tsb.tetrate.io/v2
WorkspaceSetting
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | tsb.tetrate.io/v2 | true |
kind | string | WorkspaceSetting | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | Default security and traffic settings for all proxy workloads in the workspace. | false |
status | object | | false |
WorkspaceSetting.spec
Default security and traffic settings for all proxy workloads in the workspace.
Name | Type | Description | Required |
---|---|---|---|
defaultEastWestGatewaySettings | []object | Default east west gateway settings specifies workspace-wide east-west gateway configuration. | false |
defaultSecuritySetting | object | Security settings for all proxy workloads in this workspace. | false |
defaultTrafficSetting | object | Traffic settings for all proxy workloads in this workspace. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
failoverSettings | object | Failover settings for all proxies connecting to a host exposed in this workspace. | false |
fqn | string | Fully-qualified name of the resource. | false |
hostsReachability | object | Hosts reachability defines the list of hostnames that this workspace can reach. | false |
regionalFailover | []object | Locality routing settings for all gateways in the workspace. | false |
WorkspaceSetting.spec.defaultEastWestGatewaySettings[index]
Name | Type | Description | Required |
---|---|---|---|
workloadSelector | object | Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway. | true |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
exposedServices | []object | Exposed services is used to specify the match criteria to select specific services for internal multicluster routing (east-west routing between clusters). | false |
WorkspaceSetting.spec.defaultEastWestGatewaySettings[index].workloadSelector
Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway.
Name | Type | Description | Required |
---|---|---|---|
labels | map[string]string | One or more labels that indicate a specific set of pods/VMs in the namespace. | true |
namespace | string | The namespace where the workload resides. | true |
WorkspaceSetting.spec.defaultEastWestGatewaySettings[index].configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
WorkspaceSetting.spec.defaultEastWestGatewaySettings[index].exposedServices[index]
Name | Type | Description | Required |
---|---|---|---|
serviceLabels | map[string]string | | true |
WorkspaceSetting.spec.defaultSecuritySetting
Security settings for all proxy workloads in this workspace.
Name | Type | Description | Required |
---|---|---|---|
authentication | enum | DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. Enum: UNSET, OPTIONAL, REQUIRED | false |
authenticationSettings | object | Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration. | false |
authorization | object | The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh. | false |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
extension | []object | Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. | false |
fqn | string | Fully-qualified name of the resource. | false |
propagationStrategy | enum | Propagation strategy specifies how a security setting is propagated along the configuration hierarchy. Enum: REPLACE, STRICTER | false |
waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings
Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.
Name | Type | Description | Required |
---|---|---|---|
http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false |
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http
HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules for how to authenticate an HTTP request. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules
List of rules for how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules for how to authenticate an HTTP request from a JWT Token attached to it. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
WorkspaceSetting.spec.defaultSecuritySetting.authorization
The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.
Name | Type | Description | Required |
---|---|---|---|
http | object | This is for configuring HTTP request authorization. | false |
identityMatch | enum | identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
rules | object | When the mode is | false |
serviceAccounts | []string | When the mode is | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.http
This is for configuring HTTP request authorization.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.external
Name | Type | Description | Required |
---|---|---|---|
allowedUpstreamHeaders | []string | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). | false |
includeRequestHeaders | []string | | false |
pathPrefix | string | Sets a prefix to the value of authorization request header Path. | false |
tls | object | | false |
uri | string | | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules
When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.
Name | Type | Description | Required |
---|---|---|---|
allow | []object | Allow specifies a list of rules. | false |
deny | []object | Deny specifies a list of rules. | false |
denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
WorkspaceSetting.spec.defaultSecuritySetting.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
WorkspaceSetting.spec.defaultSecuritySetting.extension[index]
Name | Type | Description | Required |
---|---|---|---|
fqn | string | Fqn of the extension to be executed. | true |
config | object | Configuration parameters sent to the WASM plugin execution. | false |
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
WorkspaceSetting.spec.defaultSecuritySetting.extension[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
ports | []object | Criteria for selecting traffic by their destination port. | false |
WorkspaceSetting.spec.defaultSecuritySetting.extension[index].match[index].ports[index]
Name | Type | Description | Required |
---|---|---|---|
number | integer | | true |
WorkspaceSetting.spec.defaultSecuritySetting.waf
NOTICE: this feature is in alpha stage and under active development.
Name | Type | Description | Required |
---|---|---|---|
rules | []string | Rules to be leveraged by WAF. | true |
WorkspaceSetting.spec.defaultTrafficSetting
Traffic settings for all proxy workloads in this workspace.
Name | Type | Description | Required |
---|---|---|---|
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
egress | object | Specifies the details of the egress proxy to which unknown traffic should be forwarded from the proxy workload. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
inbound | object | Configures inbound traffic. | false |
outbound | object | Configures outbound traffic. | false |
rateLimiting | object | Configuration for rate limiting requests. | false |
reachability | object | The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. | false |
resilience | object | Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads. | false |
upstreamTrafficSettings | []object | List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts. | false |
WorkspaceSetting.spec.defaultTrafficSetting.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
WorkspaceSetting.spec.defaultTrafficSetting.egress
Specifies the details of the egress proxy to which unknown traffic should be forwarded from the proxy workload.
Name | Type | Description | Required |
---|---|---|---|
host | string | Specifies the egress gateway hostname. | true |
port | integer | Deprecated. Format: int32 | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound
Configures inbound traffic.
Name | Type | Description | Required |
---|---|---|---|
failoverSettings | object | Failover settings apply to all clients accessing the hostname defined in this section. | false |
rateLimiting | object | Configuration for rate limiting requests. | false |
resilience | object | Resiliency configuration for inbound connections. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.failoverSettings
Failover settings apply to all clients accessing the hostname defined in this section.
Name | Type | Description | Required |
---|---|---|---|
automaticLoadBalancing | object | | false |
failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false |
regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false |
topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.failoverSettings.automaticLoadBalancing
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | Whether to enable automatic load balancing. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.failoverSettings.regionalFailover[index]
Name | Type | Description | Required |
---|---|---|---|
from | string | Originating region. | false |
to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting
Configuration for rate limiting requests.
Name | Type | Description | Required |
---|---|---|---|
externalService | object | Configure ratelimiting using an external ratelimit server. | false |
settings | object | | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
Name | Type | Description | Required |
---|---|---|---|
domain | string | The rate limit domain to use when calling the rate limit service. | true |
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true |
rules | []object | A set of rate limit rules. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
destinationCluster | object | Rate limit on destination envoy cluster. | false |
headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
remoteAddress | object | Rate limit on remote address of client. | false |
requestHeaders | object | Rate limit on the value of certain request headers. | false |
sourceCluster | object | Rate limit on source envoy cluster. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorValue | string | The value to use in the descriptor entry. | true |
headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript style regex-based match. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorKey | string | The key to use in the descriptor entry. | true |
headerName | string | The header name to be queried from the request headers. | true |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings
Name | Type | Description | Required |
---|---|---|---|
rules | []object | A list of rules for ratelimiting. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the rate limit server RPC. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions to define each ratelimit rule. | true |
limit | object | The ratelimit value that will be configured for the above rules. | true |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
header | object | Rate limit on certain HTTP headers. | false |
remoteAddress | object | Rate limit on the remote address of client. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the header to match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
value | object | Value of the header to match on if matching on a specific value. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript style regex-based match. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
Name | Type | Description | Required |
---|---|---|---|
value | string | Ratelimit on a specific remote address. | true |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
Name | Type | Description | Required |
---|---|---|---|
requestsPerUnit | integer | Specifies the value of the rate limit. | true |
unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.resilience
Resiliency configuration for inbound connections.
