gateway.tsb.tetrate.io/v2
Resource Types:
EgressGateway
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | gateway.tsb.tetrate.io/v2 | true |
kind | string | EgressGateway | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
EgressGateway.spec
EgressGateway configures a workload to act as an egress gateway in the mesh.
Name | Type | Description | Required |
---|---|---|---|
workloadSelector | object | Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway. | true |
authorization | []object | The description of which service accounts can access which hosts. | false |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
extension | []object | Extensions specifies all the WasmExtensions assigned to this EgressGateway with the specific configuration for each extension. | false |
fqn | string | Fully-qualified name of the resource. | false |
EgressGateway.spec.workloadSelector
Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | One or more labels that indicate a specific set of pods/VMs in the namespace. | true |
namespace | string | The namespace where the workload resides. | true |
EgressGateway.spec.authorization[index]
Name | Type | Description | Required |
---|---|---|---|
to | []string | The external hostnames the workload(s) described in this rule can access. | true |
from | object | The workloads or service accounts this authorization rule applies to. | false |
EgressGateway.spec.authorization[index].from
The workloads or service accounts this authorization rule applies to.
Name | Type | Description | Required |
---|---|---|---|
http | object | This is for configuring HTTP request authorization. | false |
identityMatch | enum | identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
rules | object | When the mode is | false |
serviceAccounts | []string | When the mode is | false |
EgressGateway.spec.authorization[index].from.http
This is for configuring HTTP request authorization.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
EgressGateway.spec.authorization[index].from.http.external
Name | Type | Description | Required |
---|---|---|---|
includeRequestHeaders | []string | | false |
tls | object | | false |
uri | string | | false |
EgressGateway.spec.authorization[index].from.http.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
EgressGateway.spec.authorization[index].from.http.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
EgressGateway.spec.authorization[index].from.http.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
EgressGateway.spec.authorization[index].from.http.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
EgressGateway.spec.authorization[index].from.http.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
EgressGateway.spec.authorization[index].from.rules
When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.
Name | Type | Description | Required |
---|---|---|---|
allow | []object | Allow specifies a list of rules. | false |
deny | []object | Deny specifies a list of rules. | false |
denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
EgressGateway.spec.authorization[index].from.rules.allow[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
EgressGateway.spec.authorization[index].from.rules.allow[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
EgressGateway.spec.authorization[index].from.rules.allow[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
EgressGateway.spec.authorization[index].from.rules.deny[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
EgressGateway.spec.authorization[index].from.rules.deny[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
EgressGateway.spec.authorization[index].from.rules.deny[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
EgressGateway.spec.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
EgressGateway.spec.extension[index]
Name | Type | Description | Required |
---|---|---|---|
fqn | string | Fqn of the extension to be executed. | true |
config | object | Configuration parameters sent to the WASM plugin execution. | false |
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
EgressGateway.spec.extension[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
ports | []object | Criteria for selecting traffic by their destination port. | false |
EgressGateway.spec.extension[index].match[index].ports[index]
Name | Type | Description | Required |
---|---|---|---|
number | integer | | true |
Gateway
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | gateway.tsb.tetrate.io/v2 | true |
kind | string | Gateway | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | The | false |
status | object | | false |
Gateway.spec
The Gateway configuration combines the functionalities of both the existing Tier1Gateway and IngressGateway, providing a unified approach for configuring a workload as a gateway in the mesh.
Name | Type | Description | Required |
---|---|---|---|
workloadSelector | object | Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway. | true |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
egressAuthorization | []object | External services are onboarded into the mesh via service entry, and these services are exposed on the Gateway for egress access. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
http | []object | One or more HTTP or HTTPS servers exposed by the gateway. | false |
tcp | []object | One or more non-HTTP and non-passthrough servers which use TCP based protocols. | false |
tls | []object | One or more TLS servers exposed by the gateway. | false |
waf | object | WAF settings to be enabled for traffic passing through the HttpServer. | false |
wasmPlugins | []object | WasmPlugins specifies all the WasmExtensionAttachment assigned to this Gateway with the specific configuration for each plugin. | false |
Gateway.spec.workloadSelector
Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | One or more labels that indicate a specific set of pods/VMs in the namespace. | true |
namespace | string | The namespace where the workload resides. | true |
Gateway.spec.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
Gateway.spec.egressAuthorization[index]
Name | Type | Description | Required |
---|---|---|---|
to | []object | The set of hostnames exposed on the Gateway through which external hosts can be accessed. | true |
from | object | Specifies the source workloads or service accounts for this authorization rule. | false |
identityMatch | enum | IdentityMatch defines the client identity used for evaluating the authorization rules. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
Gateway.spec.egressAuthorization[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
host | object | External host. | true |
methods | []string | The HTTP methods allowed by this rule, e.g., ["GET", "HEAD"]. | false |
paths | []string | The request paths allowed for access, e.g., ["/accounts", "/info*", "/user/profile/*"]. | false |
Gateway.spec.egressAuthorization[index].to[index].host
External host.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript style regex-based match. | false |
Gateway.spec.egressAuthorization[index].from
Specifies the source workloads or service accounts for this authorization rule.
Name | Type | Description | Required |
---|---|---|---|
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, SERVICE_ACCOUNT | false |
resources | []string | | false |
serviceAccounts | []string | | false |
Gateway.spec.http[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by clients. | true |
name | string | A name assigned to the server. | true |
routing | object | Routing rules associated with HTTP traffic to this server. | true |
authentication | object | Authentication is used to configure the authentication of end-user credentials like JWT. | false |
authorization | object | Authorization is used to configure authorization of end users. | false |
extensions | object | Configure extensions for this hostname. | false |
failoverSettings | object | Failover settings for all clients that try to access the hostname defined in this section. | false |
openapi | object | OpenAPI configuration for the HTTP server. | false |
port | integer | The port where the server is exposed at the gateway workload (pod). | false |
rateLimiting | object | Configuration for rate limiting requests. | false |
tls | object | TLS certificate info. | false |
trafficMode | enum | Traffic mode specifies the type of configuration applied to this server. Enum: AUTO, INGRESS, EGRESS, TRANSIT | false |
transit | boolean | If set to true, the server is configured to be exposed within the mesh. | false |
Gateway.spec.http[index].routing
Routing rules associated with HTTP traffic to this server.
Name | Type | Description | Required |
---|---|---|---|
rules | []object | HTTP routes. | true |
corsPolicy | object | Cross origin resource request policy settings for all routes. | false |
Gateway.spec.http[index].routing.rules[index]
Name | Type | Description | Required |
---|---|---|---|
directResponse | object | Return a fixed response. | false |
disableExternalAuthorization | boolean | If set to true, external authorization is disabled on this route when the hostname is configured with external authorization. | false |
extensions | object | | false |
match | []object | One or more match conditions (OR-ed). | false |
modify | object | One or more mutations to be performed before forwarding. | false |
redirect | object | Redirect the request to a different host or URL or both. | false |
route | object | Forward the request to the specified destination(s). | false |
Gateway.spec.http[index].routing.rules[index].directResponse
Return a fixed response.
Name | Type | Description | Required |
---|---|---|---|
status | integer | Specifies the HTTP response status to be returned. | true |
body | object | Specifies the content of the response body. | false |
Gateway.spec.http[index].routing.rules[index].directResponse.body
Specifies the content of the response body.
Name | Type | Description | Required |
---|---|---|---|
bytes | string | Response body as base64-encoded bytes. Format: binary | false |
string | string | | false |
Gateway.spec.http[index].routing.rules[index].extensions
Name | Type | Description | Required |
---|---|---|---|
kong | object | Extend using Kong. | false |
Gateway.spec.http[index].routing.rules[index].extensions.kong
Extend using Kong.
Name | Type | Description | Required |
---|---|---|---|
plugins | []object | List of plugins. | false |
Gateway.spec.http[index].routing.rules[index].extensions.kong.plugins[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Plugin name. | true |
config | object | Configuration for this plugin (Optional). | false |
pluginSource | object | Reference to a custom plugin that will be attached and enabled. | false |
priority | integer | Priority to be given to this plugin (Optional). | false |
Gateway.spec.http[index].routing.rules[index].extensions.kong.plugins[index].config
Configuration for this plugin (Optional).
Name | Type | Description | Required |
---|---|---|---|
inline | object | Provide plugin config inline in the | false |
secret | string | | false |
Gateway.spec.http[index].routing.rules[index].extensions.kong.plugins[index].pluginSource
Reference to a custom plugin that will be attached and enabled.
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Kubernetes ConfigMap containing the plugin files. | true |
Gateway.spec.http[index].routing.rules[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
headers | map[string]object | The header keys must be lowercase and use hyphen as the separator, e.g. | false |
uri | object | URI to match. | false |
Gateway.spec.http[index].routing.rules[index].match[index].headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript style regex-based match. | false |
Gateway.spec.http[index].routing.rules[index].match[index].uri
URI to match.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript style regex-based match. | false |
Gateway.spec.http[index].routing.rules[index].modify
One or more mutations to be performed before forwarding.
Name | Type | Description | Required |
---|---|---|---|
headers | object | Add/remove/overwrite one or more HTTP headers in a request or response. | false |
rewrite | object | Rewrite the HTTP Host or URL or both. | false |
Gateway.spec.http[index].routing.rules[index].modify.headers
Add/remove/overwrite one or more HTTP headers in a request or response.
Name | Type | Description | Required |
---|---|---|---|
request | object | Header manipulation rules to apply before forwarding a request to the destination service. | false |
response | object | Header manipulation rules to apply before returning a response to the caller. | false |
Gateway.spec.http[index].routing.rules[index].modify.headers.request
Header manipulation rules to apply before forwarding a request to the destination service.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
Gateway.spec.http[index].routing.rules[index].modify.headers.response
Header manipulation rules to apply before returning a response to the caller.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
Gateway.spec.http[index].routing.rules[index].modify.rewrite
Rewrite the HTTP Host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | Rewrite the Authority/Host header with this value. | false |
uri | string | Rewrite the path (or the prefix) portion of the URI with this value. | false |
Gateway.spec.http[index].routing.rules[index].redirect
Redirect the request to a different host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. | false |
port | integer | | false |
redirectCode | integer | On a redirect, specifies the HTTP status code to use in the redirect response. | false |
scheme | string | On a redirect, overwrite the scheme with this one. | false |
uri | string | On a redirect, overwrite the Path portion of the URL with this value. | false |
Gateway.spec.http[index].routing.rules[index].route
Forward the request to the specified destination(s).
Name | Type | Description | Required |
---|---|---|---|
clusterDestination | object | RouteToClusters represents the clusters where the request needs to be routed to from the gateway. | false |
serviceDestination | object | RouteToService represents the service running in clusters. | false |
Gateway.spec.http[index].routing.rules[index].route.clusterDestination
RouteToClusters represents the clusters where the request needs to be routed to from the gateway.
Name | Type | Description | Required |
---|---|---|---|
clusters | []object | The destination clusters that contain ingress gateways exposing the hostname. | false |
Gateway.spec.http[index].routing.rules[index].route.clusterDestination.clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
Gateway.spec.http[index].routing.rules[index].route.serviceDestination
RouteToService represents the service running in clusters.
Name | Type | Description | Required |
---|---|---|---|
host | string | The destination service in | true |
port | integer | The port on the service to forward the request to. | false |
tls | object | The | false |
Gateway.spec.http[index].routing.rules[index].route.serviceDestination.tls
The ClientTLSSettings specifies how the gateway workload should establish connections to external services.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Gateway.spec.http[index].routing.rules[index].route.serviceDestination.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Gateway.spec.http[index].routing.corsPolicy
Cross origin resource request policy settings for all routes.
Name | Type | Description | Required |
---|---|---|---|
allowCredentials | boolean | Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. | false |
allowHeaders | []string | List of HTTP headers that can be used when requesting the resource. | false |
allowMethods | []string | List of HTTP methods allowed to access the resource. | false |
allowOrigin | []string | The list of origins that are allowed to perform CORS requests. | false |
exposeHeaders | []string | A list of HTTP headers that browsers are allowed to access. | false |
maxAge | string | Specifies how long the results of a preflight request can be cached. | false |
Gateway.spec.http[index].authentication
Authentication is used to configure the authentication of end-user credentials like JWT.
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules how to authenticate an HTTP request. | false |
Gateway.spec.http[index].authentication.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
Gateway.spec.http[index].authentication.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
Gateway.spec.http[index].authentication.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
Gateway.spec.http[index].authentication.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
Gateway.spec.http[index].authentication.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
Gateway.spec.http[index].authentication.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Gateway.spec.http[index].authentication.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Gateway.spec.http[index].authentication.rules
List of rules how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false |
Gateway.spec.http[index].authentication.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
Gateway.spec.http[index].authentication.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
Gateway.spec.http[index].authentication.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
Gateway.spec.http[index].authorization
Authorization is used to configure authorization of end users.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
Gateway.spec.http[index].authorization.external
Name | Type | Description | Required |
---|---|---|---|
includeRequestHeaders | []string | | false |
tls | object | | false |
uri | string | | false |
Gateway.spec.http[index].authorization.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Gateway.spec.http[index].authorization.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Gateway.spec.http[index].authorization.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
Gateway.spec.http[index].authorization.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
Gateway.spec.http[index].authorization.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
Gateway.spec.http[index].authorization.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
Gateway.spec.http[index].authorization.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
Gateway.spec.http[index].extensions
Configure extensions for this hostname.
Name | Type | Description | Required |
---|---|---|---|
kong | object | Extend using Kong. | false |
Gateway.spec.http[index].extensions.kong
Extend using Kong.
Name | Type | Description | Required |
---|---|---|---|
plugins | []object | List of plugins. | false |
Gateway.spec.http[index].extensions.kong.plugins[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Plugin name. | true |
config | object | Configuration for this plugin (Optional). | false |
pluginSource | object | Reference to a custom plugin that will be attached and enabled. | false |
priority | integer | Priority to be given to this plugin (Optional). | false |
Gateway.spec.http[index].extensions.kong.plugins[index].config
Configuration for this plugin (Optional).
Name | Type | Description | Required |
---|---|---|---|
inline | object | Provide plugin config inline in the | false |
secret | string | | false |
Gateway.spec.http[index].extensions.kong.plugins[index].pluginSource
Reference to a custom plugin that will be attached and enabled.
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Kubernetes ConfigMap containing the plugin files. | true |
Gateway.spec.http[index].failoverSettings
Failover settings for all clients that try to access the hostname defined in this section.
Name | Type | Description | Required |
---|---|---|---|
failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false |
regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false |
topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false |
Gateway.spec.http[index].failoverSettings.regionalFailover[index]
Name | Type | Description | Required |
---|---|---|---|
from | string | Originating region. | false |
to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false |
Gateway.spec.http[index].openapi
OpenAPI configuration for the HTTP server.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The fqn of the API that holds the OpenAPI spec document. | false |
validation | object | Validation options for the OpenAPI document. | false |
Gateway.spec.http[index].openapi.validation
Validation options for the OpenAPI document.
Name | Type | Description | Required |
---|---|---|---|
allowUndefined | boolean | By default, a request that is not defined in the OpenAPI document is rejected. | false |
enabled | boolean | If set to true, the OpenAPI document is enabled for validation. | false |
pathPrefix | string | Prefix to add to the paths in the OpenAPI doc before matching against incoming requests. | false |
Gateway.spec.http[index].rateLimiting
Configuration for rate limiting requests.
Name | Type | Description | Required |
---|---|---|---|
externalService | object | Configure rate limiting using an external rate limit server. | false |
settings | object | | false |
Gateway.spec.http[index].rateLimiting.externalService
Configure rate limiting using an external rate limit server.
Name | Type | Description | Required |
---|---|---|---|
domain | string | The rate limit domain to use when calling the rate limit service. | true |
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true |
rules | []object | A set of rate limit rules. | true |
failClosed | boolean | If set to true, the request fails when the rate limit service is unavailable. | false |
timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false |
Gateway.spec.http[index].rateLimiting.externalService.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true |
Gateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
destinationCluster | object | Rate limit on destination envoy cluster. | false |
headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
remoteAddress | object | Rate limit on remote address of client. | false |
requestHeaders | object | Rate limit on the value of certain request headers. | false |
sourceCluster | object | Rate limit on source envoy cluster. | false |
Gateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorValue | string | The value to use in the descriptor entry. | true |
headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
Gateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript-style regex-based match. | false |
Gateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorKey | string | The key to use in the descriptor entry. | true |
headerName | string | The header name to be queried from the request headers. | true |
Gateway.spec.http[index].rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Gateway.spec.http[index].rateLimiting.externalService.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Gateway.spec.http[index].rateLimiting.settings
Name | Type | Description | Required |
---|---|---|---|
rules | []object | A list of rules for rate limiting. | true |
failClosed | boolean | If set to true, the request fails when the rate limit service is unavailable. | false |
timeout | string | The timeout in seconds for the rate limit server RPC. | false |
Gateway.spec.http[index].rateLimiting.settings.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions that define each rate limit rule. | true |
limit | object | The rate limit value that will be configured for the above rules. | true |
Gateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
header | object | Rate limit on certain HTTP headers. | false |
remoteAddress | object | Rate limit on the remote address of client. | false |
Gateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the header to match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
value | object | Value of the header to match on if matching on a specific value. | false |
Gateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript-style regex-based match. | false |
Gateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
Name | Type | Description | Required |
---|---|---|---|
value | string | Rate limit on a specific remote address. | true |
Gateway.spec.http[index].rateLimiting.settings.rules[index].limit
The rate limit value that will be configured for the above rules.
Name | Type | Description | Required |
---|---|---|---|
requestsPerUnit | integer | Specifies the value of the rate limit. | true |
unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true |
Gateway.spec.http[index].tls
TLS certificate info.
Name | Type | Description | Required |
---|---|---|---|
cipherSuites | []string | List of cipher suites to be used for TLS connections. | false |
files | object | Load the keys and certificates from files accessible to the ingress gateway workload. | false |
maxProtocolVersion | enum | Set the maximum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
minProtocolVersion | enum | Set the minimum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
mode | enum | Set this to SIMPLE for one-way TLS or to MUTUAL for mutual TLS. Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL | false |
secretName | string | The name of the secret in Kubernetes that holds the TLS certs including the CA certificates. | false |
subjectAltNames | []string | List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake. | false |
Gateway.spec.http[index].tls.files
Load the keys and certificates from files accessible to the ingress gateway workload.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | | false |
privateKey | string | | false |
serverCertificate | string | | false |
Gateway.spec.tcp[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname to identify the service. | true |
name | string | A name assigned to the server. | true |
route | object | Forward the connection to the specified destination. | true |
failoverSettings | object | Failover settings for all clients that try to access the hostname defined in this section. | false |
port | integer | The port where the server is exposed. | false |
tls | object | TLS certificate info to terminate the TLS connection. | false |
trafficMode | enum | Traffic mode specifies the type of configuration applied to this server. Enum: AUTO, INGRESS, EGRESS, TRANSIT | false |
transit | boolean | If set to true, the server is configured to be exposed within the mesh. | false |
Gateway.spec.tcp[index].route
Forward the connection to the specified destination.
Name | Type | Description | Required |
---|---|---|---|
clusterDestination | object | RouteToClusters represents the clusters where the request needs to be routed to from the gateway. | false |
serviceDestination | object | RouteToService represents the service running in clusters. | false |
Gateway.spec.tcp[index].route.clusterDestination
RouteToClusters represents the clusters where the request needs to be routed to from the gateway.
Name | Type | Description | Required |
---|---|---|---|
clusters | []object | The destination clusters that contain ingress gateways exposing the hostname. | false |
Gateway.spec.tcp[index].route.clusterDestination.clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
Gateway.spec.tcp[index].route.serviceDestination
RouteToService represents the service running in clusters.
Name | Type | Description | Required |
---|---|---|---|
host | string | The destination service in | true |
port | integer | The port on the service to forward the request to. | false |
tls | object | The | false |
Gateway.spec.tcp[index].route.serviceDestination.tls
The ClientTLSSettings specifies how the gateway workload should establish connections to external services.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Gateway.spec.tcp[index].route.serviceDestination.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Gateway.spec.tcp[index].failoverSettings
Failover settings for all clients that try to access the hostname defined in this section.
Name | Type | Description | Required |
---|---|---|---|
failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false |
regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false |
topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false |
Gateway.spec.tcp[index].failoverSettings.regionalFailover[index]
Name | Type | Description | Required |
---|---|---|---|
from | string | Originating region. | false |
to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false |
Gateway.spec.tcp[index].tls
TLS certificate info to terminate the TLS connection.
Name | Type | Description | Required |
---|---|---|---|
cipherSuites | []string | List of cipher suites to be used for TLS connections. | false |
files | object | Load the keys and certificates from files accessible to the ingress gateway workload. | false |
maxProtocolVersion | enum | Set the maximum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
minProtocolVersion | enum | Set the minimum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
mode | enum | Set this to SIMPLE for one-way TLS or to MUTUAL for mutual TLS. Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL | false |
secretName | string | The name of the secret in Kubernetes that holds the TLS certs including the CA certificates. | false |
subjectAltNames | []string | List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake. | false |
Gateway.spec.tcp[index].tls.files
Load the keys and certificates from files accessible to the ingress gateway workload.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | | false |
privateKey | string | | false |
serverCertificate | string | | false |
Gateway.spec.tls[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by clients. | true |
name | string | A name assigned to the server. | true |
port | integer | The port where the server is exposed. | true |
route | object | Forward the connection to the specified destination. | true |
failoverSettings | object | Failover settings for all clients that try to access the hostname defined in this section. | false |
Gateway.spec.tls[index].route
Forward the connection to the specified destination.
Name | Type | Description | Required |
---|---|---|---|
clusterDestination | object | RouteToClusters represents the clusters where the request needs to be routed to from the gateway. | false |
serviceDestination | object | RouteToService represents the service running in clusters. | false |
Gateway.spec.tls[index].route.clusterDestination
RouteToClusters represents the clusters where the request needs to be routed to from the gateway.
Name | Type | Description | Required |
---|---|---|---|
clusters | []object | The destination clusters that contain ingress gateways exposing the hostname. | false |
Gateway.spec.tls[index].route.clusterDestination.clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
Gateway.spec.tls[index].route.serviceDestination
RouteToService represents the service running in clusters.
Name | Type | Description | Required |
---|---|---|---|
host | string | The destination service in | true |
port | integer | The port on the service to forward the request to. | false |
tls | object | The | false |
Gateway.spec.tls[index].route.serviceDestination.tls
The ClientTLSSettings specifies how the gateway workload should establish connections to external services.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Gateway.spec.tls[index].route.serviceDestination.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Gateway.spec.tls[index].failoverSettings
Failover settings for all clients that try to access the hostname defined in this section.
Name | Type | Description | Required |
---|---|---|---|
failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false |
regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false |
topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false |
Gateway.spec.tls[index].failoverSettings.regionalFailover[index]
Name | Type | Description | Required |
---|---|---|---|
from | string | Originating region. | false |
to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false |
Gateway.spec.waf
WAF settings to be enabled for traffic passing through the HttpServer.
Name | Type | Description | Required |
---|---|---|---|
rules | []string | Rules to be leveraged by WAF. | true |
Gateway.spec.wasmPlugins[index]
Name | Type | Description | Required |
---|---|---|---|
fqn | string | Fqn of the extension to be executed. | true |
config | object | Configuration parameters sent to the WASM plugin execution. | false |
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
Gateway.spec.wasmPlugins[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
mode | enum | Criteria for selecting traffic by its direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
ports | []object | Criteria for selecting traffic by their destination port. | false |
Gateway.spec.wasmPlugins[index].match[index].ports[index]
Name | Type | Description | Required |
---|---|---|---|
number | integer | | true |
Group
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | gateway.tsb.tetrate.io/v2 | true |
kind | string | Group | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | A gateway group manages the gateways in a group of namespaces owned by the parent workspace. | false |
status | object | | false |
Group.spec
A gateway group manages the gateways in a group of namespaces owned by the parent workspace.
Name | Type | Description | Required |
---|---|---|---|
namespaceSelector | object | Set of namespaces owned exclusively by this group. | true |
configGenerationMetadata | object | Default metadata values that will be propagated to the children Istio generated configurations. | false |
configMode | enum | The configuration types that will be added to this group. Enum: BRIDGED, DIRECT | false |
deletionProtectionEnabled | boolean | When set, prevents the resource from being deleted. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
profiles | []string | List of profiles attached to the gateway group to be used to propagate default and mandatory configurations down to the children. | false |
Group.spec.namespaceSelector
Set of namespaces owned exclusively by this group.
Name | Type | Description | Required |
---|---|---|---|
names | []string | Under the tenant/workspace/group: - | true |
Group.spec.configGenerationMetadata
Default metadata values that will be propagated to the children Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key-value pairs that will be added into the | false |
labels | map[string]string | Set of key-value pairs that will be added into the | false |
IngressGateway
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | gateway.tsb.tetrate.io/v2 | true |
kind | string | IngressGateway | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
IngressGateway.spec
IngressGateway configures a workload to act as an ingress gateway into the mesh.
Name | Type | Description | Required |
---|---|---|---|
workloadSelector | object | Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway. | true |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
extension | []object | Extensions specifies all the WasmExtensions assigned to this IngressGateway with the specific configuration for each extension. | false |
fqn | string | Fully-qualified name of the resource. | false |
http | []object | One or more HTTP or HTTPS servers exposed by the gateway. | false |
tcp | []object | One or more non-HTTP and non-passthrough servers which use TCP based protocols. | false |
tlsPassthrough | []object | One or more TLS servers exposed by the gateway. | false |
waf | object | WAF settings to be enabled for traffic passing through the HttpServer. | false |
IngressGateway.spec.workloadSelector
Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | One or more labels that indicate a specific set of pods/VMs in the namespace. | true |
namespace | string | The namespace where the workload resides. | true |
IngressGateway.spec.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key-value pairs that will be added into the | false |
labels | map[string]string | Set of key-value pairs that will be added into the | false |
IngressGateway.spec.extension[index]
Name | Type | Description | Required |
---|---|---|---|
fqn | string | Fqn of the extension to be executed. | true |
config | object | Configuration parameters sent to the WASM plugin execution. | false |
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
IngressGateway.spec.extension[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
mode | enum | Criteria for selecting traffic by its direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
ports | []object | Criteria for selecting traffic by their destination port. | false |
IngressGateway.spec.extension[index].match[index].ports[index]
Name | Type | Description | Required |
---|---|---|---|
number | integer | | true |
IngressGateway.spec.http[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by clients. | true |
name | string | A name assigned to the server. | true |
port | integer | The port where the server is exposed. | true |
routing | object | Routing rules associated with HTTP traffic to this service. | true |
authentication | object | Configuration to authenticate clients. | false |
authorization | object | Configuration to authorize a request. | false |
rateLimiting | object | Configuration for rate limiting requests. | false |
tls | object | TLS certificate info. | false |
xxxOldAuthentication | object | | false |
xxxOldAuthorization | object | | false |
IngressGateway.spec.http[index].routing
Routing rules associated with HTTP traffic to this service.
Name | Type | Description | Required |
---|---|---|---|
rules | []object | HTTP routes. | true |
corsPolicy | object | Cross origin resource request policy settings for all routes. | false |
IngressGateway.spec.http[index].routing.rules[index]
Name | Type | Description | Required |
---|---|---|---|
directResponse | object | Return a fixed response. | false |
match | []object | One or more match conditions (OR-ed). | false |
modify | object | One or more mutations to be performed before forwarding. | false |
redirect | object | Redirect the request to a different host or URL or both. | false |
route | object | Forward the request to the specified destination(s). | false |
IngressGateway.spec.http[index].routing.rules[index].directResponse
Return a fixed response.
Name | Type | Description | Required |
---|---|---|---|
status | integer | Specifies the HTTP response status to be returned. | true |
body | object | Specifies the content of the response body. | false |
IngressGateway.spec.http[index].routing.rules[index].directResponse.body
Specifies the content of the response body.
Name | Type | Description | Required |
---|---|---|---|
bytes | string | Response body as base64-encoded bytes. Format: binary | false |
string | string | | false |
IngressGateway.spec.http[index].routing.rules[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
headers | map[string]object | The header keys must be lowercase and use a hyphen as the separator, e.g. | false |
uri | object | URI to match. | false |
IngressGateway.spec.http[index].routing.rules[index].match[index].headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript-style regex-based match. | false |
IngressGateway.spec.http[index].routing.rules[index].match[index].uri
URI to match.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript-style regex-based match. | false |
IngressGateway.spec.http[index].routing.rules[index].modify
One or more mutations to be performed before forwarding.
Name | Type | Description | Required |
---|---|---|---|
headers | object | Add/remove/overwrite one or more HTTP headers in a request or response. | false |
rewrite | object | Rewrite the HTTP Host or URL or both. | false |
IngressGateway.spec.http[index].routing.rules[index].modify.headers
Add/remove/overwrite one or more HTTP headers in a request or response.
Name | Type | Description | Required |
---|---|---|---|
request | object | Header manipulation rules to apply before forwarding a request to the destination service. | false |
response | object | Header manipulation rules to apply before returning a response to the caller. | false |
IngressGateway.spec.http[index].routing.rules[index].modify.headers.request
Header manipulation rules to apply before forwarding a request to the destination service.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
IngressGateway.spec.http[index].routing.rules[index].modify.headers.response
Header manipulation rules to apply before returning a response to the caller.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
IngressGateway.spec.http[index].routing.rules[index].modify.rewrite
Rewrite the HTTP Host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | Rewrite the Authority/Host header with this value. | false |
uri | string | Rewrite the path (or the prefix) portion of the URI with this value. | false |
IngressGateway.spec.http[index].routing.rules[index].redirect
Redirect the request to a different host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. | false |
port | integer | | false |
redirectCode | integer | On a redirect, specifies the HTTP status code to use in the redirect response. | false |
scheme | string | On a redirect, overwrite the scheme with this one. | false |
uri | string | On a redirect, overwrite the Path portion of the URL with this value. | false |
IngressGateway.spec.http[index].routing.rules[index].route
Forward the request to the specified destination(s).
Name | Type | Description | Required |
---|---|---|---|
host | string | The destination service in | true |
port | integer | The port on the service to forward the request to. | false |
IngressGateway.spec.http[index].routing.corsPolicy
Cross origin resource request policy settings for all routes.
Name | Type | Description | Required |
---|---|---|---|
allowCredentials | boolean | Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. | false |
allowHeaders | []string | List of HTTP headers that can be used when requesting the resource. | false |
allowMethods | []string | List of HTTP methods allowed to access the resource. | false |
allowOrigin | []string | The list of origins that are allowed to perform CORS requests. | false |
exposeHeaders | []string | A white list of HTTP headers that the browsers are allowed to access. | false |
maxAge | string | Specifies how long the results of a preflight request can be cached. | false |
IngressGateway.spec.http[index].authentication
Configuration to authenticate clients.
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules how to authenticate an HTTP request. | false |
IngressGateway.spec.http[index].authentication.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
IngressGateway.spec.http[index].authentication.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
IngressGateway.spec.http[index].authentication.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
IngressGateway.spec.http[index].authentication.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
IngressGateway.spec.http[index].authentication.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
IngressGateway.spec.http[index].authentication.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
IngressGateway.spec.http[index].authentication.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
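A worked OIDC configuration for a single HTTP server, added here as an illustration; it is not taken from the TSB documentation or from any Tetrate example. Only the field names under authentication.oidc and its provider come from the tables above. The hostname, the identity provider, its endpoints, the client ID, the Secret name, the callback paths and the sibling http[index] fields (name, hostname, port) are assumed placeholder values.

```yaml
# Added example, not from the original page. Host, issuer, client and Secret
# names are placeholders; field names follow the
# IngressGateway.spec.http[index].authentication.oidc tables above.
http:
- name: portal
  hostname: portal.example.com
  port: 443
  authentication:
    oidc:
      clientId: portal-gateway
      # Kubernetes Secret holding the client secret; the secret value itself
      # never appears in the custom resource.
      clientTokenSecret: portal-oidc-client-secret
      grantType: AUTHORIZATION_CODE
      # client_id:client_secret sent as HTTP Basic credentials to the token endpoint
      authType: BASIC_AUTH
      authScopes: ["openid", "profile", "email"]
      # Built from request parameters so one resource serves any scheme/host;
      # per the field description it must carry no query string.
      redirectUri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
      # Path the gateway treats as the provider's redirect back (assumed form).
      redirectPathMatcher: /callback
      signoutPath: /signout
      useRefreshToken: true
      provider:
        issuer: https://idp.example.com
        authorizationEndpoint: https://idp.example.com/oauth2/authorize
        tokenEndpoint: https://idp.example.com/oauth2/token
        jwksUri: https://idp.example.com/.well-known/jwks.json
        tls:
          # Verify the provider's server certificate; a DISABLED mode here would
          # let an on-path attacker impersonate the token endpoint.
          mode: SIMPLE
          files:
            caCertificates: /etc/ssl/certs/ca-certificates.crt
```

Because redirectUri is assembled from x-forwarded-proto and :authority, register the exact resulting URI (scheme, host and /callback path) with the provider: the provider's redirect-URI comparison is the control that stops a forged scheme or Host header from sending the authorization code somewhere else.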
IngressGateway.spec.http[index].authentication.rules
List of rules how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false |
IngressGateway.spec.http[index].authentication.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
IngressGateway.spec.http[index].authentication.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
IngressGateway.spec.http[index].authentication.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
IngressGateway.spec.http[index].authorization
Configuration to authorize a request.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
IngressGateway.spec.http[index].authorization.external
Name | Type | Description | Required |
---|---|---|---|
includeRequestHeaders | []string | | false |
tls | object | | false |
uri | string | | false |
IngressGateway.spec.http[index].authorization.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
IngressGateway.spec.http[index].authorization.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
IngressGateway.spec.http[index].authorization.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
IngressGateway.spec.http[index].authorization.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
IngressGateway.spec.http[index].authorization.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
IngressGateway.spec.http[index].authorization.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
IngressGateway.spec.http[index].authorization.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
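A complete IngressGateway that ties the tables above together: one HTTPS server that terminates TLS, authenticates callers by JWT, and then authorizes them with a local rule keyed on the token's claims. This is an added example, not a resource from the TSB documentation. Field names follow the tables; the namespace, labels, hostname, Secret name, issuer, audience, claim names, paths and the destination host (written here in a namespace/service form, which is an assumption because the route.host description on this page is truncated) are placeholder values. The sibling http[index] fields name, hostname, port and routing are assumed to exist with the shapes used here.

```yaml
# Added example, not from the original page. Names, hosts, issuer and Secret
# are placeholders; field names follow the IngressGateway.spec.http[index]
# tls, authentication.jwt and authorization.local tables above.
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: bookinfo-gw
  namespace: bookinfo
spec:
  workloadSelector:
    namespace: bookinfo
    labels:
      app: bookinfo-gw
  http:
  - name: productpage
    hostname: bookinfo.example.com
    port: 443
    tls:
      mode: SIMPLE
      secretName: bookinfo-cert            # Secret with the server key and certificate
      minProtocolVersion: TLSV1_2          # refuse TLS 1.0/1.1 handshakes
    authentication:
      jwt:
        issuer: https://issuer.example.com
        # Pin the audience: a token minted for another service must not pass here.
        audiences: ["bookinfo"]
        jwksUri: https://issuer.example.com/.well-known/jwks.json
        fromHeaders:
        - name: Authorization
          prefix: "Bearer "                # stripped before the token is decoded
        # Copy the verified subject to a header the backend can read.
        outputClaimToHeaders:
        - claim: sub
          header: x-jwt-sub
    authorization:
      local:
        rules:
        - name: readers
          from:
          - jwt:
              iss: https://issuer.example.com
              other:
                role: reader               # arbitrary claim that must be present with this value
          to:
          - methods: ["GET"]
            paths: ["/api/v1/products"]    # exact path; wildcard support is not described on this page
        - name: admins
          from:
          - jwt:
              iss: https://issuer.example.com
              other:
                role: admin
          to:
          - methods: ["GET", "POST", "DELETE"]
            paths: ["/api/v1/products", "/api/v1/reviews"]
    routing:
      rules:
      - route:
          host: bookinfo/productpage.bookinfo.svc.cluster.local   # assumed namespace/fqdn form
          port: 9080
```

Two points a reviewer would check. The x-jwt-sub header produced by outputClaimToHeaders is only trustworthy at the backend if the gateway is the sole path to that backend; a client that can reach the service directly can send the header itself. And each local rule pairs a from subject with a to resource set, so an audience or claim typo widens or silently closes access: test both an accepted and a rejected token against every rule after a change.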
IngressGateway.spec.http[index].rateLimiting
Configuration for rate limiting requests.
Name | Type | Description | Required |
---|---|---|---|
externalService | object | Configure ratelimiting using an external ratelimit server. | false |
settings | object | | false |
IngressGateway.spec.http[index].rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
Name | Type | Description | Required |
---|---|---|---|
domain | string | The rate limit domain to use when calling the rate limit service. | true |
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true |
rules | []object | A set of rate limit rules. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
destinationCluster | object | Rate limit on destination envoy cluster. | false |
headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
remoteAddress | object | Rate limit on remote address of client. | false |
requestHeaders | object | Rate limit on the value of certain request headers. | false |
sourceCluster | object | Rate limit on source envoy cluster. | false |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorValue | string | The value to use in the descriptor entry. | true |
headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorKey | string | The key to use in the descriptor entry. | true |
headerName | string | The header name to be queried from the request headers. | true |
IngressGateway.spec.http[index].rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
IngressGateway.spec.http[index].rateLimiting.externalService.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
IngressGateway.spec.http[index].rateLimiting.settings
Name | Type | Description | Required |
---|---|---|---|
rules | []object | A list of rules for ratelimiting. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the rate limit server RPC. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions to define each ratelimit rule. | true |
limit | object | The ratelimit value that will be configured for the above rules. | true |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
header | object | Rate limit on certain HTTP headers. | false |
remoteAddress | object | Rate limit on the remote address of client. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the header to match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
value | object | Value of the header to match on if matching on a specific value. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
Name | Type | Description | Required |
---|---|---|---|
value | string | Ratelimit on a specific remote address. | true |
IngressGateway.spec.http[index].rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
Name | Type | Description | Required |
---|---|---|---|
requestsPerUnit | integer | Specifies the value of the rate limit. | true |
unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true |
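A rateLimiting.settings fragment for one HTTP server, added here as an illustration and not taken from the TSB documentation. It exercises both dimension kinds from the tables above: a remoteAddress rule for one abusive client, a header rule keyed on an API-key prefix, and a header rule that uses dontMatch to cap every request lacking a paid-tier marker. The header names, the address (203.0.113.7 is a documentation range address) and the limits are placeholder values; field names follow the tables.

```yaml
# Added example, not from the original page. Header names, address and limits
# are placeholders; field names follow the
# IngressGateway.spec.http[index].rateLimiting.settings tables above.
rateLimiting:
  settings:
    # Reject requests rather than pass them unmetered when the limiter is unavailable.
    failClosed: true
    rules:
    # Rule 1: one client address gets a hard ceiling.
    - dimensions:
      - remoteAddress:
          value: 203.0.113.7
      limit:
        requestsPerUnit: 10
        unit: MINUTE
    # Rule 2: trial API keys, recognised by a header prefix, get a low ceiling.
    - dimensions:
      - header:
          name: x-api-key
          value:
            prefix: trial-
      limit:
        requestsPerUnit: 60
        unit: MINUTE
    # Rule 3: anything that does NOT carry x-tier: paid (dontMatch inverts the
    # match) is capped at an hourly budget.
    - dimensions:
      - header:
          name: x-tier
          dontMatch: true
          value:
            exact: paid
      limit:
        requestsPerUnit: 600
        unit: HOUR
```

Two caveats apply. remoteAddress is the peer as the gateway sees it; behind a load balancer that does not preserve the client address, every request shares the balancer's address and one rule throttles everyone. And header dimensions key on values the client sends, so a limit keyed on x-tier or x-api-key is a throughput control, not an access control: a client can change the header, and only authentication on the same server decides who may do so legitimately.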
IngressGateway.spec.http[index].tls
TLS certificate info.
Name | Type | Description | Required |
---|---|---|---|
cipherSuites | []string | List of cipher suites to be used for TLS connections. | false |
files | object | Load the keys and certificates from files accessible to the ingress gateway workload. | false |
maxProtocolVersion | enum | Set the maximum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
minProtocolVersion | enum | Set the minimum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
mode | enum | Set this to SIMPLE for one-way TLS or MUTUAL for mutual TLS. Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL | false |
secretName | string | The name of the secret in Kubernetes that holds the TLS certs including the CA certificates. | false |
subjectAltNames | []string | List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake. | false |
IngressGateway.spec.http[index].tls.files
Load the keys and certificates from files accessible to the ingress gateway workload.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | | false |
privateKey | string | | false |
serverCertificate | string | | false |
IngressGateway.spec.http[index].xxxOldAuthentication
Name | Type | Description | Required |
---|---|---|---|
jwt | object | | false |
IngressGateway.spec.http[index].xxxOldAuthentication.jwt
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
IngressGateway.spec.http[index].xxxOldAuthorization
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
IngressGateway.spec.http[index].xxxOldAuthorization.external
Name | Type | Description | Required |
---|---|---|---|
includeRequestHeaders | []string | | false |
uri | string | | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
IngressGateway.spec.tcp[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname to identify the service. | true |
name | string | A name assigned to the server. | true |
port | integer | The port where the server is exposed. | true |
route | object | Forward the connection to the specified destination. | false |
tls | object | | false |
IngressGateway.spec.tcp[index].route
Forward the connection to the specified destination.
Name | Type | Description | Required |
---|---|---|---|
host | string | The destination service in | true |
port | integer | The port on the service to forward the request to. | false |
IngressGateway.spec.tcp[index].tls
Name | Type | Description | Required |
---|---|---|---|
cipherSuites | []string | List of cipher suites to be used for TLS connections. | false |
files | object | Load the keys and certificates from files accessible to the ingress gateway workload. | false |
maxProtocolVersion | enum | Set the maximum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
minProtocolVersion | enum | Set the minimum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
mode | enum | Set this to SIMPLE for one-way TLS or MUTUAL for mutual TLS. Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL | false |
secretName | string | The name of the secret in Kubernetes that holds the TLS certs including the CA certificates. | false |
subjectAltNames | []string | List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake. | false |
IngressGateway.spec.tcp[index].tls.files
Load the keys and certificates from files accessible to the ingress gateway workload.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | | false |
privateKey | string | | false |
serverCertificate | string | | false |
IngressGateway.spec.tlsPassthrough[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by clients. | true |
name | string | A name assigned to the server. | true |
port | integer | The port where the server is exposed. | true |
route | object | Forward the connection to the specified destination. | true |
IngressGateway.spec.tlsPassthrough[index].route
Forward the connection to the specified destination.
Name | Type | Description | Required |
---|---|---|---|
host | string | The destination service in | true |
port | integer | The port on the service to forward the request to. | false |
IngressGateway.spec.waf
WAF settings to be enabled for traffic passing through the HttpServer.
Name | Type | Description | Required |
---|---|---|---|
rules | []string | Rules to be leveraged by WAF. | true |
Tier1Gateway
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | gateway.tsb.tetrate.io/v2 | true |
kind | string | Tier1Gateway | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | false |
Tier1Gateway.spec
Tier1Gateway
configures a workload to act as a tier1 gateway into the mesh.
Name | Type | Description | Required |
---|---|---|---|
workloadSelector | object | Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway. | true |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
extension | []object | Extensions specifies all the WasmExtensions assigned to this Tier1Gateway with the specific configuration for each extension. | false |
externalServers | []object | One or more servers exposed by the gateway externally. | false |
fqn | string | Fully-qualified name of the resource. | false |
internalServers | []object | One or more servers exposed by the gateway internally for cross cluster forwarding. | false |
passthroughServers | []object | One or more tls passthrough servers exposed by the gateway externally. | false |
tcpExternalServers | []object | One or more tcp servers exposed by the gateway externally. | false |
tcpInternalServers | []object | One or more tcp servers exposed by the gateway for mesh internal traffic. | false |
waf | object | WAF settings to be enabled for traffic passing through this Tier1 gateway. | false |
Tier1Gateway.spec.workloadSelector
Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | One or more labels that indicate a specific set of pods/VMs in the namespace. | true |
namespace | string | The namespace where the workload resides. | true |
Tier1Gateway.spec.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
Tier1Gateway.spec.extension[index]
Name | Type | Description | Required |
---|---|---|---|
fqn | string | Fqn of the extension to be executed. | true |
config | object | Configuration parameters sent to the WASM plugin execution. | false |
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
Tier1Gateway.spec.extension[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
ports | []object | Criteria for selecting traffic by their destination port. | false |
Tier1Gateway.spec.extension[index].match[index].ports[index]
Name | Type | Description | Required |
---|---|---|---|
number | integer | | true |
Tier1Gateway.spec.externalServers[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by clients. | true |
name | string | A name assigned to the server. | true |
port | integer | The port where the server is exposed. | true |
authentication | object | Authentication is used to configure the authentication of end-user credentials like JWT. | false |
authorization | object | Authorization is used to configure authorization of end users. | false |
clusters | []object | The destination clusters that contain ingress gateways exposing the hostname. | false |
rateLimiting | object | Configuration for rate limiting requests. | false |
redirect | object | Redirect allows configuring HTTP redirect. | false |
tls | object | TLS certificate info. | false |
Tier1Gateway.spec.externalServers[index].authentication
Authentication is used to configure the authentication of end-user credentials like JWT.
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules how to authenticate an HTTP request. | false |
Tier1Gateway.spec.externalServers[index].authentication.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
Tier1Gateway.spec.externalServers[index].authentication.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
Tier1Gateway.spec.externalServers[index].authentication.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
Tier1Gateway.spec.externalServers[index].authentication.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
Tier1Gateway.spec.externalServers[index].authentication.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
Tier1Gateway.spec.externalServers[index].authentication.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Tier1Gateway.spec.externalServers[index].authentication.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Tier1Gateway.spec.externalServers[index].authentication.rules
List of rules for how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules for how to authenticate an HTTP request from a JWT token attached to it. | false |
Tier1Gateway.spec.externalServers[index].authentication.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
Tier1Gateway.spec.externalServers[index].authentication.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
Tier1Gateway.spec.externalServers[index].authentication.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
Tier1Gateway.spec.externalServers[index].authorization
Authorization is used to configure authorization of end users.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
Tier1Gateway.spec.externalServers[index].authorization.external
Name | Type | Description | Required |
---|---|---|---|
includeRequestHeaders | []string | | false |
tls | object | | false |
uri | string | | false |
Tier1Gateway.spec.externalServers[index].authorization.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Tier1Gateway.spec.externalServers[index].authorization.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Tier1Gateway.spec.externalServers[index].authorization.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | false |
Tier1Gateway.spec.externalServers[index].authorization.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request paths that the request is made against. | false |
Tier1Gateway.spec.externalServers[index].clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting
Configuration for rate limiting requests.
Name | Type | Description | Required |
---|---|---|---|
externalService | object | Configure ratelimiting using an external ratelimit server. | false |
settings | object | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
Name | Type | Description | Required |
---|---|---|---|
domain | string | The rate limit domain to use when calling the rate limit service. | true |
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true |
rules | []object | A set of rate limit rules. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
destinationCluster | object | Rate limit on destination envoy cluster. | false |
headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
remoteAddress | object | Rate limit on remote address of client. | false |
requestHeaders | object | Rate limit on the value of certain request headers. | false |
sourceCluster | object | Rate limit on source envoy cluster. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorValue | string | The value to use in the descriptor entry. | true |
headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorKey | string | The key to use in the descriptor entry. | true |
headerName | string | The header name to be queried from the request headers. | true |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings
Name | Type | Description | Required |
---|---|---|---|
rules | []object | A list of rules for ratelimiting. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the rate limit server RPC. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions to define each ratelimit rule. | true |
limit | object | The ratelimit value that will be configured for the above rules. | true |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
header | object | Rate limit on certain HTTP headers. | false |
remoteAddress | object | Rate limit on the remote address of client. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the header to match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
value | object | Value of the header to match on if matching on a specific value. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
Name | Type | Description | Required |
---|---|---|---|
value | string | Ratelimit on a specific remote address. | true |
Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
Name | Type | Description | Required |
---|---|---|---|
requestsPerUnit | integer | Specifies the value of the rate limit. | true |
unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true |
Tier1Gateway.spec.externalServers[index].redirect
Redirect allows configuring HTTP redirect.
Name | Type | Description | Required |
---|---|---|---|
authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. | false |
port | integer | | false |
redirectCode | integer | On a redirect, specifies the HTTP status code to use in the redirect response. | false |
scheme | string | On a redirect, overwrite the scheme with this one. | false |
uri | string | On a redirect, overwrite the Path portion of the URL with this value. | false |
Tier1Gateway.spec.externalServers[index].tls
TLS certificate info.
Name | Type | Description | Required |
---|---|---|---|
cipherSuites | []string | List of cipher suites to be used for TLS connections. | false |
files | object | Load the keys and certificates from files accessible to the ingress gateway workload. | false |
maxProtocolVersion | enum | Set the maximum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
minProtocolVersion | enum | Set the minimum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
mode | enum | Set this to SIMPLE for one-way TLS or MUTUAL for mutual TLS. Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL | false |
secretName | string | The name of the secret in Kubernetes that holds the TLS certs including the CA certificates. | false |
subjectAltNames | []string | List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake. | false |
Tier1Gateway.spec.externalServers[index].tls.files
Load the keys and certificates from files accessible to the ingress gateway workload.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | | false |
privateKey | string | | false |
serverCertificate | string | | false |
Tier1Gateway.spec.internalServers[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by sidecars in the mesh. | true |
name | string | A name assigned to the server. | true |
authentication | object | Authentication is used to configure the authentication of end-user credentials like JWT. | false |
authorization | object | Authorization is used to configure authorization of end user and traffic. | false |
clusters | []object | The destination clusters that contain ingress gateways exposing the hostname. | false |
Tier1Gateway.spec.internalServers[index].authentication
Authentication is used to configure the authentication of end-user credentials like JWT.
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules for how to authenticate an HTTP request. | false |
Tier1Gateway.spec.internalServers[index].authentication.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
Tier1Gateway.spec.internalServers[index].authentication.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
Tier1Gateway.spec.internalServers[index].authentication.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
Tier1Gateway.spec.internalServers[index].authentication.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
Tier1Gateway.spec.internalServers[index].authentication.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
Tier1Gateway.spec.internalServers[index].authentication.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Tier1Gateway.spec.internalServers[index].authentication.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Tier1Gateway.spec.internalServers[index].authentication.rules
List of rules for how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules for how to authenticate an HTTP request from a JWT token attached to it. | false |
Tier1Gateway.spec.internalServers[index].authentication.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
Tier1Gateway.spec.internalServers[index].authentication.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
Tier1Gateway.spec.internalServers[index].authentication.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
Tier1Gateway.spec.internalServers[index].authorization
Authorization is used to configure authorization of end user and traffic.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
Tier1Gateway.spec.internalServers[index].authorization.external
Name | Type | Description | Required |
---|---|---|---|
includeRequestHeaders | []string | | false |
tls | object | | false |
uri | string | | false |
Tier1Gateway.spec.internalServers[index].authorization.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
Tier1Gateway.spec.internalServers[index].authorization.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
Tier1Gateway.spec.internalServers[index].authorization.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | false |
Tier1Gateway.spec.internalServers[index].authorization.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request paths that the request is made against. | false |
Tier1Gateway.spec.internalServers[index].clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
Tier1Gateway.spec.passthroughServers[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by clients. | true |
name | string | A name assigned to the server. | true |
port | integer | The port where the server is exposed. | true |
clusters | []object | The destination clusters that contain ingress gateways exposing the hostname on passthrough servers. | false |
Tier1Gateway.spec.passthroughServers[index].clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
Tier1Gateway.spec.tcpExternalServers[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Although hostname or authority does not make sense in the non-HTTP context, this is used to define the routing rules. | true |
name | string | A name assigned to the server. | true |
port | integer | The port where the server is exposed. | true |
clusters | []object | The destination clusters that contain ingress gateways exposing the service. | false |
tls | object | TLS certificate information to terminate TLS. | false |
Tier1Gateway.spec.tcpExternalServers[index].clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
Tier1Gateway.spec.tcpExternalServers[index].tls
TLS certificate information to terminate TLS.
Name | Type | Description | Required |
---|---|---|---|
cipherSuites | []string | List of cipher suites to be used for TLS connections. | false |
files | object | Load the keys and certificates from files accessible to the ingress gateway workload. | false |
maxProtocolVersion | enum | Set the maximum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
minProtocolVersion | enum | Set the minimum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
mode | enum | Set this to SIMPLE for one-way TLS or MUTUAL for mutual TLS. Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL | false |
secretName | string | The name of the secret in Kubernetes that holds the TLS certs including the CA certificates. | false |
subjectAltNames | []string | List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake. | false |
Tier1Gateway.spec.tcpExternalServers[index].tls.files
Load the keys and certificates from files accessible to the ingress gateway workload.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | | false |
privateKey | string | | false |
serverCertificate | string | | false |
Tier1Gateway.spec.tcpInternalServers[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | The name of the service used. | true |
name | string | A name assigned to the server. | true |
clusters | []object | The destination clusters that contain ingress gateways exposing the service. | false |
Tier1Gateway.spec.tcpInternalServers[index].clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
Tier1Gateway.spec.waf
WAF settings to be enabled for traffic passing through this Tier1 gateway.
Name | Type | Description | Required |
---|---|---|---|
rules | []string | Rules to be leveraged by WAF. | true |