Skip to main content
logoTetrate Service BridgeVersion: 1.12.x

gateway.tsb.tetrate.io/v2

Resource Types:

EgressGateway

↩ Parent

NameTypeDescriptionRequired
apiVersionstringgateway.tsb.tetrate.io/v2true
kindstringEgressGatewaytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

EgressGateway configures a workload to act as an egress gateway in the mesh.

false
statusobject
false

EgressGateway.spec

↩ Parent

EgressGateway configures a workload to act as an egress gateway in the mesh.

NameTypeDescriptionRequired
workloadSelectorobject

Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.

true
authorization[]object

The description of which service accounts can access which hosts.

false
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
extension[]object

Extensions specifies all the WasmExtensions assigned to this EgressGateway with the specific configuration for each extension.

false
fqnstring

Fully-qualified name of the resource.

false

EgressGateway.spec.workloadSelector

↩ Parent

Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.

NameTypeDescriptionRequired
labelsmap[string]string

One or more labels that indicate a specific set of pods/VMs in the namespace.

true
namespacestring

The namespace where the workload resides.

true

EgressGateway.spec.authorization[index]

↩ Parent

NameTypeDescriptionRequired
to[]string

The external hostnames the workload(s) described in this rule can access.

true
fromobject

The workloads or service accounts this authorization rule applies to.

false

EgressGateway.spec.authorization[index].from

↩ Parent

The workloads or service accounts this authorization rule applies to.

NameTypeDescriptionRequired
httpobject

This is for configuring HTTP request authorization.

false
identityMatchenum

identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service.


Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY

false
modeenum

A short cut for specifying the set of allowed callers.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES

false
rulesobject

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

false
serviceAccounts[]string

When the mode is CUSTOM, serviceAccounts specify the allowed set of service accounts (and the workloads using them).

false

EgressGateway.spec.authorization[index].from.http

↩ Parent

This is for configuring HTTP request authorization.

NameTypeDescriptionRequired
externalobject
false
localobject
false

EgressGateway.spec.authorization[index].from.http.external

↩ Parent

NameTypeDescriptionRequired
allowedUpstreamHeaders[]string

List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200).

false
includeRequestHeaders[]string
false
pathPrefixstring

Sets a prefix to the value of authorization request header Path.

false
tlsobject
false
uristring
false

EgressGateway.spec.authorization[index].from.http.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

EgressGateway.spec.authorization[index].from.http.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

EgressGateway.spec.authorization[index].from.http.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

EgressGateway.spec.authorization[index].from.http.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
namestring

A friendly name to identify the binding.

true
from[]object

Subjects configure the actors (end users, other services) that are allowed to access the target resource.

false
to[]object

A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.

false

EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

EgressGateway.spec.authorization[index].from.http.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

EgressGateway.spec.authorization[index].from.rules

↩ Parent

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

NameTypeDescriptionRequired
allow[]object

Allow specifies a list of rules.

false
deny[]object

Deny specifies a list of rules.

false
denyAllboolean

Deny all specifies whether all requests should be rejected.

false

EgressGateway.spec.authorization[index].from.rules.allow[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

true
toobject

To specifies the destination of a request.

true

EgressGateway.spec.authorization[index].from.rules.allow[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

EgressGateway.spec.authorization[index].from.rules.allow[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

EgressGateway.spec.authorization[index].from.rules.deny[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

true
toobject

To specifies the destination of a request.

true

EgressGateway.spec.authorization[index].from.rules.deny[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

EgressGateway.spec.authorization[index].from.rules.deny[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

EgressGateway.spec.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

EgressGateway.spec.extension[index]

↩ Parent

NameTypeDescriptionRequired
fqnstring

Fqn of the extension to be executed.

true
configobject

Configuration parameters sent to the WASM plugin execution.

false
match[]object

Specifies the criteria to determine which traffic is passed to WasmExtension.

false

EgressGateway.spec.extension[index].match[index]

↩ Parent

NameTypeDescriptionRequired
modeenum

Criteria for selecting traffic by their direction.


Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER

false
ports[]object

Criteria for selecting traffic by their destination port.

false

EgressGateway.spec.extension[index].match[index].ports[index]

↩ Parent

NameTypeDescriptionRequired
numberinteger
true

Gateway

↩ Parent

NameTypeDescriptionRequired
apiVersionstringgateway.tsb.tetrate.io/v2true
kindstringGatewaytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

The Gateway configuration combines the functionalities of both the existing Tier1Gateway and IngressGateway, providing a unified approach for configuring a workload as a gateway in the mesh.

false
statusobject
false

Gateway.spec

↩ Parent

The Gateway configuration combines the functionalities of both the existing Tier1Gateway and IngressGateway, providing a unified approach for configuring a workload as a gateway in the mesh.

NameTypeDescriptionRequired
workloadSelectorobject

Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.

true
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
egressAuthorization[]object

External services are onboarded into the mesh via service entry, and these services are exposed on the Gateway for egress access.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
http[]object

One or more HTTP or HTTPS servers exposed by the gateway.

false
tcp[]object

One or more non-HTTP and non-passthrough servers which use TCP based protocols.

false
tls[]object

One or more TLS servers exposed by the gateway.

false
wafobject

WAF settings to be enabled for traffic passing through the HttpServer.

false
wasmPlugins[]object

WasmPlugins specifies all the WasmExtensionAttachment assigned to this Gateway with the specific configuration for each plugin.

false

Gateway.spec.workloadSelector

↩ Parent

Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.

NameTypeDescriptionRequired
labelsmap[string]string

One or more labels that indicate a specific set of pods/VMs in the namespace.

true
namespacestring

The namespace where the workload resides.

true

Gateway.spec.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

Gateway.spec.egressAuthorization[index]

↩ Parent

NameTypeDescriptionRequired
to[]object

The set of hostnames exposed on the Gateway through which external hosts can be accessed.

true
fromobject

Specifies the source workloads or service accounts for this authorization rule.

false
identityMatchenum

IdentityMatch defines the client identity used for evaluating the authorization rules.


Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY

false

Gateway.spec.egressAuthorization[index].to[index]

↩ Parent

NameTypeDescriptionRequired
hostobject

External host.

true
methods[]string

The HTTP methods allowed by this rule, e.g., ["GET", "HEAD"].

false
paths[]string

The request paths allowed for access, e.g., ["/accounts", "/info*", "/user/profile/*"].

false

Gateway.spec.egressAuthorization[index].to[index].host

↩ Parent

External host.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Gateway.spec.egressAuthorization[index].from

↩ Parent

Specifies the source workloads or service accounts for this authorization rule.

NameTypeDescriptionRequired
modeenum

A shortcut for specifying the set of allowed callers.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, SERVICE_ACCOUNT

false
resources[]string

resources specify the allowed set of resources using TSB FQNs.

false
serviceAccounts[]string

serviceAccounts specify the allowed set of service accounts (and the workloads using them).

false

Gateway.spec.http[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

true
namestring

A name assigned to the server.

true
routingobject

Routing rules associated with HTTP traffic to this server.

true
authenticationobject

Authentication is used to configure the authentication of end-user credentials like JWT.

false
authorizationobject

Authorization is used to configure authorization of end users.

false
extensionsobject

Configure extensions for this hostname.

false
failoverSettingsobject

Failover settings for all clients that try to access the hostname defined in this section.

false
openapiobject

OpenAPI configuration for the HTTP server.

false
portinteger

The port where the server is exposed at the gateway workload(pod).

false
rateLimitingobject

Configuration for rate limiting requests.

false
tlsobject

TLS certificate info.

false
trafficModeenum

Traffic mode specifies the type of configuration applied to this server.


Enum: AUTO, INGRESS, EGRESS, TRANSIT

false
transitboolean

If set to true, the server is configured to be exposed within the mesh.

false

Gateway.spec.http[index].routing

↩ Parent

Routing rules associated with HTTP traffic to this server.

NameTypeDescriptionRequired
rules[]object

HTTP routes.

true
corsPolicyobject

Cross origin resource request policy settings for all routes.

false

Gateway.spec.http[index].routing.rules[index]

↩ Parent

NameTypeDescriptionRequired
directResponseobject

Return a fixed response.

false
disableExternalAuthorizationboolean

If set to true, external authorization is disabled on this route when the hostname is configured with external authorization.

false
extensionsobject
false
match[]object

One or more match conditions (OR-ed).

false
modifyobject

One or more mutations to be performed before forwarding.

false
redirectobject

Redirect the request to a different host or URL or both.

false
routeobject

Forward the request to the specified destination(s).

false

Gateway.spec.http[index].routing.rules[index].directResponse

↩ Parent

Return a fixed response.

NameTypeDescriptionRequired
statusinteger

Specifies the HTTP response status to be returned.

true
bodyobject

Specifies the content of the response body.

false

Gateway.spec.http[index].routing.rules[index].directResponse.body

↩ Parent

Specifies the content of the response body.

NameTypeDescriptionRequired
bytesstring

response body as base64 encoded bytes.


Format: binary

false
stringstring
false

Gateway.spec.http[index].routing.rules[index].extensions

↩ Parent

NameTypeDescriptionRequired
composerobject
false
kongobject

Extend using Kong.

false

Gateway.spec.http[index].routing.rules[index].extensions.composer

↩ Parent

NameTypeDescriptionRequired
plugins[]object

List of plugins.

false

Gateway.spec.http[index].routing.rules[index].extensions.composer.plugins[index]

↩ Parent

NameTypeDescriptionRequired
namestring

Plugin name.

true
configobject

Configuration for this plugin (Optional).

false
pluginSourceobject

Reference to a custom plugin that will be attached and enabled.

false
priorityinteger

Priority to be given to this plugin (Optional).

false

Gateway.spec.http[index].routing.rules[index].extensions.composer.plugins[index].config

↩ Parent

Configuration for this plugin (Optional).

NameTypeDescriptionRequired
configMapstring

Obtain plugin config from the specified kubernetes configMap.

false
inlineobject

Provide plugin config inline in the yaml format.

false
secretstring

Obtain plugin config from the specified kubernetes secret.

false

Gateway.spec.http[index].routing.rules[index].extensions.composer.plugins[index].pluginSource

↩ Parent

Reference to a custom plugin that will be attached and enabled.

NameTypeDescriptionRequired
configMapstring

Kubernetes ConfigMap containing the plugin files.

true

Gateway.spec.http[index].routing.rules[index].extensions.kong

↩ Parent

Extend using Kong.

NameTypeDescriptionRequired
plugins[]object

List of plugins.

false

Gateway.spec.http[index].routing.rules[index].extensions.kong.plugins[index]

↩ Parent

NameTypeDescriptionRequired
namestring

Plugin name.

true
configobject

Configuration for this plugin (Optional).

false
pluginSourceobject

Reference to a custom plugin that will be attached and enabled.

false
priorityinteger

Priority to be given to this plugin (Optional).

false

Gateway.spec.http[index].routing.rules[index].extensions.kong.plugins[index].config

↩ Parent

Configuration for this plugin (Optional).

NameTypeDescriptionRequired
inlineobject

Provide plugin config inline in the yaml format.

false
secretstring
false

Gateway.spec.http[index].routing.rules[index].extensions.kong.plugins[index].pluginSource

↩ Parent

Reference to a custom plugin that will be attached and enabled.

NameTypeDescriptionRequired
configMapstring

Kubernetes ConfigMap containing the plugin files.

true

Gateway.spec.http[index].routing.rules[index].match[index]

↩ Parent

NameTypeDescriptionRequired
headersmap[string]object

The header keys must be lowercase and use hyphen as the separator, e.g.

false
uriobject

URI to match.

false

Gateway.spec.http[index].routing.rules[index].match[index].headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Gateway.spec.http[index].routing.rules[index].match[index].uri

↩ Parent

URI to match.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Gateway.spec.http[index].routing.rules[index].modify

↩ Parent

One or more mutations to be performed before forwarding.

NameTypeDescriptionRequired
headersobject

Add/remove/overwrite one or more HTTP headers in a request or response.

false
rewriteobject

Rewrite the HTTP Host or URL or both.

false

Gateway.spec.http[index].routing.rules[index].modify.headers

↩ Parent

Add/remove/overwrite one or more HTTP headers in a request or response.

NameTypeDescriptionRequired
requestobject

Header manipulation rules to apply before forwarding a request to the destination service.

false
responseobject

Header manipulation rules to apply before returning a response to the caller.

false

Gateway.spec.http[index].routing.rules[index].modify.headers.request

↩ Parent

Header manipulation rules to apply before forwarding a request to the destination service.

NameTypeDescriptionRequired
addmap[string]string

Append the given values to the headers specified by keys (will create a comma-separated list of values).

false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

Gateway.spec.http[index].routing.rules[index].modify.headers.response

↩ Parent

Header manipulation rules to apply before returning a response to the caller.

NameTypeDescriptionRequired
addmap[string]string

Append the given values to the headers specified by keys (will create a comma-separated list of values).

false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

Gateway.spec.http[index].routing.rules[index].modify.rewrite

↩ Parent

Rewrite the HTTP Host or URL or both.

NameTypeDescriptionRequired
authoritystring

Rewrite the Authority/Host header with this value.

false
uristring

Rewrite the path (or the prefix) portion of the URI with this value.

false

Gateway.spec.http[index].routing.rules[index].redirect

↩ Parent

Redirect the request to a different host or URL or both.

NameTypeDescriptionRequired
authoritystring

On a redirect, overwrite the Authority/Host portion of the URL with this value.

false
portinteger
false
redirectCodeinteger

On a redirect, Specifies the HTTP status code to use in the redirect response.

false
schemestring

On a redirect, overwrite the scheme with this one.

false
uristring

On a redirect, overwrite the Path portion of the URL with this value.

false

Gateway.spec.http[index].routing.rules[index].route

↩ Parent

Forward the request to the specified destination(s).

NameTypeDescriptionRequired
clusterDestinationobject

RouteToClusters represents the clusters where the request needs to be routed to from the gateway.

false
serviceDestinationobject

RouteToService represents the service running in clusters.

false

Gateway.spec.http[index].routing.rules[index].route.clusterDestination

↩ Parent

RouteToClusters represents the clusters where the request needs to be routed to from the gateway.

NameTypeDescriptionRequired
clusters[]object

The destination clusters that contain ingress gateways exposing the hostname.

false

Gateway.spec.http[index].routing.rules[index].route.clusterDestination.clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.

false

Gateway.spec.http[index].routing.rules[index].route.serviceDestination

↩ Parent

RouteToService represents the service running in clusters.

NameTypeDescriptionRequired
hoststring

The destination service in &#003C;namespace&#003E;/&#003C;fqdn&#003E;.

true
portinteger

The port on the service to forward the request to.

false
tlsobject

The ClientTLSSettings specifies how the gateway workload should establish connections to external services.

false

Gateway.spec.http[index].routing.rules[index].route.serviceDestination.tls

↩ Parent

The ClientTLSSettings specifies how the gateway workload should establish connections to external services.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Gateway.spec.http[index].routing.rules[index].route.serviceDestination.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Gateway.spec.http[index].routing.corsPolicy

↩ Parent

Cross origin resource request policy settings for all routes.

NameTypeDescriptionRequired
allowCredentialsboolean

Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials.

false
allowHeaders[]string

List of HTTP headers that can be used when requesting the resource.

false
allowMethods[]string

List of HTTP methods allowed to access the resource.

false
allowOrigin[]string

The list of origins that are allowed to perform CORS requests.

false
exposeHeaders[]string

A white list of HTTP headers that the browsers are allowed to access.

false
maxAgestring

Specifies how long the results of a preflight request can be cached.

false

Gateway.spec.http[index].authentication

↩ Parent

Authentication is used to configure the authentication of end-user credentials like JWT.

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

Gateway.spec.http[index].authentication.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Gateway.spec.http[index].authentication.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Gateway.spec.http[index].authentication.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Gateway.spec.http[index].authentication.oidc

↩ Parent

NameTypeDescriptionRequired
clientIdstring

The client_id to be used in the authorize calls.

true
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

true
providerobject

The OIDC Provider configuration.

true
redirectUristring

The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.

true
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
redirectPathMatcherstring

Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false
useRefreshTokenboolean

Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that.

false

Gateway.spec.http[index].authentication.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
issuerstring

The OIDC Provider's issuer identifier.

true
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tlsobject

The TLS settings used by the clients to connect with the OIDC provider.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

Gateway.spec.http[index].authentication.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Gateway.spec.http[index].authentication.oidc.provider.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Gateway.spec.http[index].authentication.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

Gateway.spec.http[index].authentication.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Gateway.spec.http[index].authentication.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Gateway.spec.http[index].authentication.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Gateway.spec.http[index].authorization

↩ Parent

Authorization is used to configure authorization of end users.

NameTypeDescriptionRequired
externalobject
false
localobject
false

Gateway.spec.http[index].authorization.external

↩ Parent

NameTypeDescriptionRequired
allowedUpstreamHeaders[]string

List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200).

false
includeRequestHeaders[]string
false
pathPrefixstring

Sets a prefix to the value of authorization request header Path.

false
tlsobject
false
uristring
false

Gateway.spec.http[index].authorization.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Gateway.spec.http[index].authorization.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Gateway.spec.http[index].authorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

Gateway.spec.http[index].authorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
namestring

A friendly name to identify the binding.

true
from[]object

Subjects configure the actors (end users, other services) that are allowed to access the target resource.

false
to[]object

A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.

false

Gateway.spec.http[index].authorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

Gateway.spec.http[index].authorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

Gateway.spec.http[index].authorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

Gateway.spec.http[index].extensions

↩ Parent

Configure extensions for this hostname.

NameTypeDescriptionRequired
composerobject
false
kongobject

Extend using Kong.

false

Gateway.spec.http[index].extensions.composer

↩ Parent

NameTypeDescriptionRequired
plugins[]object

List of plugins.

false

Gateway.spec.http[index].extensions.composer.plugins[index]

↩ Parent

NameTypeDescriptionRequired
namestring

Plugin name.

true
configobject

Configuration for this plugin (Optional).

false
pluginSourceobject

Reference to a custom plugin that will be attached and enabled.

false
priorityinteger

Priority to be given to this plugin (Optional).

false

Gateway.spec.http[index].extensions.composer.plugins[index].config

↩ Parent

Configuration for this plugin (Optional).

NameTypeDescriptionRequired
configMapstring

Obtain plugin config from the specified kubernetes configMap.

false
inlineobject

Provide plugin config inline in the yaml format.

false
secretstring

Obtain plugin config from the specified kubernetes secret.

false

Gateway.spec.http[index].extensions.composer.plugins[index].pluginSource

↩ Parent

Reference to a custom plugin that will be attached and enabled.

NameTypeDescriptionRequired
configMapstring

Kubernetes ConfigMap containing the plugin files.

true

Gateway.spec.http[index].extensions.kong

↩ Parent

Extend using Kong.

NameTypeDescriptionRequired
plugins[]object

List of plugins.

false

Gateway.spec.http[index].extensions.kong.plugins[index]

↩ Parent

NameTypeDescriptionRequired
namestring

Plugin name.

true
configobject

Configuration for this plugin (Optional).

false
pluginSourceobject

Reference to a custom plugin that will be attached and enabled.

false
priorityinteger

Priority to be given to this plugin (Optional).

false

Gateway.spec.http[index].extensions.kong.plugins[index].config

↩ Parent

Configuration for this plugin (Optional).

NameTypeDescriptionRequired
inlineobject

Provide plugin config inline in the yaml format.

false
secretstring
false

Gateway.spec.http[index].extensions.kong.plugins[index].pluginSource

↩ Parent

Reference to a custom plugin that will be attached and enabled.

NameTypeDescriptionRequired
configMapstring

Kubernetes ConfigMap containing the plugin files.

true

Gateway.spec.http[index].failoverSettings

↩ Parent

Failover settings for all clients that try to access the hostname defined in this section.

NameTypeDescriptionRequired
automaticLoadBalancingobject
false
failoverPriority[]string

FailoverPriority specifies the failover priority for traffic.

false
regionalFailover[]object

Locality routing settings for all gateways in the Workspace/Organization for which this is defined.

false
topologyChoiceenum

TopologyChoice specifies the topology preference for traffic priority.


Enum: NONE, CLUSTER, LOCALITY

false

Gateway.spec.http[index].failoverSettings.automaticLoadBalancing

↩ Parent

NameTypeDescriptionRequired
enabledboolean

Whether to enable automatic load balancing.

false

Gateway.spec.http[index].failoverSettings.regionalFailover[index]

↩ Parent

NameTypeDescriptionRequired
fromstring

Originating region.

false
tostring

Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.

false

Gateway.spec.http[index].openapi

↩ Parent

OpenAPI configuration for the HTTP server.

NameTypeDescriptionRequired
fqnstring

The fqn of the API that holds the OpenAPI spec document.

false
validationobject

Validation options for the OpenAPI document.

false

Gateway.spec.http[index].openapi.validation

↩ Parent

Validation options for the OpenAPI document.

NameTypeDescriptionRequired
enabledboolean

If set to true, the OpenAPI document is enabled for validation.

false
pathPrefixstring

Prefix to add to the paths in the OpenAPI doc before matching against incoming requests.

false

Gateway.spec.http[index].rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

Gateway.spec.http[index].rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

Gateway.spec.http[index].rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

Gateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

Gateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

Gateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Gateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

Gateway.spec.http[index].rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Gateway.spec.http[index].rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Gateway.spec.http[index].rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

Gateway.spec.http[index].rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

Gateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

Gateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

Gateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Gateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

Gateway.spec.http[index].rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

Gateway.spec.http[index].tls

↩ Parent

TLS certificate info.

NameTypeDescriptionRequired
cipherSuites[]string

List of cipher suites to be used for TLS connections.

false
filesobject

Load the keys and certificates from files accessible to the ingress gateway workload.

false
maxProtocolVersionenum

Set the maximum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
minProtocolVersionenum

Set the minimum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
modeenum

Set this to SIMPLE, or MUTUAL for one-way TLS, mutual TLS respectively.


Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL

false
secretNamestring

The name of the secret in Kubernetes that holds the TLS certs including the CA certificates.

false
subjectAltNames[]string

List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake.

false

Gateway.spec.http[index].tls.files

↩ Parent

Load the keys and certificates from files accessible to the ingress gateway workload.

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

Gateway.spec.tcp[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname to identify the service.

true
namestring

A name assigned to the server.

true
routeobject

Forward the connection to the specified destination.

true
failoverSettingsobject

Failover settings for all clients that try to access the hostname defined in this section.

false
portinteger

The port where the server is exposed.

false
tlsobject

TLS certificate info to terminate the TLS connection.

false
trafficModeenum

Traffic mode specifies the type of configuration applied to this server.


Enum: AUTO, INGRESS, EGRESS, TRANSIT

false
transitboolean

If set to true, the server is configured to be exposed within the mesh.

false

Gateway.spec.tcp[index].route

↩ Parent

Forward the connection to the specified destination.

NameTypeDescriptionRequired
clusterDestinationobject

RouteToClusters represents the clusters where the request needs to be routed to from the gateway.

false
serviceDestinationobject

RouteToService represents the service running in clusters.

false

Gateway.spec.tcp[index].route.clusterDestination

↩ Parent

RouteToClusters represents the clusters where the request needs to be routed to from the gateway.

NameTypeDescriptionRequired
clusters[]object

The destination clusters that contain ingress gateways exposing the hostname.

false

Gateway.spec.tcp[index].route.clusterDestination.clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.

false

Gateway.spec.tcp[index].route.serviceDestination

↩ Parent

RouteToService represents the service running in clusters.

NameTypeDescriptionRequired
hoststring

The destination service in &#003C;namespace&#003E;/&#003C;fqdn&#003E;.

true
portinteger

The port on the service to forward the request to.

false
tlsobject

The ClientTLSSettings specifies how the gateway workload should establish connections to external services.

false

Gateway.spec.tcp[index].route.serviceDestination.tls

↩ Parent

The ClientTLSSettings specifies how the gateway workload should establish connections to external services.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Gateway.spec.tcp[index].route.serviceDestination.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Gateway.spec.tcp[index].failoverSettings

↩ Parent

Failover settings for all clients that try to access the hostname defined in this section.

NameTypeDescriptionRequired
automaticLoadBalancingobject
false
failoverPriority[]string

FailoverPriority specifies the failover priority for traffic.

false
regionalFailover[]object

Locality routing settings for all gateways in the Workspace/Organization for which this is defined.

false
topologyChoiceenum

TopologyChoice specifies the topology preference for traffic priority.


Enum: NONE, CLUSTER, LOCALITY

false

Gateway.spec.tcp[index].failoverSettings.automaticLoadBalancing

↩ Parent

NameTypeDescriptionRequired
enabledboolean

Whether to enable automatic load balancing.

false

Gateway.spec.tcp[index].failoverSettings.regionalFailover[index]

↩ Parent

NameTypeDescriptionRequired
fromstring

Originating region.

false
tostring

Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.

false

Gateway.spec.tcp[index].tls

↩ Parent

TLS certificate info to terminate the TLS connection.

NameTypeDescriptionRequired
cipherSuites[]string

List of cipher suites to be used for TLS connections.

false
filesobject

Load the keys and certificates from files accessible to the ingress gateway workload.

false
maxProtocolVersionenum

Set the maximum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
minProtocolVersionenum

Set the minimum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
modeenum

Set this to SIMPLE, or MUTUAL for one-way TLS, mutual TLS respectively.


Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL

false
secretNamestring

The name of the secret in Kubernetes that holds the TLS certs including the CA certificates.

false
subjectAltNames[]string

List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake.

false

Gateway.spec.tcp[index].tls.files

↩ Parent

Load the keys and certificates from files accessible to the ingress gateway workload.

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

Gateway.spec.tls[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

true
namestring

A name assigned to the server.

true
portinteger

The port where the server is exposed.

true
routeobject

Forward the connection to the specified destination.

true
failoverSettingsobject

Failover settings for all clients that try to access the hostname defined in this section.

false

Gateway.spec.tls[index].route

↩ Parent

Forward the connection to the specified destination.

NameTypeDescriptionRequired
clusterDestinationobject

RouteToClusters represents the clusters where the request needs to be routed to from the gateway.

false
serviceDestinationobject

RouteToService represents the service running in clusters.

false

Gateway.spec.tls[index].route.clusterDestination

↩ Parent

RouteToClusters represents the clusters where the request needs to be routed to from the gateway.

NameTypeDescriptionRequired
clusters[]object

The destination clusters that contain ingress gateways exposing the hostname.

false

Gateway.spec.tls[index].route.clusterDestination.clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.

false

Gateway.spec.tls[index].route.serviceDestination

↩ Parent

RouteToService represents the service running in clusters.

NameTypeDescriptionRequired
hoststring

The destination service in &#003C;namespace&#003E;/&#003C;fqdn&#003E;.

true
portinteger

The port on the service to forward the request to.

false
tlsobject

The ClientTLSSettings specifies how the gateway workload should establish connections to external services.

false

Gateway.spec.tls[index].route.serviceDestination.tls

↩ Parent

The ClientTLSSettings specifies how the gateway workload should establish connections to external services.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Gateway.spec.tls[index].route.serviceDestination.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Gateway.spec.tls[index].failoverSettings

↩ Parent

Failover settings for all clients that try to access the hostname defined in this section.

NameTypeDescriptionRequired
automaticLoadBalancingobject
false
failoverPriority[]string

FailoverPriority specifies the failover priority for traffic.

false
regionalFailover[]object

Locality routing settings for all gateways in the Workspace/Organization for which this is defined.

false
topologyChoiceenum

TopologyChoice specifies the topology preference for traffic priority.


Enum: NONE, CLUSTER, LOCALITY

false

Gateway.spec.tls[index].failoverSettings.automaticLoadBalancing

↩ Parent

NameTypeDescriptionRequired
enabledboolean

Whether to enable automatic load balancing.

false

Gateway.spec.tls[index].failoverSettings.regionalFailover[index]

↩ Parent

NameTypeDescriptionRequired
fromstring

Originating region.

false
tostring

Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.

false

Gateway.spec.waf

↩ Parent

WAF settings to be enabled for traffic passing through the HttpServer.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

true

Gateway.spec.wasmPlugins[index]

↩ Parent

NameTypeDescriptionRequired
fqnstring

Fqn of the extension to be executed.

true
configobject

Configuration parameters sent to the WASM plugin execution.

false
match[]object

Specifies the criteria to determine which traffic is passed to WasmExtension.

false

Gateway.spec.wasmPlugins[index].match[index]

↩ Parent

NameTypeDescriptionRequired
modeenum

Criteria for selecting traffic by their direction.


Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER

false
ports[]object

Criteria for selecting traffic by their destination port.

false

Gateway.spec.wasmPlugins[index].match[index].ports[index]

↩ Parent

NameTypeDescriptionRequired
numberinteger
true

Group

↩ Parent

NameTypeDescriptionRequired
apiVersionstringgateway.tsb.tetrate.io/v2true
kindstringGrouptrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

A gateway group manages the gateways in a group of namespaces owned by the parent workspace.

false
statusobject
false

Group.spec

↩ Parent

A gateway group manages the gateways in a group of namespaces owned by the parent workspace.

NameTypeDescriptionRequired
namespaceSelectorobject

Set of namespaces owned exclusively by this group.

true
configGenerationMetadataobject

Default metadata values that will be propagated to the children Istio generated configurations.

false
configModeenum

The Configuration types that will be added to this group.


Enum: BRIDGED, DIRECT

false
deletionProtectionEnabledboolean

When set, prevents the resource from being deleted.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
profiles[]string

List of profiles attached to the gateway group to be used to propagate default and mandatory configurations down to the children.

false

Group.spec.namespaceSelector

↩ Parent

Set of namespaces owned exclusively by this group.

NameTypeDescriptionRequired
names[]string

Under the tenant/workspace/group: - */ns1 implies ns1 namespace in any cluster.

true

Group.spec.configGenerationMetadata

↩ Parent

Default metadata values that will be propagated to the children Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

IngressGateway

↩ Parent

NameTypeDescriptionRequired
apiVersionstringgateway.tsb.tetrate.io/v2true
kindstringIngressGatewaytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

IngressGateway configures a workload to act as an ingress gateway into the mesh.

false
statusobject
false

IngressGateway.spec

↩ Parent

IngressGateway configures a workload to act as an ingress gateway into the mesh.

NameTypeDescriptionRequired
workloadSelectorobject

Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.

true
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
extension[]object

Extensions specifies all the WasmExtensions assigned to this IngressGateway with the specific configuration for each extension.

false
fqnstring

Fully-qualified name of the resource.

false
http[]object

One or more HTTP or HTTPS servers exposed by the gateway.

false
tcp[]object

One or more non-HTTP and non-passthrough servers which use TCP based protocols.

false
tlsPassthrough[]object

One or more TLS servers exposed by the gateway.

false
wafobject

WAF settings to be enabled for traffic passing through the HttpServer.

false

IngressGateway.spec.workloadSelector

↩ Parent

Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.

NameTypeDescriptionRequired
labelsmap[string]string

One or more labels that indicate a specific set of pods/VMs in the namespace.

true
namespacestring

The namespace where the workload resides.

true

IngressGateway.spec.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

IngressGateway.spec.extension[index]

↩ Parent

NameTypeDescriptionRequired
fqnstring

Fqn of the extension to be executed.

true
configobject

Configuration parameters sent to the WASM plugin execution.

false
match[]object

Specifies the criteria to determine which traffic is passed to WasmExtension.

false

IngressGateway.spec.extension[index].match[index]

↩ Parent

NameTypeDescriptionRequired
modeenum

Criteria for selecting traffic by their direction.


Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER

false
ports[]object

Criteria for selecting traffic by their destination port.

false

IngressGateway.spec.extension[index].match[index].ports[index]

↩ Parent

NameTypeDescriptionRequired
numberinteger
true

IngressGateway.spec.http[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

true
namestring

A name assigned to the server.

true
portinteger

The port where the server is exposed.

true
routingobject

Routing rules associated with HTTP traffic to this service.

true
authenticationobject

Configuration to authenticate clients.

false
authorizationobject

Configuration to authorize a request.

false
rateLimitingobject

Configuration for rate limiting requests.

false
tlsobject

TLS certificate info.

false
xxxOldAuthenticationobject
false
xxxOldAuthorizationobject
false

IngressGateway.spec.http[index].routing

↩ Parent

Routing rules associated with HTTP traffic to this service.

NameTypeDescriptionRequired
rules[]object

HTTP routes.

true
corsPolicyobject

Cross origin resource request policy settings for all routes.

false

IngressGateway.spec.http[index].routing.rules[index]

↩ Parent

NameTypeDescriptionRequired
directResponseobject

Return a fixed response.

false
match[]object

One or more match conditions (OR-ed).

false
modifyobject

One or more mutations to be performed before forwarding.

false
redirectobject

Redirect the request to a different host or URL or both.

false
routeobject

Forward the request to the specified destination(s).

false

IngressGateway.spec.http[index].routing.rules[index].directResponse

↩ Parent

Return a fixed response.

NameTypeDescriptionRequired
statusinteger

Specifies the HTTP response status to be returned.

true
bodyobject

Specifies the content of the response body.

false

IngressGateway.spec.http[index].routing.rules[index].directResponse.body

↩ Parent

Specifies the content of the response body.

NameTypeDescriptionRequired
bytesstring

response body as base64 encoded bytes.


Format: binary

false
stringstring
false

IngressGateway.spec.http[index].routing.rules[index].match[index]

↩ Parent

NameTypeDescriptionRequired
headersmap[string]object

The header keys must be lowercase and use hyphen as the separator, e.g.

false
uriobject

URI to match.

false

IngressGateway.spec.http[index].routing.rules[index].match[index].headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

IngressGateway.spec.http[index].routing.rules[index].match[index].uri

↩ Parent

URI to match.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

IngressGateway.spec.http[index].routing.rules[index].modify

↩ Parent

One or more mutations to be performed before forwarding.

NameTypeDescriptionRequired
headersobject

Add/remove/overwrite one or more HTTP headers in a request or response.

false
rewriteobject

Rewrite the HTTP Host or URL or both.

false

IngressGateway.spec.http[index].routing.rules[index].modify.headers

↩ Parent

Add/remove/overwrite one or more HTTP headers in a request or response.

NameTypeDescriptionRequired
requestobject

Header manipulation rules to apply before forwarding a request to the destination service.

false
responseobject

Header manipulation rules to apply before returning a response to the caller.

false

IngressGateway.spec.http[index].routing.rules[index].modify.headers.request

↩ Parent

Header manipulation rules to apply before forwarding a request to the destination service.

NameTypeDescriptionRequired
addmap[string]string

Append the given values to the headers specified by keys (will create a comma-separated list of values).

false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

IngressGateway.spec.http[index].routing.rules[index].modify.headers.response

↩ Parent

Header manipulation rules to apply before returning a response to the caller.

NameTypeDescriptionRequired
addmap[string]string

Append the given values to the headers specified by keys (will create a comma-separated list of values).

false
remove[]string

Remove a the specified headers.

false
setmap[string]string

Overwrite the headers specified by key with the given values.

false

IngressGateway.spec.http[index].routing.rules[index].modify.rewrite

↩ Parent

Rewrite the HTTP Host or URL or both.

NameTypeDescriptionRequired
authoritystring

Rewrite the Authority/Host header with this value.

false
uristring

Rewrite the path (or the prefix) portion of the URI with this value.

false

IngressGateway.spec.http[index].routing.rules[index].redirect

↩ Parent

Redirect the request to a different host or URL or both.

NameTypeDescriptionRequired
authoritystring

On a redirect, overwrite the Authority/Host portion of the URL with this value.

false
portinteger
false
redirectCodeinteger

On a redirect, Specifies the HTTP status code to use in the redirect response.

false
schemestring

On a redirect, overwrite the scheme with this one.

false
uristring

On a redirect, overwrite the Path portion of the URL with this value.

false

IngressGateway.spec.http[index].routing.rules[index].route

↩ Parent

Forward the request to the specified destination(s).

NameTypeDescriptionRequired
hoststring

The destination service in &#003C;namespace&#003E;/&#003C;fqdn&#003E; format for IngressGateway resources.

true
portinteger

The port on the service to forward the request to.

false

IngressGateway.spec.http[index].routing.corsPolicy

↩ Parent

Cross origin resource request policy settings for all routes.

NameTypeDescriptionRequired
allowCredentialsboolean

Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials.

false
allowHeaders[]string

List of HTTP headers that can be used when requesting the resource.

false
allowMethods[]string

List of HTTP methods allowed to access the resource.

false
allowOrigin[]string

The list of origins that are allowed to perform CORS requests.

false
exposeHeaders[]string

A white list of HTTP headers that the browsers are allowed to access.

false
maxAgestring

Specifies how long the results of a preflight request can be cached.

false

IngressGateway.spec.http[index].authentication

↩ Parent

Configuration to authenticate clients.

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

IngressGateway.spec.http[index].authentication.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

IngressGateway.spec.http[index].authentication.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

IngressGateway.spec.http[index].authentication.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

IngressGateway.spec.http[index].authentication.oidc

↩ Parent

NameTypeDescriptionRequired
clientIdstring

The client_id to be used in the authorize calls.

true
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

true
providerobject

The OIDC Provider configuration.

true
redirectUristring

The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.

true
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
redirectPathMatcherstring

Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false
useRefreshTokenboolean

Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that.

false

IngressGateway.spec.http[index].authentication.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
issuerstring

The OIDC Provider's issuer identifier.

true
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tlsobject

The TLS settings used by the clients to connect with the OIDC provider.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

IngressGateway.spec.http[index].authentication.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

IngressGateway.spec.http[index].authentication.oidc.provider.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

IngressGateway.spec.http[index].authentication.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

IngressGateway.spec.http[index].authentication.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

IngressGateway.spec.http[index].authentication.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

IngressGateway.spec.http[index].authentication.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

IngressGateway.spec.http[index].authorization

↩ Parent

Configuration to authorize a request.

NameTypeDescriptionRequired
externalobject
false
localobject
false

IngressGateway.spec.http[index].authorization.external

↩ Parent

NameTypeDescriptionRequired
allowedUpstreamHeaders[]string

List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200).

false
includeRequestHeaders[]string
false
pathPrefixstring

Sets a prefix to the value of authorization request header Path.

false
tlsobject
false
uristring
false

IngressGateway.spec.http[index].authorization.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

IngressGateway.spec.http[index].authorization.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

IngressGateway.spec.http[index].authorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

IngressGateway.spec.http[index].authorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
namestring

A friendly name to identify the binding.

true
from[]object

Subjects configure the actors (end users, other services) that are allowed to access the target resource.

false
to[]object

A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.

false

IngressGateway.spec.http[index].authorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

IngressGateway.spec.http[index].authorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

IngressGateway.spec.http[index].authorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

IngressGateway.spec.http[index].rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

IngressGateway.spec.http[index].rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

IngressGateway.spec.http[index].rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

IngressGateway.spec.http[index].rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

IngressGateway.spec.http[index].rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

IngressGateway.spec.http[index].tls

↩ Parent

TLS certificate info.

NameTypeDescriptionRequired
cipherSuites[]string

List of cipher suites to be used for TLS connections.

false
filesobject

Load the keys and certificates from files accessible to the ingress gateway workload.

false
maxProtocolVersionenum

Set the maximum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
minProtocolVersionenum

Set the minimum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
modeenum

Set this to SIMPLE, or MUTUAL for one-way TLS, mutual TLS respectively.


Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL

false
secretNamestring

The name of the secret in Kubernetes that holds the TLS certs including the CA certificates.

false
subjectAltNames[]string

List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake.

false

IngressGateway.spec.http[index].tls.files

↩ Parent

Load the keys and certificates from files accessible to the ingress gateway workload.

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

IngressGateway.spec.http[index].xxxOldAuthentication

↩ Parent

NameTypeDescriptionRequired
jwtobject
false

IngressGateway.spec.http[index].xxxOldAuthentication.jwt

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false

IngressGateway.spec.http[index].xxxOldAuthorization

↩ Parent

NameTypeDescriptionRequired
externalobject
false
localobject
false

IngressGateway.spec.http[index].xxxOldAuthorization.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
uristring
false

IngressGateway.spec.http[index].xxxOldAuthorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
namestring

A friendly name to identify the binding.

true
from[]object

Subjects configure the actors (end users, other services) that are allowed to access the target resource.

false
to[]object

A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.

false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

IngressGateway.spec.tcp[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname to identify the service.

true
namestring

A name assigned to the server.

true
portinteger

The port where the server is exposed.

true
routeobject

Forward the connection to the specified destination.

false
tlsobject
false

IngressGateway.spec.tcp[index].route

↩ Parent

Forward the connection to the specified destination.

NameTypeDescriptionRequired
hoststring

The destination service in &#003C;namespace&#003E;/&#003C;fqdn&#003E; format for IngressGateway resources.

true
portinteger

The port on the service to forward the request to.

false

IngressGateway.spec.tcp[index].tls

↩ Parent

NameTypeDescriptionRequired
cipherSuites[]string

List of cipher suites to be used for TLS connections.

false
filesobject

Load the keys and certificates from files accessible to the ingress gateway workload.

false
maxProtocolVersionenum

Set the maximum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
minProtocolVersionenum

Set the minimum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
modeenum

Set this to SIMPLE, or MUTUAL for one-way TLS, mutual TLS respectively.


Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL

false
secretNamestring

The name of the secret in Kubernetes that holds the TLS certs including the CA certificates.

false
subjectAltNames[]string

List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake.

false

IngressGateway.spec.tcp[index].tls.files

↩ Parent

Load the keys and certificates from files accessible to the ingress gateway workload.

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

IngressGateway.spec.tlsPassthrough[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

true
namestring

A name assigned to the server.

true
portinteger

The port where the server is exposed.

true
routeobject

Forward the connection to the specified destination.

true

IngressGateway.spec.tlsPassthrough[index].route

↩ Parent

Forward the connection to the specified destination.

NameTypeDescriptionRequired
hoststring

The destination service in &#003C;namespace&#003E;/&#003C;fqdn&#003E; format for IngressGateway resources.

true
portinteger

The port on the service to forward the request to.

false

IngressGateway.spec.waf

↩ Parent

WAF settings to be enabled for traffic passing through the HttpServer.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

true

Tier1Gateway

↩ Parent

NameTypeDescriptionRequired
apiVersionstringgateway.tsb.tetrate.io/v2true
kindstringTier1Gatewaytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

Tier1Gateway configures a workload to act as a tier1 gateway into the mesh.

false
statusobject
false

Tier1Gateway.spec

↩ Parent

Tier1Gateway configures a workload to act as a tier1 gateway into the mesh.

NameTypeDescriptionRequired
workloadSelectorobject

Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.

true
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
extension[]object

Extensions specifies all the WasmExtensions assigned to this Tier1Gateway with the specific configuration for each extension.

false
externalServers[]object

One or more servers exposed by the gateway externally.

false
fqnstring

Fully-qualified name of the resource.

false
internalServers[]object

One or more servers exposed by the gateway internally for cross cluster forwarding.

false
passthroughServers[]object

One or more tls passthrough servers exposed by the gateway externally.

false
tcpExternalServers[]object

One or more tcp servers exposed by the gateway externally.

false
tcpInternalServers[]object

One or more tcp servers exposed by the gateway for mesh internal traffic.

false
wafobject

WAF settings to be enabled for traffic passing through this Tier1 gateway.

false

Tier1Gateway.spec.workloadSelector

↩ Parent

Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.

NameTypeDescriptionRequired
labelsmap[string]string

One or more labels that indicate a specific set of pods/VMs in the namespace.

true
namespacestring

The namespace where the workload resides.

true

Tier1Gateway.spec.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

Tier1Gateway.spec.extension[index]

↩ Parent

NameTypeDescriptionRequired
fqnstring

Fqn of the extension to be executed.

true
configobject

Configuration parameters sent to the WASM plugin execution.

false
match[]object

Specifies the criteria to determine which traffic is passed to WasmExtension.

false

Tier1Gateway.spec.extension[index].match[index]

↩ Parent

NameTypeDescriptionRequired
modeenum

Criteria for selecting traffic by their direction.


Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER

false
ports[]object

Criteria for selecting traffic by their destination port.

false

Tier1Gateway.spec.extension[index].match[index].ports[index]

↩ Parent

NameTypeDescriptionRequired
numberinteger
true

Tier1Gateway.spec.externalServers[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

true
namestring

A name assigned to the server.

true
portinteger

The port where the server is exposed.

true
authenticationobject

Authentication is used to configure the authentication of end-user credentials like JWT.

false
authorizationobject

Authorization is used to configure authorization of end users.

false
clusters[]object

The destination clusters that contain ingress gateways exposing the hostname.

false
rateLimitingobject

Configuration for rate limiting requests.

false
redirectobject

Redirect allows configuring HTTP redirect.

false
tlsobject

TLS certificate info.

false

Tier1Gateway.spec.externalServers[index].authentication

↩ Parent

Authentication is used to configure the authentication of end-user credentials like JWT.

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

Tier1Gateway.spec.externalServers[index].authentication.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Tier1Gateway.spec.externalServers[index].authentication.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Tier1Gateway.spec.externalServers[index].authentication.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Tier1Gateway.spec.externalServers[index].authentication.oidc

↩ Parent

NameTypeDescriptionRequired
clientIdstring

The client_id to be used in the authorize calls.

true
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

true
providerobject

The OIDC Provider configuration.

true
redirectUristring

The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.

true
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
redirectPathMatcherstring

Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false
useRefreshTokenboolean

Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that.

false

Tier1Gateway.spec.externalServers[index].authentication.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
issuerstring

The OIDC Provider's issuer identifier.

true
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tlsobject

The TLS settings used by the clients to connect with the OIDC provider.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

Tier1Gateway.spec.externalServers[index].authentication.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Tier1Gateway.spec.externalServers[index].authentication.oidc.provider.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Tier1Gateway.spec.externalServers[index].authentication.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

Tier1Gateway.spec.externalServers[index].authentication.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Tier1Gateway.spec.externalServers[index].authentication.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Tier1Gateway.spec.externalServers[index].authentication.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Tier1Gateway.spec.externalServers[index].authorization

↩ Parent

Authorization is used to configure authorization of end users.

NameTypeDescriptionRequired
externalobject
false
localobject
false

Tier1Gateway.spec.externalServers[index].authorization.external

↩ Parent

NameTypeDescriptionRequired
allowedUpstreamHeaders[]string

List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200).

false
includeRequestHeaders[]string
false
pathPrefixstring

Sets a prefix to the value of authorization request header Path.

false
tlsobject
false
uristring
false

Tier1Gateway.spec.externalServers[index].authorization.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Tier1Gateway.spec.externalServers[index].authorization.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Tier1Gateway.spec.externalServers[index].authorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
namestring

A friendly name to identify the binding.

true
from[]object

Subjects configure the actors (end users, other services) that are allowed to access the target resource.

false
to[]object

A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.

false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

Tier1Gateway.spec.externalServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.

false

Tier1Gateway.spec.externalServers[index].rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

Tier1Gateway.spec.externalServers[index].redirect

↩ Parent

Redirect allows configuring HTTP redirect.