Name | Type | Description | Required |
---|---|---|---|
connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false |
meshTimeout | object | Configures the max connection and stream durations for HTTP and TCP connections. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.resilience.connectionPool
Configures tolerance and other settings for TCP/HTTP connections to the service.
Name | Type | Description | Required |
---|---|---|---|
tcp | object | | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.resilience.connectionPool.tcp
Name | Type | Description | Required |
---|---|---|---|
keepAlive | object | Keep Alive Settings. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.resilience.connectionPool.tcp.keepAlive
Keep Alive Settings.
Name | Type | Description | Required |
---|---|---|---|
idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false |
interval | integer | The number of seconds between keep-alive probes. | false |
probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false |
WorkspaceSetting.spec.defaultTrafficSetting.inbound.resilience.meshTimeout
Configures the max connection and stream durations for HTTP and TCP connections.
Name | Type | Description | Required |
---|---|---|---|
maxConnectionDuration | string | This specifies the duration of time after which a downstream and upstream connection will be drained and/or closed, starting from when it was first established. | false |
maxDownstreamConnectionDuration | string | The maximum duration of a TCP connection. | false |
maxStreamDuration | string | The max stream duration is the maximum time that a stream’s lifetime will span. | false |
proxyType | enum | Specifies the type of proxy to which to apply the mesh timeout settings. Enum: ANY, SIDECAR, GATEWAY | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound
Configures outbound traffic.
Name | Type | Description | Required |
---|---|---|---|
egress | object | Specifies the details of the egress proxy to which traffic to services that are not part of the mesh should be forwarded from the proxy workloads. | false |
reachability | object | The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. | false |
upstreamTrafficSettings | []object | List of hosts and the associated traffic settings to be used by the clients sending traffic to them. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.egress
Specifies the details of the egress proxy to which traffic to services that are not part of the mesh should be forwarded from the proxy workloads.
Name | Type | Description | Required |
---|---|---|---|
host | string | Specifies the egress gateway hostname. | true |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.reachability
The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.
Name | Type | Description | Required |
---|---|---|---|
hosts | []string | When the mode is | false |
mode | enum | A shortcut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index]
Name | Type | Description | Required |
---|---|---|---|
hosts | []string | List of hosts for which the settings will be created. | false |
settings | object | A single setting to be applied to all the clients connecting to the upstream hosts. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings
A single setting to be applied to all the clients connecting to the upstream hosts.
Name | Type | Description | Required |
---|---|---|---|
authentication | object | Configuration for connection authentication parameters. | false |
loadBalancer | object | Load balancing settings for the clients. | false |
resilience | object | Resilience settings for the clients. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.authentication
Configuration for connection authentication parameters.
Name | Type | Description | Required |
---|---|---|---|
trafficMode | enum | If set to Enum: UNSET, OPTIONAL, REQUIRED | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer
Load balancing settings for the clients.
Name | Type | Description | Required |
---|---|---|---|
consistentHash | object | Use consistent hash load balancing which can provide soft session affinity. | false |
simple | enum | Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash
Use consistent hash load balancing which can provide soft session affinity.
Name | Type | Description | Required |
---|---|---|---|
httpCookie | object | Hash based on HTTP cookie. | false |
httpHeaderName | string | Hash based on a specific HTTP header. | false |
httpQueryParameterName | string | Hash based on a specific HTTP query parameter. | false |
maglev | object | The Maglev load balancer implements consistent hashing to backend hosts. | false |
ringHash | object | The ring/modulo hash load balancer implements consistent hashing to backend hosts. | false |
useSourceIp | boolean | Hash based on the source IP address. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie
Hash based on HTTP cookie.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the cookie. | true |
ttl | string | Lifetime of the cookie. | true |
path | string | Path to set for the cookie. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev
The Maglev load balancer implements consistent hashing to backend hosts.
Name | Type | Description | Required |
---|---|---|---|
tableSize | integer | The table size for Maglev hashing. | true |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash
The ring/modulo hash load balancer implements consistent hashing to backend hosts.
Name | Type | Description | Required |
---|---|---|---|
minimumRingSize | integer | The minimum number of virtual nodes to use for the hash ring. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience
Resilience settings for the clients.
Name | Type | Description | Required |
---|---|---|---|
circuitBreakerSensitivity | enum | Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH, CUSTOM | false |
connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false |
outlierDetection | object | Outlier detection settings for the upstream host when custom mode is used. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool
Configures tolerance and other settings for TCP/HTTP connections to the service.
Name | Type | Description | Required |
---|---|---|---|
http | object | | false |
tcp | object | | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http
Name | Type | Description | Required |
---|---|---|---|
maxRequests | integer | Maximum number of active requests to the service. | false |
maxRequestsPerConnection | integer | Maximum number of requests per connection to the service. | false |
requestTimeout | string | Timeout for HTTP requests. | false |
retries | object | Retry policy for HTTP requests. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries
Retry policy for HTTP requests.
Name | Type | Description | Required |
---|---|---|---|
attempts | integer | Number of retries for a given request. Format: int32 | true |
perTryTimeout | string | Timeout per retry attempt for a given request. | false |
retryOn | string | Specifies the conditions under which retry takes place. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp
Name | Type | Description | Required |
---|---|---|---|
connectTimeout | string | TCP connection timeout. | false |
keepAlive | object | Keep Alive Settings. | false |
maxConnections | integer | Maximum number of HTTP1/TCP connections to the service. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive
Keep Alive Settings.
Name | Type | Description | Required |
---|---|---|---|
idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false |
interval | integer | The number of seconds between keep-alive probes. | false |
probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false |
WorkspaceSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.outlierDetection
Outlier detection settings for the upstream host when custom mode is used.
Name | Type | Description | Required |
---|---|---|---|
baseEjectionTime | string | The base time that a host is ejected for. | false |
consecutive5xx | integer | The number of consecutive server-side error responses (for HTTP traffic, 5xx responses; for TCP traffic, connection failures; for Redis, failure to respond PONG; etc.) before a consecutive 5xx ejection occurs. | false |
consecutiveGatewayFailure | integer | The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive gateway failure ejection occurs. | false |
consecutiveLocalOriginFailure | integer | | false |
enforcingConsecutive5xx | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive 5xx. | false |
enforcingConsecutiveGatewayFailure | integer | The percentage of a host to be ejected when an outlier status is detected through consecutive gateway failures. | false |
enforcingConsecutiveLocalOriginFailure | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive locally originated failures. | false |
interval | string | The time interval between ejection analysis sweeps. | false |
maxEjectionPercent | integer | The maximum % of an upstream cluster that can be ejected due to outlier detection. | false |
maxEjectionTime | string | The maximum time that a host is ejected for. | false |
splitExternalLocalOriginErrors | boolean | Determines whether to distinguish local origin failures from external errors. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting
Configuration for rate limiting requests.
Name | Type | Description | Required |
---|---|---|---|
externalService | object | Configure ratelimiting using an external ratelimit server. | false |
settings | object | | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
Name | Type | Description | Required |
---|---|---|---|
domain | string | The rate limit domain to use when calling the rate limit service. | true |
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true |
rules | []object | A set of rate limit rules. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
destinationCluster | object | Rate limit on destination envoy cluster. | false |
headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
remoteAddress | object | Rate limit on remote address of client. | false |
requestHeaders | object | Rate limit on the value of certain request headers. | false |
sourceCluster | object | Rate limit on source envoy cluster. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorValue | string | The value to use in the descriptor entry. | true |
headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript-style regex-based match. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorKey | string | The key to use in the descriptor entry. | true |
headerName | string | The header name to be queried from the request headers. | true |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls
Configure TLS parameters to be used when connecting to the external rate limit server.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings
Name | Type | Description | Required |
---|---|---|---|
rules | []object | A list of rules for ratelimiting. | true |
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
timeout | string | The timeout in seconds for the rate limit server RPC. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions to define each ratelimit rule. | true |
limit | object | The ratelimit value that will be configured for the above rules. | true |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
header | object | Rate limit on certain HTTP headers. | false |
remoteAddress | object | Rate limit on the remote address of client. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the header to match on. | true |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
value | object | Value of the header to match on if matching on a specific value. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript-style regex-based match. | false |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
Name | Type | Description | Required |
---|---|---|---|
value | string | Ratelimit on a specific remote address. | true |
WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
Name | Type | Description | Required |
---|---|---|---|
requestsPerUnit | integer | Specifies the value of the rate limit. | true |
unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true |
WorkspaceSetting.spec.defaultTrafficSetting.reachability
The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.
Name | Type | Description | Required |
---|---|---|---|
hosts | []string | When the mode is | false |
mode | enum | A shortcut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false |
WorkspaceSetting.spec.defaultTrafficSetting.resilience
Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.
Name | Type | Description | Required |
---|---|---|---|
circuitBreakerSensitivity | enum | This field is DEPRECATED in favor of Enum: UNSET, LOW, MEDIUM, HIGH | false |
httpRequestTimeout | string | This field is DEPRECATED in favor of | false |
httpRetries | object | This field is DEPRECATED in favor of | false |
keepAlive | object | Keep Alive Settings. | false |
WorkspaceSetting.spec.defaultTrafficSetting.resilience.httpRetries
This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.
Name | Type | Description | Required |
---|---|---|---|
attempts | integer | Number of retries for a given request. Format: int32 | true |
perTryTimeout | string | Timeout per retry attempt for a given request. | false |
retryOn | string | Specifies the conditions under which retry takes place. | false |
WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive
Keep Alive Settings.
Name | Type | Description | Required |
---|---|---|---|
tcp | object | TCP Keep Alive settings associated with the upstream and downstream TCP connections. | false |
WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp
TCP Keep Alive settings associated with the upstream and downstream TCP connections.
Name | Type | Description | Required |
---|---|---|---|
downstream | object | TCP Keep Alive Settings associated with the downstream (client) connection. | false |
upstream | object | This field is DEPRECATED in favor of | false |
WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream
TCP Keep Alive Settings associated with the downstream (client) connection.
Name | Type | Description | Required |
---|---|---|---|
idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false |
interval | integer | The number of seconds between keep-alive probes. | false |
probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false |
WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream
This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.
Name | Type | Description | Required |
---|---|---|---|
idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false |
interval | integer | The number of seconds between keep-alive probes. | false |
probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index]
Name | Type | Description | Required |
---|---|---|---|
hosts | []string | List of hosts for which the settings will be created. | false |
settings | object | A single setting to be applied to all the clients connecting to the upstream hosts. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings
A single setting to be applied to all the clients connecting to the upstream hosts.
Name | Type | Description | Required |
---|---|---|---|
authentication | object | Configuration for connection authentication parameters. | false |
loadBalancer | object | Load balancing settings for the clients. | false |
resilience | object | Resilience settings for the clients. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.authentication
Configuration for connection authentication parameters.
Name | Type | Description | Required |
---|---|---|---|
trafficMode | enum | If set to Enum: UNSET, OPTIONAL, REQUIRED | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer
Load balancing settings for the clients.
Name | Type | Description | Required |
---|---|---|---|
consistentHash | object | Use consistent hash load balancing which can provide soft session affinity. | false |
simple | enum | Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash
Use consistent hash load balancing which can provide soft session affinity.
