Tetrate Service Bridge API (next)

Tetrate Service Bridge API.

OAuth

OIDC

Callback endpoint for OAuth2 Authorization Code grant flows as part of the OIDC spec.

query Parameters
code
string

OAuth2 Authorization Code. When present this indicates the user authorized the request. TSB will use this code to acquire a token from the OIDC token endpoint and complete the login flow.

error
string

OAuth2 Error Code. When present this indicates that either the authorization request has an error, the OIDC provider encountered an error or the user failed to log in. When set TSB will display information to the user indicating what went wrong.

Standard error codes can be found here: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1 and https://openid.net/specs/openid-connect-core-1_0.html#AuthError

state
required
string

The state parameter sent to the OIDC provider on the authorization request.

errorDescription
string

Optional error description sent by the OIDC provider when an error occurs.

errorUri
string

Optional error URI of a web page that includes additional information about the error.

Responses

Response samples

Content type
application/json
{ }

Login endpoint to start an OIDC Authentication flow.

query Parameters
redirectUri
string

URL where the user will be redirected when the authentication flow completes.

Responses

Response samples

Content type
application/json
{ }

SidecarConfigurationService

SidecarInfoService

OnboardingAuthorizationService

OnboardingPlaneDiscoveryService

WorkloadRegistrationService

AgentSessionService

Applications

List all existing applications for the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "applications": [
    ]
}

Creates a new Application in TSB.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
required
object (v2Application)

Applications are logical groupings of services that are related to each other, typically within a trusted group. A common example is a three-tier application composed of a frontend, a backend and a datastore service.

Applications are often consumed through APIs, and a single Application can expose one or more of those APIs. These APIs will define the hostnames that are exposed and the methods exposed in each hostname.

apiVersion: application.tsb.tetrate.io/v2
kind: Application
metadata:
  name: three-tier
  organization: myorg
  tenant: tetrate
spec:
  workspace: organizations/myorg/tenants/tetrate/three-tier
name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "application": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workspace": "string",
  • "namespaceSelector": {
    },
  • "gatewayGroup": "string",
  • "services": [
    ],
  • "configResources": [
    ]
}

Get the details of an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workspace": "string",
  • "namespaceSelector": {
    },
  • "gatewayGroup": "string",
  • "services": [
    ],
  • "configResources": [
    ]
}

Modify an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
description
string (A description of the resource.)
displayName
string (User friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
gatewayGroup
string

Optional FQN of the Gateway Group to be used by the application. If configured, this gateway group will be used by the application. If no namespaces are configured and no existing gateway group is set, a new gateway group claiming all namespaces in the workspace (*/*) will be created by default. All Ingress Gateway resources created for the APIs attached to the application will be created in the application's gateway group.

object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in a namespace selector must be in the form `cluster/namespace` where:

  • cluster must be a cluster name or an `*` to mean all clusters
  • namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting with `ns-`)
services
Array of strings

Optional list of services that are part of the application. This is a list of FQNs of services in the service registry. If omitted, the application is assumed to own all the services in the workspace. Note that a service can only be part of one application. If any of the services in the list is already in use by an existing application, application creation/modification will fail. If the list of services is not explicitly set and any service in the workspace is already in use by another application, application creation/modification will fail.

workspace
required
string

FQN of the workspace this application is part of. The application will configure IngressGateways for the attached APIs in the different namespaces exposed by this workspace.
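
The `cluster/namespace` grammar described for `NamespaceSelector` above, as an added Python example (not TSB code): it validates entries, tests whether a cluster and namespace fall inside a selector, and flags wildcard entries that widen an isolated configuration domain. The function names and the sample entries are assumptions made for illustration; TSB's own matching may differ in details this page does not state.

```python
"""Validate and evaluate NamespaceSelector names of the form `cluster/namespace`.

Rules taken from the field description on this page:
  - cluster is a cluster name or `*` (all clusters)
  - namespace is a namespace name, `*` (all namespaces),
    or a prefix such as `ns-*` (all namespaces starting with `ns-`)
Everything else here (function names, sample data) is illustrative.
"""


class SelectorError(ValueError):
    """Raised when an entry does not follow the `cluster/namespace` form."""


def parse_selector(entry):
    """Return (cluster, namespace_pattern) or raise SelectorError."""
    if entry.count("/") != 1:
        raise SelectorError(f"{entry!r}: expected exactly one '/'")
    cluster, namespace = entry.split("/")
    if not cluster or not namespace:
        raise SelectorError(f"{entry!r}: empty cluster or namespace")
    # The cluster part has no prefix form: a literal name or a lone `*`.
    if "*" in cluster and cluster != "*":
        raise SelectorError(f"{entry!r}: cluster must be a name or '*'")
    # The namespace part may carry one `*`, and only as its last character.
    if "*" in namespace[:-1]:
        raise SelectorError(f"{entry!r}: '*' is only allowed at the end")
    return cluster, namespace


def _namespace_matches(pattern, namespace):
    if pattern.endswith("*"):
        # Covers both `*` (empty prefix) and `ns-*`.
        return namespace.startswith(pattern[:-1])
    return pattern == namespace


def selects(names, cluster, namespace):
    """True if any entry in `names` selects the given cluster/namespace."""
    for entry in names:
        sel_cluster, sel_namespace = parse_selector(entry)
        if sel_cluster in ("*", cluster) and _namespace_matches(sel_namespace, namespace):
            return True
    return False


def audit(names):
    """Return (entry, reason) pairs for entries that claim a whole cluster
    or span every cluster, so a reviewer can confirm the breadth is intended."""
    findings = []
    for entry in names:
        cluster, namespace = parse_selector(entry)
        if cluster == "*" and namespace == "*":
            findings.append((entry, "all namespaces in all clusters"))
        elif cluster == "*":
            findings.append((entry, "matching namespaces in all clusters"))
        elif namespace == "*":
            findings.append((entry, "all namespaces in one cluster"))
    return findings


if __name__ == "__main__":
    # Constructed sample selector, not taken from a real deployment.
    sample = ["prod-east/payments", "*/ns-*", "staging/*"]
    print(selects(sample, "prod-west", "ns-billing"))   # matched by */ns-*
    print(selects(sample, "prod-west", "payments"))     # not selected
    for entry, reason in audit(sample):
        print(f"review {entry}: {reason}")
```
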

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "gatewayGroup": "string",
  • "namespaceSelector": {
    },
  • "services": [
    ],
  • "workspace": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workspace": "string",
  • "namespaceSelector": {
    },
  • "gatewayGroup": "string",
  • "services": [
    ],
  • "configResources": [
    ]
}

Delete an existing Application. Note that deleting resources in TSB is a recursive operation. Deleting an application will delete all API objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

query Parameters
forceDeleteProtectedGroups
boolean

Force the deletion of internal groups even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

List all APIs attached to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "apis": [
    ]
}

Attach a new API to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
required
object (tsbapplicationv2API)

API objects define a set of servers and endpoints that expose the business logic for an Application. APIs are attached to existing Applications to configure how the features exposed by the different services that are part of the Application can be accessed.

The format used to define APIs is based on the OpenAPI v3 spec. Users can attach OpenAPI documents to the applications, and Service Bridge will generate all the configuration that is needed to make the APIs available. Service Bridge also provides a set of custom extensions to the OpenAPI spec that can be used to further customize the APIs in those cases where the standard OpenAPI properties are not sufficient.

The following example shows how an API can be attached to an existing application:

apiVersion: application.tsb.tetrate.io/v2
kind: API
metadata:
  organization: my-org
  tenant: tetrate
  application: example-app
  name: example-app-api
spec:
  description: An example OpenAPI based API
  workloadSelector:
    namespace: exampleapp
    labels:
      app: exampleapp-gateway
  openapi: |
    openapi: 3.0.0
    info:
      title: Sample API
      description: An example API defined in an OpenAPI spec
      version: 0.1.9
      x-tsb-service: sample-app.sample-ns   # service exposing this api
    servers:
    - url: http://api.example.com/v1
      description: Optional server description, e.g. Main (production) server
    - url: http://staging-api.example.com
    paths:
      /users:
        get:
          summary: Returns a list of users.
          description: Optional extended description in CommonMark or HTML.
          responses:
            '200':    # status code
              description: A JSON array of user names
              content:
                application/json:
                  schema: 
                    type: array
                    items: 
                      type: string
name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "api": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "openapi": "string",
  • "workloadSelector": {
    },
  • "servers": [
    ],
  • "endpoints": [
    ],
  • "configResources": [
    ],
  • "httpServers": [
    ]
}

Get the details of an API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

API name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "openapi": "string",
  • "workloadSelector": {
    },
  • "servers": [
    ],
  • "endpoints": [
    ],
  • "configResources": [
    ],
  • "httpServers": [
    ]
}

Delete an existing API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

API name.

Responses

Response samples

Content type
application/json
{ }

DashboardService

Return the list of available dashboards, alongside their descriptions. Dashboards are identified by their names, which can be used to download them.

Responses

Response samples

Content type
application/json
{
  • "dashboards": [
    ]
}

Download a Grafana dashboard in JSON format by providing the dashboard's name. The downloaded dashboard is intended to be uploaded to a Grafana instance. Platform operators can use each dashboard to monitor specific components of the TSB platform.

path Parameters
name
required
string

The name of the dashboard to download.

Responses

Response samples

Content type
application/json
{
  • "contentType": "string",
  • "data": "string",
  • "extensions": [
    ]
}

ProxyDiagnosticService

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "all": {
    },
  • "bootstrap": { },
  • "cluster": "string",
  • "clusters": { },
  • "ecds": { },
  • "endpoints": { },
  • "listeners": { },
  • "routes": { },
  • "secrets": { },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Example: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"}. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about loggers' naming.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "allLoggers": {
    },
  • "cluster": "string",
  • "givenLoggers": {
    },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "follow": true,
  • "previous": true,
  • "sinceSeconds": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "filter": {
    },
  • "pageSize": 0,
  • "pageToken": "string"
}

Response samples

Content type
application/json
{
  • "workloads": [
    ],
  • "nextPageToken": "string",
  • "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "all": {
    },
  • "bootstrap": { },
  • "cluster": "string",
  • "clusters": { },
  • "ecds": { },
  • "endpoints": { },
  • "listeners": { },
  • "routes": { },
  • "secrets": { },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Example: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"}. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about loggers' naming.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "allLoggers": {
    },
  • "cluster": "string",
  • "givenLoggers": {
    },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "follow": true,
  • "previous": true,
  • "sinceSeconds": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "filter": {
    },
  • "pageSize": 0,
  • "pageToken": "string"
}

Response samples

Content type
application/json
{
  • "workloads": [
    ],
  • "nextPageToken": "string",
  • "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "all": {
    },
  • "bootstrap": { },
  • "cluster": "string",
  • "clusters": { },
  • "ecds": { },
  • "endpoints": { },
  • "listeners": { },
  • "routes": { },
  • "secrets": { },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Example: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"}. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about loggers' naming.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "allLoggers": {
    },
  • "cluster": "string",
  • "givenLoggers": {
    },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "follow": true,
  • "previous": true,
  • "sinceSeconds": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "filter": {
    },
  • "pageSize": 0,
  • "pageToken": "string"
}

Response samples

Content type
application/json
{
  • "workloads": [
    ],
  • "nextPageToken": "string",
  • "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
all
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "all": {
    },
  • "bootstrap": { },
  • "cluster": "string",
  • "clusters": { },
  • "ecds": { },
  • "endpoints": { },
  • "listeners": { },
  • "routes": { },
  • "secrets": { },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
allLoggers
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

givenLoggers
object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Example: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"}. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about logger naming.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "allLoggers": {
    },
  • "cluster": "string",
  • "givenLoggers": {
    },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "follow": true,
  • "previous": true,
  • "sinceSeconds": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "filter": {
    },
  • "pageSize": 0,
  • "pageToken": "string"
}

Response samples

Content type
application/json
{
  • "workloads": [
    ],
  • "nextPageToken": "string",
  • "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
all
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "all": {
    },
  • "bootstrap": { },
  • "cluster": "string",
  • "clusters": { },
  • "ecds": { },
  • "endpoints": { },
  • "listeners": { },
  • "routes": { },
  • "secrets": { },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
allLoggers
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

givenLoggers
object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Example: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"}. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about logger naming.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "allLoggers": {
    },
  • "cluster": "string",
  • "givenLoggers": {
    },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "follow": true,
  • "previous": true,
  • "sinceSeconds": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "filter": {
    },
  • "pageSize": 0,
  • "pageToken": "string"
}

Response samples

Content type
application/json
{
  • "workloads": [
    ],
  • "nextPageToken": "string",
  • "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
all
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "all": {
    },
  • "bootstrap": { },
  • "cluster": "string",
  • "clusters": { },
  • "ecds": { },
  • "endpoints": { },
  • "listeners": { },
  • "routes": { },
  • "secrets": { },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
allLoggers
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

givenLoggers
object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Example: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"}. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about logger naming.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "allLoggers": {
    },
  • "cluster": "string",
  • "givenLoggers": {
    },
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "supportedLevels": [
    ],
  • "loggerLevels": {
    }
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "output": "string",
  • "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "follow": true,
  • "previous": true,
  • "sinceSeconds": "string",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "filter": {
    },
  • "pageSize": 0,
  • "pageToken": "string"
}

Response samples

Content type
application/json
{
  • "workloads": [
    ],
  • "nextPageToken": "string",
  • "totalSize": 0
}

WasmExtensions

List the WASM extensions that are defined for the Organization.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "extensions": [
    ]
}

Creates a new WasmExtension object in TSB. This is needed to let the extensions run. Once a WasmExtension has been created, it can be assigned to IngressGateway and SecuritySetting. This method returns the created extension.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

wasmExtension
required
object (v2WasmExtension)

The WASM extension resource allows defining custom WASM extensions that are packaged in OCI images. The resource allows specifying extension metadata that helps understand how extensions work and how they can be used. Once defined, extensions can be referenced in Ingress and Egress Gateways and Security Groups so that traffic is captured and processed by the extension accordingly. By default, extensions are globally available, but they can be assigned to specific Tenants as well to further control and constrain where in the Organization the extensions are allowed to be used.

apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
  organization: org
  name: wasm-auth
spec:
  allowedIn:
    - organizations/org/tenants/tenant1
  url: oci://docker.io/example/my-wasm-extension:1.0
  source: https://github.com/example/wasm-extension
  description: |
    Long description for the extension such as an
    entire README file
  phase: AUTHZ
  priority: 1000
  config:
    some_key: some_value

WASM extensions can also reference HTTP endpoints:

apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
  organization: org
  name: wasm-http
spec:
  url: http://tetrate.io/my-extension.wasm
  source: https://github.com/example/wasm-extension
  description: |
    Long description for the extension such as an
    entire README file
  phase: AUTHZ
  priority: 1000
  config:
    some_key: some_value

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "wasmExtension": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "allowedIn": [
    ],
  • "image": "string",
  • "source": "string",
  • "phase": "UNSPECIFIED_PHASE",
  • "priority": 0,
  • "config": { },
  • "imagePullPolicy": "UNSPECIFIED_POLICY",
  • "imagePullSecret": "string",
  • "vmConfig": {
    },
  • "url": "string",
  • "match": {
    }
}

Get a WASM extension

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "allowedIn": [
    ],
  • "image": "string",
  • "source": "string",
  • "phase": "UNSPECIFIED_PHASE",
  • "priority": 0,
  • "config": { },
  • "imagePullPolicy": "UNSPECIFIED_POLICY",
  • "imagePullSecret": "string",
  • "vmConfig": {
    },
  • "url": "string",
  • "match": {
    }
}

Modify an existing WasmExtension. When modifying the details of an extension in use, such as the image property, enabled flag, phase, or default configuration, a redeploy or reconfiguration of the extension may be triggered, affecting live traffic in all those places that reference the extension. Similarly, changes to the allowed_in property may trigger the removal of the extension from all places where the extension was in use that are not allowed to use it anymore, affecting live traffic on the relevant namespaces as well.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
allowedIn
Array of strings

List of fqns where this extension is allowed to run. If it is empty, the extension can be used across the entire organization. Currently only Tenant resources are considered.

config
object

Configuration parameters sent to the WASM plugin execution. The configuration can be overwritten when instantiating the extensions in IngressGateways or Security groups. The config is serialized using proto3 JSON marshaling and passed to proxy_on_configure when the host environment starts the plugin.

description
string

A description of the extension.

displayName
string

User friendly name for the extension.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

image
string

Deprecated. Use the url field instead. Repository and tag of the OCI image containing the WASM extension.

imagePullPolicy
string (WasmExtensionPullPolicy)
Default: "UNSPECIFIED_POLICY"
Enum: "UNSPECIFIED_POLICY" "IfNotPresent" "Always"

The pull behaviour to be applied when fetching a WASM module, mirroring K8s behaviour.

  • UNSPECIFIED_POLICY: Defaults to IfNotPresent, except for OCI images with tag latest, for which the default will be Always.
  • IfNotPresent: If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version.
  • Always: We will always pull the latest version of an image when changing this plugin. Note that this includes changes to the metadata field as well.

imagePullSecret
string

Credentials to use for OCI image pulling. Name of a K8s Secret that contains a docker pull secret which is to be used to authenticate against the registry when pulling the image. If TSB is configured to use the WASM download proxy, this secret must exist in the istio-system namespace of each cluster that has applications that use the extension. If the download proxy is disabled, the secret must exist in each application namespace that is using the extension.

match
object (v2GlobalTrafficSelector)

GlobalTrafficSelector provides a mechanism to select a specific traffic flow for which this Wasm Extension will be enabled. This setting applies to all WASM Extension attachments. These selectors can be overridden at attachments. When all the sub conditions in the TrafficSelector are satisfied, the traffic will be selected.

phase
string
Default: "UNSPECIFIED_PHASE"
Enum: "UNSPECIFIED_PHASE" "AUTHN" "AUTHZ" "STATS"

Plugin phases following Istio definition: https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase

  • UNSPECIFIED_PHASE: Control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others.
  • AUTHN: Insert plugin before Istio authentication filters.
  • AUTHZ: Insert plugin before Istio authorization filters and after Istio authentication filters.
  • STATS: Insert plugin before Istio stats filters and after Istio authorization filters.

priority
integer <int32>

Determines the ordering of WasmExtensions in the same phase. When multiple WasmExtensions are applied to the same workload in the same phase, they will be applied by priority, in descending order. If no priority is assigned it will use the default 0 value. In case of several extensions having the same priority in the same phase, the fqn will be used to sort them.

source
string (Source to find the code for the WASM extension)
url
required
string

URL of a Wasm module or OCI container. If no scheme is present, defaults to oci://, referencing an OCI image. Other valid schemes are file:// for referencing .wasm module files present locally within the proxy container, and http[s]:// for .wasm module files hosted remotely.

object (v2VmConfig)

Configuration for a Wasm VM. More details can be found here.
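The url, imagePullPolicy, phase and priority rules above can be checked before an extension is submitted. The following is an added example, not TSB code: the helper names and the sample extensions are constructed, ties on priority are assumed to sort by ascending fqn, and only an explicit `latest` tag is treated as the `Always` case because that is the only case the reference names.

```python
# Filter-chain position per phase as described above: AUTHN, then AUTHZ, then
# STATS; UNSPECIFIED_PHASE generally lands at the end, right before the Router.
PHASE_ORDER = {"AUTHN": 0, "AUTHZ": 1, "STATS": 2, "UNSPECIFIED_PHASE": 3}


def split_url(url):
    """Return (scheme, rest); a URL without a scheme defaults to oci://."""
    if "://" not in url:
        return "oci", url
    scheme, rest = url.split("://", 1)
    return scheme.lower(), rest


def oci_tag(ref):
    """Tag of an OCI reference, or None if it has no tag or is digest-pinned."""
    if "@" in ref:
        return None
    last = ref.rsplit("/", 1)[-1]  # skip a registry port such as host:5000
    return last.split(":", 1)[1] if ":" in last else None


def effective_pull_policy(ext):
    """Resolve UNSPECIFIED_POLICY the way the enum description states."""
    policy = ext.get("imagePullPolicy", "UNSPECIFIED_POLICY")
    if policy != "UNSPECIFIED_POLICY":
        return policy
    scheme, rest = split_url(ext["url"])
    if scheme == "oci" and oci_tag(rest) == "latest":
        return "Always"
    return "IfNotPresent"


def fetch_notes(ext):
    """Review notes on how the module is fetched (assumed review policy)."""
    scheme, rest = split_url(ext["url"])
    notes = []
    if scheme not in ("oci", "file", "http", "https"):
        notes.append("unknown-scheme")
    if scheme == "http":
        notes.append("plaintext-http")       # module travels without TLS
    if scheme == "oci" and "@" not in rest:
        notes.append("not-digest-pinned")    # a tag can be repointed upstream
    return notes


def execution_order(extensions):
    """fqns ordered by phase, then priority descending, then fqn."""
    def key(ext):
        phase = ext.get("phase", "UNSPECIFIED_PHASE")
        return (PHASE_ORDER[phase], -ext.get("priority", 0), ext["fqn"])
    return [ext["fqn"] for ext in sorted(extensions, key=key)]


# Constructed sample extensions; registries and names are placeholders.
SAMPLE = [
    {"fqn": "b-headers", "phase": "AUTHZ", "priority": 5,
     "url": "registry.example.com:5000/wasm/headers:1.2.0"},
    {"fqn": "a-audit", "phase": "AUTHZ", "priority": 5,
     "url": "oci://registry.example.com/wasm/audit:latest"},
    {"fqn": "jwt-extra", "phase": "AUTHN",
     "url": "https://downloads.example.com/jwt.wasm"},
    {"fqn": "metrics", "priority": 100,
     "url": "http://downloads.example.com/metrics.wasm"},
    {"fqn": "geo", "phase": "AUTHZ", "priority": 9,
     "url": "registry.example.com/wasm/geo@sha256:" + "0" * 64},
]

if __name__ == "__main__":
    for ext in SAMPLE:
        print(ext["fqn"], effective_pull_policy(ext), fetch_notes(ext))
    print(execution_order(SAMPLE))
```
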

Responses

Request samples

Content type
application/json
{
  • "allowedIn": [
    ],
  • "config": { },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "image": "string",
  • "imagePullPolicy": "UNSPECIFIED_POLICY",
  • "imagePullSecret": "string",
  • "match": {
    },
  • "phase": "UNSPECIFIED_PHASE",
  • "priority": 0,
  • "source": "string",
  • "url": "string",
  • "vmConfig": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "allowedIn": [
    ],
  • "image": "string",
  • "source": "string",
  • "phase": "UNSPECIFIED_PHASE",
  • "priority": 0,
  • "config": { },
  • "imagePullPolicy": "UNSPECIFIED_POLICY",
  • "imagePullSecret": "string",
  • "vmConfig": {
    },
  • "url": "string",
  • "match": {
    }
}

Delete a WasmExtension. Note that deleting a WasmExtension will delete the extension itself, and also its assignments to IngressGateway and SecuritySetting.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{ }

Gateways

List all Install Gateway Template objects.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "templates": [
    ]
}

Create an Install Gateway Template object.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object

Warning (alpha early access): The install gateway template feature is in an early access alpha state. Before trying this in a non-production environment, please reach out to Tetrate first.

An InstallGatewayTemplate defines a configuration template for installing gateways in TSB. It allows specifying gateway configurations that will be applied to gateways created in a defined part of the infrastructure determined by selectors that match attributes such as provider, labels, or cluster names. The following example creates an InstallGatewayTemplate named eks-template under the tetrate organization. It enforces the use of a specific annotation for all gateways created in EKS clusters.

apiVersion: gateway.tsb.tetrate.io/v2
kind: InstallGatewayTemplate
metadata:
  name: aws-template
  organization: tetrate
spec:
  displayName: "AWS template"
  description: "Template for AWS EKS gateways"
  environmentSelector:
    provider: "EKS"
  gatewaySpec:
    kubeSpec:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: 'external'

Another example creates an InstallGatewayTemplate named mem-template under the tetrate organization. By using a cluster selector, it is scoped to clusters labelled with managed-by: a-team. The gateway workload selector narrows the scope further, to only those gateways in the aforementioned clusters that carry the label memory: high-limits. The template enforces memory limits for the selected gateways.

apiVersion: gateway.tsb.tetrate.io/v2
kind: InstallGatewayTemplate
metadata:
  name: mem-template
  organization: tetrate
spec:
  displayName: "memory template"
  description: "Template for setting memory limits for some specific labelled gateways"
  clusterSelector:
    labelsSelector:
      labels:
        managed-by: "a-team"
  gatewayWorkloadSelector:
    labelsSelector:
      labels:
        memory: "high-limits"
  gatewaySpec:
    kubeSpec:
      deployment:
        resources:
          limits:
            memory: 2Gi

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "template": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "deletionProtectionEnabled": true,
  • "priority": 0,
  • "environmentSelector": {
    },
  • "clusterSelector": {
    },
  • "allClustersSelector": true,
  • "gatewayWorkloadSelector": {
    },
  • "gatewaySpec": {
    }
}

Get the details of the given Install Gateway Template object.

path Parameters
organization
required
string

Organization name.

installgatewaytemplate
required
string

Installgatewaytemplate name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "deletionProtectionEnabled": true,
  • "priority": 0,
  • "environmentSelector": {
    },
  • "clusterSelector": {
    },
  • "allClustersSelector": true,
  • "gatewayWorkloadSelector": {
    },
  • "gatewaySpec": {
    }
}

Modify the given Install Gateway Template object.

path Parameters
organization
required
string

Organization name.

installgatewaytemplate
required
string

Installgatewaytemplate name.

Request Body schema: application/json
required
allClustersSelector
boolean

Selects all the onboarded clusters on TSB.

object (v2ClusterSelector)

A template selector based on Cluster details.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource.)
displayName
string (User friendly name for the resource.)
object (A template selector based on environment details, such as the cloud provider (e.g. GKE, EKS, AKS...))
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
required
object (gatewayv2GatewaySpec)

GatewaySpec contains the desired state of the Gateway.

object (tsbgatewayv2WorkloadSelector)

A template selector for Gateway workloads.

priority
integer <int32>

Indicates when a template must be chosen in case of multiple selectors of the same type matching a single gateway configuration. Defaults to 0, the highest priority. When two templates have the same priority, they are sorted alphabetically by their names. Templates with different selector types will be resolved in the following order, regardless of the priority value:

  1. environment selectors
  2. cluster selectors with no namespace selectors
  3. cluster selectors with namespace selector matching labels
  4. cluster selectors with namespace selector matching name
  5. specific InstallGateway TSB resources

Responses

Request samples

Content type
application/json
{
  • "allClustersSelector": true,
  • "clusterSelector": {
    },
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "environmentSelector": {
    },
  • "etag": "string",
  • "gatewaySpec": {
    },
  • "gatewayWorkloadSelector": {
    },
  • "priority": 0
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "deletionProtectionEnabled": true,
  • "priority": 0,
  • "environmentSelector": {
    },
  • "clusterSelector": {
    },
  • "allClustersSelector": true,
  • "gatewayWorkloadSelector": {
    },
  • "gatewaySpec": {
    }
}

Delete the given Install Gateway Template object.

path Parameters
organization
required
string

Organization name.

installgatewaytemplate
required
string

Installgatewaytemplate name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled.

Responses

Response samples

Content type
application/json
{ }

List all gateway groups that exist in the workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new gateway group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (tsbgatewayv2Group)

Gateway Groups allow grouping the gateways in a set of namespaces owned by its parent workspace. Gateway related configurations can then be applied on the group to control the behavior of these gateways. The group can be in one of two modes: BRIDGED and DIRECT. BRIDGED mode is a minimalistic mode that allows users to quickly configure the most commonly used features in the service mesh using Tetrate specific APIs, while the DIRECT mode provides more flexibility for power users by allowing them to configure the gateways' traffic and security properties using a restricted subset of Istio Networking and Security APIs.

The following example creates a gateway group for the gateways in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
  name: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

It is possible to create a gateway group for namespaces in a specific cluster as long as the parent workspace owns those namespaces in that cluster. For example,

apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
  name: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "c1/ns1" # pick ns1 namespace only from c1 cluster
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

In the DIRECT mode, it is possible to directly attach Istio Networking v1beta1 APIs - VirtualService, and Gateway, and Istio Security v1beta1 APIs - RequestAuthentication, and AuthorizationPolicy to the gateway group. These configurations will be validated for correctness and conflict free operations and then pushed to the appropriate Istio control planes.

The following example declares a Gateway and a VirtualService for a specific workload in the ns1 namespace:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ingress
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/gatewayGroup: g1
spec:
  selector:
    app: my-ingress-gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com

and the associated VirtualService

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ingress-rule
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/gatewayGroup: g1
spec:
  hosts:
  - uk.bookinfo.com
  - eu.bookinfo.com
  gateways:
  - ns1/ingress # Has to bind to the same gateway
  http:
  - route:
    - destination:
        port:
          number: 7777
        host: reviews.ns1.svc.cluster.local

The namespace where the Istio APIs are applied will need to be part of the parent gateway group. In addition, each API object will need to have annotations to indicate the organization, tenant, workspace and the gateway group to which it belongs.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Update the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio generated configurations. Config generation metadata defined in tenancy resources (like organization, tenant, workspace or groups) works as default values for the configs that belong to them. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the values defined in the tenancy resources.

configMode
string (v2ConfigMode)
Default: "BRIDGED"
Enum: "BRIDGED" "DIRECT"

The configuration mode used by a traffic, security or a gateway group.

  • BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.
  • DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource.)
displayName
string (User friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
required
object

`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where:

  • cluster must be a cluster name or an `*` to mean all clusters
  • namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`

profiles
Array of strings

List of profiles attached to the gateway group to be used to propagate default and mandatory configurations down to the children.
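A gateway group's namespace selector has to stay inside the namespaces its workspace owns, and the `cluster/namespace` forms above make that checkable before a request is sent. The following is an added example, not TSB's validation code: the function names and sample selectors are constructed, and the check is conservative in that each group entry must be covered by a single workspace entry.

```python
def parse_selector(name):
    """Split 'cluster/namespace' and reject forms the reference does not list."""
    cluster, sep, namespace = name.partition("/")
    if not sep or not cluster or not namespace or "/" in namespace:
        raise ValueError(f"{name!r} is not in cluster/namespace form")
    if "*" in cluster and cluster != "*":
        raise ValueError(f"{name!r}: cluster must be a cluster name or '*'")
    if "*" in namespace[:-1]:
        raise ValueError(f"{name!r}: '*' may only stand alone or end a prefix")
    return cluster, namespace


def _cluster_covers(outer, inner):
    # '*' covers every cluster; a named cluster covers only itself.
    return outer == "*" or outer == inner


def _namespace_covers(outer, inner):
    if outer == "*":
        return True
    if outer.endswith("*"):
        # Prefix form such as 'ns-*': the inner name, or the inner prefix,
        # must itself start with the outer prefix. A bare '*' never does.
        stem = inner[:-1] if inner.endswith("*") else inner
        return stem.startswith(outer[:-1])
    return outer == inner  # exact name covers only the same exact name


def covers(outer, inner):
    """True if every cluster/namespace matched by inner is matched by outer."""
    oc, on = parse_selector(outer)
    ic, inn = parse_selector(inner)
    return _cluster_covers(oc, ic) and _namespace_covers(on, inn)


def escaping_selectors(workspace_names, group_names):
    """Group entries that no single workspace entry covers."""
    return [g for g in group_names
            if not any(covers(w, g) for w in workspace_names)]


# Constructed selectors: the workspace owns ns1 only in cluster c1, ns2 in
# every cluster, and every namespace whose name starts with 'team-'.
WORKSPACE = ["c1/ns1", "*/ns2", "*/team-*"]
GROUP = ["c1/ns1", "c2/ns2", "*/team-a*", "*/ns1", "c1/*", "c1/team"]

if __name__ == "__main__":
    for entry in escaping_selectors(WORKSPACE, GROUP):
        print("outside the workspace:", entry)
```

Because an exact name is also a valid selector, `covers("*/team-*", "c3/team-payments")` answers the concrete question of whether one namespace in one cluster falls under a selector.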

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    },
  • "profiles": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given gateway group. Note that deleting resources in TSB is a recursive operation. Deleting a gateway group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all Egress Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "egressGateways": [
    ]
}

Create an Egress Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object

Warning (deprecation): The functionality provided by the `EgressGateway` is now provided in `Gateway` object, and using it is the recommended approach. The `EgressGateway` resource will be removed in future releases.

EgressGateway configures a workload to act as a gateway for traffic exiting the mesh. The egress gateway is meant to be the destination of unknown traffic within the mesh (traffic sent to non-mesh services). The gateway allows authorization control of traffic sent to it to more finely tune which services are allowed to send unknown traffic through the gateway. Only HTTP is supported at this time.

The following example declares an egress gateway running on pods in istio-system with the label app=istio-egressgateway. This gateway is set up to allow traffic from anywhere in the cluster to access www.httpbin.org, and to allow the bookinfo details app specifically to access any external host. EgressGateways need to be paired with TrafficSettings in order to be usable. You must set the egress field in the TrafficSettings to point to the egress gateway and send traffic to port 15443. Once this is set up, mesh internal apps will send unknown traffic to the egress gateway over mTLS. The gateway will then decide whether to forward the traffic or not, and use one-way TLS for external calls.

apiVersion: gateway.tsb.tetrate.io/v2
kind: EgressGateway
metadata:
  name: my-egress
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1 
    labels:
      app: istio-egressgateway
  authorization:
    - from:
        mode: WORKSPACE
      to: ["www.httpbin.org"]
    - from:
        mode: CUSTOM
        serviceAccounts: ["default/bookinfo-details"]
      to: ["*"]
---
apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  reachability:
   mode: CUSTOM
   hosts:
   - "./*"
   - "istio-system/*"
  egress:
    host: istio-system/istio-egressgateway.istio-system.svc.cluster.local

The following example customizes the Extensions field to enable the execution of the specified WasmExtensions list and details custom properties for the execution of each extension.

apiVersion: gateway.tsb.tetrate.io/v2
kind: EgressGateway
metadata:
  name: my-egress
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: istio-egressgateway
  authorization:
    - from:
        mode: WORKSPACE
      to: ["www.httpbin.org"]
    - from:
        mode: CUSTOM
        serviceAccounts: ["default/bookinfo-details"]
      to: ["*"]
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "egressGateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "authorization": [
    ],
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "authorization": [
    ],
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
Array of objects (EgressAuthorization is used to dictate which service accounts can access a set of external hosts)

The description of which service accounts can access which hosts. If the list of authorization rules is empty, this egress gateway will deny all traffic.

object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio generated configurations. Config generation metadata defined in tenancy resources (like organization, tenant, workspace or groups) works as default values for the configs that belong to them. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the values defined in the tenancy resources.

description
string (A description of the resource.)
displayName
string (User friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this EgressGateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.

required
object (tsbtypesv2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.
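The authorization list of an EgressGateway is easiest to review by asking who can reach what, including the deny-all case of an empty list. The following is an added example, not TSB code: it models only the WORKSPACE and CUSTOM modes and the exact-host and `*` destinations shown in the EgressGateway example on this page, and the function names and the `in_workspace` flag are assumptions of this sketch.

```python
# The authorization rules from the EgressGateway example on this page.
RULES = [
    {"from": {"mode": "WORKSPACE"}, "to": ["www.httpbin.org"]},
    {"from": {"mode": "CUSTOM",
              "serviceAccounts": ["default/bookinfo-details"]},
     "to": ["*"]},
]


def egress_decision(rules, service_account, host, in_workspace=True):
    """Return (allowed, index of the first matching rule or None).

    service_account uses the namespace/name form of the example;
    in_workspace says whether the caller belongs to the gateway's workspace.
    """
    for index, rule in enumerate(rules or []):
        source = rule.get("from", {})
        mode = source.get("mode")
        if mode == "WORKSPACE":
            source_ok = in_workspace
        elif mode == "CUSTOM":
            source_ok = service_account in source.get("serviceAccounts", [])
        else:
            source_ok = False  # modes not shown on this page are not modelled
        host_ok = any(target == "*" or target.lower() == host.lower()
                      for target in rule.get("to", []))
        if source_ok and host_ok:
            return True, index
    return False, None  # no rule matched, or the list is empty: denied


def review(rules):
    """Notes for a reviewer: deny-all lists and wildcard destinations."""
    if not rules:
        return ["empty authorization list: the gateway denies all traffic"]
    notes = []
    for index, rule in enumerate(rules):
        if "*" in rule.get("to", []):
            source = rule.get("from", {})
            if source.get("mode") == "CUSTOM":
                who = ", ".join(source.get("serviceAccounts", []))
            else:
                who = str(source.get("mode"))
            notes.append(f"rule {index}: {who} may reach any external host")
    return notes


if __name__ == "__main__":
    for sa, host in [("default/reviews", "www.httpbin.org"),
                     ("default/reviews", "example.org"),
                     ("default/bookinfo-details", "example.org")]:
        print(sa, host, egress_decision(RULES, sa, host))
    print(review(RULES))
```
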

Responses

Request samples

Content type
application/json
{
  • "authorization": [
    ],
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "extension": [
    ],
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "authorization": [
    ],
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{ }

List all Ingress Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "ingressGateways": [
    ]
}

Create an Ingress Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object

Warning (deprecation): The functionality provided by the `IngressGateway` is now provided in `Gateway` object, and using it is the recommended approach. The `IngressGateway` resource will be removed in future releases.

IngressGateway configures a workload to act as a gateway for traffic entering the mesh. The ingress gateway also provides basic API gateway functionalities such as JWT token validation and request authorization. Gateways in privileged workspaces can route to services outside the workspace while those in unprivileged workspaces can only route to services inside the workspace.

The following example declares an ingress gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes a host bookinfo.com on https port 9443 and http port 9090. The port 9090 is configured to receive plaintext traffic and send a redirect to the https port 9443 (site-wide HTTP -> HTTPS redirection). At port 9443, TLS is terminated using the certificates in the Kubernetes secret bookinfo-certs. Clients are authenticated using JWT tokens, whose keys are obtained from the OIDC provider www.googleapis.com. The request is then authorized by the user's authorization engine hosted at https://company.com/authz before being forwarded to the productpage service in the backend.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    routing:
      rules:
      - redirect:
          authority: bookinfo.com
          port: 9443
          redirectCode: 301
          scheme: https
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    authentication:
      rules:
        jwt:
        - issuer: https://accounts.google.com
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.mycompany.com/oauth2/jwks
    authorization:
      external:
        uri: https://company.com/authz
        includeRequestHeaders:
        - Authorization # forwards the header to the authorization service.
    routing:
      rules:
      - route:
          host: ns1/productpage.ns1.svc.cluster.local
    rateLimiting:
      settings:
        rules:
          # Ratelimit at 10 requests/hour for clients with a remote address of 1.2.3.4 
        - dimensions: 
          - remoteAddress:
              value: 1.2.3.4
          limit:
            requestsPerUnit: 10
            unit: HOUR
          # Ratelimit at 50 requests/minute for every unique value in the user-agent header
        - dimensions:
          - header:
              name: user-agent
          limit:
            requestsPerUnit: 50
            unit: MINUTE
          # Ratelimit at 100 requests/second for every unique client remote address
          # with the HTTP requests having a GET method and the path prefix of /productpage
        - dimensions:
          - remoteAddress:
              value: "*"
          - header:
              name: ":path"
              value:
                prefix: /productpage
          - header:
              name: ":method"
              value:
                exact: "GET"
          limit:
            requestsPerUnit: 100
            unit: SECOND

In the following example, the clients are authenticated using an external OIDC provider using AUTHORIZATION_CODE grant type. Once the client request is authenticated, it gets forwarded to the productpage service in the backend. The access_token generated after client authentication is set as Bearer in request headers. The state of authentication is stored in cookies.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    routing:
      rules:
        - redirect:
            authority: bookinfo.com
            port: 9443
            redirectCode: 301
            scheme: https
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    authentication:
      oidc:
        grantType: AUTHORIZATION_CODE
        clientId: "my-client"
        clientTokenSecret: "my-secret"
        redirectUri: https://httpbin.example.com/bearer
        provider:
          issuer: https://accounts.google.com
          authorizationEndpoint: https://accounts.google.com/v1/authorize
          tokenEndpoint: https://accounts.google.com/v1/token
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
    authorization:
      external:
        uri: https://company.com/authz
        includeRequestHeaders:
          - Authorization # forwards the header to the authorization service.
    routing:
      rules:
      - route:
          serviceDestination:
            host: ns1/productpage.ns1.svc.cluster.local

If the productpage.ns1 service on Kubernetes has a ServiceRoute with multiple subsets and weights, the traffic will be split across the subsets accordingly.

The following example illustrates defining non-HTTP servers (based on TCP) with TLS termination. Here, kafka.myorg.internal uses non-HTTP protocol and listens on port 9000. The clients have to connect with TLS with the SNI kafka.myorg.internal. The TLS is terminated at the gateway and the traffic is routed to kafka.infra.svc.cluster.local:8000.

If subsets are defined in the ServiceRoute referencing kafka.infra.svc.cluster.local service, then it is also considered while routing.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  tcp:
  - name: kafka-gateway
    hostname: kafka.myorg.internal
    port: 9000
    tls:
      mode: SIMPLE
      secretName: kafka-cred
    route:
      host: kafka.infra.svc.cluster.local
      port: 8000

The following example customizes the Extensions to enable the execution of the specified WasmExtensions list and details custom properties for the execution of each extension.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar
  http:
  - name: bookinfo
    port: 80
    hostname: bookinfo.com
    routing:
      rules:
      - route:
          host: ns1/productpage.ns1.svc.cluster.local

`IngressGateway` also allows you to apply ModSecurity/Coraza compatible Web
Application Firewall rules to traffic passing through the gateway.

```yaml
apiVersion: gateway.xcp.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  http:
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
  waf:
    rules:
      - Include @recommended-conf
      - SecResponseBodyAccess Off
      - Include @owasp_crs/*.conf
```

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "ingressGateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tlsPassthrough": [
    ],
  • "tcp": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Get the details of the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tlsPassthrough": [
    ],
  • "tcp": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Modify the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio generated configurations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this IngressGateway with the specific configuration for each extension. This custom configuration will override the one configured globally for the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.

Array of objects (v2HttpServer)

One or more HTTP or HTTPS servers exposed by the gateway. The server exposes configuration for TLS termination, request authentication/authorization, HTTP routing, etc.

Array of objects (One or more non-HTTP and non-passthrough servers which use TCP based protocols. This server also exposes configuration for terminating TLS)
Array of objects (v2TLSPassthroughServer)

One or more TLS servers exposed by the gateway. The server does not terminate TLS and exposes config for SNI based routing.

object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)

The following example creates a security group for the sidecars in the ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany, and a security setting that applies the WAF settings. It shows both the security group and the security setting to which these WAF settings are applied.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - Include @recommended-conf

In the following examples, the security rule for blocking XSS requests is enabled on Tier1Gateway and IngressGateway respectively, with an ad-hoc debug configuration, instead of the one defined in the security rule.

apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
---
apiVersion: gateway.xcp.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  waf:
    rules:
      - SecRuleEngine DETECTION_ONLY
      - SecDebugLogLevel 5
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  http:
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
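
The WAF rule lists above differ in what they enforce: the IngressGateway list runs the engine in detection-only mode with debug logging, while the other lists never set the engine mode themselves. The following Python audit is an added example, not TSB code; the resources are constructed dicts mirroring the YAML on this page, and the finding names and the debug-level threshold of 3 are assumptions of the example.

```python
"""Audit spec.waf.rules of TSB gateway/security resources (added example)."""
import re

# Constructed inputs mirroring the three WAF rule lists shown on this page.
RESOURCES = [
    {"kind": "SecuritySetting", "metadata": {"name": "defaults"},
     "spec": {"waf": {"rules": ["Include @recommended-conf"]}}},
    {"kind": "Tier1Gateway", "metadata": {"name": "tier1-waf-gw"},
     "spec": {"waf": {"rules": [
         "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]}}},
    {"kind": "IngressGateway", "metadata": {"name": "waf-gw"},
     "spec": {"waf": {"rules": [
         "SecRuleEngine DETECTION_ONLY",
         "SecDebugLogLevel 5",
         "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]}}},
]

MAX_DEBUG_LEVEL = 3  # assumption: anything above this is debugging verbosity


def parse_directive(line):
    """Split one SecLang line into (lower-cased directive name, argument)."""
    parts = line.strip().split(None, 1)
    if not parts or parts[0].startswith("#"):
        return None
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def engine_mode(arg):
    """Normalise a SecRuleEngine argument.

    Accepts both the spelling used on this page (DETECTION_ONLY) and the
    ModSecurity reference manual spelling (DetectionOnly).
    """
    key = re.sub(r"[^a-z]", "", arg.lower())
    modes = {"on": "on", "off": "off", "detectiononly": "detection-only"}
    return modes.get(key, "unknown")


def audit_waf(resource):
    """Return a sorted list of finding codes for one resource's WAF rules."""
    rules = resource.get("spec", {}).get("waf", {}).get("rules")
    if rules is None:
        return ["no-waf"]
    mode, debug, includes = None, 0, []
    for line in rules:
        parsed = parse_directive(line)
        if parsed is None:
            continue
        name, arg = parsed
        if name == "secruleengine":
            mode = engine_mode(arg)  # the last explicit directive in the list is kept
        elif name == "secdebugloglevel" and arg.isdigit():
            debug = int(arg)
        elif name == "include":
            includes.append(arg)
    findings = []
    if mode is None:
        # The mode then depends on whatever the included files set.
        findings.append("engine-mode-not-explicit")
    elif mode != "on":
        findings.append("engine-" + mode)
    if debug > MAX_DEBUG_LEVEL:
        findings.append("debug-logging")
    if not any(inc.startswith("@owasp_crs/") for inc in includes):
        findings.append("no-crs-rules")
    return sorted(findings)


def audit_all(resources):
    """Map 'Kind/name' to the findings for each resource."""
    return {f'{r["kind"]}/{r["metadata"]["name"]}': audit_waf(r)
            for r in resources}


if __name__ == "__main__":
    for name, findings in audit_all(RESOURCES).items():
        print(name, findings or ["ok"])
```

A gateway reported as `engine-detection-only` logs rule matches without blocking them, so it is worth confirming that this is intended before the configuration is treated as enforcing.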
required
object (tsbtypesv2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "extension": [
    ],
  • "http": [
    ],
  • "tcp": [
    ],
  • "tlsPassthrough": [
    ],
  • "waf": {
    },
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tlsPassthrough": [
    ],
  • "tcp": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Delete the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{ }

List all Install Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "installGateways": [
    ]
}

Create an Install Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (installdataplanev1alpha1GatewaySpec)

GatewaySpec defines the desired installed state of a single gateway for a given namespace in Service Bridge. Specifying a minimal GatewaySpec with a hub will create a default gateway with sensible values.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "gateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "connectionDrainDuration": "string",
  • "revision": "string",
  • "type": "UNIFIED",
  • "concurrency": 0,
  • "targetNamespace": "string",
  • "targetCluster": "string",
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "kubeSpec": {
    }
}

Get the details of the given Install Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

installgateway
required
string

Installgateway name.

Responses

Response samples

Content type
application/json
{
  • "connectionDrainDuration": "string",
  • "revision": "string",
  • "type": "UNIFIED",
  • "concurrency": 0,
  • "targetNamespace": "string",
  • "targetCluster": "string",
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "kubeSpec": {
    }
}

Modify the given Install Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

installgateway
required
string

Installgateway name.

Request Body schema: application/json
required
concurrency
integer <int32>

Number of Envoy worker threads to run. By default it will be set automatically based on the gateway's CPU resource limits.

Set to -1 to use the legacy behavior of all cores on the machine.

connectionDrainDuration
string

The amount of time the gateway will wait on shutdown for connections to complete before terminating the gateway. During this drain period, no new connections can be created but existing ones are allowed to complete.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (kubernetesKubernetesComponentSpec)

KubernetesComponentSpec is a common set of Kubernetes resource configuration for components.

revision
string (Specifies the Istio revision to reconcile with. If specified, the TSB control plane operator will reconcile this gateway only if the operator's revision matches it. The TSB data plane operator, which runs only when the TSB control plane operator is not configured with a revision, will ignore the revision field and reconcile the gateway as usual. Internally, this revision is used to pick the matching Istio control plane for the gateway deployment https://istio.io/latest/docs/setup/upgrade/canary/)
targetCluster
string

Cluster where the gateway will be deployed. Required when using TSB MP and TSB GitOps to deploy the gateway. Ignored when using as a pure kubernetes resource.

targetNamespace
string

Namespace where the gateway will be deployed. Required when using TSB MP and TSB GitOps to deploy the gateway. Ignored when using as a pure kubernetes resource.

type
string (dataplanev1alpha1GatewaySpecType)
Default: "UNIFIED"
Enum: "UNIFIED" "INGRESS" "EGRESS" "EASTWEST"

Type defines the different types of use cases and functionalities supported by gateway install. Each type configures the gateway workloads specific to a particular use case represented by the type. If not set, UNIFIED is set as default.

  • UNIFIED: UNIFIED represents the gateway type supporting all functionalities: INGRESS, EGRESS, and EASTWEST. Gateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS). The gateway is configured with a LoadBalancer type service by default.
  • INGRESS: INGRESS represents the gateway type configured for Ingress use cases. Gateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS). The gateway is configured with a LoadBalancer type service by default.
  • EGRESS: EGRESS represents the gateway type configured for Egress use cases. Gateway workloads are configured with the default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS). The gateway is configured with a ClusterIP type service by default.
  • EASTWEST: EASTWEST represents the gateway type configured for East-West use cases. Gateway workloads are configured with the default port 15443 (ISTIO_mTLS). The gateway is configured with a LoadBalancer type service by default.

Responses

Request samples

Content type
application/json
{
  • "concurrency": 0,
  • "connectionDrainDuration": "string",
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "kubeSpec": {
    },
  • "revision": "string",
  • "targetCluster": "string",
  • "targetNamespace": "string",
  • "type": "UNIFIED"
}

Response samples

Content type
application/json
{
  • "connectionDrainDuration": "string",
  • "revision": "string",
  • "type": "UNIFIED",
  • "concurrency": 0,
  • "targetNamespace": "string",
  • "targetCluster": "string",
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "kubeSpec": {
    }
}

Delete the given Install Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

installgateway
required
string

Installgateway name.

Responses

Response samples

Content type
application/json
{ }

List all Shared Gateway Reference Grants in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "sharedGatewayReferenceGrants": [
    ]
}

Create a new Shared Gateway Reference Grant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2SharedGatewayReferenceGrant)

A Shared Gateway Reference Grant allows sharing a Gateway with other Workspaces or Gateway Groups, so that the referencing Workspaces or Gateway Groups can apply their own configurations to the shared Gateway.

The following example creates a Shared Gateway Reference Grant for the Gateway shared-gw1 and allows the Workspace w2 to reference it and apply its own configurations. Any shared Gateway configurations that are applied to shared-gw1 in Workspace w2 will be applied to the Gateway shared-gw1 in Workspace w1.

apiVersion: gateway.tsb.tetrate.io/v2
kind: SharedGatewayReferenceGrant
metadata:
  name: shared-gw1-grant
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  gatewaySelectors:
  - nameSelector:
      name: shared-gw1
  from:
    fqn:
    - organizations/tetrate/tenants/mycompany/workspaces/w2

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "sharedGatewayReferenceGrant": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "updateProtectionEnabled": true,
  • "from": {
    },
  • "gatewaySelectors": [
    ]
}

Get the details of the given Shared Gateway Reference Grant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

sharedgatewayreferencegrant
required
string

Sharedgatewayreferencegrant name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "updateProtectionEnabled": true,
  • "from": {
    },
  • "gatewaySelectors": [
    ]
}

Update the given Shared Gateway Reference Grant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

sharedgatewayreferencegrant
required
string

Sharedgatewayreferencegrant name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (v2SharedGatewayReferenceGrantFrom)

From specifies the resource that is granted access to the shared Gateway.

required
Array of objects (SharedGatewayReferenceGrantGatewaySelector)

A list of Gateway Selectors that specify which Gateways are being shared.

updateProtectionEnabled
boolean

When set, prevents the resource from being deleted or updated. In order to delete or update the resource this property needs to be set to false first.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "from": {
    },
  • "gatewaySelectors": [
    ],
  • "updateProtectionEnabled": true
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "updateProtectionEnabled": true,
  • "from": {
    },
  • "gatewaySelectors": [
    ]
}

Delete the given Shared Gateway Reference Grant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

sharedgatewayreferencegrant
required
string

Sharedgatewayreferencegrant name.

Responses

Response samples

Content type
application/json
{ }

ListSharedGateways lists gateways that have a shared reference grant for the given gateway group, workspace, tenant, or organization.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "sharedGateways": [
    ]
}

List all Tier1 Gateway objects that have been created in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "tier1Gateways": [
    ]
}

Create a Tier1 Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (Deprecated: the functionality provided by the `Tier1Gateway` is now provided in the `Gateway` object, and using it is the recommended approach. The `Tier1Gateway` resource will be removed in future releases.)

Tier1Gateway configures a workload to act as a gateway that distributes traffic across one or more ingress gateways in other clusters.

NOTE: Tier1 gateways cannot be used to route traffic to the same cluster. A cluster with tier1 gateway cannot have any other gateways or workloads.

The following example declares a tier1 gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes host movieinfo.com on ports 8080 and 8443, and kafka.internal on port 9000. Traffic for these hosts on ports 8443 and 9000 is TLS terminated and forwarded over Istio mutual TLS to the ingress gateways hosting movieinfo.com on clusters c3 and c4 and to the internal kafka.internal service in cluster c3, respectively. The server on port 8080 is configured to receive plaintext HTTP traffic and redirect it to port 8443 with a "Permanently Moved" (HTTP 301) status code.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  externalServers:
  - name: movieinfo-plain
    hostname: movieinfo.com # Plaintext and HTTPS redirect
    port: 8080
    redirect:
      authority: movieinfo.com
      uri: "/"
      redirectCode: 301
      port: 8443
      scheme: https
  - name: movieinfo
    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream
    port: 8443
    tls:
      mode: SIMPLE
      secretName: movieinfo-secrets
    clusters:
    - name: c3 # the target gateway IPs will be automatically determined
      weight: 90
    - name: c4
      weight: 10
    authentication:
      rules:
        jwt:
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.mycompany.com/oauth2/jwks
        - issuer: "auth.othercompany.com"
          jwksUri: https://auth.othercompany.com/oauth2/jwks
    authorization:
      external:
        uri: "https://auth.company.com"
        includeRequestHeaders:
        - authorization
  tcpExternalServers:
  - name: kafka
    hostname: kafka.internal
    port: 9000
    tls:
      mode: SIMPLE
      secretName: kafka-cred
    clusters:
    - name: c3
      weight: 100

In the following example, the clients are authenticated against an external OIDC provider using the AUTHORIZATION_CODE grant type. Once the client request is authenticated, it is forwarded to cluster c3 or c4. The access_token generated after client authentication is set as a Bearer token in the request headers. The state of authentication is stored in cookies.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  externalServers:
  - name: movieinfo-plain
    hostname: movieinfo.com # Plaintext and HTTPS redirect
    port: 8080
    redirect:
      authority: movieinfo.com
      uri: "/"
      redirectCode: 301
      port: 8443
      scheme: https
  - name: movieinfo
    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream
    port: 8443
    tls:
      mode: SIMPLE
      secretName: movieinfo-secrets
    clusters:
    - name: c3 # the target gateway IPs will be automatically determined
      weight: 90
    - name: c4
      weight: 10
    authentication:
      oidc:
        grantType: AUTHORIZATION_CODE
        clientId: "my-client"
        clientTokenSecret: "my-secret"
        redirectUri: https://httpbin.example.com/bearer
        provider:
          issuer: https://accounts.google.com
          authorizationEndpoint: https://accounts.google.com/v1/authorize
          tokenEndpoint: https://accounts.google.com/v1/token
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
    authorization:
      external:
        uri: "https://auth.company.com"
        includeRequestHeaders:
        - authorization

Tier1 gateways can also be used to forward mesh internal traffic for Gateway hosts from one cluster to another. This form of forwarding will work only if the two clusters cannot reach each other directly (e.g., they are on different VPCs that are not peered). The following example declares a tier1 gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes hosts movieinfo.com, bookinfo.com, and a non-HTTP server called kafka.org-internal within the mesh. Traffic to movieinfo.com is load balanced across all clusters on vpc-02, while traffic to bookinfo.com and kafka.org-internal is load balanced across ingress gateways exposing bookinfo.com on any cluster. Traffic from the source (sidecars) is expected to arrive on the tier1 gateway over Istio mTLS.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  internalServers: # forwarding gateway (HTTP traffic only)
  - name: movieinfo
    hostname: movieinfo.com
    clusters:
    - labels:
        network: vpc-02 # the target gateway IPs will be automatically determined
    authentication:
      rules:
        jwt:
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.company.com/oauth2/jwks
        - issuer: "auth.othercompany.com"
          jwksUri: https://auth.othercompany.com/oauth2/jwks
    authorization:
      external:
        uri: "https://auth.company.com"
        includeRequestHeaders:
        - authorization
  - name: bookinfo
    hostname: bookinfo.com # route to any ingress gateway exposing bookinfo.com
  tcpInternalServers: # forwarding non-HTTP traffic within the mesh
  - name: kafka
    hostname: kafka.org-internal

**NOTE:** If two clusters have direct connectivity, declaring a tier1 internal server will have no effect.

Tier1 gateways can also be configured to expose hostnames in the TLS passthrough mode. The Tier1 gateway will forward the passthrough server traffic to any tier2 passthrough servers exposing the same hostname. In other words, to leverage passthrough at tier1, passthrough MUST also be configured at the tier2 IngressGateway.

**NOTE:** A hostname like abc.com can only be exposed either in passthrough mode OR in terminating TLS mode (External/Internal servers), not in both modes.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-tls-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com

The Tier1Gateway above requires at least one corresponding IngressGateway, e.g.:

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: tls-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  tlsPassthrough:
    - name: nginx
      port: 443
      hostname: nginx.example.com
      route:
        host: "ns1/my-nginx.default.svc.cluster.local"
        port: 443
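
The two passthrough constraints described above (a tier1 passthrough hostname needs a tier2 passthrough server with the same hostname, and a hostname cannot be both passthrough and terminating) can be checked before resources are applied. This Python check is an added example, not part of TSB; the resources are constructed dicts mirroring the YAML above, the `MISCONFIGURED` gateway and the problem labels are hypothetical, and counting every External/Internal server list (including the TCP variants) as terminating is an assumption.

```python
"""Check Tier1Gateway TLS passthrough constraints (added example)."""

# Constructed resources mirroring the tier1-tls-gw / tls-gw pair on this page.
TIER1 = {
    "kind": "Tier1Gateway", "metadata": {"name": "tier1-tls-gw"},
    "spec": {"passthroughServers": [
        {"name": "nginx", "port": 8443, "hostname": "nginx.example.com"}]},
}
INGRESS = {
    "kind": "IngressGateway", "metadata": {"name": "tls-gw"},
    "spec": {"tlsPassthrough": [
        {"name": "nginx", "port": 443, "hostname": "nginx.example.com",
         "route": {"host": "ns1/my-nginx.default.svc.cluster.local",
                   "port": 443}}]},
}
# Hypothetical gateway that violates both constraints for abc.com.
MISCONFIGURED = {
    "kind": "Tier1Gateway", "metadata": {"name": "bad-gw"},
    "spec": {
        "passthroughServers": [
            {"name": "abc-pass", "port": 8443, "hostname": "abc.com"}],
        "externalServers": [
            {"name": "abc-term", "port": 443, "hostname": "abc.com",
             "tls": {"mode": "SIMPLE", "secretName": "abc-cert"}}],
    },
}

# Server lists counted as the terminating side. The page's note names
# External/Internal servers; including the TCP variants is an assumption.
TERMINATING = ("externalServers", "internalServers",
               "tcpExternalServers", "tcpInternalServers")


def hostnames(resource, field):
    """Lower-cased hostnames declared under spec.<field> of one resource."""
    servers = resource.get("spec", {}).get(field) or []
    return {s["hostname"].lower() for s in servers if s.get("hostname")}


def check_passthrough(tier1_gateways, ingress_gateways):
    """Return sorted (gateway name, hostname, problem) tuples.

    Hostnames are matched by name only; the tier1 and tier2 ports may differ,
    as they do in the example on this page (8443 and 443).
    """
    tier2 = set()
    for gw in ingress_gateways:
        tier2 |= hostnames(gw, "tlsPassthrough")

    problems = []
    for gw in tier1_gateways:
        name = gw["metadata"]["name"]
        passthrough = hostnames(gw, "passthroughServers")
        terminated = set()
        for field in TERMINATING:
            terminated |= hostnames(gw, field)
        # Same hostname exposed in both modes on this gateway.
        for host in passthrough & terminated:
            problems.append((name, host, "passthrough-and-terminating"))
        # No tier2 IngressGateway exposes this hostname in passthrough mode.
        for host in passthrough - tier2:
            problems.append((name, host, "no-tier2-passthrough"))
    return sorted(problems)


if __name__ == "__main__":
    for problem in check_passthrough([TIER1, MISCONFIGURED], [INGRESS]):
        print(problem)
```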

The following example customizes the Extensions field to enable the execution of the specified WasmExtensions list and details custom properties for the execution of each extension.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-tls-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  externalServers:
  - name: movieinfo-plain
    hostname: movieinfo.com # Plaintext and HTTPS redirect
    port: 8080
    redirect:
      authority: movieinfo.com
      uri: "/"
      redirectCode: 301
      port: 8443
      scheme: https
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar

Whenever traffic is to be sent from one cluster to another, at least one of the following must be true for it to succeed:

  • Both clusters belong to the same network.
  • Destination cluster network is not named.
  • Organization Setting is set up to send traffic from source cluster to destination cluster.

Tier1Gateway also allows you to apply ModSecurity/Coraza compatible Web Application Firewall rules to traffic passing through the gateway.

apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/*.conf

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "tier1Gateway": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "externalServers": [
    ],
  • "internalServers": [
    ],
  • "passthroughServers": [
    ],
  • "tcpExternalServers": [
    ],
  • "tcpInternalServers": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Get the details of the given Tier1 Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "externalServers": [
    ],
  • "internalServers": [
    ],
  • "passthroughServers": [
    ],
  • "tcpExternalServers": [
    ],
  • "tcpInternalServers": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Gateways_UpdateTier1Gateway

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio generated configurations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this Tier1Gateway with the specific configuration for each extension. This custom configuration will override the one configured globally for the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.

Array of objects (v2Tier1ExternalServer)

One or more servers exposed by the gateway externally.

Array of objects (v2Tier1InternalServer)

One or more servers exposed by the gateway internally for cross cluster forwarding.

Array of objects (v2Tier1PassthroughServer)

One or more tls passthrough servers exposed by the gateway externally.

Array of objects (v2Tier1TCPExternalServer)

One or more tcp servers exposed by the gateway externally.

Array of objects (v2Tier1TCPInternalServer)

One or more tcp servers exposed by the gateway for mesh internal traffic.

object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)

The following example creates a security group for the sidecars in the ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany, together with the security setting that applies the WAF settings to that group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - Include @recommended-conf

In the following examples, the security rule for blocking XSS requests is enabled on Tier1Gateway and IngressGateway respectively, with an ad-hoc debug configuration, instead of the one defined in the security rule.

apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
---
apiVersion: gateway.xcp.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  waf:
    rules:
      - SecRuleEngine DETECTION_ONLY
      - SecDebugLogLevel 5
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  http:
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
required
object (tsbtypesv2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "extension": [
    ],
  • "externalServers": [
    ],
  • "internalServers": [
    ],
  • "passthroughServers": [
    ],
  • "tcpExternalServers": [
    ],
  • "tcpInternalServers": [
    ],
  • "waf": {
    },
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "externalServers": [
    ],
  • "internalServers": [
    ],
  • "passthroughServers": [
    ],
  • "tcpExternalServers": [
    ],
  • "tcpInternalServers": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Delete the given Tier1 Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{ }

List all Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "gateways": [
    ]
}

Create a Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (gatewayv2Gateway)

The Gateway configuration combines the functionalities of both the existing Tier1Gateway and IngressGateway, providing a unified approach for configuring a workload as a gateway in the mesh. Each server within the Gateway is configured to route requests either to destination clusters, such as a Tier1Gateway, or to specific services, like an IngressGateway.

The following example declares a gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes a host bookinfo.com on https port 9443 and http port 9090. The port 9090 is configured to receive plaintext traffic and send a redirect to the https port 9443 (site-wide HTTP -> HTTPS redirection). At port 9443, TLS is terminated using the certificates in the Kubernetes secret bookinfo-certs. Clients are authenticated using JWT tokens, whose keys are obtained from the OIDC provider www.googleapis.com. The request is then authorized by the user's authorization engine hosted at https://company.com/authz before being forwarded to the productpage service in the backend. Here, the gateway is configured in a manner similar to an existing IngressGateway with HTTP server.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    routing:
      rules:
        - redirect:
            authority: bookinfo.com
            port: 9443
            redirectCode: 301
            scheme: https
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    authentication:
      rules:
        jwt:
        - issuer: https://accounts.google.com
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.mycompany.com/oauth2/jwks
    authorization:
      external:
        uri: https://company.com/authz
        includeRequestHeaders:
          - Authorization # forwards the header to the authorization service.
    routing:
      rules:
      - route:
          serviceDestination:
            host: ns1/productpage.ns1.svc.cluster.local
    rateLimiting:
      settings:
        rules:
          # Ratelimit at 10 requests/hour for clients with a remote address of 1.2.3.4
        - dimensions:
          - remoteAddress:
              value: 1.2.3.4
          limit:
            requestsPerUnit: 10
            unit: HOUR
          # Ratelimit at 50 requests/minute for every unique value in the user-agent header
        - dimensions:
          - header:
              name: user-agent
          limit:
            requestsPerUnit: 50
            unit: MINUTE
          # Ratelimit at 100 requests/second for every unique client remote address
          # with the HTTP requests having a GET method and the path prefix of /productpage
        - dimensions:
          - remoteAddress:
              value: "*"
          - header:
              name: ":path"
              value:
                prefix: /productpage
          - header:
              name: ":method"
              value:
                exact: "GET"
          limit:
            requestsPerUnit: 100
            unit: SECOND

In the following example, the clients are authenticated using an external OIDC provider using AUTHORIZATION_CODE grant type. Once the client request is authenticated, it gets forwarded to the productpage service in the backend. The access_token generated after client authentication is set as Bearer in request headers. The state of authentication is stored in cookies.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    routing:
      rules:
        - redirect:
            authority: bookinfo.com
            port: 9443
            redirectCode: 301
            scheme: https
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    authentication:
      oidc:
        grantType: AUTHORIZATION_CODE
        clientId: "my-client"
        clientTokenSecret: "my-secret"
        redirectUri: https://httpbin.example.com/bearer
        provider:
          issuer: https://accounts.google.com
          authorizationEndpoint: https://accounts.google.com/v1/authorize
          tokenEndpoint: https://accounts.google.com/v1/token
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
    authorization:
      external:
        uri: https://company.com/authz
        includeRequestHeaders:
          - Authorization # forwards the header to the authorization service.
    routing:
      rules:
      - route:
          serviceDestination:
            host: ns1/productpage.ns1.svc.cluster.local

If the productpage.ns1 service on Kubernetes has a ServiceRoute with multiple subsets and weights, the traffic will be split across the subsets accordingly.

The following example declares a gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes host movieinfo.com on ports 8080 and 8443, and kafka.internal on port 9000. Traffic for these hosts at ports 8443 and 9000 is TLS terminated and forwarded over Istio mutual TLS to the ingress gateways hosting movieinfo.com on clusters c3 (for the matching prefix v1) and c4 (for the matching prefix v2), and to the internal kafka.internal service in cluster c3, respectively. The server at port 8080 is configured to receive plaintext HTTP traffic and redirect to port 8443 with "Permanently Moved" (HTTP 301) status code. Here, the gateway is configured in a manner similar to an existing Tier1Gateway with external servers.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: movieinfo-plain
    hostname: movieinfo.com # Plaintext and HTTPS redirect
    port: 8080
    routing:
      rules:
        - redirect:
            authority: movieinfo.com
            port: 8443
            redirectCode: 301
            scheme: https
            uri: "/"
  - name: movieinfo
    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream
    port: 8443
    tls:
      mode: SIMPLE
      secretName: movieinfo-secrets
    routing:
      rules:
         - match:
             - uri:
                 prefix: "/v1"
           route:
             clusterDestination:
               clusters:
                 - name: c3 # the target gateway IPs will be automatically determined
                   weight: 100
         - match:
             - uri:
                 prefix: "/v2"
           route:
             clusterDestination:
               clusters:
                 - name: c4 # the target gateway IPs will be automatically determined
                   weight: 100
    authentication:
      rules:
        jwt:
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.mycompany.com/oauth2/jwks
        - issuer: "auth.othercompany.com"
          jwksUri: https://auth.othercompany.com/oauth2/jwks
    authorization:
      external:
        uri: "https://auth.company.com"
        includeRequestHeaders:
          - authorization
  tcp:
  - name: kafka
    hostname: kafka.internal
    port: 9000
    tls:
      mode: SIMPLE
      secretName: kafka-cred
    route:
      clusterDestination:
        clusters:
          - name: c3
            weight: 100

This example is used to forward mesh internal traffic for Gateway hosts from one cluster to another. This form of forwarding will work only if the two clusters cannot reach each other directly (e.g., they are on different VPCs that are not peered). The following example declares a gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes hosts movieinfo.com, bookinfo.com, and a non-HTTP server called kafka.org-internal within the mesh. Traffic to movieinfo.com is load balanced across all clusters on vpc-02, while traffic to bookinfo.com and kafka.org-internal is load balanced across ingress gateways exposing bookinfo.com on any cluster. Traffic from the source (sidecars) is expected to arrive on the tier1 gateway over Istio mTLS. Here, the gateway is configured in a manner similar to an existing Tier1Gateway with internal servers.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http: # forwarding gateway (HTTP traffic only)
  - name: movieinfo
    transit: true # server marked as internal
    hostname: movieinfo.com
    routing:
      rules:
      - route:
          clusterDestination:
            clusters:
            - labels:
                network: vpc-02 # the target gateway IPs will be automatically determined
    authentication:
      rules:
        jwt:
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.company.com/oauth2/jwks
        - issuer: "auth.othercompany.com"
          jwksUri: https://auth.othercompany.com/oauth2/jwks
    authorization:
      meshInternalAuthz:
        external:
          uri: "https://auth.company.com"
          includeRequestHeaders:
            - authorization
  - name: bookinfo
    transit: true # server marked as internal
    hostname: bookinfo.com # route to any ingress gateway exposing bookinfo.com
    routing:
      rules:
      - route:
          clusterDestination:
            clusters:
  tcp: # forwarding non-HTTP traffic within the mesh
  - name: kafka
    transit: true # server marked as internal
    hostname: kafka.org-internal
    route:
      clusterDestination:
        clusters:

The following example illustrates defining a non-HTTP server (based on TCP) with TLS termination. Here, kafka.myorg.internal uses a non-HTTP protocol and listens on port 9000. Clients have to connect over TLS with the SNI kafka.myorg.internal. TLS is terminated at the gateway and the traffic is routed to kafka.infra.svc.cluster.local:8000.

If subsets are defined in the ServiceRoute referencing the kafka.infra.svc.cluster.local service, they are also considered while routing.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  tcp:
  - name: kafka-gateway
    hostname: kafka.myorg.internal
    port: 9000
    tls:
      mode: SIMPLE
      secretName: kafka-cred
    route:
      serviceDestination:
        host: kafka.infra.svc.cluster.local
        port: 8000

This is an example of configuring a gateway for TLS. The gateway will forward the passthrough server traffic to clusters c1 and c2. It is essential to configure TLS on the same hostname at c1 and c2 as well. Here, the gateway is configured similarly to an existing Tier1Gateway with passthrough servers.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: tier1-tls-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  tls:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
    route:
      clusterDestination:
         clusters:
           - name: c1 # the target gateway IPs will be automatically determined
             weight: 90
           - name: c2
             weight: 10

This configuration defines a Gateway named egress-access intended for egress traffic management. It operates within the namespace ns and targets pods labeled with app: egressgateway. The Gateway exposes three external hosts for egress access: example.com, httpbin.org, and apis.google.com.

By default, egress access is denied for all three hosts. Users must explicitly define allow rules for traffic to pass through.

Clients in the cluster-1/client namespace are granted access to the example.com host. Clients in the cluster-2/client namespace can access httpbin.org. However, access to apis.google.com is denied for all clients.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: egress-access
  labels:
    xcp.tetrate.io/workspace: egress-ws
    xcp.tetrate.io/gatewayGroup: egress-gw-group
spec:
  workloadSelector:
    namespace: ns
    labels:
      app: egressgateway
  http:
    - name: example
      hostname: "example.com"
      routing:
        rules:
          - route:
              serviceDestination:
                host: "ns/example.com"
                tls:
                  mode: SIMPLE
                  files:
                    caCertificates: "/etc/ssl/certs/ca-certificates.crt"
    - name: httpbin
      hostname: "httpbin.org"
      routing:
        rules:
          - route:
              serviceDestination:
                host: "ns/httpbin.org"
                tls:
                  mode: SIMPLE
                  files:
                    caCertificates: "/etc/ssl/certs/ca-certificates.crt"
    - name: apis
      hostname: "apis.google.com"
      routing:
        rules:
          - route:
              serviceDestination:
                host: "ns/apis.google.com"
                tls:
                  mode: SIMPLE
                  files:
                    caCertificates: "/etc/ssl/certs/ca-certificates.crt"
  egressAuthorization:
    - from:
        mode: SERVICE_ACCOUNT
        serviceAccounts:
          - "cluster-1/client/*"
      to:
        - host:
            exact: "example.com"
    - from:
        mode: SERVICE_ACCOUNT
        serviceAccounts:
          - "cluster-2/client/*"
      to:
        - host:
            exact: "httpbin.org"
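
The default-deny behaviour described above can be checked offline before a Gateway is applied. The following sketch is an added example, not TSB code: it takes the `http` and `egressAuthorization` sections of the spec above as a Python dict, computes which exposed hosts a given client identity may reach, and reports hosts with no allow rule and rules that name hosts the gateway does not expose. Treating `serviceAccounts` entries as `cluster/namespace/serviceaccount` globs, and the function names, are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed from the egress-access example above (only the fields the check needs).
EGRESS_SPEC = {
    "http": [
        {"name": "example", "hostname": "example.com"},
        {"name": "httpbin", "hostname": "httpbin.org"},
        {"name": "apis", "hostname": "apis.google.com"},
    ],
    "egressAuthorization": [
        {"from": {"mode": "SERVICE_ACCOUNT",
                  "serviceAccounts": ["cluster-1/client/*"]},
         "to": [{"host": {"exact": "example.com"}}]},
        {"from": {"mode": "SERVICE_ACCOUNT",
                  "serviceAccounts": ["cluster-2/client/*"]},
         "to": [{"host": {"exact": "httpbin.org"}}]},
    ],
}


def _exposed_hosts(spec):
    """Hostnames the gateway exposes for egress."""
    return {server["hostname"] for server in spec.get("http", [])}


def _rule_hosts(rule):
    """Exact hosts named in one rule's 'to' list (the only form shown above)."""
    hosts = set()
    for dst in rule.get("to", []):
        exact = dst.get("host", {}).get("exact")
        if exact:
            hosts.add(exact)
    return hosts


def allowed_hosts(spec, identity):
    """Return the exposed hosts that `identity` may reach.

    `identity` is 'cluster/namespace/serviceaccount' (assumed format).
    A host not matched by any allow rule stays denied.
    """
    exposed = _exposed_hosts(spec)
    allowed = set()
    for rule in spec.get("egressAuthorization", []):
        src = rule.get("from", {})
        if src.get("mode") != "SERVICE_ACCOUNT":
            continue  # only the mode shown in the example is modelled here
        patterns = src.get("serviceAccounts", [])
        if any(fnmatchcase(identity, p) for p in patterns):
            allowed |= _rule_hosts(rule) & exposed
    return allowed


def audit(spec):
    """Summarise the policy for review before it is applied."""
    exposed = _exposed_hosts(spec)
    referenced = set()
    for rule in spec.get("egressAuthorization", []):
        referenced |= _rule_hosts(rule)
    return {
        # Exposed but unreachable by anyone: intended deny, or a forgotten rule?
        "no_allow_rule": sorted(exposed - referenced),
        # Allow rules for hosts the gateway does not expose have no effect.
        "not_exposed": sorted(referenced - exposed),
    }


if __name__ == "__main__":
    for who in ("cluster-1/client/default", "cluster-2/client/default",
                "cluster-3/batch/default"):
        print(who, "->", sorted(allowed_hosts(EGRESS_SPEC, who)))
    print(audit(EGRESS_SPEC))
```

Reviewing the `no_allow_rule` list confirms that a host such as apis.google.com is denied on purpose rather than by omission.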

TSB provides ways to extend the bundled functionality that comes with Envoy using the extensions field.

The following example shows a Gateway configuration in which Kong's response-transformer plugin is used.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    extensions:
      kong:
        plugins:
          - name: response-transformer
            priority: 999
            config:
              inline:
                remove:
                  json:
                  - example-field
          - name: custom-header-adder
            priority: 1000
            config:
              inline:
                request_header_to_add: example-header
            pluginSource:
              configMap: cm-containing-this-plugin-in-gw-install-ns
name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "gateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tls": [
    ],
  • "tcp": [
    ],
  • "wasmPlugins": [
    ],
  • "waf": {
    },
  • "egressAuthorization": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

unifiedgateway
required
string

Unifiedgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tls": [
    ],
  • "tcp": [
    ],
  • "wasmPlugins": [
    ],
  • "waf": {
    },
  • "egressAuthorization": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

unifiedgateway
required
string

Unifiedgateway name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio generated configurations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource.)
displayName
string (User friendly name for the resource.)
Array of objects (v2EgressAuthorizationSettings)

External services are onboarded into the mesh via service entry, and these services are exposed on the Gateway for egress access. By default, access is denied for these hosts. Users can configure EgressAuthorizationSettings to specify which service accounts are allowed.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
Array of objects (gatewayv2HTTP)

One or more HTTP or HTTPS servers exposed by the gateway. The server exposes configuration for TLS termination, request authentication/authorization, HTTP routing, rate limiting, etc.

Array of objects (gatewayv2TCP)

One or more non-HTTP and non-passthrough servers which use TCP based protocols. This server also exposes configuration for terminating TLS.

Array of objects (v2TLS)

One or more TLS servers exposed by the gateway. The server does not terminate TLS and exposes config for SNI based routing.

object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)

The following example creates a security group for the sidecars in the ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany, together with the security setting that applies the WAF settings to that group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - Include @recommended-conf

In the following examples, the security rule for blocking XSS requests is enabled on Tier1Gateway and IngressGateway respectively, with an ad-hoc debug configuration, instead of the one defined in the security rule.

apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
---
apiVersion: gateway.xcp.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  waf:
    rules:
      - SecRuleEngine DETECTION_ONLY
      - SecDebugLogLevel 5
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  http:
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
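
The WAF examples above (shown for both the Tier1Gateway and the Gateway update schemas) include an ad-hoc debug configuration that should not reach production unnoticed. The following linter is an added example, not part of TSB: it reads a `waf.rules` list and flags a rule engine that is not blocking, a verbose debug log level, and an `Include` placed after `SecRuleEngine On`, since seclang directives are applied in order and an included file may set the mode again. The verbosity threshold and the finding names are assumptions chosen for this sketch.

```python
import re

# Debug levels at or above this are reported; the threshold is a policy
# choice made for this example, not a TSB setting.
VERBOSE_DEBUG_LEVEL = 4

# Constructed from the two gateway examples above.
TIER1_RULES = ["Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]
INGRESS_RULES = [
    "SecRuleEngine DETECTION_ONLY",
    "SecDebugLogLevel 5",
    "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
]


def parse_directives(rules):
    """Split each seclang line into (directive, argument), skipping comments."""
    parsed = []
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, arg = line.partition(" ")
        parsed.append((name, arg.strip().strip('"')))
    return parsed


def lint_waf(rules):
    """Return (code, message) findings for one gateway's waf.rules list."""
    engine, engine_pos, debug_level, include_pos = None, -1, None, []
    for pos, (name, arg) in enumerate(parse_directives(rules)):
        key = name.lower()
        if key == "secruleengine":
            # Accept DetectionOnly as well as the DETECTION_ONLY spelling above.
            engine, engine_pos = re.sub(r"[^a-z]", "", arg.lower()), pos
        elif key == "secdebugloglevel" and arg.isdigit():
            debug_level = int(arg)
        elif key == "include":
            include_pos.append(pos)

    findings = []
    if engine is None:
        findings.append(("engine-not-set",
                         "mode is inherited from included or higher-level config"))
    elif engine != "on":
        findings.append(("engine-not-blocking",
                         "matching requests are logged, not rejected"))
    elif any(pos > engine_pos for pos in include_pos):
        findings.append(("include-after-engine",
                         "a later Include may set SecRuleEngine again"))
    if debug_level is not None and debug_level >= VERBOSE_DEBUG_LEVEL:
        findings.append(("verbose-debug-log",
                         f"SecDebugLogLevel {debug_level} is a debugging level"))
    return findings


if __name__ == "__main__":
    for label, rules in (("tier1-waf-gw", TIER1_RULES), ("waf-gw", INGRESS_RULES)):
        for code, message in lint_waf(rules):
            print(f"{label}: {code}: {message}")
```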
Array of objects (v2WasmExtensionAttachment)

WasmPlugins specifies all the WasmExtensionAttachment assigned to this Gateway with the specific configuration for each plugin. This custom configuration will override the one configured globally to the plugin. Each plugin has a global configuration including priority that will condition the execution of the assigned plugins.

required
object (tsbtypesv2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "egressAuthorization": [
    ],
  • "etag": "string",
  • "http": [
    ],
  • "tcp": [
    ],
  • "tls": [
    ],
  • "waf": {
    },
  • "wasmPlugins": [
    ],
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tls": [
    ],
  • "tcp": [
    ],
  • "wasmPlugins": [
    ],
  • "waf": {
    },
  • "egressAuthorization": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

unifiedgateway
required
string

Unifiedgateway name.

Responses

Response samples

Content type
application/json
{ }

IstioInternal

List all Istio internal groups in the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new Istio internal group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (tsbistiointernalv2Group)

Istio internal groups only allow grouping DIRECT mode mesh resources in a set of namespaces owned by its parent workspace. This group is aimed at grouping resources not directly related to traffic, security, or gateway, such as EnvoyFilters and ServiceEntry. An Istio internal group is meant to group highly coupled, implementation-detail-oriented Istio resources that don't provide any of the BRIDGED mode guarantees or backward/forward compatibility that other groups like traffic, security or gateway can provide. This is mainly because resources like EnvoyFilters are highly customizable and can interfere in unpredictable ways with any other routing, security, listeners, or filter chains, among other configurations that TSB may have set up. Therefore, this group is only meant to be used by users/administrators who are confident with those advanced features, knowing that the defined resources under this group will not interfere with the TSB provided mesh governance functionalities.

The following example creates an istio internal group for resources in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany.

apiVersion: istiointernal.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"

It is possible to directly attach Istio APIs such as EnvoyFilter and ServiceEntry to the Istio internal group. These configurations will then be pushed to the appropriate Istio control planes.

The following ServiceEntry example declares a few external APIs accessed by internal applications over HTTPS. The sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-https
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/istioInternalGroup: t1
spec:
  hosts:
  - api.dropboxapi.com
  - www.googleapis.com
  - api.facebook.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS

The namespace where the Istio APIs are applied must be part of the parent Istio internal group. In addition, each API object needs annotations indicating the organization, tenant, workspace and Istio internal group to which it belongs.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Get the details of the given Istio internal group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Modify an Istio internal group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio generated configurations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string

A description of the resource.

displayName
string

User friendly name for the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

required
object (NamespaceSelector)

`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in a namespace selector must be in the form `cluster/namespace` where:

  • cluster must be a cluster name or an `*` to mean all clusters
  • namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting with `ns-`

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}
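The `cluster/namespace` selector names described in the request body schema above define the isolation boundary of a workspace or group, so it is worth checking what a set of names actually selects before applying it. The following is an added example, not TSB code: it validates names against the stated form and reports group selections that fall outside the workspace's selection. The function names, the inventory and the sample selectors are constructed, and it assumes a prefix wildcard is a single trailing `*` and that a group is expected to stay within its workspace.

```python
"""Evaluate namespace selector names of the form cluster/namespace (added example)."""


def parse_selector(name):
    """Split one selector name into (cluster, namespace_pattern) or raise ValueError."""
    cluster, sep, namespace = name.partition("/")
    if not sep or not cluster or not namespace or "/" in namespace:
        raise ValueError(f"not in cluster/namespace form: {name!r}")
    # The cluster part is a literal cluster name or a lone "*".
    if "*" in cluster and cluster != "*":
        raise ValueError(f"cluster must be a name or '*': {name!r}")
    # The namespace part is a literal name, a lone "*", or a prefix ending in "*".
    # Assumption: "*" is only meaningful as the final character.
    if "*" in namespace[:-1]:
        raise ValueError(f"'*' is only allowed at the end of the namespace: {name!r}")
    return cluster, namespace


def selector_matches(name, cluster, namespace):
    """Return True when one selector name selects the given cluster/namespace pair."""
    sel_cluster, sel_ns = parse_selector(name)
    if sel_cluster != "*" and sel_cluster != cluster:
        return False
    if sel_ns.endswith("*"):
        # "*" alone leaves an empty prefix, which every namespace starts with.
        return namespace.startswith(sel_ns[:-1])
    return sel_ns == namespace


def selected(names, inventory):
    """Return the (cluster, namespace) pairs from inventory selected by any name."""
    return {
        (cluster, namespace)
        for cluster, namespace in inventory
        if any(selector_matches(name, cluster, namespace) for name in names)
    }


def audit_group(workspace_names, group_names, inventory):
    """Report group selections outside the workspace and group names using '*'."""
    workspace_set = selected(workspace_names, inventory)
    group_set = selected(group_names, inventory)
    wildcards = []
    for name in group_names:
        cluster, namespace = parse_selector(name)
        if cluster == "*" or namespace == "*":
            wildcards.append(name)
    return {
        "outside_workspace": sorted(group_set - workspace_set),
        "wildcard_names": wildcards,
    }


# Constructed inventory of (cluster, namespace) pairs for the demonstration.
INVENTORY = [
    ("c1", "ns-payments"),
    ("c1", "ns-orders"),
    ("c1", "kube-system"),
    ("c2", "ns-payments"),
    ("c2", "istio-system"),
]

# Constructed selectors: the group name reaches into cluster c2,
# which the workspace selector does not cover.
WORKSPACE_NAMES = ["c1/ns-*"]
GROUP_NAMES = ["*/ns-payments"]


if __name__ == "__main__":
    report = audit_group(WORKSPACE_NAMES, GROUP_NAMES, INVENTORY)
    for cluster, namespace in report["outside_workspace"]:
        print(f"group selects {cluster}/{namespace}, which the workspace does not")
    for name in report["wildcard_names"]:
        print(f"wildcard selector in group: {name}")
```
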

Delete the given Istio internal group. Note that deleting resources in TSB is a recursive operation. Deleting an Istio internal group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

Metrics

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

Sources

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and to all its child resources.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on the ingress's hostname.
  • RELATION: A relation-based telemetry source scope.

belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time until which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and to all its child resources.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on the ingress's hostname.
  • RELATION: A relation-based telemetry source scope.

belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time until which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and to all its child resources.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on the ingress's hostname.
  • RELATION: A relation-based telemetry source scope.

belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time until which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [