application.tsb.tetrate.io/v2
Resource Types:
API
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | application.tsb.tetrate.io/v2 | true |
kind | string | API | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | An API configuring a set of servers and endpoints that expose the Application business logic. | false |
status | object | | false |
API.spec
An API configuring a set of servers and endpoints that expose the Application business logic.
Name | Type | Description | Required |
---|---|---|---|
openapi | string | The raw OpenAPI spec for this API. | true |
configResources | []object | | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
endpoints | []object | List of endpoints exposed by this API. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
httpServers | []object | List of gateway servers that expose the API. | false |
servers | []object | DEPRECATED: For newly created APIs, the exposed servers will be available at httpServers. | false |
workloadSelector | object | Optional selector to specify the gateway workloads (pod labels and Kubernetes namespace) under the application gateway group that should be configured with this gateway. | false |
API.spec.configResources[index]
Name | Type | Description | Required |
---|---|---|---|
exclusivelyOwned | boolean | The exclusively owned flag indicates if the referenced configuration resource is exclusively owned by the object. | false |
expectedEtag | string | The expected etag field is used to check if the configuration resource contents have changed. | false |
fqn | string | The FQN of the resource this status is computed for. | false |
API.spec.endpoints[index]
Name | Type | Description | Required |
---|---|---|---|
exposedBy | object | The exposer of this endpoint. | false |
hostnames | []string | The list of hostnames where this endpoint is exposed. | false |
methods | []string | The list of HTTP methods this endpoint supports. | false |
path | string | The HTTP path of the endpoint, relative to the hostnames exposed by the API. | false |
service | string | DEPRECATED: For newly created APIs, the exposed servers will be available at httpServers. | false |
API.spec.endpoints[index].exposedBy
The exposer of this endpoint.
Name | Type | Description | Required |
---|---|---|---|
clusterGroup | object | The clusters that are exposing a concrete endpoint. | false |
service | string | The FQN of the service in the service registry that is exposing a concrete endpoint. | false |
API.spec.endpoints[index].exposedBy.clusterGroup
The clusters that are exposing a concrete endpoint.
Name | Type | Description | Required |
---|---|---|---|
clusters | []object | The clusters that contain gateways exposing the HTTPEndpoint. | false |
API.spec.endpoints[index].exposedBy.clusterGroup.clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the cluster exposing the endpoint. | false |
weight | integer | The weight for traffic to a cluster exposing the endpoint. | false |
API.spec.httpServers[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by clients. | true |
name | string | A name assigned to the server. | true |
routing | object | Routing rules associated with HTTP traffic to this server. | true |
authentication | object | Authentication is used to configure the authentication of end-user credentials like JWT. | false |
authorization | object | Authorization is used to configure authorization of end users. | false |
extensions | object | Configure extensions for this hostname. | false |
failoverSettings | object | Failover settings for all clients that try to access the hostname defined in this section. | false |
openapi | object | OpenAPI configuration for the HTTP server. | false |
port | integer | The port where the server is exposed at the gateway workload (pod). | false |
rateLimiting | object | Configuration for rate limiting requests. | false |
tls | object | TLS certificate info. | false |
trafficMode | enum | Traffic mode specifies the type of configuration applied to this server. Enum: AUTO, INGRESS, EGRESS, TRANSIT | false |
transit | boolean | If set to true, the server is configured to be exposed within the mesh. | false |
API.spec.httpServers[index].routing
Routing rules associated with HTTP traffic to this server.
Name | Type | Description | Required |
---|---|---|---|
rules | []object | HTTP routes. | true |
corsPolicy | object | Cross origin resource request policy settings for all routes. | false |
API.spec.httpServers[index].routing.rules[index]
Name | Type | Description | Required |
---|---|---|---|
directResponse | object | Return a fixed response. | false |
disableExternalAuthorization | boolean | If set to true, external authorization is disabled on this route when the hostname is configured with external authorization. | false |
extensions | object | | false |
match | []object | One or more match conditions (OR-ed). | false |
modify | object | One or more mutations to be performed before forwarding. | false |
redirect | object | Redirect the request to a different host or URL or both. | false |
route | object | Forward the request to the specified destination(s). | false |
API.spec.httpServers[index].routing.rules[index].directResponse
Return a fixed response.
