application.tsb.tetrate.io/v2
Resource Types:
API
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | application.tsb.tetrate.io/v2 | true |
kind | string | API | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | An API configuring a set of servers and endpoints that expose the Application business logic. | false |
status | object | | false |
API.spec
An API configuring a set of servers and endpoints that expose the Application business logic.
Name | Type | Description | Required |
---|---|---|---|
openapi | string | The raw OpenAPI spec for this API. | true |
configResources | []object | | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
endpoints | []object | List of endpoints exposed by this API. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
httpServers | []object | List of gateway servers that expose the API. | false |
servers | []object | DEPRECATED: For newly created APIs, the exposed servers will be available at httpServers. | false |
workloadSelector | object | Optional selector to specify the gateway workloads (pod labels and Kubernetes namespace) under the application gateway group that should be configured with this gateway. | false |
API.spec.configResources[index]
Name | Type | Description | Required |
---|---|---|---|
exclusivelyOwned | boolean | The exclusively owned flag indicates if the referenced configuration resource is exclusively owned by the object. | false |
expectedEtag | string | The expected etag field is used to check if the configuration resource contents have changed. | false |
fqn | string | The FQN of the resource this status is computed for. | false |
API.spec.endpoints[index]
Name | Type | Description | Required |
---|---|---|---|
exposedBy | object | The exposer of this endpoint. | false |
hostnames | []string | The list of hostnames where this endpoint is exposed. | false |
methods | []string | The list of HTTP methods this endpoint supports. | false |
path | string | The HTTP path of the endpoint, relative to the hostnames exposed by the API. | false |
service | string | DEPRECATED: For newly created APIs, the exposed servers will be available at httpServers. | false |
API.spec.endpoints[index].exposedBy
The exposer of this endpoint.
Name | Type | Description | Required |
---|---|---|---|
clusterGroup | object | The clusters that are exposing a concrete endpoint. | false |
service | string | The FQN of the service in the service registry that is exposing a concrete endpoint. | false |
API.spec.endpoints[index].exposedBy.clusterGroup
The clusters that are exposing a concrete endpoint.
Name | Type | Description | Required |
---|---|---|---|
clusters | []object | The clusters that contain gateways exposing the HTTPEndpoint. | false |
API.spec.endpoints[index].exposedBy.clusterGroup.clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the cluster exposing the endpoint. | false |
weight | integer | The weight for traffic to a cluster exposing the endpoint. | false |
API.spec.httpServers[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by clients. | true |
name | string | A name assigned to the server. | true |
routing | object | Routing rules associated with HTTP traffic to this server. | true |
authentication | object | Authentication is used to configure the authentication of end-user credentials like JWT. | false |
authorization | object | Authorization is used to configure authorization of end users. | false |
failoverSettings | object | Failover settings for all clients that try to access the hostname defined in this section. | false |
port | integer | The port where the server is exposed at the gateway workload (pod). | false |
rateLimiting | object | Configuration for rate limiting requests. | false |
tls | object | TLS certificate info. | false |
trafficMode | enum | Traffic mode specifies the type of configuration applied to this server. Enum: AUTO, INGRESS, EGRESS, TRANSIT | false |
transit | boolean | If set to true, the server is configured to be exposed within the mesh. | false |
API.spec.httpServers[index].routing
Routing rules associated with HTTP traffic to this server.
Name | Type | Description | Required |
---|---|---|---|
rules | []object | HTTP routes. | true |
corsPolicy | object | Cross origin resource request policy settings for all routes. | false |
API.spec.httpServers[index].routing.rules[index]
Name | Type | Description | Required |
---|---|---|---|
directResponse | object | Return a fixed response. | false |
disableExternalAuthorization | boolean | If set to true, external authorization is disabled on this route when the hostname is configured with external authorization. | false |
match | []object | One or more match conditions (OR-ed). | false |
modify | object | One or more mutations to be performed before forwarding. | false |
redirect | object | Redirect the request to a different host or URL or both. | false |
route | object | Forward the request to the specified destination(s). | false |
API.spec.httpServers[index].routing.rules[index].directResponse
Return a fixed response.
Name | Type | Description | Required |
---|---|---|---|
status | integer | Specifies the HTTP response status to be returned. | true |
body | object | Specifies the content of the response body. | false |
API.spec.httpServers[index].routing.rules[index].directResponse.body
Specifies the content of the response body.
Name | Type | Description | Required |
---|---|---|---|
bytes | string | Response body as base64-encoded bytes. Format: binary | false |
string | string | | false |
API.spec.httpServers[index].routing.rules[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
headers | map[string]object | The header keys must be lowercase and use hyphen as the separator, e.g. | false |
uri | object | URI to match. | false |
API.spec.httpServers[index].routing.rules[index].match[index].headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript-style regex-based match. | false |
API.spec.httpServers[index].routing.rules[index].match[index].uri
URI to match.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript-style regex-based match. | false |
API.spec.httpServers[index].routing.rules[index].modify
One or more mutations to be performed before forwarding.
Name | Type | Description | Required |
---|---|---|---|
headers | object | Add/remove/overwrite one or more HTTP headers in a request or response. | false |
rewrite | object | Rewrite the HTTP Host or URL or both. | false |
API.spec.httpServers[index].routing.rules[index].modify.headers
Add/remove/overwrite one or more HTTP headers in a request or response.
Name | Type | Description | Required |
---|---|---|---|
request | object | Header manipulation rules to apply before forwarding a request to the destination service. | false |
response | object | Header manipulation rules to apply before returning a response to the caller. | false |
API.spec.httpServers[index].routing.rules[index].modify.headers.request
Header manipulation rules to apply before forwarding a request to the destination service.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
API.spec.httpServers[index].routing.rules[index].modify.headers.response
Header manipulation rules to apply before returning a response to the caller.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
API.spec.httpServers[index].routing.rules[index].modify.rewrite
Rewrite the HTTP Host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | Rewrite the Authority/Host header with this value. | false |
uri | string | Rewrite the path (or the prefix) portion of the URI with this value. | false |
API.spec.httpServers[index].routing.rules[index].redirect
Redirect the request to a different host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. | false |
port | integer | | false |
redirectCode | integer | On a redirect, specifies the HTTP status code to use in the redirect response. | false |
scheme | string | On a redirect, overwrite the scheme with this one. | false |
uri | string | On a redirect, overwrite the Path portion of the URL with this value. | false |
API.spec.httpServers[index].routing.rules[index].route
Forward the request to the specified destination(s).
Name | Type | Description | Required |
---|---|---|---|
clusterDestination | object | RouteToClusters represents the clusters where the request needs to be routed to from the gateway. | false |
serviceDestination | object | RouteToService represents the service running in clusters. | false |
API.spec.httpServers[index].routing.rules[index].route.clusterDestination
RouteToClusters represents the clusters where the request needs to be routed to from the gateway.
Name | Type | Description | Required |
---|---|---|---|
clusters | []object | The destination clusters that contain ingress gateways exposing the hostname. | false |
API.spec.httpServers[index].routing.rules[index].route.clusterDestination.clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
API.spec.httpServers[index].routing.rules[index].route.serviceDestination
RouteToService represents the service running in clusters.
Name | Type | Description | Required |
---|---|---|---|
host | string | The destination service in | true |
port | integer | The port on the service to forward the request to. | false |
tls | object | The | false |
API.spec.httpServers[index].routing.rules[index].route.serviceDestination.tls
The ClientTLSSettings specifies how the gateway workload should establish connections to external services.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
API.spec.httpServers[index].routing.rules[index].route.serviceDestination.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
API.spec.httpServers[index].routing.corsPolicy
Cross origin resource request policy settings for all routes.
Name | Type | Description | Required |
---|---|---|---|
allowCredentials | boolean | Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. | false |
allowHeaders | []string | List of HTTP headers that can be used when requesting the resource. | false |
allowMethods | []string | List of HTTP methods allowed to access the resource. | false |
allowOrigin | []string | The list of origins that are allowed to perform CORS requests. | false |
exposeHeaders | []string | A white list of HTTP headers that the browsers are allowed to access. | false |
maxAge | string | Specifies how long the results of a preflight request can be cached. | false |
API.spec.httpServers[index].authentication
Authentication is used to configure the authentication of end-user credentials like JWT.
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules on how to authenticate an HTTP request. | false |
API.spec.httpServers[index].authentication.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
API.spec.httpServers[index].authentication.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
API.spec.httpServers[index].authentication.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
API.spec.httpServers[index].authentication.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
API.spec.httpServers[index].authentication.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
API.spec.httpServers[index].authentication.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
API.spec.httpServers[index].authentication.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
API.spec.httpServers[index].authentication.rules
List of rules on how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules on how to authenticate an HTTP request from a JWT Token attached to it. | false |
API.spec.httpServers[index].authentication.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
API.spec.httpServers[index].authentication.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
API.spec.httpServers[index].authentication.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
API.spec.httpServers[index].authorization
Authorization is used to configure authorization of end users.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |