodies are\nhandled, all other features will continue to work unchanged.","type":"object","properties":{"contentType":{"description":"The HTTP Content-Type header value specifying the content type of the 
body.","type":"string","x-order":0},"data":{"description":"The HTTP request/response body as raw binary.","type":"string","format":"byte","x-order":1},"extensions":{"description":"Application specific response metadata. Must be set in the first response\nfor streaming APIs.","type":"array","items":{"$ref":"#/components/schemas/protobufAny"},"x-order":2}}},"apitsbv2API":{"description":"An API resource defines an OpenAPI specification that can be used by gateways to validate incoming requests.\n\nThe following API resource example validates incoming requests for certain hostnames and optional paths.\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: API\nmetadata:\n  organization: myorg\n  tenant: mycompany\n  workspace: myapp\n  name: example-api\nspec:\n  openapi: |\n    TODO: add an example with request body definition\n```\n\nThe following gateway definition references the previous API to perform its validations for incoming requests.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  organization: myorg\n  tenant: mycompany\n  workspace: myapp\n  name: example-gateway\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo\n    port: 443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    routing:\n      rules:\n      - route:\n          serviceDestination:\n            host: ns1/productpage.ns1.svc.cluster.local\n    openapi:\n      api: organizations/myorg/tenants/mycompany/workspaces/myapp/apis/example-api\n      validation:\n        enabled: true\n```\n\n\n\n","type":"object","required":["openapi"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"openapi":{"description":"The raw OpenAPI spec for this API.","type":"string","x-order":4}}},"apitsbv2ListAPIsResponse":{"description":"List of all API objects in the workspace.","type":"object","properties":{"apis":{"type":"array","items":{"$ref":"#/components/schemas/apitsbv2API"},"x-order":0}}},"apitsbv2ResourceStatus":{"description":"Each resource in TSB is able to provide a status to let the user know its\ncurrent integrity.\nSome resources, like configurations for ingress, traffic and security, are\nnot immediately applied as soon as TSB accepts any modification from user.\nIn these cases, the status will provide enough information to know when it\nis really applying to the affected workloads.\nThis allows any user or CI/CD process to poll the status of any desired\nresource and proceed accordingly.\n\nThere are two types of resources, the ones that aggregate the status of\nchildren resources and the ones that do not. 
Check the documentation for the\ndifferent details object types for further information.\n\nAs an example, let's say the user pushes an `IngressGateway` configuration.\n`IngressGateway` does not aggregate status of children resources, but the\nother way around: its parent resource `GatewayGroup` does aggregate its\nstatus.\n\nWhen the request succeeds in TSB server, that resource's status will reach\nthe `ACCEPTED` status with a TSB_ACCEPTED event in its configEvents details:\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: ResourceStatus\nmetadata:\n  name: bookinfo-gateway\n  organization: my-org\n  tenant: my-tenant\n  workspace: bookinfo-ws\n  gatewaygroup: bookinfo-gw-group\nspec:\n  status: ACCEPTED\n  configEvents:\n    events:\n    - etag: '\"sMlEWPbvm6M=\"'\n      timestamp: \"2022-01-11T10:11:41.784168161Z\"\n      type: TSB_ACCEPTED\n```\n\nThen, when pushed to MPC it succeeds and stays in `ACCEPTED` status, and the\nevent list reflects the new event data, which will become:\n\n```yaml\n# omitting the rest of the fields for simplicity\nspec:\n  status: ACCEPTED\n  configEvents:\n    events:\n    - etag: '\"sMlEWPbvm6M=\"'\n      timestamp: \"2022-01-11T10:11:43.264330637Z\"\n      type: MPC_ACCEPTED\n    - etag: '\"sMlEWPbvm6M=\"'\n      timestamp: \"2022-01-11T10:11:41.784168161Z\"\n      type: TSB_ACCEPTED\n```\n\nLater on, if there is an error in the MPC underlying layers such as XCP\nCentral, a new event will be propagated and appended to the resource status\nthat will change to status `FAILED` with the corresponding message.\n\n```yaml\n# omitting the rest of the fields for simplicity\nspec:\n  status: FAILED\n  message: \"IngressGateway.xcp.tetrate.io \\\"INVALID-96010ce1d9b7df5c\\\" is invalid: metadata.name:\n    Invalid value: \\\"INVALID-96010ce1d9b7df5c\\\": a DNS-1123 subdomain must consist of lower case alphanumeric characters,\n    '-' or '.', and must start and end with an alphanumeric character\n    (e.g. 
'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')\"\n  configEvents:\n    events:\n    - etag: '\"sMlEWPbvm6M=\"'\n      message: \"IngressGateway.xcp.tetrate.io \\\"INVALID-96010ce1d9b7df5c\\\" is invalid: metadata.name:\n        Invalid value: \\\"INVALID-96010ce1d9b7df5c\\\": a DNS-1123 subdomain must consist of lower case alphanumeric characters,\n        '-' or '.', and must start and end with an alphanumeric character\n        (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')\"\n      reason: \"ValidationFailed\"\n      timestamp: \"2022-01-11T10:11:43.444335769Z\"\n      type: XCP_REJECTED\n    - etag: '\"sMlEWPbvm6M=\"'\n      timestamp: \"2022-01-11T10:11:43.264330637Z\"\n      type: MPC_ACCEPTED\n    - etag: '\"sMlEWPbvm6M=\"'\n      timestamp: \"2022-01-11T10:11:41.784168161Z\"\n      type: TSB_ACCEPTED\n```\n\nAnother example of a status of a resource that aggregates its children\nstatus could be the following:\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: ResourceStatus\nmetadata:\n  name: bookinfo\n  organization: tetrate\n  tenant: tetrate\n  workspace: bookinfo\nspec:\n  aggregatedStatus:\n    configEvents:\n      events:\n      - etag: '\"XAdtTSjZGic=\"'\n        timestamp: \"2022-01-11T16:50:15.571985056Z\"\n        type: XCP_ACCEPTED\n      - etag: '\"XAdtTSjZGic=\"'\n        timestamp: \"2022-01-11T16:50:15.545956009Z\"\n        type: MPC_ACCEPTED\n      - etag: '\"XAdtTSjZGic=\"'\n        timestamp: \"2022-01-11T16:50:13.547777908Z\"\n        type: TSB_ACCEPTED\n  status: ACCEPTED\n```\nIn case of errors, the children_errors map would be filled.\n\nFinally, an example of a status of a non-configurable resource like a `Tenant`\nwould not have any details. 
This kind of resource doesn't aggregate status either.\nThis kind of resource will reach the `READY` status once its request has\nbeen processed by the TSB server.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: ResourceStatus\nmetadata:\n  name: tetrate\n  organization: tetrate\nspec:\n  status: READY\n```","type":"object","properties":{"status":{"$ref":"#/components/schemas/v2ResourceStatusStatus"},"message":{"description":"User friendly message adding details of the status.","type":"string","x-order":1},"configEvents":{"$ref":"#/components/schemas/v2ConfigEvents"},"aggregatedStatus":{"$ref":"#/components/schemas/v2AggregatedStatus"}}},"apitsbv2Service":{"type":"object","title":"A Kubernetes or a VM service. These are automatically discovered by\nthe Service Bridge agents in the cluster.\n$hide_from_yaml","properties":{"hostname":{"description":"The hostname by which this service is accessed. Can correspond to the\nhostname of an internal service or that of a virtual host on a gateway.","type":"string","x-order":0},"namespace":{"description":"namespace associated with the service.","type":"string","x-order":1},"selector":{"description":"label selectors associated with the service.","type":"object","additionalProperties":{"type":"string"},"x-order":2},"ports":{"description":"The set of ports on which this service is exposed.","type":"array","items":{"$ref":"#/components/schemas/v2ServicePort"},"x-order":3},"kubernetesServiceIp":{"description":"For services running on Kubernetes, the cluster IP of the service in the\ncluster.","type":"string","x-order":4},"kubernetesExternalAddresses":{"description":"For kubernetes services of type load balancer, this field contains the list\nof lb hostnames or IPs assigned to the service. 
For services of type\nnodePort, this field contains the IP addresses of the nodes in the cluster.","type":"array","items":{"type":"string"},"x-order":5},"numKubernetesEndpoints":{"description":"The number of kubernetes pods providing this service. Note that a\nservice could be hosted on both pods and VMs.","type":"integer","format":"int64","x-order":6},"numVmEndpoints":{"description":"The number of VMs providing this service.","type":"integer","format":"int64","x-order":7},"meshExternal":{"type":"boolean","title":"indicates that this is an external service (service entry MESH_EXTERNAL\nlocation)","x-order":8},"gatewayHost":{"description":"Indicates that this is a service representing a gateway host (used for\nmulti-cluster scenarios).","type":"boolean","x-order":9},"numHops":{"description":"The number of hops from the advertising cluster to the ingress\ngateway that is exposing the gateway host. If the advertiser is the\ncluster owning the ingress gateway host, the hops is 0. If the\nadvertiser is a tier1 cluster exposing gateways via internal or\nexternal Servers, the path hops is 1.","type":"integer","format":"int64","x-order":10},"kubernetesServiceFqdn":{"description":"If this is a gateway host service, this field will indicate the kubernetes\nservice that is running as a gateway and exposing this host to the outside\nworld.","type":"string","x-order":11},"name":{"type":"string","title":"Name assigned to the service","x-order":12},"subsets":{"type":"array","title":"Name of subsets defined for this service","items":{"type":"string"},"x-order":13},"canonicalName":{"description":"17 to match xcp api and make conversion easier.","type":"string","title":"The canonical name of the service defined by labels\n(value of service.istio.io/canonical-name)","x-order":14},"workloads":{"description":"Workloads implementing the Service.","type":"array","items":{"$ref":"#/components/schemas/apitsbv2Workload"},"x-order":15},"tier1GatewayHost":{"description":"Indicates that this 
is a service representing a gateway host acting as a\ntier1 gateway. This field is being introduced specifically for the\nhostnames exposed through Tier1Gateway's ExternalServers. For all other\nhostnames that are exposed on IngressGateways or Tier1Gateway's\nInternalServers gateway_host field is set to true because that is used for\nmulticluster routing setup. For ExternalServer hostnames multicluster\ncluster routing is not setup and hence UI on finding gateway_host as false\nshows these hostnames as internal services incorrectly. To help UI, this\nfield is being introduced. UI would look for either gateway_host or\ntier1_gateway_host to decide if the hostname is a gateway hostname.","type":"boolean","x-order":16},"spiffeIds":{"description":"List of SPIFFE identities used by the workloads of the service.","type":"array","items":{"type":"string"},"x-order":17},"state":{"$ref":"#/components/schemas/v2ServiceState"},"labels":{"type":"object","title":"Labels associated with the service","additionalProperties":{"type":"string"},"x-order":19},"annotations":{"type":"object","title":"Annotations associated with the service","additionalProperties":{"type":"string"},"x-order":20}}},"apitsbv2Workload":{"description":"Info about individual workload implementing the service.","type":"object","properties":{"address":{"description":"Routable address of the workload.","type":"string","x-order":0},"name":{"description":"Instance name of the workload.","type":"string","x-order":1},"isVm":{"description":"Indicates whether the workload is kubernetes endpoint or vm.","type":"boolean","x-order":2},"proxy":{"$ref":"#/components/schemas/WorkloadProxy"}}},"applicationv2Status":{"description":"The computed configuration status for the Application or API.\n\n - UNKNOWN: Unknown indicates that the status has not been computed.\n - MISSING: The missing status indicates that the configuration resource for the Applications\nor APIs do not exist.\n - DIRTY: Dirty Applications and APIs are 
those that have the corresponding configuration\nobjects (config groups, ingress gateways, etc), but those objects have been\ndirectly modified or their current configuration does not match the one specified\nin the corresponding Application/API.\n - CONFIGURED: Configured Applications and APIs are those that have the corresponding\nconfiguration resources (config groups, ingress gateways, etc) and their\nconfigurations match the ones defined in the Application/API objects.","type":"string","default":"UNKNOWN","enum":["UNKNOWN","MISSING","DIRTY","CONFIGURED"]},"commonCertManagerSettings":{"description":"CertManagerSettings represents the settings used for the cert-manager installation. TSB supports installing and managing\nthe lifecycle of the cert-manager installation.","type":"object","properties":{"managed":{"$ref":"#/components/schemas/CertManagerSettingsManaged"},"certManagerSpec":{"$ref":"#/components/schemas/CertManagerSettingsCertManagerSpec"},"certManagerWebhookSpec":{"$ref":"#/components/schemas/CertManagerSettingsCertManagerWebhookSpec"},"certManagerCaInjector":{"$ref":"#/components/schemas/CertManagerSettingsCertManagerCAInjector"},"certManagerStartupapicheck":{"$ref":"#/components/schemas/CertManagerSettingsCertManagerStartupAPICheck"}}},"commonConfigProtection":{"type":"object","title":"ConfigProtection contains settings for enabling/disabling config protection\nover XCP created resources.\nConfig protections are disabled by default.\nExample:\n```yaml\nconfigProtection:\n  enableAuthorizedUpdateDeleteOnXcpConfigs: true\n  enableAuthorizedCreateUpdateDeleteOnXcpConfigs: true\n  authorizedUsers:\n    - user1\n    - system:serviceaccount:ns1:serviceaccount-1\n```","properties":{"enableAuthorizedUpdateDeleteOnXcpConfigs":{"description":"When enabled, no other user or svc account except AuthorizedUsers would be allowed to delete or update\nthe XCP/Istio API resources created by 
XCP.","type":"boolean","x-order":0},"enableAuthorizedCreateUpdateDeleteOnXcpConfigs":{"description":"When enabled, no other user or svc account except AuthorizedUsers would be allowed to create, delete or update\nthe XCP/Istio API resources. This acts as a superset of the enableAuthorizedUpdateDeleteOnXcpConfigs.","type":"boolean","x-order":1},"authorizedUsers":{"description":"List of usernames of authorized users or svc accounts to create/update/delete XCP configs when config protection is enabled.","type":"array","items":{"type":"string"},"x-order":2}}},"commonCustomCertProviderSettings":{"description":"CustomCertProviderSettings represents the settings used for the custom certificate provider. Users can configure the CSR signer\nrequired for certificate signing and point to the CA bundle to be used to validate the certificates.","type":"object","required":["csrSignerName","caBundleSecretName"],"properties":{"csrSignerName":{"description":"Name of Kubernetes CSR signer to be used to sign the CSR request by different TSB components for internal purposes.","type":"string","x-order":0},"caBundleSecretName":{"description":"Configure the CABundleSecretName to be used to verify the signed CSR request by different TSB components. If not specified,\nTSB would use the secret with the name ca-bundle-management-plane in the management plane namespace or ca-bundle-control-plane\nin the control plane namespace. The secret should contain the file ca.crt with the cert data.","type":"string","x-order":1}}},"commonGitOps":{"description":"The GitOps component configures the features that allow integrating the Management Plane and/or the\nControl Plane cluster with Continuous Deployment pipelines.","type":"object","properties":{"enabled":{"description":"The GitOps component is in beta and disabled by default.\nIf Management and Control Planes are installed in the same cluster, Continuous Deployment Integration\nshould only be enabled in one of both planes. 
However, if the GitOps component is enabled in both planes,\nonly the Control Plane GitOps component will remain enabled. The Management Plane GitOps component\nwill not be enabled, even though it is explicitly enabled.","type":"boolean","x-order":0},"reconcileInterval":{"description":"Periodical interval at which the objects will be reconciled after they are successfully synchronized (created,\nupdated, deleted) with the Management Plane.\nThis parameter does not affect retry on unsuccessful operations, which are retried with exponential backoff strategy\n(starting with 3s and max delay 120s).\nFormat: 1h/1m/1s/1ms. A value of 0 disables per-object reconciliation and uses the operator's global interval of 10h.\nDefault: 10m.","type":"string","x-order":1},"batchWindow":{"description":"When configured, all admission requests will be paused for the configured duration.\nOnce the window interval is closed, all paused admission requests will be sent together\nto the Management Plane as a single request.\nBatching of requests is disabled by default and should be enabled only if there is high concurrency\nand ordering of resources could be an issue. By configuring a batch window the concurrency\nand ordering issues may be mitigated, although it will introduce a constant latency to all requests\nof the configured time window.\nWhen enabled, it is recommended to use a small value, for example 1 second.","type":"string","x-order":2},"managementplaneRequestTimeout":{"description":"The GitOps component performs operations against the management plane through the k8s webhook.\nThis allows configuring the duration of each operation in order to fail early if it takes too much.\nThis value cannot be lower than `webhook_timeout` due to the request being tied to the ones received\nby the k8s webhook.\nFormat: 1h/1m/1s/1m. Any value <= 0 will be reset to the default value. 
Default: 25s.","type":"string","x-order":3},"reconcileRequestTimeout":{"description":"The GitOps component performs operations against the management plane internal reconcile loop.\nThis allows configuring the duration of each operation to fail early if it takes too long.\nFormat: 1h/1m/1s/1m. Any value <= 0 will be reset to the default value. Default: 2m.","type":"string","x-order":4},"webhookTimeout":{"description":"Timeout that will be set in the k8s gitops webhook resource.\nFormat: 1h/1m/1s/1m. Default: 30s. Allowed values must be between 0s and 30s.","type":"string","x-order":5},"pushMode":{"$ref":"#/components/schemas/GitOpsPushMode"}}},"commonInternalCertProvider":{"description":"InternalCertProvider describes the certificate provider configuration for TSB internal purposes like kubernetes webhook certificate.\nTSB supports cert-manager out of the box.","type":"object","properties":{"certManager":{"$ref":"#/components/schemas/commonCertManagerSettings"},"custom":{"$ref":"#/components/schemas/commonCustomCertProviderSettings"},"tsbManaged":{"$ref":"#/components/schemas/commonTSBManaged"}}},"commonMeshObservabilitySettings":{"description":"Configure mesh observability.\nThe following examples enable the analysis and generation of RED metrics for each\nendpoint of your registered services.\n\nNotice that both, ManagementPlane and ControlPlane, need to be aligned with this configuration.\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ManagementPlane\nmetadata:\n  name: managementplane\nspec:\n  meshObservability:\n    settings:\n      apiEndpointMetricsEnabled: true\n```\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  meshObservability:\n    settings:\n      apiEndpointMetricsEnabled: true\n```","type":"object","properties":{"apiEndpointMetricsEnabled":{"description":"Toggle to process, analyze, and generate api endpoints RED metrics.\nBy default `false` 
which means disabled.\nIf you want to analyze all your request and generate RED metrics for\neach endpoint of your registered services in the mesh, set it to `true`.","type":"boolean","x-order":0}}},"commonTSBManaged":{"description":"TSBManaged represents the self-signed TSB managed internal certificate provider.","type":"object"},"commonv1alpha1Image":{"description":"Values for the TSB operator image.","type":"object","properties":{"registry":{"description":"Registry used to download the operator image.","type":"string","x-order":0},"tag":{"description":"The tag of the operator image.","type":"string","x-order":1}}},"commonv1alpha1Operator":{"description":"Operator values for the TSB operator application.","type":"object","properties":{"deployment":{"$ref":"#/components/schemas/v1alpha1OperatorDeployment"},"service":{"$ref":"#/components/schemas/v1alpha1OperatorService"},"serviceAccount":{"$ref":"#/components/schemas/v1alpha1OperatorServiceAccount"},"controlPlaneMode":{"$ref":"#/components/schemas/v2ControlPlaneMode"},"deletionProtection":{"type":"string","title":"DeletionProtection is the flag for the deletion protection for the control plane\nPossible values are:\n- enabled: The control plane will have deletion protection enabled\n- disabled: The control plane will have deletion protection disabled","x-order":4}}},"controlplanev1alpha1IstioRevision":{"description":"Istio control plane settings for a specific revision.","type":"object","required":["name","istio"],"properties":{"name":{"description":"Name of the IstioRevision. Must be unique at cluster level, across Isolation\nBoundaries. The IstioRevision name is used to deploy revisioned Istio control-plane\ncomponents.\n\nNotice that the value constraints here are stricter than the ones in Istio.\nApparently, Istio validation rules allow values that lead to internal failures\nat runtime, e.g. 
values with capital letters or values longer than 56 characters.\nStricter validation rules here are meant to prevent those hidden pitfalls.","type":"string","x-order":0},"istio":{"$ref":"#/components/schemas/v1alpha1Istio"},"disable":{"description":"If set to `true`, Istio control plane deployment with this revision will be\ncleaned up from the cluster. This field can be used to clean up revisioned\ncontrol plane deployment while retaining the configurations in the CR. After\ncleanup, it can be again set to `false` to re-deploy revisioned control plane.\nBy default the value is set to `false`.","type":"boolean","x-order":2}}},"controlplanev1alpha1Secrets":{"description":"Secrets available in the ControlPlane installation.","type":"object","properties":{"tsb":{"$ref":"#/components/schemas/SecretsTSB"},"elasticsearch":{"$ref":"#/components/schemas/SecretsElasticSearch"},"xcp":{"$ref":"#/components/schemas/v1alpha1SecretsXCP"},"clusterServiceAccount":{"$ref":"#/components/schemas/SecretsClusterServiceAccount"}}},"corev1Toleration":{"description":"The pod this Toleration is attached to tolerates any taint that matches\nthe triple <key,value,effect> using the matching operator <operator>.","type":"object","properties":{"key":{"type":"string","title":"Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.\n+optional","x-order":0},"operator":{"type":"string","title":"Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. 
Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.\n+optional","x-order":1},"value":{"type":"string","title":"Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.\n+optional","x-order":2},"effect":{"type":"string","title":"Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.\n+optional","x-order":3},"tolerationSeconds":{"type":"string","format":"int64","title":"TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.\n+optional","x-order":4}}},"corev3Address":{"description":"Addresses specify either a logical or physical address and port, which are\nused to tell Envoy where to bind/listen, connect to upstream and find\nmanagement servers.","type":"object","properties":{"socketAddress":{"$ref":"#/components/schemas/v3SocketAddress"},"pipe":{"$ref":"#/components/schemas/v3Pipe"},"envoyInternalAddress":{"$ref":"#/components/schemas/v3EnvoyInternalAddress"}}},"corev3Locality":{"description":"Identifies location of where either Envoy runs or where upstream hosts run.","type":"object","properties":{"region":{"description":"Region this :ref:`zone <envoy_v3_api_field_config.core.v3.Locality.zone>` belongs to.","type":"string","x-order":0},"zone":{"description":"Defines the local service zone where Envoy is running. 
Though optional, it\nshould be set if discovery service routing is used and the discovery\nservice exposes :ref:`zone data <envoy_v3_api_field_config.endpoint.v3.LocalityLbEndpoints.locality>`,\neither in this message or via :option:`--service-zone`. The meaning of zone\nis context dependent, e.g. `Availability Zone (AZ)\n<https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html>`_\non AWS, `Zone <https://cloud.google.com/compute/docs/regions-zones/>`_ on\nGCP, etc.","type":"string","x-order":1},"subZone":{"description":"When used for locality of upstream hosts, this field further splits zone\ninto smaller chunks of sub-zones so they can be load balanced\nindependently.","type":"string","x-order":2}}},"corev3Node":{"type":"object","title":"Identifies a specific Envoy instance. The node identifier is presented to the\nmanagement server, which may use this identifier to distinguish per Envoy\nconfiguration for serving.\n[#next-free-field: 13]","properties":{"id":{"description":"An opaque node identifier for the Envoy node. This also provides the local\nservice node name. It should be set if any of the following features are\nused: :ref:`statsd <arch_overview_statistics>`, :ref:`CDS\n<config_cluster_manager_cds>`, and :ref:`HTTP tracing\n<arch_overview_tracing>`, either in this message or via\n:option:`--service-node`.","type":"string","x-order":0},"cluster":{"description":"Defines the local service cluster name where Envoy is running. 
Though\noptional, it should be set if any of the following features are used:\n:ref:`statsd <arch_overview_statistics>`, :ref:`health check cluster\nverification\n<envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.service_name_matcher>`,\n:ref:`runtime override directory <envoy_v3_api_msg_config.bootstrap.v3.Runtime>`,\n:ref:`user agent addition\n<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.add_user_agent>`,\n:ref:`HTTP global rate limiting <config_http_filters_rate_limit>`,\n:ref:`CDS <config_cluster_manager_cds>`, and :ref:`HTTP tracing\n<arch_overview_tracing>`, either in this message or via\n:option:`--service-cluster`.","type":"string","x-order":1},"metadata":{"description":"Opaque metadata extending the node identifier. Envoy will pass this\ndirectly to the management server.","type":"object","x-order":2},"dynamicParameters":{"description":"Map from xDS resource type URL to dynamic context parameters. These may vary at runtime (unlike\nother fields in this message). For example, the xDS client may have a shard identifier that\nchanges during the lifetime of the xDS client. In Envoy, this would be achieved by updating the\ndynamic context on the Server::Instance's LocalInfo context provider. The shard ID dynamic\nparameter then appears in this field during future discovery requests.","type":"object","additionalProperties":{"$ref":"#/components/schemas/v3ContextParams"},"x-order":3},"locality":{"$ref":"#/components/schemas/corev3Locality"},"userAgentName":{"type":"string","title":"Free-form string that identifies the entity requesting config.\nE.g. \"envoy\" or \"grpc\"","x-order":5},"userAgentVersion":{"type":"string","title":"Free-form string that identifies the version of the entity requesting config.\nE.g. 
\"1.12.2\" or \"abcd1234\", or \"SpecialEnvoyBuild\"","x-order":6},"userAgentBuildVersion":{"$ref":"#/components/schemas/v3BuildVersion"},"extensions":{"description":"List of extensions and their versions supported by the node.","type":"array","items":{"$ref":"#/components/schemas/v3Extension"},"x-order":8},"clientFeatures":{"description":"Client feature support list. These are well known features described\nin the Envoy API repository for a given major version of an API. Client features\nuse reverse DNS naming scheme, for example ``com.acme.feature``.\nSee :ref:`the list of features <client_features>` that xDS client may\nsupport.","type":"array","items":{"type":"string"},"x-order":9},"listeningAddresses":{"description":"Known listening ports on the node as a generic hint to the management server\nfor filtering :ref:`listeners <config_listeners>` to be returned. For example,\nif there is a listener bound to port 80, the list can optionally contain the\nSocketAddress ``(0.0.0.0,80)``. The field is optional and just a hint.","type":"array","items":{"$ref":"#/components/schemas/corev3Address"},"x-order":10}}},"dataplanev1alpha1GatewaySpecType":{"description":"Type defines the different type of use cases and functionalities supported by gateway install.\nEach type configures the gateway workloads specific to a particular use case represented by the type.\nIf not set, UNIFIED is set as default.\n\n - UNIFIED: UNIFIED represents the gateway type supporting all functionalities: INGRESS, EGRESS, and EASTWEST.\nGateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS).\nThe gateway is configured with a LoadBalancer type service by default.\n - INGRESS: INGRESS represents the gateway type configured for Ingress use cases.\nGateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS).\nThe gateway is configured with a LoadBalancer type service by default.\n - EGRESS: EGRESS represents the gateway 
type configured for Egress use cases.\nGateway workloads are configured with the default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS).\nThe gateway is configured with a ClusterIP type service by default.\n - EASTWEST: EASTWEST represents the gateway type configured for East-West use cases.\nGateway workloads are configured with the default port 15443 (ISTIO_mTLS).\nThe gateway is configured with a LoadBalancer type service by default.","type":"string","default":"UNIFIED","enum":["UNIFIED","INGRESS","EGRESS","EASTWEST"]},"extensionv2EnvVar":{"type":"object","required":["name","valueFrom"],"properties":{"name":{"type":"string","title":"Name of the environment variable. Must be a C_IDENTIFIER, by following this regex: [A-Za-z_][A-Za-z0-9_]*","x-order":0},"valueFrom":{"$ref":"#/components/schemas/v2EnvValueSource"},"value":{"description":"Value for the environment variable.\nNote that if `value_from` is `HOST`, it will be ignored.\nDefaults to \"\".","type":"string","x-order":2}}},"gatewayv2EgressGateway":{"description":"`EgressGateway` configures a workload to act as a gateway for\ntraffic exiting the mesh. The egress gateway is meant to be the destination\nof unknown traffic within the mesh (traffic sent to non-mesh services). The\ngateway allows authorization control of traffic sent to it to more finely tune\nwhich services are allowed to send unknown traffic through the gateway. Only HTTP\nis supported at this time.\n\nThe following example declares an egress gateway running on pods in istio-system\nwith the label app=istio-egressgateway. This gateway is set up to allow traffic\nfrom anywhere in the cluster to access www.httpbin.org, and to allow the bookinfo details app\nspecifically to access any external host. `EgressGateway`s need to be paired\nwith `TrafficSetting`s in order to be usable. You must set the `egress` field in the\n`TrafficSetting`s to point to the egress gateway and send traffic to port 15443. 
Once\nthis is set up, mesh internal apps will send unknown traffic to the egress gateway over mTLS.\nThe gateway will then decide whether to forward the traffic or not, and use one-way TLS for\nexternal calls.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: EgressGateway\nmetadata:\n  name: my-egress\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1 \n    labels:\n      app: istio-egressgateway\n  authorization:\n    - from:\n        mode: WORKSPACE\n      to: [\"www.httpbin.org\"]\n    - from:\n        mode: CUSTOM\n        serviceAccounts: [\"default/bookinfo-details\"]\n      to: [\"*\"]\n```\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  reachability:\n   mode: CUSTOM\n   hosts:\n   - \"./*\"\n   - \"istio-system/*\"\n  egress:\n    host: istio-system/istio-egressgateway.istio-system.svc.cluster.local\n```\n\nThe following example customizes the `Extensions` field to enable\nthe execution of the specified WasmExtensions list and details\ncustom properties for the execution of each extension.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: EgressGateway\nmetadata:\n  name: my-egress\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: istio-egressgateway\n  authorization:\n    - from:\n        mode: WORKSPACE\n      to: [\"www.httpbin.org\"]\n    - from:\n        mode: CUSTOM\n        serviceAccounts: [\"default/bookinfo-details\"]\n      to: [\"*\"]\n  extension:\n  - fqn: hello-world # fqn of imported extensions in TSB\n    config:\n      foo: bar\n```\n\n\n\n","type":"object","title":":::warning Deprecation\nThe functionality provided by the `EgressGateway` is now provided in `Gateway` object, and\nusing it is the recommended approach. 
The `EgressGateway` resource will be removed in future releases.\n:::","required":["workloadSelector"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"},"authorization":{"description":"The description of which service accounts can access which hosts.\nIf the list of authorization rules is empty, this egress gateway will deny all traffic.","type":"array","items":{"$ref":"#/components/schemas/v2EgressAuthorization"},"x-order":5},"extension":{"description":"Extensions specifies all the WasmExtensions assigned to this EgressGateway\nwith the specific configuration for each extension. 
This custom configuration\nwill override the one configured globally to the extension.\nEach extension has a global configuration including enablement and priority\nthat will condition the execution of the assigned extensions.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"},"x-order":6},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"gatewayv2Gateway":{"description":"The `Gateway` configuration combines the functionalities of both the existing `Tier1Gateway` and `IngressGateway`,\nproviding a unified approach for configuring a workload as a gateway in the mesh.\nEach server within the `Gateway` is configured to route requests either to destination clusters, such as a `Tier1Gateway`,\nor to specific services, like an `IngressGateway`.\n\nThe following example declares a gateway running on pods\nwith `app: gateway` labels in the `ns1` namespace. The gateway\nexposes a host `bookinfo.com` on https port 9443 and http port 9090.\nThe port 9090 is configured to receive plaintext traffic and send a\nredirect to the https port 9443 (site-wide HTTP -> HTTPS redirection).\nAt port 9443, TLS is terminated using the certificates in the Kubernetes\nsecret `bookinfo-certs`. 
Clients are authenticated using JWT\ntokens, whose keys are obtained from the OIDC provider `www.googleapis.com`.\nThe request is then authorized by the user's authorization engine\nhosted at `https://company.com/authz` before being forwarded to\nthe `productpage` service in the backend.\nHere, the `gateway` is configured in a manner similar to an\nexisting `IngressGateway` with HTTP server.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    routing:\n      rules:\n        - redirect:\n            authority: bookinfo.com\n            port: 9443\n            redirectCode: 301\n            scheme: https\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    authentication:\n      rules:\n        jwt:\n        - issuer: https://accounts.google.com\n          jwksUri: https://www.googleapis.com/oauth2/v3/certs\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.mycompany.com/oauth2/jwks\n    authorization:\n      external:\n        uri: https://company.com/authz\n        includeRequestHeaders:\n          - Authorization # forwards the header to the authorization service.\n    routing:\n      rules:\n      - route:\n          serviceDestination:\n            host: ns1/productpage.ns1.svc.cluster.local\n    rateLimiting:\n      settings:\n        rules:\n          # Ratelimit at 10 requests/hour for clients with a remote address of 1.2.3.4\n        - dimensions:\n          - remoteAddress:\n              value: 1.2.3.4\n          limit:\n            requestsPerUnit: 10\n            unit: HOUR\n          # Ratelimit at 50 requests/minute for every unique value in the user-agent 
header\n        - dimensions:\n          - header:\n              name: user-agent\n          limit:\n            requestsPerUnit: 50\n            unit: MINUTE\n          # Ratelimit at 100 requests/second for every unique client remote address\n          # with the HTTP requests having a GET method and the path prefix of /productpage\n        - dimensions:\n          - remoteAddress:\n              value: \"*\"\n          - header:\n              name: \":path\"\n              value:\n                prefix: /productpage\n          - header:\n              name: \":method\"\n              value:\n                exact: \"GET\"\n          limit:\n            requestsPerUnit: 100\n            unit: SECOND\n```\n\nIn the following example, the clients are authenticated using an external OIDC provider using\n[AUTHORIZATION_CODE grant type](https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow).\nOnce the client request is authenticated, it gets forwarded to the `productpage`\nservice in the backend.\nThe access_token generated after client authentication is set as `Bearer` in request headers.\nThe state of authentication is stored in cookies.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    routing:\n      rules:\n        - redirect:\n            authority: bookinfo.com\n            port: 9443\n            redirectCode: 301\n            scheme: https\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    authentication:\n      oidc:\n        grantType: AUTHORIZATION_CODE\n        clientId: \"my-client\"\n        clientTokenSecret: \"my-secret\"\n        redirectUri: 
https://httpbin.example.com/bearer\n        provider:\n          issuer: https://accounts.google.com\n          authorizationEndpoint: https://accounts.google.com/v1/authorize\n          tokenEndpoint: https://accounts.google.com/v1/token\n          jwksUri: https://www.googleapis.com/oauth2/v3/certs\n    authorization:\n      external:\n        uri: https://company.com/authz\n        includeRequestHeaders:\n          - Authorization # forwards the header to the authorization service.\n    routing:\n      rules:\n      - route:\n          serviceDestination:\n            host: ns1/productpage.ns1.svc.cluster.local\n```\n\nIf the `productpage.ns1` service on Kubernetes has a `ServiceRoute`\nwith multiple subsets and weights, the traffic will be split across\nthe subsets accordingly.\n\nThe following example declares a gateway running on pods with\n`app: gateway` labels in the `ns1` namespace. The gateway exposes\nhost `movieinfo.com` on ports 8080, 8443 and `kafka.internal` on port 9000.\nTraffic for these hosts at the ports 8443 and 9000 are TLS terminated and\nforwarded over Istio mutual TLS to the ingress gateways hosting\n`movieinfo.com` host on clusters `c3` for matching prefix `v1` and `c4` for matching `v2`,\nand the internal `kafka.internal` service in cluster `c3` respectively. 
The server at\nport 8080 is configured to receive plaintext HTTP traffic and redirect\nto port 8443 with \"Permanently Moved\" (HTTP 301) status code.\nHere, the `gateway` is configured in a manner similar to an\nexisting `Tier1Gateway` with external servers.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: movieinfo-plain\n    hostname: movieinfo.com # Plaintext and HTTPS redirect\n    port: 8080\n    routing:\n      rules:\n        - redirect:\n            authority: movieinfo.com\n            port: 8443\n            redirectCode: 301\n            scheme: https\n            uri: \"/\"\n  - name: movieinfo\n    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream\n    port: 8443\n    tls:\n      mode: SIMPLE\n      secretName: movieinfo-secrets\n    routing:\n      rules:\n         - match:\n             - uri:\n                 prefix: \"/v1\"\n           route:\n             clusterDestination:\n               clusters:\n                 - name: c3 # the target gateway IPs will be automatically determined\n                   weight: 100\n         - match:\n             - uri:\n                 prefix: \"/v2\"\n           route:\n             clusterDestination:\n               clusters:\n                 - name: c4 # the target gateway IPs will be automatically determined\n                   weight: 100\n    authentication:\n      rules:\n        jwt:\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.mycompany.com/oauth2/jwks\n        - issuer: \"auth.othercompany.com\"\n          jwksUri: https://auth.othercompany.com/oauth2/jwks\n    authorization:\n      external:\n        uri: \"https://auth.company.com\"\n        includeRequestHeaders:\n          - authorization\n  tcp:\n  - name: kafka\n    hostname: 
kafka.internal\n    port: 9000\n    tls:\n      mode: SIMPLE\n      secretName: kafka-cred\n    route:\n      clusterDestination:\n        clusters:\n          - name: c3\n            weight: 100\n```\n\nThis example is used to forward mesh internal traffic\nfor Gateway hosts from one cluster to another. This form of\nforwarding will work only if the two clusters cannot reach each\nother directly (e.g., they are on different VPCs that are not\npeered). The following example declares a gateway running on\npods with `app: gateway` labels in the `ns1` namespace. The gateway\nexposes hosts `movieinfo.com`, `bookinfo.com`, and a non-HTTP server\ncalled `kafka.org-internal` within the mesh. Traffic to `movieinfo.com`\nis load balanced across all clusters on `vpc-02`, while traffic to\n`bookinfo.com` and `kafka.org-internal` is load balanced across ingress\ngateways exposing `bookinfo.com` on any cluster. Traffic from the source\n(sidecars) is expected to arrive on the tier1 gateway over Istio mTLS.\nHere, the `gateway` is configured in a manner similar to an\nexisting `Tier1Gateway` with internal servers.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http: # forwarding gateway (HTTP traffic only)\n  - name: movieinfo\n    transit: true # server marked as internal\n    hostname: movieinfo.com\n    routing:\n      rules:\n      - route:\n          clusterDestination:\n            clusters:\n            - labels:\n                network: vpc-02 # the target gateway IPs will be automatically determined\n    authentication:\n      rules:\n        jwt:\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.company.com/oauth2/jwks\n        - issuer: \"auth.othercompany.com\"\n          jwksUri: https://auth.othercompany.com/oauth2/jwks\n    authorization:\n     
 meshInternalAuthz:\n        external:\n          uri: \"https://auth.company.com\"\n          includeRequestHeaders:\n            - authorization\n  - name: bookinfo\n    transit: true # server marked as internal\n    hostname: bookinfo.com # route to any ingress gateway exposing bookinfo.com\n    routing:\n      rules:\n      - route:\n          clusterDestination:\n            clusters:\n  tcp: # forwarding non-HTTP traffic within the mesh\n  - name: kafka\n    transit: true # server marked as internal\n    hostname: kafka.org-internal\n    route:\n      clusterDestination:\n        clusters:\n```\n\nThe following example illustrates defining non-HTTP server (based\non TCP) with TLS termination. Here, kafka.myorg.internal uses non-HTTP\nprotocol and listens on port 9000. The clients have to connect with TLS\nwith the SNI `kafka.myorg.internal`. The TLS is terminated at the gateway\nand the traffic is routed to `kafka.infra.svc.cluster.local:8000`.\n\nIf subsets are defined in the `ServiceRoute` referencing\n`kafka.infra.svc.cluster.local` service, then it is also considered\nwhile routing.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  tcp:\n  - name: kafka-gateway\n    hostname: kafka.myorg.internal\n    port: 9000\n    tls:\n      mode: SIMPLE\n      secretName: kafka-cred\n    route:\n      serviceDestination:\n        host: kafka.infra.svc.cluster.local\n        port: 8000\n```\n\nThis is an example of configuring a gateway for TLS.\nThe gateway will forward the passthrough server traffic to clusters `c1` and `c2`.\nIt is essential to configure TLS on the same hostname at `c1` and `c2` as well.\nHere, the `gateway` is configured similarly to an existing `Tier1Gateway` with passthrough servers.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: 
Gateway\nmetadata:\n  name: tier1-tls-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  tls:\n  - name: nginx\n    port: 8443\n    hostname: nginx.example.com\n    route:\n      clusterDestination:\n         clusters:\n           - name: c1 # the target gateway IPs will be automatically determined\n             weight: 90\n           - name: c2\n             weight: 10\n```\n\nThis configuration defines a Gateway named `egress-access` intended for egress traffic management.\nIt operates within the namespace `ns` and targets pods labeled with `app: egressgateway`.\nThe Gateway exposes three external hosts for egress access: `example.com`, `httpbin.org`, and `apis.google.com`.\n\nBy default, egress access is denied for all three hosts.\nUsers must explicitly define allow rules for traffic to pass through.\n\nClients in the `cluster-1/client` namespace are granted access to the `example.com` host.\nClients in the `cluster-2/client` namespace can access `httpbin.org`.\nHowever, access to `apis.google.com` is denied for all clients.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: egress-access\n  labels:\n    xcp.tetrate.io/workspace: egress-ws\n    xcp.tetrate.io/gatewayGroup: egress-gw-group\nspec:\n  workloadSelector:\n    namespace: ns\n    labels:\n      app: egressgateway\n  http:\n    - name: example\n      hostname: \"example.com\"\n      routing:\n        rules:\n          - route:\n              serviceDestination:\n                host: \"ns/example.com\"\n                tls:\n                  mode: SIMPLE\n                  files:\n                    caCertificates: \"/etc/ssl/certs/ca-certificates.crt\"\n    - name: httpbin\n      hostname: \"httpbin.org\"\n      routing:\n        rules:\n          - route:\n              serviceDestination:\n                host: \"ns/httpbin.org\"\n                tls:\n    
              mode: SIMPLE\n                  files:\n                    caCertificates: \"/etc/ssl/certs/ca-certificates.crt\"\n    - name: apis\n      hostname: \"apis.google.com\"\n      routing:\n        rules:\n          - route:\n              serviceDestination:\n                host: \"ns/apis.google.com\"\n                tls:\n                  mode: SIMPLE\n                  files:\n                    caCertificates: \"/etc/ssl/certs/ca-certificates.crt\"\n  egressAuthorization:\n    - from:\n        mode: SERVICE_ACCOUNT\n        serviceAccounts:\n          - \"cluster-1/client/*\"\n      to:\n        - host:\n            exact: \"example.com\"\n    - from:\n        mode: SERVICE_ACCOUNT\n        serviceAccounts:\n          - \"cluster-2/client/*\"\n      to:\n        - host:\n            exact: \"httpbin.org\"\n```\n\nTSB provides ways to extend the bundled functionality that comes in with envoy\nusing the `extensions` field.\n\nThe following example shows a Gateway configuration in which the kong's\n`response-transformer` plugin is being used.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Gateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    extensions:\n      kong:\n        plugins:\n          - name: response-transformer\n            priority: 999\n            config:\n              inline:\n                remove:\n                  json:\n                  - example-field\n          - name: custom-header-adder\n            priority: 1000\n            config:\n              inline:\n                request_header_to_add: example-header\n            pluginSource:\n              configMap: 
cm-containing-this-plugin-in-gw-install-ns\n```\n\n\n\n","type":"object","required":["workloadSelector"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"},"http":{"description":"One or more HTTP or HTTPS servers exposed by the gateway. The\nserver exposes configuration for TLS termination, request\nauthentication/authorization, HTTP routing, rate limiting, etc.","type":"array","items":{"$ref":"#/components/schemas/gatewayv2HTTP"},"x-order":5},"tls":{"description":"One or more TLS servers exposed by the gateway. The server\ndoes not terminate TLS and exposes config for SNI based routing.","type":"array","items":{"$ref":"#/components/schemas/v2TLS"},"x-order":6},"tcp":{"description":"One or more non-HTTP and non-passthrough servers which use TCP\nbased protocols. This server also exposes configuration for terminating TLS.","type":"array","items":{"$ref":"#/components/schemas/gatewayv2TCP"},"x-order":7},"wasmPlugins":{"description":"WasmPlugins specifies all the WasmExtensionAttachment assigned to this Gateway\nwith the specific configuration for each plugin. 
This custom configuration\nwill override the one configured globally to the plugin.\nEach plugin has a global configuration including priority\nthat will condition the execution of the assigned plugins.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"},"x-order":8},"waf":{"$ref":"#/components/schemas/v2WAFSettings"},"egressAuthorization":{"description":"External services are onboarded into the mesh via service entry,\nand these services are exposed on the Gateway for egress access.\nBy default, access is denied for these hosts.\nUsers can configure EgressAuthorizationSettings to specify which service accounts are allowed.","type":"array","items":{"$ref":"#/components/schemas/v2EgressAuthorizationSettings"},"x-order":10},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"gatewayv2GatewaySpec":{"description":"GatewaySpec contains the desired state of the Gateway.","type":"object","properties":{"connectionDrainDuration":{"description":"The amount of time the gateway will wait on shutdown for connections to\ncomplete before terminating the gateway. During this drain period, no new\nconnections can be created but existing ones are allowed to complete.","type":"string","x-order":0},"revision":{"description":"Specifies the Istio revision to reconcile with.\nIf specified, the TSB Control Plane operator will reconcile this gateway only\nif the operator's revision matches the revision. The TSB Data Plane operator, which\nruns only when the TSB Control Plane operator has not configured a revision,\nwill ignore the revision and will reconcile the gateway as usual.\nInternally, the revision specifies which Istio Control Plane configures the Gateway deployment.\nSee https://istio.io/latest/docs/setup/upgrade/canary.","type":"string","x-order":1},"type":{"$ref":"#/components/schemas/gatewayv2GatewaySpecType"},"concurrency":{"description":"Number of Envoy worker threads to run. 
By default, it will be set\nautomatically based on the gateway's CPU resource limits.\n\nSet to `-1` to use the legacy behavior of all cores on the machine.","type":"integer","format":"int32","x-order":3},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"gatewayv2GatewaySpecType":{"description":"Type defines the functionalities supported by the Gateway install.\nEach type configures gateway workloads for a particular use case.\nIf not set, UNIFIED is set as default.\n\n - UNIFIED: UNIFIED represents the gateway type supporting all functionalities: INGRESS, EGRESS, and EASTWEST.\nGateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS).\nThe gateway is configured with a LoadBalancer type service by default.\n - INGRESS: INGRESS represents the gateway type configured for Ingress use cases.\nGateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS).\nThe gateway is configured with a LoadBalancer type service by default.\n - EGRESS: EGRESS represents the gateway type configured for Egress use cases.\nGateway workloads are configured with the default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS).\nThe gateway is configured with a ClusterIP type service by default.\n - EASTWEST: EASTWEST represents the gateway type configured for East-West use cases.\nGateway workloads are configured with the default port 15443 (ISTIO_mTLS).\nThe gateway is configured with a LoadBalancer type service by default.","type":"string","default":"UNIFIED","enum":["UNIFIED","INGRESS","EGRESS","EASTWEST"]},"gatewayv2HTTP":{"description":"`HTTP` describes the properties of a HTTP server exposed on gateway.","type":"object","required":["name","hostname","routing"],"properties":{"name":{"description":"A name assigned to the server. The name will be visible in the generated metrics. 
The name must be\nunique across all HTTP, TLS passthrough and TCP servers in a gateway.","type":"string","x-order":0},"port":{"description":"The port where the server is exposed at the gateway workload(pod).\nIf the k8s service, which is fronting the workload pod, has TargetPort as 8443 for the Port 443,\nthis could be configured as 8443 or 443.\n\nTwo servers with different protocols (HTTP and HTTPS) should not\nshare the same port. Note that port 15443 is reserved for internal use.\n\nIf the `transit` flag is set to true, populating the `port` will lead to an error,\nas the server is considered internal to the mesh. TSB will automatically \nconfigure mTLS port(15443) for east-west multicluster traffic.\n\nIf the `trafficMode` flag is set to `EGRESS` or the `trafficMode` is set to `AUTO`\nand the gateway deployment is of type EGRESS,\npopulating the port will result in an error, as the server is considered only for egress.\nTSB will automatically configure the mTLS port (15443) on the gateway to receive the mesh traffic.","type":"integer","format":"int64","x-order":1},"hostname":{"description":"Hostname with which the service can be expected to be accessed by clients.","type":"string","x-order":2},"tls":{"$ref":"#/components/schemas/v2ServerTLSSettings"},"authentication":{"$ref":"#/components/schemas/tsbauthv2Authentication"},"authorization":{"$ref":"#/components/schemas/tsbauthv2Authorization"},"routing":{"$ref":"#/components/schemas/v2HttpRoutingConfig"},"rateLimiting":{"$ref":"#/components/schemas/tsbgatewayv2RateLimiting"},"transit":{"description":"If set to true, the server is configured to be exposed within the mesh.\nThis configuration enables forwarding traffic between two clusters that are not directly reachable.\n\nDeprecated: use `trafficMode: TRANSIT` 
instead.","type":"boolean","x-order":8},"trafficMode":{"$ref":"#/components/schemas/v2TrafficMode"},"failoverSettings":{"$ref":"#/components/schemas/tsbtypesv2FailoverSettings"},"openapi":{"$ref":"#/components/schemas/v2OpenAPI"},"extensions":{"$ref":"#/components/schemas/v2Extensions"}}},"gatewayv2HttpRule":{"description":"A single HTTP rule.","type":"object","properties":{"match":{"description":"One or more match conditions (OR-ed).","type":"array","items":{"$ref":"#/components/schemas/v2HttpMatchCondition"},"x-order":0},"modify":{"$ref":"#/components/schemas/v2HttpModifyAction"},"route":{"$ref":"#/components/schemas/v2Route"},"redirect":{"$ref":"#/components/schemas/v2Redirect"},"directResponse":{"$ref":"#/components/schemas/v2HTTPDirectResponse"}}},"gatewayv2TCP":{"description":"A TCP server exposed in a gateway. A TCP server may be used for any TCP based protocol.\nThis is also used for the special case of a non-HTTP protocol requiring TLS termination at the gateway.","type":"object","required":["name","hostname","route"],"properties":{"name":{"description":"A name assigned to the server. The name will be visible in the generated metrics. The name must be\nunique across all HTTP, TLS passthrough and TCP servers in a gateway.","type":"string","x-order":0},"port":{"description":"Valid scenarios (for same port, multiple services)\n1. Multiple protocols (HTTP, non-HTTP) with TLS passthrough/termination\n2. Multiple HTTP services\n3. Single non-HTTP service without TLS\n\nIf the `transit` flag is set to true, populating the `port` will lead to an error,\nas the server is considered internal to the mesh. TSB will automatically \nconfigure mTLS port(15443) for east-west multicluster traffic.","type":"integer","format":"int64","title":"The port where the server is exposed. Note that the port 15443 is reserved. Also\nbeware of the conflict among the services using different protocols on the same port.\nThe conflict occurs in the following scenarios\n1. 
Using plaintext and TLS (passthrough/termination)\n2. Mixing multiple protocols without TLS (HTTP and non-HTTP protocols like Kafka, Zookeeper etc)\n3. Multiple non-HTTP protocols without TLS","x-order":1},"hostname":{"description":"Hostname to identify the service. When TLS is configured, clients have to use this as\nthe Server Name Indication (SNI) for the TLS connection. When TLS is not configured (opaque TCP),\nthis is used to identify the service traffic for defining routing configs. Usually, this is\nconfigured as the DNS name of the service. For instance, if clients access a zookeeper cluster\nas `zk-1.myorg.internal` then the hostname could be specified as `zk-1.myorg.internal`. This\nalso helps easier identification in the configs.\n\nThis is also used in multicluster routing. In the previous example, clients within the mesh\ncan also use `zk-1.myorg.internal` to access this service (provided authorization policy allows it)","type":"string","x-order":2},"tls":{"$ref":"#/components/schemas/v2ServerTLSSettings"},"route":{"$ref":"#/components/schemas/v2RouteTo"},"transit":{"description":"If set to true, the server is configured to be exposed within the mesh.\nThis configuration enables forwarding traffic between two clusters that are not directly reachable.\n\nDeprecated: use `trafficMode: TRANSIT` instead.","type":"boolean","x-order":5},"trafficMode":{"$ref":"#/components/schemas/v2TrafficMode"},"failoverSettings":{"$ref":"#/components/schemas/tsbtypesv2FailoverSettings"}}},"gatewayv2TLSProtocol":{"description":"Enumeration for TLS protocol versions.","type":"string","default":"TLS_AUTO","enum":["TLS_AUTO","TLSV1_0","TLSV1_1","TLSV1_2","TLSV1_3"]},"googlerpcStatus":{"description":"The `Status` type defines a logical error model that is suitable for\ndifferent programming environments, including REST APIs and RPC APIs. It is\nused by [gRPC](https://github.com/grpc). 
Each `Status` message contains\nthree pieces of data: error code, error message, and error details.\n\nYou can find out more about this error model and how to work with it in the\n[API Design Guide](https://cloud.google.com/apis/design/errors).","type":"object","properties":{"code":{"description":"The status code, which should be an enum value of\n[google.rpc.Code][google.rpc.Code].","type":"integer","format":"int32","x-order":0},"message":{"description":"A developer-facing error message, which should be in English. Any\nuser-facing error message should be localized and sent in the\n[google.rpc.Status.details][google.rpc.Status.details] field, or localized\nby the client.","type":"string","x-order":1},"details":{"description":"A list of messages that carry the error details.  There is a common set of\nmessage types for APIs to use.","type":"array","items":{"$ref":"#/components/schemas/protobufAny"},"x-order":2}}},"installcontrolplanev1alpha1AWSController":{"description":"Kubernetes settings for the AWS Integration Controller component.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"installcontrolplanev1alpha1AWSSettings":{"description":"Global settings to AWS.","type":"object","required":["serviceAccountName"],"properties":{"serviceAccountName":{"type":"string","title":"Service account name to use with IAM role association. 
Required.\nThis service account should have the proper permissions depending on which AWS services are enabled.\n(Route53, Lattice, etc.)","x-order":0}}},"installcontrolplanev1alpha1ElasticSearchSettings":{"description":"Configure an Elasticsearch connection.\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  telemetryStore:\n    elastic:\n      host: elastic\n      port: 5678\n      protocol: https\n      selfSigned: true\n      version: 7\n```","type":"object","required":["host","port"],"properties":{"host":{"description":"Elasticsearch host address (can be hostname or IP address).","type":"string","x-order":0},"port":{"description":"Port Elasticsearch is listening on.","type":"integer","format":"int32","x-order":1},"protocol":{"$ref":"#/components/schemas/installcontrolplanev1alpha1ElasticSearchSettingsProtocol"},"selfSigned":{"description":"Use Self-Signed certificates. The Self-signed CA bundle and key must be in a secret called es-certs.","type":"boolean","x-order":3},"version":{"description":"DEPRECATED: Major version of the Elasticsearch cluster.\nCurrently supported Elasticsearch major versions are `6`, `7`, and `8`.","type":"integer","format":"int32","x-order":4},"indexPrefix":{"description":"The prefix of the ElasticSearch indices and templates.\nDefaults to `skywalking`.","type":"string","x-order":5}}},"installcontrolplanev1alpha1ElasticSearchSettingsProtocol":{"description":"The list of supported protocols to communicate with Elasticsearch.","type":"string","default":"https","enum":["https","http"]},"installcontrolplanev1alpha1LatticeSettings":{"description":"Settings specific to Lattice.","type":"object","properties":{"enabled":{"description":"Enable/disable the Lattice integration controller. 
Default: false.","type":"boolean","x-order":0}}},"installcontrolplanev1alpha1NGAC":{"description":"Kubernetes settings for the NGAC component.","type":"object","properties":{"enabled":{"description":"NGAC is an experimental component. If enabled is false, this component will\nnot be installed.","type":"boolean","x-order":0},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevels":{"description":"The log level configuration by scopes.\nSupported log level: \"none\", \"error\", \"info\", \"debug\".","type":"object","additionalProperties":{"type":"string"},"x-order":2}}},"installcontrolplanev1alpha1Oap":{"description":"Kubernetes settings for the OAP (SkyWalking) component.","type":"object","properties":{"streamingLogEnabled":{"description":"Feature flag to determine whether on-demand streaming logs should be\nenabled.","type":"boolean","x-order":0},"onDemandEnvoyMetricsEnabled":{"description":"Feature flag to determine whether on-demand envoy metrics should be\nenabled. If enabled, the envoy proxy will provide a set of metrics that can\nbe queried using the metrics service. OAP will provide a query API that can\nbe used to collect envoy proxy metrics for specific pods. This is only for\ntemporary and real-time queries that can be used, for example, for\napplication troubleshooting use cases. 
These metrics are not persisted.","type":"boolean","x-order":1},"storageIndexMergingEnabled":{"description":"Feature flag to determine whether metrics/meter and records should be sharded into multi-physical indices, or\ninstead if they should be merged into a single physical index.\nBy default \"false\", metric/meter and records are sharded into multi-physical indices.\nInstead of sharding, if enabled by setting it to \"true\", metrics/meter and records will be merged\ninto one physical index template `metrics-all` and `records-all`.\nThis feature flag must be set on all clusters and have the same value as the management plane's one,\notherwise control plane observability data could be written to the wrong or a nonexistent index.\nIn this storage mode, user can adjust each concrete index should have to scale out by setting\n`storageSpecificIndexSettings` field in the management plane install manifest.","type":"boolean","x-order":2},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevel":{"description":"Specifies the log level for OAP component.\nSupported log level: \"all\", \"debug\", \"info\", \"warn\", \"error\", \"fatal\", \"off\" and \"trace\".","type":"string","x-order":4}}},"installcontrolplanev1alpha1OnboardingPlane":{"description":"Configure `Workload Onboarding Plane` component.","type":"object","properties":{"instance":{"$ref":"#/components/schemas/v1alpha1OnboardingPlaneInstance"}}},"installcontrolplanev1alpha1OpenTelemetryCollector":{"description":"Kubernetes settings for the OpenTelemetryCollector component.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevel":{"description":"Specifies the log level for OTEL collector component.\nSupported log level: \"debug\", \"info\", \"warn\", \"error\", \"dpanic\", \"panic\", and \"fatal\".","type":"string","x-order":1}}},"installcontrolplanev1alpha1ProviderSettings":{"description":"Configure Kubernetes provider 
specific settings.\n\nFor example to configure EKS to use network load balancers (NLB) by default:\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  providerSettings:\n    eks:\n      useNlbByDefault: true\n\n```\n\nTo configure Route53 the only option that you must specify is the Service Account name to use for IAM role.\nYou should create the Service Account before enabling the Route53 integration controller. You can do that using `eksctl`. Example:\n\n```bash\n   SA_NAME=route53-controller\n   CP_NAMESPACE=istio-system\n   eksctl create iamserviceaccount \\\n   --cluster $EKS_CLUSTER_NAME \\\n   --name $SA_NAME \\\n   --namespace $CP_NAMESPACE \\\n   --attach-policy-arn $POLICY_ARN \\\n   --approve\n```\n\nwhere:\n* $EKS_CLUSTER_NAME is the name of the EKS cluster.\n* $SA_NAME is the name of the Service Account to create.\n* $CP_NAMESPACE is the namespace where the Control Plane is installed. Usually istio-system.\n* $POLICY_ARN is the ARN of the policy to attach to the Service Account - the policy should allow the Service Account\n  to manage Route53 resources.\n\nMore details can be found in the [Publishing a Service docs](https://docs.tetrate.io/service-express/getting-started/publish-service)\n\nAfter creating the Service Account you can enable the Route53 integration controller using the following configuration:\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  providerSettings:\n    route53:\n      serviceAccountName: 
$SA_NAME\n```","type":"object","properties":{"eks":{"$ref":"#/components/schemas/v1alpha1EKSSettings"},"route53":{"$ref":"#/components/schemas/v1alpha1Route53Settings"},"aws":{"$ref":"#/components/schemas/installcontrolplanev1alpha1AWSSettings"},"lattice":{"$ref":"#/components/schemas/installcontrolplanev1alpha1LatticeSettings"}}},"installcontrolplanev1alpha1XCP":{"description":"Kubernetes settings for the XCP component.","type":"object","properties":{"centralAuthMode":{"$ref":"#/components/schemas/XCPCentralAuthMode"},"configProtection":{"$ref":"#/components/schemas/commonConfigProtection"},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"revision":{"description":"$hide_from_docs\nConfigures the istio revision tag.\nIf configured, istio upgrade will not be in-place upgrade. A new istio\ncontrol plane with the configured revision will be deployed. Selectively\nsidecars and gateways could be moved to newer control plane. Note that it\nis not the istio version. Istio version is fixed for a particular tsb\nversion and that is not a configurable setting. Revision should be\nconfigured to human readable value for example tsb-1-5. For further\nreference,\nhttps://istio.io/latest/blog/2020/multiple-control-planes/#configuring\nDeprecated: replaced by isolation_boundaries, where each isolation boundary can have\nmultiple revisions.","type":"string","x-order":3},"isolationBoundaries":{"description":"Configures Isolated Istio environments along with Istio revisions for each environment.\nIsolationBoundaries can be empty when the feature flag IstioIsolationBoundaries is disabled.\nOnce enabled, isolation boundaries can be configured.","type":"array","items":{"$ref":"#/components/schemas/v1alpha1IsolationBoundary"},"x-order":4},"enableHttpMeshInternalIdentityPropagation":{"description":"Enables HTTP mesh internal service identity propagation across gateway hops, utilizing the propagated identity\nfor evaluating TSB RBAC rules. 
Users should enable this feature when they want to create RBAC rules around\nrequest's origin client identity for east west traffic. The most common case for this would be when using\nauthorization features such as ALLOW/DENY rules mode and ServiceSecuritySettings in cross-cluster environment.\nThis feature is enabled by default. Set it to false to disable it.","type":"boolean","x-order":5},"centralProvidedCaCert":{"description":"If true, obtain the CA cert for Istio from XCP central.\nTo enable it, the XCP Central needs to be configured with `certIssuer.clusterIntermediateCASettings: {}`.","type":"boolean","x-order":6},"logLevels":{"description":"Loglevel for XCP.\nSupported log level: \"none\", \"fatal\", \"error\", \"warn\", \"info\", \"debug\".","type":"object","additionalProperties":{"type":"string"},"x-order":7},"remoteDiagnostic":{"$ref":"#/components/schemas/installcontrolplanev1alpha1XCPRemoteDiagnosticSettings"},"enableJwtAuthenticationRequireJwtTokenSetting":{"description":"Enables JWT authentication require JWT token settings via EnvoyFilter with strict validation.\nRequests without a valid JWT token will be rejected with a 401 (Unauthorized) error.\nThis feature is disabled by default. 
Set it to true to enable it.\nAlong with this, setting the `require_jwt` field in the authentication settings of the gateway is needed.","type":"boolean","x-order":9}}},"installcontrolplanev1alpha1XCPRemoteDiagnosticSettings":{"description":"Remote Diagnostic settings on the Control Plane side.","type":"object","properties":{"enabled":{"description":"Enable Remote Diagnostic on the Control Plane side.\n\nOnce Remote Diagnostic is enabled on the Control Plane side, it will become possible to\nlaunch from the TSB UI a range of predefined diagnostic tasks for execution in the context\nof that cluster.\n\nIn particular, it will be possible to take config dumps, view low-level metrics,\nview and change log levels and stream logs from any Istio Gateway and Istio Sidecar\ndeployed to that cluster.\n\nNotice that Remote Diagnostic has to be enabled on both sides, i.e. the Control Plane side\nand the Management Plane side, which is the default configuration.\n\nDefaults to `true`.","type":"boolean","x-order":0}}},"installdataplanev1alpha1GatewaySpec":{"description":"GatewaySpec defines the desired installed state of a single\ngateway for a given namespace in Service Bridge. Specifying a minimal\nGatewaySpec with a hub will create a default gateway with sensible\nvalues.\n\n","type":"object","properties":{"connectionDrainDuration":{"description":"The amount of time the gateway will wait on shutdown for connections to\ncomplete before terminating the gateway. During this drain period, no new\nconnections can be created but existing ones are allowed to complete.","type":"string","x-order":0},"revision":{"type":"string","title":"Specifies the istio revision to reconcile with.\nIf specified, TSB control plane operator will reconcile this gateway only\nif operator's revision matches with it. 
TSB data plane operator, which\nwould be running only when TSB control plane operator is not configured a\nrevision, will ignore revision field and will reconcile gateway as usual.\nInternally, this revision will guide to pick matching istio control plane\nfor the gateway deployment\nhttps://istio.io/latest/docs/setup/upgrade/canary/","x-order":1},"type":{"$ref":"#/components/schemas/dataplanev1alpha1GatewaySpecType"},"concurrency":{"description":"Number of Envoy worker threads to run. By default it will be set\nautomatically based on the gateway's CPU resource limits.\n\nSet to `-1` to use the legacy behavior of all cores on the machine.","type":"integer","format":"int32","x-order":3},"targetNamespace":{"description":"Namespace where the gateway will be deployed. Required when using TSB MP and TSB GitOps to deploy the gateway.\nIgnored when using as a pure kubernetes resource.","type":"string","x-order":4},"targetCluster":{"description":"Cluster where the gateway will be deployed. Required when using TSB MP and TSB GitOps to deploy the gateway.\nIgnored when using as a pure kubernetes resource.","type":"string","x-order":5},"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":6,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":7},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":8},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":9},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"installkubernetesAffinity":{"type":"object","title":"The scheduling constraints for the pod.\nhttps://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity","properties":{"nodeAffinity":{"$ref":"#/components/schemas/installkubernetesNodeAffinity"},"podAffinity":{"$ref":"#/components/schemas/installkubernetesPodAffinity"},"podAntiAffinity":{"$ref":"#/components/schemas/installkubernetesPodAntiAffinity"}}},"installkubernetesCapabilities":{"description":"See k8s.io.api.core.v1.Capabilities.","type":"object","properties":{"add":{"type":"array","items":{"type":"string"},"x-order":0},"drop":{"type":"array","items":{"type":"string"},"x-order":1}}},"installkubernetesConfigMapKeySelector":{"type":"object","properties":{"localObjectReference":{"$ref":"#/components/schemas/installkubernetesLocalObjectReference"},"key":{"type":"string","x-order":1},"optional":{"type":"boolean","x-order":2}}},"installkubernetesCrossVersionObjectReference":{"type":"object","properties":{"kind":{"type":"string","x-order":0},"name":{"type":"string","x-order":1},"apiVersion":{"type":"string","x-order":2}}},"installkubernetesDeployment":{"type":"object","title":"The Kubernetes resource configuration for all Deployments","properties":{"podAnnotations":{"type":"object","title":"Pod annotations are an unstructured key-value map stored with the Deployment's Pod template.\nThese annotations will be added to the Pod template within the Deployment.\nFor more details: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","additionalProperties":{"type":"string"},"x-order":0},"env":{"type":"array","title":"Environment 
variables for all containers in the deployment.\nhttps://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/","items":{"$ref":"#/components/schemas/installkubernetesEnvVar"},"x-order":1},"affinity":{"$ref":"#/components/schemas/installkubernetesAffinity"},"replicaCount":{"type":"integer","format":"int64","title":"Number of desired pods.\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#deploymentspec-v1-apps","x-order":3},"resources":{"$ref":"#/components/schemas/installkubernetesResources"},"strategy":{"$ref":"#/components/schemas/installkubernetesDeploymentStrategy"},"tolerations":{"type":"array","title":"Tolerations are applied to pods, and allow (but do not require) the pods to\nschedule onto nodes with matching taints. Taints and tolerations work\ntogether to ensure that pods are not scheduled onto inappropriate nodes.\nOne or more taints are applied to a node; this marks that the node should\nnot accept any pods that do not tolerate the taints.\nhttps://kubernetes.io/docs/concepts/configuration/taint-and-toleration/","items":{"$ref":"#/components/schemas/corev1Toleration"},"x-order":6},"hpaSpec":{"$ref":"#/components/schemas/installkubernetesHorizontalPodAutoscalerSpec"},"podSecurityContext":{"$ref":"#/components/schemas/installkubernetesPodSecurityContext"},"containerSecurityContext":{"$ref":"#/components/schemas/installkubernetesSecurityContext"},"labels":{"type":"object","title":"Labels are an unstructured key-value map stored with the Deployment.\nFor Gateway deployments, these labels are propagated to the Pod, Service, etc.\nFor more details: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","additionalProperties":{"type":"string"},"x-order":10}}},"installkubernetesDeploymentStrategy":{"type":"object","title":"The deployment strategy to use to replace existing pods with new 
ones.\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#deploymentstrategy-v1-apps","properties":{"type":{"type":"string","x-order":0},"rollingUpdate":{"$ref":"#/components/schemas/installkubernetesRollingUpdateDeployment"}}},"installkubernetesEnvVar":{"type":"object","properties":{"name":{"type":"string","x-order":0},"value":{"type":"string","x-order":1},"valueFrom":{"$ref":"#/components/schemas/installkubernetesEnvVarSource"}}},"installkubernetesEnvVarSource":{"type":"object","properties":{"fieldRef":{"$ref":"#/components/schemas/installkubernetesObjectFieldSelector"},"resourceFieldRef":{"$ref":"#/components/schemas/installkubernetesResourceFieldSelector"},"configMapKeyRef":{"$ref":"#/components/schemas/installkubernetesConfigMapKeySelector"},"secretKeyRef":{"$ref":"#/components/schemas/installkubernetesSecretKeySelector"}}},"installkubernetesExternalMetricSource":{"type":"object","properties":{"metricName":{"type":"string","x-order":0},"metricSelector":{"$ref":"#/components/schemas/v1LabelSelector"},"targetValue":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"},"targetAverageValue":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"}}},"installkubernetesHorizontalPodAutoscalerSpec":{"description":"Horizontal Pod Autoscaler automatically scales the number of pods in a\ndeployment based on a specified metric. Kubernetes periodically adjusts the\nnumber of replicas in a deployment to match the observed metric to the target\nspecified. This mirrors the Kubernetes spec except from the top level\n`scaleTargetRef` field, which we set for you. The version of Horizontal Pod\nAutoscaler currently used is\n`[v2beta1](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#horizontalpodautoscaler-v2beta1-autoscaling)`.\nhttps://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/\nIf not specified a default HPA with maxReplicas as 10 and 70% average CPU utilisation is created. 
To disable use `disabled: true`.","type":"object","properties":{"minReplicas":{"type":"integer","format":"int32","title":"Must be set in order to create the HPA resource in Kubernetes","x-order":0},"maxReplicas":{"type":"integer","format":"int32","title":"Must be set in order to create the HPA resource in Kubernetes","x-order":1},"metrics":{"type":"array","items":{"$ref":"#/components/schemas/installkubernetesMetricSpec"},"x-order":2},"disabled":{"description":"When disabled is set to true, other values in spec are ignored and HPA is not set up for the component.","type":"boolean","x-order":3}}},"installkubernetesLocalObjectReference":{"description":"LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent.","type":"string","x-order":0}}},"installkubernetesMetricSpec":{"type":"object","properties":{"type":{"type":"string","x-order":0},"object":{"$ref":"#/components/schemas/installkubernetesObjectMetricSource"},"pods":{"$ref":"#/components/schemas/installkubernetesPodsMetricSource"},"resource":{"$ref":"#/components/schemas/installkubernetesResourceMetricSource"},"external":{"$ref":"#/components/schemas/installkubernetesExternalMetricSource"}}},"installkubernetesMetricTarget":{"type":"object","title":"MetricTarget provides compatibility with k8s autoscaling/v2 API","properties":{"type":{"type":"string","x-order":0},"averageUtilization":{"type":"integer","format":"int32","x-order":1},"averageValue":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"},"value":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"}}},"installkubernetesNodeAffinity":{"type":"object","title":"Group of node affinity scheduling 
rules.\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#nodeaffinity-v1-core","properties":{"requiredDuringSchedulingIgnoredDuringExecution":{"$ref":"#/components/schemas/installkubernetesNodeSelector"},"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","title":"The scheduler will prefer to schedule pods to nodes that satisfy the\naffinity expressions specified by this field, but it may choose a node that\nviolates one or more of the expressions.\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#preferredschedulingterm-v1-core","items":{"$ref":"#/components/schemas/installkubernetesPreferredSchedulingTerm"},"x-order":1}}},"installkubernetesNodeSelector":{"type":"object","properties":{"nodeSelectorTerms":{"type":"array","items":{"$ref":"#/components/schemas/installkubernetesNodeSelectorTerm"},"x-order":0}}},"installkubernetesNodeSelectorRequirement":{"type":"object","properties":{"key":{"type":"string","x-order":0},"operator":{"type":"string","x-order":1},"values":{"type":"array","items":{"type":"string"},"x-order":2}}},"installkubernetesNodeSelectorTerm":{"type":"object","properties":{"matchExpressions":{"type":"array","items":{"$ref":"#/components/schemas/installkubernetesNodeSelectorRequirement"},"x-order":0},"matchFields":{"type":"array","items":{"$ref":"#/components/schemas/installkubernetesNodeSelectorRequirement"},"x-order":1}}},"installkubernetesObjectFieldSelector":{"type":"object","properties":{"apiVersion":{"type":"string","x-order":0},"fieldPath":{"type":"string","x-order":1}}},"installkubernetesObjectMetricSource":{"type":"object","properties":{"target":{"$ref":"#/components/schemas/installkubernetesCrossVersionObjectReference"},"metricName":{"type":"string","x-order":1},"targetValue":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"},"selector":{"$ref":"#/components/schemas/v1LabelSelector"},"averageValue":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"}}},"installkubernetesPodA
ffinity":{"type":"object","title":"Group of inter-pod affinity scheduling rules.\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podaffinity-v1-core","properties":{"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"$ref":"#/components/schemas/installkubernetesPodAffinityTerm"},"x-order":0},"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"$ref":"#/components/schemas/installkubernetesWeightedPodAffinityTerm"},"x-order":1}}},"installkubernetesPodAffinityTerm":{"type":"object","properties":{"labelSelector":{"$ref":"#/components/schemas/v1LabelSelector"},"namespaces":{"type":"array","items":{"type":"string"},"x-order":1},"topologyKey":{"type":"string","x-order":2}}},"installkubernetesPodAntiAffinity":{"type":"object","title":"Group of inter-pod anti-affinity scheduling rules.\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podantiaffinity-v1-core","properties":{"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"$ref":"#/components/schemas/installkubernetesPodAffinityTerm"},"x-order":0},"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","items":{"$ref":"#/components/schemas/installkubernetesWeightedPodAffinityTerm"},"x-order":1}}},"installkubernetesPodSecurityContext":{"description":"See 
k8s.io.api.core.v1.PodSecurityContext.","type":"object","properties":{"seLinuxOptions":{"$ref":"#/components/schemas/installkubernetesSELinuxOptions"},"runAsUser":{"type":"integer","format":"int64","x-order":1},"runAsNonRoot":{"type":"boolean","x-order":2},"supplementalGroups":{"type":"array","items":{"type":"integer","format":"int64"},"x-order":3},"fsGroup":{"type":"integer","format":"int64","x-order":4},"runAsGroup":{"type":"integer","format":"int64","x-order":5},"sysctls":{"type":"array","items":{"$ref":"#/components/schemas/installkubernetesSysctl"},"x-order":6},"windowsOptions":{"$ref":"#/components/schemas/installkubernetesWindowsSecurityContextOptions"},"fsGroupChangePolicy":{"type":"string","x-order":8},"seccompProfile":{"$ref":"#/components/schemas/installkubernetesSeccompProfile"}}},"installkubernetesPodsMetricSource":{"type":"object","properties":{"metricName":{"type":"string","x-order":0},"targetAverageValue":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"},"selector":{"$ref":"#/components/schemas/v1LabelSelector"}}},"installkubernetesPreferredSchedulingTerm":{"type":"object","properties":{"weight":{"type":"integer","format":"int32","x-order":0},"preference":{"$ref":"#/components/schemas/installkubernetesNodeSelectorTerm"}}},"installkubernetesResourceFieldSelector":{"type":"object","properties":{"containerName":{"type":"string","x-order":0},"resource":{"type":"string","x-order":1},"divisor":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"}}},"installkubernetesResourceMetricSource":{"type":"object","properties":{"name":{"type":"string","x-order":0},"targetAverageUtilization":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"},"targetAverageValue":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"},"target":{"$ref":"#/components/schemas/installkubernetesMetricTarget"}}},"installkubernetesResources":{"description":"Mirrors k8s.io.api.core.v1.ResourceRequirements for 
unmarshalling.","type":"object","properties":{"limits":{"type":"object","additionalProperties":{"type":"string"},"x-order":0},"requests":{"type":"object","additionalProperties":{"type":"string"},"x-order":1}}},"installkubernetesRollingUpdateDeployment":{"description":"Mirrors k8s.io.api.apps.v1.RollingUpdateDeployment for unmarshalling.","type":"object","properties":{"maxUnavailable":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"},"maxSurge":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"}}},"installkubernetesSELinuxOptions":{"description":"See k8s.io.api.core.v1.SELinuxOptions.","type":"object","properties":{"user":{"type":"string","x-order":0},"role":{"type":"string","x-order":1},"type":{"type":"string","x-order":2},"level":{"type":"string","x-order":3}}},"installkubernetesSeccompProfile":{"description":"See k8s.io.api.core.v1.SeccompProfile.","type":"object","properties":{"type":{"type":"string","x-order":0},"localhostProfile":{"type":"string","x-order":1}}},"installkubernetesSecretKeySelector":{"type":"object","properties":{"localObjectReference":{"$ref":"#/components/schemas/installkubernetesLocalObjectReference"},"key":{"type":"string","x-order":1},"optional":{"type":"boolean","x-order":2}}},"installkubernetesSecurityContext":{"description":"See 
k8s.io.api.core.v1.SecurityContext.","type":"object","properties":{"capabilities":{"$ref":"#/components/schemas/installkubernetesCapabilities"},"privileged":{"type":"boolean","x-order":1},"seLinuxOptions":{"$ref":"#/components/schemas/installkubernetesSELinuxOptions"},"windowsOptions":{"$ref":"#/components/schemas/installkubernetesWindowsSecurityContextOptions"},"runAsUser":{"type":"integer","format":"int64","x-order":4},"runAsGroup":{"type":"integer","format":"int64","x-order":5},"runAsNonRoot":{"type":"boolean","x-order":6},"readOnlyRootFilesystem":{"type":"boolean","x-order":7},"allowPrivilegeEscalation":{"type":"boolean","x-order":8},"procMount":{"type":"string","x-order":9},"seccompProfile":{"$ref":"#/components/schemas/installkubernetesSeccompProfile"}}},"installkubernetesService":{"type":"object","title":"The Kubernetes resource configuration for a Service","properties":{"annotations":{"type":"object","title":"Pod annotations are an unstructured key value map stored with the service.\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","additionalProperties":{"type":"string"},"x-order":0},"ports":{"type":"array","title":"List of ports exposed by the component's service.\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#serviceport-v1-core","items":{"$ref":"#/components/schemas/installkubernetesServicePort"},"x-order":1},"type":{"type":"string","title":"Determines how the Service is exposed. 
Valid options are ExternalName,\nClusterIP, NodePort, and LoadBalancer.\nhttps://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types","x-order":2},"labels":{"type":"object","title":"Labels are an unstructured key value map stored with the deployment.\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels","additionalProperties":{"type":"string"},"x-order":3}}},"installkubernetesServiceAccount":{"type":"object","title":"Settings related to the component service account","properties":{"imagePullSecrets":{"type":"array","title":"List of references to secrets in the same namespace to use for pulling any\nimages in pods that reference this ServiceAccount. ImagePullSecrets are\ndistinct from Secrets because Secrets can be mounted in the pod, but\nImagePullSecrets are only accessed by the kubelet. More info:\nhttps://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#service_account-v1-core","items":{"$ref":"#/components/schemas/installkubernetesLocalObjectReference"},"x-order":0}}},"installkubernetesServicePort":{"type":"object","properties":{"name":{"type":"string","x-order":0},"protocol":{"type":"string","x-order":1},"port":{"type":"integer","format":"int32","x-order":2},"targetPort":{"$ref":"#/components/schemas/operatorv1alpha1IntOrString"},"nodePort":{"type":"integer","format":"int32","x-order":4}}},"installkubernetesSysctl":{"description":"See k8s.io.api.core.v1.Sysctl.","type":"object","properties":{"name":{"type":"string","x-order":0},"value":{"type":"string","x-order":1}}},"installkubernetesWeightedPodAffinityTerm":{"type":"object","properties":{"weight":{"type":"integer","format":"int32","x-order":0},"podAffinityTerm":{"$ref":"#/components/schemas/installkubernetesPodAffinityTerm"}}},"installkubernetesWindowsSecurityContextOptions":{"description":"See 
k8s.io.api.core.v1.WindowsSecurityContextOptions.","type":"object","properties":{"gmsaCredentialSpecName":{"type":"string","x-order":0},"gmsaCredentialSpec":{"type":"string","x-order":1},"runAsUserName":{"type":"string","x-order":2}}},"kubernetesCNI":{"type":"object","title":"Configure Istio's CNI plugin\nFor further details see: https://istio.io/docs/setup/additional-setup/cni/","properties":{"binaryDirectory":{"description":"Directory on the host to install the CNI binary.\nMust be the same as the environment’s `--cni-bin-dir` setting (kubelet\nparameter).","type":"string","x-order":0},"configurationDirectory":{"description":"Directory on the host to install the CNI config.\nMust be the same as the environment’s `--cni-conf-dir` setting (kubelet\nparameter).","type":"string","x-order":1},"chained":{"description":"Whether to deploy the configuration file as a plugin chain or as a\nstandalone file in the configuration directory. Some Kubernetes flavors\n(e.g. OpenShift) do not support the chain approach.","type":"boolean","x-order":2},"configurationFileName":{"description":"Leave unset to auto-find the first file in the `cni-conf-dir` (as kubelet\ndoes). Primarily used for testing install-cni plugin configuration. 
If set,\n`install-cni` will inject the plugin configuration into this file in the\n`cni-conf-dir`.","type":"string","x-order":3},"clusterRole":{"description":"The ClusterRole Istio CNI will bind to in the ControlPlane namespace.\nThis is useful if you use Pod Security Policies and want to allow\n`istio-cni` to run as privileged Pods.","type":"string","x-order":4},"revision":{"description":"The revisioned istio-operator that will reconcile the Istio CNI component.\nA revision can only be specified when Isolation Boundaries are enabled and\nconfigured with at least one revision.\nRevision specified here must be an enabled revision under `xcp.isolationBoundaries`.\nIf not provided, it defaults to the latest enabled\nrevision based on their corresponding tsbVersion. If multiple such revisions\nare found, revision names are alphabetically sorted and the first revision\nis considered as the default.","type":"string","x-order":5},"cniDaemonsetNamespace":{"description":"The namespace where the Istio CNI DaemonSet is deployed.\nDefaults to kube-system in sidecar mode (for backward compatibility on upgrades) and istio-operator namespace in the ambient mode.","type":"string","x-order":6}}},"kubernetesGlobalDeployment":{"type":"object","title":"The Kubernetes resource configuration for a Deployment","properties":{"podAnnotations":{"type":"object","title":"Pod annotations are an unstructured key value map stored with the pod.\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","additionalProperties":{"type":"string"},"x-order":0},"env":{"type":"array","title":"Environment variables for all containers in the 
deployment.\nhttps://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/","items":{"$ref":"#/components/schemas/installkubernetesEnvVar"},"x-order":1},"affinity":{"$ref":"#/components/schemas/installkubernetesAffinity"},"strategy":{"$ref":"#/components/schemas/installkubernetesDeploymentStrategy"},"tolerations":{"type":"array","title":"Tolerations are applied to pods, and allow (but do not require) the pods to\nschedule onto nodes with matching taints. Taints and tolerations work\ntogether to ensure that pods are not scheduled onto inappropriate nodes.\nOne or more taints are applied to a node; this marks that the node should\nnot accept any pods that do not tolerate the taints.\nhttps://kubernetes.io/docs/concepts/configuration/taint-and-toleration/","items":{"$ref":"#/components/schemas/corev1Toleration"},"x-order":4},"podSecurityContext":{"$ref":"#/components/schemas/installkubernetesPodSecurityContext"},"containerSecurityContext":{"$ref":"#/components/schemas/installkubernetesSecurityContext"}}},"kubernetesGlobalJob":{"type":"object","title":"The Kubernetes resource configuration for all CronJob or Job","properties":{"podAnnotations":{"type":"object","title":"Pod annotations are an unstructured key value map stored with the pod.\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","additionalProperties":{"type":"string"},"x-order":0},"affinity":{"$ref":"#/components/schemas/installkubernetesAffinity"},"tolerations":{"type":"array","title":"Tolerations are applied to pods, and allow (but do not require) the pods to\nschedule onto nodes with matching taints. 
Taints and tolerations work\ntogether to ensure that pods are not scheduled onto inappropriate nodes.\nOne or more taints are applied to a node; this marks that the node should\nnot accept any pods that do not tolerate the taints.\nhttps://kubernetes.io/docs/concepts/configuration/taint-and-toleration/","items":{"$ref":"#/components/schemas/corev1Toleration"},"x-order":2},"podSecurityContext":{"$ref":"#/components/schemas/installkubernetesPodSecurityContext"},"containerSecurityContext":{"$ref":"#/components/schemas/installkubernetesSecurityContext"}}},"kubernetesGlobalService":{"type":"object","title":"The Kubernetes resource configuration for all the Service","properties":{"annotations":{"type":"object","title":"Pod annotations are an unstructured key value map stored with the service.\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","additionalProperties":{"type":"string"},"x-order":0}}},"kubernetesJob":{"type":"object","title":"The Kubernetes resource configuration for a CronJob or Job","properties":{"podAnnotations":{"type":"object","title":"Pod annotations are an unstructured key value map stored with the pod.\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","additionalProperties":{"type":"string"},"x-order":0},"env":{"type":"array","title":"Environment variables for all containers in the job.\nhttps://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/","items":{"$ref":"#/components/schemas/installkubernetesEnvVar"},"x-order":1},"affinity":{"$ref":"#/components/schemas/installkubernetesAffinity"},"tolerations":{"type":"array","title":"Tolerations are applied to pods, and allow (but do not require) the pods to\nschedule onto nodes with matching taints. 
Taints and tolerations work\ntogether to ensure that pods are not scheduled onto inappropriate nodes.\nOne or more taints are applied to a node; this marks that the node should\nnot accept any pods that do not tolerate the taints.\nhttps://kubernetes.io/docs/concepts/configuration/taint-and-toleration/","items":{"$ref":"#/components/schemas/corev1Toleration"},"x-order":3},"podSecurityContext":{"$ref":"#/components/schemas/installkubernetesPodSecurityContext"},"containerSecurityContext":{"$ref":"#/components/schemas/installkubernetesSecurityContext"}}},"kubernetesKubernetesComponentSpec":{"description":"KubernetesComponentSpec is a common set of Kubernetes resource configuration\nfor components.","type":"object","properties":{"deployment":{"$ref":"#/components/schemas/installkubernetesDeployment"},"service":{"$ref":"#/components/schemas/installkubernetesService"},"serviceAccount":{"$ref":"#/components/schemas/installkubernetesServiceAccount"},"overlays":{"type":"array","title":"Post-render overlays to mutate Kubernetes manifests\nhttps://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#K8sObjectOverlay","items":{"$ref":"#/components/schemas/v1alpha1K8sObjectOverlay"},"x-order":3}}},"kubernetesKubernetesIstioComponentSpec":{"description":"KubernetesIstioComponentSpec is the common set of Kubernetes resource\nconfiguration for Istio. 
It differs from the standard component specs in that\nit supports configuring the operator and istiod deployments separately and CNI\nconfiguration.","type":"object","properties":{"deployment":{"$ref":"#/components/schemas/installkubernetesDeployment"},"service":{"$ref":"#/components/schemas/installkubernetesService"},"serviceAccount":{"$ref":"#/components/schemas/installkubernetesServiceAccount"},"operatorDeployment":{"$ref":"#/components/schemas/installkubernetesDeployment"},"istiodDeployment":{"$ref":"#/components/schemas/installkubernetesDeployment"},"CNI":{"$ref":"#/components/schemas/kubernetesCNI"},"overlays":{"type":"array","title":"Post-render overlays to mutate Kubernetes manifests\nhttps://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#K8sObjectOverlay","items":{"$ref":"#/components/schemas/v1alpha1K8sObjectOverlay"},"x-order":6}}},"kubernetesKubernetesJobComponentSpec":{"description":"KubernetesJobComponentSpec is a common set of Kubernetes resource\nconfiguration for components with a job associated with them.","type":"object","properties":{"deployment":{"$ref":"#/components/schemas/installkubernetesDeployment"},"service":{"$ref":"#/components/schemas/installkubernetesService"},"job":{"$ref":"#/components/schemas/kubernetesJob"},"serviceAccount":{"$ref":"#/components/schemas/installkubernetesServiceAccount"},"overlays":{"type":"array","title":"Post-render overlays to mutate Kubernetes manifests\nhttps://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#K8sObjectOverlay","items":{"$ref":"#/components/schemas/v1alpha1K8sObjectOverlay"},"x-order":4}}},"kubernetesKubernetesSpec":{"description":"KubernetesSpec is a common set of Kubernetes resource configuration for the\ninstall CRs, that will be common to all of its 
components.","type":"object","properties":{"deployment":{"$ref":"#/components/schemas/kubernetesGlobalDeployment"},"service":{"$ref":"#/components/schemas/kubernetesGlobalService"},"account":{"$ref":"#/components/schemas/installkubernetesServiceAccount"},"job":{"$ref":"#/components/schemas/kubernetesGlobalJob"}}},"operatorv1alpha1IntOrString":{"description":"IntOrString is a type that can hold an int32 or a string.  When used in\nJSON or YAML marshalling and unmarshalling, it produces or consumes the\ninner type.  This allows you to have, for example, a JSON field that can\naccept a name or number.","type":"object","properties":{"type":{"type":"string","format":"int64","x-order":0},"intVal":{"type":"integer","format":"int32","x-order":1},"strVal":{"type":"string","x-order":2}}},"protobufAny":{"description":"`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n    Foo foo = ...;\n    Any any;\n    any.PackFrom(foo);\n    ...\n    if (any.UnpackTo(&foo)) {\n      ...\n    }\n\nExample 2: Pack and unpack a message in Java.\n\n    Foo foo = ...;\n    Any any = Any.pack(foo);\n    ...\n    if (any.is(Foo.class)) {\n      foo = any.unpack(Foo.class);\n    }\n    // or ...\n    if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n      foo = any.unpack(Foo.getDefaultInstance());\n    }\n\n Example 3: Pack and unpack a message in Python.\n\n    foo = Foo(...)\n    any = Any()\n    any.Pack(foo)\n    ...\n    if any.Is(Foo.DESCRIPTOR):\n      any.Unpack(foo)\n      ...\n\n Example 4: Pack and unpack a message in Go\n\n     foo := &pb.Foo{...}\n     any, err := anypb.New(foo)\n     if err != nil {\n       ...\n     }\n     ...\n     foo := &pb.Foo{}\n     if err := any.UnmarshalTo(foo); err != nil {\n      
 ...\n     }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. Example:\n\n    package google.profile;\n    message Person {\n      string first_name = 1;\n      string last_name = 2;\n    }\n\n    {\n      \"@type\": \"type.googleapis.com/google.profile.Person\",\n      \"firstName\": <string>,\n      \"lastName\": <string>\n    }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n    {\n      \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n      \"value\": \"1.212s\"\n    }","type":"object","properties":{"@type":{"description":"A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. 
However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n  value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n  URL, or have them precompiled into a binary to avoid any\n  lookup. Therefore, binary compatibility needs to be preserved\n  on changes to types. (Use versioned type names to manage\n  breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics.","type":"string","x-order":0}},"additionalProperties":{}},"protobufNullValue":{"description":"`NullValue` is a singleton enumeration to represent the null value for the\n`Value` type union.\n\nThe JSON representation for `NullValue` is JSON `null`.\n\n - NULL_VALUE: Null value.","type":"string","default":"NULL_VALUE","enum":["NULL_VALUE"]},"qv2Metadata":{"description":"Metadata includes additional information about an ApprovalPolicy or Access entity and\ntheir respective resources that they apply to.","type":"object","properties":{"details":{"$ref":"#/components/schemas/MetadataDetails"},"rules":{"description":"Permissions includes permissions for which an authenticated user is allowed to perform.\nThis applies to ApprovalPolicy or Access entities respectively.","type":"array","items":{"$ref":"#/components/schemas/v2RoleRule"},"x-order":1}}},"rbacv2Binding":{"description":"A binding associates a role with a set of subjects.\n\nBindings are used to configure policies, where different roles can be\nassigned 
to different sets of subjects to configure a fine-grained access\ncontrol to the resource protected by the policy.","type":"object","required":["role"],"properties":{"role":{"description":"The role that defines the permissions that will be granted to the target\nresource.","type":"string","x-order":0},"subjects":{"description":"The set of subjects that will be allowed to access the target resource\nwith the permissions defined by the role.","type":"array","items":{"$ref":"#/components/schemas/tsbrbacv2Subject"},"x-order":1}}},"registrationv1alpha1Address":{"description":"Address specifies network address.","type":"object","required":["ip","type"],"properties":{"ip":{"description":"IP address.","type":"string","x-order":0},"type":{"$ref":"#/components/schemas/v1alpha1AddressType"}}},"registryv2Port":{"description":"Port exposed by a service.\nRegistration RPC will complete the instances field by assigning the physical services FQNs.","type":"object","required":["number"],"properties":{"number":{"description":"A valid non-negative integer port number.","type":"integer","format":"int64","x-order":0},"name":{"description":"Name assigned to the port.","type":"string","x-order":1},"serviceDeployments":{"type":"array","title":"The list of FQNs of the instances that expose this port","items":{"type":"string"},"x-order":2,"readOnly":true}}},"registryv2State":{"description":"State denotes how deep the mesh's knowledge of a service is, that is, whether a service can be controlled,\nobserved, or neither.\n\n - EXTERNAL: An external service is a service that is known, but that cannot be observed (we can't get metrics for it)\nand cannot be controlled.\n - OBSERVED: An observed service is a known service that we can have metrics for. 
For example, a service running the\nSkywalking agents.\n - CONTROLLED: A controlled service is a service that is part of the mesh, has a proxy we can configure and can be observed with\nSkywalking agents.","type":"string","default":"INVALID_STATE","enum":["INVALID_STATE","EXTERNAL","OBSERVED","CONTROLLED"]},"registryv2Subset":{"description":"Subset exposed by a service.\nRegistration RPC will complete the instances field by assigning the physical services FQNs.","type":"object","properties":{"name":{"description":"A valid subset name of a service.","type":"string","x-order":0},"serviceDeployments":{"type":"array","title":"The list of FQNs of the service deployments that expose this subset","items":{"type":"string"},"x-order":1,"readOnly":true}}},"securityv2Rule":{"description":"`Rule` matches requests from a targeted resource (and the workloads that belong to the resource),\nto another targeted resource (and the workloads that belong to the resource).\nA match occurs when `from` and `to` match the request.\nOnly resources of type Tenant, Workspace, or Security Group can be targeted.","type":"object","required":["from","to"],"properties":{"from":{"$ref":"#/components/schemas/v2RuleFrom"},"to":{"$ref":"#/components/schemas/RuleTo"}}},"telemetryv2MetricType":{"description":"Metric types are the aggregation functions applied to the measurements that took place over a period of time.\nSome metric types like LABELED_COUNTER and PERCENTILE are also aggregated over the set of defined labels.","type":"object","properties":{"name":{"$ref":"#/components/schemas/v2MetricTypeType"},"labels":{"description":"The labels associated with the metric type.\nSome aggregation functions are not just applied over time. LABELED_COUNTER and PERCENTILE metric types also\naggregate over their labels. 
For instance, a PERCENTILE metric type over the latency will aggregate the measured\nlatency over the different defined percentiles, p50, p75, p90, p95, and p99.","type":"array","items":{"$ref":"#/components/schemas/v2MetricTypeLabel"},"x-order":1}}},"telemetryv2Source":{"description":"`Source` describes a set of observed resources that have a group of metrics that emit measurements at runtime.\nA source specifies **what** is being observed (which resource types: service, ingress hostnames,\nrelation, ...) and **how** it is being observed (with which scope of observation).\n\nA telemetry source can observe different types of resources in a single or aggregated way depending on the defined\nscope. A scope can be of type ServiceScope, IngressScope, or RelationScope, and they define the wingspan of the\ntelemetry source in the mesh. Each scope contains information to determine if it is a single standalone source or an\naggregation of standalone sources of the same type.\n\nServiceScope can be one of the following types which define the span of a service's telemetry source in the mesh as:\n- INSTANCE: A single specific service instance (pod or VM) in a cluster.\n- SERVICE: An aggregation of all instances of a specific service of a concrete version (subset) in a cluster.\n- SUBSET: An aggregation of all instances of a specific service of a concrete version (subset) across clusters.\n- GLOBAL: An aggregation of all instances from all the versions of a specific service across clusters.\n\nIngressScope can be one of the following types which define the span of an Ingress hostname's telemetry source in the mesh as:\n- HOSTNAME: An ingress's hostname in a concrete cluster.\n- GLOBAL: An ingress's hostname across clusters.\n\nA Telemetry source can also observe relations between resources. A relation is the physical connection between\nresources when a call between them has been made. 
For instance, a relation exists when a gateway calls a service or\nvice versa, or a service calls another service. That relation (call) can be seen (detected) from the server side,\nclient-side, or both.\nFor instance, when a gateway calls a service, and both resources are observed, the relation can be seen from both\nsides, the client and the server. In this case, the gateway is the client-side of the relation observation and the\nservice is the server side of the observation. Each of the observation points (client or server) in the relation will\nproduce different measurements for the same metric. This means that, if we take the duration metric of the relation,\nwe will have a concrete value (measurement) from the client point of view and another value from the server point of\nview, where the client-side observed duration will be greater than the server side duration, and the difference\nbetween the durations is the latency introduced by the network/transport.\n\nRelationScope can be one of the following types which define the span of a relation telemetry source in the mesh as:\n- SERVICE: A relation between logical services.\n\nTo understand a bit better **what** and **how** a telemetry source can observe, let's assume we have deployed the classic\nIstio [bookinfo demo application](https://istio.io/latest/docs/examples/bookinfo/) in 2 clusters, `demo` and\n`demo-disaster-recovery`.\nIf we take as an example the reviews service which has 3 different versions (subsets V1, V2, and V3) for **what** is\nbeing observed, we will have different telemetry sources available which will tell us **how** (which scope) they are\nbeing observed.\n\nAn INSTANCE scoped telemetry source for a concrete review service instance (pod) running on the demo cluster will be:\n```yaml\napiVersion: observability.telemetry.tsb.tetrate.io/v2\nkind: Source\nmetadata:\n  organization: myorg\n  service: reviews.bookinfo\n  name: reviews-v1-545db77b95-vhtlj\nspec:\n  belongsTo: 
organizations/myorg/services/reviews.bookinfo\n  metric_source_key: djF8cmV2aWV3c3xib29raW5mb3xkZW1vfC0=.1_cmV2aWV3cy12MS01NDVkYjc3Yjk1LXZodGxq\n  service_scopes:\n    - type: INSTANCE\n      scope:\n        instance: reviews-v1-545db77b95-vhtlj\n        subset: v1\n        service: reviews\n        namespace: bookinfo\n        cluster: demo\n      deployment: organizations/myorg/clusters/demo/namespaces/bookinfo/services/reviews\n```\n\nA SUBSET scoped telemetry source for the reviews service of v1 subset running on the demo cluster will be:\n```yaml\napiVersion: observability.telemetry.tsb.tetrate.io/v2\nkind: Source\nmetadata:\n  organization: myorg\n  service: reviews.bookinfo\n  name: reviews-v1-demo\nspec:\n  belongsTo: organizations/myorg/services/reviews.bookinfo\n  metric_source_key: djF8cmV2aWV3c3xib29raW5mb3xkZW1vfC0=.1\n  service_scopes:\n    - type: SUBSET\n      scope:\n        subset: v1\n        service: reviews\n        namespace: bookinfo\n        cluster: demo\n      deployment: organizations/myorg/clusters/demo/namespaces/bookinfo/services/reviews\n```\n\nA GLOBAL_SUBSET scope telemetry source for the reviews services of version v1 running across clusters will be:\n```yaml\napiVersion: observability.telemetry.tsb.tetrate.io/v2\nkind: Source\nmetadata:\n  organization: myorg\n  service: reviews.bookinfo\n  name: reviews-v1\nspec:\n  belongsTo: organizations/myorg/services/reviews.bookinfo\n  metric_source_key: djF8cmV2aWV3c3xib29raW5mb3wqfCo=.1\n  service_scopes:\n    - type: GLOBAL_SUBSET\n      scope:\n        subset: v1\n        service: reviews\n        namespace: bookinfo\n      deployment: organizations/myorg/clusters/demo/namespaces/bookinfo/services/reviews\n```\n\nA GLOBAL scoped telemetry source for the reviews service of all subsets(v1, v2, and v3) running across all clusters\nwill be:\n```yaml\napiVersion: observability.telemetry.tsb.tetrate.io/v2\nkind: Source\nmetadata:\n  organization: myorg\n  service: reviews.bookinfo\n  name: 
reviews\nspec:\n  belongsTo: organizations/myorg/services/reviews.bookinfo\n  metric_source_key: djF8cmV2aWV3c3xib29raW5mb3wqfCo=.1\n  service_scopes:\n    - type: GLOBAL\n      scope:\n        service: reviews\n        namespace: bookinfo\n      deployment: organizations/myorg/clusters/demo/namespaces/bookinfo/services/reviews\n```","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the telemetry source.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of what the telemetry source is observing.\n$hide_from_yaml","x-order":3},"belongsTo":{"description":"Which concrete TSB resource in the configuration hierarchy this telemetry source belongs to.\nFor instance, a telemetry source can belong to a service, or a gateway, or a workspace, or any other resource in the\nconfiguration hierarchy.","type":"string","x-order":4,"readOnly":true},"metricSourceKey":{"description":"A key to query metric measurements from the resources that the telemetry source is observing.","type":"string","x-order":5,"readOnly":true},"type":{"$ref":"#/components/schemas/v2SourceScopeType"},"scope":{"$ref":"#/components/schemas/v2SourceScope"}}},"tsbapplicationv2API":{"description":"API objects define a set of servers and endpoints that expose the business logic\nfor an Application. APIs are attached to existing Applications to configure how the\nfeatures exposed by the different services that are part of the Application can be accessed.\n\nThe format used to define APIs is based on the OpenAPI v3 spec. 
Users can attach OpenAPI\ndocuments to the applications, and Service Bridge will generate all the configuration\nthat is needed to make the APIs available. Service Bridge also provides a set of custom\nextensions to the OpenAPI spec that can be used to further customize the APIs in those\ncases where the standard OpenAPI properties are not sufficient.\n\nThe following example shows how an API can be attached to an existing application:\n\n```yaml\napiversion: application.tsb.tetrate.io/v2\nkind: API\nmetadata:\n  organization: my-org\n  tenant: tetrate\n  application: example-app\n  name: ezample-app-api\nspec:\n  description: An example OpenAPI based API\n  workloadSelector:\n    namespace: exampleapp\n    labels:\n      app: exampleapp-gateway\n  openapi: |\n    openapi: 3.0.0\n    info:\n      title: Sample API\n      description: An example API defined in an OpenAPI spec\n      version: 0.1.9\n      x-tsb-service: sample-app.sample-ns   # service exposing this api\n    servers:\n    - url: http://api.example.com/v1\n      description: Optional server description, e.g. Main (production) server\n    - url: http://staging-api.example.com\n    paths:\n      /users:\n        get:\n          summary: Returns a list of users.\n          description: Optional extended description in CommonMark or HTML.\n          responses:\n            '200':    # status code\n              description: A JSON array of user names\n              content:\n                application/json:\n                  schema: \n                    type: array\n                    items: \n                      type: string\n```\n\n\n\n","type":"object","required":["openapi"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"openapi":{"description":"The raw OpenAPI spec for this API.","type":"string","x-order":4},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"},"servers":{"description":"DEPRECATED: For newly created APIs, the exposed servers will be available at httpServers.\nFor APIs created before version 1.7, they will still be available in this field.\n\nList of ingress gateway servers that expose the API.\nServer hostnames must be unique in the system, and only one API can expose a specific hostname.","type":"array","items":{"$ref":"#/components/schemas/v2HttpServer"},"x-order":6,"readOnly":true},"endpoints":{"description":"List of endpoints exposed by this API.\nThis field is read-only and generated from the configured OpenAPI spec.","type":"array","items":{"$ref":"#/components/schemas/v2HTTPEndpoint"},"x-order":7,"readOnly":true},"configResources":{"type":"array","title":"The configuration resources that are related to this API object.\n$hide_from_docs","items":{"$ref":"#/components/schemas/v2ConfigResource"},"x-order":8,"readOnly":true},"httpServers":{"description":"List of gateway servers that expose the API.\nServer hostnames must be unique in the system, and only one API can expose a specific hostname.","type":"array","items":{"$ref":"#/components/schemas/gatewayv2HTTP"},"x-order":9,"readOnly":true}}},"tsbapplicationv2ListAPIsResponse":{"description":"List of APIs that have been attached to the given application.","type":"object","properties":{"apis":{"description":"The list of APIs that are registered in the given application.","type":"array","items":{"$ref":"#/components/schemas/tsbapplicationv2API"},"x-order":0}}},"tsbapplicationv2ResourceStatus":{"description":"The ResourceStatus object 
provides information about the status of the configuration\nrelated to an Application or an API object.\n\nApplications and APIs are translated into configuration objects (config groups, ingress\ngateways, etc). This status object reflects the status of the Application and APIs with\nregard to the generated configuration, and exposes any configuration mismatch.\nThis status only reflects the status of the configuration objects in Service Bridge. It\ndoes not provide information about the status of the generated configuration in the final\nclusters.","type":"object","properties":{"status":{"$ref":"#/components/schemas/applicationv2Status"},"resources":{"description":"List of the individual configuration resource statuses.","type":"array","items":{"$ref":"#/components/schemas/ResourceStatusConfigResourceStatus"},"x-order":1,"readOnly":true}}},"tsbauthv2Authentication":{"type":"object","properties":{"jwt":{"$ref":"#/components/schemas/tsbauthv2AuthenticationJWT"},"rules":{"$ref":"#/components/schemas/AuthenticationRules"},"oidc":{"$ref":"#/components/schemas/v2OIDCConfig"},"requireJwt":{"description":"If set to true, JWT authentication is mandatory and enforced with strict validation.\nRequests without a valid JWT token will be rejected with a 401 (Unauthorized) error.\n\nThis field ONLY applies when JWT authentication is configured (via 'jwt' or 'rules').\nIt is IGNORED when OIDC is configured.\n\nBehavior when JWT is configured:\n- When false (default): JWT tokens are optional, but if provided, they must be valid. 
\nRequests without tokens are allowed to pass through.\n- When true: All requests must have a valid JWT token from one of the configured providers, otherwise they receive a 401 response.\n  Note that to use this feature, xcp.enable_jwt_authentication_require_jwt_token_setting needs to be set to true on the controlplane CR.","type":"boolean","x-order":3}}},"tsbauthv2AuthenticationJWT":{"type":"object","required":["issuer"],"properties":{"issuer":{"description":"Identifies the issuer that issued the JWT. See\n[issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)\nA JWT with a different `iss` claim will be rejected.\n\nExample: https://foobar.auth0.com\nExample: 1234567-compute@developer.gserviceaccount.com","type":"string","x-order":0},"audiences":{"description":"The list of JWT\n[audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)\nthat are allowed to access. A JWT containing any of these\naudiences will be accepted.\n\nThe service name will be accepted if audiences is empty.","type":"array","items":{"type":"string"},"x-order":1},"jwksUri":{"description":"URL of the provider's public key set to validate signature of\nthe JWT. See [OpenID\nDiscovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\n\nOptional if the key set document can either (a) be retrieved\nfrom [OpenID\nDiscovery](https://openid.net/specs/openid-connect-discovery-1_0.html)\nof the issuer or (b) inferred from the email domain of the\nissuer (e.g. a Google service account).\n\nExample: `https://www.googleapis.com/oauth2/v1/certs`\n\nNote: Only one of jwks_uri and jwks should be used. jwks_uri\nwill be ignored if both are set.","type":"string","x-order":2},"jwks":{"description":"JSON Web Key Set of public keys to validate signature of the JWT.\nSee https://auth0.com/docs/jwks.\n\nNote: Only one of jwks_uri and jwks should be used. 
jwks_uri will be ignored if both are set.","type":"string","x-order":3},"outputPayloadToHeader":{"description":"This field specifies the header name to output a successfully verified JWT payload to the\nbackend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified,\nthe payload will not be emitted.","type":"string","x-order":4},"outputClaimToHeaders":{"description":"This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.\nThis differs from the `output_payload_to_header` by allowing outputting individual claims instead of the whole payload.\nOnly claims of type string, boolean, and integer are supported. Array type claims are not supported at this time.\nThe header specified in each operation in the list must be unique. Nested claims of type string/int/bool are supported as well.\n```\n  outputClaimToHeaders:\n  - header: x-my-company-jwt-group\n    claim: my-group\n  - header: x-test-environment-flag\n    claim: test-flag\n  - header: x-jwt-claim-group\n    claim: nested.key.group\n```\n[Experimental] This feature is an experimental feature.\n\n[TODO:Update the status whenever this feature is promoted.]","type":"array","items":{"$ref":"#/components/schemas/JWTClaimToHeader"},"x-order":5},"fromHeaders":{"description":"1) The Authorization header using the Bearer schema,\n       e.g. Authorization: Bearer <token>. (see\n       [Authorization Request Header\n       Field](https://tools.ietf.org/html/rfc6750#section-2.1))\n\n    2) The `access_token` query parameter (see\n    [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3))\n\nList of header locations from which JWT is expected. For example, below is the location spec\nif JWT is expected to be found in `x-jwt-assertion` header, and have `Bearer ` prefix:\n\n```yaml\n  fromHeaders:\n  - name: x-jwt-assertion\n    prefix: \"Bearer \"\n```\n\nNote: Multiple tokens present on the same request are not supported. 
\nThe behaviour of authorization policies when there is more than one user identity is undefined","type":"array","title":"This field specifies the locations to extract JWT token.\nIf no explicit location is specified the following default\nlocations are tried in order:","items":{"$ref":"#/components/schemas/JWTJWTHeader"},"x-order":6},"fromCookies":{"description":"fromCookies:\n - auth-token\n\nThen JWT will be extracted from auth-token cookie in the request.\n\nNote: Requests with multiple tokens (at different locations) are not supported.\nThe behaviour of authorization policies when there is more than one user identity is undefined","type":"array","title":"List of cookie names from which JWT is expected.\nFor example, if config is:","items":{"type":"string"},"x-order":7}}},"tsbauthv2Authorization":{"type":"object","title":"Configuration for authorizing a HTTP request","properties":{"external":{"$ref":"#/components/schemas/tsbauthv2AuthorizationExternalAuthzBackend"},"local":{"$ref":"#/components/schemas/tsbauthv2AuthorizationLocalAuthz"}}},"tsbauthv2AuthorizationExternalAuthzBackend":{"type":"object","title":"Use an authorization server running at the specified URI. 
Support both HTTP and gRPC server.\nIt is recommended to enable TLS validation (SIMPLE or MUTUAL) to secure traffic \nbetween workload and external authorization server\nIf you use gRPC, do not set `includeRequestHeaders`","properties":{"uri":{"type":"string","x-order":0},"includeRequestHeaders":{"type":"array","items":{"type":"string"},"x-order":1},"tls":{"$ref":"#/components/schemas/tsbauthv2ClientTLSSettings"},"pathPrefix":{"description":"Sets a prefix to the value of authorization request header Path.\n\nFor example, if the value of this field is \"/foo\", the value of\nthe authorization request header Path will be \"/foo/<original_path>\".","type":"string","x-order":3},"allowedUpstreamHeaders":{"description":"List of headers from the authorization service that should be added or overridden in the original request and\nforwarded to the upstream when the authorization check result is allowed (HTTP code 200).\nIf not specified, the original request will not be modified and forwarded to backend as-is.\nNote, any existing headers will be overridden.\n\nExact, prefix and suffix matches are supported\n- Exact match: \"abc\" will match on value \"abc\".\n- Prefix match: \"abc*\" will match on value \"abc\" and \"abcd\".\n- Suffix match: \"*abc\" will match on value \"abc\" and \"xabc\".","type":"array","items":{"type":"string"},"x-order":4},"timeout":{"description":"Timeout controls how long the proxy waits for the external authorization backend to respond.\nIf unset, TSB defaults to 1s.","type":"string","x-order":5}}},"tsbauthv2AuthorizationLocalAuthz":{"description":"Authorize the request in Envoy based on the JWT claims.","type":"object","properties":{"rules":{"type":"array","items":{"$ref":"#/components/schemas/tsbauthv2LocalAuthzRule"},"x-order":0}}},"tsbauthv2ClientTLSSettings":{"type":"object","title":"Configure TLS parameters for the 
client","properties":{"mode":{"$ref":"#/components/schemas/tsbauthv2TLSMode"},"files":{"$ref":"#/components/schemas/tsbauthv2TLSFileSource"},"secretName":{"description":"TLS key source from a Kubernetes Secret.\nThis is applicable for gateway workloads.","type":"string","x-order":2},"subjectAltNames":{"type":"array","title":"Subject alternative names is the list of names that are accepted\nas service name as part of TLS handshake","items":{"type":"string"},"x-order":3}}},"tsbauthv2LocalAuthzRule":{"description":"Bindings define the subjects that can access the resource a policy is attached to,\nand the conditions that need to be met for that access to be granted.\nA policy can have multiple bindings to configure different access controls for specific\nsubjects.","type":"object","title":"LocalAuthzRule","required":["name"],"properties":{"name":{"description":"A friendly name to identify the binding.","type":"string","x-order":0},"from":{"description":"Subjects configure the actors (end users, other services)  that are allowed to access the\ntarget resource.","type":"array","items":{"$ref":"#/components/schemas/tsbauthv2Subject"},"x-order":1},"to":{"description":"A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the\ntarget resource.","type":"array","items":{"$ref":"#/components/schemas/tsbauthv2LocalAuthzRuleHttpOperation"},"x-order":2}}},"tsbauthv2LocalAuthzRuleHttpOperation":{"type":"object","properties":{"paths":{"description":"The request path where the request is made against. E.g. [\"/accounts\"].","type":"array","items":{"type":"string"},"x-order":0},"methods":{"description":"The HTTP methods that are allowed by this rule. E.g. 
[\"GET\", \"HEAD\"].","type":"array","items":{"type":"string"},"x-order":1}}},"tsbauthv2Subject":{"description":"A subject designates an actor (user, service, etc) that attempts to access a target resource.\nSubjects can be modeled with JWT tokens, service accounts, and decorated with attributes such as\nHTTP request headers, JWT token claims, etc.\nThe fields that define a subject will be matched to incoming requests, to fully qualify where the\nrequest comes from, and to decide if the given request is allowed or not for the target resource.\nAll the fields in a subject are evaluated as AND expressions.","type":"object","title":"Subject","properties":{"jwt":{"$ref":"#/components/schemas/tsbauthv2SubjectJWTClaims"}}},"tsbauthv2SubjectJWTClaims":{"description":"JWT based subjects qualify a subject by matching against a JWT token present in the request.\nBy default the token is expected to be present in the 'Authorization' HTTP header, with the\n'Bearer' prefix.","type":"object","title":"JWT based subject","properties":{"iss":{"type":"string","x-order":0},"sub":{"type":"string","x-order":1},"other":{"description":"A set of arbitrary claims that are required to qualify the subject.\nE.g. \"iss\": \"*@foo.com\".","type":"object","additionalProperties":{"type":"string"},"x-order":2}}},"tsbauthv2TLSFileSource":{"type":"object","title":"TLSFileSource is used to load the keys and certificates from\nfiles accessible to the workload","properties":{"clientCertificate":{"type":"string","title":"Certificate file to authenticate the client. This\nis mandatory for mutual TLS and must not be\nspecified for simple (one-way) TLS","x-order":0},"privateKey":{"type":"string","title":"Private key file associated with the client certificate.\nThis is mandatory for mutual TLS and must not be\nspecified for simple TLS","x-order":1},"caCertificates":{"type":"string","title":"File containing CA certificates to verify the certificates\npresented by the server. 
This is mandatory for both simple and\nmutual TLS.\nHere are some common paths for the system CA bundle on Linux and can be\nspecified here if the server certificate is signed by a well known authority,\nalready part of the system CA bundle on the host - \n  /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo etc.)\n  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)\n  /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)","x-order":2}}},"tsbauthv2TLSMode":{"description":"- DISABLED: TLS is not used and communication is\nin plaintext.\n - SIMPLE: Only the server is authenticated.\n - MUTUAL: Both the peers in the communication must\npresent their certificate for TLS authentication","type":"string","title":"Describes how authentication is performed\nas part of establishing TLS connection","default":"DISABLED","enum":["DISABLED","SIMPLE","MUTUAL"]},"tsbdiagnosticv2Workload":{"description":"Name and namespace of a workload.","type":"object","required":["namespace","name"],"properties":{"namespace":{"description":"Namespace of a workload.","type":"string","x-order":0},"name":{"description":"Name of a workload.","type":"string","x-order":1}}},"tsbgatewayv2Authentication":{"type":"object","title":"DEPRECATED. Use auth/v2/Authentication\n$hide_from_docs","properties":{"jwt":{"$ref":"#/components/schemas/tsbgatewayv2AuthenticationJWT"}}},"tsbgatewayv2AuthenticationJWT":{"type":"object","title":"DEPRECATED. Use auth/v2/JWT\n$hide_from_docs","required":["issuer"],"properties":{"issuer":{"description":"Identifies the issuer that issued the JWT. See\n[issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)\nA JWT with different `iss` claim will be rejected.\n\nExample: https://foobar.auth0.com\nExample: 1234567-compute@developer.gserviceaccount.com","type":"string","x-order":0},"audiences":{"description":"The list of JWT\n[audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).\nthat are allowed to access. 
A JWT containing any of these\naudiences will be accepted.\n\nThe service name will be accepted if audiences is empty.","type":"array","items":{"type":"string"},"x-order":1},"jwksUri":{"description":"URL of the provider's public key set to validate signature of\nthe JWT. See [OpenID\nDiscovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\n\nOptional if the key set document can either (a) be retrieved\nfrom [OpenID\nDiscovery](https://openid.net/specs/openid-connect-discovery-1_0.html)\nof the issuer or (b) inferred from the email domain of the\nissuer (e.g. a Google service account).\n\nExample: `https://www.googleapis.com/oauth2/v1/certs`\n\nNote: Only one of jwks_uri and jwks should be used. jwks_uri\nwill be ignored if both are set.","type":"string","x-order":2},"jwks":{"description":"JSON Web Key Set of public keys to validate signature of the JWT.\nSee https://auth0.com/docs/jwks.\n\nNote: Only one of jwks_uri and jwks should be used. jwks_uri will be ignored if both are set.","type":"string","x-order":3}}},"tsbgatewayv2Authorization":{"type":"object","title":"DEPRECATED. Use auth/v2/Authorization\nConfiguration for authorizing a HTTP request\n$hide_from_docs","properties":{"external":{"$ref":"#/components/schemas/tsbgatewayv2AuthorizationExternalAuthzBackend"},"local":{"$ref":"#/components/schemas/tsbgatewayv2AuthorizationLocalAuthz"}}},"tsbgatewayv2AuthorizationExternalAuthzBackend":{"type":"object","title":"DEPRECATED. Use auth/v2/ExternalAuthzBackend\nUse an authorization running at the specified URI. Note that this\nmode is supported only for HTTPS servers.\n$hide_from_docs","properties":{"uri":{"type":"string","x-order":0},"includeRequestHeaders":{"type":"array","items":{"type":"string"},"x-order":1}}},"tsbgatewayv2AuthorizationLocalAuthz":{"type":"object","title":"DEPRECATED. 
Use auth/v2/LocalAuthz\nAuthorize the request in Envoy based on the JWT claims.\n$hide_from_docs","properties":{"rules":{"type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2LocalAuthzRule"},"x-order":0}}},"tsbgatewayv2AuthorizationSettings":{"description":"`AuthorizationSettings` define the set of service accounts in one\nor more namespaces allowed to access a workload (and hence its\nsidecar) in the mesh.","type":"object","properties":{"mode":{"$ref":"#/components/schemas/tsbgatewayv2AuthorizationSettingsMode"},"serviceAccounts":{"description":"`serviceAccounts` specify the allowed\nset of service accounts (and the workloads using them). Must be\nin the `<namespace>/<service-account-name>` format.\n\n- `./*` indicates all service accounts in the namespace where the sidecar resides.\n\n- `ns1/*` indicates all service accounts in the `ns1` namespace.\n\n- `ns1/svc1-sa` indicates `svc1-sa` service account in `ns1` namespace.\n\nNamespace should be a valid Kubernetes namespace, which\nfollows [RFC 1123 Label Names](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names) rules.\nService account should be a valid Kubernetes service account, which\nfollows [DNS Subdomain Names](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names) rules.","type":"array","items":{"type":"string"},"x-order":1},"resources":{"description":"`resources` specify the allowed set of resources using TSB FQNs.\n\n- `organizations/myorg/tenants/mycompany-a/workspaces/w2` - allow access from workspace w2.\n- `organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/s1` - allow access from security group s1.","type":"array","items":{"type":"string"},"x-order":2}}},"tsbgatewayv2AuthorizationSettingsMode":{"description":"A shortcut for defining the common authorization patterns.\n\n - UNSET: Represents an unset or default mode.\n - NAMESPACE: The workload allows traffic from any other authenticated workload 
in its own\nnamespace.\n - GROUP: The workload allows traffic from any other authenticated workload in the security group.\n - WORKSPACE: The workload allows traffic from any other authenticated workload in the workspace.\n - CLUSTER: The workload allows traffic from any other authenticated workload in the cluster.\n - SERVICE_ACCOUNT: The workload allows traffic from service accounts defined explicitly.","type":"string","default":"UNSET","enum":["UNSET","NAMESPACE","GROUP","WORKSPACE","CLUSTER","SERVICE_ACCOUNT"]},"tsbgatewayv2ExternalRateLimitServiceSettings":{"description":"Configuration for ratelimiting using an external ratelimit server\nThe ratelimit server must expose\n[Envoy's Rate Limit Service gRPC API](https://www.envoyproxy.io/docs/envoy/latest/configuration/other_features/rate_limit#config-rate-limit-service).\n\nIf the rate limit service is called, and the response for any of\nthe descriptors is over limit, a 429 response is returned. The rate\nlimit filter also sets the x-envoy-ratelimited header.\n\nIf there is an error in calling rate limit service or rate limit\nservice returns an error and failure_mode_deny is set to true, a\n500 response is returned.","type":"object","required":["domain","rateLimitServerUri","rules"],"properties":{"domain":{"description":"The rate limit domain to use when calling the rate limit service.\nRatelimit settings are namespaced to a domain.","type":"string","x-order":0},"failClosed":{"description":"If the rate limit service is unavailable, the request will fail\nif failClosed is set to true. 
Defaults to false.","type":"boolean","x-order":1},"rateLimitServerUri":{"description":"The URI at which the external rate limit server can be reached.","type":"string","x-order":2},"rules":{"type":"array","title":"A set of rate limit rules.\nEach rule describes a list of dimension to match on.\nOnce matched, a list of descriptors are sent\nto the external rate limit server","items":{"$ref":"#/components/schemas/tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitRule"},"x-order":3},"timeout":{"description":"The timeout in seconds for the external rate limit server RPC.\nDefaults to 0.020 seconds (20ms).\nTraffic will not be allowed to the destination if failClosed is set to true\nand the request to the rate limit server times out.","type":"string","x-order":4},"tls":{"$ref":"#/components/schemas/tsbauthv2ClientTLSSettings"}}},"tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimension":{"type":"object","title":"RateLimitDimension is a set of conditions to match HTTP requests\nOnce the conditions are satisfied,\ncorresponding descriptors (set of keys and values) are emitted and\nsent to the external rate limit server. 
The server is expected to\nmake a rate limit decision based on these descriptors.\nPlease go through the [Envoy RateLimit descriptor](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/common/ratelimit/v3/ratelimit.proto#envoy-v3-api-msg-extensions-common-ratelimit-v3-ratelimitdescriptor)\nto get more information on descriptors","properties":{"sourceCluster":{"$ref":"#/components/schemas/tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionSourceCluster"},"destinationCluster":{"$ref":"#/components/schemas/tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionDestinationCluster"},"remoteAddress":{"$ref":"#/components/schemas/tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionRemoteAddress"},"requestHeaders":{"$ref":"#/components/schemas/tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionRequestHeaders"},"headerValueMatch":{"$ref":"#/components/schemas/tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionHeaderValueMatch"}}},"tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionDestinationCluster":{"description":"Emit descriptor entry - a key-value pair of the form `(\"destination_cluster\",\n\"<routed target cluster>\")` where `destination_cluster` is the destination\nenvoy cluster to which traffic is bound to.","type":"object"},"tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionHeaderValueMatch":{"description":"Emit descriptor entry - a key-value pair of the form `(\"header_match\",\n\"<descriptor_value>\")`, where `descriptor_value` is a user\nspecified value corresponding to a header match event.","type":"object","required":["headers","descriptorValue"],"properties":{"headers":{"description":"Specifies a set of headers that the rate limit action should\nmatch on. The action will check the request’s headers against\nall the specified headers in the config. 
A match will happen if\nall the headers in the config are present in the request with\nthe same values (or based on presence if the value field is not\nin the config).  The header keys must be lowercase and use\nhyphen as the separator, e.g. x-request-id.","type":"object","additionalProperties":{"$ref":"#/components/schemas/tsbgatewayv2StringMatch"},"x-order":0},"descriptorValue":{"description":"The value to use in the descriptor entry.","type":"string","x-order":1},"dontMatch":{"description":"If set to true, the condition will be met when the header value does not match.\nDefault value is false.","type":"boolean","x-order":2}}},"tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionRemoteAddress":{"type":"object","title":"Emit descriptor entry - a key-value pair of the form\n`(\"remote_address\", \"<trusted address from x-forwarded-for>\")`"},"tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionRequestHeaders":{"description":"Emit descriptor entry - a key-value pair of the form\n`(\"<descriptor_key>\", \"<header_value_queried_from_header>\")`\nwhere `descriptor_key` is a user specified key to emit when the\nHTTP header is seen.","type":"object","required":["headerName","descriptorKey"],"properties":{"headerName":{"description":"The header name to be queried from the request headers. 
The header’s\nvalue is used to populate the value of the descriptor entry for the\ndescriptor_key.","type":"string","x-order":0},"descriptorKey":{"description":"The key to use in the descriptor entry.","type":"string","x-order":1}}},"tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimensionSourceCluster":{"description":"Emit descriptor entry - a key-value pair of the form\n`(\"source_cluster\", \"<local service cluster>\")` where `source_cluster`\nis the source envoy cluster (corresponding to the `--service-cluster`\nflag value set by Istio).","type":"object"},"tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitRule":{"type":"object","required":["dimensions"],"properties":{"dimensions":{"description":"A list of dimensions that are to be applied for this rate limit configuration.\nOrder matters as the dimensions are processed sequentially and the descriptor\nis composed by appending descriptor entries in that sequence.\nIf the condition for a dimension is not satisfied and cannot append a descriptor entry,\nno descriptor list is generated for the entire setting.","type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2ExternalRateLimitServiceSettingsRateLimitDimension"},"x-order":0}}},"tsbgatewayv2Group":{"description":"Gateway Groups allow grouping the gateways in a set of namespaces\nowned by its parent workspace. Gateway related configurations can\nthen be applied on the group to control the behavior of these\ngateways. The group can be in one of two modes: `BRIDGED` and\n`DIRECT`. 
`BRIDGED` mode is a minimalistic mode that allows users to\nquickly configure the most commonly used features in the service\nmesh using Tetrate specific APIs, while the `DIRECT` mode provides\nmore flexibility for power users by allowing them to configure the\ngateways' traffic and security properties using a restricted\nsubset of Istio Networking and Security APIs.\n\nThe following example creates a gateway group for the gateways in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany`\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nIt is possible to create a gateway group for namespaces in a\nspecific cluster as long as the parent workspace owns those\nnamespaces in that cluster. For example,\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"c1/ns1\" # pick ns1 namespace only from c1 cluster\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nIn the `DIRECT` mode, it is possible to directly attach Istio\nNetworking v1beta1 APIs - `VirtualService`, and `Gateway`, and\nIstio Security v1beta1 APIs - `RequestAuthentication`, and\n`AuthorizationPolicy` to the gateway group. 
These configurations\nwill be validated for correctness and conflict free operations and\nthen pushed to the appropriate Istio control planes.\n\nThe following example declares a `Gateway` and a `VirtualService`\nfor a specific workload in the `ns1` namespace:\n\n```yaml\napiVersion: networking.istio.io/v1beta1\nkind: Gateway\nmetadata:\n  name: ingress\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/gatewayGroup: g1\nspec:\n  selector:\n      app: my-ingress-gateway\n  servers:\n  - port:\n      number: 80\n      name: http\n      protocol: HTTP\n    hosts:\n    - uk.bookinfo.com\n    - eu.bookinfo.com\n```\n\nand the associated `VirtualService`\n\n```yaml\napiVersion: networking.istio.io/v1beta1\nkind: VirtualService\nmetadata:\n  name: ingress-rule\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/gatewayGroup: g1\nspec:\n  hosts:\n  - uk.bookinfo.com\n  - eu.bookinfo.com\n  gateways:\n  - ns1/ingress # Has to bind to the same gateway\n  http:\n  - route:\n    - destination:\n        port:\n          number: 7777\n        host: reviews.ns1.svc.cluster.local\n```\n\nThe namespace where the Istio APIs are applied will need to be part\nof the parent gateway group. In addition, each API object will need\nto have annotations to indicate the organization, tenant, workspace and the\ngateway group to which it belongs.\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"configMode":{"$ref":"#/components/schemas/v2ConfigMode"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":6},"profiles":{"description":"List of profiles attached to the gateway group to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"},"x-order":7},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"tsbgatewayv2LocalAuthzRule":{"description":"Bindings define the subjects that can access the resource a policy is attached to,\nand the conditions that need to be met for that access to be granted.\nA policy can have multiple bindings to configure different access controls for specific\nsubjects.\n$hide_from_docs","type":"object","title":"DEPRECATED. 
Use auth/v2/LocalAuthzRule\nLocalAuthzRule","required":["name"],"properties":{"name":{"description":"A friendly name to identify the binding.","type":"string","x-order":0},"from":{"description":"Subjects configure the actors (end users, other services)  that are allowed to access the\ntarget resource.","type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2Subject"},"x-order":1},"to":{"description":"A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the\ntarget resource.","type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2LocalAuthzRuleHttpOperation"},"x-order":2}}},"tsbgatewayv2LocalAuthzRuleHttpOperation":{"type":"object","title":"DEPRECATED\n$hide_from_docs","properties":{"paths":{"description":"The request path where the request is made against. E.g. [\"/accounts\"].","type":"array","items":{"type":"string"},"x-order":0},"methods":{"description":"The HTTP methods that are allowed by this rule. E.g. [\"GET\", \"HEAD\"].","type":"array","items":{"type":"string"},"x-order":1}}},"tsbgatewayv2NamespaceSelector":{"description":"A template selector based on Cluster namespaces.","type":"object","properties":{"name":{"description":"The namespace name.","type":"string","x-order":0},"labelsSelector":{"$ref":"#/components/schemas/v2LabelsSelector"}}},"tsbgatewayv2RateLimitSettings":{"description":"Configuration for ratelimiting HTTP/gRPC requests\nThis has a list of rate limit rules that can be configured.\nWith each rule a list of dimensions can be defined.\nA request counts towards the limit if all of the dimensions match the\nattributes of the request.\nWhen the matched requests exceed the limit, a 429 response is returned.","type":"object","required":["rules"],"properties":{"rules":{"description":"A list of rules for ratelimiting.\nEach rule defines a list of dimensions to match on and the rate limit value\nfor the rule. 
Each rule is independent of the other.","type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2RateLimitSettingsRateLimitRule"},"x-order":0},"failClosed":{"description":"If the rate limit service is unavailable, the request will fail\nif failClosed is set to true. Defaults to false.","type":"boolean","x-order":1},"timeout":{"description":"The timeout in seconds for the rate limit server RPC.\nDefaults to 0.020 seconds (20ms).\nTraffic will not be allowed to the destination if failClosed is set to true\nand the request to the rate limit server times out.","type":"string","x-order":2}}},"tsbgatewayv2RateLimitSettingsRateLimitDimension":{"description":"RateLimitDimension is a condition to match HTTP requests\nthat should be rate limited.","type":"object","properties":{"remoteAddress":{"$ref":"#/components/schemas/tsbgatewayv2RateLimitSettingsRateLimitDimensionRemoteAddress"},"header":{"$ref":"#/components/schemas/tsbgatewayv2RateLimitSettingsRateLimitDimensionHeader"}}},"tsbgatewayv2RateLimitSettingsRateLimitDimensionHeader":{"type":"object","title":"RateLimit based on certain headers","required":["name"],"properties":{"name":{"description":"Name of the header to match on.","type":"string","x-order":0},"value":{"$ref":"#/components/schemas/tsbgatewayv2StringMatch"},"dontMatch":{"description":"If set to true, the condition will be met when the header value does not match.\nDefault value is false.","type":"boolean","x-order":2}}},"tsbgatewayv2RateLimitSettingsRateLimitDimensionRemoteAddress":{"description":"RateLimit based on the client's remote address, extracted from\nthe trusted X-Forwarded-For header.","type":"object","required":["value"],"properties":{"value":{"description":"Ratelimit on a specific remote address.\nIf the value is set to \"*\", ratelimit on\nevery unique remote address.","type":"string","x-order":0}}},"tsbgatewayv2RateLimitSettingsRateLimitRule":{"description":"RateLimitRule is the block to define each internal ratelimit 
configuration.","type":"object","required":["dimensions","limit"],"properties":{"dimensions":{"description":"A list of dimensions to define each ratelimit rule.\nRequests count towards the ratelimit value only when each and every\ncondition in a dimension is matched for a given HTTP request.","type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2RateLimitSettingsRateLimitDimension"},"x-order":0},"limit":{"$ref":"#/components/schemas/tsbgatewayv2RateLimitSettingsRateLimitValue"}}},"tsbgatewayv2RateLimitSettingsRateLimitValue":{"description":"RateLimitValue specifies the values that will be used\nto determine the rate limit.","type":"object","required":["requestsPerUnit","unit"],"properties":{"requestsPerUnit":{"description":"Specifies the value of the rate limit.","type":"integer","format":"int64","x-order":0},"unit":{"$ref":"#/components/schemas/tsbgatewayv2RateLimitSettingsRateLimitValueUnit"}}},"tsbgatewayv2RateLimitSettingsRateLimitValueUnit":{"description":"Units of time.","type":"string","default":"UNKNOWN","enum":["UNKNOWN","SECOND","MINUTE","HOUR","DAY"]},"tsbgatewayv2RateLimiting":{"description":"Configuration for ratelimiting\nHTTP/gRPC requests can be rate limited based on a variety of\nattributes in the request such as headers (including cookies), URL\npath/prefixes, client remote address etc.","type":"object","properties":{"settings":{"$ref":"#/components/schemas/tsbgatewayv2RateLimitSettings"},"externalService":{"$ref":"#/components/schemas/tsbgatewayv2ExternalRateLimitServiceSettings"},"local":{"$ref":"#/components/schemas/v2LocalRateLimitSettings"}}},"tsbgatewayv2StringMatch":{"description":"Describes how to match a given string in HTTP headers. 
Match is case-sensitive.","type":"object","properties":{"exact":{"description":"Exact string match.","type":"string","x-order":0},"prefix":{"description":"Prefix-based match.","type":"string","x-order":1},"regex":{"description":"ECMAScript style regex-based match.","type":"string","x-order":2}}},"tsbgatewayv2Subject":{"description":"A subject designates an actor (user, service, etc) that attempts to access a target resource.\nSubjects can be modeled with JWT tokens, service accounts, and decorated with attributes such as\nHTTP request headers, JWT token claims, etc.\nThe fields that define a subject will be matched to incoming requests, to fully qualify where the\nrequest comes from, and to decide if the given request is allowed or not for the target resource.\nAll the fields in a subject are evaluated as AND expressions.\n$hide_from_docs","type":"object","title":"DEPRECATED. Use auth/v2/Subject\nSubject","properties":{"jwt":{"$ref":"#/components/schemas/tsbgatewayv2SubjectJWTClaims"}}},"tsbgatewayv2SubjectJWTClaims":{"description":"JWT based subjects qualify a subject by matching against a JWT token present in the request.\nBy default the token is expected to be present in the 'Authorization' HTTP header, with the\n'Bearer' prefix.\n$hide_from_docs","type":"object","title":"DEPRECATED.\nJWT based subject","properties":{"iss":{"type":"string","x-order":0},"sub":{"type":"string","x-order":1},"other":{"description":"A set of arbitrary claims that are required to qualify the subject.\nE.g. \"iss\": \"*@foo.com\".","type":"object","additionalProperties":{"type":"string"},"x-order":2}}},"tsbgatewayv2WorkloadSelector":{"description":"A template selector for Gateway workloads.","type":"object","required":["labelsSelector"],"properties":{"labelsSelector":{"$ref":"#/components/schemas/v2LabelsSelector"}}},"tsbistiointernalv2Group":{"description":"Istio internal groups only allow grouping `DIRECT` mode mesh resources in a set of namespaces\nowned by its parent workspace. 
This group is aimed for grouping resources not directly related\nto traffic, security, or gateway like `EnvoyFilters` and `ServiceEntry` for instance.\nIstio internal group is meant to group highly coupled and implementation-detailed oriented istio resources that\ndon't provide any `BRIDGE` mode guarantees or backward/forward compatibilities that other groups like\ntraffic, security of gateway can provide.\nEspecially, and mainly because resources like `EnvoyFilters`, are highly customizable and can interfere\nin unpredictable ways, with any other routing, security, listeners, or filter chains among other configurations\nthat TSB may have setup. Therefore, this group is only meant to be used for users/administrators that are confident\nwith those advanced features, knowing that the defined resources under this group will not interfere\nwith the TSB provided mesh governance functionalities.\n\nThe following example creates an istio internal group for resources in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany`.\n```yaml\napiVersion: istiointernal.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n```\n\nIt is possible to directly attach Istio APIs such as `EnvoyFilter`, and `ServiceEntry`\nto the istio internal group. 
These configurations will then be pushed to the\nappropriate Istio control planes.\n\nThe following ServiceEntry example declares a few external APIs accessed by internal applications over HTTPS.\nThe sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service.\n\n```yaml\napiVersion: networking.istio.io/v1beta1\nkind: ServiceEntry\nmetadata:\n  name: external-svc-https\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/istioInternalGroup: t1\nspec:\n  hosts:\n  - api.dropboxapi.com\n  - www.googleapis.com\n  - api.facebook.com\n  location: MESH_EXTERNAL\n  ports:\n  - number: 443\n    name: https\n    protocol: TLS\n  resolution: DNS\n```\n\nThe namespace where the Istio APIs are applied will need to be part\nof the parent istio internal group. In addition, each API object will need\nto have annotations to indicate the organization, tenant, workspace and the\nistio internal group to which it belongs.\n\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":5},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"tsbprofilev2AuthenticationSettings":{"description":"Configuration for connection authentication parameters.\nThis allows the enforcement of mutual TLS connections to upstream services\nthat do not have a sidecar.\nThis ensures that gateways or mesh workloads do not communicate in plain text with services outside the mesh.","type":"object","properties":{"trafficMode":{"$ref":"#/components/schemas/tsbprofilev2AuthenticationSettingsAuthenticationMode"}}},"tsbprofilev2AuthenticationSettingsAuthenticationMode":{"description":"AuthenticationMode configures whether to initiate only mutual TLS\nconnections or to allow plaintext traffic as well.\n\n - UNSET: Default is UNSET.\n - OPTIONAL: Accept both plaintext and mTLS authenticated connections.\n - REQUIRED: Always initiate mutual TLS authenticated connections, and fail if the upstream does not support it.","type":"string","default":"UNSET","enum":["UNSET","OPTIONAL","REQUIRED"]},"tsbprofilev2AutomaticLoadBalancing":{"type":"object","title":"Settings for configuring automatic load balancing between clusters based on observed metrics.\n$hide_from_docs","properties":{"enabled":{"description":"Whether to enable automatic load balancing.","type":"boolean","x-order":0}}},"tsbprofilev2ClientTLSSettings":{"type":"object","title":"Configure TLS parameters for the client","properties":{"mode":{"$ref":"#/components/schemas/tsbprofilev2TLSMode"},"files":{"$ref":"#/components/schemas/tsbprofilev2TLSFileSource"},"secretName":{"description":"TLS key source from a Kubernetes Secret.\nThis is applicable for gateway workloads.","type":"string","x-order":2},"subjectAltNames":{"type":"array","title":"Subject alternative names is the list of names that are accepted\nas service name as part of TLS 
handshake","items":{"type":"string"},"x-order":3}}},"tsbprofilev2DownstreamResilienceSettings":{"description":"DownstreamResilienceSettings control the reliability knobs in Envoy when accepting\ninbound connections.","type":"object","properties":{"connectionPool":{"$ref":"#/components/schemas/tsbprofilev2DownstreamResilienceSettingsConnectionPoolSettings"},"meshTimeout":{"$ref":"#/components/schemas/tsbprofilev2DownstreamResilienceSettingsMeshTimeout"}}},"tsbprofilev2DownstreamResilienceSettingsConnectionPoolSettings":{"description":"Connection pool settings for downstream connections.","type":"object","properties":{"tcp":{"$ref":"#/components/schemas/tsbprofilev2DownstreamResilienceSettingsConnectionPoolSettingsTCP"}}},"tsbprofilev2DownstreamResilienceSettingsConnectionPoolSettingsTCP":{"description":"TCP Settings for inbound requests.","type":"object","properties":{"keepAlive":{"$ref":"#/components/schemas/tsbprofilev2TcpKeepAlive"}}},"tsbprofilev2DownstreamResilienceSettingsMeshTimeout":{"description":"Connection and Stream timeout settings for the mesh.\nThese apply to the inbound connections at the Sidecars\nand Gateways.","type":"object","properties":{"maxConnectionDuration":{"description":"This specifies the duration of time after which\na downstream and upstream connection will be drained\nand/or closed, starting from when it was first\nestablished. If there are no active streams,\nthe connection will be closed. If there are any active\nstreams, the drain sequence will kick-in, and the connection\nwill be force-closed after the drain period. The default\nvalue of max connection duration is 0 or unlimited,\nwhich means that the connections will never be closed\ndue to aging. 
This setting applies to the entire HTTP connection\nand all streams (HTTP/2 and HTTP/3) the connection carries.","type":"string","x-order":0},"maxStreamDuration":{"description":"The max stream duration is the maximum time that a stream’s\nlifetime will span.","type":"string","x-order":1},"maxDownstreamConnectionDuration":{"description":"The maximum duration of a TCP connection. The duration is defined\nas the period since a connection was established. If not set,\nthere is no max duration. When max_downstream_connection_duration\nis reached the connection will be closed. This can be used\nalongside with `max_connection_duration`.","type":"string","x-order":2},"proxyType":{"$ref":"#/components/schemas/tsbprofilev2ProxyType"}}},"tsbprofilev2ExternalRateLimitServiceSettings":{"description":"Configuration for ratelimiting using an external ratelimit server\nThe ratelimit server must expose\n[Envoy's Rate Limit Service gRPC API](https://www.envoyproxy.io/docs/envoy/latest/configuration/other_features/rate_limit#config-rate-limit-service).\n\nIf the rate limit service is called, and the response for any of\nthe descriptors is over limit, a 429 response is returned. The rate\nlimit filter also sets the x-envoy-ratelimited header.\n\nIf there is an error in calling rate limit service or rate limit\nservice returns an error and failure_mode_deny is set to true, a\n500 response is returned.","type":"object","required":["domain","rateLimitServerUri","rules"],"properties":{"domain":{"description":"The rate limit domain to use when calling the rate limit service.\nRatelimit settings are namespaced to a domain.","type":"string","x-order":0},"failClosed":{"description":"If the rate limit service is unavailable, the request will fail\nif failClosed is set to true. 
Defaults to false.","type":"boolean","x-order":1},"rateLimitServerUri":{"description":"The URI at which the external rate limit server can be reached.","type":"string","x-order":2},"rules":{"type":"array","title":"A set of rate limit rules.\nEach rule describes a list of dimension to match on.\nOnce matched, a list of descriptors are sent\nto the external rate limit server","items":{"$ref":"#/components/schemas/tsbprofilev2ExternalRateLimitServiceSettingsRateLimitRule"},"x-order":3},"timeout":{"description":"The timeout in seconds for the external rate limit server RPC.\nDefaults to 0.020 seconds (20ms).\nTraffic will not be allowed to the destination if failClosed is set to true\nand the request to the rate limit server times out.","type":"string","x-order":4},"tls":{"$ref":"#/components/schemas/tsbprofilev2ClientTLSSettings"}}},"tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimension":{"type":"object","title":"RateLimitDimension is a set of conditions to match HTTP requests\nOnce the conditions are satisfied,\ncorresponding descriptors (set of keys and values) are emitted and\nsent to the external rate limit server. 
The server is expected to\nmake a rate limit decision based on these descriptors.\nPlease go through the [Envoy RateLimit descriptor](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/common/ratelimit/v3/ratelimit.proto#envoy-v3-api-msg-extensions-common-ratelimit-v3-ratelimitdescriptor)\nto get more information on descriptors","properties":{"sourceCluster":{"$ref":"#/components/schemas/tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionSourceCluster"},"destinationCluster":{"$ref":"#/components/schemas/tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionDestinationCluster"},"remoteAddress":{"$ref":"#/components/schemas/tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionRemoteAddress"},"requestHeaders":{"$ref":"#/components/schemas/tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionRequestHeaders"},"headerValueMatch":{"$ref":"#/components/schemas/tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionHeaderValueMatch"}}},"tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionDestinationCluster":{"description":"Emit descriptor entry - a key-value pair of the form `(\"destination_cluster\",\n\"<routed target cluster>\")` where `destination_cluster` is the destination\nenvoy cluster to which traffic is bound to.","type":"object"},"tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionHeaderValueMatch":{"description":"Emit descriptor entry - a key-value pair of the form `(\"header_match\",\n\"<descriptor_value>\")`, where `descriptor_value` is a user\nspecified value corresponding to a header match event.","type":"object","required":["headers","descriptorValue"],"properties":{"headers":{"description":"Specifies a set of headers that the rate limit action should\nmatch on. The action will check the request’s headers against\nall the specified headers in the config. 
A match will happen if\nall the headers in the config are present in the request with\nthe same values (or based on presence if the value field is not\nin the config).  The header keys must be lowercase and use\nhyphen as the separator, e.g. x-request-id.","type":"object","additionalProperties":{"$ref":"#/components/schemas/tsbprofilev2StringMatch"},"x-order":0},"descriptorValue":{"description":"The value to use in the descriptor entry.","type":"string","x-order":1},"dontMatch":{"description":"If set to true, the condition will be met when the header value does not match.\nDefault value is false.","type":"boolean","x-order":2}}},"tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionRemoteAddress":{"type":"object","title":"Emit descriptor entry - a key-value pair of the form\n`(\"remote_address\", \"<trusted address from x-forwarded-for>\")`"},"tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionRequestHeaders":{"description":"Emit descriptor entry - a key-value pair of the form\n`(\"<descriptor_key>\", \"<header_value_queried_from_header>\")`\nwhere `descriptor_key` is a user specified key to emit when the\nHTTP header is seen.","type":"object","required":["headerName","descriptorKey"],"properties":{"headerName":{"description":"The header name to be queried from the request headers. 
The header’s\nvalue is used to populate the value of the descriptor entry for the\ndescriptor_key.","type":"string","x-order":0},"descriptorKey":{"description":"The key to use in the descriptor entry.","type":"string","x-order":1}}},"tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimensionSourceCluster":{"description":"Emit descriptor entry - a key-value pair of the form\n`(\"source_cluster\", \"<local service cluster>\")` where `source_cluster`\nis the source envoy cluster (corresponding to the `--service-cluster`\nflag value set by Istio).","type":"object"},"tsbprofilev2ExternalRateLimitServiceSettingsRateLimitRule":{"type":"object","required":["dimensions"],"properties":{"dimensions":{"description":"A list of dimensions that are to be applied for this rate limit configuration.\nOrder matters as the dimensions are processed sequentially and the descriptor\nis composed by appending descriptor entries in that sequence.\nIf the condition for a dimension is not satisfied and cannot append a descriptor entry,\nno descriptor list is generated for the entire setting.","type":"array","items":{"$ref":"#/components/schemas/tsbprofilev2ExternalRateLimitServiceSettingsRateLimitDimension"},"x-order":0}}},"tsbprofilev2FailoverSettings":{"description":"Failover settings for all proxies connecting to a host exposed in this workspace/organization\nbased on the settings definition scope. Note that this is a server side setting.","type":"object","properties":{"topologyChoice":{"$ref":"#/components/schemas/tsbprofilev2FailoverSettingsTopologyChoice"},"failoverPriority":{"description":"FailoverPriority specifies the failover priority for traffic. FailoverPriority is an ordered list of labels \nused to sort endpoints to do priority based load balancing. 
 \nThis is to support traffic failover across different groups of endpoints.\nInternally these labels will be matched on both the client and endpoints to determine the priorities for\nthe respective endpoints based on clients.\nNote: For a label to be considered for match, the previous labels must match, i.e. \nnth label would be considered matched only if first n-1 labels match.\nIf for a particular client-endpoint pair, all the n labels match, the endpoint will be considered P(0).\nIf first n-1 labels match, the endpoint will be considered P(1) and so on.\n\nFor getting the labels to be populated on the endpoints generated by the TSB for multicluster and eastwest scenario, \nyou will need to label the kubernetes service of your gateway or east-west exposed service\nusing a label with prefix `failover.tetrate.io/`. \nFor example `failover.tetrate.io/version=v1` should be the label present\non the kubernetes service of remote gateway or exposed service for east west traffic.\n\nExample of failoverPriority using these labels:\n```yaml\nfailoverPriority:\n- \"failover.tetrate.io/version=v1\"\n- \"failover.tetrate.io/domain\"\n```\n\nAnother way to label the endpoints for eastwest scenario is to create a ServiceRoute object for the service and\nspecify the labels in the ServiceRoute object. 
If there is any pod with such label present in the remote cluster,\nthe endpoints for it will have these labels and thus it could be used in failoverPriority API.\n\nFor example:\nSuppose if one of your clusters has service reviews only with version v1 and a second cluster with reviews only with version v2,\nThen use the below serviceroute object to populate service labels to the endpoints dynamically: \n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  subsets:\n  - name: v1\n    labels:\n      version: v1\n  - name: v2\n    labels:\n      version: v2\n```\n\nExample of failoverPriority using these labels:\n```yaml\nfailoverPriority:\n- \"version=v1\"\n- \"failover.tetrate.io/domain\"\n```","type":"array","items":{"type":"string"},"x-order":1},"regionalFailover":{"description":"Locality routing settings for all gateways in the Workspace/Organization for which\nthis is defined.\n\nExplicitly specify the region traffic will land on when endpoints in the local region become unhealthy.\nShould be used together with OutlierDetection to detect unhealthy endpoints.\nNote: if no OutlierDetection specified, this will not take effect.","type":"array","items":{"$ref":"#/components/schemas/tsbprofilev2RegionalFailover"},"x-order":2},"automaticLoadBalancing":{"$ref":"#/components/schemas/tsbprofilev2AutomaticLoadBalancing"}}},"tsbprofilev2FailoverSettingsTopologyChoice":{"description":"TopologyChoice specifies the topology preference for traffic priority.\n\n - NONE: Inherit from parent if possible. 
Otherwise treated as `CLUSTER`.\n - CLUSTER: Prefer traffic to stay in the cluster as much as possible.\n - LOCALITY: Prefer traffic to stay in the region/zone/subzone as much as possible irrespective of the cluster.","type":"string","default":"NONE","enum":["NONE","CLUSTER","LOCALITY"]},"tsbprofilev2HTTPRetry":{"description":"HTTPRetry defines the parameters for retrying API calls to a service.","type":"object","required":["attempts"],"properties":{"attempts":{"description":"Number of retries for a given request. The interval between retries will be determined\nautomatically (25ms+).\n\nActual number of retries attempted depends on the httpReqTimeout.\n\nThe above field is defined as optional to allow users to specify 0 attempts (zero value) when using it from config profiles.","type":"integer","format":"int32","x-order":0},"perTryTimeout":{"description":"Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.","type":"string","x-order":1},"retryOn":{"description":"Specifies the conditions under which retry takes place.\nOne or more policies can be specified using a ‘,’ delimited list.\nSee the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on)\nand [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on)\nfor more details.","type":"string","x-order":2},"retryBackOff":{"$ref":"#/components/schemas/tsbprofilev2HTTPRetryRetryBackOff"}}},"tsbprofilev2HTTPRetryRetryBackOff":{"description":"Specifies parameters that control exponential retry back off.","type":"object","required":["baseInterval"],"properties":{"baseInterval":{"description":"The base interval between retry attempts.\nThis parameter is required and must be greater than zero. 
Values less than 1 ms are rounded up to 1 ms.\nThe default value is 25ms.","type":"string","x-order":0},"maxInterval":{"description":"The maximum interval between retry attempts.\nThis parameter is optional but must be greater than or equal to base_interval if set.\nThe default is 10 times the base_interval.","type":"string","x-order":1}}},"tsbprofilev2InboundTrafficSetting":{"description":"Configuration for inbound traffic.","type":"object","properties":{"rateLimiting":{"$ref":"#/components/schemas/tsbprofilev2RateLimiting"},"resilience":{"$ref":"#/components/schemas/tsbprofilev2DownstreamResilienceSettings"},"failoverSettings":{"$ref":"#/components/schemas/tsbprofilev2FailoverSettings"}}},"tsbprofilev2LoadBalancerSettings":{"description":"Defines Load Balancing policies to be applied on the client requests.","type":"object","properties":{"simple":{"$ref":"#/components/schemas/tsbprofilev2LoadBalancerSettingsSimpleLB"},"consistentHash":{"$ref":"#/components/schemas/tsbprofilev2LoadBalancerSettingsConsistentHashLB"}}},"tsbprofilev2LoadBalancerSettingsConsistentHashLB":{"description":"Consistent Hash-based load balancing can be used to provide soft\nsession affinity based on HTTP headers, cookies or other\nproperties. The affinity to a particular destination host may be\nlost when one or more hosts are added/removed from the destination\nservice.\n\nNote: consistent hashing is less reliable at maintaining affinity than common\n\"sticky sessions\" implementations, which often encode a specific destination in\na cookie, ensuring affinity is maintained as long as the backend remains.\nWith consistent hash, the guarantees are weaker; any host addition or removal can\nbreak affinity for `1/backends` requests.\n\nWarning: consistent hashing depends on each proxy having a consistent view of endpoints.\nThis is not the case when locality load balancing is enabled. 
Locality load balancing\nand consistent hash will only work together when all proxies are in the same locality,\nor a high level load balancer handles locality affinity.","type":"object","properties":{"httpHeaderName":{"description":"Hash based on a specific HTTP header.","type":"string","x-order":0},"httpCookie":{"$ref":"#/components/schemas/tsbprofilev2LoadBalancerSettingsConsistentHashLBHTTPCookie"},"useSourceIp":{"description":"Hash based on the source IP address.\nThis is applicable for both TCP and HTTP connections.","type":"boolean","x-order":2},"httpQueryParameterName":{"description":"Hash based on a specific HTTP query parameter.","type":"string","x-order":3},"ringHash":{"$ref":"#/components/schemas/tsbprofilev2LoadBalancerSettingsConsistentHashLBRingHash"},"maglev":{"$ref":"#/components/schemas/tsbprofilev2LoadBalancerSettingsConsistentHashLBMagLev"}}},"tsbprofilev2LoadBalancerSettingsConsistentHashLBHTTPCookie":{"description":"Describes a HTTP cookie that will be used as the hash key for the\nConsistent Hash load balancer. If the cookie is not present, it will\nbe generated.","type":"object","required":["name","ttl"],"properties":{"name":{"description":"Name of the cookie.","type":"string","x-order":0},"path":{"description":"Path to set for the cookie.","type":"string","x-order":1},"ttl":{"description":"Lifetime of the cookie.","type":"string","x-order":2}}},"tsbprofilev2LoadBalancerSettingsConsistentHashLBMagLev":{"type":"object","title":"Implements consistent hashing to upstream hosts.\nIt can be used as a drop in replacement for `RingHash`. It has higher speed than RingHash with faster hash table lookups.\nPlease refer https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev","required":["tableSize"],"properties":{"tableSize":{"description":"The table size for Maglev hashing. 
This helps in controlling the\ndisruption when the backend hosts change.\nIncreasing the table size reduces the amount of disruption.","type":"integer","format":"int64","x-order":0}}},"tsbprofilev2LoadBalancerSettingsConsistentHashLBRingHash":{"type":"object","title":"Implements consistent hashing to upstream hosts.\nEach upstream host is mapped onto a circle (ring) by hashing its address, each request is then\nrouted using some hash property of the request.\nPlease refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash","properties":{"minimumRingSize":{"description":"The minimum number of virtual nodes to use for the hash\nring. Defaults to 1024. Larger ring sizes result in more granular\nload distributions. If the number of hosts in the load balancing\npool is larger than the ring size, each host will be assigned a\nsingle virtual node.","type":"integer","format":"int64","x-order":0}}},"tsbprofilev2LoadBalancerSettingsSimpleLB":{"description":"Standard load balancing algorithms that require no tuning.\n\n - UNSPECIFIED: No load balancing algorithm has been specified by the user.\nAn appropriate default will be used.\n - RANDOM: The random load balancer selects a random healthy host. The random\nload balancer generally performs better than round robin if no health\nchecking policy is configured.\n - PASSTHROUGH: This option will forward the connection to the original IP address\nrequested by the caller without doing any form of load\nbalancing. This option must be used with care. It is meant for\nadvanced use cases. Refer to Original Destination load balancer in\nEnvoy for further details.\n - ROUND_ROBIN: A basic round robin load balancing policy. This is generally unsafe\nfor many scenarios (e.g. when endpoint weighting is used) as it can\noverburden endpoints. 
In general, prefer to use LEAST_REQUEST as a\ndrop-in replacement for ROUND_ROBIN.\n - LEAST_REQUEST: The least request load balancer spreads load across endpoints, favoring\nendpoints with the least outstanding requests. This is generally safer\nand outperforms ROUND_ROBIN in nearly all cases. Prefer to use\nLEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.","type":"string","default":"UNSPECIFIED","enum":["UNSPECIFIED","RANDOM","PASSTHROUGH","ROUND_ROBIN","LEAST_REQUEST"]},"tsbprofilev2OutboundTrafficSetting":{"type":"object","properties":{"reachability":{"$ref":"#/components/schemas/tsbprofilev2ReachabilitySettings"},"egress":{"$ref":"#/components/schemas/tsbprofilev2OutboundTrafficSettingEgressGateway"},"upstreamTrafficSettings":{"description":"List of hosts and the associated traffic settings to be used by\nthe clients sending traffic to them.","type":"array","items":{"$ref":"#/components/schemas/tsbprofilev2UpstreamTrafficSettings"},"x-order":2}}},"tsbprofilev2OutboundTrafficSettingEgressGateway":{"description":"EgressGateway specifies the gateway where traffic external to the mesh will be redirected.","type":"object","required":["host"],"properties":{"host":{"description":"Specifies the egress gateway hostname. Must be in\n`<namespace>/<fqdn>` format.","type":"string","x-order":0}}},"tsbprofilev2ProxyType":{"description":"ProxyType defines the type of a proxy within the service mesh.\n\nThis enum is used to apply configurations based on the type of\nthe proxy.\n\n - ANY: ANY is the default proxy type that represents both sidecar,\nand gateway proxies. Use this value to apply configurations\nto both sidecars and gateways.\n - SIDECAR: SIDECAR represents a sidecar proxy that runs alongside an\napplication. Use this value to apply configurations only\nto the sidecars.\n - GATEWAY: GATEWAY represents a gateway proxy that runs standalone\nand, acts as an entry/exit point into/out of the service\nmesh. 
Use this value to apply configurations only to the\ngateways.","type":"string","default":"ANY","enum":["ANY","SIDECAR","GATEWAY"]},"tsbprofilev2RateLimitSettings":{"description":"Configuration for ratelimiting HTTP/gRPC requests\nThis has a list of rate limit rules that can be configured.\nWith each rule a list of dimensions can be defined.\nA request counts towards the limit if all of the dimensions match the\nattributes of the request.\nWhen the matched requests exceed the limit, a 429 response is returned.","type":"object","required":["rules"],"properties":{"rules":{"description":"A list of rules for ratelimiting.\nEach rule defines a list of dimensions to match on and the rate limit value\nfor the rule. Each rule is independent of the other.","type":"array","items":{"$ref":"#/components/schemas/tsbprofilev2RateLimitSettingsRateLimitRule"},"x-order":0},"failClosed":{"description":"If the rate limit service is unavailable, the request will fail\nif failClosed is set to true. Defaults to false.","type":"boolean","x-order":1},"timeout":{"description":"The timeout in seconds for the rate limit server RPC.\nDefaults to 0.020 seconds (20ms).\nTraffic will not be allowed to the destination if failClosed is set to true\nand the request to the rate limit server times out.","type":"string","x-order":2}}},"tsbprofilev2RateLimitSettingsRateLimitDimension":{"description":"RateLimitDimension is a condition to match HTTP requests\nthat should be rate limited.","type":"object","properties":{"remoteAddress":{"$ref":"#/components/schemas/tsbprofilev2RateLimitSettingsRateLimitDimensionRemoteAddress"},"header":{"$ref":"#/components/schemas/tsbprofilev2RateLimitSettingsRateLimitDimensionHeader"}}},"tsbprofilev2RateLimitSettingsRateLimitDimensionHeader":{"type":"object","title":"RateLimit based on certain headers","required":["name"],"properties":{"name":{"description":"Name of the header to match 
on.","type":"string","x-order":0},"value":{"$ref":"#/components/schemas/tsbprofilev2StringMatch"},"dontMatch":{"description":"If set to true, the condition will be met when the header value does not match.\nDefault value is false.","type":"boolean","x-order":2}}},"tsbprofilev2RateLimitSettingsRateLimitDimensionRemoteAddress":{"description":"RateLimit based on the client's remote address, extracted from\nthe trusted X-Forwarded-For header.","type":"object","required":["value"],"properties":{"value":{"description":"Ratelimit on a specific remote address.\nIf the value is set to \"*\", ratelimit on\nevery unique remote address.","type":"string","x-order":0}}},"tsbprofilev2RateLimitSettingsRateLimitRule":{"description":"RateLimitRule is the block to define each internal ratelimit configuration.","type":"object","required":["dimensions","limit"],"properties":{"dimensions":{"description":"A list of dimensions to define each ratelimit rule.\nRequests count towards the ratelimit value only when each and every\ncondition in a dimension is matched for a given HTTP request.","type":"array","items":{"$ref":"#/components/schemas/tsbprofilev2RateLimitSettingsRateLimitDimension"},"x-order":0},"limit":{"$ref":"#/components/schemas/tsbprofilev2RateLimitSettingsRateLimitValue"}}},"tsbprofilev2RateLimitSettingsRateLimitValue":{"description":"RateLimitValue specifies the values that will be used\nto determine the rate limit.","type":"object","required":["requestsPerUnit","unit"],"properties":{"requestsPerUnit":{"description":"Specifies the value of the rate limit.","type":"integer","format":"int64","x-order":0},"unit":{"$ref":"#/components/schemas/tsbprofilev2RateLimitSettingsRateLimitValueUnit"}}},"tsbprofilev2RateLimitSettingsRateLimitValueUnit":{"description":"Units of time.","type":"string","default":"UNKNOWN","enum":["UNKNOWN","SECOND","MINUTE","HOUR","DAY"]},"tsbprofilev2RateLimiting":{"description":"Configuration for ratelimiting\nHTTP/gRPC requests can be rate limited based on 
a variety of\nattributes in the request such as headers (including cookies), URL\npath/prefixes, client remote address etc.","type":"object","properties":{"settings":{"$ref":"#/components/schemas/tsbprofilev2RateLimitSettings"},"externalService":{"$ref":"#/components/schemas/tsbprofilev2ExternalRateLimitServiceSettings"},"local":{"$ref":"#/components/schemas/v2LocalRateLimitSettings"}}},"tsbprofilev2ReachabilitySettings":{"description":"`ReachabilitySettings` define the set of services and hosts\naccessed by a workload (and hence its sidecar) in the\nmesh. Defining the set of services accessed by a workload (i.e. its\ndependencies) in advance reduces the memory and CPU consumption\nof both the Istio control plane and the individual Envoy proxy workloads in\nthe data plane.","type":"object","properties":{"mode":{"$ref":"#/components/schemas/tsbprofilev2ReachabilitySettingsMode"},"hosts":{"description":"When the mode is `CUSTOM`, `hosts` specify the set of services\nthat the sidecar should be able to reach. Must be in the\n`<namespace>/<fqdn>` format.\n\n- `./*` indicates all services in the namespace where the sidecar resides.\n\n- `ns1/*` indicates all services in the `ns1` namespace.\n\n- `ns1/svc1.com` indicates `svc1.com` service in `ns1` namespace.\n\n- `*/svc1.com` indicates `svc1.com` service in any namespace.","type":"array","items":{"type":"string"},"x-order":1}}},"tsbprofilev2ReachabilitySettingsMode":{"description":"- UNSET: Inherit from parent if possible. 
Otherwise treated as `CLUSTER`.\n - NAMESPACE: The workload may talk to any service in its own namespace.\n - GROUP: The workload may talk to any service in the traffic group.\n - WORKSPACE: The workload may talk to any service in the workspace.\n - CLUSTER: The workload may talk to any service in the cluster.\n - CUSTOM: The workload may talk to services defined explicitly.","type":"string","title":"A short cut for defining the common reachability patterns","default":"UNSET","enum":["UNSET","NAMESPACE","GROUP","WORKSPACE","CLUSTER","CUSTOM"]},"tsbprofilev2RegionalFailover":{"description":"Specify the traffic failover policy across regions. Since zone and sub-zone\nfailover is supported by default this only needs to be specified for\nregions when the operator needs to constrain traffic failover so that\nthe default behavior of failing over to any endpoint globally does not\napply. This is useful when failing over traffic across regions would not\nimprove service health or may need to be restricted for other reasons\nlike regulatory controls.","type":"object","properties":{"from":{"description":"Originating region.","type":"string","x-order":0},"to":{"description":"Destination region the traffic will fail over to when endpoints in\nthe 'from' region become unhealthy.","type":"string","x-order":1}}},"tsbprofilev2StringMatch":{"description":"Describes how to match a given string in HTTP headers. Match is case-sensitive.","type":"object","properties":{"exact":{"description":"Exact string match.","type":"string","x-order":0},"prefix":{"description":"Prefix-based match.","type":"string","x-order":1},"regex":{"description":"ECMAscript style regex-based match.","type":"string","x-order":2}}},"tsbprofilev2TLSFileSource":{"type":"object","title":"TLSFileSource is used to load the keys and certificates from\nfiles accessible to the workload","properties":{"clientCertificate":{"type":"string","title":"Certificate file to authenticate the client. 
This\nis mandatory for mutual TLS and must not be\nspecified for simple (one-way) TLS","x-order":0},"privateKey":{"type":"string","title":"Private key file associated with the client certificate.\nThis is mandatory for mutual TLS and must not be\nspecified for simple TLS","x-order":1},"caCertificates":{"type":"string","title":"File containing CA certificates to verify the certificates\npresented by the server. This is mandatory for both simple and\nmutual TLS.\nHere are some common paths for the system CA bundle on Linux and can be\nspecified here if the server certificate is signed by a well known authority,\nalready part of the system CA bundle on the host - \n  /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo etc.)\n  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)\n  /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)","x-order":2}}},"tsbprofilev2TLSMode":{"description":"- DISABLED: TLS is not used and communication is\nin plaintext.\n - SIMPLE: Only the server is authenticated.\n - MUTUAL: Both the peers in the communication must\npresent their certificate for TLS authentication","type":"string","title":"Describes how authentication is performed\nas part of establishing TLS connection","default":"DISABLED","enum":["DISABLED","SIMPLE","MUTUAL"]},"tsbprofilev2TcpKeepAlive":{"type":"object","properties":{"probes":{"description":"The total number of unacknowledged probes to send before deciding\nthe connection is dead. Default is to use the OS level configuration,\nLinux defaults to 9.","type":"integer","format":"int64","x-order":0},"idleTime":{"description":"The number of seconds a connection needs to be idle before keep-alive probes\nstart being sent. Default is to use the OS level configuration,\nLinux defaults to 7200s.","type":"integer","format":"int64","x-order":1},"interval":{"description":"The number of seconds between keep-alive probes. 
Default is to use the OS\nlevel configuration, Linux defaults to 75s.","type":"integer","format":"int64","x-order":2}}},"tsbprofilev2UpstreamResilienceSettings":{"description":"UpstreamResilienceSettings controls the reliability knobs for client connections\nto the upstream hosts.","type":"object","properties":{"connectionPool":{"$ref":"#/components/schemas/tsbprofilev2UpstreamResilienceSettingsConnectionPoolSettings"},"circuitBreakerSensitivity":{"$ref":"#/components/schemas/tsbprofilev2UpstreamResilienceSettingsSensitivity"},"outlierDetection":{"$ref":"#/components/schemas/tsbprofilev2UpstreamResilienceSettingsOutlierDetection"}}},"tsbprofilev2UpstreamResilienceSettingsConnectionPoolSettings":{"description":"Connection pool settings for the upstream host.","type":"object","properties":{"http":{"$ref":"#/components/schemas/tsbprofilev2UpstreamResilienceSettingsConnectionPoolSettingsHTTP"},"tcp":{"$ref":"#/components/schemas/tsbprofilev2UpstreamResilienceSettingsConnectionPoolSettingsTCP"}}},"tsbprofilev2UpstreamResilienceSettingsConnectionPoolSettingsHTTP":{"description":"HTTP Settings for outbound requests.","type":"object","properties":{"requestTimeout":{"description":"Timeout for HTTP requests. format: 1h/1m/1s/1ms. MUST BE >=1ms. Disabled if not set.","type":"string","x-order":0},"retries":{"$ref":"#/components/schemas/tsbprofilev2HTTPRetry"},"maxRequests":{"description":"Maximum number of active requests to the service.\nApplicable to both HTTP/1.1 and HTTP2.\nDefault 0, meaning \"unlimited\", up to 2^32 - 1.","type":"integer","format":"int64","x-order":2},"maxRequestsPerConnection":{"description":"Maximum number of requests per connection to the service.\nIf set to 1, it disables keep alive. 
Default 0, meaning \"unlimited\", up to 2^29.","type":"integer","format":"int64","x-order":3}}},"tsbprofilev2UpstreamResilienceSettingsConnectionPoolSettingsTCP":{"description":"TCP Settings for outbound requests.","type":"object","properties":{"keepAlive":{"$ref":"#/components/schemas/tsbprofilev2TcpKeepAlive"},"maxConnections":{"description":"Maximum number of HTTP1 /TCP connections to the service.\nDefault 0, meaning \"unlimited\", up to 2^32 - 1.","type":"integer","format":"int64","x-order":1},"connectTimeout":{"description":"TCP connection timeout. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.","type":"string","x-order":2}}},"tsbprofilev2UpstreamResilienceSettingsOutlierDetection":{"description":"Outlier detection settings for the upstream host.","type":"object","properties":{"consecutiveGatewayFailure":{"description":"The number of consecutive gateway failures (502, 503, 504 status codes)\nbefore a consecutive gateway failure ejection occurs. Defaults to circuitBreakerSensitivity\nof MEDIUM(5) in TSB.","type":"integer","format":"int64","x-order":0},"enforcingConsecutiveGatewayFailure":{"description":"The percentage of a host to be ejected when an outlier status\nis detected through consecutive gateway failures. This setting can be\nused to disable ejection or to ramp it up slowly. Defaults to 100 in TSB.","type":"integer","format":"int64","x-order":1},"consecutive5xx":{"description":"The number of consecutive server-side error responses (for HTTP traffic,\n5xx responses; for TCP traffic, connection failures; for Redis, failure to\nrespond PONG; etc.) before a consecutive 5xx ejection occurs. Defaults to 5.","type":"integer","format":"int64","x-order":2},"enforcingConsecutive5xx":{"description":"The percentage of a host to be actually ejected when an outlier status\nis detected through consecutive 5xx. This setting can be used to disable\nejection or to ramp it up slowly. 
Defaults to 0 in TSB.","type":"integer","format":"int64","x-order":3},"splitExternalLocalOriginErrors":{"description":"Determines whether to distinguish local origin failures from external errors.\nLocal origin failures are errors that occur within the Envoy process itself,\nbefore the request is actually sent to the upstream host.\nExamples of these are connection timeouts, TCP resets, etc.\nExternal errors are errors that occur after the request is sent to the upstream host.\nExamples of these are 5xx errors, connection refused, etc.\nIf set to true, consecutiveLocalOriginFailure and enforcingConsecutiveLocalOriginFailure will be taken into account.\nDefaults to false.","type":"boolean","x-order":4},"consecutiveLocalOriginFailure":{"description":"The number of consecutive locally originated failures before ejection\noccurs. Defaults to 5. Parameter takes effect only when splitExternalLocalOriginErrors\nis set to true.","type":"integer","format":"int64","x-order":5},"enforcingConsecutiveLocalOriginFailure":{"description":"The percentage of a host to be actually ejected when an outlier status\nis detected through consecutive locally originated failures. This setting can be\nused to disable ejection or to ramp it up slowly. Defaults to 100.\nParameter takes effect only when splitExternalLocalOriginErrors is set to true.","type":"integer","format":"int64","x-order":6},"interval":{"description":"The time interval between ejection analysis sweeps. This can result in\nboth new ejections as well as hosts being returned to service. Defaults\nto 10000ms or 10s.","type":"string","x-order":7},"baseEjectionTime":{"description":"The base time that a host is ejected for. The real time is equal to the\nbase time multiplied by the number of times the host has been ejected.\nDefaults to 30000ms or 30s.","type":"string","x-order":8},"maxEjectionTime":{"description":"The maximum time that a host is ejected for. 
If not specified, the default value (300000ms or 300s) or\nbaseEjectionTime value is applied, whichever is larger.","type":"string","x-order":9},"maxEjectionPercent":{"description":"The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 100%.","type":"integer","format":"int64","x-order":10}}},"tsbprofilev2UpstreamResilienceSettingsSensitivity":{"description":"Available sensitivity levels for the circuit breaker.\n\n - UNSET: Default values will be used.\n - LOW: Tolerate up to 20 consecutive 5xx or connection failures from an\nendpoint before ejecting it temporarily from the load balancing\npool.\n - MEDIUM: Tolerate up to 10 consecutive 5xx or connection failures from an\nendpoint before ejecting it temporarily from the load balancing\npool.\n - HIGH: Tolerate up to 5 consecutive 5xx or connection failures from an\nendpoint before ejecting it temporarily from the load balancing\npool.\n - CUSTOM: When selected, the outlier detection settings must be specified\nin the resilience.outlierDetection field.\nIf that field is set but the mode is not CUSTOM, those settings will be ignored.","type":"string","default":"UNSET","enum":["UNSET","LOW","MEDIUM","HIGH","CUSTOM"]},"tsbprofilev2UpstreamTrafficSettings":{"description":"Traffic settings for the clients that are downstreams to the defined\nupstream hosts.","type":"object","properties":{"hosts":{"description":"List of hosts for which the settings will be created. 
Can contain wildcard hosts.\nThe host should be a service from the service registry or a host declared by ServiceEntries.","type":"array","items":{"type":"string"},"x-order":0},"settings":{"$ref":"#/components/schemas/tsbprofilev2UpstreamTrafficSettingsSettings"}}},"tsbprofilev2UpstreamTrafficSettingsSettings":{"description":"Traffic settings to be applied to the clients of the upstream hosts.","type":"object","properties":{"resilience":{"$ref":"#/components/schemas/tsbprofilev2UpstreamResilienceSettings"},"loadBalancer":{"$ref":"#/components/schemas/tsbprofilev2LoadBalancerSettings"},"authentication":{"$ref":"#/components/schemas/tsbprofilev2AuthenticationSettings"}}},"tsbrbacv2Subject":{"description":"Subject identifies a user or a team under an organization. Roles are\nassigned to subjects for specific resources in the system.","type":"object","properties":{"user":{"type":"string","title":"A user in TSB, created through LDAP sync or API.\nMust use the fully-qualified name (fqn) of the user. \nE.g. organization/myorg/users/alice","x-order":0},"team":{"type":"string","title":"A team in TSB, created through LDAP sync or API.\nMust use the fully-qualified name (fqn) of the team. \nE.g. organization/myorg/teams/t1","x-order":1},"serviceAccount":{"type":"string","title":"A service account in TSB.\nMust use the fully-qualified name (fqn) of the service account. \nE.g. organization/myorg/serviceaccounts/sa1","x-order":2}}},"tsbregistryv2Service":{"description":"Services in the registry represent logically a service that can be running in different compute\nplatforms and different locations. 
The same service could be running on different Kubernetes\nclusters at the same time, on VMs, etc.\nA service in the registry represents an aggregated and logical view for all those individual\nservices, and provides high-level features such as aggregated metrics.","type":"object","required":["shortName","serviceType","state"],"properties":{"fqn":{"description":"Fully-qualified name of the resource. This field is read-only.","type":"string","x-order":0,"readOnly":true},"displayName":{"description":"User friendly name for the resource.","type":"string","x-order":1},"etag":{"description":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.","type":"string","x-order":2},"description":{"description":"A description of the resource.","type":"string","x-order":3},"shortName":{"description":"Short name for the service, used to uniquely identify it within the organization.","type":"string","x-order":4},"hostnames":{"description":"Deprecated. Use hostname_deployments instead.\nThe hostnames by which this service is accessed. It corresponds to the gateway virtual hosts.\nThis field is expected to be empty if the service is not publicly accessible.","type":"array","items":{"type":"string"},"x-order":5,"readOnly":true},"ports":{"description":"The set of ports on which this service is exposed.","type":"array","items":{"$ref":"#/components/schemas/registryv2Port"},"x-order":6},"subsets":{"description":"Deprecated. Use subset_deployments instead.\nSubset denotes a specific version of a service. 
By default the 'version'\nlabel is used to designate subsets of a workload.\nKnown subsets for the service.","type":"array","items":{"type":"string"},"x-order":7,"readOnly":true},"serviceType":{"$ref":"#/components/schemas/v2ServiceType"},"externalAddresses":{"description":"For kubernetes services of type load balancer, this field contains the list of lb hostnames or\nIPs assigned to the service.","type":"array","items":{"type":"string"},"x-order":9},"state":{"$ref":"#/components/schemas/registryv2State"},"metrics":{"description":"- global:        *|productpage|bookinfo|*|*\n  - v1:            v1|productpage|bookinfo|*|*\n  - v1 (cluster1): v1|productpage|bookinfo|cluster1|*\n\nThis is only available for Observed and Controlled services.","type":"array","title":"Services may expose different metrics.\nFor example, a regular service may expose the usual red metrics for incoming requests.\nServices running in multiple clusters, may provide different aggregation levels, such as\naggregation by cluster, by subset, etc.\nThis list provides a complete list of all the aggregation keys that are available for this\nparticular service.\nFor example, a service that has instances in multiple clusters could provide the following\nmetrics:","items":{"$ref":"#/components/schemas/ServiceMetricConfig"},"x-order":11,"readOnly":true},"serviceDeployments":{"description":"List of the existing deployments for this service.\nThis is only available for internal and load balancer services and correspond to physical services\nin the onboarded clusters.\nThis field is read-only.","type":"array","items":{"$ref":"#/components/schemas/ServiceServiceDeployment"},"x-order":12,"readOnly":true},"subsetDeployments":{"description":"Subset denotes a specific version of a service. 
By default the 'version'\nlabel is used to designate subsets of a workload.\nKnown subsets for the service.","type":"array","items":{"$ref":"#/components/schemas/registryv2Subset"},"x-order":13,"readOnly":true},"canonicalName":{"description":"The canonical name of the service defined by user.","type":"string","x-order":14},"spiffeIds":{"description":"List of SPIFFE identities used by the workloads of the service.","type":"array","items":{"type":"string"},"x-order":15},"internalHostnames":{"type":"array","title":"Deprecated. Use internal_hostname_deployments instead.\nThe hostnames by which this service is accessed internally. Can correspond to the\nFQDN of the service or to the hostnames provided by an external service (E.g. service entry)","items":{"type":"string"},"x-order":16,"readOnly":true},"hostnameDeployments":{"description":"The hostnames by which this service is accessed. It corresponds to the gateway virtual hosts.\nThis field is expected to be empty if the service is not publicly accessible.","type":"array","items":{"$ref":"#/components/schemas/v2Hostname"},"x-order":17,"readOnly":true},"internalHostnameDeployments":{"type":"array","title":"The hostnames by which this service is accessed internally. Can correspond to the\nFQDN of the service or to the hostnames provided by an external service (E.g. service entry)","items":{"$ref":"#/components/schemas/v2Hostname"},"x-order":18,"readOnly":true}}},"tsbsecurityv2AuthenticationSettings":{"description":"AuthenticationSettings represents configuration related to authenticating traffic\nwithin the mesh and end-user credentials if present. It is **HIGHLY RECOMMENDED** to\nenable mutual TLS when end-user credentials are present. 
Sending credentials like JWT\nover plaintext is a security risk.","type":"object","properties":{"trafficMode":{"$ref":"#/components/schemas/v2SecuritySettingAuthenticationMode"},"http":{"$ref":"#/components/schemas/tsbauthv2Authentication"}}},"tsbsecurityv2AuthorizationSettings":{"description":"`AuthorizationSettings` define the set of service accounts in one\nor more namespaces allowed to access a workload (and hence its\nsidecar) in the mesh.","type":"object","properties":{"mode":{"$ref":"#/components/schemas/tsbsecurityv2AuthorizationSettingsMode"},"serviceAccounts":{"description":"When the mode is `CUSTOM`, `serviceAccounts` specify the allowed\nset of service accounts (and the workloads using them). Must be\nin the `<namespace>/<service-account-name>` format.\n\n- `./*` indicates all service accounts in the namespace where the sidecar resides.\n\n- `ns1/*` indicates all service accounts in the `ns1` namespace.\n\n- `ns1/svc1-sa` indicates `svc1-sa` service account in `ns1` namespace.\n\nNamespace should be a valid kubernetes namespace, which\nfollows [RFC 1123 Label Names](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names) rules.\nService account should be a valid kubernetes service account, which\nfollows [DNS Subdomain Names](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names) rules.","type":"array","items":{"type":"string"},"x-order":1},"http":{"$ref":"#/components/schemas/tsbauthv2Authorization"},"rules":{"$ref":"#/components/schemas/v2AuthorizationRules"},"identityMatch":{"$ref":"#/components/schemas/v2IdentityMatch"}}},"tsbsecurityv2AuthorizationSettingsMode":{"description":"- UNSET: Inherit from parent if possible. 
Otherwise treated as `DISABLED`.\n - NAMESPACE: The workload allows traffic from any other authenticated workload in its own\nnamespace.\n - GROUP: The workload allows traffic from any other authenticated workload in the security group.\n - WORKSPACE: The workload allows traffic from any other authenticated workload in the workspace.\n - CLUSTER: The workload allows traffic from any other authenticated workload in the cluster.\n - DISABLED: Authorization is disabled.\n - CUSTOM: The workload allows traffic from service accounts defined explicitly.\n - RULES: The workload allows or denies traffic from any other authenticated workload that belongs\nto the specified rules.","type":"string","title":"A short cut for defining the common authorization patterns","default":"UNSET","enum":["UNSET","NAMESPACE","GROUP","WORKSPACE","CLUSTER","DISABLED","CUSTOM","RULES"]},"tsbsecurityv2Group":{"description":"Security Groups allow grouping the proxy workloads in a set of namespaces\nowned by its parent workspace. Security related configurations can\nthen be applied on the group to control the behavior of these\nproxy workloads. The group can be in one of two modes: `BRIDGED` and\n`DIRECT`. 
`BRIDGED` mode is a minimalistic mode that allows users to\nquickly configure the most commonly used features in the service\nmesh using Tetrate specific APIs, while the `DIRECT` mode provides\nmore flexibility for power users by allowing them to configure the\nproxy workload's security properties using a restricted subset of Istio\nSecurity APIs.\n\nThe following example creates a security group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany`\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nAnd the associated security settings for the proxy workloads in the group\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authentication: REQUIRED\n```\n\nUnder the hood, Service Bridge translates these minimalistic\nsettings into Istio APIs such as `PeerAuthentication`,\n`AuthorizationPolicy`, etc. for the namespaces managed by the\nsecurity group. These APIs are then pushed to the Istio control\nplanes of clusters where the workspace is applicable.\n\nIt is possible to create a security group for namespaces in a\nspecific cluster as long as the parent workspace owns those\nnamespaces in that cluster. 
For example,\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"c1/ns1\" # pick ns1 namespace only from c1 cluster\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nIn the `DIRECT` mode, it is possible to directly attach Istio\nSecurity v1beta1 APIs - `PeerAuthentication`, and\n`AuthorizationPolicy` to the security group. These configurations\nwill be validated for correctness and conflict free operations and\nthen pushed to the appropriate Istio control planes.\n\nThe following example declares a `PeerAuthentication` policy for a\nspecific workload in the `ns1` namespace:\n\n```yaml\napiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\n  name: workload-mtls-disable\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/securityGroup: t1\nspec:\n  selector:\n    matchLabels:\n      app: reviews\n  mtls:\n    mode: DISABLE\n```\n\nThe namespace where the Istio APIs are applied will need to be part\nof the parent security group. In addition, each API object will need\nto have annotations to indicate the organization, tenant, workspace and the\nsecurity group to which it belongs.\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"configMode":{"$ref":"#/components/schemas/v2ConfigMode"},"securityDomain":{"description":"Security domains can be used to group different resources under the same security domain.\nAlthough security domain is not resource itself currently, it follows a fqn format\n`organizations/myorg/securitydomains/mysecuritydomain`, and a child cannot override any ancestor's\nsecurity domain.\nOnce a security domain is assigned to a _Security group_, all the children resources will belong to that\nsecurity domain in the same way a _Security setting_ belongs to a _Security group_, a _Security setting_\nwill also belong to the security domain assigned to the _Security group_.\nSecurity domains can also be used to define _Security settings Authorization rules_ in which you can allow\nor deny request from or to a security domain.","type":"string","x-order":6},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":7},"profiles":{"description":"List of profiles attached to the security group to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"},"x-order":8},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"tsbtrafficv2AuthenticationSettings":{"description":"Configuration for connection authentication parameters.\nThis allows the enforcement of mutual TLS connections to upstream services\nthat do not have a sidecar.\nThis ensures that gateways or mesh workloads do not communicate in plain text with services outside the mesh.","type":"object","properties":{"trafficMode":{"$ref":"#/components/schemas/tsbtrafficv2AuthenticationSettingsAuthenticationMode"}}},"tsbtrafficv2AuthenticationSettingsAuthenticationMode":{"description":"AuthenticationMode configures whether to initiate only mutual TLS\nconnections or to allow plaintext traffic as well.\n\n - UNSET: Default is UNSET.\n - OPTIONAL: Accept both plaintext and mTLS authenticated connections.\n - REQUIRED: Always initiate mutual TLS authenticated connections, and fail if the upstream does not support it.","type":"string","default":"UNSET","enum":["UNSET","OPTIONAL","REQUIRED"]},"tsbtrafficv2DownstreamResilienceSettings":{"description":"DownstreamResilienceSettings control the reliability knobs in Envoy when accepting\ninbound connections.","type":"object","properties":{"connectionPool":{"$ref":"#/components/schemas/tsbtrafficv2DownstreamResilienceSettingsConnectionPoolSettings"},"meshTimeout":{"$ref":"#/components/schemas/tsbtrafficv2DownstreamResilienceSettingsMeshTimeout"}}},"tsbtrafficv2DownstreamResilienceSettingsConnectionPoolSettings":{"description":"Connection pool settings for downstream 
connections.","type":"object","properties":{"tcp":{"$ref":"#/components/schemas/tsbtrafficv2DownstreamResilienceSettingsConnectionPoolSettingsTCP"}}},"tsbtrafficv2DownstreamResilienceSettingsConnectionPoolSettingsTCP":{"description":"TCP Settings for inbound requests.","type":"object","properties":{"keepAlive":{"$ref":"#/components/schemas/tsbtrafficv2TcpKeepAlive"}}},"tsbtrafficv2DownstreamResilienceSettingsMeshTimeout":{"description":"Connection and Stream timeout settings for the mesh.\nThese apply to the inbound connections at the Sidecars\nand Gateways.","type":"object","properties":{"maxConnectionDuration":{"description":"This specifies the duration of time after which\na downstream and upstream connection will be drained\nand/or closed, starting from when it was first\nestablished. If there are no active streams,\nthe connection will be closed. If there are any active\nstreams, the drain sequence will kick-in, and the connection\nwill be force-closed after the drain period. The default\nvalue of max connection duration is 0 or unlimited,\nwhich means that the connections will never be closed\ndue to aging. This setting applies to the entire HTTP connection\nand all streams (HTTP/2 and HTTP/3) the connection carries.","type":"string","x-order":0},"maxStreamDuration":{"description":"The max stream duration is the maximum time that a stream’s\nlifetime will span.","type":"string","x-order":1},"maxDownstreamConnectionDuration":{"description":"The maximum duration of a TCP connection. The duration is defined\nas the period since a connection was established. If not set,\nthere is no max duration. When max_downstream_connection_duration\nis reached the connection will be closed. 
This can be used\nalongside with `max_connection_duration`.","type":"string","x-order":2},"proxyType":{"$ref":"#/components/schemas/tsbtrafficv2ProxyType"}}},"tsbtrafficv2Group":{"description":"A traffic group manages the routing properties of proxy workloads in a\ngroup of namespaces owned by the parent workspace.\n\nTraffic Groups allow grouping the proxy workloads in a set of namespaces\nowned by its parent workspace. Networking and routing related\nconfigurations can then be applied on the group to control the\nbehavior of these proxy workloads. The group can be in one of two modes:\n`BRIDGED` and `DIRECT`. `BRIDGED` mode is a minimalistic mode that\nallows users to quickly configure the most commonly used features\nin the service mesh using Tetrate specific APIs, while the `DIRECT`\nmode provides more flexibility for power users by allowing them to\nconfigure the proxy workload behavior using a restricted subset of Istio\nNetworking APIs.\n\nThe following example creates a traffic group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany` and sets up a `TrafficSetting`\ndefining the resilience properties for proxy workloads in these\nnamespaces.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nAnd the associated traffic settings for the proxy workloads in the group\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  resilience:\n    circuitBreakerSensitivity: MEDIUM\n```\n\nUnder the hood, Service Bridge translates these minimalistic\nsettings into Istio APIs such as `Sidecar`, `DestinationRule`,\netc. 
for the namespaces managed by the traffic group. These APIs\nare then pushed to the Istio control planes of clusters where the\nworkspace is applicable.\n\nIt is possible to create a traffic group for namespaces in a\nspecific cluster as long as the parent workspace owns those\nnamespaces in that cluster. For example,\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"c1/ns1\" # pick ns1 namespace only from c1 cluster\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nIn the `DIRECT` mode, it is possible to directly attach Istio APIs\nsuch as `VirtualService`, `DestinationRule`, and `Sidecar` to the\ntraffic group. These configurations will be validated for\ncorrectness and conflict free operations and then pushed to the\nappropriate Istio control planes.\n\nThe following example declares a `DestinationRule` with two\nsubsets, for the `ratings` service in the `ns1` namespace:\n\n```yaml\napiVersion: networking.istio.io/v1beta1\nkind: DestinationRule\nmetadata:\n  name: ratings-subsets\n  namespace: ns1\n  annotations:\n    tsb.tetrate.io/organization: myorg\n    tsb.tetrate.io/tenant: mycompany\n    tsb.tetrate.io/workspace: w1\n    tsb.tetrate.io/trafficGroup: t1\nspec:\n  host: ratings.ns1.svc.cluster.local\n  subsets:\n  - name: stableversion\n    labels:\n      app: ratings\n      env: prod\n  - name: testversion\n    labels:\n      app: ratings\n      env: uat\n```\n\nThe namespace where the Istio APIs are applied will need to be part\nof the parent traffic group. In addition, each API object will need\nto have annotations to indicate the organization, tenant, workspace and the\ntraffic group to which it belongs to.\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. 
This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"configMode":{"$ref":"#/components/schemas/v2ConfigMode"},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":6},"profiles":{"description":"List of profiles attached to the traffic group to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"},"x-order":7},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"tsbtrafficv2HTTPRetry":{"description":"HTTPRetry defines the parameters for retrying API calls to a service.","type":"object","required":["attempts"],"properties":{"attempts":{"description":"Number of retries for a given request. The interval between retries will be determined\nautomatically (25ms+).\n\nActual number of retries attempted depends on the httpReqTimeout.","type":"integer","format":"int32","x-order":0},"perTryTimeout":{"description":"Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. 
MUST BE >=1ms.","type":"string","x-order":1},"retryOn":{"description":"Specifies the conditions under which retry takes place.\nOne or more policies can be specified using a ‘,’ delimited list.\nSee the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on)\nand [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on)\nfor more details.","type":"string","x-order":2},"retryBackOff":{"$ref":"#/components/schemas/tsbtrafficv2HTTPRetryRetryBackOff"}}},"tsbtrafficv2HTTPRetryRetryBackOff":{"description":"Specifies parameters that control exponential retry back off.","type":"object","required":["baseInterval"],"properties":{"baseInterval":{"description":"The base interval between retry attempts.\nThis parameter is required and must be greater than zero. Values less than 1 ms are rounded up to 1 ms.\nThe default value is 25ms.","type":"string","x-order":0},"maxInterval":{"description":"The maximum interval between retry attempts.\nThis parameter is optional but must be greater than or equal to base_interval if set.\nThe default is 10 times the base_interval.","type":"string","x-order":1}}},"tsbtrafficv2InboundTrafficSetting":{"description":"Configuration for inbound traffic.","type":"object","properties":{"rateLimiting":{"$ref":"#/components/schemas/tsbgatewayv2RateLimiting"},"resilience":{"$ref":"#/components/schemas/tsbtrafficv2DownstreamResilienceSettings"},"failoverSettings":{"$ref":"#/components/schemas/tsbtypesv2FailoverSettings"}}},"tsbtrafficv2LoadBalancerSettings":{"description":"Defines Load Balancing policies to be applied on the client 
requests.","type":"object","properties":{"simple":{"$ref":"#/components/schemas/tsbtrafficv2LoadBalancerSettingsSimpleLB"},"consistentHash":{"$ref":"#/components/schemas/tsbtrafficv2LoadBalancerSettingsConsistentHashLB"}}},"tsbtrafficv2LoadBalancerSettingsConsistentHashLB":{"description":"Consistent Hash-based load balancing can be used to provide soft\nsession affinity based on HTTP headers, cookies or other\nproperties. The affinity to a particular destination host may be\nlost when one or more hosts are added/removed from the destination\nservice.\n\nNote: consistent hashing is less reliable at maintaining affinity than common\n\"sticky sessions\" implementations, which often encode a specific destination in\na cookie, ensuring affinity is maintained as long as the backend remains.\nWith consistent hash, the guarantees are weaker; any host addition or removal can\nbreak affinity for `1/backends` requests.\n\nWarning: consistent hashing depends on each proxy having a consistent view of endpoints.\nThis is not the case when locality load balancing is enabled. 
Locality load balancing\nand consistent hash will only work together when all proxies are in the same locality,\nor a high level load balancer handles locality affinity.","type":"object","properties":{"httpHeaderName":{"description":"Hash based on a specific HTTP header.","type":"string","x-order":0},"httpCookie":{"$ref":"#/components/schemas/tsbtrafficv2LoadBalancerSettingsConsistentHashLBHTTPCookie"},"useSourceIp":{"description":"Hash based on the source IP address.\nThis is applicable for both TCP and HTTP connections.","type":"boolean","x-order":2},"httpQueryParameterName":{"description":"Hash based on a specific HTTP query parameter.","type":"string","x-order":3},"ringHash":{"$ref":"#/components/schemas/tsbtrafficv2LoadBalancerSettingsConsistentHashLBRingHash"},"maglev":{"$ref":"#/components/schemas/tsbtrafficv2LoadBalancerSettingsConsistentHashLBMagLev"}}},"tsbtrafficv2LoadBalancerSettingsConsistentHashLBHTTPCookie":{"description":"Describes an HTTP cookie that will be used as the hash key for the\nConsistent Hash load balancer. If the cookie is not present, it will\nbe generated.","type":"object","required":["name","ttl"],"properties":{"name":{"description":"Name of the cookie.","type":"string","x-order":0},"path":{"description":"Path to set for the cookie.","type":"string","x-order":1},"ttl":{"description":"Lifetime of the cookie.","type":"string","x-order":2}}},"tsbtrafficv2LoadBalancerSettingsConsistentHashLBMagLev":{"type":"object","title":"Implements consistent hashing to upstream hosts.\nIt can be used as a drop-in replacement for `RingHash`. It has higher speed than RingHash with faster hash table lookups.\nPlease refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev","required":["tableSize"],"properties":{"tableSize":{"description":"The table size for Maglev hashing. 
This helps in controlling the\ndisruption when the backend hosts change.\nIncreasing the table size reduces the amount of disruption.","type":"integer","format":"int64","x-order":0}}},"tsbtrafficv2LoadBalancerSettingsConsistentHashLBRingHash":{"type":"object","title":"Implements consistent hashing to upstream hosts.\nEach upstream host is mapped onto a circle (ring) by hashing its address, each request is then\nrouted using some hash property of the request.\nPlease refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash","properties":{"minimumRingSize":{"description":"The minimum number of virtual nodes to use for the hash\nring. Defaults to 1024. Larger ring sizes result in more granular\nload distributions. If the number of hosts in the load balancing\npool is larger than the ring size, each host will be assigned a\nsingle virtual node.","type":"integer","format":"int64","x-order":0}}},"tsbtrafficv2LoadBalancerSettingsSimpleLB":{"description":"Standard load balancing algorithms that require no tuning.\n\n - UNSPECIFIED: No load balancing algorithm has been specified by the user.\nAn appropriate default will be used.\n - RANDOM: The random load balancer selects a random healthy host. The random\nload balancer generally performs better than round robin if no health\nchecking policy is configured.\n - PASSTHROUGH: This option will forward the connection to the original IP address\nrequested by the caller without doing any form of load\nbalancing. This option must be used with care. It is meant for\nadvanced use cases. Refer to Original Destination load balancer in\nEnvoy for further details.\n - ROUND_ROBIN: A basic round robin load balancing policy. This is generally unsafe\nfor many scenarios (e.g. when endpoint weighting is used) as it can\noverburden endpoints. 
In general, prefer to use LEAST_REQUEST as a\ndrop-in replacement for ROUND_ROBIN.\n - LEAST_REQUEST: The least request load balancer spreads load across endpoints, favoring\nendpoints with the least outstanding requests. This is generally safer\nand outperforms ROUND_ROBIN in nearly all cases. Prefer to use\nLEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.","type":"string","default":"UNSPECIFIED","enum":["UNSPECIFIED","RANDOM","PASSTHROUGH","ROUND_ROBIN","LEAST_REQUEST"]},"tsbtrafficv2OutboundTrafficSetting":{"description":"Configuration for outbound traffic.","type":"object","properties":{"reachability":{"$ref":"#/components/schemas/tsbtrafficv2ReachabilitySettings"},"egress":{"$ref":"#/components/schemas/tsbtrafficv2OutboundTrafficSettingEgressGateway"},"upstreamTrafficSettings":{"description":"List of hosts and the associated traffic settings to be used by\nthe clients sending traffic to them.","type":"array","items":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamTrafficSettings"},"x-order":2}}},"tsbtrafficv2OutboundTrafficSettingEgressGateway":{"description":"EgressGateway specifies the gateway where traffic external to the mesh will be redirected.","type":"object","required":["host"],"properties":{"host":{"description":"Specifies the egress gateway hostname. Must be in\n`<namespace>/<fqdn>` format.","type":"string","x-order":0}}},"tsbtrafficv2ProxyType":{"description":"ProxyType defines the type of a proxy within the service mesh.\n\nThis enum is used to apply configurations based on the type of\nthe proxy.\n\n - ANY: ANY is the default proxy type that represents both sidecar,\nand gateway proxies. Use this value to apply configurations\nto both sidecars and gateways.\n - SIDECAR: SIDECAR represents a sidecar proxy that runs alongside an\napplication. Use this value to apply configurations only\nto the sidecars.\n - GATEWAY: GATEWAY represents a gateway proxy that runs standalone\nand, acts as an entry/exit point into/out of the service\nmesh. 
Use this value to apply configurations only to the\ngateways.","type":"string","default":"ANY","enum":["ANY","SIDECAR","GATEWAY"]},"tsbtrafficv2ReachabilitySettings":{"description":"`ReachabilitySettings` define the set of services and hosts\naccessed by a workload (and hence its sidecar) in the\nmesh. Defining the set of services accessed by a workload (i.e. its\ndependencies) in advance reduces the memory and CPU consumption\nof both the Istio control plane and the individual Envoy proxy workloads in\nthe data plane.","type":"object","properties":{"mode":{"$ref":"#/components/schemas/tsbtrafficv2ReachabilitySettingsMode"},"hosts":{"description":"When the mode is `CUSTOM`, `hosts` specify the set of services\nthat the sidecar should be able to reach. Must be in the\n`<namespace>/<fqdn>` format.\n\n- `./*` indicates all services in the namespace where the sidecar resides.\n\n- `ns1/*` indicates all services in the `ns1` namespace.\n\n- `ns1/svc1.com` indicates `svc1.com` service in `ns1` namespace.\n\n- `*/svc1.com` indicates `svc1.com` service in any namespace.","type":"array","items":{"type":"string"},"x-order":1}}},"tsbtrafficv2ReachabilitySettingsMode":{"description":"- UNSET: Inherit from parent if possible. Otherwise treated as `CLUSTER`.\n - NAMESPACE: The workload may talk to any service in its own namespace.\n - GROUP: The workload may talk to any service in the traffic group.\n - WORKSPACE: The workload may talk to any service in the workspace.\n - CLUSTER: The workload may talk to any service in the cluster.\n - CUSTOM: The workload may talk to services defined explicitly.","type":"string","title":"A shortcut for defining the common reachability patterns","default":"UNSET","enum":["UNSET","NAMESPACE","GROUP","WORKSPACE","CLUSTER","CUSTOM"]},"tsbtrafficv2TcpKeepAlive":{"type":"object","properties":{"probes":{"description":"The total number of unacknowledged probes to send before deciding\nthe connection is dead. 
Default is to use the OS level configuration,\nLinux defaults to 9.","type":"integer","format":"int64","x-order":0},"idleTime":{"description":"The number of seconds a connection needs to be idle before keep-alive probes\nstart being sent. Default is to use the OS level configuration,\nLinux defaults to 7200s.","type":"integer","format":"int64","x-order":1},"interval":{"description":"The number of seconds between keep-alive probes. Default is to use the OS\nlevel configuration, Linux defaults to 75s.","type":"integer","format":"int64","x-order":2}}},"tsbtrafficv2UpstreamResilienceSettings":{"description":"UpstreamResilienceSettings controls the reliability knobs for client connections\nto the upstream hosts.","type":"object","properties":{"connectionPool":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamResilienceSettingsConnectionPoolSettings"},"circuitBreakerSensitivity":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamResilienceSettingsSensitivity"},"outlierDetection":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamResilienceSettingsOutlierDetection"}}},"tsbtrafficv2UpstreamResilienceSettingsConnectionPoolSettings":{"description":"Connection pool settings for the upstream host.","type":"object","properties":{"http":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamResilienceSettingsConnectionPoolSettingsHTTP"},"tcp":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamResilienceSettingsConnectionPoolSettingsTCP"}}},"tsbtrafficv2UpstreamResilienceSettingsConnectionPoolSettingsHTTP":{"description":"HTTP Settings for outbound requests.","type":"object","properties":{"requestTimeout":{"description":"Timeout for HTTP requests. format: 1h/1m/1s/1ms. MUST BE >=1ms. 
Disabled if not set.","type":"string","x-order":0},"retries":{"$ref":"#/components/schemas/tsbtrafficv2HTTPRetry"},"maxRequests":{"description":"Maximum number of active requests to the service.\nApplicable to both HTTP/1.1 and HTTP2.\nDefault 0, meaning \"unlimited\", up to 2^32 - 1.","type":"integer","format":"int64","x-order":2},"maxRequestsPerConnection":{"description":"Maximum number of requests per connection to the service.\nIf set to 1, it disables keep alive. Default 0, meaning \"unlimited\", up to 2^29.","type":"integer","format":"int64","x-order":3}}},"tsbtrafficv2UpstreamResilienceSettingsConnectionPoolSettingsTCP":{"description":"TCP Settings for outbound requests.","type":"object","properties":{"keepAlive":{"$ref":"#/components/schemas/tsbtrafficv2TcpKeepAlive"},"maxConnections":{"description":"Maximum number of HTTP1 /TCP connections to the service.\nDefault 0, meaning \"unlimited\", up to 2^32 - 1.","type":"integer","format":"int64","x-order":1},"connectTimeout":{"description":"TCP connection timeout. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.","type":"string","x-order":2}}},"tsbtrafficv2UpstreamResilienceSettingsOutlierDetection":{"description":"Outlier detection settings for the upstream host.","type":"object","properties":{"consecutiveGatewayFailure":{"description":"The number of consecutive gateway failures (502, 503, 504 status codes)\nbefore a consecutive gateway failure ejection occurs. Defaults to circuitBreakerSensitivity\nof MEDIUM(5) in TSB.","type":"integer","format":"int64","x-order":0},"enforcingConsecutiveGatewayFailure":{"description":"The percentage of a host to be ejected when an outlier status\nis detected through consecutive gateway failures. This setting can be\nused to disable ejection or to ramp it up slowly. 
Defaults to 100 in TSB.","type":"integer","format":"int64","x-order":1},"consecutive5xx":{"description":"The number of consecutive server-side error responses (for HTTP traffic,\n5xx responses; for TCP traffic, connection failures; for Redis, failure to\nrespond PONG; etc.) before a consecutive 5xx ejection occurs. Defaults to 5.","type":"integer","format":"int64","x-order":2},"enforcingConsecutive5xx":{"description":"The percentage of a host to be actually ejected when an outlier status\nis detected through consecutive 5xx. This setting can be used to disable\nejection or to ramp it up slowly. Defaults to 0 in TSB.","type":"integer","format":"int64","x-order":3},"splitExternalLocalOriginErrors":{"description":"Determines whether to distinguish local origin failures from external errors.\nLocal origin failures are errors that occur within the Envoy process itself,\nbefore the request is actually sent to the upstream host.\nExamples of these are connection timeout, TCP reset, etc.\nExternal errors are errors that occur after the request is sent to the upstream host.\nExamples of these are 5xx errors, connection refused, etc.\nIf set to true, consecutiveLocalOriginFailure and enforcingConsecutiveLocalOriginFailure will be taken into account.\nDefaults to false.","type":"boolean","x-order":4},"consecutiveLocalOriginFailure":{"description":"The number of consecutive locally originated failures before ejection\noccurs. Defaults to 5. Parameter takes effect only when splitExternalLocalOriginErrors\nis set to true.","type":"integer","format":"int64","x-order":5},"enforcingConsecutiveLocalOriginFailure":{"description":"The percentage of a host to be actually ejected when an outlier status\nis detected through consecutive locally originated failures. This setting can be\nused to disable ejection or to ramp it up slowly. 
Defaults to 100.\nParameter takes effect only when splitExternalLocalOriginErrors is set to true.","type":"integer","format":"int64","x-order":6},"interval":{"description":"The time interval between ejection analysis sweeps. This can result in\nboth new ejections as well as hosts being returned to service. Defaults\nto 10000ms or 10s.","type":"string","x-order":7},"baseEjectionTime":{"description":"The base time that a host is ejected for. The real time is equal to the\nbase time multiplied by the number of times the host has been ejected.\nDefaults to 30000ms or 30s.","type":"string","x-order":8},"maxEjectionTime":{"description":"The maximum time that a host is ejected for. If not specified, the default value (300000ms or 300s) or\nbaseEjectionTime value is applied, whatever is larger.","type":"string","x-order":9},"maxEjectionPercent":{"description":"The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 100%.","type":"integer","format":"int64","x-order":10}}},"tsbtrafficv2UpstreamResilienceSettingsSensitivity":{"description":"Available sensitivity levels for the circuit breaker.\n\n - UNSET: Default values will be used.\n - LOW: Tolerate up to 20 consecutive 5xx or connection failures from an\nendpoint before ejecting it temporarily from the load balancing\npool.\n - MEDIUM: Tolerate up to 10 consecutive 5xx or connection failures from an\nendpoint before ejecting it temporarily from the load balancing\npool.\n - HIGH: Tolerate up to 5 consecutive 5xx or connection failures from an\nendpoint before ejecting it temporarily from the load balancing\npool.\n - CUSTOM: When selected, the outlier detection settings must be specified \nin the resilience.outlierDetection field.\nIf that field is set but the mode is not CUSTOM, those settings will be ignored.","type":"string","default":"UNSET","enum":["UNSET","LOW","MEDIUM","HIGH","CUSTOM"]},"tsbtrafficv2UpstreamTrafficSettings":{"description":"Traffic settings for the clients that 
are downstreams to the defined\nupstream hosts.","type":"object","properties":{"hosts":{"description":"List of hosts for which the settings will be created. Can contain wildcard hosts.\nThe host should be a service from the service registry or a host declared by ServiceEntries.","type":"array","items":{"type":"string"},"x-order":0},"settings":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamTrafficSettingsSettings"}}},"tsbtrafficv2UpstreamTrafficSettingsSettings":{"description":"Traffic settings to be applied to the clients of the upstream hosts.","type":"object","properties":{"resilience":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamResilienceSettings"},"loadBalancer":{"$ref":"#/components/schemas/tsbtrafficv2LoadBalancerSettings"},"authentication":{"$ref":"#/components/schemas/tsbtrafficv2AuthenticationSettings"}}},"tsbtypesv2AutomaticLoadBalancing":{"type":"object","title":"Settings for configuring automatic load balancing between clusters based on observed metrics.\n$hide_from_docs","properties":{"enabled":{"description":"Whether to enable automatic load balancing.","type":"boolean","x-order":0}}},"tsbtypesv2FailoverSettings":{"description":"Failover settings for all proxies connecting to a host exposed in this workspace/organization\nbased on the settings definition scope. Note that this is a server side setting.","type":"object","properties":{"topologyChoice":{"$ref":"#/components/schemas/tsbtypesv2FailoverSettingsTopologyChoice"},"failoverPriority":{"description":"FailoverPriority specifies the failover priority for traffic. FailoverPriority is an ordered list of labels \nused to sort endpoints to do priority based load balancing. \nThis is to support traffic failover across different groups of endpoints.\nInternally these labels will be matched on both the client and endpoints to determine the priorities for\nthe respective endpoints based on clients.\nNote: For a label to be considered for match, the previous labels must match, i.e. 
\nnth label would be considered matched only if first n-1 labels match.\nIf for a particular client-endpoint pair, all the n labels match, the endpoint will be considered P(0).\nIf the first n-1 labels match, the endpoint will be considered P(1) and so on.\n\nFor getting the labels to be populated on the endpoints generated by the TSB for multicluster and eastwest scenario, \nyou will need to label the Kubernetes service of your gateway or east-west exposed service\nusing a label with prefix `failover.tetrate.io/`. \nFor example `failover.tetrate.io/version=v1` should be the label present\non the Kubernetes service of remote gateway or exposed service for east west traffic.\n\nExample of failoverPriority using these labels:\n```yaml\nfailoverPriority:\n- \"failover.tetrate.io/version=v1\"\n- \"failover.tetrate.io/domain\"\n```\n\nAnother way to label the endpoints for eastwest scenario is to create a ServiceRoute object for the service and\nspecify the labels in the ServiceRoute object. 
If there is any pod with such a label present in the remote cluster,\nthe endpoints for it will have these labels and thus it could be used in failoverPriority API.\n\nFor example:\nSuppose one of your clusters has the service reviews only with version v1 and a second cluster has reviews only with version v2.\nThen use the ServiceRoute object below to populate service labels to the endpoints dynamically: \n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  subsets:\n  - name: v1\n    labels:\n      version: v1\n  - name: v2\n    labels:\n      version: v2\n```\n\nExample of failoverPriority using these labels:\n```yaml\nfailoverPriority:\n- \"version=v1\"\n- \"failover.tetrate.io/domain\"\n```","type":"array","items":{"type":"string"},"x-order":1},"regionalFailover":{"description":"Locality routing settings for all gateways in the Workspace/Organization for which\nthis is defined.\n\nExplicitly specify the region traffic will land on when endpoints in the local region become unhealthy.\nShould be used together with OutlierDetection to detect unhealthy endpoints.\nNote: if no OutlierDetection is specified, this will not take effect.","type":"array","items":{"$ref":"#/components/schemas/tsbtypesv2RegionalFailover"},"x-order":2},"automaticLoadBalancing":{"$ref":"#/components/schemas/tsbtypesv2AutomaticLoadBalancing"}}},"tsbtypesv2FailoverSettingsTopologyChoice":{"description":"TopologyChoice specifies the topology preference for traffic priority.\n\n - NONE: Inherit from parent if possible. 
Otherwise treated as `CLUSTER`.\n - CLUSTER: Prefer traffic to stay in the cluster as much as possible.\n - LOCALITY: Prefer traffic to stay in the region/zone/subzone as much as possible irrespective of the cluster.","type":"string","default":"NONE","enum":["NONE","CLUSTER","LOCALITY"]},"tsbtypesv2NamespaceSelector":{"type":"object","title":"`NamespaceSelector` selects a set of namespaces across one or more\nclusters in a tenant. Namespace selectors can be used at Workspace\nlevel to carve out a chunk of resources under a tenant into an\nisolated configuration domain. They can be used in a Traffic,\nSecurity, or a Gateway group to further scope the set of namespaces\nthat will belong to a specific configuration group.\nNames in a namespace selector must be in the form `cluster/namespace`\nwhere:\n- cluster must be a cluster name or an `*` to mean all clusters\n- namespace must be a namespace name, an `*` to mean all namespaces\n  or a prefix like `ns-*` to mean all those namespaces starting\n  with `ns-`","required":["names"],"properties":{"names":{"description":"- `*/ns1` implies `ns1` namespace in any cluster.\n\n- `c1/ns1` implies `ns1` namespace from `c1` cluster.\n\n- `c1/*` implies all namespaces in `c1` cluster.\n\n- `*/*` implies all namespaces in all clusters.\n\n- `c1/ns*` implies all namespaces prefixed by `ns` in `c1` cluster.","type":"array","title":"Under the tenant/workspace/group:","items":{"type":"string"},"x-order":0}}},"tsbtypesv2RegionalFailover":{"description":"Specify the traffic failover policy across regions. Since zone and sub-zone\nfailover is supported by default this only needs to be specified for\nregions when the operator needs to constrain traffic failover so that\nthe default behavior of failing over to any endpoint globally does not\napply. 
This is useful when failing over traffic across regions would not\nimprove service health or may need to be restricted for other reasons\nlike regulatory controls.","type":"object","properties":{"from":{"description":"Originating region.","type":"string","x-order":0},"to":{"description":"Destination region the traffic will fail over to when endpoints in\nthe 'from' region become unhealthy.","type":"string","x-order":1}}},"tsbtypesv2WorkloadSelector":{"description":"`WorkloadSelector` selects one or more workloads in a\nnamespace. `WorkloadSelector` can be used in TrafficSetting,\nSecuritySetting, and Gateway APIs in `BRIDGED` mode to scope the\nconfiguration to a specific set of workloads.","type":"object","required":["namespace","labels"],"properties":{"namespace":{"description":"The namespace where the workload resides.","type":"string","x-order":0},"labels":{"description":"One or more labels that indicate a specific set of pods/VMs in\nthe namespace. If omitted, the TrafficSetting or SecuritySetting\nconfiguration will apply to all workloads in the\nnamespace. Labels are required for Gateway API resources.","type":"object","additionalProperties":{"type":"string"},"x-order":1}}},"tsbv2Cluster":{"description":"A Kubernetes cluster managing both pods and VMs.\n\nEach Kubernetes cluster managed by Service Bridge should be\nonboarded first before configurations can be applied to the\nservices in the cluster. Onboarding a cluster is a two step\nprocess. First, create a cluster object under the appropriate\ntenant. Once a cluster object is created, its status field should\nprovide the set of join tokens that will be used by the Service\nBridge agent on the cluster to talk to Service Bridge management\nplane. The second step is to deploy the Service Bridge agent on the\ncluster with the join tokens and deploy Istio on the cluster. 
The\nfollowing example creates a cluster named c1 under the tenant\nmycompany, indicating that the cluster is deployed on a network\n\"vpc-01\" corresponding to the AWS VPC where it resides.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Cluster\nmetadata:\n  name: c1\n  organization: myorg\n  labels:\n    env: uat-demo\nspec:\n  tokenTtl: \"1h\"\n  network: vpc-01\n```\n\nNote that configuration profiles such as traffic, security and\ngateway groups will flow to the Bridge agents in the cluster as\nlong as their requested cluster exists in the Service Bridge\nhierarchy.\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be\nsent on every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"tokenTtl":{"description":"Lifetime of the tokens. Defaults to 1hr.","type":"string","x-order":4},"network":{"description":"The network (e.g., VPC) where this cluster is present. All\nclusters within the same network will be assumed to be reachable\nfor the purposes of multi-cluster routing. In addition, networks\nmarked as reachable from one another in SystemSettings will also\nbe used for multi-cluster routing.","type":"string","x-order":5},"tier1Cluster":{"description":"Deprecated: This flag is still honored for backward compatibility but will be ignored in future releases.\nIt is advisable not to set it, as all clusters can now host both Tier1 and IngressGateways.\n\nIndicates whether this cluster is hosting a tier1 gateway or not.\nTier1 clusters cannot host other gateways or workloads. 
Defaults\nto false if not specified.","type":"boolean","x-order":6},"namespaces":{"type":"array","title":"TODO(vikas): move this inside cluster state\nRead-only data for informational purposes. Any user provided\nvalue will be ignored. The data here may be stale depending on\nthe update frequency from the Bridge agents in the cluster.\n$hide_from_yaml","items":{"$ref":"#/components/schemas/tsbv2Namespace"},"x-order":7,"readOnly":true},"labels":{"type":"object","title":"FIXME: this is super clunky to copy each and every metadata field into\nobjects used for multicluster. $hide_from_yaml","additionalProperties":{"type":"string"},"x-order":8},"locality":{"$ref":"#/components/schemas/tsbv2Locality"},"trustDomain":{"description":"Trust domain for this cluster, used for multi-cluster routing.\nIt must be unique for every cluster and should match the one configured in\nthe local control plane. This value is optional, and will be updated by the\nlocal control plane agents. However, it is recommended to set it, if known,\nso that multi-cluster routing works without having to wait for the local\ncontrol planes to update it.","type":"string","x-order":10},"namespaceScope":{"$ref":"#/components/schemas/v2NamespaceScoping"},"state":{"$ref":"#/components/schemas/v2ClusterState"},"serviceAccount":{"$ref":"#/components/schemas/tsbv2ServiceAccount"},"installTemplate":{"$ref":"#/components/schemas/ClusterInstallTemplate"},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"tsbv2IstioStatus":{"description":"IstioStatus provides information about the Istio injection status of the namespace.","type":"object","properties":{"istioInjection":{"$ref":"#/components/schemas/IstioStatusIstioInjection"},"istioRevision":{"description":"Istio revision of the namespace.","type":"string","x-order":1}}},"tsbv2Locality":{"description":"The region the cluster resides. 
Used for failover based routing when\nconfigured in the workspace or global settings.","type":"object","required":["region"],"properties":{"region":{"description":"The geographic location of the cluster.","type":"string","x-order":0}}},"tsbv2Namespace":{"type":"object","title":"A Kubernetes namespace. These are automatically discovered by the\nService Bridge agents in the cluster.\n$hide_from_yaml","properties":{"name":{"type":"string","x-order":0},"services":{"type":"array","items":{"$ref":"#/components/schemas/apitsbv2Service"},"x-order":1},"istio":{"$ref":"#/components/schemas/tsbv2IstioStatus"},"labels":{"description":"The Labels of the namespace.","type":"object","additionalProperties":{"type":"string"},"x-order":3}}},"tsbv2ServiceAccount":{"description":"`ServiceAccount` represents a service account that can be used to access the TSB platform.\nService accounts have a set of associated public and private keys that can be used to generate\nsigned JWT tokens that are suitable to authenticate to TSB.\nA default key-pair is generated on service account creation and the public key is stored in TSB.\nPrivate keys are returned when service accounts are created, but TSB will not store them. It\nis up to the client to store them securely.\n\nThe following example creates a service account named `my-sa` under the organization\n`myorg`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: ServiceAccount\nmetadata:\n  name: my-sa\n  organization: myorg\nspec:\n  displayName: My Service Account\n  description: Service account used for service integrations\n```\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"description":"A description of the resource.","type":"string","x-order":3},"keys":{"type":"array","title":"Keys associated with the service account.\nA default key-pair is automatically created when the Service Account is created. Note that\nTSB does not store the private keys, so it is up to the client to store the returned private\nkeys securely, as they are only returned once after creation.\nAdditional keys can be added (and deleted) by using the corresponding key management APIs.\n","items":{"$ref":"#/components/schemas/ServiceAccountKeyPair"},"x-order":4,"readOnly":true}}},"typesregistrationv1alpha1Settings":{"description":"Settings specifies registration settings.","type":"object","properties":{"connectedOver":{"$ref":"#/components/schemas/v1alpha1AddressType"}}},"typessidecarv1alpha1EnvVar":{"description":"EnvVar specifies a single environment variable.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable.","type":"string","x-order":0},"value":{"description":"Value of the environment variable.","type":"string","x-order":1},"valueEquality":{"$ref":"#/components/schemas/v1alpha1ContentEquality"}}},"v1Dashboard":{"description":"Message containing some metadata of a dashboard.","type":"object","properties":{"name":{"description":"The name of the dashboard.","type":"string","x-order":0},"title":{"description":"The title of the dashboard.","type":"string","x-order":1},"description":{"description":"The description of the dashboard.","type":"string","x-order":2}}},"v1LabelSelector":{"type":"object","title":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. 
A null\nlabel selector matches no objects.\n+structType=atomic","properties":{"matchLabels":{"type":"object","title":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n+optional","additionalProperties":{"type":"string"},"x-order":0},"matchExpressions":{"type":"array","title":"matchExpressions is a list of label selector requirements. The requirements are ANDed.\n+optional","items":{"$ref":"#/components/schemas/v1LabelSelectorRequirement"},"x-order":1}}},"v1LabelSelectorRequirement":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","properties":{"key":{"type":"string","title":"key is the label key that the selector applies to.\n+patchMergeKey=key\n+patchStrategy=merge","x-order":0},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string","x-order":1},"values":{"type":"array","title":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. 
This array is replaced during a strategic\nmerge patch.\n+optional","items":{"type":"string"},"x-order":2}}},"v1ListDashboardsResponse":{"description":"Response providing a list of available Grafana dashboards.","type":"object","properties":{"dashboards":{"description":"List of available dashboards.","type":"array","items":{"$ref":"#/components/schemas/v1Dashboard"},"x-order":0}}},"v1OperationsResponse":{"description":"The response contains the operations that are allowed from a source resource to a given target.","type":"object","properties":{"operations":{"type":"array","title":"The actual operations list.\nExample:\n```yaml\n- connect\n```","items":{"type":"string"},"x-order":0}}},"v1ResourceAccessResponse":{"description":"Response message for a ResourceAccessRequest.","type":"object","properties":{"accesses":{"description":"Accesses is a map where each key is an operation (e.g., \"connect\") and its value\nis a list of FQNs the source or target is allowed to perform the operation on.\nExample: For a source `organizations/tetrate/tenants/dev/workspaces/eshop`, the\naccesses are:\n```yaml\nconnect:\n- organizations/tetrate/tenants/dev/workspaces/eshop\n- organizations/tetrate/tenants/dev/workspaces/apps\n- organizations/tetrate/clusters/app-cluster-2/namespaces/dev-payments\n- organizations/tetrate/clusters/app-cluster-1/namespaces/app1\n```\nThat means that the source is allowed to connect to these 4 resources and\ntheir descendants.","type":"object","additionalProperties":{"type":"array","items":{"type":"object"}},"x-order":0}}},"v1alpha1AddressType":{"description":"AddressType specifies the type of a network address associated with the workload.\n\n - UNSPECIFIED: Not specified.\n - VPC: IP address from the `VPC` range. Commonly referred to as `Private IP` or\n`Internal IP`.\n - INTERNET: IP address from the `Internet` range. 
Commonly referred to as `Public IP` or\n`External IP`.","type":"string","default":"UNSPECIFIED","enum":["UNSPECIFIED","VPC","INTERNET"]},"v1alpha1AgentInfo":{"description":"AgentInfo specifies information about the `Workload Onboarding Agent`\ninstalled alongside the workload.","type":"object","required":["version"],"properties":{"version":{"description":"Version of the `Workload Onboarding Agent`.","type":"string","x-order":0}}},"v1alpha1ApplyConfigurationResponse":{"description":"Message of the apply sidecar configuration response.","type":"object"},"v1alpha1AuthorizeOnboardingResponse":{"description":"Response to the authorization request.","type":"object","required":["token","expiresAt"],"properties":{"token":{"description":"Bearer token that should be used to authenticate any subsequent requests\nto the `Workload Onboarding Plane`.\nAlso known as a `Workload Onboarding Token`.","type":"string","x-order":0},"expiresAt":{"description":"Expiration time of the returned token.","type":"string","format":"date-time","x-order":1}}},"v1alpha1BanyanDBSettings":{"description":"Configure a BanyanDB connection.\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  telemetryStore:\n    banyandb:\n      host: banyandb\n      port: 5678\n```\n$hide_from_docs","type":"object","required":["host","port"],"properties":{"host":{"description":"BanyanDB host address (can be hostname or IP address).","type":"string","x-order":0},"port":{"description":"Port BanyanDB is listening on.","type":"integer","format":"int32","x-order":1}}},"v1alpha1ContentEquality":{"description":"ContentEquality specifies a strategy to compare two text-like values\nfor equality, e.g. 
old and new values of a certain configuration property.\n\n - BYTES: Compares two values as opaque byte arrays.\n - JSON: Compares two values as JSON values.","type":"string","default":"BYTES","enum":["BYTES","JSON"]},"v1alpha1ControlPlaneComponentSet":{"description":"The set of components that make up the control plane. Use this to override application settings\nor Kubernetes settings for each individual component.","type":"object","properties":{"collector":{"$ref":"#/components/schemas/installcontrolplanev1alpha1OpenTelemetryCollector"},"oap":{"$ref":"#/components/schemas/installcontrolplanev1alpha1Oap"},"xcp":{"$ref":"#/components/schemas/installcontrolplanev1alpha1XCP"},"istio":{"$ref":"#/components/schemas/v1alpha1Istio"},"rateLimitServer":{"$ref":"#/components/schemas/v1alpha1RateLimitServer"},"hpaAdapter":{"$ref":"#/components/schemas/v1alpha1HpaAdapter"},"onboarding":{"$ref":"#/components/schemas/v1alpha1Onboarding"},"satellite":{"$ref":"#/components/schemas/v1alpha1Satellite"},"ngac":{"$ref":"#/components/schemas/installcontrolplanev1alpha1NGAC"},"gitops":{"$ref":"#/components/schemas/commonGitOps"},"internalCertProvider":{"$ref":"#/components/schemas/commonInternalCertProvider"},"defaultKubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesSpec"},"wasmfetcher":{"$ref":"#/components/schemas/v1alpha1WASMFetcher"},"defaultLogLevel":{"description":"The default log level for all components if the per component log level config is not specified.\nNote that the supported log level for different components can be different.","type":"string","x-order":13},"route53Controller":{"$ref":"#/components/schemas/v1alpha1Route53Controller"},"awsController":{"$ref":"#/components/schemas/installcontrolplanev1alpha1AWSController"},"spmAgent":{"$ref":"#/components/schemas/v1alpha1SPMAgent"}}},"v1alpha1ControlPlaneSpec":{"description":"ControlPlane resource exposes a set of configurations necessary to automatically install\nthe Service Bridge control plane on a cluster. 
The installation API is an override API so any\nunset fields that aren't required will use sensible defaults.\n\nPrior to creating the ControlPlane resource, a cluster needs to be created in the management plane.\nControl plane install scripts would create the following secrets in the Kubernetes namespace the control\nplane is deployed into. Make sure they exist:\n\n  - oap-token\n  - otel-token\n\nIf your Elasticsearch backend requires authentication, ensure you create the following secret:\n  - elastic-credentials \n\nA minimal resource must have the container registry hub, telemetryStore, and managementPlane fields set.\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  hub: docker.io/tetrate\n  telemetryStore:\n    elastic:\n      host: elastic\n      port: 5678\n  managementPlane:\n    host: tsb.tetrate.io\n    port: 8443\n    clusterName: cluster\n```\n\nTo configure infrastructure specific settings such as resource limits in Kubernetes,\nset the relevant field in a component. 
Remember that the installation API is an\noverride API so if these fields are unset the operator will use sensible defaults.\nOnly a subset of Kubernetes configuration is available and only for individual components.\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  hub: docker.io/tetrate\n  imagePullSecrets:\n  - name: my-registry-creds\n  telemetryStore:\n    elastic:\n      host: elastic\n      port: 5678\n  managementPlane:\n    host: tsb.tetrate.io\n    port: 8443\n    clusterName: cluster\n  components:\n    collector:\n      kubeSpec:\n        resources:\n          limits:\n            memory: 750Mi\n          requests:\n            memory: 500Mi\n```\n\nControlPlaneSpec defines the desired installed state of control plane components.\nSpecifying a minimal ControlPlaneSpec with hub, clusterName, and managementPlane set\nwill create an installation with sensible defaults.","type":"object","required":["hub","managementPlane","telemetryStore"],"properties":{"hub":{"description":"TSB container hub path e.g. docker.io/tetrate.","type":"string","x-order":0},"imagePullSecrets":{"description":"Pull secrets can be specified globally for all components, or defined into the `kubeSpec.serviceAccount`\nof every component if needed. In case both are defined, the most specific one (the one defined at the component)\nlevel is used.\n\nList of references to secrets in the same namespace to use for pulling any\nimages in pods that reference this ServiceAccount. ImagePullSecrets are\ndistinct from Secrets because Secrets can be mounted in the pod, but\nImagePullSecrets are only accessed by the kubelet. 
More info:\nhttps://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod\nhttps://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#service_account-v1-core","type":"array","items":{"$ref":"#/components/schemas/installkubernetesLocalObjectReference"},"x-order":1},"components":{"$ref":"#/components/schemas/v1alpha1ControlPlaneComponentSet"},"providerSettings":{"$ref":"#/components/schemas/installcontrolplanev1alpha1ProviderSettings"},"managementPlane":{"$ref":"#/components/schemas/v1alpha1ManagementPlaneSettings"},"meshExpansion":{"$ref":"#/components/schemas/v1alpha1MeshExpansionSettings"},"telemetryStore":{"$ref":"#/components/schemas/v1alpha1ControlPlaneSpecTelemetryStore"},"meshObservability":{"$ref":"#/components/schemas/v1alpha1ControlPlaneSpecMeshObservability"},"tier1Cluster":{"description":"**DEPRECATED**: This should not be set through Control plane API\nInstead use TSB Cluster API.\nIndicates that this cluster is used for tier1 gateways.\nTier one clusters can only contain tier 1 gateways.\nNon-tier1 clusters contain tier2 gateways but not tier 1.","type":"boolean","x-order":8},"mode":{"$ref":"#/components/schemas/v2ControlPlaneMode"}}},"v1alpha1ControlPlaneSpecMeshObservability":{"description":"Configure how the mesh should be observed, which observability functionalities should be\nenabled to observe your registered services in the mesh, and the store properties\nthat TSB will use to persist application observability data like metrics, traces,\nlogs.\nIf omitted, the operator will assume\na demo installation and for your convenience install a demo grade mesh observability\nsetting.\nSelect one of the `MeshObservability` settings to see complete examples.","type":"object","properties":{"demoSettings":{"$ref":"#/components/schemas/commonMeshObservabilitySettings"},"settings":{"$ref":"#/components/schemas/commonMeshObservabilitySettings"}}},"v1alpha1ControlPlaneSpecTelemetryStore":{"description":"Configure the store 
that TSB will use to persist application telemetry data.\nSelect one of the `TelemetryStore` settings to see complete examples.","type":"object","properties":{"elastic":{"$ref":"#/components/schemas/installcontrolplanev1alpha1ElasticSearchSettings"},"banyandb":{"$ref":"#/components/schemas/v1alpha1BanyanDBSettings"},"retentionPeriodDays":{"type":"integer","format":"int32","title":"Number of days to retain metrics for. Defaults to 7 days.\nShould be automatically copied from MP and users don't need to set it.\n$hide_from_docs","x-order":2},"tracesRetentionPeriodDays":{"type":"integer","format":"int32","title":"Number of days to retain traces for. Defaults to 3 days.\nShould be automatically copied from MP and users don't need to set it.\n$hide_from_docs","x-order":3}}},"v1alpha1DeleteConfigurationResponse":{"description":"Message of the delete sidecar configuration response.","type":"object"},"v1alpha1DescribeConfigurationResponse":{"description":"Message of the describe sidecar configuration response.","type":"object","properties":{"version":{"description":"Version of the desired sidecar configuration.","type":"string","x-order":0}}},"v1alpha1Dir":{"description":"Dir specifies a directory.","type":"object","required":["path","mode"],"properties":{"path":{"description":"File path.","type":"string","x-order":0},"mode":{"description":"File mode.","type":"integer","format":"int32","x-order":1}}},"v1alpha1DiscoveryInfo":{"description":"DiscoveryInfo specifies response schema of the `Workload Onboarding Plane`\nauto-discovery endpoint.\n\n`Workload Onboarding Agent` uses auto-discovery endpoint to obtain configuration\nspecific to this particular installation of the `Workload Onboarding Plane`.\n\nE.g., this way `Workload Onboarding Agent` gets ahold of the\n`Workload Onboarding Plane` UID that it must use to limit validity of the\ncredential it procures to this `Workload Onboarding Plane` only.\n\nE.g.,\n\n```yaml\nuid: 
ef67c7b9-10da-4542-ad3b-b95acc1e05ba\n```","type":"object","required":["uid"],"properties":{"uid":{"description":"Unique identifier of this particular installation of the\n`Workload Onboarding Plane`.\n\nIs used in the workload authentication flow to prevent replay attacks\nthat abuse compromised workload credentials intended for a different\ninstallation of the `Workload Onboarding Plane`.","type":"string","x-order":0}}},"v1alpha1EKSSettings":{"description":"Settings specific to Elastic Kubernetes Service (EKS).","type":"object","properties":{"useNlbByDefault":{"description":"When true, gateways will be configured to use NLBs with cross zone load\nbalancing enabled when the load balancer type is not configured. When\nfalse, no additional annotations will be added.","type":"boolean","x-order":0}}},"v1alpha1File":{"description":"File specifies a configuration file.","type":"object","required":["path","mode"],"properties":{"path":{"description":"File path.","type":"string","x-order":0},"mode":{"description":"File mode.","type":"integer","format":"int32","x-order":1},"content":{"description":"File content.","type":"string","format":"byte","x-order":2},"contentEquality":{"$ref":"#/components/schemas/v1alpha1ContentEquality"},"reloadable":{"description":"Reloadable file.","type":"boolean","x-order":4}}},"v1alpha1GetDiscoveryInfoResponse":{"description":"Message of the discovery response.","type":"object","required":["discoveryInfo"],"properties":{"discoveryInfo":{"$ref":"#/components/schemas/v1alpha1DiscoveryInfo"}}},"v1alpha1GetSidecarInfoResponse":{"description":"Message of the sidecar info response.","type":"object","required":["sidecar"],"properties":{"sidecar":{"$ref":"#/components/schemas/v1alpha1SidecarInfo"}}},"v1alpha1HostInfo":{"description":"HostInfo specifies information about the host the workload is running on.","type":"object","required":["addresses"],"properties":{"addresses":{"description":"Network addresses of the host the workload is running 
on.","type":"array","items":{"$ref":"#/components/schemas/registrationv1alpha1Address"},"x-order":0}}},"v1alpha1HpaAdapter":{"description":"Kubernetes settings for the OAP (SkyWalking) HPA adapter component.","type":"object","properties":{"enabled":{"description":"Enable the OAP (SkyWalking) HPA adapter component that allows pods to be\nscaled based on SkyWalking metrics.\nThis is disabled by default.","type":"boolean","x-order":0},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"v1alpha1IsolationBoundary":{"description":"IsolationBoundary is an isolated Istio environment which can spread across\nmultiple revisioned control plane clusters.\n\nExample:\n\n  ```yaml\n  isolationBoundaries:\n  - name: prod\n    revisions:\n    - name: stable\n      istio:\n        tsbVersion: 1.6.0\n  - name: staging\n    revisions:\n    - name: v1_6_3\n      istio:\n        tsbVersion: 1.6.3\n    - name: v1_6_1\n      istio:\n        tsbVersion: 1.6.1\n        disable: true\n  ```\n\nThe `tsbVersion` field can be left empty, which would then default to the\ncurrent TSB released version.\n\n  ```yaml\n  isolationBoundaries:\n  - name: global\n    revisions:\n    - name: stable\n  ```\n\nFor instance, if isolation boundaries are being added in TSB `1.6.1`, the default\nwould look something like this:\n\n  ```yaml\n  isolationBoundaries:\n  - name: global\n    revisions:\n    - name: stable\n      istio:\n        tsbVersion: 1.6.1\n  ```","type":"object","required":["name","revisions"],"properties":{"name":{"description":"Name of the IsolationBoundary.","type":"string","x-order":0},"revisions":{"description":"Configure multiple Istio Revisions under the IsolationBoundary.\nOnce IstioIsolationBoundaries is enabled, for any IsolationBoundary\nconfigured - there must be at least one 
IstioRevision.","type":"array","items":{"$ref":"#/components/schemas/controlplanev1alpha1IstioRevision"},"x-order":1},"meshExpansion":{"$ref":"#/components/schemas/v1alpha1MeshExpansionSettings"}}},"v1alpha1Istio":{"description":"Mesh and Kubernetes settings for Istio.","type":"object","properties":{"tsbVersion":{"description":"Specifies the tsb release version. This is used by the tsb control plane\noperator in determining the xcp version, which would eventually decide Istio\nversion.\n\nIf not provided explicitly, this defaults to the current tsb version.","type":"string","x-order":0},"mountInternalWasmExtensions":{"description":"When this flag is set, the TSB internal WASM extensions will be mounted into the\nSidecar, Ingress and Egress gateway pods automatically. These extensions will be loaded\nas local files instead of being downloaded from a remote OCI registry or HTTP endpoint.\nThis is enabled by default. Set it to false to disable it.","type":"boolean","x-order":1},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesIstioComponentSpec"},"traceSamplingRate":{"description":"The percentage of traces Envoy will sample.","type":"number","format":"double","x-order":3},"defaultWorkloadCertTTL":{"description":"The default TTL of issued workload certificates.\nThis sets both the default client-side CSR TTL and the default server-side\nissued certificate TTL.","type":"string","x-order":4},"maxWorkloadCertTTL":{"description":"The maximum TTL that can be set in issued workload certificates.","type":"string","x-order":5},"trustDomain":{"description":"The trust domain corresponds to the trust root of a system. 
Refer to\n[SPIFFE-ID](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#21-trust-domain).\nIf omitted, TSB will configure the trust domain as\n`CLUSTER_NAME.tsb.local`, where `CLUSTER_NAME` is the name of the cluster\nobject in TSB for this control plane.","type":"string","x-order":6},"baseOverlays":{"description":"The overlays applied to the Istio base component.\nSee https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioComponentSetSpec.\nWhen this is specified, the overlay in `kubeSpec.overlays` are ignored.","type":"array","items":{"$ref":"#/components/schemas/v1alpha1K8sObjectOverlay"},"x-order":7},"pilotOverlays":{"description":"The overlays applied to the Istio pilot component.\nSee https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioComponentSetSpec.\nWhen this is specified, the overlay in `kubeSpec.overlays` are ignored.","type":"array","items":{"$ref":"#/components/schemas/v1alpha1K8sObjectOverlay"},"x-order":8},"cniOverlays":{"description":"The overlays applied to the Istio CNI component.\nSee https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioComponentSetSpec.\nWhen this is specified, the overlay in `kubeSpec.overlays` are ignored.","type":"array","items":{"$ref":"#/components/schemas/v1alpha1K8sObjectOverlay"},"x-order":9},"logLevels":{"description":"Specifies the global logging level settings for the Istio control plane components.","type":"object","additionalProperties":{"type":"string"},"x-order":10},"ambient":{"$ref":"#/components/schemas/IstioAmbient"}}},"v1alpha1IstioSidecarInfo":{"description":"IstioInfo specifies information about the `Istio Sidecar` installed\nalongside the workload.","type":"object","required":["version"],"properties":{"version":{"description":"Version of the `Istio Sidecar`.","type":"string","x-order":0},"revision":{"description":"Istio revision the pre-installed `Istio Sidecar` corresponds to.\n\nE.g., `canary`, `alpha`, etc.\n\nIf 
omitted, it is assumed that the pre-installed `Istio Sidecar`\ncorresponds to the `default` Istio revision.\n\nNotice that the value constraints here are stricter than the ones in Istio.\nApparently, Istio validation rules allow values that lead to internal failures\nat runtime, e.g. values with capital letters or values longer than 56 characters.\nStricter validation rules here are meant to prevent those hidden pitfalls.","type":"string","x-order":1}}},"v1alpha1JwtAuthenticationConfiguration":{"description":"JwtAuthenticationConfiguration specifies configuration of the workload\nauthentication by means of an [OIDC ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).","type":"object","properties":{"issuers":{"description":"List of permitted JWT issuers.\n\nIf a workload authenticates itself by means of an\n[OIDC ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken),\nthe issuer of that token must be present in this list, otherwise\nauthentication attempt will be declined.","type":"array","items":{"$ref":"#/components/schemas/v1alpha1JwtIssuer"},"x-order":0}}},"v1alpha1JwtIssuer":{"description":"JwtIssuer specifies configuration associated with a JWT issuer.\n\nFor example,\n\n```yaml\nissuer: \"https://mycompany.corp\"\njwksUri: \"https://mycompany.corp/jwks.json\"\nshortName: \"mycorp\"\ntokenFields:\n  attributes:\n    jsonPath: .custom_attributes\n```","type":"object","required":["issuer","shortName"],"properties":{"issuer":{"description":"JWT `Issuer` identifier.\n\nThe value must be a case sensitive URL using the https scheme that contains\nscheme, host, and optionally, port number and path components and no query\nor fragment components.\n\nE.g., `https://mycompany.corp`, `https://accounts.google.com`,\n`https://sts.windows.net/9edbd6c9-0e5b-4cfd-afec-fdde27cdd928/`, etc.\n\nSee https://openid.net/specs/openid-connect-core-1_0.html#IDToken","type":"string","x-order":0},"jwksUri":{"description":"URL of the JSON Web Key 
Set document.\n\nSource of public keys the `Workload Onboarding Plane` should use\nto validate the signature of an\n[OIDC ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).\n\nE.g., `https://mycompany.corp/jwks.json`.\n\nWhen unspecified, the URL of the JSON Web Key Set document will be resolved using the\n[OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)\nprotocol.","type":"string","x-order":1},"jwks":{"description":"Inlined JSON Web Key Set document.\n\nSpecifies public keys the `Workload Onboarding Plane` should use\nto validate the signature of an\n[OIDC ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).","type":"string","x-order":2},"shortName":{"description":"Unique short name associated with the issuer.\n\nThe value must consist of lower case alphanumeric characters and hyphen (`-`).\n\nSince this value will be included in the auto-generated name of the\n`WorkloadAutoRegistration` resource, keep it as short as possible.\n\nE.g., `my-corp`, `prod`, `test`, etc.","type":"string","x-order":3},"tokenFields":{"$ref":"#/components/schemas/v1alpha1JwtTokenFields"}}},"v1alpha1JwtTokenField":{"description":"JwtTokenField specifies a custom field included in the\n[OIDC ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).","type":"object","required":["jsonPath"],"properties":{"jsonPath":{"description":"Simple JSON Path which is evaluated against custom claims of the\n[OIDC ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)\nto produce the value of the field.\n\nE.g., `.custom_attributes`, `.google.compute_engine`, etc.\n\nJSON Path must start with either `.` or `$`. 
Use of `$` is mandatory\nwhen followed by the array notation.\n\nE.g., `$['custom_attributes']`, `$['google'].compute_engine`, etc.\n\nSpecial symbols (such as `.` or ` `) in property names must be escaped.\n\nE.g., `.custom\\.attributes`, `$['custom\\.attributes']`, etc.\n\nSee https://goessner.net/articles/JsonPath/","type":"string","x-order":0}}},"v1alpha1JwtTokenFields":{"description":"JwtTokenFields specifies custom fields included into the\n[OIDC ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).","type":"object","properties":{"attributes":{"$ref":"#/components/schemas/v1alpha1JwtTokenField"}}},"v1alpha1K8sObjectOverlay":{"description":"Patch for an existing Kubernetes resource.","type":"object","properties":{"apiVersion":{"description":"Resource API version.","type":"string","x-order":0},"kind":{"description":"Resource kind.","type":"string","x-order":1},"name":{"description":"Name of resource.\nNamespace is always the component namespace.","type":"string","x-order":2},"patches":{"description":"List of patches to apply to resource.","type":"array","items":{"$ref":"#/components/schemas/K8sObjectOverlayPathValue"},"x-order":3}}},"v1alpha1ManagementPlaneSettings":{"description":"Configure the management plane connection.\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  managementPlane:\n    host: tsb.tetrate.io\n    port: 8443\n    selfSigned: true\n    clusterName: control-plane-cluster\n```","type":"object","required":["host","port","clusterName"],"properties":{"host":{"description":"Management plane host address (can be hostname or IPv4/IPv6 address).","type":"string","x-order":0},"port":{"description":"Port management plane is listening on.","type":"integer","format":"int32","x-order":1},"selfSigned":{"description":"Management plane uses a self signed or private TLS certificate.\nIf true, the CA bundle used to verify the MP's TLS certificate 
must be in\na secret `mp-certs` under the key `ca.crt`.","type":"boolean","x-order":2},"clusterName":{"description":"The name of the Cluster object that was created in the Management Plane representing this Control Plane\ncluster.","type":"string","x-order":3}}},"v1alpha1MeshExpansionSettings":{"description":"Configure mesh expansion to connect workloads external to Kubernetes to the mesh.\n\nTo enable mesh expansion set it to an empty object:\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  meshExpansion: {}\n```\n\nIf external workloads are unable to communicate with the default mesh expansion gateway via external IPs or hostnames,\nthen you must specify the gateway that enables them to do so. This custom gateway must be configured to forward this communication\nto the VM gateway service:\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  meshExpansion:\n    customGateway:\n      host: customgateway.tetrate.io\n      port: 15443\n```\n\nTo automate onboarding of workloads from auto-scaling groups of VMs, you need\nto enable the `Workload Onboarding Plane`.\n\n`Workload Onboarding Agent`, a component that you install next to the workload,\nwill connect to the `Workload Onboarding Plane` to authenticate itself, ask\npermission to join the mesh, register the workload into the mesh and retrieve\nboot configuration required to start `Istio Sidecar`.\n\nAll communication between the `Workload Onboarding Agent` and the\n`Workload Onboarding Plane` must occur over TLS.\n\nTherefore, to enable `Workload Onboarding Plane` you must provide a TLS\ncertificate for the endpoint that exposes `Workload Onboarding API` to\n`Workload Onboarding Agents`.\n\nMake sure that TLS certificate is signed by the certificate authority known\nto `Workload Onboarding Agents`.\n\n```yaml\napiVersion: 
install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  meshExpansion:\n    onboarding:\n      endpoint:\n        hosts:\n        - onboarding.example.org\n        secretName: onboarding-tls-cert\n      tokenIssuer:\n        jwt:\n          expiration: 1h\n      localRepository: {}\n```\n\nTo onboard workloads from custom on-premise environments, you can leverage support for\n[OIDC ID Tokens](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).\n\nIf workloads in your custom environment can authenticate themselves by means of an\n[OIDC ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken),\nyou can define a list of JWT issuers permitted by the `Workload Onboarding Plane`.\n\nFor example,\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  meshExpansion:\n    onboarding:\n      endpoint:\n        hosts:\n        - onboarding.example.org\n        secretName: onboarding-tls-cert\n      localRepository: {}\n      workloads:\n        authentication:\n          jwt:\n            issuers:\n            - issuer: \"https://mycompany.corp\"\n              jwksUri: \"https://mycompany.corp/jwks.json\"\n              shortName: \"mycorp\"\n              tokenFields:\n                attributes:\n                  jsonPath: .custom_attributes\n```\n\nTo ensure there will be no traffic loss when an onboarded workload gets\nshutdown, you can configure the time period to delay the shutdown for\nafter deregistering the workload from the mesh, which will give\nenough time to reconfigure all affected mesh nodes to not load balance\nrequests to the deregistered workload before it becomes unavailable.\n\nFor example,\n\n```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ControlPlane\nmetadata:\n  name: controlplane\n  namespace: istio-system\nspec:\n  meshExpansion:\n    onboarding:\n      endpoint:\n  
      hosts:\n        - onboarding.example.org\n        secretName: onboarding-tls-cert\n      localRepository: {}\n      workloads:\n        deregistration:\n          propagationDelay: 15s\n```","type":"object","properties":{"customGateway":{"$ref":"#/components/schemas/v1alpha1MeshExpansionSettingsGateway"},"onboarding":{"$ref":"#/components/schemas/v1alpha1MeshExpansionSettingsOnboardingPlane"},"hostManagement":{"$ref":"#/components/schemas/MeshExpansionSettingsHostManagement"},"serviceObservability":{"$ref":"#/components/schemas/MeshExpansionSettingsServiceObservability"}}},"v1alpha1MeshExpansionSettingsGateway":{"description":"A custom mesh expansion gateway. This is required when the workload can't access the default gateway directly via the external IP or hostname.","type":"object","required":["host","port"],"properties":{"host":{"description":"Mesh expansion gateway host address (can be hostname or IP address).","type":"string","x-order":0},"port":{"description":"Port mesh expansion gateway is listening on.","type":"integer","format":"int32","x-order":1}}},"v1alpha1MeshExpansionSettingsOnboardingPlane":{"description":"Configuration of the `Workload Onboarding Plane`.","type":"object","required":["endpoint"],"properties":{"uid":{"description":"Unique identifier of this particular installation of the `Workload Onboarding Plane`.\n\nIs used in the workload authentication flow to prevent replay attacks\nthat abuse compromised workload credentials intended for a different\ninstallation of the `Workload Onboarding Plane`.\n\nDefaults to an auto-generated 
UUID.","type":"string","x-order":0},"endpoint":{"$ref":"#/components/schemas/MeshExpansionSettingsOnboardingPlaneEndpoint"},"tokenIssuer":{"$ref":"#/components/schemas/MeshExpansionSettingsOnboardingPlaneTokenIssuer"},"localRepository":{"$ref":"#/components/schemas/OnboardingPlaneLocalRepository"},"workloads":{"$ref":"#/components/schemas/v1alpha1WorkloadConfiguration"}}},"v1alpha1NamespacedName":{"description":"NamespacedName specifies a namespace-scoped name.","type":"object","required":["namespace","name"],"properties":{"namespace":{"description":"Namespace name.","type":"string","x-order":0},"name":{"description":"Resource name.","type":"string","x-order":1}}},"v1alpha1OIDCSettings":{"description":"```yaml\napiVersion: install.tetrate.io/v1alpha1\nkind: ManagementPlane\nmetadata:\n  name: managementplane\nspec:\n  identityProvider:\n    oidc:\n      clientId: 50076fd0b8f911eb85290242ac130003\n      scopes: ['email', 'profile']\n      redirectUri: https://example.com/iam/v2/oidc/callback\n      providerConfig:\n        dynamic:\n          configurationUri: https://accounts.google.com/.well-known/openid-configuration\n      offlineAccessConfig:\n        deviceCodeAuth:\n          clientId: 981174759bab4dc49d0072294900eade\n```","type":"object","title":"Identity provider configuration for OIDC","required":["clientId","redirectUri","providerConfig"],"properties":{"clientId":{"description":"The client ID from the OIDC provider's application configuration settings.","type":"string","x-order":0},"scopes":{"description":"Scopes passed to the OIDC provider in the Authentication Request.\nRequired scope 'openid' is included by default, any additional scopes will be appended in the Authorization Request.\nAdditional scopes such as 'profile' or 'email' are generally required if user records in TSB can not be identified\nwith the ID Token 'sub' claim alone.","type":"array","items":{"type":"string"},"x-order":1},"redirectUri":{"description":"The public URI where TSB is 
accessed. This is the location where the OIDC provider will redirect after\nauthentication and must be registered with the OIDC provider. TSB requires that the path matches\n/iam/v2/oidc/callback. For example, if TSB is accessed via https://example.com, then this setting should be\nhttps://example.com/iam/v2/oidc/callback and the OIDC provider application setting for the Redirect URI\nmust match this.","type":"string","x-order":2},"authorizationParams":{"description":"Optional parameters that will be included in the authorization request to the authorization endpoint.\nThis provides a way to add non-standard or optional query parameters to the authorization request.\nRequired parameters such as \"client_id\", \"scope\", \"state\" and \"redirect_uri\" will take precedence over any\nparameters defined here. In other words, setting any of these parameters here will not have any effect and will\nbe replaced by other TSB configuration.","type":"object","additionalProperties":{"type":"string"},"x-order":3},"maxExpirationSeconds":{"description":"Optional max expiration time of issued tokens. When greater than 0 this sets an upper bound on the\ntoken expiration. If not provided or if the value is greater than the token expiration issued by the\nOIDC provider then the OIDC provider expiration time takes precedence.","type":"integer","format":"int32","x-order":4},"providerConfig":{"$ref":"#/components/schemas/v1alpha1OIDCSettingsProviderSettings"},"offlineAccessConfig":{"$ref":"#/components/schemas/OIDCSettingsOfflineAccessSettings"}}},"v1alpha1OIDCSettingsProviderSettings":{"description":"OIDC provider's configuration. Either dynamic or static configuration can be used. When dynamic configuration is\nset the TSB operator will configure OIDC settings discovered through the provider's configuration endpoint. 
If the\nprovider doesn't have a configuration endpoint you can set the required OIDC settings using static values.","type":"object","properties":{"dynamic":{"$ref":"#/components/schemas/OIDCSettingsDynamicSettings"},"static":{"$ref":"#/components/schemas/OIDCSettingsStaticSettings"}}},"v1alpha1Onboarding":{"description":"Settings for the `Workload Onboarding` component.","type":"object","properties":{"operator":{"$ref":"#/components/schemas/v1alpha1OnboardingOperator"},"repository":{"$ref":"#/components/schemas/v1alpha1OnboardingRepository"},"plane":{"$ref":"#/components/schemas/installcontrolplanev1alpha1OnboardingPlane"}}},"v1alpha1OnboardingOperator":{"description":"Kubernetes settings for the `Workload Onboarding Operator` component.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevels":{"description":"The log level configuration by scopes.\nSupported log level: \"none\", \"error\", \"warn\", \"info\", \"debug\".","type":"object","additionalProperties":{"type":"string"},"x-order":1}}},"v1alpha1OnboardingPlaneInstance":{"description":"Kubernetes settings for the `Workload Onboarding Plane Instance` component.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevels":{"description":"The log level configuration by scopes.\nSupported log level: \"none\", \"error\", \"warn\", \"info\", \"debug\".","type":"object","additionalProperties":{"type":"string"},"x-order":1}}},"v1alpha1OnboardingRepository":{"description":"Kubernetes settings for the `Workload Onboarding Repository` component.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"v1alpha1OperatorDeployment":{"description":"Values for the TSB operator deployment.","type":"object","properties":{"affinity":{"$ref":"#/components/schemas/installkubernetesAffinity"},"annotations":{"type":"object","title":"Custom collection of 
annotations to add to the deployment.\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","additionalProperties":{"type":"string"},"x-order":1},"env":{"type":"array","title":"Custom collection of environment vars to add to the container.\nhttps://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/","items":{"$ref":"#/components/schemas/installkubernetesEnvVar"},"x-order":2},"podAnnotations":{"description":"Custom collection of annotations to add to the pod.","type":"object","additionalProperties":{"type":"string"},"x-order":3},"replicaCount":{"description":"Number of replicas managed by the deployment.","type":"integer","format":"int32","x-order":4},"strategy":{"$ref":"#/components/schemas/installkubernetesDeploymentStrategy"},"tolerations":{"type":"array","title":"Toleration collection applying to the pod scheduling.\nhttps://kubernetes.io/docs/concepts/configuration/taint-and-toleration/","items":{"$ref":"#/components/schemas/corev1Toleration"},"x-order":6}}},"v1alpha1OperatorService":{"description":"Values for the TSB operator service.","type":"object","properties":{"annotations":{"type":"object","title":"Custom collection of annotations to add to the service.\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/","additionalProperties":{"type":"string"},"x-order":0}}},"v1alpha1OperatorServiceAccount":{"description":"Values for the TSB operator service account.","type":"object","properties":{"annotations":{"description":"Custom collection of annotations to add to the service account.","type":"object","additionalProperties":{"type":"string"},"x-order":0},"imagePullSecrets":{"description":"Collection of secrets names required to be able to pull images from the registry.","type":"array","items":{"type":"string"},"x-order":1},"pullSecret":{"type":"string","title":"A Docker config JSON to be stored in a secret to be used as an image pull secret. 
If this secret is provided,\nit will be included in the operator service account as reference.\nhttps://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line","x-order":2},"pullUsername":{"description":"Used along with the pull password and the provided image registry to generate a Docker config JSON that\nwill be stored as a pull secret.","type":"string","x-order":3},"pullPassword":{"description":"Used along with the pull username and the provided image registry to generate a Docker config JSON that\nwill be stored as a pull secret.","type":"string","x-order":4}}},"v1alpha1RateLimitServer":{"type":"object","title":"Configuration settings for the RateLimit Server","required":["backend"],"properties":{"backend":{"$ref":"#/components/schemas/RateLimitServerBackend"},"domain":{"description":"The domain field allows ratelimits to be namespaced to\na certain domain. To support common ratelimits across multiple clusters\nset this string to a common value across them. 
This assumes that the same\nbackend (uri) is being used.\nBy default the domain is set to the name of the control plane cluster.","type":"string","x-order":1},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"v1alpha1RegisterWorkloadResponse":{"description":"Response to the registration request.","type":"object"},"v1alpha1Registration":{"description":"Registration specifies information sent by the `Workload Onboarding Agent`\nto the `Workload Onboarding Plane` to register the workload in the mesh.","type":"object","required":["agent","sidecar","host"],"properties":{"agent":{"$ref":"#/components/schemas/v1alpha1AgentInfo"},"sidecar":{"$ref":"#/components/schemas/v1alpha1SidecarInfo"},"host":{"$ref":"#/components/schemas/v1alpha1HostInfo"},"workload":{"$ref":"#/components/schemas/v1alpha1WorkloadInfo"},"settings":{"$ref":"#/components/schemas/typesregistrationv1alpha1Settings"}}},"v1alpha1Route53Controller":{"description":"Kubernetes settings for the Route53 Integration Controller component.","type":"object","properties":{"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"}}},"v1alpha1Route53Settings":{"description":"Settings for integration with Route53 service.","type":"object","required":["serviceAccountName"],"properties":{"serviceAccountName":{"type":"string","title":"Service account name to use for IAM role. Required. Deprecated, use AWSIntegrationSettings instead.\n$hide_from_docs","x-order":0},"namespaceSelector":{"$ref":"#/components/schemas/v1alpha1Route53SettingsNamespaceSelector"},"policy":{"$ref":"#/components/schemas/Route53SettingsPolicy"},"domainFilter":{"description":"List of domains to limit possible target zones by a domain suffix. Default is an empty list, which means all resources are considered as DNS targets.","type":"array","items":{"type":"string"},"x-order":3},"interval":{"description":"Duration of interval between individual synchronizations. 
Default: 60s.","type":"string","x-order":4},"ttl":{"description":"Default TTL (in seconds) value for DNS records. Default: 300.","type":"string","format":"int64","x-order":5},"evaluateTargetHealth":{"description":"Control whether to evaluate the health of a DNS target. Default: true.","type":"boolean","x-order":6},"filterSettings":{"$ref":"#/components/schemas/Route53SettingsFilterSettings"},"enabled":{"description":"Enable/disable the Route53 integration controller. Default: false.","type":"boolean","x-order":8}}},"v1alpha1Route53SettingsNamespaceSelector":{"description":"NamespaceSelector specifies which namespaces controller will watch.","type":"object","properties":{"namespace":{"description":"Specifies the namespace to watch for resources. Mutually exclusive with `ignore_namespaces`.\nIf not specified (\"\"), all namespaces will be watched which is the default.","type":"string","x-order":0},"ignoreNamespaces":{"description":"Comma separated list of namespaces to ignore when watching for DNS endpoints. When using this option remember\nto include the name of the namespace in which Control Plane is installed. If Management Plane is installed in the same cluster\ninclude the namespace name in this option as well.\nMutually exclusive with `namespace`.\nDefault: the namespace where the controller is running, usually `istio-system`.","type":"string","x-order":1}}},"v1alpha1SPMAgent":{"description":"Kubernetes settings for the SPM Agent component.","type":"object","properties":{"enabled":{"description":"SPM Agent is an optional component. 
If enabled is true, this component will be installed.","type":"boolean","x-order":0},"hostPath":{"description":"The root directory of each host for SPM agent use.\nBy default, the value is \"/\".\nIn the case of container-in-container, it is necessary to specify the path of the current host directory within the current container.","type":"string","x-order":1},"disableMultiProtocolAnalysis":{"description":"Set to true to disable multiple protocol analysis. Default is false.\nWhen disabled, if the detected protocol is HTTP, the TCP protocol data won't be analyzed.\nWhen enabled, if the detected protocol is HTTP, both the TCP and HTTP protocols will be analyzed together.","type":"boolean","x-order":2},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevel":{"description":"The log level configuration by scopes.\nSupported log level: \"panic\", \"fatal\", \"error\", \"warn\", \"info\", \"debug\" and \"trace\".","type":"string","x-order":4},"priority":{"$ref":"#/components/schemas/SPMAgentPrioritySetting"}}},"v1alpha1Satellite":{"description":"Kubernetes settings for the Satellite (SkyWalking-Satellite) component.","type":"object","properties":{"enabled":{"description":"Satellite is an optional component. If enabled is false, this component\nwill not be installed.","type":"boolean","x-order":0},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevel":{"description":"Specifies the log level for the component.\nSupported log level: \"panic\", \"fatal\", \"info\", \"warn\", \"error\", \"debug\" and \"trace\".","type":"string","x-order":2}}},"v1alpha1SecretsXCP":{"description":"Secrets to reach the XCP Central in the Management Plane.","type":"object","properties":{"autoGenerateCerts":{"description":"Enabling this will auto generate XCP Edge certificate if mTLS is enabled to authenticate to XCP Central. 
Requires cert-manager.","type":"boolean","x-order":0},"rootca":{"description":"CA certificate of XCP components.","type":"string","x-order":1},"rootcakey":{"description":"Key of the CA certificate of XCP components.","type":"string","x-order":2},"edge":{"$ref":"#/components/schemas/XCPEdge"}}},"v1alpha1SessionResponse":{"description":"SessionResponse specifies response messages sent by the `Workload Onboarding Plane`\nback to the `Workload Onboarding Agent` as part of a single session.","type":"object","properties":{"discoveryResponse":{"$ref":"#/components/schemas/v3DiscoveryResponse"}}},"v1alpha1SidecarConfiguration":{"description":"SidecarConfiguration represents boot configuration of a sidecar, e.g.\n`Istio Sidecar`.","type":"object","properties":{"seed":{"$ref":"#/components/schemas/v1alpha1SidecarConfigurationSeed"},"update":{"$ref":"#/components/schemas/v1alpha1SidecarConfigurationUpdate"}}},"v1alpha1SidecarConfigurationSeed":{"description":"SidecarConfigurationSeed represents seed configuration required to start\na sidecar, e.g. `Istio Sidecar`.","type":"object","required":["command"],"properties":{"command":{"description":"Path to the sidecar executable, i.e. `pilot-agent` binary of the\n`Istio Sidecar`.\n\nNotice that `Workload Onboarding Agent` is not expected to run this command\n\"as is\". Instead, `Workload Onboarding Agent` should use this value to identify\nwhich of (potentially many) executables comprising a sidecar it needs to\nrun.\n\nE.g., `Istio Sidecar` comes with `pilot-agent`, `envoy` and `istio-start.sh`\nexecutables. To clarify that `Workload Onboarding Agent` must use `pilot-agent`\nbinary to start the sidecar, `Workload Onboarding Plane` will use a command value\n`/usr/local/bin/pilot-agent`.","type":"string","x-order":0},"args":{"description":"Arguments to the sidecar command, e.g. Istio `pilot-agent`.","type":"array","items":{"type":"string"},"x-order":1},"env":{"description":"Environment variables of the sidecar command, e.g. 
Istio `pilot-agent`.","type":"array","items":{"$ref":"#/components/schemas/typessidecarv1alpha1EnvVar"},"x-order":2},"files":{"description":"Configuration files of the sidecar, e.g. Istio `pilot-agent`.","type":"array","items":{"$ref":"#/components/schemas/v1alpha1File"},"x-order":3},"dirs":{"description":"Directories required by the sidecar, e.g. Istio `pilot-agent`.","type":"array","items":{"$ref":"#/components/schemas/v1alpha1Dir"},"x-order":4}}},"v1alpha1SidecarConfigurationUpdate":{"description":"SidecarConfigurationUpdate represents an update to the already known\nseed configuration that can be applied without full restart of the sidecar.","type":"object","properties":{"files":{"description":"Reloadable configuration files of the sidecar, e.g. `Istio token` file\nreloadable by the Istio `pilot-agent`.","type":"array","items":{"$ref":"#/components/schemas/v1alpha1File"},"x-order":0}}},"v1alpha1SidecarInfo":{"description":"SidecarInfo specifies information about the sidecar installed alongside\nthe workload.","type":"object","properties":{"istio":{"$ref":"#/components/schemas/v1alpha1IstioSidecarInfo"}}},"v1alpha1UnregisterWorkloadResponse":{"description":"Response to the unregistration request.","type":"object","properties":{"propagationDelay":{"description":"Estimated amount of time it will take to propagate the unregistration event\nacross all affected mesh nodes.\n\nDuring this time interval affected proxies will continue making requests\nto the deregistered workload until the respective configuration update\narrives.\n\nTo prevent traffic loss, `Workload Onboarding Agent` SHOULD delay shutdown\nof the workload's sidecar for that time period.","type":"string","x-order":0}}},"v1alpha1Values":{"description":"Values available for the TSB Control Plane chart.\nThis is an alpha API, so future versions could include breaking 
changes.","type":"object","properties":{"image":{"$ref":"#/components/schemas/commonv1alpha1Image"},"spec":{"$ref":"#/components/schemas/v1alpha1ControlPlaneSpec"},"secrets":{"$ref":"#/components/schemas/controlplanev1alpha1Secrets"},"operator":{"$ref":"#/components/schemas/commonv1alpha1Operator"}}},"v1alpha1WASMFetcher":{"description":"Settings for the WASM Fetcher component.","type":"object","properties":{"cacheDisableInsecureRegistries":{"description":"Denies insecure registries to be used for fetching WASM modules. Defaults to `false`.","type":"boolean","x-order":0},"cacheExpiration":{"description":"WASM Module cache expiration time. Defaults to `24h`.","type":"string","x-order":1},"cacheMaxRetries":{"description":"Maximum number of retries when fetching WASM modules from the OCI registry. Defaults to `5`.","type":"integer","format":"int32","x-order":2},"cachePurgeInterval":{"description":"WASM cache purge interval to periodically clean up the stale WASM modules. Defaults to `1h`.","type":"string","x-order":3},"cacheRequestTimeout":{"description":"Specifies the timeout used when retrieving the WASM plugin from the OCI registry. Defaults to `15s`.","type":"string","x-order":4},"kubeSpec":{"$ref":"#/components/schemas/kubernetesKubernetesComponentSpec"},"logLevels":{"description":"The log level configuration by scopes.\nSupported log levels: \"none\", \"error\", \"info\", \"debug\".","type":"object","additionalProperties":{"type":"string"},"x-order":6}}},"v1alpha1WaypointsConfig":{"type":"object","properties":{"clusterLevel":{"$ref":"#/components/schemas/WaypointsConfigCommonWaypointConfig"},"namespaceLevel":{"description":"List of namespace-level waypoint configurations. 
Each entry specifies waypoint\nsettings for a specific namespace or set of namespaces.","type":"array","items":{"$ref":"#/components/schemas/WaypointsConfigNamespaceLevelCommonConfig"},"x-order":1}}},"v1alpha1WorkloadAuthenticationConfiguration":{"description":"WorkloadAuthenticationConfiguration specifies configuration of the workload\nauthentication.","type":"object","properties":{"jwt":{"$ref":"#/components/schemas/v1alpha1JwtAuthenticationConfiguration"}}},"v1alpha1WorkloadConfiguration":{"description":"WorkloadConfiguration specifies configuration of the workload handling.\n\nFor example,\n\n```yaml\nauthentication:\n  jwt:\n    issuers:\n    - issuer: \"https://mycompany.corp\"\n      jwksUri: \"https://mycompany.corp/jwks.json\"\n      shortName: \"mycorp\"\n      tokenFields:\n        attributes:\n          jsonPath: .custom_attributes\nderegistration:\n  propagationDelay: 15s\n```","type":"object","properties":{"authentication":{"$ref":"#/components/schemas/v1alpha1WorkloadAuthenticationConfiguration"},"deregistration":{"$ref":"#/components/schemas/v1alpha1WorkloadDeregistrationConfiguration"}}},"v1alpha1WorkloadDeregistrationConfiguration":{"description":"WorkloadDeregistrationConfiguration specifies configuration of the workload\nderegistration.","type":"object","properties":{"propagationDelay":{"description":"Estimated amount of time it takes to propagate the unregistration event\nacross all affected mesh nodes.\n\nDuring this time interval affected proxies will continue making requests\nto the deregistered workload until the respective configuration update\narrives.\n\nTo prevent traffic loss, `Workload Onboarding Agent` SHOULD delay shutdown\nof the workload's sidecar for that time period.\n\nAs a rule of thumb, this value should remain relatively small, e.g. under\n15 seconds. The reason for this is that shutdown flow on the workload's side\nis time-boxed. 
E.g., on VMs there is a stop timeout enforced by SystemD,\nwhile on AWS ECS there is a stop timeout enforced by ECS Agent. If you pick\na delay value that is too big, `Workload Onboarding Agent` will delay\nshutdown of the sidecar for too long; as a result the sidecar risks being\nterminated abruptly instead of draining connections gracefully.\n\nDefaults to `10s`.","type":"string","x-order":0}}},"v1alpha1WorkloadInfo":{"description":"WorkloadInfo specifies information about the workload.","type":"object","properties":{"labels":{"description":"Labels associated with the workload.","type":"object","additionalProperties":{"type":"string"},"x-order":0}}},"v2Access":{"description":"Access is an access request for a subject with a set of permissions.\n\nExample:\nAccess {\n  Subject: \"organizations/demo/tenants/demo/applications/caller\",\n  Permissions: []string{\"GET\"}\n}","type":"object","required":["subject","permissions"],"properties":{"subject":{"description":"Subject is the subject that is requested to access the resource.","type":"string","x-order":0},"permissions":{"description":"Permissions is a list of permissions that the subject is allowed to use.","type":"array","items":{"type":"string"},"x-order":1},"metadata":{"$ref":"#/components/schemas/qv2Metadata"}}},"v2AccessPolicy":{"description":"A policy defines the set of subjects that can access a resource and under\nwhich conditions that access is granted.","type":"object","title":"Policy","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":1},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":2},"allow":{"description":"The list of allowed bindings configures the different access profiles that\nare allowed on the resource configured by the policy.","type":"array","items":{"$ref":"#/components/schemas/rbacv2Binding"},"x-order":3}}},"v2AggregatedStatus":{"description":"`AggregatedStatus` is used by resources with children to aggregate both the\nsequence of events and the status of its children resources.","type":"object","properties":{"configEvents":{"$ref":"#/components/schemas/v2ConfigEvents"},"children":{"description":"Map of children resource FQNs to their status.","type":"object","additionalProperties":{"$ref":"#/components/schemas/AggregatedStatusChildStatus"},"x-order":1},"childrenStatus":{"$ref":"#/components/schemas/AggregatedStatusChildStatus"}}},"v2Application":{"description":"Applications are logical groupings of services that are related to each other,\ntypically within a trusted group.\nA common example are three tier applications composed of a frontend, a backend and a\ndatastore service.\n\nApplications are often consumed through APIs, and a single Application can expose one\nor more of those APIs. These APIs will define the hostnames that are exposed and the\nmethods exposed in each hostname.\n\n```yaml\napiVersion: application.tsb.tetrate.io/v2\nkind: Application\nmetadata:\n  name: three-tier\n  organization: myorg\n  tenant: tetrate\nspec:\n  workspace: organizations/myorg/tenants/tetrate/three-tier\n```\n\n\n\n","type":"object","required":["workspace"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. 
This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"workspace":{"description":"FQN of the workspace this application is part of.\nThe application will configure IngressGateways for the attached APIs\nin the different namespaces exposed by this workspace.","type":"string","x-order":4},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"gatewayGroup":{"description":"Optional FQN of the Gateway Group to be used by the application.\nIf configured, this gateway group will be used by the application. If\nno namespaces are configured and no existing gateway group is set, a new gateway group claiming all\nnamespaces in the workspace (`*/*`) will be created by default.\nAll Ingress Gateway resources created for the APIs attached to the application will be created in\nthe application's gateway group.","type":"string","x-order":6},"services":{"description":"Optional list of services that are part of the application. This is a list of FQNs of services in the\nservice registry.\nIf omitted, the application is assumed to own all the services in the workspace.\nNote that a service can only be part of one application. 
If any of the services in the list is already\nin use by an existing application, application creation/modification will fail.\nIf the list of services is not explicitly set and any service in the workspace is already in use by\nanother application, application creation/modification will fail.","type":"array","items":{"type":"string"},"x-order":7},"configResources":{"type":"array","title":"The configuration resources that are related to this Application.\n$hide_from_docs","items":{"$ref":"#/components/schemas/v2ConfigResource"},"x-order":8,"readOnly":true}}},"v2ApprovalPolicy":{"description":"ApprovalPolicy is a set of authorization rules that define access to a resource.\nWhen applied to a resource, the rules enforce access to the resource based on the permission set.\n\nExample:\nApprovalPolicy {\n  Mode: ApprovalPolicy_REQUIRE_APPROVAL,\n  Resource: \"organizations/demo/tenants/demo/applications/target-app\",\n  Approved: []Access {{\n    Subject: \"organizations/demo/tenants/demo/applications/calling-app\",\n    Permissions: []string{\"GET\", \"POST\"}\n  }}\n}","type":"object","required":["mode","resource"],"properties":{"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":0},"mode":{"$ref":"#/components/schemas/v2ApprovalPolicyMode"},"resource":{"description":"Resource is a fully qualified name of the resource that the policy applies to.","type":"string","x-order":2},"requested":{"description":"Requested is a list of subjects that are requested to access the resource but that have not yet been\nexplicitly approved.\nThe access mode of the policy will determine if the subjects in this list are given immediate access to the\nresource.","type":"array","items":{"$ref":"#/components/schemas/v2Access"},"x-order":3},"approved":{"description":"Approved is a list of subjects that are approved to access the resource.","type":"array","items":{"$ref":"#/components/schemas/v2Access"},"x-order":4},"metadata":{"$ref":"#/components/schemas/qv2Metadata"}}},"v2ApprovalPolicyMode":{"description":" - UNRESTRICTED: Allows all subjects in the same policy class to access the resource.\n - ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.\n - REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.","type":"string","default":"UNRESTRICTED","enum":["UNRESTRICTED","ALLOW_REQUESTED","REQUIRE_APPROVAL"]},"v2ArgoRollout":{"description":"ArgoRollout can be used to configure this ServiceRoute to be controlled by Argo Rollouts.\nWhen set, the ServiceRoute should contain two subsets (e.g. stable and canary) to allow traffic\nshifting. 
Only HTTP and subset level traffic splitting is supported.","type":"object","properties":{"virtualServiceName":{"description":"The name of the VirtualService that the ServiceRoute will create that should be configured\nin the Argo Rollout custom resource.","type":"string","x-order":0},"destinationRuleName":{"description":"The name of the DestinationRule that the ServiceRoute will create that should be configured\nin the Argo Rollout custom resource.","type":"string","x-order":1}}},"v2AuthorizationRules":{"description":"- If deny_all is true, deny the request\n\n- If deny is defined and there are any denied target workload, deny the request.\n\n- If there are no allowed target workload, allow the request.\n\n- If allow is defined and there are any allowed target workload, allow the request.\n\n- Deny the request.","type":"object","title":"`AuthorizationRules` specifies which target workloads are allowed or denied.\nWhen the mode is `RULES`, by default, if no authorization rules are provided all requests will be accepted.\nCurrently, when a list of allow or deny rules are provided, a workload can only be targeted\nby providing the workspace or security group resource the workload belongs to.\nWhen different target workloads are allowed, denied or all workload are denied,\nto evaluate if a request is accepted or rejected, denies are evaluated first, and finally allows.\nAccepting or denying a request from a workload is determined by:","properties":{"allow":{"description":"Allow specifies a list of rules. If a request matches at least one rule, the request is accepted.\nIf no allow rules are provided, all requests are allowed.\nEach rule must be unique, no duplicates are allowed.\nA rule that is fully contained by another rule is not allowed.\nFor instance, defining a rule from workspace `w1` to `w2` and another rule\nfrom security group `sg1` (which belongs to workspace `w1`) to `sg2` (which belongs to workspace `w2`)\nis not allowed. 
It is not allowed, because from security group `sg1` to `sg2` rule is already allowed by\nthe rule from workspace `w1` to `w2`.","type":"array","items":{"$ref":"#/components/schemas/securityv2Rule"},"x-order":0},"denyAll":{"description":"Deny all specifies whether all requests should be rejected.\nIf it is true all requests will be rejected.\nIf it is false the list of deny rules will be evaluated.","type":"boolean","x-order":1},"deny":{"description":"Deny specifies a list of rules. If a request matches at least one rule, the request is rejected.\nIf deny rules are provided, the match will never occur, so no request can be rejected.\nEach rule must be unique, no duplicates are allowed.\nA rule that is fully contained by another rule is not allowed.\nFor instance, defining a rule from workspace `w1` to `w2` and another rule\nfrom security group `sg1` (which belongs to workspace `w1`) to `sg2` (which belongs to workspace `w2`)\nis not allowed. It is not allowed, because from security group `sg1` to `sg2` rule is already denied by\nthe rule from workspace `w1` to `w2`.","type":"array","items":{"$ref":"#/components/schemas/securityv2Rule"},"x-order":2}}},"v2BlameResponse":{"type":"object","title":"effectiveProfileMandatedPaths:\n  - authenticationSettings\n  - authenticationSettings.trafficMode\n```","properties":{"effectiveProfileConfig":{"$ref":"#/components/schemas/v2ProfileConfig"},"effectiveProfilePaths":{"description":"Map of profile config field paths to the resource FQNs that set the value at that path.","type":"object","additionalProperties":{"type":"string"},"x-order":1},"effectiveProfileMandatedPaths":{"description":"Subset of the effective paths whose values are set by mandates.","type":"array","items":{"type":"string"},"x-order":2},"effectiveProfileAttachmentPaths":{"description":"Like effective_profile_paths, but the FQNs are from the resources that attach the 
profiles.","type":"object","additionalProperties":{"type":"string"},"x-order":3}}},"v2CleanupResourcesRequest":{"description":"Request message for finding and optionally cleaning up resources.","type":"object","properties":{"usage":{"$ref":"#/components/schemas/CleanupResourcesRequestUsage"},"hostname":{"description":"Optional hostname filter: return or apply changes only for resources\nrelated to the specified hostname (for example, gateways exposing it).","type":"string","x-order":1},"path":{"description":"Optional path filter: specify a specific path to further narrow down the resources.\nRequires hostname to be set.\nNote: path filtering is currently not supported.","type":"string","x-order":2},"apply":{"description":"When true, applies the changes; when false or unset, performs a dry-run.","type":"boolean","x-order":3},"force":{"description":"When true, forces the changes even if the resources are still marked as in use\nor when running without a scoped filter (hostname/path).","type":"boolean","x-order":4}}},"v2CleanupResourcesResponse":{"description":"Response message for cleanup of unused resources.","type":"object","properties":{"changes":{"description":"The set of proposed or applied changes.","type":"array","items":{"$ref":"#/components/schemas/CleanupResourcesResponseChange"},"x-order":0},"applied":{"description":"True if the request was executed with apply=true and the changes were applied.\nFalse indicates a dry-run with no changes enforced.","type":"boolean","x-order":1}}},"v2ClusterConfig":{"type":"object","title":"Cluster configurations.\n$hide_from_docs","properties":{"observability":{"$ref":"#/components/schemas/v2ClusterObservabilityConfig"}}},"v2ClusterDestination":{"type":"object","properties":{"name":{"description":"The name of the destination cluster. Only one of name or labels\nmust be specified.","type":"string","x-order":0},"labels":{"description":"Labels associated with the cluster. 
Any cluster with matching\nlabels will be selected as a target. Only one of name or labels\nmust be specified.","type":"object","additionalProperties":{"type":"string"},"x-order":1},"network":{"description":"The network associated with the destination clusters. In addition to\nname/label selectors, only clusters matching the selected networks\nwill be used as a target. At least one of name/labels, and/or network\nmust be specified.\n\nDeprecated: The `network` field is deprecated and will be removed in future releases.\nOnly `labels` matching against the cluster object is supported.","type":"string","x-order":2},"weight":{"description":"The weight for traffic to a given destination.","type":"integer","format":"int64","x-order":3}}},"v2ClusterObservabilityConfig":{"type":"object","title":"The observability configurations for a cluster.\n$hide_from_docs","properties":{"retentionPeriodDays":{"description":"The retention period of telemetry metrics data in days.","type":"integer","format":"int32","x-order":0},"tracesRetentionPeriodDays":{"description":"The retention period of telemetry traces data in days.","type":"integer","format":"int32","x-order":1},"apiEndpointMetricsEnabled":{"description":"Whether the API endpoint metrics feature is enabled in MP,\nif this feature is disabled in MP, all CP must disable this\nfeature too because this feature requires MP to create indices,\nif this feature is enabled in MP, CP clusters can choose whether\nto enable it or not as per their needs.","type":"boolean","x-order":2},"spmAgentReceiverEnabled":{"description":"Whether the SPM Agent is enabled or disabled in MP.\nIf the SPM Agent is disabled in MP, then it should also be turned off in CP to prevent the OAP crash in CP.","type":"boolean","x-order":3}}},"v2ClusterOnboardingConfig":{"description":"Configuration for onboarding a cluster.\n\n\n\n","type":"object","required":["namespaces"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the cluster onboarding 
configuration.\n$hide_from_yaml","x-order":0,"readOnly":true},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be\nsent on every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":1},"namespaces":{"description":"Set of namespaces configuration for the cluster.","type":"array","items":{"$ref":"#/components/schemas/ClusterOnboardingConfigNamespaceConfig"},"x-order":2}}},"v2ClusterOnboardingStatus":{"description":"The onboarding status for a cluster.","type":"object","properties":{"namespaces":{"description":"The status of the namespaces in the cluster.","type":"array","items":{"$ref":"#/components/schemas/v2ClusterOnboardingStatusNamespaceStatus"},"x-order":0}}},"v2ClusterOnboardingStatusNamespaceStatus":{"description":"The status of the namespaces in the cluster.","type":"object","properties":{"name":{"description":"The name of the namespace.","type":"string","x-order":0},"desiredState":{"$ref":"#/components/schemas/v2NamespaceDesiredState"},"currentState":{"$ref":"#/components/schemas/v2NamespaceCurrentState"},"currentStateDetails":{"description":"Details about the actual state of the namespace.","type":"string","x-order":3}}},"v2ClusterSelector":{"description":"A template selector based on Cluster details.","type":"object","properties":{"name":{"description":"Matches the name of the cluster.","type":"string","x-order":0},"labelsSelector":{"$ref":"#/components/schemas/v2LabelsSelector"},"namespaceSelector":{"description":"Selector to target namespaces in the matching cluster.\nWhen empty, any Cluster namespace is matched.","type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2NamespaceSelector"},"x-order":2}}},"v2ClusterState":{"type":"object","title":"State represents the cluster info learned from the onboarded cluster","properties":{"lastSyncTime":{"type":"string","format":"date-time","title":"last time xcp edge(cp) synced with central(mp) in the UTC 
format","x-order":0},"provider":{"type":"string","title":"cluster provider. Ex: GKE, EKS, AKS","x-order":1},"istioVersions":{"description":"This shows currently running istio versions in the cluster.","type":"array","items":{"type":"string"},"x-order":2},"xcpVersion":{"type":"string","title":"xcp-edge version which is running at the cluster","x-order":3},"tsbCpVersion":{"type":"string","title":"TSB controlplane version","x-order":4},"discoveredLocality":{"$ref":"#/components/schemas/tsbv2Locality"},"mode":{"$ref":"#/components/schemas/v2ControlPlaneMode"},"istioRevisions":{"description":"Metadata of different Istio revision found in the cluster.\nAn empty istio revisions field represents there was no Istio\ndiscovered in the cluster.\nField should not be empty in ControlMode as TSB will install\nand depend on Istio.\nIn Observe mode, an empty field represents that a vanilla kubernetes\ncluster.","type":"array","items":{"$ref":"#/components/schemas/ClusterStateIstioRevision"},"x-order":7}}},"v2ClusterStatus":{"description":"The status message for a cluster resource contains the set of join\ntokens that should be used by Service Bridge's agents on the\ncluster.","type":"object","properties":{"tokens":{"description":"Tokens for various agents.","type":"object","additionalProperties":{"type":"string"},"x-order":0}}},"v2Composer":{"type":"object","title":"Composer extension configuration.\n$hide_from_docs","properties":{"plugins":{"description":"List of plugins.","type":"array","items":{"$ref":"#/components/schemas/v2ComposerPlugin"},"x-order":0}}},"v2ComposerPlugin":{"description":"Plugin definition.","type":"object","required":["name"],"properties":{"name":{"description":"Plugin name.\n\nThis can be one of the [Tetrate built in\nplugins](https://docs.tetrate.io/service-bridge/) or a\ncustom plugin.\n\nTetrate built in plugins are bundled with TSB and can run directly.\nHowever providing `pluginSource` is required if this is a custom 
plugin.","type":"string","x-order":0},"priority":{"description":"Priority to be given to this plugin (Optional).\n\nPriority decides the order of execution of plugins.\nFor example. Plugin P1(priority=10) will be executed\nbefore Plugin P2(priority=100).","type":"integer","format":"int32","x-order":1},"config":{"$ref":"#/components/schemas/ComposerPluginPluginConfig"},"url":{"description":"Optional reference to a custom plugin. This url will be used to load the\ncustom plugin binary.\n\nThis is required if this is a custom plugin and can be empty for Tetrate\nbuilt in plugins.\n\nOnly OCI registry urls are supported for now. For example:\noci://my-registry.io/my-repo/my-plugin:latest","type":"string","x-order":3}}},"v2ConfigEvents":{"description":"`ConfigEvents` provides a way to notify the status of a configuration\npropagation as a sequence of events.","type":"object","properties":{"events":{"description":"Sequence of events occurred under the configuration propagation flow.\nIt's ordered by event timestamp, newest first.","type":"array","items":{"$ref":"#/components/schemas/v2ConfigEventsEvent"},"x-order":0}}},"v2ConfigEventsEvent":{"description":"Single `Event` event occurred in the configuration propagation flow.","type":"object","properties":{"type":{"$ref":"#/components/schemas/ConfigEventsEventType"},"reason":{"description":"Optional code that extends the type of the occurred event.","type":"string","x-order":1},"message":{"description":"Optional message describing the reason in a human readable way.","type":"string","x-order":2},"timestamp":{"description":"Time of the event occurrence.","type":"string","format":"date-time","x-order":3},"etag":{"description":"The etag of the resource which configuration triggered this event.","type":"string","x-order":4},"edgesState":{"description":"Stores the `edge cluster name` to `EdgeConfigState` mapping. 
`EdgeConfigState` holds the\n[status + reason] for a resource config that is being applied at edges.\nReason accompanying the Status is useful for pin-pointed debugging at edge level.\nFor instance, a config whose config status is something other than `APPLIED` is\naccompanied by a reason telling why an error occurred while applying the config.\nThis will help in debugging issues at an edge.","type":"object","additionalProperties":{"$ref":"#/components/schemas/ConfigEventsEdgeConfigState"},"x-order":5},"details":{"$ref":"#/components/schemas/v2EventDetails"}}},"v2ConfigGeneration":{"description":"ConfigGeneration provides details about the generation of\nconfigurations. It is used to give additional information about events\nrelated to the generation of configurations, such as when the\nconfiguration generation fails.","type":"object","properties":{"success":{"description":"Whether configuration generation was successful.","type":"boolean","x-order":0},"resourceTypes":{"description":"The types of resources that were generated.","type":"array","items":{"type":"string"},"x-order":1},"phase":{"description":"The phase of configuration generation.","type":"string","x-order":2},"errorMessage":{"description":"The error message, if configuration generation failed.","type":"string","x-order":3},"errorType":{"description":"The type of the error, if configuration generation failed.","type":"string","x-order":4}}},"v2ConfigGenerationMetadata":{"description":"`ConfigGenerationMetadata` allows to setup extra metadata that will be added in the final Istio generated configurations.\nLike new labels or annotations.\nDefining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default\nvalues for those configs that belong to it.\nDefining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) 
will replace the\nones defined in the tenancy resources.","type":"object","properties":{"labels":{"description":"Set of key value pairs that will be added into the `metadata.labels` field of the Istio generated configurations.","type":"object","additionalProperties":{"type":"string"},"x-order":0},"annotations":{"description":"Set of key value pairs that will be added into the `metadata.annotations` field of the Istio generated configurations.","type":"object","additionalProperties":{"type":"string"},"x-order":1}}},"v2ConfigMode":{"description":"The configuration mode used by a traffic, security or a gateway group.\n\n - BRIDGED: Indicates that the configurations to be added to the group will\nuse macro APIs that automatically generate Istio APIs under the\nhood.\n - DIRECT: Indicates that the configurations to be added to the group will\ndirectly use Istio APIs.","type":"string","default":"BRIDGED","enum":["BRIDGED","DIRECT"]},"v2ConfigResource":{"description":"ConfigResource represents a configuration object (group, ingress gateway, etc)\nthat is related to an Application or API.","type":"object","properties":{"fqn":{"description":"The FQN of the resource this status is computed for.","type":"string","x-order":0,"readOnly":true},"expectedEtag":{"description":"The expected etag field is used to check if the configuration resource contents have\nchanged. This might not be relevant for all configuration resources, so this field may\nnot be set. If it is not set, the status will only report the presence or absence of the\nconfiguration resource, but not differences in its contents.\n\nWhen this field is present, the status will also reflect changes in the contents of the\nconfiguration resource, and report it as DIRTY if there are differences.","type":"string","x-order":1,"readOnly":true},"exclusivelyOwned":{"description":"The exclusively owned flag indicates if the referenced configuration resource is exclusively\nowned by the object. 
Configuration resources that are exclusively owned by an object will\nbe deleted when the object is deleted.","type":"boolean","x-order":2,"readOnly":true}}},"v2ControlPlaneMode":{"description":"Available Control Plane modes for the Control Plane deployment.\n\n - UNSET: Default mode will be used.\n - CONTROL: Default mode installed in Control plane clusters.\nThe Control Plane will be deployed with the entire TSB feature set\nenabled for this cluster.\n - OBSERVE: The Control Plane will be deployed with only service\ndiscovery and observability features enabled.\nOther features of TSB like configuration propagation,\ncross-cluster discovery, etc, will not be available in this cluster.","type":"string","default":"UNSET","enum":["UNSET","CONTROL","OBSERVE"]},"v2CorsPolicy":{"type":"object","properties":{"allowOrigin":{"description":"The list of origins that are allowed to perform CORS requests. The content will be serialized\ninto the Access-Control-Allow-Origin header. Wildcard * will allow all origins.","type":"array","items":{"type":"string"},"x-order":0},"allowMethods":{"description":"List of HTTP methods allowed to access the resource. The content will be serialized into the\nAccess-Control-Allow-Methods header.","type":"array","items":{"type":"string"},"x-order":1},"allowHeaders":{"description":"List of HTTP headers that can be used when requesting the resource. Serialized to\nAccess-Control-Allow-Headers header.","type":"array","items":{"type":"string"},"x-order":2},"exposeHeaders":{"description":"A white list of HTTP headers that the browsers are allowed to access. Serialized into\nAccess-Control-Expose-Headers header.","type":"array","items":{"type":"string"},"x-order":3},"maxAge":{"description":"Specifies how long the results of a preflight request can be cached. 
Translates to the\nAccess-Control-Max-Age header.","type":"string","x-order":4},"allowCredentials":{"description":"Indicates whether the caller is allowed to send the actual request (not the preflight) using\ncredentials. Translates to Access-Control-Allow-Credentials header.","type":"boolean","x-order":5}}},"v2CreateOrganizationRequest":{"type":"object","title":"Request to create a organization.\n$hide_from_docs","required":["name","organization"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string","x-order":0},"organization":{"$ref":"#/components/schemas/v2Organization"}}},"v2CreateRoleRequest":{"description":"Request to create a Role.","type":"object","required":["name","role"],"properties":{"name":{"description":"The short name for the resource to be created.","type":"string","x-order":0},"role":{"$ref":"#/components/schemas/v2Role"}}},"v2DeploymentDetails":{"description":"DeploymentDetails provides the details of a\ndeployment.","type":"object","properties":{"readyReplicas":{"description":"The number of replicas that are desired for the deployment.","type":"integer","format":"int32","x-order":0},"availableReplicas":{"description":"The number of replicas that are available for the deployment.","type":"integer","format":"int32","x-order":1},"isReady":{"description":"Indicates whether the deployment is fully ready. 
A deployment is considered ready\nwhen it has reached the desired number of replicas, and all replicas are available\nand in a ready state.","type":"boolean","x-order":2}}},"v2DeviceCodeResponse":{"type":"object","title":"Response with device codes for use with the Device Authorization flow.\nFor additional information on the response parameters please refer to the Device Authorization Response section\nof the RFC https://datatracker.ietf.org/doc/html/rfc8628#section-3.2","properties":{"deviceCode":{"type":"string","title":"Code that the device uses to poll for tokens","x-order":0},"userCode":{"type":"string","title":"Code the user enters in the verification URI","x-order":1},"verificationUri":{"type":"string","title":"URI where to enter the user code","x-order":2},"interval":{"type":"integer","format":"int32","title":"Rate in which to poll the token endpoint with the device code","x-order":3},"expiresIn":{"type":"integer","format":"int32","title":"Expiration time of the device code in seconds","x-order":4},"error":{"$ref":"#/components/schemas/v2Error"},"errorMessage":{"description":"Optional error message that contains more details about the error that occurred.","type":"string","x-order":6}}},"v2EastWestGateway":{"description":"EastWestGateway is for configuring a gateway to handle east-west traffic of\nthe services that are not exposed through Ingress or Tier1 gateways (internal\nservices). 
Currently, this is restricted to specifying at Workspace level\nin WorkspaceSetting.","type":"object","required":["workloadSelector"],"properties":{"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"},"exposedServices":{"description":"Exposed services is used to specify the match criteria to select specific services\nfor internal multicluster routing (east-west routing between clusters).\nIf it is not defined or contains no elements, all the services within the workspace\nwill be exposed to the configured gateway.","type":"array","items":{"$ref":"#/components/schemas/v2ServiceSelector"},"x-order":1},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2EgressAuthorization":{"type":"object","title":"EgressAuthorization is used to dictate which service accounts can access a set of external hosts","required":["to"],"properties":{"from":{"$ref":"#/components/schemas/tsbsecurityv2AuthorizationSettings"},"to":{"type":"array","title":"The external hostnames the workload(s) described in this rule can access.\nHosts cannot be specified more than once. 
Use \"*\" to allow access to any external host","items":{"type":"string"},"x-order":1}}},"v2EgressAuthorizationSettings":{"description":"EgressAuthorizationSettings define rules for allowing specific service accounts to access external hosts.\nBy default, when a host is configured for egress access on the Gateway, access is denied.","type":"object","required":["to"],"properties":{"from":{"$ref":"#/components/schemas/tsbgatewayv2AuthorizationSettings"},"to":{"description":"The set of hostnames exposed on the Gateway through which external hosts\ncan be accessed.","type":"array","items":{"$ref":"#/components/schemas/EgressAuthorizationSettingsHostDetails"},"x-order":1},"identityMatch":{"$ref":"#/components/schemas/v2IdentityMatch"}}},"v2EnvValueSource":{"description":" - INLINE: Explicitly given key-value pairs to be injected to this VM.\n - HOST: *Istio-proxy's* environment variables exposed to this VM.","type":"string","default":"INLINE","enum":["INLINE","HOST"]},"v2EnvironmentSelector":{"type":"object","title":"A template selector based on environment details, such as the cloud provider (e.g GKE, EKS, AKS...)","required":["provider"],"properties":{"provider":{"description":"The provider name to match against the Cluster State provider field (case-insensitive match).","type":"string","x-order":0}}},"v2Error":{"type":"string","title":"OAuth2 error codes","default":"NO_ERROR","enum":["NO_ERROR","INVALID_REQUEST","INVALID_CLIENT","INVALID_GRANT","UNAUTHORIZED_CLIENT","UNSUPPORTED_GRANT_TYPE","AUTHORIZATION_PENDING","SLOW_DOWN","ACCESS_DENIED","EXPIRED_TOKEN","SERVER_ERROR"]},"v2EventDetails":{"description":"EventDetails is used to provide details about the event\nin a machine readable structured way. 
It represents the event's\nreason and/or message in a structured format.","type":"object","properties":{"workload":{"$ref":"#/components/schemas/v2GatewayWorkloadDetails"},"configGeneration":{"$ref":"#/components/schemas/v2ConfigGeneration"}}},"v2ExposedBy":{"description":"The exposer of an HTTPEndpoint.","type":"object","properties":{"service":{"description":"The FQN of the service in the service registry that is exposing a concrete endpoint.","type":"string","x-order":0,"readOnly":true},"clusterGroup":{"$ref":"#/components/schemas/v2ExposedByClusters"}}},"v2ExposedByCluster":{"description":"ExposedByCluster is a cluster or set of clusters identified by the labels that are\nexposing an endpoint.","type":"object","properties":{"name":{"description":"The name of the cluster exposing the endpoint. Only one of name or labels\nmust be specified.","type":"string","x-order":0},"labels":{"description":"Labels associated with the cluster. Any cluster with matching\nlabels will be selected as an exposer. 
Only one of name or labels\nmust be specified.","type":"object","additionalProperties":{"type":"string"},"x-order":1},"weight":{"description":"The weight for traffic to a cluster exposing the endpoint.","type":"integer","format":"int64","x-order":2}}},"v2ExposedByClusters":{"description":"ExposedByClusters represents the clusters that are exposing a concrete endpoint.","type":"object","properties":{"clusters":{"description":"The clusters that contain gateways exposing the HTTPEndpoint.","type":"array","items":{"$ref":"#/components/schemas/v2ExposedByCluster"},"x-order":0}}},"v2Extensions":{"description":"Extensions extend TSB functionality.","type":"object","properties":{"kong":{"$ref":"#/components/schemas/v2Kong"},"composer":{"$ref":"#/components/schemas/v2Composer"}}},"v2FlaggerDestination":{"description":"FlaggerDestination will route traffic based on a Flagger Canary resource.\nThe Canary resource must exist in the control plane cluster and have service delegation set to true.","type":"object","required":["canary","namespace"],"properties":{"canary":{"description":"Name of the Canary resource that will manage the deployment.","type":"string","x-order":0},"namespace":{"description":"Namespace of the Canary resource that will manage the deployment.","type":"string","x-order":1}}},"v2GatewayWorkloadDetails":{"description":"GatewayWorkloadDetails provides the details of a\ngateway workload (Deployment and Service). It must be\nused to provide more information about events related\nto the Gateway resource from the install.tetrate.io api.","type":"object","properties":{"deployment":{"$ref":"#/components/schemas/v2DeploymentDetails"},"service":{"$ref":"#/components/schemas/v2ServiceDetails"},"isReady":{"description":"Indicates whether the gateway workload is ready. 
A gateway workload\nis considered ready when both the deployment and service are ready.","type":"boolean","x-order":2}}},"v2GetClusterStatsResponse":{"type":"object","title":"Response to the request for the cluster stats of an Istio Proxy.\nReturns the output of the `/clusters` endpoint of the Envoy Admin interface.\nSee https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--clusters","properties":{"output":{"description":"Output of the cluster stats endpoint of an Istio Proxy.","type":"string","x-order":0},"outputFormat":{"$ref":"#/components/schemas/GetClusterStatsRequestClusterStatsFormat"}}},"v2GetConfigDumpRequestAll":{"description":"Dump all configuration.","type":"object","properties":{"includeEds":{"description":"Include EDS into config dump.","type":"boolean","x-order":0}}},"v2GetConfigDumpRequestEndpoints":{"description":"Dump endpoint configuration.","type":"object"},"v2GetConfigDumpRequestSecrets":{"description":"Dump secret configuration.","type":"object"},"v2GetConfigDumpResponse":{"type":"object","title":"Response to the request for a config dump from an Istio Proxy.\nReturns the output of the `/config_dump` endpoint of the Envoy Admin interface.\nSee https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump","properties":{"output":{"description":"Config in JSON format.","type":"string","x-order":0}}},"v2GetResourcePermissionsResponse":{"description":"Response with permission rules.","type":"object","properties":{"rules":{"type":"array","items":{"$ref":"#/components/schemas/v2RoleRule"},"x-order":0}}},"v2GetServerStatsResponse":{"type":"object","title":"Response to the request for the server stats of an Istio Proxy.\nReturns the output of the `/stats` endpoint of the Envoy Admin interface.\nSee https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--stats","properties":{"output":{"description":"Output of the server stats endpoint of an Istio 
Proxy.","type":"string","x-order":0},"outputFormat":{"$ref":"#/components/schemas/GetServerStatsRequestServerStatsFormat"}}},"v2GlobalTrafficSelector":{"description":"GlobalTrafficSelector provides a mechanism to select a specific traffic flow\nfor which this Wasm Extension will be enabled. This setting applies to all WASM\nExtension attachments. These selectors can be overridden at attachments.\nWhen all the sub conditions in the TrafficSelector are satisfied, the\ntraffic will be selected.","type":"object","properties":{"mode":{"$ref":"#/components/schemas/v2WorkloadMode"}}},"v2GrantResponse":{"description":"Token grant response.","type":"object","properties":{"accessToken":{"description":"Access token issued by the authorization server.","type":"string","x-order":0},"tokenType":{"description":"Access token type such as \"bearer\" or \"mac\".","type":"string","x-order":1},"expiresIn":{"description":"Expiration time of the access token in seconds.","type":"integer","format":"int32","x-order":2},"refreshToken":{"description":"Optional refresh token issued when the authorization server\nand client are configured to use refresh tokens.","type":"string","x-order":3},"clientId":{"description":"Optional client ID used during the grant process.\nWhen present the client ID for subsequent refresh grant calls.\nWhile not a standard field on an OAuth grant response, this helps remove ambiguity\nwhen multiple OIDC configurations are present in TSB.","type":"string","x-order":4},"error":{"$ref":"#/components/schemas/v2Error"},"errorMessage":{"description":"Optional error message that contains more details about the error that occurred.","type":"string","x-order":6}}},"v2GrantType":{"description":"OAuth2 grant types that are currently supported.","type":"string","default":"UNSPECIFIED","enum":["UNSPECIFIED","REFRESH_TOKEN","DEVICE_CODE_URN","CLIENT_CREDENTIALS","TOKEN_EXCHANGE"]},"v2GroupLookupResponse":{"description":"List of groups that configure the requested 
service.","type":"object","properties":{"trafficGroups":{"description":"The traffic groups that configure the given registered service.","type":"array","items":{"$ref":"#/components/schemas/tsbtrafficv2Group"},"x-order":0},"securityGroups":{"description":"The security groups that configure the given registered service.","type":"array","items":{"$ref":"#/components/schemas/tsbsecurityv2Group"},"x-order":1},"gatewayGroups":{"description":"The gateway groups that configure the given registered service.","type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2Group"},"x-order":2},"istioInternalGroups":{"description":"The istio internal groups that configure the given registered service.","type":"array","items":{"$ref":"#/components/schemas/tsbistiointernalv2Group"},"x-order":3}}},"v2HTTPDirectResponse":{"description":"Configures an HTTP response to be generated. This can be used to implement\nhealth check paths where the gateways will directly reply with a preconfigured\nresponse when traffic hits certain exposed paths.","type":"object","required":["status"],"properties":{"status":{"description":"Specifies the HTTP response status to be returned.","type":"integer","format":"int64","x-order":0},"body":{"$ref":"#/components/schemas/HTTPDirectResponseHTTPBody"}}},"v2HTTPEndpoint":{"description":"An HTTP Endpoint represents an individual HTTP path exposed in the API.","type":"object","properties":{"path":{"description":"The HTTP path of the endpoint, relative to the hostnames exposed by the API.","type":"string","x-order":0,"readOnly":true},"methods":{"description":"The list of HTTP methods this endpoint supports.","type":"array","items":{"type":"string"},"x-order":1,"readOnly":true},"hostnames":{"description":"The list of hostnames where this endpoint is exposed.\nIf omitted, the endpoint is assumed to be exposed in all hostnames defined for the API.","type":"array","items":{"type":"string"},"x-order":2,"readOnly":true},"service":{"description":"DEPRECATED: For 
newly created APIs, the exposed servers will be available at httpServers.\nFor APIs created before version 1.7, the exposed servers will still be available in this field.\nThe FQN of the service in the service registry that is exposing this endpoint.","type":"string","x-order":3,"readOnly":true},"exposedBy":{"$ref":"#/components/schemas/v2ExposedBy"}}},"v2HTTPFaultInjection":{"description":"HTTPFaultInjection can be used to specify one or more faults to inject\nwhile forwarding HTTP requests to the destination specified in a route.\nFaults include aborting the HTTP request from downstream service, and/or\ndelaying proxying of requests. A fault rule MUST HAVE delay or abort or\nboth.\nNote that delay and abort faults are independent of one another, even if\nboth are specified simultaneously.","type":"object","properties":{"delay":{"$ref":"#/components/schemas/HTTPFaultInjectionDelay"},"abort":{"$ref":"#/components/schemas/HTTPFaultInjectionAbort"}}},"v2HTTPMatchCondition":{"description":"HTTPMatchCondition is the set of conditions to match incoming HTTP traffic\nand route accordingly. 
We could have used HttpMatchCondition from\ningress_gateway.proto but it doesn't have a port field, so it's better to\ncreate one natively.","type":"object","required":["name"],"properties":{"name":{"type":"string","title":"Name of the match condition","x-order":0},"uri":{"$ref":"#/components/schemas/tsbgatewayv2StringMatch"},"headers":{"type":"object","title":"Headers to match in incoming traffic for routing forward","additionalProperties":{"$ref":"#/components/schemas/tsbgatewayv2StringMatch"},"x-order":2},"port":{"type":"integer","format":"int64","title":"Port to match in incoming traffic","x-order":3}}},"v2HTTPMirror":{"description":"HTTPMirror can be used to specify the destinations to mirror HTTP traffic in addition to the original destination.\nMirrored traffic is on a best effort basis where the sidecar/gateway will not wait for the mirrored destinations\nto respond before returning the response from the original destination.","type":"object","required":["port"],"properties":{"host":{"description":"The host where traffic should be routed to. This should either be a FQDN\nor a short name for the k8s service. For example, \"reviews\" as destination_host will\nbe interpreted as \"reviews.ns1.cluster.local\"\nIf empty, the host will be inferred from the Service Route service field.","type":"string","x-order":0},"subset":{"type":"string","title":"Subset is the version of the service where traffic should be routed to","x-order":1},"port":{"type":"integer","format":"int64","title":"The port corresponding to the service host where traffic should be routed","x-order":2},"percentage":{"description":"Percentage of the traffic to be mirrored.\nIf this field is absent, the max value 100% will be mirrored.","type":"number","format":"double","x-order":3}}},"v2HTTPRewrite":{"description":"Configuration for an URL rewrite rule.","type":"object","properties":{"uri":{"description":"Rewrite the path (or the prefix) portion of the URI with this value. 
If the original URI was\nmatched based on prefix, the value provided in this field will replace the corresponding\nmatched prefix.","type":"string","x-order":0},"authority":{"description":"Rewrite the Authority/Host header with this value.","type":"string","x-order":1}}},"v2HTTPRoute":{"description":"HTTPRoute describes match conditions and actions for HTTP traffic routing to service destinations.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the route.","type":"string","x-order":0},"match":{"type":"array","title":"Match conditions for incoming HTTP traffic","items":{"$ref":"#/components/schemas/v2HTTPMatchCondition"},"x-order":1},"destination":{"description":"Destination host:port and subset where HTTP traffic should be directed.\n**Note**: Only one of `destination` and `flagger` must be configured per route.","type":"array","items":{"$ref":"#/components/schemas/v2ServiceDestination"},"x-order":2},"flagger":{"$ref":"#/components/schemas/v2FlaggerDestination"},"fault":{"$ref":"#/components/schemas/v2HTTPFaultInjection"},"mirrors":{"description":"Mirror HTTP traffic to multiple destinations in addition to forwarding the\nrequests to the intended destination. Mirrored traffic is on a best effort\nbasis, so it won't wait for the mirrored destinations response to respond\nto the intended destination.","type":"array","items":{"$ref":"#/components/schemas/v2HTTPMirror"},"x-order":5}}},"v2Headers":{"description":"Header manipulation rules.","type":"object","properties":{"request":{"$ref":"#/components/schemas/HeadersHeaderOperations"},"response":{"$ref":"#/components/schemas/HeadersHeaderOperations"}}},"v2Hostname":{"description":"Hostname represents a hostname that is used to access a service.\nIt can be a public hostname (e.g. productpage.example.com) or an internal hostname\n(e.g. 
productpage.bookinfo.svc.cluster.local).\nIt provides the list of service deployments that expose this hostname.","type":"object","required":["name"],"properties":{"name":{"description":"A valid hostname.","type":"string","x-order":0},"serviceDeployments":{"type":"array","title":"The list of FQNs of the service deployments that expose this hostname","items":{"type":"string"},"x-order":1,"readOnly":true}}},"v2HostsReachability":{"description":"`HostsReachability` defines the list of gateway hosts that this workspace can reach.\nIn multicluster deployments, hosts are reachable to all namespaces (`*`) by default.\nHowever, this may not always be necessary, as clients may only be present in a few namespaces.\nBy configuring this, a list of namespaces can be limited to the namespaces configured in the workspace.\nWorkspaces with no hosts reachability configuration are considered able to reach all hosts.","type":"object","required":["hostnames"],"properties":{"hostnames":{"description":"The Gateway hostname that can be one of the following. Hostnames should match hosts configured in the Gateway.\n\n- Exact hostnames.\nFor example, `echo.tetrate.io`.\n\n- Prefix hostnames.\nFor example, `echo`. Hosts starting with `echo` are considered.\n\n- Regex hostnames.\nFor example, `^echo.*io$`. Hosts starting with `echo` and ending with `io` are considered.\n\n- List can be empty `[]`.\nWorkspaces with explicitly empty hostnames are considered to not want to see any hosts.","type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2StringMatch"},"x-order":0}}},"v2HttpMatchCondition":{"description":"A single match clause to match all aspects of a request.","type":"object","properties":{"uri":{"$ref":"#/components/schemas/tsbgatewayv2StringMatch"},"headers":{"description":"The header keys must be lowercase and use hyphen as the separator, e.g. 
x-request-id.","type":"object","additionalProperties":{"$ref":"#/components/schemas/tsbgatewayv2StringMatch"},"x-order":1}}},"v2HttpModifyAction":{"description":"HTTP path/url/header modification.","type":"object","properties":{"rewrite":{"$ref":"#/components/schemas/v2HTTPRewrite"},"headers":{"$ref":"#/components/schemas/v2Headers"}}},"v2HttpRouteRule":{"description":"A single HTTP rule.","type":"object","properties":{"match":{"description":"One or more match conditions (OR-ed).","type":"array","items":{"$ref":"#/components/schemas/v2HttpMatchCondition"},"x-order":0},"modify":{"$ref":"#/components/schemas/v2HttpModifyAction"},"route":{"$ref":"#/components/schemas/v2RouteTo"},"redirect":{"$ref":"#/components/schemas/v2Redirect"},"directResponse":{"$ref":"#/components/schemas/v2HTTPDirectResponse"},"disableExternalAuthorization":{"description":"If set to true, external authorization is disabled on this route\nwhen the hostname is configured with external authorization.","type":"boolean","x-order":5},"extensions":{"$ref":"#/components/schemas/v2Extensions"}}},"v2HttpRouting":{"type":"object","required":["rules"],"properties":{"corsPolicy":{"$ref":"#/components/schemas/v2CorsPolicy"},"rules":{"description":"HTTP routes.","type":"array","items":{"$ref":"#/components/schemas/gatewayv2HttpRule"},"x-order":1}}},"v2HttpRoutingConfig":{"description":"`HttpRoutingConfig` defines a list of HTTP route rules that determine how incoming requests are routed.","type":"object","required":["rules"],"properties":{"corsPolicy":{"$ref":"#/components/schemas/v2CorsPolicy"},"rules":{"description":"HTTP routes.","type":"array","items":{"$ref":"#/components/schemas/v2HttpRouteRule"},"x-order":1}}},"v2HttpServer":{"description":"An HTTP server exposed in an ingress gateway.","type":"object","required":["name","port","hostname","routing"],"properties":{"name":{"description":"A name assigned to the server. The name will be visible in the generated metrics. 
The name must be\nunique across all servers in a gateway.","type":"string","x-order":0},"port":{"description":"The port where the server is exposed. Two servers with different protocols (HTTP and HTTPS) should not\nshare the same port. Note that port 15443 is reserved for internal use.","type":"integer","format":"int64","x-order":1},"hostname":{"description":"Hostname with which the service can be expected to be accessed by clients.\n**NOTE:** The hostname must be unique across all gateways in the cluster in order for multicluster routing to work.","type":"string","x-order":2},"tls":{"$ref":"#/components/schemas/v2ServerTLSSettings"},"xxxOldAuthentication":{"$ref":"#/components/schemas/tsbgatewayv2Authentication"},"authentication":{"$ref":"#/components/schemas/tsbauthv2Authentication"},"xxxOldAuthorization":{"$ref":"#/components/schemas/tsbgatewayv2Authorization"},"authorization":{"$ref":"#/components/schemas/tsbauthv2Authorization"},"routing":{"$ref":"#/components/schemas/v2HttpRouting"},"rateLimiting":{"$ref":"#/components/schemas/tsbgatewayv2RateLimiting"}}},"v2IdentityMatch":{"description":"IdentityMatch defines the strategy for utilizing service identities during the evaluation of authorization (authz) rules.\nIt specifies how the identity of a service or workload is verified and used in the context of authz policies.\nThe strictness of identity verification progresses in the following order:\nUNKNOWN < PERMISSIVE < PEER_CERTIFICATE < SOURCE_IDENTITY.\n\n - UNKNOWN: UNKNOWN represents the default state when identityMatch is not explicitly set.\nIn practice, it behaves identically to the PERMISSIVE mode, allowing for a flexible approach to\nidentity verification. 
This mode is typically used as a fallback or when the specific identity verification\nstrategy is undecided.\n - PEER_CERTIFICATE: PEER_CERTIFICATE mode mandates the use of Mutual TLS (mTLS) certificates for identity verification.\nSpecifically, it utilizes the SPIFFE(Secure Production Identity Framework For Everyone) IDs presented in\npeer certificates as the basis for authz decision-making. This mode aligns with Istio's Principal match\nauthorization policies, offering a secure method of asserting service identities through cryptographic certificates.\nIt is suitable for environments where strong, certificate-based identity validation is required.\n - PERMISSIVE: PERMISSIVE mode offers a flexible, transitional approach to identity verification, allowing the evaluation of authz\nrules based on either SOURCE_IDENTITY or PEER_CERTIFICATE identities. This mode is designed to facilitate\ngradual adoption of identity verification practices or to ease system upgrades. It is particularly useful\nin mixed environments where some services use SPIFFE IDs and others use a different form of service identity.\n\nIn ALLOW rules contexts, PERMISSIVE mode authorizes workloads if either their SOURCE_IDENTITY or PEER_CERTIFICATE\nmatches the allowed principals. This approach broadens the range of clients that can be permitted,\noffering more flexibility during policy enforcement.\n\nConversely, in DENY rules contexts, PERMISSIVE mode restricts access to workloads if either their\nSOURCE_IDENTITY or PEER_CERTIFICATE matches the denied principals. This results in a more conservative\nset of clients being allowed, enhancing security by restricting access more broadly.\n - SOURCE_IDENTITY: SOURCE_IDENTITY mode strictly uses the service identity for authz rules evaluation. This identity is propagated\nfrom the originating client to the target service workload, which then assesses authz rules based on this received\nidentity. 
The mode ensures that authz decisions are made based on the explicit identity of the requesting service,\nfacilitating fine-grained access control and enhancing security by strictly adhering to the principle of least privilege.\n\nThis mode is optimal in environments that require strict enforcement of service identities,\nwhere the assurance of the caller's identity is paramount for secure access control.","type":"string","default":"UNKNOWN","enum":["UNKNOWN","PEER_CERTIFICATE","PERMISSIVE","SOURCE_IDENTITY"]},"v2Impact":{"description":"Impact represents a single impact on a field. It specifies how a profile\naffects a field and the type of the impact (e.g., effective or overridden).","type":"object","properties":{"fieldPath":{"description":"The path to the field that is impacted by the profile. This path uniquely\nidentifies the field within the resource.","type":"string","x-order":0},"type":{"$ref":"#/components/schemas/ImpactImpactType"},"source":{"$ref":"#/components/schemas/v2ImpactSource"},"stringValue":{"description":"The value of the field that is impacted by the profile.","type":"string","x-order":3}}},"v2ImpactAnalysis":{"description":"ImpactAnalysis represents the impact of a profile on a resource.","type":"object","properties":{"effectiveImpactsCount":{"description":"The number of effective impacts, which refers to the number of fields\nthat are directly impacted by the profile being analyzed.","type":"integer","format":"int32","x-order":0},"overriddenImpactsCount":{"description":"The number of overridden impacts, which refers to fields that have been\nimpacted by another configuration, such as another profile or settings like\norganization default setting, tenant default settings, workspace default settings,\ntraffic settings, etc.","type":"integer","format":"int32","x-order":1},"impacts":{"description":"The list of individual impacts that were detected during the analysis.\nEach impact corresponds to a field that is affected by the 
profile.","type":"array","items":{"$ref":"#/components/schemas/v2Impact"},"x-order":2}}},"v2ImpactAnalysisResponse":{"description":"ImpactAnalysisResponse represents the response to the ImpactAnalysisRequest.\nIt contains detailed information about the impacts of the analyzed profiles.","type":"object","properties":{"fqn":{"description":"The fully-qualified name (FQN) of the resource impacted.","type":"string","x-order":0},"current":{"$ref":"#/components/schemas/v2ImpactAnalysis"},"modified":{"$ref":"#/components/schemas/v2ImpactAnalysis"}}},"v2ImpactSource":{"description":"The source of the impact. This specifies where the impact originated from,\nsuch as a profile default, a profile mandate, or a configuration setting.","type":"object","properties":{"fqn":{"description":"The fully-qualified name (FQN) of the resource that impacts the field.","type":"string","x-order":0},"type":{"$ref":"#/components/schemas/ImpactSourceType"}}},"v2IngressGateway":{"description":"`IngressGateway` configures a workload to act as a gateway for\ntraffic entering the mesh. The ingress gateway also provides basic\nAPI gateway functionalities such as JWT token validation \nand request authorization. Gateways in privileged\nworkspaces can route to services outside the workspace while those\nin unprivileged workspaces can only route to services inside the\nworkspace.\n\nThe following example declares an ingress gateway running on pods\nwith `app: gateway` labels in the `ns1` namespace. The gateway\nexposes a host `bookinfo.com` on https port 9443 and http port 9090.\nThe port 9090 is configured to receive plaintext traffic and send a\nredirect to the https port 9443 (site-wide HTTP -> HTTPS redirection).\nAt port 9443, TLS is terminated using the certificates in the Kubernetes\nsecret `bookinfo-certs`. 
Clients are authenticated using JWT\ntokens, whose keys are obtained from the OIDC provider `www.googleapis.com`.\nThe request is then authorized by the user's authorization engine\nhosted at `https://company.com/authz` before being forwarded to \nthe `productpage` service in the backend.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    routing:\n      rules:\n      - redirect:\n          authority: bookinfo.com\n          port: 9443\n          redirectCode: 301\n          scheme: https\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    authentication:\n      rules:\n        jwt:\n        - issuer: https://accounts.google.com\n          jwksUri: https://www.googleapis.com/oauth2/v3/certs\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.mycompany.com/oauth2/jwks\n    authorization:\n      external:\n        uri: https://company.com/authz\n        includeRequestHeaders:\n        - Authorization # forwards the header to the authorization service.\n    routing:\n      rules:\n      - route:\n          host: ns1/productpage.ns1.svc.cluster.local\n    rateLimiting:\n      settings:\n        rules:\n          # Ratelimit at 10 requests/hour for clients with a remote address of 1.2.3.4 \n        - dimensions: \n          - remoteAddress:\n              value: 1.2.3.4\n          limit:\n            requestsPerUnit: 10\n            unit: HOUR\n          # Ratelimit at 50 requests/minute for every unique value in the user-agent header\n        - dimensions:\n          - header:\n              name: user-agent\n          limit:\n            requestsPerUnit: 50\n          
  unit: MINUTE\n          # Ratelimit at 100 requests/second for every unique client remote address\n          # with the HTTP requests having a GET method and the path prefix of /productpage\n        - dimensions:\n          - remoteAddress:\n              value: \"*\"\n          - header:\n              name: \":path\"\n              value:\n                prefix: /productpage\n          - header:\n              name: \":method\"\n              value:\n                exact: \"GET\"\n          limit:\n            requestsPerUnit: 100\n            unit: SECOND\n```\n\nIn the following example, the clients are authenticated using an external OIDC provider using\n[AUTHORIZATION_CODE grant type](https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow).\nOnce the client request is authenticated, it gets forwarded to the `productpage`\nservice in the backend.\nThe access_token generated after client authentication is set as `Bearer` in request headers.\nThe state of authentication is stored in cookies.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  http:\n  - name: bookinfo-plaintext\n    port: 9090\n    hostname: bookinfo.com\n    routing:\n      rules:\n        - redirect:\n            authority: bookinfo.com\n            port: 9443\n            redirectCode: 301\n            scheme: https\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n    tls:\n      mode: SIMPLE\n      secretName: bookinfo-certs\n    authentication:\n      oidc:\n        grantType: AUTHORIZATION_CODE\n        clientId: \"my-client\"\n        clientTokenSecret: \"my-secret\"\n        redirectUri: https://httpbin.example.com/bearer\n        provider:\n          issuer: https://accounts.google.com\n          authorizationEndpoint: 
https://accounts.google.com/v1/authorize\n          tokenEndpoint: https://accounts.google.com/v1/token\n          jwksUri: https://www.googleapis.com/oauth2/v3/certs\n    authorization:\n      external:\n        uri: https://company.com/authz\n        includeRequestHeaders:\n          - Authorization # forwards the header to the authorization service.\n    routing:\n      rules:\n      - route:\n          serviceDestination:\n            host: ns1/productpage.ns1.svc.cluster.local\n```\n\nIf the `productpage.ns1` service on Kubernetes has a `ServiceRoute`\nwith multiple subsets and weights, the traffic will be split across\nthe subsets accordingly.\n\nThe following example illustrates defining non-HTTP servers (based\non TCP) with TLS termination. Here, kafka.myorg.internal uses non-HTTP\nprotocol and listens on port 9000. The clients have to connect with TLS\nwith the SNI `kafka.myorg.internal`. The TLS is terminated at the gateway\nand the traffic is routed to `kafka.infra.svc.cluster.local:8000`.\n\nIf subsets are defined in the `ServiceRoute` referencing\n`kafka.infra.svc.cluster.local` service, then it is also considered\nwhile routing.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  tcp:\n  - name: kafka-gateway\n    hostname: kafka.myorg.internal\n    port: 9000\n    tls:\n      mode: SIMPLE\n      secretName: kafka-cred\n    route:\n      host: kafka.infra.svc.cluster.local\n      port: 8000\n```\n\nThe following example customizes the `Extensions` to enable\nthe execution of the specified WasmExtensions list and details\ncustom properties for the execution of each extension.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  
organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  extension:\n  - fqn: hello-world # fqn of imported extensions in TSB\n    config:\n      foo: bar\n  http:\n  - name: bookinfo\n    port: 80\n    hostname: bookinfo.com\n    routing:\n      rules:\n      - route:\n          host: ns1/productpage.ns1.svc.cluster.local\n```\n\n`IngressGateway` also allows you to apply ModSecurity/Coraza compatible Web\nApplication Firewall rules to traffic passing through the gateway.\n\n```yaml\napiVersion: gateway.xcp.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: waf-gw\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: waf-gateway\n  http:\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n  waf:\n    rules:\n      - Include @recommended-conf\n      - SecResponseBodyAccess Off\n      - Include @owasp_crs/*.conf\n```\n\n\n\n","type":"object","title":":::warning Deprecation\nThe functionality provided by the `IngressGateway` is now provided in `Gateway` object, and\nusing it is the recommended approach. The `IngressGateway` resource will be removed in future releases.\n:::","required":["workloadSelector"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"},"http":{"description":"One or more HTTP or HTTPS servers exposed by the gateway. 
The\nserver exposes configuration for TLS termination, request\nauthentication/authorization, HTTP routing, etc.","type":"array","items":{"$ref":"#/components/schemas/v2HttpServer"},"x-order":5},"tlsPassthrough":{"description":"One or more TLS servers exposed by the gateway. The server\ndoes not terminate TLS and exposes config for SNI based routing.","type":"array","items":{"$ref":"#/components/schemas/v2TLSPassthroughServer"},"x-order":6},"tcp":{"type":"array","title":"One or more non-HTTP and non-passthrough servers which use TCP\nbased protocols. This server also exposes configuration for terminating TLS","items":{"$ref":"#/components/schemas/v2TCPServer"},"x-order":7},"extension":{"description":"Extensions specifies all the WasmExtensions assigned to this IngressGateway\nwith the specific configuration for each extension. This custom configuration\nwill override the one configured globally to the extension.\nEach extension has a global configuration including enablement and priority\nthat will condition the execution of the assigned extensions.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"},"x-order":8},"waf":{"$ref":"#/components/schemas/v2WAFSettings"},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2InstallGatewayTemplate":{"description":"An InstallGatewayTemplate defines a configuration template for installing gateways in TSB.\nIt allows specifying gateway configurations that will be applied to gateways created in a defined part\nof the infrastructure determined by selectors that match attributes such as provider, labels, or cluster names.\nThe following example creates an InstallGatewayTemplate named `eks-template` under the `tetrate` organization.\nIt enforces the use of a specific annotation for all gateways created in EKS clusters.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: InstallGatewayTemplate\nmetadata:\n  name: aws-template\n  organization: tetrate\nspec:\n  
displayName: \"AWS template\"\n  description: \"Template for AWS EKS gateways\"\n  environmentSelector:\n    provider: \"EKS\"\n  gatewaySpec:\n    kubeSpec:\n      annotations:\n        service.beta.kubernetes.io/aws-load-balancer-type: 'external'\n```\n\nAnother example creates an InstallGatewayTemplate named `mem-template` under the `tetrate` organization.\nBy using a cluster selector, it is scoped to clusters labelled with `managed-by: a-team`. Furthermore, the scope\nis narrowed down thanks to the gateway workload selector to only the gateways with the label `memory: high-limits` that\nare part of the aforementioned clusters. The template enforces memory limits for the selected gateways.\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: InstallGatewayTemplate\nmetadata:\n  name: mem-template\n  organization: tetrate\nspec:\n  displayName: \"memory template\"\n  description: \"Template for setting memory limits for some specific labelled gateways\"\n  clusterSelector:\n    labelsSelector:\n      labels:\n        managed-by: \"a-team\"\n  gatewayWorkloadSelector:\n    labelsSelector:\n      labels:\n        memory: \"high-limits\"\n  gatewaySpec:\n    kubeSpec:\n      deployment:\n        resources:\n          limits:\n            memory: 2Gi\n```\n\n\n\n","type":"object","title":":::warning Alpha early access\nThe install gateway template feature is in an early access alpha state. Before trying this in a\nnon production environment, please reach out to Tetrate first.\n:::","required":["gatewaySpec"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":4},"priority":{"type":"integer","format":"int32","title":"Indicates when a template must be chosen in case of multiple\nselectors of the same type matching a single gateway configuration.\nDefaults to 0, the highest priority. When two templates have the same\npriority, they are sorted alphabetically by their names.\nTemplates with different selector types will be resolved in the\nfollowing order, regardless of the priority value:\n1. environment selectors\n2. cluster selectors with no namespace selectors\n3. cluster selectors with namespace selector matching labels\n4. cluster selectors with namespace selector matching name\n5. specific InstallGateway TSB resources","x-order":5},"environmentSelector":{"$ref":"#/components/schemas/v2EnvironmentSelector"},"clusterSelector":{"$ref":"#/components/schemas/v2ClusterSelector"},"allClustersSelector":{"description":"Selects all the onboarded clusters on TSB.","type":"boolean","x-order":8},"gatewayWorkloadSelector":{"$ref":"#/components/schemas/tsbgatewayv2WorkloadSelector"},"gatewaySpec":{"$ref":"#/components/schemas/gatewayv2GatewaySpec"}}},"v2JWKS":{"type":"object","title":"JSON Web Key Set. 
Refer to https://datatracker.ietf.org/doc/html/rfc7517","properties":{"keys":{"type":"array","title":"List of public JWKs","items":{"$ref":"#/components/schemas/JWKSJWK"},"x-order":0}}},"v2KeepAliveSettings":{"description":"Keep Alive Settings.","type":"object","properties":{"tcp":{"$ref":"#/components/schemas/v2TcpKeepAliveSettings"}}},"v2Kong":{"description":"Kong extension configuration.","type":"object","properties":{"plugins":{"description":"List of plugins.","type":"array","items":{"$ref":"#/components/schemas/KongPlugins"},"x-order":0}}},"v2LabelsSelector":{"description":"A template selector based on label matching.","type":"object","properties":{"labels":{"type":"object","additionalProperties":{"type":"string"},"x-order":0}}},"v2ListApplicationsResponse":{"description":"List of applications in the given tenant.","type":"object","properties":{"applications":{"description":"The list of applications that are registered in the given tenant.","type":"array","items":{"$ref":"#/components/schemas/v2Application"},"x-order":0}}},"v2ListAvailableProfilesResponse":{"description":"List of profiles that can be attached to a given resource.","type":"object","properties":{"profiles":{"description":"List of profiles.","type":"array","items":{"$ref":"#/components/schemas/v2Profile"},"x-order":0}}},"v2ListClusterOnboardingConfigsResponse":{"description":"List of onboarding configurations for a cluster.","type":"object","properties":{"configs":{"description":"The list of onboarding configurations for the cluster.","type":"array","items":{"$ref":"#/components/schemas/v2ClusterOnboardingConfig"},"x-order":0}}},"v2ListClustersResponse":{"description":"List of clusters that are registered in the platform.","type":"object","properties":{"clusters":{"description":"The list of clusters that are registered in the platform.","type":"array","items":{"$ref":"#/components/schemas/tsbv2Cluster"},"x-order":0}}},"v2ListEgressGatewaysResponse":{"description":"List of all Egress Gateway 
objects in the gateway group.","type":"object","properties":{"egressGateways":{"type":"array","items":{"$ref":"#/components/schemas/gatewayv2EgressGateway"},"x-order":0}}},"v2ListGatewayGroupsResponse":{"description":"List of all gateway groups in the workspace.","type":"object","properties":{"groups":{"type":"array","items":{"$ref":"#/components/schemas/tsbgatewayv2Group"},"x-order":0}}},"v2ListGatewaysResponse":{"description":"List of all Gateway objects in the gateway group.","type":"object","properties":{"gateways":{"description":"List of all Gateway objects.","type":"array","items":{"$ref":"#/components/schemas/gatewayv2Gateway"},"x-order":0}}},"v2ListIngressGatewaysResponse":{"description":"List of all Ingress Gateway objects in the gateway group.","type":"object","properties":{"ingressGateways":{"type":"array","items":{"$ref":"#/components/schemas/v2IngressGateway"},"x-order":0}}},"v2ListInstallGatewayTemplatesResponse":{"description":"List of all InstallGatewayTemplate objects.","type":"object","properties":{"templates":{"type":"array","items":{"$ref":"#/components/schemas/v2InstallGatewayTemplate"},"x-order":0}}},"v2ListInstallGatewaysResponse":{"description":"List of all Install Gateway objects in the gateway group.","type":"object","properties":{"installGateways":{"type":"array","items":{"$ref":"#/components/schemas/installdataplanev1alpha1GatewaySpec"},"x-order":0}}},"v2ListIstioInternalGroupsResponse":{"description":"List of all Istio internal groups in the workspace.","type":"object","properties":{"groups":{"description":"The list of requested groups.","type":"array","items":{"$ref":"#/components/schemas/tsbistiointernalv2Group"},"x-order":0}}},"v2ListMetricsResponse":{"description":"List of telemetry metrics from the resource.","type":"object","properties":{"metrics":{"type":"array","items":{"$ref":"#/components/schemas/v2Metric"},"x-order":0}}},"v2ListOIDCsResponse":{"description":"List of OIDC 
configurations.","type":"object","properties":{"oidcs":{"description":"The list of OIDC configurations.","type":"array","items":{"$ref":"#/components/schemas/v2OIDC"},"x-order":0}}},"v2ListOrganizationSettingsResponse":{"description":"List of all existing Organization settings objects in the Organization group.","type":"object","properties":{"settings":{"type":"array","items":{"$ref":"#/components/schemas/v2OrganizationSetting"},"x-order":0}}},"v2ListOrganizationsResponse":{"type":"object","title":"List of organizations that exist in TSB.\n$hide_from_docs","properties":{"organizations":{"type":"array","items":{"$ref":"#/components/schemas/v2Organization"},"x-order":0}}},"v2ListProfilesResponse":{"description":"List of profiles belonging to a given resource.","type":"object","properties":{"profiles":{"description":"List of profiles.","type":"array","items":{"$ref":"#/components/schemas/v2Profile"},"x-order":0}}},"v2ListRolesResponse":{"description":"List of all existing roles.","type":"object","properties":{"roles":{"type":"array","items":{"$ref":"#/components/schemas/v2Role"},"x-order":0}}},"v2ListSecurityGroupsResponse":{"description":"List of all security groups in the workspace.","type":"object","properties":{"groups":{"type":"array","items":{"$ref":"#/components/schemas/tsbsecurityv2Group"},"x-order":0}}},"v2ListSecuritySettingsResponse":{"description":"List of all security settings objects attached to the group.","type":"object","properties":{"settings":{"type":"array","items":{"$ref":"#/components/schemas/v2SecuritySetting"},"x-order":0}}},"v2ListServiceAccountsResponse":{"description":"List of existing Service Accounts.","type":"object","properties":{"serviceAccounts":{"type":"array","items":{"$ref":"#/components/schemas/tsbv2ServiceAccount"},"x-order":0}}},"v2ListServiceRoutesResponse":{"description":"List of all service routes defined in the traffic 
group.","type":"object","properties":{"serviceRoutes":{"type":"array","items":{"$ref":"#/components/schemas/v2ServiceRoute"},"x-order":0}}},"v2ListServiceSecuritySettingsResponse":{"description":"List of all Service Security Settings objects attached to the group.","type":"object","properties":{"settings":{"type":"array","items":{"$ref":"#/components/schemas/v2ServiceSecuritySetting"},"x-order":0}}},"v2ListServiceTrafficSettingsResponse":{"description":"List of all Service Traffic Settings objects attached to the group.","type":"object","properties":{"serviceSettings":{"description":"List of Service Traffic Setting objects.","type":"array","items":{"$ref":"#/components/schemas/v2ServiceTrafficSetting"},"x-order":0}}},"v2ListServicesResponse":{"type":"object","title":"Response with a list of registered services","properties":{"services":{"type":"array","title":"The requested registered services","items":{"$ref":"#/components/schemas/tsbregistryv2Service"},"x-order":0}}},"v2ListSharedGatewayReferenceGrantsResponse":{"description":"List of all SharedGatewayReferenceGrants in the gateway group.","type":"object","properties":{"sharedGatewayReferenceGrants":{"description":"Details of the SharedGatewayReferenceGrants found in the gateway group.","type":"array","items":{"$ref":"#/components/schemas/v2SharedGatewayReferenceGrant"},"x-order":0}}},"v2ListSharedGatewaysResponse":{"description":"List of all shared gateways that have a shared reference grant.","type":"object","properties":{"sharedGateways":{"description":"List of shared gateways.","type":"array","items":{"$ref":"#/components/schemas/ListSharedGatewaysResponseSharedGateway"},"x-order":0}}},"v2ListSourcesResponse":{"description":"List of telemetry sources from the resource.","type":"object","properties":{"sources":{"type":"array","items":{"$ref":"#/components/schemas/telemetryv2Source"},"x-order":0}}},"v2ListTeamsResponse":{"description":"List of existing 
teams.","type":"object","properties":{"teams":{"type":"array","items":{"$ref":"#/components/schemas/v2Team"},"x-order":0}}},"v2ListTenantExtensionsResponse":{"description":"List of all existing WasmExtensions objects assigned to the Tenant.","type":"object","properties":{"extensions":{"type":"array","items":{"$ref":"#/components/schemas/v2WasmExtension"},"x-order":0}}},"v2ListTenantSettingsResponse":{"description":"List of all existing Tenant settings objects in the Tenant.","type":"object","properties":{"settings":{"type":"array","items":{"$ref":"#/components/schemas/v2TenantSetting"},"x-order":0}}},"v2ListTenantsResponse":{"description":"List of available tenants.","type":"object","properties":{"tenants":{"description":"The list of available tenants.","type":"array","items":{"$ref":"#/components/schemas/v2Tenant"},"x-order":0}}},"v2ListTier1GatewaysResponse":{"description":"List of all Tier1 Gateway objects in the gateway group.","type":"object","properties":{"tier1Gateways":{"type":"array","items":{"$ref":"#/components/schemas/v2Tier1Gateway"},"x-order":0}}},"v2ListTrafficGroupsResponse":{"description":"List of all existing traffic groups in the workspace.","type":"object","properties":{"groups":{"type":"array","items":{"$ref":"#/components/schemas/tsbtrafficv2Group"},"x-order":0}}},"v2ListTrafficSettingsResponse":{"description":"List of all existing traffic settings objects in the traffic group.","type":"object","properties":{"settings":{"type":"array","items":{"$ref":"#/components/schemas/v2TrafficSetting"},"x-order":0}}},"v2ListUsersResponse":{"description":"List of existing Users.","type":"object","properties":{"users":{"type":"array","items":{"$ref":"#/components/schemas/v2User"},"x-order":0}}},"v2ListWasmExtensionResponse":{"description":"List of WASM Extensions.","type":"object","properties":{"extensions":{"type":"array","items":{"$ref":"#/components/schemas/v2WasmExtension"},"x-order":0}}},"v2ListWorkloadsResponse":{"description":"Response to the request 
for a list of Workloads.","type":"object","properties":{"workloads":{"description":"List of workloads.","type":"array","items":{"$ref":"#/components/schemas/tsbdiagnosticv2Workload"},"x-order":0},"nextPageToken":{"description":"A token, which can be sent as `page_token` to retrieve the next page.\nIf this field is omitted, there are no subsequent pages.","type":"string","x-order":1},"totalSize":{"description":"Total number of Workloads.\nIf a filter was included in the request, this reflects the total number\nafter the filtering is applied.","type":"integer","format":"int32","x-order":2}}},"v2ListWorkspaceSettingsResponse":{"description":"The existing settings objects for the given workspace.","type":"object","properties":{"settings":{"type":"array","items":{"$ref":"#/components/schemas/v2WorkspaceSetting"},"x-order":0}}},"v2ListWorkspacesResponse":{"description":"The existing workspaces for the given tenant.","type":"object","properties":{"workspaces":{"type":"array","items":{"$ref":"#/components/schemas/v2Workspace"},"x-order":0}}},"v2LocalRateLimitSettings":{"description":"Configuration for ratelimiting HTTP/gRPC requests\nThis has a list of rate limit rules that can be configured.\nWith each rule a list of dimensions can be defined.\nA request counts towards the limit if all of the dimensions match the\nattributes of the request.\nWhen the matched requests exceed the limit, a 429 response is returned.","type":"object","required":["rules"],"properties":{"rules":{"description":"A list of rules for ratelimiting.\nEach rule defines a list of dimensions to match on and the rate limit value\nfor the rule. 
Each rule is independent of the other synonymous to\nhaving an OR relationship.","type":"array","items":{"$ref":"#/components/schemas/v2LocalRateLimitSettingsRateLimitRule"},"x-order":0},"maxWildcardDimensions":{"description":"The maximum number of unique values that will be kept for dimensions with a wildcard.\nThis limits memory usage, when this number is reached, the least recently used entry\nwill be dropped. If this is set too low, the rate limits will not apply to all users.\nDefaults to 20.","type":"integer","format":"int64","x-order":1}}},"v2LocalRateLimitSettingsRateLimitDimension":{"description":"RateLimitDimension is a condition to match HTTP requests\nthat should be rate limited.","type":"object","properties":{"remoteAddress":{"$ref":"#/components/schemas/v2LocalRateLimitSettingsRateLimitDimensionRemoteAddress"},"header":{"$ref":"#/components/schemas/v2LocalRateLimitSettingsRateLimitDimensionHeader"}}},"v2LocalRateLimitSettingsRateLimitDimensionHeader":{"type":"object","title":"RateLimit based on certain headers","required":["name"],"properties":{"name":{"description":"Name of the header to match on.","type":"string","x-order":0},"value":{"$ref":"#/components/schemas/tsbgatewayv2StringMatch"},"dontMatch":{"description":"If set to true, the condition will be met when the header value does not match.\nDefault value is false.","type":"boolean","x-order":2}}},"v2LocalRateLimitSettingsRateLimitDimensionRemoteAddress":{"description":"Rate limit based on the client's remote address, extracted from the trusted\n`X-Forwarded-For` header.\nThis requires that the proxy sees either the `X-Forwarded-For` header or the request's\nsource IP. 
This may require additional configuration on the load balancer and/or the use of\n`externalTrafficPolicy: Local` on the service.","type":"object","required":["value"],"properties":{"value":{"description":"Ratelimit on a specific remote address.\nIf the value is set to \"*\", ratelimit on every unique remote address.","type":"string","x-order":0}}},"v2LocalRateLimitSettingsRateLimitRule":{"description":"RateLimitRule is the block to define each internal ratelimit configuration.","type":"object","required":["dimensions","tokenBucket"],"properties":{"dimensions":{"description":"A list of dimensions to define each ratelimit rule.\nRequests count towards the ratelimit value only when each and every\ndimension is matched for a given HTTP request synonymous\nto having an AND relationship.","type":"array","items":{"$ref":"#/components/schemas/v2LocalRateLimitSettingsRateLimitDimension"},"x-order":0},"tokenBucket":{"$ref":"#/components/schemas/LocalRateLimitSettingsTokenBucket"}}},"v2LoggerLevelsResponse":{"description":"Response to the request for effective logger levels of an Istio Proxy.\nReturns the output of the `/logging` endpoint of the Envoy Admin interface.","type":"object","properties":{"supportedLevels":{"description":"Supported logging levels.","type":"array","items":{"type":"string"},"x-order":0},"loggerLevels":{"description":"Effective logger levels.","type":"object","additionalProperties":{"type":"string"},"x-order":1}}},"v2Measure":{"description":"A measure represents the name and unit of a measurement.\nFor example, request latency in ms and the number of errors are examples of measures to collect from a server. In\nthis case latency would be the type and ms (millisecond) is the unit.","type":"object","properties":{"name":{"description":"The name of the measure. For instance latency in ms. 
More reference values can be found at\nMeshControlledMeasureNames.","type":"string","x-order":0},"unit":{"description":"The unit of measure, which follows the [unified code for units of measure](https://ucum.org/ucum.html).\nFor COUNTABLE measures, as number of requests or network packets, SHOULD use the default unit, the unity, and\n[annotations](https://ucum.org/ucum.html#para-curly) with curly braces to give additional meaning.\nFor example {requests}, {packets}, {errors}, {faults}, etc.","type":"string","x-order":1}}},"v2Metric":{"description":"A metric is a measurement about a service, captured at runtime. Logically, the moment of capturing one of\nthese measurements is known as a metric event which consists not only of the measurement itself, but the time\nthat it was captured and associated metadata.\n\nThe key aspects of a metric are the measure, the metric type, the metric origin, and the metric detect point:\n- The measure describes the type and unit of a metric event also known as measurement.\n- The metric type is the aggregation over time applied to the measurements.\n- The metric origin tells where the metric measurements come from.\n- The detect point is the point from which the metric is observed, in service, server side, or client side.\nIt is useful to differentiate between metrics that observe a concrete service (often self observing), or metrics that\nfocus on service to service communications.\n\nA TSB controlled (is part of the mesh and has a proxy we can configure) service has several metrics available\nwhich leverage a consistent monitoring of services.\nSome of them cover what is known as the RED metrics set, which are a set of very useful metrics for\nHTTP/RPC request based services. 
RED stands for:\n- Rate (R): The number of requests per second.\n- Errors (E): The number of failed requests.\n- Duration (D): The amount of time to process a request.\n\nTo understand a bit better which metrics are available given a concrete telemetry source, let's assume we have\ndeployed the classic Istio [bookinfo demo application](https://istio.io/latest/docs/examples/bookinfo/).\nLet's see some RED based metrics available for an observed and managed service by TSB, for instance the review\nservice using the GLOBAL scoped telemetry source.\n\nThe following metric is the number of request per minute that the reviews service is handling at a GLOBAL scope:\n```yaml\napiVersion: observability.telemetry.tsb.tetrate.io/v2\nkind: Metric\nmetadata:\n  organization: myorg\n  service: reviews.bookinfo\n  source: reviews\n  name: service_cpm\nspec:\n  observedResource: organizations/myorg/services/reviews.bookinfo\n  measure:\n    type: REQUESTS\n    unit: \"{request}\"\n  metricType:\n    type: CPM\n  origin: MESH_OBSERVED\n  detectPoint: SERVER_SIDE\n```\n\nThe metric for the average duration of the handled request by the reviews service at a GLOBAL scope:\n```yaml\napiVersion: observability.telemetry.tsb.tetrate.io/v2\nkind: Metric\nmetadata:\n  organization: myorg\n  service: reviews.bookinfo\n  source: reviews\n  name: service_resp_time\nspec:\n  observedResource: organizations/myorg/services/reviews.bookinfo\n  measure:\n    type: LATENCY\n    unit: ms\n  metricType:\n    type: AVERAGE\n  origin: MESH_OBSERVED\n  detectPoint: SERVER_SIDE\n```\n\nThe metric for the errors of the handled request by the reviews at a GLOBAL scope. 
In this case the number of errors\nis expressed as a percentage of the total number of handled requests:\n```yaml\napiVersion: observability.telemetry.tsb.tetrate.io/v2\nkind: Metric\nmetadata:\n  organization: myorg\n  service: reviews.bookinfo\n  source: reviews\n  name: service_sla\nspec:\n  observedResource: organizations/myorg/services/reviews.bookinfo\n  measure:\n    type: STATUS\n    unit: NUMBER\n  metricType:\n    type: PERCENT\n  origin: MESH_OBSERVED\n  detectPoint: SERVER_SIDE\n```\nUsing a different telemetry source for the same metric gives a different view of the same observed measurements.\nFor instance, if we want to know how many requests per minute subset v1 from the reviews is handling, we need to use\nthe same metric but from a different telemetry source, in this case reviews-v1:\n```yaml\napiVersion: observability.telemetry.tsb.tetrate.io/v2\nkind: Metric\nmetadata:\n  organization: myorg\n  service: reviews.bookinfo\n  source: reviews-v1\n  name: service_cpm\nspec:\n  observedResource: organizations/myorg/services/reviews.bookinfo\n  measure:\n    type: REQUESTS\n    unit: NUMBER\n  metricType:\n    type: CPM\n  origin: MESH_OBSERVED\n  detectPoint: SERVER_SIDE\n```\n\nThe duration or latency measurements can also be aggregated in different percentiles over time.\nThe duration percentiles for the handled request by the reviews at a GLOBAL scope:\n```yaml\napiVersion: observability.telemetry.tsb.tetrate.io/v2\nkind: Metric\nmetadata:\n  organization: myorg\n  service: reviews.bookinfo\n  source: reviews\n  name: service_percentile\nspec:\n  observedResource: organizations/myorg/services/reviews.bookinfo\n  measure:\n    type: LATENCY\n    unit: ms\n  metricType:\n    type: PERCENTILE\n    labels:\n    - key: \"0\"\n      value: \"p50\"\n    - key: \"1\"\n      value: \"p75\"\n    - key: \"2\"\n      value: \"p90\"\n    - key: \"3\"\n      value: \"p05\"\n    - key: \"4\"\n      value: \"p99\"\n  origin: MESH_OBSERVED\n  detectPoint: 
SERVER_SIDE\n```","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the metric.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the metric.\n$hide_from_yaml","x-order":3},"observedResource":{"description":"Which concrete TSB resource in the configuration hierarchy this metric observes and belongs to.\nFor instance, a metric can observe a service, a concrete service workload (pod or Vm), or a gateway,\nor a workspace, or any other resource in the configuration hierarchy.","type":"string","x-order":4,"readOnly":true},"measure":{"$ref":"#/components/schemas/v2Measure"},"type":{"$ref":"#/components/schemas/telemetryv2MetricType"},"origin":{"$ref":"#/components/schemas/v2MetricOrigin"},"detectionPoint":{"$ref":"#/components/schemas/v2MetricDetectionPoint"}}},"v2MetricDetectionPoint":{"description":"From which detection point the metric is observed.\n\n - IN_SERVICE: Self observability metrics uses in service detect point.\n - CLIENT_SIDE: Client side is how the client is observing the metric. When service A calls service B, service A acts\nas a client side.\n - SERVER_SIDE: Server side is how the server is observing the metric. 
When service A calls service B, service B\nacts as the server side.","type":"string","default":"INVALID_METRIC_DETECTION_POINT","enum":["INVALID_METRIC_DETECTION_POINT","IN_SERVICE","CLIENT_SIDE","SERVER_SIDE"]},"v2MetricOrigin":{"description":"Where the metric measurements come from.\n\n - MESH_CONTROLLED: The metrics origin is from a TSB configured mesh, capturing the metrics from the\nsidecar's available observability.\n - AGENT_OBSERVED: An agent which can be standalone or service with automatic instrumentation via byte code injection.\nCurrently not available. Part of hybrid observability.\n - MESH_IMPORTED: Other known mesh generated metrics that are not configured and handled by TSB.\nCurrently not available. Part of hybrid observability.\n - EXTERNAL_IMPORTED: External captured metrics that are either imported into TSB observability stack or queried at runtime.\nCurrently not available. Part of hybrid observability.","type":"string","default":"INVALID_METRIC_ORIGIN","enum":["INVALID_METRIC_ORIGIN","MESH_CONTROLLED","AGENT_OBSERVED","MESH_IMPORTED","EXTERNAL_IMPORTED"]},"v2MetricTypeLabel":{"description":"Label of metric type. Also seen as other dimensions of aggregation besides the time interval on which measurements\nare aggregated over.","type":"object","properties":{"key":{"description":"The label key.","type":"string","x-order":0},"value":{"description":"The label value, for instance p50, or p75.","type":"string","x-order":1}}},"v2MetricTypeType":{"description":" - GAUGE: Is the last seen measurement over a period of time.\n - COUNTER: Is the sum of number of measurement over a period of time. Used in number of request style of metrics.\n - AVERAGE: Average function applied to the measurements. 
Used in Duration/latency style of metrics.\n - PERCENT: Percentage function applied to a given observed value over the total observed values.\nUsed in SLA style of metrics, for example the percentage of errored responses over the total server responses.\n - APDEX: Application Performance Index monitors end-user satisfaction.\n[Apdex score](https://www.tetrate.io/blog/the-apdex-score-for-measuring-service-mesh-health)\n - HEATMAPS: Heat maps are a three dimensional visualization, using x and y coordinates for two dimensions, and color\nintensity for the third. They can reveal detail that summary statistics, such as line charts of averages,\ncan miss. Latency measurements can be aggregated using Heatmaps/histograms. One dimension is often time, the\nother is the latency, and the third one (the intensity) is the frequency of that latency in the given time range.\n - LABELED_COUNTER: Is the sum of number of measurement over time grouped by concrete label values. Used for counting responses by\ntheir http response code for instance.\n - PERCENTILE: This is a specific subtype of LABELED_COUNTER. Used in duration/latency style metrics.\n - CPM: Calls per minute. Used in requests per minute, or in 5xx http errors per minute, 4xx http errors per\nminute, among other metrics.\n - MAX: Selects the highest measurement over a period of time. 
Envoy max allocated style metrics.","type":"string","default":"INVALID_METRIC_TYPE","enum":["INVALID_METRIC_TYPE","GAUGE","COUNTER","AVERAGE","PERCENT","APDEX","HEATMAPS","LABELED_COUNTER","PERCENTILE","CPM","MAX"]},"v2ModifyAttachedProfiles":{"description":"ModifyAttachedProfiles represents a request to analyze the impact of modifying\nthe attached profiles of a resource.","type":"object","required":["fqn"],"properties":{"fqn":{"description":"The fully-qualified name (FQN) of the resource to which profiles are attached.","type":"string","x-order":0},"profiles":{"description":"A list of profiles attached to the resource that will be analyzed for impact.\nThese profiles are used to propagate default and mandatory configurations to\nchild resources, and any changes to them will be reflected in the impact analysis.","type":"array","items":{"type":"string"},"x-order":1}}},"v2ModifyProfile":{"description":"ModifyProfile represents a request to analyze the impact of modifying a profile.","type":"object","required":["fqn","profile"],"properties":{"fqn":{"description":"The fully-qualified name (FQN) of the profile to analyze. 
This should refer to a specific profile in the system.","type":"string","x-order":0},"profile":{"$ref":"#/components/schemas/v2Profile"}}},"v2NamespaceCurrentState":{"description":"The current state of a namespace.\n\n - CURRENT_UNDEFINED: Undefined state.\n - CURRENT_UNKNOWN: The TSB CP is not able to determine the state of the namespace.\n - CURRENT_SYSTEM: The namespace has been detected as a TSB system namespace, as a cloud provider system namespace, or\nas a namespace with system components specified in the Cluster Onboarding Config as\n`DESIRED_SYSTEM`.\nIt should not have sidecars injected and should not be configured with Istio injection.\n - CURRENT_DISABLED: The namespace has been detected with no sidecars injected and is not configured with Istio injection.\nCheck the `current_state_details` field for more information.\n - CURRENT_ENABLED: The namespace has been detected with sidecars injected and is configured with Istio injection.","type":"string","default":"CURRENT_UNDEFINED","enum":["CURRENT_UNDEFINED","CURRENT_UNKNOWN","CURRENT_SYSTEM","CURRENT_DISABLED","CURRENT_ENABLED"]},"v2NamespaceDesiredState":{"description":"The desired state of a namespace.\n\n - DESIRED_UNDEFINED: Undefined state.\n - DESIRED_UNASSIGNED: The user did not specify a desired state for the namespace.\n - DESIRED_DISABLED: The namespace should have no sidecars injected and not be configured with Istio injection.\n - DESIRED_IGNORED: TSB should not modify the Istio injection.\n - DESIRED_ONBOARDED: The namespace should have sidecars injected and be configured with Istio injection.\n - DESIRED_SYSTEM: The namespace should be considered as a system namespace. 
This means that the namespace\ncontains system components and should not have sidecars injected or be\nconfigured with Istio injection.\nIt is similar in terms of sidecar injection to `DESIRED_DISABLED` but it\nis used to mark the namespace as a system namespace as well.","type":"string","default":"DESIRED_UNDEFINED","enum":["DESIRED_UNDEFINED","DESIRED_UNASSIGNED","DESIRED_DISABLED","DESIRED_IGNORED","DESIRED_ONBOARDED","DESIRED_SYSTEM"]},"v2NamespaceScoping":{"description":"Configure the default scoping of namespaces in this cluster.","type":"object","properties":{"scope":{"$ref":"#/components/schemas/v2NamespaceScopingScope"},"exceptions":{"description":"Namespaces to be excluded from the default scope.\nIf the scope is set to global, this list will contain namespaces that are\nconsidered local. If the scope is set to local, this list will contain\nnamespaces that are considered global.","type":"array","items":{"type":"string"},"x-order":1}}},"v2NamespaceScopingScope":{"description":" - GLOBAL: Global configures namespaces in this cluster to be considered global.\nNamespaces that exist in other clusters with the same name will be\nconsidered to be the same logical namespace.\n - LOCAL: Configures local scoping for namespaces, so that namespaces with the same\nname in different clusters will not be considered the same logical\nnamespace.","type":"string","default":"GLOBAL","enum":["GLOBAL","LOCAL"]},"v2OIDC":{"description":"`OIDC` represents an OpenID Connect (OIDC) configuration that can be used to\nauthenticate users in Service Bridge. Multiple OIDC configurations can be\ncreated to support different identity providers.\n\nThe OIDC configuration contains the settings for the OIDC provider and the\nclient secret used to authenticate with the provider. The secret must be\nbase64 encoded. 
Note that the secret is not stored in the database; it is\nsecurely stored in the Kubernetes cluster as a Secret resource.\n\nThe following example creates an OIDC configuration named `corporate-idp`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: OIDC\nmetadata:\n  name: corporate-idp\n  organization: myorg\nspec:\n  config:\n    clientId: my-client-id\n    issuer: https://idp.example.com\n    redirectUri: https://tsb.example.com/v2/oidc/callback\n    providerConfig:\n      dynamic:\n        configurationUri: https://corporate.idp.com/.well-known/openid-configuration\n  secret: bXktY2xpZW50LXNlY3JldA==\n```\n\n\n\n","type":"object","required":["config","secret"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":4},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"config":{"$ref":"#/components/schemas/v1alpha1OIDCSettings"},"secret":{"description":"Base64 encoded client secret for the OIDC provider.","type":"string","x-order":7}}},"v2OIDCAuthType":{"description":"Configures how client_id and client_secret are sent in OAuth client to OAuth server requests.\n\n - DEFAULT_AUTH_TYPE: If no authentication type is specified, the default authentication type will be used.\nCurrently, the default authentication type is set to `BASIC_AUTH` because it is widely supported by the majority of OIDC providers\n - URL_ENCODED_BODY: The `client_id` and `client_secret` will be sent in the URL encoded request body.\nThis type should only be used when Auth server does not support Basic authentication.\n - BASIC_AUTH: The `client_id` and `client_secret` will be sent using HTTP Basic authentication scheme.","type":"string","default":"DEFAULT_AUTH_TYPE","enum":["DEFAULT_AUTH_TYPE","URL_ENCODED_BODY","BASIC_AUTH"]},"v2OIDCConfig":{"type":"object","title":"Configure OIDC authentication for a given hostname","required":["clientId","clientTokenSecret","redirectUri","provider"],"properties":{"grantType":{"$ref":"#/components/schemas/v2OIDCGrantType"},"clientId":{"description":"The client_id to be used in the authorize calls.\nThis value will be URL encoded when sent to the OAuth server.","type":"string","x-order":1},"clientTokenSecret":{"description":"The name of the Kubernetes secret containing the client secret.\n\nKubernetes generic opaque secret should contain `istio_generic_secret` key with base64 encoded client_secret as value. 
\n\nFor example\n---\napiVersion: v1\nmetadata:\n  name: bar\n  namespace: foo\ndata:\n  istio_generic_secret: e2Jhc2U2NF9lbmNvZGVkX3Rva2VuX3NlY3JldH0=\nkind: Secret\ntype: Opaque\n\nThe secret must be present in the same namespace as the gateway or sidecar deployment\nfor which the configuration is being applied.\nThe (gateway/sidecar) deployment must also have RBAC permissions to view secrets\nin the current namespace. For gateways this is already configured, while for sidecars\nthe permission should be added if not already present.\n\nThe secret token stored will be URL encoded when sent to the OAuth server.","type":"string","x-order":2},"redirectUri":{"description":"It can also be formulated from request parameters\nFor example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback\n\nThis URI should not contain any query parameters.","type":"string","title":"The redirect URI passed to the authorization endpoint","x-order":3},"provider":{"$ref":"#/components/schemas/v2OIDCProviderConfig"},"authType":{"$ref":"#/components/schemas/v2OIDCAuthType"},"authScopes":{"type":"array","title":"Optional list of OAuth scopes to be claimed in the authorization request.\nIf not specified, defaults to `user` scope.\nOAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3","items":{"type":"string"},"x-order":6},"redirectPathMatcher":{"description":"Matching criteria used to determine whether a path appears to be the\nresult of a redirect from the authorization server.\nThe query and fragment string (if present) are removed in the URL path portion.\nFor example, the path `/data` will match URI header `/data#fragment?param=value`.\n\nIf not provided, default is derived from redirect_uri path\nOnly exact match is configurable","type":"string","x-order":7},"signoutPath":{"description":"The path to sign a user out, clearing their credential cookies.\n\nIf not provided, default is `/signout`\nOnly exact match is 
configurable","type":"string","x-order":8},"useRefreshToken":{"description":"Enable automatic access token refresh using associated refresh token\n[(see RFC 6749 section 6)](https://datatracker.ietf.org/doc/html/rfc6749#section-6)\nprovided that the OAuth server supports that.\n\nIf not set defaults to `true`.","type":"boolean","x-order":9}}},"v2OIDCGrantType":{"description":"- DEFAULT_GRANT_TYPE: If no grant type is explicitly specified, the default grant type will be used.\nThe specific behavior of the default grant type may vary based on the type of workload to which the authentication settings are applied.\nCurrently, only `AUTHORIZATION_CODE` is available, so this will be in effect in the future when additional grant types are introduced.\n - AUTHORIZATION_CODE: Use authorization code flow","type":"string","title":"Configures authentication flow to be used","default":"DEFAULT_GRANT_TYPE","enum":["DEFAULT_GRANT_TYPE","AUTHORIZATION_CODE"]},"v2OIDCProviderConfig":{"description":"OIDCProviderConfig defines the OIDC Provider configuration.\n\nIt has two modes `dynamic` and `static` meaning if the configuration\nhas to be derived from the Issuer's Well-Known endpoint dynamically\nor is statically configured.\nTo use `dynamic` configuration only `issuer` field should be set. If any other\nfield along with `issuer` is set then the configuration will be treated as `static`.\n\nFor AUTHORIZATION_CODE grant type, fields that are needed if configuration is `static`:\n1. Issuer\n2. AuthorizationEndpoint\n3. TokenEndpoint\n4. 
oneof (JwksURI or Jwks)","type":"object","required":["issuer"],"properties":{"issuer":{"description":"The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).","type":"string","x-order":0},"authorizationEndpoint":{"description":"The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).\nIf not provided, it will be discovered from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).","type":"string","x-order":1},"tokenEndpoint":{"description":"The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).\nIf not provided, it will be discovered from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).","type":"string","x-order":2},"jwksUri":{"description":"URI for the OIDC provider's JSON Web Key Sets. This can be found in the OIDC provider's configuration response.\nThe JWKS are used for token verification.","type":"string","x-order":3},"jwks":{"description":"JSON string with the OIDC provider's JSON Web Key Sets. In general the URI for the Key Set is the preferred\nmethod for configuring JWKS. This setting is provided in case the provider doesn't publish JWKS via a\npublic URI.","type":"string","x-order":4},"tls":{"$ref":"#/components/schemas/tsbauthv2ClientTLSSettings"}}},"v2OpenAPI":{"description":"OpenAPI configuration for the HTTP server.","type":"object","properties":{"fqn":{"description":"The fqn of the API that holds the OpenAPI spec document.","type":"string","x-order":0},"validation":{"$ref":"#/components/schemas/OpenAPIValidation"}}},"v2Organization":{"description":"`Organization` is a root of the Service Bridge object hierarchy. 
Each\norganization is completely independent of the other with its own set of\ntenants, users, teams, clusters and workspaces.\n\nOrganizations in TSB are tied to an Identity Provider (IdP). Users and teams,\nrepresenting the organizational structure, are periodically synchronized\nfrom the IdP into TSB in order to make them available for access policy\nconfiguration.\n\nThe following example creates an organization named `myorg`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Organization\nmetadata:\n  name: myorg\n```\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":4},"profiles":{"description":"List of profiles attached to the Organization to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"},"x-order":5},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"},"systemNamespaces":{"description":"List of namespaces that will be considered as system namespaces for the organization\nand will not be able to be onboarded into TSB.\nSystem namespaces are namespaces that should not have sidecars injected and should not be\nconfigured with Istio injection.\nThis is useful for namespaces that are used for infrastructure components like monitoring,\nlogging, cloud provider components, etc. and that should not be managed by TSB in the\ncluster namespace onboarding workflows.","type":"array","items":{"type":"string"},"x-order":7}}},"v2OrganizationSetting":{"description":"Organization Setting allows configuring global settings for the organization.\nSettings such as network reachability or regional failover that apply globally\nto the organization are configured in the Organization Setting object.\n\nThis is a global object that uniquely configures the organization, and there can\nbe only one organization setting object defined for each organization.\n\nThe following example shows how these settings can be used to describe the organization's\nnetwork reachability settings and some regional failover configurations.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: OrganizationSetting\nmetadata:\n  name: org-settings\n  organization: myorg\nspec:\n  networkSettings:\n    networkReachability:\n      vpc01: vpc02,vpc03\n  regionalFailover:\n    - from: us-east1\n      to: us-central1\n```\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. 
This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"networkSettings":{"$ref":"#/components/schemas/OrganizationSettingNetworkSettings"},"regionalFailover":{"description":"Default locality routing settings for all gateways.\nPlease use FailoverSettings instead. If FailoverSettings is set, it takes precedence over this field.\n\nExplicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.\nShould be used together with OutlierDetection to detect unhealthy endpoints.\nNote: if no OutlierDetection specified, this will not take effect.","type":"array","items":{"$ref":"#/components/schemas/tsbtypesv2RegionalFailover"},"x-order":5},"defaultSecuritySetting":{"$ref":"#/components/schemas/v2SecuritySetting"},"defaultTrafficSetting":{"$ref":"#/components/schemas/v2TrafficSetting"},"failoverSettings":{"$ref":"#/components/schemas/tsbtypesv2FailoverSettings"}}},"v2Permission":{"description":"A permission defines an action that can be performed on a\nresource. 
By default access to resources is denied unless an\nexplicit permission grants access to perform an operation against\nit.\n\n - INVALID: Default value to designate no value was explicitly set for the permission.\n - READ: The read permission grants read-only access to the resource.\n - WRITE: The write permission allows the subject to modify an existing resource.\n - CREATE: The create permission allows subjects to create child resources on the resource.\n - DELETE: The delete permission grants permissions to delete the resource.\n - SET_POLICY: The set-iam permission allows subjects to manage the access policies for the resources.","type":"string","default":"INVALID","enum":["INVALID","READ","WRITE","CREATE","DELETE","SET_POLICY"]},"v2PortSelector":{"description":"PortSelector is the criteria for specifying if a policy can be applied to\na listener having a specific port.","type":"object","required":["number"],"properties":{"number":{"type":"integer","format":"int64","title":"Port number","x-order":0}}},"v2Profile":{"description":"A Profile is a predefined configuration template that can be defined at the Organizations, Tenants, and Workspaces,\nand then can be attached to Organizations, Tenants, Workspaces and Groups.\nProfiles are intended for traffic-related settings and security policies that map to the resource itself, not for security policies \n(e.g. authorization policies) related to relationships between resources.\nThey contain Default configurations, which can be overridden, and Mandates configurations, which can't be.\n\nThe following example creates a Profile named `myprofile` that enforces mutual TLS authenticated connections across the whole `tetrate` \norganization. 
It also sets the default circuit-breaking sensitivity to `MEDIUM`, and configures a TCP KeepAlive timeout of 300 seconds\nfor all inbound connections to all the proxies within the `tetrate` organization.\n\n```yaml\napiVersion: profile.tsb.tetrate.io/v2\nkind: Profile\nmetadata:\n  name: myprofile\n  organization: tetrate\nspec:\n  displayName: \"mTLS enforcement and default circuit breaking\"\n  mandates:\n    authenticationSettings:\n      trafficMode: \"REQUIRED\"\n  defaults:\n    traffic:\n      inbound:\n        resilience:\n          connectionPool:\n            tcp:\n              keepAlive:\n                idleTime: 300\n      outbound:\n        upstreamTrafficSettings:\n        - hosts:\n          - '*'\n          settings:\n            resilience:\n              circuitBreakerSensitivity: MEDIUM\n```\n\n\n\n","type":"object","title":":::warning Beta feature\nThe Configuration Profiles feature is in beta state for release 1.13. Please contact Tetrate if you have any questions or concerns.\n:::","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":4},"defaults":{"$ref":"#/components/schemas/v2ProfileConfig"},"mandates":{"$ref":"#/components/schemas/v2ProfileConfig"}}},"v2ProfileConfig":{"description":"ProfileConfig holds the configuration objects that can be used as defaults or mandates.","type":"object","properties":{"trafficSettings":{"$ref":"#/components/schemas/v2TrafficSetting"},"authenticationSettings":{"$ref":"#/components/schemas/tsbsecurityv2AuthenticationSettings"},"wafSettings":{"$ref":"#/components/schemas/v2WAFSettings"},"wasmExtensions":{"description":"Wasm Extensions specifies all the WasmExtensions assigned to this profile\nwith the specific configuration for each extension.\nThe WASM extensions configured here only apply to workloads, not gateways.\nThis will be moved under a `security` section in the future.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"},"x-order":3},"unsetFields":{"type":"array","title":"Unset fields specify fields that must not have any value.\nIn Mandates, fields in this list must remain unset, even if subsequent evaluated Profile Mandates define them.\nIn Defaults, fields in this list are removed if defined in previously evaluated Profile Defaults.\nItems in this list are dot-separated paths to the fields, relative to the root of ProfileConfig.\nField names are in camelCase, as in JSON/YAML.\nPaths that navigate lists or maps unset the sub-path for all elements.\nFor example:\n- \"traffic.outbound.reachability.hosts\"\n- \"traffic.inbound.resilience.meshTimeout.maxConnectionDuration\"","items":{"type":"string"},"x-order":4},"traffic":{"$ref":"#/components/schemas/v2TrafficSettings"}}},"v2PropagationStrategy":{"description":"The PropagationStrategy is the key differentiating factor to decide how a security\npolicy should be propagated and applied at runtime across clusters.\nThe default propagation strategy is REPLACE, in which a 
lower level SecuritySetting\nin the configuration hierarchy replaces a higher level SecuritySetting.\nThe STRICTER PropagationStrategy on the other hand makes sure the default\nSecuritySettings configured at the parent level are always enforced and propagated\ndown the hierarchy unless additional SecuritySettings are defined and restricted\nfurther in the configuration hierarchy.\n\n* `REPLACE` should be used when resources in the hierarchy are allowed to override the default\nsettings configured at the higher levels.\n* `STRICTER` should be used when the default settings must prevail, and the settings can only be\nmade more restrictive by child resources at lower levels of the hierarchy.\n\nWhen a resource or property of it affected by the propagation strategy is propagated down the hierarchy, regardless\nof the defined strategy (`REPLACE` or `STRICTER`), a parent defined resource or a property of the\nresource will be used (propagated) in absence of a child resource or a property of it.\n\nFor example, the following policy configures optional mTLS for traffic within the workspace, but\nit allows SecuritySettings to modify it. The example shows a workspace that configures\nservice-to-service access so that only services in the same workspace can talk to each other.\nThe `REPLACE` propagation policy allows individual settings to override it. 
In the example, the\nSecuritySetting allows services within that group to be reachable from any\nservice in the cluster, regardless of the workspace they belong to, even though the Workspace\nrestricts service-to-service access to only services in the Workspace.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultSecuritySetting:\n    propagationStrategy: REPLACE\n    authorization:\n      mode: WORKSPACE\n---\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authorization:\n    mode: CLUSTER\n```\n\n`STRICTER` propagation configures defaults that can only be restricted down the hierarchy.\nThe following example configures the same WorkspaceSetting but with a `STRICTER` propagation mode.\nThe `defaults` SecuritySetting further narrows down that access to the `GROUP` scope, which is\nallowed because GROUP is more strict than WORKSPACE. However, the `defaults-invalid` SecuritySetting\nconfigures `CLUSTER` access, which would widen the scope defined at the Workspace. 
That setting will\nnot be allowed based on the `STRICTER` propagation policy.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultSecuritySetting:\n    propagationStrategy: STRICTER\n    authorization:\n      mode: WORKSPACE\n---\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authorization:\n    mode: GROUP\n---\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults-invalid\n  group: t2\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authorization:\n    mode: CLUSTER\n```\n\nFurther details of how security settings are resolved in `STRICTER` mode between a parent and a\nchild resource can be found in the [SecuritySettings reference](../../security/v2/security_setting#securitysetting).\n\n - REPLACE: Is the default configuration propagation strategy.\nA lower defined configuration in the hierarchy will replace a higher configuration in the hierarchy.\nOtherwise, if a lower configuration is not defined, the configuration higher up in the hierarchy will\nprevail.\nFor instance, a defined default propagation strategy for workspace default security settings\nwill replace tenant's defined default security settings.\n - STRICTER: STRICTER propagation strategy propagates the strictest configuration between a defined higher level and\na defined lower level configuration in the hierarchy. 
If a lower level configuration in the hierarchy\nis not defined, the higher one will prevail.\nWhich configuration is stricter than the other is defined by each concrete configuration that allows specifying\na propagation strategy.","type":"string","default":"REPLACE","enum":["REPLACE","STRICTER"]},"v2Query":{"type":"object","title":"Query format of the resource lookup for the permission check","properties":{"queryId":{"description":"Optional ID that is an open string the caller can use for correlation purposes.","type":"string","x-order":0},"fqn":{"description":"Fully-qualified name of the resource.","type":"string","x-order":1}}},"v2QueryPoliciesResponse":{"description":"QueryPoliciesResponse is the response message for QueryPolicies.","type":"object","properties":{"policies":{"description":"Policies is a list of policies that match the query.","type":"array","items":{"$ref":"#/components/schemas/v2ApprovalPolicy"},"x-order":0}}},"v2QueryResourcePermissionsRequest":{"description":"Request to query permissions on multiple records.\n\nExample:\nQueryResourcePermissionsRequest {\n  Queries: []Query{\n    Query{\n      QueryID: \"1234\",\n      Kind: Query_Fqn{\n        Fqn: \"tetrate/tenants/default/workspaces/example\"\n      }\n    }\n  }\n}","type":"object","properties":{"queries":{"description":"One or more resources to query permissions on, limited to 100 per request.","type":"array","items":{"$ref":"#/components/schemas/v2Query"},"x-order":0}}},"v2QueryResourcePermissionsResponse":{"description":"Response with permissions for the requested queries.\n\nExample:\nQueryResourcePermissionsResponse {\n  Results: []Result{\n    Result{\n      Request: Query{\n        QueryID: \"1234\",\n        Kind: Query_Fqn{\n          Fqn: \"tetrate/tenants/default/workspaces/example\"\n        }\n      },\n      Rules: []*Role_Rule{\n        {\n           Types: []*Role_ResourceType{\n             {\n               ApiGroup: \"api.tsb.tetrate.io/v2\",\n               Kinds: 
[]string{\"Workspace\"}\n             }\n           },\n           Permissions: []Permission{\"READ\"}\n        }\n      }\n    }\n  }\n}","type":"object","properties":{"results":{"type":"array","title":"List of permission results for the requested queries","items":{"$ref":"#/components/schemas/QueryResourcePermissionsResponseResult"},"x-order":0}}},"v2Redirect":{"type":"object","properties":{"uri":{"description":"On a redirect, overwrite the Path portion of the URL with this value.","type":"string","x-order":0},"authority":{"description":"On a redirect, overwrite the Authority/Host portion of the URL with this value.","type":"string","x-order":1},"redirectCode":{"description":"On a redirect, Specifies the HTTP status code to use in the redirect\nresponse. It is expected to be 3XX. The default response code is MOVED_PERMANENTLY (301).","type":"integer","format":"int64","x-order":2},"port":{"type":"integer","format":"int64","title":"On a redirect, overwrite the Port portion of the URL with this value","x-order":3},"scheme":{"description":"On a redirect, overwrite the scheme with this one. This can be used\nto perform http -> https redirect by setting this to \"https\". Currently,\nthe only supported values are \"http\" and \"https\" (in lower-case).","type":"string","x-order":4}}},"v2ResilienceSettings":{"description":"ResilienceSettings control the reliability knobs in Envoy when making\noutbound connections from a gateway or proxy workload.","type":"object","properties":{"httpRequestTimeout":{"description":"This field is DEPRECATED in favor of `upstreamTrafficSettings.resilience.connectionPool.http.requestTimeout`.\nTimeout for HTTP requests. 
Disabled if not set.","type":"string","x-order":0},"httpRetries":{"$ref":"#/components/schemas/tsbtrafficv2HTTPRetry"},"keepAlive":{"$ref":"#/components/schemas/v2KeepAliveSettings"},"circuitBreakerSensitivity":{"$ref":"#/components/schemas/v2ResilienceSettingsSensitivity"}}},"v2ResilienceSettingsSensitivity":{"description":"Available sensitivity levels for the circuit breaker.\n\n - UNSET: Default values will be used.\n - LOW: Tolerate up to 20 consecutive 5xx or connection failures from an\nendpoint before ejecting it temporarily from the load balancing\npool.\n - MEDIUM: Tolerate up to 10 consecutive 5xx or connection failures from an\nendpoint before ejecting it temporarily from the load balancing\npool.\n - HIGH: Tolerate up to 5 consecutive 5xx or connection failures from an\nendpoint before ejecting it temporarily from the load balancing\npool.","type":"string","default":"UNSET","enum":["UNSET","LOW","MEDIUM","HIGH"]},"v2ResourceStatusStatus":{"description":"Simple `Status` of the current resource. It's a projection of its details\n(events, etc.) 
that makes it easy to know the status of the resource\nwithout requiring to check the details.\n\n - INVALID: INVALID status should never be reached.\nIt indicates some problem occurred with the resource status, and the admin\nneeds to be contacted to troubleshoot it.\nIt's the default value but it's always expected to have one of the other\nvalues.\n - ACCEPTED: ACCEPTED is reached when the provided configuration has been validated\nand persisted by the TSB server.\n - READY: READY is reached when the resource is ready to be used.\nNon-configurable resources, like Organizations, Tenants or Users, will\nbe ready as soon as they are created.\nThe configurable ones are ready when their configuration has been\npropagated to all the clusters.\n - FAILED: FAILED is reached in different situations, such as when:\n- a resource configuration triggered some internal error.\n- an offending resource affects the correct behaviour of the configuration.\nThe `message` and `details` fields of the `ResourceStatus` provide the\nroot cause of the error.\n - DIRTY: DIRTY is reached when the resources that are dependent on others\nhave not reached the desired status (even when they are not FAILED).\nFor example, an `API` resource that caused the creation of an `IngressGateway`\ncould reach this status if the `IngressGateway` has been modified or removed directly.\n - PARTIAL: PARTIAL is reached for those resources that are dependent on other resources statuses,\nand not all the resources share the same status.\n - ACCEPTED_COMPOSED: ACCEPTED_COMPOSED is reached when a resource is composed from config profiles and\nconfig settings (like tenant settings, workspace settings, etc.) and it's accepted by\ndifferent TSB components (like MPC and XCP) waiting to transition to READY_COMPOSED.\n - READY_COMPOSED: READY_COMPOSED is reached when a resource is composed from config profiles and\nconfig settings (like tenant settings, workspace settings, etc.) 
and it is ready to be used.","type":"string","default":"INVALID","enum":["INVALID","ACCEPTED","READY","FAILED","DIRTY","PARTIAL","ACCEPTED_COMPOSED","READY_COMPOSED"]},"v2ResourceStatusWithDetails":{"description":"Contains the ResourceStatus with metadata about the resource.","type":"object","properties":{"fqn":{"description":"The fqn of the resource.","type":"string","x-order":0,"readOnly":true},"apiVersion":{"description":"API version of the resource.","type":"string","x-order":1,"readOnly":true},"name":{"description":"Resource name.","type":"string","x-order":2,"readOnly":true},"status":{"$ref":"#/components/schemas/apitsbv2ResourceStatus"},"clusters":{"description":"The names of the clusters to which the resource is scoped based on the parents' namespace selector.\nIndependently from the resource status, clusters field is returned based on the resource's configuration.","type":"array","items":{"type":"string"},"x-order":4,"readOnly":true}}},"v2Role":{"description":"`Role` is a named collection of permissions that can be assigned to\nany user or team in the system. The set of actions that can be\nperformed by a user, such as the ability to create, delete, or\nupdate configuration will depend on the permissions associated with\nthe user's role. Roles are global resources that are defined\nonce. `AccessBindings` in each configuration group will bind a user\nto a specific role defined a priori.\n\nTSB comes with the following predefined roles:\n\n| Role | Permissions | Description |\n| -----| ----------- | ----------- |\n| rbac/admin | `*` | Grants full access to the target resource and its child objects |\n| rbac/editor | `Read` `Write` `Create` | Grants read/write access to a resource and allows creating child resources |\n| rbac/creator | `Read` `Create` | Useful to delegate access to a resource without giving write access to the object itself. 
Users with this role will be able to manage sub-resources but not the resource itself |\n| rbac/writer | `Read` `Write` | Grants Read and Write access permissions |\n| rbac/reader | `Read` | Grants read-only permissions to a resource |\n\nThe following example declares a custom `workspace-admin` role with\nthe ability to create, delete configurations and the ability to set\nRBAC policies on the groups within the workspace.\n\n```yaml\napiVersion: rbac.tsb.tetrate.io/v2\nkind: Role\nmetadata:\n  name: role1\nspec:\n  rules:\n  - types:\n    - apiGroup: api.tsb.tetrate.io/v2\n      kinds:\n      - WorkspaceSetting\n    permissions:\n    - CREATE\n    - READ\n    - DELETE\n    - WRITE\n    - SET_POLICY\n```\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"rules":{"description":"A set of rules that define the permissions associated with each API group.","type":"array","items":{"$ref":"#/components/schemas/v2RoleRule"},"x-order":4}}},"v2RoleRule":{"type":"object","title":"A rule defines the set of api groups","required":["permissions"],"properties":{"types":{"description":"The set of API groups and the api Kinds within the group on which this rule is applicable.\nIf omitted, the permissions will globally apply to all resource types.","type":"array","items":{"$ref":"#/components/schemas/RoleResourceType"},"x-order":0},"permissions":{"description":"The set of actions allowed for these APIs.\nThe current version requires the kind, but this constraint will be relaxed in\nupcoming releases so that rules can apply globally to an entire API group.","type":"array","items":{"$ref":"#/components/schemas/v2Permission"},"x-order":1}}},"v2RoleScopeType":{"type":"object","required":["apiGroup","kind"],"properties":{"apiGroup":{"description":"A specific API group such as traffic.tsb.tetrate.io/v2.","type":"string","x-order":0},"kind":{"description":"Specific kind of API under the API group.","type":"string","x-order":1}}},"v2Route":{"description":"One or more destinations in a local/remote cluster for the given request.","type":"object","required":["host"],"properties":{"host":{"description":"The destination service in `<namespace>/<fqdn>` format for\n`IngressGateway` resources. For `Tier1Gateway` resources, the\ndestination must be in `<clusterName>/<namespace>/<fqdn>` format,\nwhere cluster name corresponds to a cluster name created in the\nmanagement plane. 
The `fqdn` must be the fully qualified name of\nthe destination service in a cluster.","type":"string","x-order":0},"port":{"description":"The port on the service to forward the request to. Omit only if\nthe destination service has only one port. When used for routing\nfrom Tier1 gateways, the port specified here will be used only if\nthe Tier1 gateway is doing TLS passthrough.","type":"integer","format":"int64","x-order":1}}},"v2RouteTo":{"description":"RouteTo defines how the traffic is forwarded for the given request.\nOne of `ClusterDestination` or `ServiceDestination` must be specified.","type":"object","properties":{"clusterDestination":{"$ref":"#/components/schemas/v2RouteToClusters"},"serviceDestination":{"$ref":"#/components/schemas/v2RouteToService"}}},"v2RouteToClusters":{"description":"RouteToClusters represents the clusters where the request\nneeds to be routed to from the gateway.","type":"object","properties":{"clusters":{"description":"The destination clusters that contain ingress gateways exposing the hostname.","type":"array","items":{"$ref":"#/components/schemas/v2ClusterDestination"},"x-order":0}}},"v2RouteToService":{"description":"RouteToService represents the service running in clusters.","type":"object","required":["host"],"properties":{"host":{"description":"The destination service in `<namespace>/<fqdn>`.\n\nIf the `trafficMode` flag is set to `EGRESS` or the `trafficMode` is set to `AUTO`\nand the gateway deployment is of type EGRESS,\nthe gateway routes traffic to an external service through a user-created service entry.\nThe service entry should only be created in the gateway deployment namespace with the location set to MESH_EXTERNAL.","type":"string","x-order":0},"port":{"description":"The port on the service to forward the request to. 
Omit only if\nthe destination service has only one port.","type":"integer","format":"int64","x-order":1},"tls":{"$ref":"#/components/schemas/tsbauthv2ClientTLSSettings"}}},"v2RuleFrom":{"description":"From includes the target resource (and the workloads that belong to the resource)\nwhich will be the source of a request.","type":"object","properties":{"fqn":{"description":"The target resource identified by FQN which will be the source of a request.","type":"string","x-order":0}}},"v2SearchStatusResponse":{"description":"Response of the search query for the status of resources related to specified search criteria.","type":"object","properties":{"statuses":{"description":"Collections of status of resources related to the specified search criteria.","type":"array","items":{"$ref":"#/components/schemas/v2ResourceStatusWithDetails"},"x-order":0}}},"v2SecuritySetting":{"description":"`SecuritySetting` allows configuring security related properties\nsuch as TLS authentication and access control for traffic arriving\nat a proxy workload in a security group.\n\nThis is a global object that uniquely configures the security group, and there can \nbe only one security setting object defined for each security group.\n\nSecurity settings can be propagated along any defined security settings in the configuration hierarchy.\nHow security settings are propagated can be configured by specifying a *PropagationStrategy*.\n\nThe following example creates a security group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany` and defines a security setting that\nonly allows mutual TLS authenticated traffic from other proxy workloads in\nthe same group.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: 
BRIDGED\n```\n\nAnd the associated security settings for all proxy workloads in the group\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: GROUP\n```\n\nThe following example customizes the `allowedSources` to allow\ntraffic from the namespaces within the group as well as the\n`catalog-sa` service account from `ns4` namespace.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: custom\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n    http:\n      rules:\n        jwt:\n        - issuer: \"https://auth.tetrate.io\"\n          jwksUri: \"https://oauth2.auth.tetrate.io/certs\"\n        - issuer: \"https://auth.tetrate.internal\"\n          jwksUri: \"https://oauth2.auth.tetrate.internal/certs\"\n  authorization:\n    mode: CUSTOM\n    serviceAccounts:\n    - \"ns1/*\"\n    - \"ns2/*\"\n    - \"ns3/*\"\n    - \"ns4/catalog-sa\"\n    http:\n      external:\n        uri: \"https://policy.auth.tetrate.io\"\n        includeRequestHeaders:\n        - authorization\n```\n\nThe following example **rejects all** traffic arriving at workloads from namespaces\nthat belong to security group `t1`.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n    rules:\n      denyAll: true\n```\n\nThe following example **accepts all** traffic arriving at workloads from namespaces\nthat belong to security group `t1`. 
All authenticated requests are accepted\nbecause no workload is targeted to be allowed or denied.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n```\n\nThe following example **accepts all** traffic arriving at workloads in namespaces that belong\nto security group `t1`, **except** traffic from workloads belonging to workspace `w2`.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n    rules:\n      deny:\n       - from:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w2\n         to:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1\n```\n\nThe following example accepts traffic arriving at workloads in namespaces that belong\nto security group `t1` from workloads belonging to workspace `w2`.\nHence, only authenticated requests to workloads in security group `t1` coming from\nworkloads in workspace `w2` are accepted. 
All other requests will be rejected.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n    rules:\n      allow:\n       - from:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w2\n         to:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1\n```\n\nThe following example uses a combination of allows and denies to show how rules are evaluated.\nLet's say we have a workspace `w3` which contains 3 security groups, `sg31`, `sg32`, and `sg33`. Besides, we also\nhave workspaces `w1` and `w2`.\nSecurity group `sg31` contains workloads that handle sensitive data, and we want to\nonly accept requests arriving from the same workspace `w3` and explicitly reject requests coming from `sg32`.\nHence, only authenticated requests to workloads in security group `sg31` coming from\nworkloads in workspace `w3` and security group `sg31` or `sg33` will be accepted. Requests coming from `sg32`\nwill be rejected. 
Moreover, a request coming from any workload that belongs to another\nworkspace (`w1`, or `w2`), or to a security group that belongs to another workspace, will also be rejected\nby default because it is not in the list of allowed resource FQNs.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: sg31\n  workspace: w3\n  tenant: mycompany\n  organization: myorg\nspec:\n  authenticationSettings:\n    trafficMode: REQUIRED\n  authorization:\n    mode: RULES\n    rules:\n      allow:\n       - from:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w3\n         to:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31\n      deny:\n       - from:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg32\n         to:\n           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31\n```\n\nThe following example customizes the `WAFSettings` to enforce Web Application\nFirewall rules on sidecars in the namespaces that reside in the SecurityGroup.\n\nPlease **DO NOT** use it in production.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  waf:\n    rules:\n      - SecRuleEngine ON\n      - Include @owasp_crs/*.conf\n```\n\nThe following example customizes the `Extensions` to enable\nthe execution of the WasmExtensions list specified, detailing\ncustom properties for the execution of each extension.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  extension:\n  - fqn: hello-world # fqn of imported extensions in TSB\n    config:\n      foo: bar\n```\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. 
This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"authentication":{"$ref":"#/components/schemas/v2SecuritySettingAuthenticationMode"},"authorization":{"$ref":"#/components/schemas/tsbsecurityv2AuthorizationSettings"},"authenticationSettings":{"$ref":"#/components/schemas/tsbsecurityv2AuthenticationSettings"},"waf":{"$ref":"#/components/schemas/v2WAFSettings"},"propagationStrategy":{"$ref":"#/components/schemas/v2PropagationStrategy"},"extension":{"description":"Extensions specifies all the WasmExtensions assigned to this SecuritySettings\nwith the specific configuration for each extension. This custom configuration\nwill override the one configured globally to the extension.\nEach extension has a global configuration including enabling and priority\nthat will condition the execution of the assigned extensions.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"},"x-order":9},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2SecuritySettingAuthenticationMode":{"description":"AuthenticationMode indicates whether to accept only Istio mutual\nTLS authenticated traffic or allow legacy plaintext traffic as\nwell.\n\n - UNSET: Inherit from parent, if it has one. 
Otherwise treated as OPTIONAL.\n - OPTIONAL: Accept both plaintext and mTLS authenticated connections.\n - REQUIRED: Accept only mutual TLS authenticated connections.","type":"string","default":"UNSET","enum":["UNSET","OPTIONAL","REQUIRED"]},"v2ServerTLSSettings":{"type":"object","properties":{"mode":{"$ref":"#/components/schemas/v2ServerTLSSettingsTLSMode"},"secretName":{"description":"The name of the secret in Kubernetes that holds the TLS certs\nincluding the CA certificates. For Unified Gateway config, if the secret is\nin a different namespace than the gateway, it must be prefixed with the namespace\nin the format of <namespace>/<secret_name>. For all other gateway types, the secret\nmust be in the same namespace as the gateway resource. The secret (type generic) should\ncontain the following keys and values: key: `<privateKey>`, cert:\n`<serverCert>`, cacert: `<CACertificate>`.","type":"string","x-order":1},"files":{"$ref":"#/components/schemas/ServerTLSSettingsFileSource"},"minProtocolVersion":{"$ref":"#/components/schemas/gatewayv2TLSProtocol"},"maxProtocolVersion":{"$ref":"#/components/schemas/gatewayv2TLSProtocol"},"cipherSuites":{"type":"array","title":"List of cipher suites to be used for TLS connections.\nExamples of cipher suites:\n- \"TLS_RSA_WITH_AES_256_CBC_SHA\"\n- \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\"\n- \"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\"\n- \"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\"\n- \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\"","items":{"type":"string"},"x-order":5},"subjectAltNames":{"description":"List of Subject Alternative Names (SAN) from the client's certificate that are accepted\nfor client identity verification during the TLS handshake.","type":"array","items":{"type":"string"},"x-order":6}}},"v2ServerTLSSettingsTLSMode":{"description":" - OPTIONAL_MUTUAL: Similar to MUTUAL mode, except that the client certificate\nis optional. 
Unlike SIMPLE mode, a client certificate will\nstill be explicitly requested during handshake, but the client\nis not required to send a certificate. If a client certificate\nis presented, it will be validated. ca_certificates should\nbe specified for validating client certificates.","type":"string","default":"DISABLED","enum":["DISABLED","SIMPLE","MUTUAL","OPTIONAL_MUTUAL"]},"v2ServiceDestination":{"type":"object","title":"ServiceDestination is the destination service, port and subset where traffic\nshould be routed","required":["port"],"properties":{"subset":{"type":"string","title":"Subset is the version of the service where traffic should be routed to","x-order":0},"weight":{"type":"integer","format":"int64","title":"Weight defines the amount of traffic that needs to be routed to this specific\nversion","x-order":1},"port":{"type":"integer","format":"int64","title":"The port corresponding to the service host where traffic should be routed","x-order":2},"destinationHost":{"description":"Service host where traffic should be routed to. This should either be a FQDN\nor a short name for the k8s service. For example, \"reviews\" as destination_host will\nbe interpreted as \"reviews.ns1.cluster.local\"\nIf empty, the host will be inferred from the Service Route service field.","type":"string","x-order":3}}},"v2ServiceDetails":{"description":"ServiceDetails provides the details of a\nservice.","type":"object","properties":{"type":{"description":"The type of the service. It can be either ClusterIP, NodePort or LoadBalancer.","type":"string","x-order":0},"isReady":{"description":"Indicates whether the service is ready. 
A service is considered ready\nwhen the Kubernetes service has an assigned IP address (for LoadBalancer type)\nor is reachable within the cluster.","type":"boolean","x-order":1}}},"v2ServiceLookupRequest":{"description":"Request for all the services in the registry that are part of the given selector.","type":"object","required":["selector","parent"],"properties":{"selector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"parent":{"type":"string","title":"The FQN of the parent object where services will be looked up","x-order":1}}},"v2ServiceLookupResponse":{"description":"List of services that are included in the provided namespace selector.","type":"object","properties":{"services":{"type":"array","title":"The affected services","items":{"$ref":"#/components/schemas/tsbregistryv2Service"},"x-order":0}}},"v2ServicePort":{"type":"object","properties":{"number":{"description":"A valid non-negative integer port number.","type":"integer","format":"int64","x-order":0},"name":{"description":"Name assigned to the port.","type":"string","x-order":1},"kubernetesNodePort":{"description":"Indicates the node port attached to a physical deployment on a kubernetes\ncluster.","type":"integer","format":"int64","x-order":2}}},"v2ServiceRoute":{"description":"A service route controls routing configurations for traffic to a\nservice in a traffic group.\n\nService Routes can be used by service owners to configure traffic shifting\nacross different versions of a service in a Traffic Group. 
The traffic to\nthis service can originate from sidecars in the same or different traffic\ngroups, as well as gateways.\n\nThe following example yaml defines a Traffic Group `t1` in the namespaces\n`ns1`, `ns2` and `ns3`, owned by its parent Workspace `w1`.\nThen it defines a Service Route for the `reviews` service in the `ns1`\nnamespace with two subsets: `v1` and `v2`, where 80% of the traffic to the\nreviews service is sent to `v1` while the remaining 20% is sent to `v2`.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelectors:\n  - name: \"*/ns1\"\n  - name: \"*/ns2\"\n  - name: \"*/ns3\"\n  configMode: BRIDGED\n---\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  subsets:\n  - name: v1\n    labels:\n      version: v1\n    weight: 80\n  - name: v2\n    labels:\n      version: v2\n    weight: 20\n```\n\nServer side load balancing can be set through the combination of\n`portLevelSettings` and `stickySession`.\nThe following ServiceRoute will generate two routes:\n1. An HTTP route matching traffic on port 8080 and routing it 80:20 between\n   v1:v2, targeting port 8080. The server side load balancing will be based\n   on `header`.\n2. A TCP route matching traffic on port 443, and routing it 80:20 between\n   v1:v2, targeting port 443. 
The server side load balancing will be based\n   on `source IP`.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n  - port: 8080\n    trafficType: HTTP\n    stickySession:\n      header: x-session-hash\n  - port: 443\n    trafficType: TCP\n    stickySession:\n      useSourceIp: true\n  subsets:\n  - name: v1\n    labels:\n      version: v1\n    weight: 80\n  - name: v2\n    labels:\n      version: v2\n    weight: 20\n```\n\n**Note**: For TCP routes, only source IP (`useSourceIp: true`) is a valid\nload balancing hash key. Any other hash keys will be invalid.\n\nYou can also apply port settings just to a subset, such as in the following\nexample where for subset `v2` the source IP is used for sticky sessions.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n   - port: 8000\n     trafficType: TCP\n   - port: 443\n     trafficType: HTTP\n     stickySession:\n       header: x-sticky-hash\n  subsets:\n   - name: v1\n     labels:\n       version: v1\n     weight: 80\n   - name: v2\n     labels:\n       version: v2\n     weight: 20\n     portLevelSettings:\n       - port: 8000\n         trafficType: TCP\n         stickySession:\n           useSourceIp: true\n```\n\nIf the service exposes more than one port, then all such ports with\nprotocols need to be specified in top level `portLevelSettings`. Explicit\nroutes can be specified within `httpRoutes` or `tcpRoutes` sections. 
You can\nalso specify match conditions within each httpRoute to match the incoming\ntraffic and route the traffic accordingly.\n\nService Routes can also be used to delegate traffic weighting to a\n[Flagger Canary resource](https://docs.flagger.app).\nFirst create the resource with delegation enabled in each cluster, for example:\n```yaml\napiVersion: flagger.app/v1beta1\nkind: Canary\nmetadata:\n  name: reviews-canary\n  namespace: bookinfo\nspec:\n  targetRef:\n    apiVersion: apps/v1\n    kind: Deployment\n    name: reviews\n  service:\n    port: 9080\n    delegation: true\n  analysis:\n    threshold: 5\n    maxWeight: 50\n    stepWeight: 10\n```\n\nThen the following ServiceRoute will delegate all traffic on port 9080 to the above Flagger\nCanary.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews-sr\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: bookinfo/reviews.bookinfo.svc.cluster.local\n  portLevelSettings:\n    - port: 9080\n      trafficType: HTTP\n  httpRoutes:\n    - name: reviews-flagger\n      match:\n        - name: port-9080\n          port: 9080\n      flagger:\n        canary: reviews-canary\n        namespace: bookinfo\n```\n\nThe ServiceRoute below has two HTTP routes:\n1. The first route matches traffic on\n  `reviews.ns1.svc.cluster.local:8080/reviews` endpoint and `end-user: jason`\n  header and routes 80% of traffic to subset \"v1\" and 20% to subset \"v2\".\n2. 
The second route is the default HTTP route, which matches traffic on\n   `reviews.ns1.svc.cluster.local:8080/reviews` endpoint, and routes 50% of\n   traffic to subset \"v1\" and remaining 50% to subset \"v2\".\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n    - port: 8080\n      trafficType: HTTP\n  subsets:\n    - name: v1\n      labels:\n        version: v1\n      weight: 80\n    - name: v2\n      labels:\n        version: v2\n      weight: 20\n  httpRoutes:\n    - name: http-route-match-reviews-endpoint\n      match:\n        - name: match-reviews-endpoint\n          uri:\n            prefix: /reviews\n          headers:\n            end-user:\n              exact: jason\n          port: 8080\n      destination:\n        - subset: v1\n          weight: 80\n          port: 8080\n        - subset: v2\n          weight: 20\n          port: 8080\n    - name: http-route-default\n      match:\n        - name: match-default\n          uri:\n            prefix: /reviews\n          port: 8080\n      destination:\n        - subset: v1\n          weight: 50\n          port: 8080\n        - subset: v2\n          weight: 50\n          port: 8080\n```\n\n**Note**: Default routes will be generated automatically **only** if a port\nis specified in top level `portLevelSettings` but not used in any match\nconditions of httpRoutes, tcpRoutes or tlsRoutes (or if no routes are\nspecified). 
In all other conditions, all routes have to be defined\n**explicitly**.\n\nFor example, the ServiceRoute below will generate a `default-http-route`\nmatching on port `8080` and will route traffic in the ratio 80:20 between\nv1:v2.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n    - port: 8080\n      trafficType: HTTP\n  subsets:\n    - name: v1\n      labels:\n        version: v1\n      weight: 80\n    - name: v2\n      labels:\n        version: v2\n      weight: 20\n```\n\nA similar example for TCP traffic where all the traffic for port\n6666 will be sent to the v1 subset.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n  name: reviews\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n    - port: 6666\n      trafficType: TCP\n  subsets:\n    - name: v1\n      labels:\n        version: v1\n      weight: 50\n    - name: v2\n      labels:\n        version: v2\n      weight: 50\n  tcpRoutes:\n    - name: tcp-route-match-port-6666-v1-100\n      match:\n        - name: match-condition-port-6666-v1-100\n          port: 6666\n      destination:\n        - subset: v1\n          weight: 100\n          port: 6666\n```\n\nFor HTTP traffic routes, fault injection allows delaying or aborting requests,\nand traffic mirroring allows mirroring a percentage of the traffic to multiple\ndifferent destinations.\n\nIn the next example, a Service Route defines a single HTTP route that\nmatches traffic on the `reviews` service on port 8080, with an 80/20 weight\nfor v1/v2 subsets.\nFor the specific `/reviews` path and `end-user: jason-chaos` header, an HTTP Route is defined with a\ndifferent subset where 100% of requests will go to v1, and have the 
following fault injections:\n- 2 out of 100 requests will have a 5 second delay\n- 1 out of 1000 will return a 400 HTTP status code.\n\nOn top of that, for all the `/reviews` requests, 5 out of 1000 will be mirrored to the service\n`debug-reviews.ns1.svc.cluster.local` on port 8888.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceRoute\nmetadata:\n   name: reviews\n   group: t1\n   workspace: w1\n   tenant: mycompany\n   organization: myorg\nspec:\n  service: ns1/reviews.ns1.svc.cluster.local\n  portLevelSettings:\n    - port: 8080\n      trafficType: HTTP\n  subsets:\n    - name: v1\n      labels:\n        version: v1\n      weight: 80\n    - name: v2\n      labels:\n        version: v2\n      weight: 20\n  httpRoutes:\n    - name: http-route-match-reviews-endpoint\n      match:\n        - name: match-reviews-endpoint\n          uri:\n            prefix: /reviews\n          headers:\n            end-user:\n              exact: jason-chaos\n          port: 8080\n      destination:\n        - subset: v1\n          port: 8080\n      fault:\n        delay:\n          percentage: 2\n          fixedDelay: 5s\n        abort:\n          percentage: 0.1\n          httpStatus: 400\n      mirrors:\n        - host: reviews.ns1.svc.cluster.local\n          subset: v2\n          port: 8080\n          percentage: 0.5\n```\n\n\n\n","type":"object","required":["service"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"service":{"description":"The service on which the configuration is being applied. Must be in namespace/FQDN format.","type":"string","x-order":4},"subsets":{"description":"The set of versions of a service and the percentage of traffic to\nsend to each version.","type":"array","items":{"$ref":"#/components/schemas/v2ServiceRouteSubset"},"x-order":5},"stickySession":{"$ref":"#/components/schemas/ServiceRouteStickySession"},"portLevelSettings":{"type":"array","title":"In order to support multi-protocol routing, a list of all port/protocol combinations is needed.\nThese port settings are applied to all the subsets","items":{"$ref":"#/components/schemas/ServiceRoutePortLevelTrafficSettings"},"x-order":7},"httpRoutes":{"description":"HTTPRoutes are used when HTTP traffic needs to be matched on uri, headers\nand port and destination routes need to be set using subset-weight\ncombinations specified within the route.\n**Note**: If a route is specified, then the global subset-weight\ncombinations (specified under subsets) will be ignored for the matched\nport, as subsets within route will take effect.","type":"array","items":{"$ref":"#/components/schemas/v2HTTPRoute"},"x-order":8},"tcpRoutes":{"description":"TCPRoutes match TCP traffic based on port number. The subset-weight\nconfiguration and priority have the same behaviour as HTTPRoutes.","type":"array","items":{"$ref":"#/components/schemas/v2TCPRoute"},"x-order":9},"argoRollout":{"$ref":"#/components/schemas/v2ArgoRollout"},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2ServiceRouteSubset":{"description":"Subset denotes a specific version of a service. 
The pods/VMs of a\nsubset should be uniquely identifiable using their labels.","type":"object","required":["name"],"properties":{"name":{"description":"Name used to refer to the subset.","type":"string","x-order":0},"labels":{"description":"Labels apply a filter over the endpoints of a service in the service registry.","type":"object","additionalProperties":{"type":"string"},"x-order":1},"weight":{"description":"Percentage of traffic to be sent to this subset. Weight if not\nspecified will be assumed to be 0 if there are multiple\nsubsets. If there is only one subset, the weight will be\nassumed to be 1.","type":"integer","format":"int64","x-order":2},"portLevelSettings":{"description":"Port/Protocol/StickySession combination for which routes need to be generated specifically for\na subset. These settings are meant to override the global PortLevelTrafficSettings, i.e. first, \nglobal PortLevelTrafficSettings are used to generate routes and then we use non-conflicting subset level \nPortLevelTrafficSettings to modify existing routes. If provided, PortLevelTrafficSettings should be provided for \nall subsets for proper load balancing.","type":"array","items":{"$ref":"#/components/schemas/ServiceRoutePortLevelTrafficSettings"},"x-order":3}}},"v2ServiceSecuritySetting":{"description":"`ServiceSecuritySetting` allows configuring security related properties\nsuch as TLS authentication and access control for traffic arriving\nat a particular service in a security group. 
These settings will replace\nthe security group wide settings for this service.\n\nThe following example defines a security setting that applies to the service\n`foo` in namespace `ns1` that only allows mutual TLS authenticated traffic\nfrom other proxy workloads in the same group.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: ServiceSecuritySetting\nmetadata:\n  name: foo-auth\n  group: sg1\n  workspace: w1\n  tenant: mycompany\n  org: myorg\nspec:\n  service: ns1/foo.ns1.svc.cluster.local\n  settings:\n    authentication: REQUIRED\n    authorization:\n      mode: GROUP\n```\n\nThe following example customizes the `Extensions` to enable\nthe execution of the WasmExtensions list specified, detailing\ncustom properties for the execution of each extension.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: ServiceSecuritySetting\nmetadata:\n  name: foo-wasm-plugin\n  group: sg1\n  workspace: w1\n  tenant: mycompany\n  org: myorg\nspec:\n  service: ns1/foo.ns1.svc.cluster.local\n  settings:\n    extension:\n    - fqn: hello-world # fqn of imported extensions in TSB\n      config:\n        foo: bar\n```\n\n\n\n","type":"object","required":["service"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"service":{"description":"The service on which the configuration is being applied. 
Must be in namespace/FQDN format.","type":"string","x-order":4},"settings":{"$ref":"#/components/schemas/v2SecuritySetting"},"subsets":{"description":"Subset specific settings that will replace the service wide settings for the specified service\nsubsets.","type":"array","items":{"$ref":"#/components/schemas/v2ServiceSecuritySettingSubset"},"x-order":6},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2ServiceSecuritySettingSubset":{"description":"Subset allows replacing the settings for a specific version of a service.","type":"object","required":["name","settings"],"properties":{"name":{"description":"Name used to refer to the subset.\nThis must match a subset defined in the ServiceRoute for this service, else it will be omitted.","type":"string","x-order":0},"settings":{"$ref":"#/components/schemas/v2SecuritySetting"}}},"v2ServiceSelector":{"type":"object","title":"ServiceSelector represents the match criteria to select services within a\nparticular scope (namespace, workspace, cluster etc)","required":["serviceLabels"],"properties":{"serviceLabels":{"type":"object","title":"One or more labels that indicate a specific set of services within a particular scope","additionalProperties":{"type":"string"},"x-order":0}}},"v2ServiceState":{"description":"State denotes the interactions the service can have with the mesh. A service can exist in one of the states\nwhich represents the set of interactions(Observability and Control) the mesh can have with these services.\n\n - EXTERNAL: An external service is a service that is known, but that cannot be observed (we can't get metrics for it)\nand cannot be controlled.\n - OBSERVED: An observed service is a known service that we can have metrics for. 
For example, a service running the\nSkywalking agents.\n - CONTROLLED: A controlled service is a service that is part of the mesh, has a proxy we can configure and can be observed with\nSkywalking agents.","type":"string","default":"INVALID_STATE","enum":["INVALID_STATE","EXTERNAL","OBSERVED","CONTROLLED"]},"v2ServiceTrafficSetting":{"description":"A service traffic setting applies configuration to a service in a\ntraffic group. Unset fields will inherit values from the\nworkspace-wide setting if any.\n\n`ServiceTrafficSetting` allows configuring traffic related properties\nsuch as resiliency, reachability, load balancing and egress proxy for a\nparticular service in a traffic group. These settings will merge and\noverwrite the traffic group wide settings.\n\nThe following example creates a traffic group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace `w1` under\ntenant `mycompany`. It then defines a service traffic setting for the workloads\nselected by service `foo.ns1.svc.cluster.local`. This setting limits the workloads\nof `foo.ns1.svc.cluster.local` to only discover services in the `ns1`, `ns2`, `ns3`\nand `db` namespaces. 
It also configures outbound traffic to a service or IP which\nis not a part of the mesh to be forwarded through the egress gateway deployed\nin the `istio-system` namespace.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelectors:\n  - name: \"*/ns1\"\n  - name: \"*/ns2\"\n  - name: \"*/ns3\"\n  configMode: BRIDGED\n```\n\nAnd the associated service traffic settings:\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceTrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/foo.ns1.svc.cluster.local\n  settings:\n    outbound:\n      reachability:\n        mode: CUSTOM\n        hosts:\n        - \"ns1/*\"\n        - \"ns2/*\"\n        - \"ns3/*\"\n        - \"db/*\"\n      upstreamTrafficSettings:\n      - hosts:\n        - \"*\"\n        settings:\n          resilience:\n            circuitBreakerSensitivity: MEDIUM\n      egress:\n        host: istio-system/istio-egressgateway\n```\n\nThe following service traffic setting confines the reachability of the service\n`foo.ns1.svc.cluster.local` sidecar proxies in the traffic group `t1` to other\nnamespaces inside the group. The resilience and egress gateway settings will be\ninherited from the workspace wide traffic setting.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: ServiceTrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  service: ns1/foo.ns1.svc.cluster.local\n  settings:\n    outbound:\n      reachability:\n        mode: GROUP\n```\n\n\n\n","type":"object","required":["service","settings"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. 
This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"service":{"description":"The service on which the configuration is being applied. Must be in namespace/FQDN format.\n\nOnly one service traffic setting can be given per service. Any conflicting configuration created\nlater will be rejected by TSB.","type":"string","x-order":4},"settings":{"$ref":"#/components/schemas/v2TrafficSetting"},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2ServiceType":{"description":"ServiceType denotes the exposition of a service in the mesh.\n\n - INTERNAL: A regular service that is not directly exposed to the outside world.\n - LOADBALANCER: A load balancer service running only the proxy as the workload.\n - MESH_EXTERNAL: A mesh external service.","type":"string","default":"INVALID_TYPE","enum":["INVALID_TYPE","INTERNAL","LOADBALANCER","MESH_EXTERNAL"]},"v2SharedGatewayReferenceGrant":{"description":"Shared Gateway Reference Grants allows sharing a Gateway with other Workspaces or Gateway Groups, so\nthat the referencing Workspaces or Gateway Groups can apply their own configurations to the shared Gateway.\n\nThe following example creates a Shared Gateway Reference Grant for the Gateway `shared-gw1` and allows the Workspace `w2`\nto reference it and apply its own configurations. 
Any shared Gateway configurations that are applied to `shared-gw1`\nin Workspace `w2` will be applied to the Gateway `shared-gw1` in Workspace `w1`.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: SharedGatewayReferenceGrant\nmetadata:\n  name: shared-gw1-grant\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  gatewaySelectors:\n  - nameSelector:\n      name: shared-gw1\n  from:\n    fqn:\n    - organizations/tetrate/tenants/mycompany/workspaces/w2\n```\n\n\n\n","type":"object","required":["from","gatewaySelectors"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"updateProtectionEnabled":{"description":"When set, prevents the resource from being deleted or updated. In order to delete or update the resource\nthis property needs to be set to `false` first.","type":"boolean","x-order":4},"from":{"$ref":"#/components/schemas/v2SharedGatewayReferenceGrantFrom"},"gatewaySelectors":{"description":"A list of Gateway Selectors that specify which Gateways are being shared.","type":"array","items":{"$ref":"#/components/schemas/SharedGatewayReferenceGrantGatewaySelector"},"x-order":6}}},"v2SharedGatewayReferenceGrantFrom":{"description":"From specifies the resource that is granted access to the shared Gateway.","type":"object","required":["fqn"],"properties":{"fqn":{"description":"The fully-qualified name of the resource that is being granted access to the\nshared Gateway. 
This can be a Tenant, Workspace or a Gateway Group.","type":"array","items":{"type":"string"},"x-order":0}}},"v2SourceScope":{"description":"Source scope defines the source's wingspan in the mesh. It defines how we are observing the resources.\nFor instance, we can observe a resource at the service, ingress, or relation level.","type":"object","properties":{"serviceScopes":{"$ref":"#/components/schemas/SourceScopeServiceScopes"},"ingressScopes":{"$ref":"#/components/schemas/SourceScopeIngressScopes"},"relationScopes":{"$ref":"#/components/schemas/SourceScopeRelationScopes"}}},"v2SourceScopeType":{"description":"The type of scopes which defines telemetry source's wingspan in the mesh.\n\n - SERVICE: A telemetry source service based scope.\n - INGRESS: A telemetry source ingress's hostname based scope.\n - RELATION: A telemetry source relation based scope.","type":"string","default":"INVALID","enum":["INVALID","SERVICE","INGRESS","RELATION"]},"v2SourceType":{"description":"`SourceType` describes where teams come from.\nTeams can be synchronized from the Identity Provider but can also be manually\ncreated using the Team API to create convenient groupings of users and other\nteams in order to configure fine-grained permissions in the Management Plane.\n\n - LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP.\n - LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and\ndo not exist in the Identity Provider.\nDeprecated. This value is deprecated and will be removed in future releases. Use 'MANUAL' instead.\n - AZURE: AZURE is used for users synchronized from an Azure Active Directory.\n - MANUAL: MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated.\nMANUAL users are deprecated and Service Accounts should be used instead. 
Support for MANUAL users will\nbe removed in future versions.\n - PINGAM: PINGAM is used for users and teams that are automatically synchronized from Ping Identity Access Management (PingAM).","type":"string","default":"INVALID","enum":["INVALID","LDAP","LOCAL","AZURE","MANUAL","PINGAM"]},"v2StreamLogsResponse":{"description":"Response to the request to stream logs of an Istio Proxy.","type":"object","properties":{"output":{"description":"Logs of an Istio Proxy.","type":"string","x-order":0}}},"v2SyncOrganizationResponse":{"description":"Result of the organization users and team synchronization.","type":"object","properties":{"failedUsers":{"$ref":"#/components/schemas/SyncOrganizationResponseFailedIds"},"failedTeams":{"$ref":"#/components/schemas/SyncOrganizationResponseFailedIds"}}},"v2TCPMatchCondition":{"type":"object","title":"TCPMatchCondition is the set of conditions to match incoming TCP traffic\nand route accordingly","required":["name","port"],"properties":{"name":{"type":"string","title":"Name of the match condition","x-order":0},"port":{"type":"integer","format":"int64","title":"TCP match conditions only have port in match conditions","x-order":1}}},"v2TCPRoute":{"description":"TCPRoute is used to set TCP routes to service destinations on the basis of match conditions.","type":"object","required":["name"],"properties":{"name":{"type":"string","title":"Name of TCPRoute","x-order":0},"match":{"type":"array","title":"Match conditions for incoming TCP traffic","items":{"$ref":"#/components/schemas/v2TCPMatchCondition"},"x-order":1},"destination":{"type":"array","title":"Destination host:port and subset where TCP traffic should be directed","items":{"$ref":"#/components/schemas/v2ServiceDestination"},"x-order":2}}},"v2TCPServer":{"type":"object","title":"A TCP server exposed in an ingress gateway. 
A TCP server may be used for any TCP based protocol.\nThis is also used for the special case of a non-HTTP protocol requiring TLS termination at the gateway","required":["name","port","hostname"],"properties":{"name":{"description":"A name assigned to the server. The name will be visible in the generated metrics. The name must be\nunique across all HTTP, TLS passthrough and TCP servers in a gateway.","type":"string","x-order":0},"port":{"type":"integer","format":"int64","title":"The port where the server is exposed. Two servers with different protocols can share the same port\nonly when both of them use TLS (either terminated at the gateway or pass-through)","x-order":1},"hostname":{"description":"Hostname to identify the service. When TLS is configured, clients have to use this as\nthe Server Name Indication (SNI) for the TLS connection. When TLS is not configured (opaque TCP),\nthis is used to identify the service traffic for defining routing configs. Usually, this is\nconfigured as the DNS name of the service. For instance, if clients access a zookeeper cluster\nas `zk-1.myorg.internal` then the hostname could be specified as `zk-1.myorg.internal`. This\nalso helps easier identification in the configs.\n\nThis is also used in multicluster routing. In the previous example, clients within the mesh\ncan also use `zk-1.myorg.internal` to access this service (provided authorization policy allows it)","type":"string","x-order":2},"tls":{"$ref":"#/components/schemas/v2ServerTLSSettings"},"route":{"$ref":"#/components/schemas/v2Route"}}},"v2TLS":{"description":"A TLS server exposed in a gateway. For TLS servers, the gateways do not terminate\nconnections and use SNI based routing.","type":"object","required":["name","port","hostname","route"],"properties":{"name":{"description":"A name assigned to the server. The name will be visible in the generated metrics. 
The name must be\nunique across all HTTP, TLS passthrough and TCP servers in a gateway.","type":"string","x-order":0},"port":{"description":"The port where the server is exposed. Two servers with different protocols (HTTP and HTTPS) should not\nshare the same port. Note that port 15443 is reserved for internal use.","type":"integer","format":"int64","x-order":1},"hostname":{"description":"Hostname with which the service can be expected to be accessed by clients.\nRouting will be done based on SNI matches for this hostname.\n**NOTE:** The \"hostname:port\" must be unique across all gateways in the cluster in order for\nmulticluster routing to work.","type":"string","x-order":2},"route":{"$ref":"#/components/schemas/v2RouteTo"},"failoverSettings":{"$ref":"#/components/schemas/tsbtypesv2FailoverSettings"}}},"v2TLSPassthroughServer":{"description":"A TLS server exposed in an ingress gateway. For TLS servers the gateways don't terminate\nconnections and use SNI based routing.","type":"object","required":["name","port","hostname","route"],"properties":{"name":{"description":"A name assigned to the server. The name will be visible in the generated metrics. The name must be\nunique across all HTTP, TCP and TLS servers in a gateway.","type":"string","x-order":0},"port":{"description":"The port where the server is exposed. Two servers with different protocols (HTTP and HTTPS) should not\nshare the same port. 