Name | Type | Description | Required |
---|---|---|---|
status | integer | Specifies the HTTP response status to be returned. | true |
body | object | Specifies the content of the response body. | false |
API.spec.httpServers[index].routing.rules[index].directResponse.body
Specifies the content of the response body.
Name | Type | Description | Required |
---|---|---|---|
bytes | string | Response body as base64-encoded bytes. Format: binary | false |
string | string | | false |
API.spec.httpServers[index].routing.rules[index].extensions
Name | Type | Description | Required |
---|---|---|---|
composer | object | | false |
kong | object | Extend using Kong. | false |
API.spec.httpServers[index].routing.rules[index].extensions.composer
Name | Type | Description | Required |
---|---|---|---|
plugins | []object | List of plugins. | false |
API.spec.httpServers[index].routing.rules[index].extensions.composer.plugins[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Plugin name. | true |
config | object | Configuration for this plugin (Optional). | false |
pluginSource | object | Reference to a custom plugin that will be attached and enabled. | false |
priority | integer | Priority to be given to this plugin (Optional). | false |
API.spec.httpServers[index].routing.rules[index].extensions.composer.plugins[index].config
Configuration for this plugin (Optional).
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Obtain plugin config from the specified kubernetes configMap. | false |
inline | object | Provide plugin config inline in the | false |
secret | string | Obtain plugin config from the specified kubernetes secret. | false |
API.spec.httpServers[index].routing.rules[index].extensions.composer.plugins[index].pluginSource
Reference to a custom plugin that will be attached and enabled.
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Kubernetes ConfigMap containing the plugin files. | true |
API.spec.httpServers[index].routing.rules[index].extensions.kong
Extend using Kong.
Name | Type | Description | Required |
---|---|---|---|
plugins | []object | List of plugins. | false |
API.spec.httpServers[index].routing.rules[index].extensions.kong.plugins[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Plugin name. | true |
config | object | Configuration for this plugin (Optional). | false |
pluginSource | object | Reference to a custom plugin that will be attached and enabled. | false |
priority | integer | Priority to be given to this plugin (Optional). | false |
API.spec.httpServers[index].routing.rules[index].extensions.kong.plugins[index].config
Configuration for this plugin (Optional).
Name | Type | Description | Required |
---|---|---|---|
inline | object | Provide plugin config inline in the | false |
secret | string | | false |
API.spec.httpServers[index].routing.rules[index].extensions.kong.plugins[index].pluginSource
Reference to a custom plugin that will be attached and enabled.
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Kubernetes ConfigMap containing the plugin files. | true |
API.spec.httpServers[index].routing.rules[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
headers | map[string]object | The header keys must be lowercase and use hyphen as the separator, e.g. | false |
uri | object | URI to match. | false |
API.spec.httpServers[index].routing.rules[index].match[index].headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript style regex-based match. | false |
API.spec.httpServers[index].routing.rules[index].match[index].uri
URI to match.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript style regex-based match. | false |
API.spec.httpServers[index].routing.rules[index].modify
One or more mutations to be performed before forwarding.
Name | Type | Description | Required |
---|---|---|---|
headers | object | Add/remove/overwrite one or more HTTP headers in a request or response. | false |
rewrite | object | Rewrite the HTTP Host or URL or both. | false |
API.spec.httpServers[index].routing.rules[index].modify.headers
Add/remove/overwrite one or more HTTP headers in a request or response.
Name | Type | Description | Required |
---|---|---|---|
request | object | Header manipulation rules to apply before forwarding a request to the destination service. | false |
response | object | Header manipulation rules to apply before returning a response to the caller. | false |
API.spec.httpServers[index].routing.rules[index].modify.headers.request
Header manipulation rules to apply before forwarding a request to the destination service.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
API.spec.httpServers[index].routing.rules[index].modify.headers.response
Header manipulation rules to apply before returning a response to the caller.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
API.spec.httpServers[index].routing.rules[index].modify.rewrite
Rewrite the HTTP Host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | Rewrite the Authority/Host header with this value. | false |
uri | string | Rewrite the path (or the prefix) portion of the URI with this value. | false |
API.spec.httpServers[index].routing.rules[index].redirect
Redirect the request to a different host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. | false |
port | integer | | false |
redirectCode | integer | On a redirect, specifies the HTTP status code to use in the redirect response. | false |
scheme | string | On a redirect, overwrite the scheme with this one. | false |
uri | string | On a redirect, overwrite the Path portion of the URL with this value. | false |
API.spec.httpServers[index].routing.rules[index].route
Forward the request to the specified destination(s).
Name | Type | Description | Required |
---|---|---|---|
clusterDestination | object | RouteToClusters represents the clusters where the request needs to be routed to from the gateway. | false |
serviceDestination | object | RouteToService represents the service running in clusters. | false |
API.spec.httpServers[index].routing.rules[index].route.clusterDestination
RouteToClusters represents the clusters where the request needs to be routed to from the gateway.
Name | Type | Description | Required |
---|---|---|---|
clusters | []object | The destination clusters that contain ingress gateways exposing the hostname. | false |
API.spec.httpServers[index].routing.rules[index].route.clusterDestination.clusters[index]
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | Labels associated with the cluster. | false |
name | string | The name of the destination cluster. | false |
network | string | The network associated with the destination clusters. | false |
weight | integer | The weight for traffic to a given destination. | false |
API.spec.httpServers[index].routing.rules[index].route.serviceDestination
RouteToService represents the service running in clusters.
Name | Type | Description | Required |
---|---|---|---|
host | string | The destination service in | true |
port | integer | The port on the service to forward the request to. | false |
tls | object | The | false |
API.spec.httpServers[index].routing.rules[index].route.serviceDestination.tls
The ClientTLSSettings specifies how the gateway workload should establish connections to external services.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
API.spec.httpServers[index].routing.rules[index].route.serviceDestination.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
API.spec.httpServers[index].routing.corsPolicy
Cross origin resource request policy settings for all routes.
Name | Type | Description | Required |
---|---|---|---|
allowCredentials | boolean | Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. | false |
allowHeaders | []string | List of HTTP headers that can be used when requesting the resource. | false |
allowMethods | []string | List of HTTP methods allowed to access the resource. | false |
allowOrigin | []string | The list of origins that are allowed to perform CORS requests. | false |
exposeHeaders | []string | A white list of HTTP headers that the browsers are allowed to access. | false |
maxAge | string | Specifies how long the results of a preflight request can be cached. | false |
API.spec.httpServers[index].authentication
Authentication is used to configure the authentication of end-user credentials like JWT.
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules how to authenticate an HTTP request. | false |
API.spec.httpServers[index].authentication.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
API.spec.httpServers[index].authentication.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
API.spec.httpServers[index].authentication.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
API.spec.httpServers[index].authentication.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
API.spec.httpServers[index].authentication.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
API.spec.httpServers[index].authentication.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
API.spec.httpServers[index].authentication.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
API.spec.httpServers[index].authentication.rules
List of rules how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false |
API.spec.httpServers[index].authentication.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
API.spec.httpServers[index].authentication.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
API.spec.httpServers[index].authentication.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
API.spec.httpServers[index].authorization
Authorization is used to configure authorization of end users.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
API.spec.httpServers[index].authorization.external
Name | Type | Description | Required |
---|---|---|---|
allowedUpstreamHeaders | []string | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). | false |
includeRequestHeaders | []string | | false |
pathPrefix | string | Sets a prefix to the value of authorization request header Path. | false |
tls | object | | false |
uri | string | | false |
API.spec.httpServers[index].authorization.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
API.spec.httpServers[index].authorization.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
API.spec.httpServers[index].authorization.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
API.spec.httpServers[index].authorization.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
API.spec.httpServers[index].authorization.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
API.spec.httpServers[index].authorization.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
API.spec.httpServers[index].authorization.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
API.spec.httpServers[index].extensions
Configure extensions for this hostname.
Name | Type | Description | Required |
---|---|---|---|
composer | object | | false |
kong | object | Extend using Kong. | false |
API.spec.httpServers[index].extensions.composer
Name | Type | Description | Required |
---|---|---|---|
plugins | []object | List of plugins. | false |
API.spec.httpServers[index].extensions.composer.plugins[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Plugin name. | true |
config | object | Configuration for this plugin (Optional). | false |
pluginSource | object | Reference to a custom plugin that will be attached and enabled. | false |
priority | integer | Priority to be given to this plugin (Optional). | false |
API.spec.httpServers[index].extensions.composer.plugins[index].config
Configuration for this plugin (Optional).
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Obtain plugin config from the specified kubernetes configMap. | false |
inline | object | Provide plugin config inline in the | false |
secret | string | Obtain plugin config from the specified kubernetes secret. | false |
API.spec.httpServers[index].extensions.composer.plugins[index].pluginSource
Reference to a custom plugin that will be attached and enabled.
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Kubernetes ConfigMap containing the plugin files. | true |
API.spec.httpServers[index].extensions.kong
Extend using Kong.
Name | Type | Description | Required |
---|---|---|---|
plugins | []object | List of plugins. | false |
API.spec.httpServers[index].extensions.kong.plugins[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Plugin name. | true |
config | object | Configuration for this plugin (Optional). | false |
pluginSource | object | Reference to a custom plugin that will be attached and enabled. | false |
priority | integer | Priority to be given to this plugin (Optional). | false |
API.spec.httpServers[index].extensions.kong.plugins[index].config
Configuration for this plugin (Optional).
Name | Type | Description | Required |
---|---|---|---|
inline | object | Provide plugin config inline in the | false |
secret | string | | false |
API.spec.httpServers[index].extensions.kong.plugins[index].pluginSource
Reference to a custom plugin that will be attached and enabled.
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Kubernetes ConfigMap containing the plugin files. | true |
API.spec.httpServers[index].failoverSettings
Failover settings for all clients that try to access the hostname defined in this section.
Name | Type | Description | Required |
---|---|---|---|
automaticLoadBalancing | object | | false |
failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false |
regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false |
topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false |
API.spec.httpServers[index].failoverSettings.automaticLoadBalancing
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | Whether to enable automatic load balancing. | false |
API.spec.httpServers[index].failoverSettings.regionalFailover[index]
Name | Type | Description | Required |
---|---|---|---|
from | string | Originating region. | false |
to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false |
API.spec.httpServers[index].openapi
OpenAPI configuration for the HTTP server.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The fqn of the API that holds the OpenAPI spec document. | false |
validation | object | Validation options for the OpenAPI document. | false |
API.spec.httpServers[index].openapi.validation
Validation options for the OpenAPI document.
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | If set to true, the OpenAPI document is enabled for validation. | false |
pathPrefix | string | Prefix to add to the paths in the OpenAPI doc before matching against incoming requests. | false |
API.spec.httpServers[index].rateLimiting
Configuration for rate limiting requests.
Name | Type | Description | Required |
---|---|---|---|
externalService | object | Configure ratelimiting using an external ratelimit server. | false |
settings | object | | false |
API.spec.httpServers[index].rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
Name | Type | Description | Required |
---|---|---|---|
domain | string | The rate limit domain to use when calling the rate limit service. | true |
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true |
rules | []object | A set of rate limit rules. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false |
API.spec.httpServers[index].rateLimiting.externalService.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true |
API.spec.httpServers[index].rateLimiting.externalService.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
destinationCluster | object | Rate limit on destination envoy cluster. | false |
headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
remoteAddress | object | Rate limit on remote address of client. | false |
requestHeaders | object | Rate limit on the value of certain request headers. | false |
sourceCluster | object | Rate limit on source envoy cluster. | false |
API.spec.httpServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorValue | string | The value to use in the descriptor entry. | true |
headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
API.spec.httpServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript style regex-based match. | false |
API.spec.httpServers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorKey | string | The key to use in the descriptor entry. | true |
headerName | string | The header name to be queried from the request headers. | true |
API.spec.httpServers[index].rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
API.spec.httpServers[index].rateLimiting.externalService.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
API.spec.httpServers[index].rateLimiting.settings
Name | Type | Description | Required |
---|---|---|---|
rules | []object | A list of rules for ratelimiting. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the rate limit server RPC. | false |
API.spec.httpServers[index].rateLimiting.settings.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions to define each ratelimit rule. | true |
limit | object | The ratelimit value that will be configured for the above rules. | true |
API.spec.httpServers[index].rateLimiting.settings.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
header | object | Rate limit on certain HTTP headers. | false |
remoteAddress | object | Rate limit on the remote address of client. | false |
API.spec.httpServers[index].rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the header to match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
value | object | Value of the header to match on if matching on a specific value. | false |
API.spec.httpServers[index].rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
API.spec.httpServers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
Name | Type | Description | Required |
---|---|---|---|
value | string | Ratelimit on a specific remote address. | true |
API.spec.httpServers[index].rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
Name | Type | Description | Required |
---|---|---|---|
requestsPerUnit | integer | Specifies the value of the rate limit. | true |
unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true |
API.spec.httpServers[index].tls
TLS certificate info.
Name | Type | Description | Required |
---|---|---|---|
cipherSuites | []string | List of cipher suites to be used for TLS connections. | false |
files | object | Load the keys and certificates from files accessible to the ingress gateway workload. | false |
maxProtocolVersion | enum | Set the maximum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
minProtocolVersion | enum | Set the minimum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
mode | enum | Set this to SIMPLE or MUTUAL for one-way TLS or mutual TLS, respectively. Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL | false |
secretName | string | The name of the secret in Kubernetes that holds the TLS certs including the CA certificates. | false |
subjectAltNames | []string | List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake. | false |
API.spec.httpServers[index].tls.files
Load the keys and certificates from files accessible to the ingress gateway workload.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | | false |
privateKey | string | | false |
serverCertificate | string | | false |
API.spec.servers[index]
Name | Type | Description | Required |
---|---|---|---|
hostname | string | Hostname with which the service can be expected to be accessed by clients. | true |
name | string | A name assigned to the server. | true |
port | integer | The port where the server is exposed. | true |
routing | object | Routing rules associated with HTTP traffic to this service. | true |
authentication | object | Configuration to authenticate clients. | false |
authorization | object | Configuration to authorize a request. | false |
rateLimiting | object | Configuration for rate limiting requests. | false |
tls | object | TLS certificate info. | false |
xxxOldAuthentication | object | | false |
xxxOldAuthorization | object | | false |
API.spec.servers[index].routing
Routing rules associated with HTTP traffic to this service.
Name | Type | Description | Required |
---|---|---|---|
rules | []object | HTTP routes. | true |
corsPolicy | object | Cross origin resource request policy settings for all routes. | false |
API.spec.servers[index].routing.rules[index]
Name | Type | Description | Required |
---|---|---|---|
directResponse | object | Return a fixed response. | false |
match | []object | One or more match conditions (OR-ed). | false |
modify | object | One or more mutations to be performed before forwarding. | false |
redirect | object | Redirect the request to a different host or URL or both. | false |
route | object | Forward the request to the specified destination(s). | false |
API.spec.servers[index].routing.rules[index].directResponse
Return a fixed response.
Name | Type | Description | Required |
---|---|---|---|
status | integer | Specifies the HTTP response status to be returned. | true |
body | object | Specifies the content of the response body. | false |
API.spec.servers[index].routing.rules[index].directResponse.body
Specifies the content of the response body.
Name | Type | Description | Required |
---|---|---|---|
bytes | string | Response body as base64-encoded bytes. Format: binary | false |
string | string | | false |
API.spec.servers[index].routing.rules[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
headers | map[string]object | The header keys must be lowercase and use hyphen as the separator, e.g. | false |
uri | object | URI to match. | false |
API.spec.servers[index].routing.rules[index].match[index].headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
API.spec.servers[index].routing.rules[index].match[index].uri
URI to match.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
API.spec.servers[index].routing.rules[index].modify
One or more mutations to be performed before forwarding.
Name | Type | Description | Required |
---|---|---|---|
headers | object | Add/remove/overwrite one or more HTTP headers in a request or response. | false |
rewrite | object | Rewrite the HTTP Host or URL or both. | false |
API.spec.servers[index].routing.rules[index].modify.headers
Add/remove/overwrite one or more HTTP headers in a request or response.
Name | Type | Description | Required |
---|---|---|---|
request | object | Header manipulation rules to apply before forwarding a request to the destination service. | false |
response | object | Header manipulation rules to apply before returning a response to the caller. | false |
API.spec.servers[index].routing.rules[index].modify.headers.request
Header manipulation rules to apply before forwarding a request to the destination service.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
API.spec.servers[index].routing.rules[index].modify.headers.response
Header manipulation rules to apply before returning a response to the caller.
Name | Type | Description | Required |
---|---|---|---|
add | map[string]string | Append the given values to the headers specified by keys (will create a comma-separated list of values). | false |
remove | []string | Remove the specified headers. | false |
set | map[string]string | Overwrite the headers specified by key with the given values. | false |
API.spec.servers[index].routing.rules[index].modify.rewrite
Rewrite the HTTP Host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | Rewrite the Authority/Host header with this value. | false |
uri | string | Rewrite the path (or the prefix) portion of the URI with this value. | false |
API.spec.servers[index].routing.rules[index].redirect
Redirect the request to a different host or URL or both.
Name | Type | Description | Required |
---|---|---|---|
authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. | false |
port | integer | | false |
redirectCode | integer | On a redirect, specifies the HTTP status code to use in the redirect response. | false |
scheme | string | On a redirect, overwrite the scheme with this one. | false |
uri | string | On a redirect, overwrite the Path portion of the URL with this value. | false |
API.spec.servers[index].routing.rules[index].route
Forward the request to the specified destination(s).
Name | Type | Description | Required |
---|---|---|---|
host | string | The destination service in | true |
port | integer | The port on the service to forward the request to. | false |
API.spec.servers[index].routing.corsPolicy
Cross origin resource request policy settings for all routes.
Name | Type | Description | Required |
---|---|---|---|
allowCredentials | boolean | Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. | false |
allowHeaders | []string | List of HTTP headers that can be used when requesting the resource. | false |
allowMethods | []string | List of HTTP methods allowed to access the resource. | false |
allowOrigin | []string | The list of origins that are allowed to perform CORS requests. | false |
exposeHeaders | []string | A white list of HTTP headers that the browsers are allowed to access. | false |
maxAge | string | Specifies how long the results of a preflight request can be cached. | false |
API.spec.servers[index].authentication
Configuration to authenticate clients.
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules on how to authenticate an HTTP request. | false |
API.spec.servers[index].authentication.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
API.spec.servers[index].authentication.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
API.spec.servers[index].authentication.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
API.spec.servers[index].authentication.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters (for example, %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback). This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
API.spec.servers[index].authentication.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
API.spec.servers[index].authentication.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
API.spec.servers[index].authentication.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
API.spec.servers[index].authentication.rules
List of rules on how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules on how to authenticate an HTTP request from a JWT Token attached to it. | false |
API.spec.servers[index].authentication.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
API.spec.servers[index].authentication.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
API.spec.servers[index].authentication.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
API.spec.servers[index].authorization
Configuration to authorize a request.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
API.spec.servers[index].authorization.external
Name | Type | Description | Required |
---|---|---|---|
allowedUpstreamHeaders | []string | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). | false |
includeRequestHeaders | []string | | false |
pathPrefix | string | Sets a prefix to the value of authorization request header Path. | false |
tls | object | | false |
uri | string | | false |
API.spec.servers[index].authorization.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
API.spec.servers[index].authorization.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
API.spec.servers[index].authorization.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
API.spec.servers[index].authorization.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
API.spec.servers[index].authorization.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
API.spec.servers[index].authorization.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
API.spec.servers[index].authorization.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
API.spec.servers[index].rateLimiting
Configuration for rate limiting requests.
Name | Type | Description | Required |
---|---|---|---|
externalService | object | Configure ratelimiting using an external ratelimit server. | false |
settings | object | | false |
API.spec.servers[index].rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
Name | Type | Description | Required |
---|---|---|---|
domain | string | The rate limit domain to use when calling the rate limit service. | true |
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true |
rules | []object | A set of rate limit rules. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false |
API.spec.servers[index].rateLimiting.externalService.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true |
API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
destinationCluster | object | Rate limit on destination envoy cluster. | false |
headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
remoteAddress | object | Rate limit on remote address of client. | false |
requestHeaders | object | Rate limit on the value of certain request headers. | false |
sourceCluster | object | Rate limit on source envoy cluster. | false |
API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorValue | string | The value to use in the descriptor entry. | true |
headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorKey | string | The key to use in the descriptor entry. | true |
headerName | string | The header name to be queried from the request headers. | true |
API.spec.servers[index].rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
API.spec.servers[index].rateLimiting.externalService.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
API.spec.servers[index].rateLimiting.settings
Name | Type | Description | Required |
---|---|---|---|
rules | []object | A list of rules for ratelimiting. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the rate limit server RPC. | false |
API.spec.servers[index].rateLimiting.settings.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions to define each ratelimit rule. | true |
limit | object | The ratelimit value that will be configured for the above rules. | true |
API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
header | object | Rate limit on certain HTTP headers. | false |
remoteAddress | object | Rate limit on the remote address of client. | false |
API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the header to match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
value | object | Value of the header to match on if matching on a specific value. | false |
API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
Name | Type | Description | Required |
---|---|---|---|
value | string | Ratelimit on a specific remote address. | true |
API.spec.servers[index].rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
Name | Type | Description | Required |
---|---|---|---|
requestsPerUnit | integer | Specifies the value of the rate limit. | true |
unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true |
API.spec.servers[index].tls
TLS certificate info.
Name | Type | Description | Required |
---|---|---|---|
cipherSuites | []string | List of cipher suites to be used for TLS connections. | false |
files | object | Load the keys and certificates from files accessible to the ingress gateway workload. | false |
maxProtocolVersion | enum | Set the maximum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
minProtocolVersion | enum | Set the minimum supported TLS protocol version. Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 | false |
mode | enum | Set this to SIMPLE or MUTUAL for one-way TLS or mutual TLS, respectively. Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL | false |
secretName | string | The name of the secret in Kubernetes that holds the TLS certs including the CA certificates. | false |
subjectAltNames | []string | List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake. | false |
API.spec.servers[index].tls.files
Load the keys and certificates from files accessible to the ingress gateway workload.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | | false |
privateKey | string | | false |
serverCertificate | string | | false |
API.spec.servers[index].xxxOldAuthentication
Name | Type | Description | Required |
---|---|---|---|
jwt | object | | false |
API.spec.servers[index].xxxOldAuthentication.jwt
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
API.spec.servers[index].xxxOldAuthorization
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
API.spec.servers[index].xxxOldAuthorization.external
Name | Type | Description | Required |
---|---|---|---|
includeRequestHeaders | []string | | false |
uri | string | | false |
API.spec.servers[index].xxxOldAuthorization.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
API.spec.servers[index].xxxOldAuthorization.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
API.spec.servers[index].xxxOldAuthorization.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
API.spec.servers[index].xxxOldAuthorization.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
API.spec.servers[index].xxxOldAuthorization.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
API.spec.workloadSelector
Optional selector to specify the gateway workloads (pod labels and Kubernetes namespace) under the application gateway group that should be configured with this gateway.
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | One or more labels that indicate a specific set of pods/VMs in the namespace. | true |
namespace | string | The namespace where the workload resides. | true |
Application
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | application.tsb.tetrate.io/v2 | true |
kind | string | Application | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | An Application represents a set of logical groupings of services that are related to each other and expose a set of APIs that implement a complete set of business logic. | false |
status | object | | false |
Application.spec
An Application represents a set of logical groupings of services that are related to each other and expose a set of APIs that implement a complete set of business logic.
Name | Type | Description | Required |
---|---|---|---|
workspace | string | FQN of the workspace this application is part of. | true |
configResources | []object | | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
gatewayGroup | string | Optional FQN of the Gateway Group to be used by the application. | false |
namespaceSelector | object | Optional set of namespaces this application can configure. | false |
services | []string | Optional list of services that are part of the application. | false |
Application.spec.configResources[index]
Name | Type | Description | Required |
---|---|---|---|
exclusivelyOwned | boolean | The exclusively owned flag indicates if the referenced configuration resource is exclusively owned by the object. | false |
expectedEtag | string | The expected etag field is used to check if the configuration resource contents have changed. | false |
fqn | string | The FQN of the resource this status is computed for. | false |
Application.spec.namespaceSelector
Optional set of namespaces this application can configure.
Name | Type | Description | Required |
---|---|---|---|
names | []string | Under the tenant/workspace/group: - | true |