NameTypeDescriptionRequired
authoritystring

On a redirect, overwrite the Authority/Host portion of the URL with this value.

false
portinteger
false
redirectCodeinteger

On a redirect, Specifies the HTTP status code to use in the redirect response.

false
schemestring

On a redirect, overwrite the scheme with this one.

false
uristring

On a redirect, overwrite the Path portion of the URL with this value.

false

Tier1Gateway.spec.externalServers[index].tls

↩ Parent

TLS certificate info.

NameTypeDescriptionRequired
cipherSuites[]string

List of cipher suites to be used for TLS connections.

false
filesobject

Load the keys and certificates from files accessible to the ingress gateway workload.

false
maxProtocolVersionenum

Set the maximum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
minProtocolVersionenum

Set the minimum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
modeenum

Set this to SIMPLE, or MUTUAL for one-way TLS, mutual TLS respectively.


Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL

false
secretNamestring

The name of the secret in Kubernetes that holds the TLS certs including the CA certificates.

false
subjectAltNames[]string

List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake.

false

Tier1Gateway.spec.externalServers[index].tls.files

↩ Parent

Load the keys and certificates from files accessible to the ingress gateway workload.

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

Tier1Gateway.spec.internalServers[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname with which the service can be expected to be accessed by sidecars in the mesh.

true
namestring

A name assigned to the server.

true
authenticationobject

Authentication is used to configure the authentication of end-user credentials like JWT.

false
authorizationobject

Authorization is used to configure authorization of end user and traffic.

false
clusters[]object

The destination clusters that contain ingress gateways exposing the hostname.

false

Tier1Gateway.spec.internalServers[index].authentication

↩ Parent

Authentication is used to configure the authentication of end-user credentials like JWT.

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

Tier1Gateway.spec.internalServers[index].authentication.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Tier1Gateway.spec.internalServers[index].authentication.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Tier1Gateway.spec.internalServers[index].authentication.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Tier1Gateway.spec.internalServers[index].authentication.oidc

↩ Parent

NameTypeDescriptionRequired
clientIdstring

The client_id to be used in the authorize calls.

true
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

true
providerobject

The OIDC Provider configuration.

true
redirectUristring

The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.

true
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
redirectPathMatcherstring

Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false
useRefreshTokenboolean

Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that.

false

Tier1Gateway.spec.internalServers[index].authentication.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
issuerstring

The OIDC Provider's issuer identifier.

true
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tlsobject

The TLS settings used by the clients to connect with the OIDC provider.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

Tier1Gateway.spec.internalServers[index].authentication.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Tier1Gateway.spec.internalServers[index].authentication.oidc.provider.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Tier1Gateway.spec.internalServers[index].authentication.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

Tier1Gateway.spec.internalServers[index].authentication.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Tier1Gateway.spec.internalServers[index].authentication.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Tier1Gateway.spec.internalServers[index].authentication.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Tier1Gateway.spec.internalServers[index].authorization

↩ Parent

Authorization is used to configure authorization of end user and traffic.

NameTypeDescriptionRequired
externalobject
false
localobject
false

Tier1Gateway.spec.internalServers[index].authorization.external

↩ Parent

NameTypeDescriptionRequired
allowedUpstreamHeaders[]string

List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200).

false
includeRequestHeaders[]string
false
pathPrefixstring

Sets a prefix to the value of authorization request header Path.

false
tlsobject
false
uristring
false

Tier1Gateway.spec.internalServers[index].authorization.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Tier1Gateway.spec.internalServers[index].authorization.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Tier1Gateway.spec.internalServers[index].authorization.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
namestring

A friendly name to identify the binding.

true
from[]object

Subjects configure the actors (end users, other services) that are allowed to access the target resource.

false
to[]object

A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.

false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

Tier1Gateway.spec.internalServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.

false

Tier1Gateway.spec.passthroughServers[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Hostname with which the service can be expected to be accessed by clients.

true
namestring

A name assigned to the server.

true
portinteger

The port where the server is exposed.

true
clusters[]object

The destination clusters that contain ingress gateways exposing the hostname on passthrough servers.

false

Tier1Gateway.spec.passthroughServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.

false

Tier1Gateway.spec.tcpExternalServers[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

Although hostname or authority does not make sense in the non-HTTP context, this is used to define the routing rules.

true
namestring

A name assigned to the server.

true
portinteger

The port where the server is exposed.

true
clusters[]object

The destination clusters contain ingress gateways exposing the service.

false
tlsobject

TLS certificate information to terminate TLS.

false

Tier1Gateway.spec.tcpExternalServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.

false

Tier1Gateway.spec.tcpExternalServers[index].tls

↩ Parent

TLS certificate information to terminate TLS.

NameTypeDescriptionRequired
cipherSuites[]string

List of cipher suites to be used for TLS connections.

false
filesobject

Load the keys and certificates from files accessible to the ingress gateway workload.

false
maxProtocolVersionenum

Set the maximum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
minProtocolVersionenum

Set the minimum supported TLS protocol version.


Enum: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3

false
modeenum

Set this to SIMPLE, or MUTUAL for one-way TLS, mutual TLS respectively.


Enum: DISABLED, SIMPLE, MUTUAL, OPTIONAL_MUTUAL

false
secretNamestring

The name of the secret in Kubernetes that holds the TLS certs including the CA certificates.

false
subjectAltNames[]string

List of Subject Alternative Names (SAN) from the client's certificate that are accepted for client identity verification during the TLS handshake.

false

Tier1Gateway.spec.tcpExternalServers[index].tls.files

↩ Parent

Load the keys and certificates from files accessible to the ingress gateway workload.

NameTypeDescriptionRequired
caCertificatesstring
false
privateKeystring
false
serverCertificatestring
false

Tier1Gateway.spec.tcpInternalServers[index]

↩ Parent

NameTypeDescriptionRequired
hostnamestring

The name of the service used.

true
namestring

A name assigned to the server.

true
clusters[]object

The destination clusters contain ingress gateways exposing the service.

false

Tier1Gateway.spec.tcpInternalServers[index].clusters[index]

↩ Parent

NameTypeDescriptionRequired
labelsmap[string]string

Labels associated with the cluster.

false
namestring

The name of the destination cluster.

false
networkstring

The network associated with the destination clusters.

false
weightinteger

The weight for traffic to a given destination.

false

Tier1Gateway.spec.waf

↩ Parent

WAF settings to be enabled for traffic passing through this Tier1 gateway.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

true