Note that port 15443 is reserved for internal use.","type":"integer","format":"int64","x-order":1},"hostname":{"description":"Hostname with which the service can be expected to be accessed by clients.\nRouting will be done based on SNI matches for this hostname.\n**NOTE:** The hostname must be unique across all gateways in the cluster in order for multicluster routing to work.","type":"string","x-order":2},"route":{"$ref":"#/components/schemas/v2Route"}}},"v2TcpKeepAliveSettings":{"description":"TCP Keep Alive Settings.","type":"object","properties":{"downstream":{"$ref":"#/components/schemas/tsbtrafficv2TcpKeepAlive"},"upstream":{"$ref":"#/components/schemas/tsbtrafficv2TcpKeepAlive"}}},"v2Team":{"description":"`Team` is a named collection of users, service accounts, and other\nteams. Teams can be assigned access permissions on various\nresources. All members of a team inherit the access permissions\nassigned to the team.\n\nThe following example creates a team named `org` under the organization\n`myorg` with all members of `product1` and `product2` teams, and\nusers `alice` and `bob`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Team\nmetadata:\n  name: org\n  organization: myorg\nspec:\n  members:\n  - organizations/myorg/users/alice\n  - organizations/myorg/users/bob\n  - organizations/myorg/teams/product1\n  - organizations/myorg/teams/product2\n```\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"members":{"description":"List of members under the team.\nThe elements of this list are the FQNs of the team members. Team members can be\nusers, service accounts or other teams.","type":"array","items":{"type":"string"},"x-order":4},"sourceType":{"$ref":"#/components/schemas/v2SourceType"}}},"v2Tenant":{"description":"`Tenant` is a self-contained entity within an organization in\nthe Service Bridge object hierarchy. Tenants can be business units,\norganization units, or any logical grouping that matches a corporate\nstructure.\n\nThe following example creates a tenant named `mycompany` in an organization\nnamed `myorg`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Tenant\nmetadata:\n  organization: myorg\n  name: mycompany\n```\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"securityDomain":{"description":"Security domains can be used to group different resources under the same security domain.\nAlthough a security domain is not currently a resource itself, it follows a fqn format\n`organizations/myorg/securitydomains/mysecuritydomain`, and a child cannot override any ancestor's\nsecurity domain.\nOnce a security domain is assigned to a _Tenant_, all the child resources will belong to that\nsecurity domain. In the same way a _Workspace_ belongs to a _Tenant_, a _Workspace_ will also belong\nto the security domain assigned to the _Tenant_.\nSecurity domains can also be used to define _Security settings Authorization rules_ in which you can allow\nor deny requests from or to a security domain.","type":"string","x-order":4},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. 
In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":5},"profiles":{"description":"List of profiles attached to the tenant to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"},"x-order":6},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2TenantSetting":{"description":"Tenant Setting allows configuring default settings for the tenant.\n\nThis is a global object that uniquely configures the tenant, and there can\nbe only one tenant setting object defined for each tenant.\n\nTraffic and security settings can be defined as default for a tenant, meaning that they\nwill be applied to all the workspaces of the tenant.\nThese default settings can be overridden by creating the proper WorkspaceSetting, TrafficSetting or SecuritySetting\nin the desired workspace or group.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: TenantSetting\nmetadata:\n  name: tenant-settings\n  organization: myorg\n  tenant: mytenant\nspec:\n  defaultTrafficSetting:\n    outbound:\n      reachability:\n        mode: WORKSPACE\n      egress:\n        host: bookinfo-perimeter/tsb-egress\n  defaultSecuritySetting:\n    authenticationSettings:\n      trafficMode: REQUIRED\n    authorization:\n      mode: GROUP\n```\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"defaultSecuritySetting":{"$ref":"#/components/schemas/v2SecuritySetting"},"defaultTrafficSetting":{"$ref":"#/components/schemas/v2TrafficSetting"}}},"v2Tier1ExternalServer":{"description":"Tier1ExternalServer describes the properties of a server exposed\noutside the mesh. Traffic arriving at a Tier1 external server is\nusually TLS terminated and then forwarded over Istio mTLS to all\nthe lower tier2 clusters.","type":"object","required":["name","port","hostname"],"properties":{"name":{"description":"A name assigned to the server. The name will be visible in the generated metrics. The name must be\nunique across all external servers in the gateway.","type":"string","x-order":0},"port":{"description":"The port where the server is exposed. Note that port 15443 is reserved.","type":"integer","format":"int64","x-order":1},"hostname":{"description":"Hostname with which the service can be expected to be accessed by\nclients.","type":"string","x-order":2},"tls":{"$ref":"#/components/schemas/v2ServerTLSSettings"},"clusters":{"description":"The destination clusters that contain ingress gateways exposing\nthe hostname. If omitted, traffic will be automatically load\nbalanced across all tier2 clusters whose ingress gateways expose\nthe above hostname. 
If `redirect` is configured then this field\ncannot be configured.\nTo do failover and locality based routing among clusters, either omit\nthe clusters field or omit the weights from all the cluster destinations.","type":"array","items":{"$ref":"#/components/schemas/v2ClusterDestination"},"x-order":4},"redirect":{"$ref":"#/components/schemas/v2Redirect"},"authentication":{"$ref":"#/components/schemas/tsbauthv2Authentication"},"authorization":{"$ref":"#/components/schemas/tsbauthv2Authorization"},"rateLimiting":{"$ref":"#/components/schemas/tsbgatewayv2RateLimiting"}}},"v2Tier1Gateway":{"description":"`Tier1Gateway` configures a workload to act as a gateway that\ndistributes traffic across one or more ingress gateways in other\nclusters.\n\n**NOTE:** Tier1 gateways cannot be used to route traffic to the\nsame cluster. A cluster with tier1 gateway cannot have any other\ngateways or workloads.\n\nThe following example declares a tier1 gateway running on pods with\n`app: gateway` labels in the `ns1` namespace. The gateway exposes\nhost `movieinfo.com` on ports 8080, 8443 and `kafka.internal` on port 9000.\nTraffic for these hosts at the ports 8443 and 9000 are TLS terminated and\nforwarded over Istio mutual TLS to the ingress gateways hosting\n`movieinfo.com` host on clusters `c3` and `c4` and the internal\n`kafka.internal` service in cluster `c3` respectively. 
The server at\nport 8080 is configured to receive plaintext HTTP traffic and redirect\nto port 8443 with \"Permanently Moved\" (HTTP 301) status code.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  externalServers:\n  - name: movieinfo-plain\n    hostname: movieinfo.com # Plaintext and HTTPS redirect\n    port: 8080\n    redirect:\n      authority: movieinfo.com\n      uri: \"/\"\n      redirectCode: 301\n      port: 8443\n      scheme: https\n  - name: movieinfo\n    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream\n    port: 8443\n    tls:\n      mode: SIMPLE\n      secretName: movieinfo-secrets\n    clusters:\n    - name: c3 # the target gateway IPs will be automatically determined\n      weight: 90\n    - name: c4\n      weight: 10\n    authentication:\n      rules:\n        jwt:\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.mycompany.com/oauth2/jwks\n        - issuer: \"auth.othercompany.com\"\n          jwksUri: https://auth.othercompany.com/oauth2/jwks\n    authorization:\n      external:\n        uri: \"https://auth.company.com\"\n        includeRequestHeaders:\n        - authorization\n  tcpExternalServers:\n  - name: kafka\n    hostname: kafka.internal\n    port: 9000\n    tls:\n      mode: SIMPLE\n      secretName: kafka-cred\n    clusters:\n    - name: c3\n      weight: 100\n```\n\nIn the following example, the clients are authenticated using an external OIDC provider using\n[AUTHORIZATION_CODE grant type](https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow).\nOnce the client request is authenticated, it is forwarded to cluster c3 or c4.\nThe access_token generated after client authentication is set as `Bearer` in request headers.\nThe state of authentication is stored in 
cookies.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  externalServers:\n  - name: movieinfo-plain\n    hostname: movieinfo.com # Plaintext and HTTPS redirect\n    port: 8080\n    redirect:\n      authority: movieinfo.com\n      uri: \"/\"\n      redirectCode: 301\n      port: 8443\n      scheme: https\n  - name: movieinfo\n    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream\n    port: 8443\n    tls:\n      mode: SIMPLE\n      secretName: movieinfo-secrets\n    clusters:\n    - name: c3 # the target gateway IPs will be automatically determined\n      weight: 90\n    - name: c4\n      weight: 10\n    authentication:\n      oidc:\n        grantType: AUTHORIZATION_CODE\n        clientId: \"my-client\"\n        clientTokenSecret: \"my-secret\"\n        redirectUri: https://httpbin.example.com/bearer\n        provider:\n          issuer: https://accounts.google.com\n          authorizationEndpoint: https://accounts.google.com/v1/authorize\n          tokenEndpoint: https://accounts.google.com/v1/token\n          jwksUri: https://www.googleapis.com/oauth2/v3/certs\n    authorization:\n      external:\n        uri: \"https://auth.company.com\"\n        includeRequestHeaders:\n        - authorization\n```\n\nTier1 gateways can also be used to forward mesh internal traffic\nfor Gateway hosts from one cluster to another. This form of\nforwarding will work only if the two clusters cannot reach each\nother directly (e.g., they are on different VPCs that are not\npeered). The following example declares a tier1 gateway running on\npods with `app: gateway` labels in the `ns1` namespace. The gateway\nexposes hosts `movieinfo.com`, `bookinfo.com`, and a non-HTTP server\ncalled `kafka.org-internal` within the mesh. 
Traffic to `movieinfo.com`\nis load balanced across all clusters on `vpc-02`, while traffic to\n`bookinfo.com` and `kafka.org-internal` is load balanced across ingress\ngateways exposing `bookinfo.com` on any cluster. Traffic from the source\n(sidecars) is expected to arrive on the tier1 gateway over Istio mTLS.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  internalServers: # forwarding gateway (HTTP traffic only)\n  - name: movieinfo\n    hostname: movieinfo.com\n    clusters:\n    - labels:\n        network: vpc-02 # the target gateway IPs will be automatically determined\n    authentication:\n      rules:\n        jwt:\n        - issuer: \"auth.mycompany.com\"\n          jwksUri: https://auth.company.com/oauth2/jwks\n        - issuer: \"auth.othercompany.com\"\n          jwksUri: https://auth.othercompany.com/oauth2/jwks\n    authorization:\n      external:\n        uri: \"https://auth.company.com\"\n        includeRequestHeaders:\n        - authorization\n  - name: bookinfo\n    hostname: bookinfo.com # route to any ingress gateway exposing bookinfo.com\n  tcpInternalServers: # forwarding non-HTTP traffic within the mesh\n  - name: kafka\n    hostname: kafka.org-internal\n```\n\n**NOTE:** If two clusters have direct connectivity, declaring\na tier1 internal server will have no effect.\n\nTier1 gateways can also be configured to expose hostnames in the\nTLS passthrough mode. Tier1 gateway will forward the passthrough server traffic to\nany tier2 passthrough servers exposing the same hostname. 
In other words,\nto leverage passthrough at tier1, passthrough MUST be configured\nat the tier2 IngressGateway as well.\n\n**NOTE:** A hostname like `abc.com` can be exposed either in passthrough mode OR\nin terminating TLS mode (External/Internal servers), not in both modes.\n\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1-tls-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  passthroughServers:\n  - name: nginx\n    port: 8443\n    hostname: nginx.example.com\n```\n\nThe Tier1Gateway above requires at least one corresponding IngressGateway, e.g.:\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: tls-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  tlsPassthrough:\n    - name: nginx\n      port: 443\n      hostname: nginx.example.com\n      route:\n        host: \"ns1/my-nginx.default.svc.cluster.local\"\n        port: 443\n```\n\nThe following example customizes the `Extensions` field to enable\nthe execution of the specified WasmExtensions list and details\ncustom properties for the execution of each extension.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1-tls-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  externalServers:\n  - name: movieinfo-plain\n    hostname: movieinfo.com # Plaintext and HTTPS redirect\n    port: 8080\n    redirect:\n      authority: movieinfo.com\n      uri: \"/\"\n      redirectCode: 301\n      port: 8443\n      scheme: https\n  extension:\n  - fqn: hello-world # fqn of imported extensions in TSB\n    config:\n      foo: 
bar\n```\n\nWhenever traffic is to be sent from one cluster to another, one or more of\nthe following would have to be true for it to succeed:\n- Both clusters belong to the same network.\n- Destination cluster network is not named.\n- [Organization Setting](https://docs.tetrate.io/service-bridge/en-us/refs/tsb/v2/organization_setting#organizationsetting)\nis set up to send traffic from source cluster to destination cluster.\n\n`Tier1Gateway` also allows you to apply ModSecurity/Coraza compatible Web\nApplication Firewall rules to traffic passing through the gateway.\n\n```yaml\napiVersion: gateway.xcp.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1-waf-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  passthroughServers:\n  - name: nginx\n    port: 8443\n    hostname: nginx.example.com\n  waf:\n    rules:\n      - Include @owasp_crs/*.conf\n```\n\n\n\n","type":"object","title":":::warning Deprecation\nThe functionality provided by the `Tier1Gateway` is now provided in `Gateway` object, and\nusing it is the recommended approach. The `Tier1Gateway` resource will be removed in future releases.\n:::","required":["workloadSelector"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"workloadSelector":{"$ref":"#/components/schemas/tsbtypesv2WorkloadSelector"},"externalServers":{"description":"One or more servers exposed by the gateway externally.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1ExternalServer"},"x-order":5},"internalServers":{"description":"One or more servers exposed by the gateway internally for cross cluster forwarding.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1InternalServer"},"x-order":6},"passthroughServers":{"description":"One or more tls passthrough servers exposed by the gateway externally.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1PassthroughServer"},"x-order":7},"tcpExternalServers":{"description":"One or more tcp servers exposed by the gateway externally.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1TCPExternalServer"},"x-order":8},"tcpInternalServers":{"description":"One or more tcp servers exposed by the gateway for mesh internal traffic.","type":"array","items":{"$ref":"#/components/schemas/v2Tier1TCPInternalServer"},"x-order":9},"extension":{"description":"Extensions specifies all the WasmExtensions assigned to this Tier1Gateway\nwith the specific configuration for each extension. 
This custom configuration\nwill override the one configured globally to the extension.\nEach extension has a global configuration including enablement and priority\nthat will condition the execution of the assigned extensions.","type":"array","items":{"$ref":"#/components/schemas/v2WasmExtensionAttachment"},"x-order":10},"waf":{"$ref":"#/components/schemas/v2WAFSettings"},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2Tier1InternalServer":{"description":"Tier1InternalServer describes the properties of a server exposed\nwithin the mesh, for the purposes of forwarding traffic between two\nclusters that cannot otherwise directly reach each other. Traffic\narriving at a Tier1 internal server should be over Istio\nmTLS. After TLS termination and metrics extraction, it is forwarded\nto tier2 clusters based on the selection criteria.","type":"object","required":["name","hostname"],"properties":{"name":{"description":"A name assigned to the server. The name will be visible in the generated metrics. The name must be\nunique across all internal servers in the gateway.","type":"string","x-order":0},"hostname":{"description":"Hostname with which the service can be expected to be accessed by\nsidecars in the mesh.","type":"string","x-order":1},"clusters":{"description":"The destination clusters that contain ingress gateways exposing\nthe hostname. If omitted, traffic will be automatically load\nbalanced across all tier2 clusters whose ingress gateways expose\nthe above hostname.","type":"array","items":{"$ref":"#/components/schemas/v2ClusterDestination"},"x-order":2},"authentication":{"$ref":"#/components/schemas/tsbauthv2Authentication"},"authorization":{"$ref":"#/components/schemas/tsbauthv2Authorization"}}},"v2Tier1PassthroughServer":{"description":"Tier1PassthroughServer describes the properties of a server exposed\nto the external world. 
Traffic arriving at a Tier1 passthrough server is\nnot TLS terminated and rather forwarded over to all the lower tier2 clusters.","type":"object","required":["name","port","hostname"],"properties":{"name":{"description":"A name assigned to the server. The name will be visible in the generated metrics. The name must be\nunique across all external servers in the gateway.","type":"string","x-order":0},"port":{"description":"The port where the server is exposed. Note that port 15443 is reserved.","type":"integer","format":"int64","x-order":1},"hostname":{"description":"Hostname with which the service can be expected to be accessed by\nclients.","type":"string","x-order":2},"clusters":{"description":"The destination clusters that contain ingress gateways exposing\nthe hostname on passthrough servers. If omitted, traffic will be automatically load\nbalanced across all tier2 clusters whose ingress gateways expose\nthe above hostname.","type":"array","items":{"$ref":"#/components/schemas/v2ClusterDestination"},"x-order":3}}},"v2Tier1TCPExternalServer":{"description":"Tier1TCPExternalServer is used to describe the properties of a TCP server\n(used for opaque TCP or non-HTTP protocols) exposed to the external world.\nIf the protocol is known to be HTTP, then please use `externalServers` as\nit allows using HTTP-specific features.\n\nCaveat - Currently, we don't support multicluster routing when Tier2 gateway\nsettings are specified in the direct mode for TCP services. So please use\nthe bridged mode.","type":"object","required":["name","port","hostname"],"properties":{"name":{"type":"string","title":"A name assigned to the server. This name is used in the generated metrics. The name\nmust be unique across all TCP servers in the gateway","x-order":0},"port":{"description":"Valid scenarios (for same port, multiple services)\n1. Multiple protocols (HTTP, non-HTTP) with TLS passthrough/termination\n2. Multiple HTTP services\n3. 
Single non-HTTP service without TLS\n\nNote on service port - If a service is exposed on port 6789 in the tier1 gateway,\nthen it must be exposed on the same port with the same hostname (without wildcard)\nin the tier2 gateway as well.","type":"integer","format":"int64","title":"The port where the server is exposed. Note that the port 15443 is reserved. Also\nbeware of the conflict among the services using different protocols on the same port.\nThe conflict occurs in the following scenarios\n1. Using plaintext and TLS (passthrough/termination)\n2. Mixing multiple protocols without TLS (HTTP and non-HTTP protocols like Kafka, Zookeeper etc)\n3. Multiple non-HTTP protocols without TLS","x-order":1},"hostname":{"description":"Although hostname or authority does not make sense in the non-HTTP context, this\nis used to define the routing rules. Wildcard hostnames are not yet supported.","type":"string","x-order":2},"clusters":{"description":"The destination clusters contain ingress gateways exposing the service.","type":"array","items":{"$ref":"#/components/schemas/v2ClusterDestination"},"x-order":3},"tls":{"$ref":"#/components/schemas/v2ServerTLSSettings"}}},"v2Tier1TCPInternalServer":{"description":"Tier1TCPInternalServer is used to describe the properties of a TCP server\nwhich is used exclusively within the mesh.","type":"object","required":["name","hostname"],"properties":{"name":{"description":"A name assigned to the server. This name is used in the generated metrics. The name\nmust be unique across all TCP servers in the gateway.","type":"string","x-order":0},"hostname":{"description":"The name of the service used. Although hostname or authority does not make sense\nin the non-HTTP context, this is used for the multicluster routing purposes. Consider\nthe case where there are two non-HTTP services listening on the same port 6000,\nbut are hosted on different workloads. 
Here, the service name is used to distinguish\nbetween the two for routing to the correct workload. We do not support wildcard hostnames\nyet. The ports are determined automatically by the cluster updates of the remote edge\nclusters. Suppose there is a service called `foo.com` and the remote cluster says that\nit exposes ports 8080 and 8443, then we can route east-west traffic for both the ports\nthrough this server. The changes to the port or protocol settings are picked up automatically.","type":"string","x-order":1},"clusters":{"description":"The destination clusters contain ingress gateways exposing the service.","type":"array","items":{"$ref":"#/components/schemas/v2ClusterDestination"},"x-order":2}}},"v2TokenResponse":{"description":"Contains a pair of tokens for a user that can be used to authenticate against TSB.","type":"object","properties":{"accessToken":{"description":"Bearer access token that can be used to access TSB.\nThis token is usually short-lived. The refresh token, when present, can be used to\nobtain a new access token when it expires.","type":"string","x-order":0},"refreshToken":{"description":"Refresh token that can be used to obtain a new Bearer access token.\nThis token is usually long-lived and should be stored securely.","type":"string","x-order":1}}},"v2TokenType":{"type":"string","default":"TOKEN_TYPE_UNSPECIFIED","enum":["TOKEN_TYPE_UNSPECIFIED","TOKEN_TYPE_ACCESS_TOKEN","TOKEN_TYPE_REFRESH_TOKEN","TOKEN_TYPE_ID_TOKEN","TOKEN_TYPE_JWT"]},"v2TrafficMode":{"description":"Traffic mode defines the type of configuration that has been configured on a Gateway server.\n\n - AUTO: AUTO mode indicates that the type of configuration is automatically detected from the underlying Gateway deployment.\n - INGRESS: INGRESS mode specifies the configuration for managing incoming traffic into the mesh.\nIn this mode, the Gateway server is responsible for handling incoming requests from external sources\nand routing them to appropriate services within 
the mesh.\n - EGRESS: EGRESS mode specifies the configuration for managing outgoing traffic from the mesh to external destinations.\nIn this mode, the Gateway server controls traffic leaving the mesh and enforces policies and security measures\nfor accessing external services.\n - TRANSIT: TRANSIT mode specifies that the Gateway is configured to facilitate transit traffic between different clusters\nwithin the mesh that are not directly reachable. This mode enables forwarding of traffic between clusters\nvia the Gateway, allowing communication between services deployed in separate clusters.","type":"string","default":"AUTO","enum":["AUTO","INGRESS","EGRESS","TRANSIT"]},"v2TrafficSelector":{"description":"TrafficSelector provides a mechanism to select a specific traffic flow\nfor which this Wasm Extension will be enabled.\nWhen all the sub conditions in the TrafficSelector are satisfied, the\ntraffic will be selected.","type":"object","properties":{"mode":{"$ref":"#/components/schemas/v2WorkloadMode"},"ports":{"description":"Criteria for selecting traffic by their destination port.\nMore specifically, for the outbound traffic, the destination port would be\nthe port of the target service. On the other hand, for the inbound traffic,\nthe destination port is the port bound by the server process in the same Pod.\n\nIf one of the given `ports` is matched, this condition is evaluated to true.\nIf not specified, this condition is evaluated to true for any port.","type":"array","items":{"$ref":"#/components/schemas/v2PortSelector"},"x-order":1}}},"v2TrafficSetting":{"description":"A traffic setting applies configuration to a set of proxy workloads in a\ntraffic group or a workspace. When applied to a traffic group,\nmissing fields will inherit values from the workspace-wide setting if any.\n\nTraffic Settings allow configuring the behavior of the proxy workloads in\na set of namespaces owned by a traffic group. 
Specifically, it\nallows configuring the dependencies of proxy workloads on namespaces\noutside the traffic group as well as reliability settings for\noutbound calls made by the proxy workloads to other services.\n\nThis is a global object that uniquely configures the traffic group, and there can \nbe only one traffic setting object defined for each traffic group.\n\nThe following example creates a traffic group for the proxy workloads in\n`ns1`, `ns2` and `ns3` namespaces owned by its parent workspace\n`w1` under tenant `mycompany`. It then defines a traffic setting\nfor the all workloads in these namespaces, adding a dependency on\nall the services in the shared `db` namespace, and forwarding all\nunknown traffic via the egress gateway in the `istio-system`\nnamespace.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n```\n\nAnd the associated traffic settings for the proxy workloads:\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    reachability:\n      mode: CUSTOM\n      hosts:\n      - \"ns1/*\"\n      - \"ns2/*\"\n      - \"ns3/*\"\n      - \"db/*\"\n    upstreamTrafficSettings:\n    - hosts:\n      - '*'\n      settings:\n        resilience:\n          circuitBreakerSensitivity: MEDIUM\n    egress:\n      host: istio-system/istio-egressgateway\n```\n\n\nTo setup load balancing algorithm as `ROUND_ROBIN` for all outbound requests\nto service `foo.bar.svc.cluster.local` from clients in `t1` traffic group:\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    
upstreamTrafficSettings:\n    - hosts:\n      - 'foo.bar.svc.cluster.local'\n      settings:\n        loadBalancer:\n          simple: ROUND_ROBIN\n```\n\n`upstreamTrafficSettings` can be used to configure outbound traffic\nby grouping a particular set of upstream hosts so that they share a certain setting.\nIn the example below, all outbound requests to hosts matching the wildcard\n`*.ns1.svc.cluster.local` will use a request timeout of 10s while hosts matching\n`*.ns2.svc.cluster.local` and `*.ns3.svc.cluster.local` will use a request timeout of 5s.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    upstreamTrafficSettings:\n    - hosts:\n      - '*.ns1.svc.cluster.local'\n      settings:\n        resilience:\n          connectionPool:\n            http:\n              requestTimeout: 10s\n    - hosts:\n      - '*.ns2.svc.cluster.local'\n      - '*.ns3.svc.cluster.local'\n      settings:\n        resilience:\n          connectionPool:\n            http:\n              requestTimeout: 5s\n```\n\nThe following traffic setting confines the reachability of proxy workloads\nin the traffic group `t1` to other namespaces inside the group. The\nresilience and egress gateway settings will be inherited from the\nworkspace-wide traffic setting.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    reachability:\n      mode: GROUP\n```\n\nThe above fields are now moved to two different sections called `inbound`\nand `outbound` to allow better control over these fields. 
Please refer to the\nexample below to configure a traffic setting for all services in traffic group\n`t1`, configuring similar knobs as explained in earlier examples:\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  inbound:\n    resilience:\n      connectionPool:\n        tcp:\n          keepAlive:\n            idleTime: 300\n  outbound:\n    reachability:\n      mode: GROUP\n    upstreamTrafficSettings:\n    - hosts:\n      - '*.ns1.svc.cluster.local'\n      settings:\n        resilience:\n          connectionPool:\n            http:\n              requestTimeout: 10s\n```\n\nThis traffic setting configuration specifies upstream traffic settings\nfor specific hosts within the `client` namespace. It is associated with\nthe `w1` workspace and the `t1` traffic group.\n\n```yaml\napiVersion: traffic.tsb.tetrate.io/v2\nkind: TrafficSetting\nmetadata:\n  name: client-upstream-traffic-setting\n  namespace: client\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  outbound:\n    upstreamTrafficSettings:\n    - hosts:\n      - 'httpbin.app1.svc.cluster.local'\n      - '*.app3.svc.cluster.local'\n      - '*.app4.svc.cluster.local'\n      settings:\n        authentication:\n          trafficMode: REQUIRED\n    - hosts:\n      - '*.app2.svc.cluster.local'\n      - 'tetrate.app4.svc.cluster.local'\n      settings:\n        authentication:\n          trafficMode: OPTIONAL\n```\n\nThis configuration specifies authentication requirements for traffic to the following hosts:\n- `httpbin.app1.svc.cluster.local` requires mTLS authentication.\n- All non-injected services in `app3` namespace require mTLS authentication.\n- All non-injected services in `app4` namespace require mTLS authentication, except for `tetrate.app4.svc.cluster.local`, which is excluded.\n- Authentication enforcement is skipped for all non-injected 
services in `app2` namespace.\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"reachability":{"$ref":"#/components/schemas/tsbtrafficv2ReachabilitySettings"},"resilience":{"$ref":"#/components/schemas/v2ResilienceSettings"},"egress":{"$ref":"#/components/schemas/v2TrafficSettingEgressGateway"},"rateLimiting":{"$ref":"#/components/schemas/tsbgatewayv2RateLimiting"},"upstreamTrafficSettings":{"description":"List of hosts and the associated traffic settings to be used by\nthe clients that are downstreams to the defined upstream hosts.\n\nDEPRECATED. Moved to `outbound`.","type":"array","items":{"$ref":"#/components/schemas/tsbtrafficv2UpstreamTrafficSettings"},"x-order":8},"inbound":{"$ref":"#/components/schemas/tsbtrafficv2InboundTrafficSetting"},"outbound":{"$ref":"#/components/schemas/tsbtrafficv2OutboundTrafficSetting"},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2TrafficSettingEgressGateway":{"description":"EgressGateway specifies the gateway where traffic external to the mesh will be redirected.","type":"object","required":["host"],"properties":{"host":{"description":"Specifies the egress gateway hostname. Must be in\n`<namespace>/<fqdn>` format.","type":"string","x-order":0},"port":{"description":"Deprecated. 
This field is ignored and will be removed in upcoming releases.\nSpecifies the port on the host to connect to.","type":"integer","format":"int32","x-order":1}}},"v2TrafficSettings":{"description":"Traffic settings is used to configure inbound and outbound traffic of proxy workloads\nbelonging to traffic groups or workspaces via profiles. When applied to a traffic group,\nmissing fields will inherit values from the workspace-wide setting if any.","type":"object","properties":{"inbound":{"$ref":"#/components/schemas/tsbprofilev2InboundTrafficSetting"},"outbound":{"$ref":"#/components/schemas/tsbprofilev2OutboundTrafficSetting"}}},"v2User":{"description":"`User` represents a user that has been loaded from a configured\nIdentity Provider (IdP) that can log into the platform.\nCurrently, users are automatically synchronized by TSB from a\nconfigured LDAP server.\n\nThe following example creates a user named `john` under the organization\n`myorg`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: User\nmetadata:\n  name: john\n  organization: myorg\nspec:\n  loginName: john\n  firstName: John\n  lastName: Doe\n  displayName: John Doe\n  email: john.doe@acme.com\n```\n\n\n\n","type":"object","required":["loginName"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. 
This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"loginName":{"description":"The username used in the login credentials.","type":"string","x-order":3},"firstName":{"description":"The first name of the user.","type":"string","x-order":4},"lastName":{"description":"The last name of the user, if any.","type":"string","x-order":5},"email":{"description":"Email for the user where alerts and other notifications will be sent.","type":"string","x-order":6},"sourceType":{"$ref":"#/components/schemas/v2SourceType"}}},"v2VmConfig":{"description":"Configuration for a Wasm VM.\nMore details can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig).","type":"object","properties":{"env":{"description":"Specifies environment variables to be injected to this VM.\nNote that if a key does not exist, it will be ignored.","type":"array","items":{"$ref":"#/components/schemas/extensionv2EnvVar"},"x-order":0}}},"v2WAFSettings":{"description":"The following example creates a security group for the sidecars in `ns1`,\n`ns2` and `ns3` namespaces owned by its parent workspace `w1` under tenant\n`mycompany`, and a security setting that applies the WAF Settings. 
And the\nsecurity group and security settings to which this WAF Settings is applied to.\n\n```yaml\napiVersion: security.tsb.tetrate.io/v2\nkind: Group\nmetadata:\n  name: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n    - \"*/ns3\"\n  configMode: BRIDGED\n---\napiVersion: security.tsb.tetrate.io/v2\nkind: SecuritySetting\nmetadata:\n  name: defaults\n  group: t1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  waf:\n    rules:\n      - Include @recommended-conf\n```\n\nIn the following examples, the security rule for blocking XSS requests is\nenabled on `Tier1Gateway` and `IngressGateway` respectively, with an ad-hoc\ndebug configuration, instead of the one defined in the security rule.\n\n```yaml\napiVersion: gateway.xcp.tetrate.io/v2\nkind: Tier1Gateway\nmetadata:\n  name: tier1-waf-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: gateway\n  passthroughServers:\n  - name: nginx\n    port: 8443\n    hostname: nginx.example.com\n  waf:\n    rules:\n      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf\n```\n\n```yaml\napiVersion: gateway.xcp.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: waf-gw\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n    namespace: ns1\n    labels:\n      app: waf-gateway\n  waf:\n    rules:\n      - SecRuleEngine DETECTION_ONLY\n      - SecDebugLogLevel 5\n      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf\n  http:\n  - name: bookinfo\n    port: 9443\n    hostname: bookinfo.com\n```","type":"object","title":"WAFSettings configure WAF based on seclang\nSee https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives","required":["rules"],"properties":{"rules":{"description":"Rules to be leveraged 
by WAF. The parser evaluates the list of rules from the top to the bottom.","type":"array","items":{"type":"string"},"x-order":0}}},"v2WasmExtension":{"description":"The WASM extension resource allows defining custom WASM extensions that are packaged in OCI images.\nThe resource allows specifying extension metadata that helps understand how extensions work and how they can be used.\nOnce defined, extensions can be referenced in Ingress and Egress Gateways and Security Groups so that traffic\nis captured and processed by the extension accordingly.\nBy default, extensions are globally available, but they can be assigned to specific Tenants as well\nto further control and constrain where in the Organization the extensions are allowed to be used.\n\n```yaml\napiVersion: extension.tsb.tetrate.io/v2\nkind: WasmExtension\nmetadata:\n  organization: org\n  name: wasm-auth\nspec:\n  allowedIn:\n    - organizations/org/tenants/tenant1\n  url: oci://docker.io/example/my-wasm-extension:1.0\n  source: https://github.com/example/wasm-extension\n  description: |\n    Long description for the extension such as an\n    entire README file\n  phase: AUTHZ\n  priority: 1000\n  config:\n    some_key: some_value\n```\n\nWASM extensions can also reference HTTP endpoints:\n\n```yaml\napiVersion: extension.tsb.tetrate.io/v2\nkind: WasmExtension\nmetadata:\n  organization: org\n  name: wasm-http\nspec:\n  url: http://tetrate.io/my-extension.wasm\n  source: https://github.com/example/wasm-extension\n  description: |\n    Long description for the extension such as an\n    entire README file\n  phase: AUTHZ\n  priority: 1000\n  config:\n    some_key: some_value\n```\n\n\n\n","type":"object","required":["url"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. 
This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the extension.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the extension.\n$hide_from_yaml","x-order":3},"allowedIn":{"description":"List of fqns where this extension is allowed to run.\nIf it is empty, the extension can be used across the entire organization.\nCurrently only Tenant resources are considered.","type":"array","items":{"type":"string"},"x-order":4},"image":{"description":"Deprecated. Use the `url` field instead.\nRepository and tag of the OCI image containing the WASM extension.","type":"string","x-order":5},"source":{"type":"string","title":"Source to find the code for the WASM extension","x-order":6},"phase":{"$ref":"#/components/schemas/WasmExtensionPluginPhase"},"priority":{"description":"Determines the ordering of WasmExtensions in the same phase.\nWhen multiple WasmExtensions are applied to the same workload in the same phase, they will be applied by priority, in descending order.\nIf no priority is assigned it will use the default 0 value.\nIn case of several extensions having the same priority in the same phase, the fqn will be used to sort them.","type":"integer","format":"int32","x-order":8},"config":{"description":"Configuration parameters sent to the WASM plugin execution\nThe configuration can be overwritten when instantiating the extensions in IngressGateways or Security groups.\nThe config is serialized using proto3 JSON marshaling and passed to proxy_on_configure when the host environment starts the 
plugin.","type":"object","x-order":9},"imagePullPolicy":{"$ref":"#/components/schemas/WasmExtensionPullPolicy"},"imagePullSecret":{"description":"Credentials to use for OCI image pulling.\nName of a K8s Secret that contains a docker pull secret which is to be used\nto authenticate against the registry when pulling the image.\nIf TSB is configured to use the WASM download proxy, this secret must exist in\nthe `istio-system` namespace of each cluster that has applications that use the\nextension. If the download proxy is disabled, the secret must exist in each\napplication namespace that is using the extension.","type":"string","x-order":11},"vmConfig":{"$ref":"#/components/schemas/v2VmConfig"},"url":{"description":"URL of a Wasm module or OCI container. If no scheme is present, defaults to oci://, referencing an OCI image.\nOther valid schemes are file:// for referencing .wasm module files present locally within the proxy container,\nand http[s]:// for .wasm module files hosted remotely.","type":"string","x-order":13},"match":{"$ref":"#/components/schemas/v2GlobalTrafficSelector"}}},"v2WasmExtensionAttachment":{"description":"WasmExtensionAttachment defines the WASM extension attached to this resource\nincluding the name to identify the extension and also the specific configuration\nthat will override the global extension configuration.\nOnly those extensions globally enabled will be considered although they can be\nassociated to the target resources.\nMatch configuration allows you to specify which traffic is sent through the Wasm\nextension. 
Users can select the traffic based on different workload modes and ports.\n\n```yaml\napiVersion: gateway.tsb.tetrate.io/v2\nkind: IngressGateway\nmetadata:\n  name: ingress-bookinfo\n  group: g1\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  workloadSelector:\n  namespace: ns1\n  labels:\n    app: gateway\n  extension:\n  - fqn: hello-world # fqn of imported extensions in TSB\n    config:\n      foo: bar\n    match:\n    - ports:\n      - number: 80\n      mode: CLIENT_AND_SERVER\n  http:\n  - name: bookinfo\n    port: 80\n    hostname: bookinfo.com\n    routing:\n      rules:\n      - route:\n        host: ns1/productpage.ns1.svc.cluster.local\n```","type":"object","required":["fqn"],"properties":{"fqn":{"description":"Fqn of the extension to be executed.","type":"string","x-order":0},"config":{"description":"Configuration parameters sent to the WASM plugin execution.\nThis configuration will overwrite the one specified globally in the extension.\nThis config will be passed as-is to the extension. It is up to the extension to deserialize the config and use it.","type":"object","x-order":1},"match":{"description":"Specifies the criteria to determine which traffic is passed to WasmExtension.\nIf a traffic satisfies any of TrafficSelectors,\nthe traffic passes to the WasmExtension.","type":"array","items":{"$ref":"#/components/schemas/v2TrafficSelector"},"x-order":2}}},"v2WorkloadMode":{"description":"WorkloadMode allows selection of the role of the underlying workload in\nnetwork traffic. A workload is considered as acting as a SERVER if it is\nthe destination of the traffic (that is, traffic direction, from the\nperspective of the workload is *inbound*). 
If the workload is the source of\nthe network traffic, it is considered to be in CLIENT mode (traffic is\n*outbound* from the workload).\n\n - UNDEFINED: Default value, which will be interpreted by its own usage.\n - CLIENT: Selects for scenarios when the workload is the\nsource of the network traffic. In addition,\nif the workload is a gateway, selects this.\n - SERVER: Selects for scenarios when the workload is the\ndestination of the network traffic.\n - CLIENT_AND_SERVER: Selects for scenarios when the workload is either the\nsource or destination of the network traffic.","type":"string","default":"UNDEFINED","enum":["UNDEFINED","CLIENT","SERVER","CLIENT_AND_SERVER"]},"v2Workspace":{"description":"A Workspace carves a chunk of the cluster resources owned by a\ntenant into an isolated configuration domain.\n\nThe following example claims `ns1` and `ns2` namespaces across all\nclusters owned by the tenant `mycompany`.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Workspace\nmetadata:\n  name: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n    - \"*/ns2\"\n```\n\nThe following example claims `ns1` namespace only from the `c1`\ncluster and claims all namespaces from the `c2` cluster.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Workspace\nmetadata:\n  name: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  namespaceSelector:\n    names:\n    - \"c1/ns1\"\n    - \"c2/*\"\n```\n\nCustom labels and annotations can be propagated to the final Istio translation that\nwill be applied at the clusters.\nThis could help with third-party integrations or to set custom identifier.\nThe following example configures the annotation `my.org.environment` to be applied to\nall final Istio translations generated under this Workspace, for example Gateways or Virtual Services.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: Workspace\nmetadata:\n  name: w1\n  tenant: mycompany\n  organization: myorg\n  
annotations:\n    my.org.environment: dev\nspec:\n  namespaceSelector:\n    names:\n    - \"*/ns1\"\n```\n\n\n\n","type":"object","required":["namespaceSelector"],"properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"namespaceSelector":{"$ref":"#/components/schemas/tsbtypesv2NamespaceSelector"},"privileged":{"description":"If set to true, allows Gateways in the workspace to route to\nservices in other workspaces. Set this to true for workspaces\nowning cluster-wide gateways shared by multiple teams.","type":"boolean","x-order":5},"isolationBoundary":{"description":"Istio Isolation Boundary name to which this workspace belongs.\nIf not provided explicitly, the workspace looks for an isolation boundary with\nname set as \"global\". 
\nTherefore, in order to move existing workspaces to isolation boundaries, and\nbe part of a revisioned control plane, it is recommended to configure an\nisolation boundary with the name \"global\".","type":"string","x-order":6},"securityDomain":{"description":"Security domains can be used to group different resources under the same security domain.\nAlthough a security domain is not currently a resource itself, it follows an FQN format\n`organizations/myorg/securitydomains/mysecuritydomain`, and a child cannot override any ancestor's\nsecurity domain.\nOnce a security domain is assigned to a _Workspace_, all the child resources will belong to that\nsecurity domain: in the same way a _Security group_ belongs to a _Workspace_, a _Security group_ will also belong\nto the security domain assigned to the _Workspace_.\nSecurity domains can also be used to define _Security settings Authorization rules_ in which you can allow\nor deny requests from or to a security domain.","type":"string","x-order":7},"deletionProtectionEnabled":{"description":"When set, prevents the resource from being deleted. In order to delete the resource this\nproperty needs to be set to `false` first.","type":"boolean","x-order":8},"profiles":{"description":"List of profiles attached to the workspace to be used to propagate default and mandatory configurations down to the children.","type":"array","items":{"type":"string"},"x-order":9},"configGenerationMetadata":{"$ref":"#/components/schemas/v2ConfigGenerationMetadata"}}},"v2WorkspaceSetting":{"description":"Workspace setting allows configuring the default traffic, security and\neast-west gateway settings for all the workloads in the namespaces owned by\nthe workspace. 
Any namespace in the workspace that is not part of a\ntraffic or security group with specific settings will use these default\nsettings.\n\nThis is a global object that uniquely configures the workspace, and there can\nbe only one workspace setting object defined for each workspace.\n\nThe following example sets the default security policy to accept\neither mutual TLS or plaintext traffic, and only accept connections\nat a proxy workload from services within the same namespace. The default\ntraffic policy allows unknown traffic from a proxy workload to be\nforwarded via an egress gateway `tsb-egress` in the `perimeter`\nnamespace in the same cluster.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultSecuritySetting:\n    authenticationSettings:\n      trafficMode: REQUIRED\n  defaultTrafficSetting:\n    outbound:\n      egress:\n        host: bookinfo-perimeter/tsb-egress\n```\n\nIn order to set all the proxies in a workspace to use a specific load balancer\nalgorithm such as `LEAST_REQUEST` for all outbound requests, the `defaultTrafficSetting`\nresource can be defined as follows.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultTrafficSetting:\n    outbound:\n      upstreamTrafficSettings:\n      - hosts:\n        - '*' # asterisk '*' selects all upstream hosts\n        settings:\n          loadBalancer:\n            simple: LEAST_REQUEST\n```\n\nThe above traffic settings are for outbound requests from proxies in the workspace.\nThe inbound traffic can also be configured for proxies at a workspace level. 
For example\nthe following configures the tcp keep alive for all downstream connections to workloads in\nthis workspace with 300 seconds idle time.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultTrafficSetting:\n    inbound:\n      resilience:\n        connectionPool:\n          tcp:\n            keepAlive:\n              idleTime: 300\n```\n\nSimilarly other traffic setting properties can be set at a workspace level. Refer\nto `TrafficSettings` documentation for more information. Note that a workspace level\ntraffic configuration can be overwritten by more granular configuration such as\n`TrafficSettings` or `ServiceTrafficSettings`.\n\nThe next example sets the defaults for east-west traffic configuring gateways\nfor two different app groups.\nThe first setting configures the gateway from the namespace `platinum` to manage the traffic\nfor all those workloads with the labels `tier: platinum` and `critical: true`.\nThe second one configures the gateway from the namespace `internal` to manage the traffic\nfor all those workloads with the labels `app: eshop` or `internal-critical: true`.\nSetting up multiple east-west gateways allows isolating also the cross-cluster traffic.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  defaultEastWestGatewaySettings:\n  - workloadSelector:\n      namespace: platinum\n      labels:\n        app: eastwest-gw\n    exposedServices:\n    - serviceLabels:\n        tier: platinum\n        critical: \"true\"\n  - workloadSelector:\n      namespace: internal\n      labels:\n        app: eastwest-gw\n    exposedServices:\n    - serviceLabels:\n        app: eshop\n    - serviceLabels:\n        internal-critical: \"true\"\n```\n\nThe next example configures workspace settings for 
different workspaces\nwith a list of gateway hosts that they can reach.\n\nThe first one configures the hostname `echo-1.tetrate.io` which is reachable\nfrom workspace w1.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w1-settings\n  workspace: w1\n  tenant: mycompany\n  organization: myorg\nspec:\n  hostsReachability:\n    hostnames:\n     - exact: echo-1.tetrate.io\n```\n\nThe second one configures the hostnames `echo-1.tetrate.io` and\n`echo-2.tetrate.io` which are reachable from workspace w2.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w2-settings\n  workspace: w2\n  tenant: mycompany\n  organization: myorg\nspec:\n  hostsReachability:\n    hostnames:\n     - exact: echo-1.tetrate.io\n     - exact: echo-2.tetrate.io\n```\n\nThe third configures nothing.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w3-settings\n  workspace: w3\n  tenant: mycompany\n  organization: myorg\nspec:\n```\n\nThe last one configures an empty hostname list.\n\n```yaml\napiVersion: api.tsb.tetrate.io/v2\nkind: WorkspaceSetting\nmetadata:\n  name: w4-settings\n  workspace: w4\n  tenant: mycompany\n  organization: myorg\nspec:\n  hostsReachability:\n    hostnames: []\n```\n\nIn summary, the previous examples result in the following:\n- The host `echo-1.tetrate.io` is reachable from namespaces configured in workspaces `w1`, `w2` and `w3`.\n- The host `echo-2.tetrate.io` is reachable from namespaces configured in workspaces `w2` and `w3`.\n- All hosts are reachable from namespaces configured in workspace `w3`.\n- Workspace `w4` cannot reach any hosts.\n\n\n\n","type":"object","properties":{"fqn":{"type":"string","title":"Fully-qualified name of the resource. 
This field is read-only.\n$hide_from_yaml","x-order":0,"readOnly":true},"displayName":{"type":"string","title":"User friendly name for the resource.\n$hide_from_yaml","x-order":1},"etag":{"type":"string","title":"The etag for the resource. This field is automatically computed and must be sent\non every update to the resource to prevent concurrent modifications.\n$hide_from_yaml","x-order":2},"description":{"type":"string","title":"A description of the resource.\n$hide_from_yaml","x-order":3},"defaultSecuritySetting":{"$ref":"#/components/schemas/v2SecuritySetting"},"defaultTrafficSetting":{"$ref":"#/components/schemas/v2TrafficSetting"},"regionalFailover":{"description":"Locality routing settings for all gateways in the workspace. Overrides any global settings.\nPlease use FailoverSettings instead. If FailoverSettings is set, it takes precedence over this field.\n\nExplicitly specify the region traffic will land on when endpoints in the local region become unhealthy.\nShould be used together with OutlierDetection to detect unhealthy endpoints.\nNote: if no OutlierDetection is specified, this will not take effect.","type":"array","items":{"$ref":"#/components/schemas/tsbtypesv2RegionalFailover"},"x-order":6},"defaultEastWestGatewaySettings":{"description":"Default east west gateway settings specifies workspace-wide east-west gateway configuration.\nThis is used to configure east-west routing (required for fail-over) for the services that\nare not exposed on the gateways. All the services matching the specified criteria are picked\nup for exposing on the east-west gateway workload selected by the workload selector. 
In case,\na service matches selectors in multiple items, the one which comes first is picked up.","type":"array","items":{"$ref":"#/components/schemas/v2EastWestGateway"},"x-order":7},"hostsReachability":{"$ref":"#/components/schemas/v2HostsReachability"},"failoverSettings":{"$ref":"#/components/schemas/tsbtypesv2FailoverSettings"}}},"v3BuildVersion":{"description":"BuildVersion combines SemVer version of extension with free-form build information\n(i.e. 'alpha', 'private-build') as a set of strings.","type":"object","properties":{"version":{"$ref":"#/components/schemas/v3SemanticVersion"},"metadata":{"type":"object","title":"Free-form build information.\nEnvoy defines several well known keys in the source/common/version/version.h file","x-order":1}}},"v3ContextParams":{"description":"`xds.resource.listening_address`: The value is \"IP:port\" (e.g. \"10.1.1.3:8080\") which is\n  the listening address of a Listener. Used in a Listener resource query.","type":"object","title":"Additional parameters that can be used to select resource variants. These include any\nglobal context parameters, per-resource type client feature capabilities and per-resource\ntype functional attributes. All per-resource type attributes will be `xds.resource.`\nprefixed and some of these are documented below:","properties":{"params":{"type":"object","additionalProperties":{"type":"string"},"x-order":0}}},"v3ControlPlane":{"description":"Identifies a specific ControlPlane instance that Envoy is connected to.","type":"object","properties":{"identifier":{"description":"An opaque control plane identifier that uniquely identifies an instance\nof control plane. 
This can be used to identify which control plane instance,\nthe Envoy is connected to.","type":"string","x-order":0}}},"v3DiscoveryRequest":{"type":"object","title":"A DiscoveryRequest requests a set of versioned resources of the same type for\na given Envoy node on some API.\n[#next-free-field: 8]","properties":{"versionInfo":{"description":"The version_info provided in the request messages will be the version_info\nreceived with the most recent successfully processed response or empty on\nthe first request. It is expected that no new request is sent after a\nresponse is received until the Envoy instance is ready to ACK/NACK the new\nconfiguration. ACK/NACK takes place by returning the new API config version\nas applied or the previous API config version respectively. Each type_url\n(see below) has an independent version associated with it.","type":"string","x-order":0},"node":{"$ref":"#/components/schemas/corev3Node"},"resourceNames":{"description":"List of resources to subscribe to, e.g. list of cluster names or a route\nconfiguration name. If this is empty, all resources for the API are\nreturned. LDS/CDS may have empty resource_names, which will cause all\nresources for the Envoy instance to be returned. The LDS and CDS responses\nwill then imply a number of resources that need to be fetched via EDS/RDS,\nwhich will be explicitly enumerated in resource_names.","type":"array","items":{"type":"string"},"x-order":2},"resourceLocators":{"description":"[#not-implemented-hide:]\nAlternative to ``resource_names`` field that allows specifying dynamic\nparameters along with each resource name. 
Clients that populate this\nfield must be able to handle responses from the server where resources\nare wrapped in a Resource message.\nNote that it is legal for a request to have some resources listed\nin ``resource_names`` and others in ``resource_locators``.","type":"array","items":{"$ref":"#/components/schemas/v3ResourceLocator"},"x-order":3},"typeUrl":{"description":"Type of the resource that is being requested, e.g.\n\"type.googleapis.com/envoy.api.v2.ClusterLoadAssignment\". This is implicit\nin requests made via singleton xDS APIs such as CDS, LDS, etc. but is\nrequired for ADS.","type":"string","x-order":4},"responseNonce":{"description":"nonce corresponding to DiscoveryResponse being ACK/NACKed. See above\ndiscussion on version_info and the DiscoveryResponse nonce comment. This\nmay be empty only if 1) this is a non-persistent-stream xDS such as HTTP,\nor 2) the client has not yet accepted an update in this xDS stream (unlike\ndelta, where it is populated only for new explicit ACKs).","type":"string","x-order":5},"errorDetail":{"$ref":"#/components/schemas/googlerpcStatus"}}},"v3DiscoveryResponse":{"type":"object","title":"[#next-free-field: 8]","properties":{"versionInfo":{"description":"The version of the response data.","type":"string","x-order":0},"resources":{"description":"The response resources. These resources are typed and depend on the API being called.","type":"array","items":{"$ref":"#/components/schemas/protobufAny"},"x-order":1},"canary":{"description":"* --terminate-on-canary-transition-failure. When set, Envoy is able to\n  terminate if it detects that configuration is stuck at canary. 
Consider\n  this example sequence of updates:\n  - Management server applies a canary config successfully.\n  - Management server rolls back to a production config.\n  - Envoy rejects the new production config.\n  Since there is no sensible way to continue receiving configuration\n  updates, Envoy will then terminate and apply production config from a\n  clean slate.\n* --dry-run-canary. When set, a canary response will never be applied, only\n  validated via a dry run.","type":"boolean","title":"[#not-implemented-hide:]\nCanary is used to support two Envoy command line flags:","x-order":2},"typeUrl":{"description":"Type URL for resources. Identifies the xDS API when muxing over ADS.\nMust be consistent with the type_url in the 'resources' repeated Any (if non-empty).","type":"string","x-order":3},"nonce":{"description":"For gRPC based subscriptions, the nonce provides a way to explicitly ack a\nspecific DiscoveryResponse in a following DiscoveryRequest. Additional\nmessages may have been sent by Envoy to the management server for the\nprevious version on the stream prior to this DiscoveryResponse, that were\nunprocessed at response send time. The nonce allows the management server\nto ignore any further DiscoveryRequests for the previous version until a\nDiscoveryRequest bearing the nonce. The nonce is optional and is not\nrequired for non-stream based xDS implementations.","type":"string","x-order":4},"controlPlane":{"$ref":"#/components/schemas/v3ControlPlane"},"resourceErrors":{"description":"[#not-implemented-hide:]\nErrors associated with specific resources. 
Clients are expected to\nremember the most recent error for a given resource across responses;\nthe error condition is not considered to be cleared until a response is\nreceived that contains the resource in the 'resources' field.","type":"array","items":{"$ref":"#/components/schemas/v3ResourceError"},"x-order":6}}},"v3DynamicParameterConstraints":{"description":"A set of dynamic parameter constraints associated with a variant of an individual xDS resource.\nThese constraints determine whether the resource matches a subscription based on the set of\ndynamic parameters in the subscription, as specified in the\n:ref:`ResourceLocator.dynamic_parameters<envoy_v3_api_field_service.discovery.v3.ResourceLocator.dynamic_parameters>`\nfield. This allows xDS implementations (clients, servers, and caching proxies) to determine\nwhich variant of a resource is appropriate for a given client.","type":"object","properties":{"constraint":{"$ref":"#/components/schemas/DynamicParameterConstraintsSingleConstraint"},"orConstraints":{"$ref":"#/components/schemas/DynamicParameterConstraintsConstraintList"},"andConstraints":{"$ref":"#/components/schemas/DynamicParameterConstraintsConstraintList"},"notConstraints":{"$ref":"#/components/schemas/v3DynamicParameterConstraints"}}},"v3EnvoyInternalAddress":{"type":"object","title":"The address represents an envoy internal listener.\n[#comment: TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30.]","properties":{"serverListenerName":{"description":"Specifies the :ref:`name <envoy_v3_api_field_config.listener.v3.Listener.name>` of the\ninternal listener.","type":"string","x-order":0},"endpointId":{"description":"Specifies an endpoint identifier to distinguish between multiple endpoints for the same internal listener in a\nsingle upstream pool. Only used in the upstream addresses for tracking changes to individual endpoints. 
This, for\nexample, may be set to the final destination IP for the target internal listener.","type":"string","x-order":1}}},"v3Extension":{"type":"object","title":"Version and identification for an Envoy extension.\n[#next-free-field: 7]","properties":{"name":{"description":"This is the name of the Envoy filter as specified in the Envoy\nconfiguration, e.g. envoy.filters.http.router, com.acme.widget.","type":"string","x-order":0},"category":{"type":"string","title":"Category of the extension.\nExtension category names use reverse DNS notation. For instance \"envoy.filters.listener\"\nfor Envoy's built-in listener filters or \"com.acme.filters.http\" for HTTP filters from\nacme.com vendor.\n[#comment:TODO(yanavlasov): Link to the doc with existing envoy category names.]","x-order":1},"typeDescriptor":{"type":"string","title":"[#not-implemented-hide:] Type descriptor of extension configuration proto.\n[#comment:TODO(yanavlasov): Link to the doc with existing configuration protos.]\n[#comment:TODO(yanavlasov): Add tests when PR #9391 lands.]","x-order":2},"version":{"$ref":"#/components/schemas/v3BuildVersion"},"disabled":{"description":"Indicates that the extension is present but was disabled via dynamic configuration.","type":"boolean","x-order":4},"typeUrls":{"description":"Type URLs of extension configuration protos.","type":"array","items":{"type":"string"},"x-order":5}}},"v3Pipe":{"type":"object","properties":{"path":{"description":"Unix Domain Socket path. On Linux, paths starting with '@' will use the\nabstract namespace. The starting '@' is replaced by a null byte by Envoy.\nPaths starting with '@' will result in an error in environments other than\nLinux.","type":"string","x-order":0},"mode":{"description":"The mode for the Pipe. 
Not applicable for abstract sockets.","type":"integer","format":"int64","x-order":1}}},"v3ResourceError":{"description":"[#not-implemented-hide:]\nAn error associated with a specific resource name, returned to the\nclient by the server.","type":"object","properties":{"resourceName":{"$ref":"#/components/schemas/v3ResourceName"},"errorDetail":{"$ref":"#/components/schemas/googlerpcStatus"}}},"v3ResourceLocator":{"description":"Specifies a resource to be subscribed to.","type":"object","properties":{"name":{"description":"The resource name to subscribe to.","type":"string","x-order":0},"dynamicParameters":{"description":"A set of dynamic parameters used to match against the dynamic parameter\nconstraints on the resource. This allows clients to select between\nmultiple variants of the same resource.","type":"object","additionalProperties":{"type":"string"},"x-order":1}}},"v3ResourceName":{"description":"Specifies a concrete resource name.","type":"object","properties":{"name":{"description":"The name of the resource.","type":"string","x-order":0},"dynamicParameterConstraints":{"$ref":"#/components/schemas/v3DynamicParameterConstraints"}}},"v3SemanticVersion":{"description":"Envoy uses SemVer (https://semver.org/). Major/minor versions indicate\nexpected behaviors and APIs, the patch version field is used only\nfor security fixes and can be generally ignored.","type":"object","properties":{"majorNumber":{"type":"integer","format":"int64","x-order":0},"minorNumber":{"type":"integer","format":"int64","x-order":1},"patch":{"type":"integer","format":"int64","x-order":2}}},"v3SocketAddress":{"type":"object","title":"[#next-free-field: 8]","properties":{"protocol":{"$ref":"#/components/schemas/v3SocketAddressProtocol"},"address":{"description":"The address for this socket. :ref:`Listeners <config_listeners>` will bind\nto the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::``\nto bind to any address. 
[#comment:TODO(zuercher) reinstate when implemented:\nIt is possible to distinguish a Listener address via the prefix/suffix matching\nin :ref:`FilterChainMatch <envoy_v3_api_msg_config.listener.v3.FilterChainMatch>`.] When used\nwithin an upstream :ref:`BindConfig <envoy_v3_api_msg_config.core.v3.BindConfig>`, the address\ncontrols the source address of outbound connections. For :ref:`clusters\n<envoy_v3_api_msg_config.cluster.v3.Cluster>`, the cluster type determines whether the\naddress must be an IP (``STATIC`` or ``EDS`` clusters) or a hostname resolved by DNS\n(``STRICT_DNS`` or ``LOGICAL_DNS`` clusters). Address resolution can be customized\nvia :ref:`resolver_name <envoy_v3_api_field_config.core.v3.SocketAddress.resolver_name>`.","type":"string","x-order":1},"portValue":{"type":"integer","format":"int64","x-order":2},"namedPort":{"description":"This is only valid if :ref:`resolver_name\n<envoy_v3_api_field_config.core.v3.SocketAddress.resolver_name>` is specified below and the\nnamed resolver is capable of named port resolution.","type":"string","x-order":3},"resolverName":{"description":"The name of the custom resolver. This must have been registered with Envoy. If\nthis is empty, a context dependent default applies. If the address is a concrete\nIP address, no resolution will occur. If address is a hostname this\nshould be set for resolution other than DNS. Specifying a custom resolver with\n``STRICT_DNS`` or ``LOGICAL_DNS`` will generate an error at runtime.","type":"string","x-order":4},"ipv4Compat":{"description":"When binding to an IPv6 address above, this enables `IPv4 compatibility\n<https://tools.ietf.org/html/rfc3493#page-11>`_. Binding to ``::`` will\nallow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into\nIPv6 space as ``::FFFF:<IPv4-address>``.","type":"boolean","x-order":5},"networkNamespaceFilepath":{"type":"string","title":"The Linux network namespace to bind the socket to. 
If this is set, Envoy will\ncreate the socket in the specified network namespace. Only supported on Linux.\n[#not-implemented-hide:]","x-order":6}}},"v3SocketAddressProtocol":{"type":"string","default":"TCP","enum":["TCP","UDP"]}}}}