Name | Type | Description | Required |
---|---|---|---|
httpCookie | object | Hash based on HTTP cookie. | false |
httpHeaderName | string | Hash based on a specific HTTP header. | false |
httpQueryParameterName | string | Hash based on a specific HTTP query parameter. | false |
maglev | object | The Maglev load balancer implements consistent hashing to backend hosts. | false |
ringHash | object | The ring/modulo hash load balancer implements consistent hashing to backend hosts. | false |
useSourceIp | boolean | Hash based on the source IP address. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie
Hash based on HTTP cookie.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the cookie. | true |
ttl | string | Lifetime of the cookie. | true |
path | string | Path to set for the cookie. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev
The Maglev load balancer implements consistent hashing to backend hosts.
Name | Type | Description | Required |
---|---|---|---|
tableSize | integer | The table size for Maglev hashing. | true |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash
The ring/modulo hash load balancer implements consistent hashing to backend hosts.
Name | Type | Description | Required |
---|---|---|---|
minimumRingSize | integer | The minimum number of virtual nodes to use for the hash ring. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience
Resilience settings for the clients.
Name | Type | Description | Required |
---|---|---|---|
circuitBreakerSensitivity | enum | Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH, CUSTOM | false |
connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false |
outlierDetection | object | Outlier detection settings for the upstream host when custom mode is used. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool
Configures tolerance and other settings for TCP/HTTP connections to the service.
Name | Type | Description | Required |
---|---|---|---|
http | object | | false |
tcp | object | | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.http
Name | Type | Description | Required |
---|---|---|---|
maxRequests | integer | Maximum number of active requests to the service. | false |
maxRequestsPerConnection | integer | Maximum number of requests per connection to the service. | false |
requestTimeout | string | Timeout for HTTP requests. | false |
retries | object | Retry policy for HTTP requests. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries
Retry policy for HTTP requests.
Name | Type | Description | Required |
---|---|---|---|
attempts | integer | Number of retries for a given request. Format: int32 | true |
perTryTimeout | string | Timeout per retry attempt for a given request. | false |
retryOn | string | Specifies the conditions under which retry takes place. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp
Name | Type | Description | Required |
---|---|---|---|
connectTimeout | string | TCP connection timeout. | false |
keepAlive | object | Keep Alive Settings. | false |
maxConnections | integer | Maximum number of HTTP1/TCP connections to the service. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive
Keep Alive Settings.
Name | Type | Description | Required |
---|---|---|---|
idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false |
interval | integer | The number of seconds between keep-alive probes. | false |
probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false |
WorkspaceSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.outlierDetection
Outlier detection settings for the upstream host when custom mode is used.
Name | Type | Description | Required |
---|---|---|---|
baseEjectionTime | string | The base time that a host is ejected for. | false |
consecutive5xx | integer | The number of consecutive server-side error responses (for HTTP traffic, 5xx responses; for TCP traffic, connection failures; for Redis, failure to respond PONG; etc.) before a consecutive 5xx ejection occurs. | false |
consecutiveGatewayFailure | integer | The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive gateway failure ejection occurs. | false |
consecutiveLocalOriginFailure | integer | | false |
enforcingConsecutive5xx | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive 5xx. | false |
enforcingConsecutiveGatewayFailure | integer | The percentage of a host to be ejected when an outlier status is detected through consecutive gateway failures. | false |
enforcingConsecutiveLocalOriginFailure | integer | The percentage of a host to be actually ejected when an outlier status is detected through consecutive locally originated failures. | false |
interval | string | The time interval between ejection analysis sweeps. | false |
maxEjectionPercent | integer | The maximum % of an upstream cluster that can be ejected due to outlier detection. | false |
maxEjectionTime | string | The maximum time that a host is ejected for. | false |
splitExternalLocalOriginErrors | boolean | Determines whether to distinguish local origin failures from external errors. | false |
WorkspaceSetting.spec.failoverSettings
Failover settings for all proxies connecting to a host exposed in this workspace.
Name | Type | Description | Required |
---|---|---|---|
automaticLoadBalancing | object | | false |
failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false |
regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false |
topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false |
WorkspaceSetting.spec.failoverSettings.automaticLoadBalancing
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | Whether to enable automatic load balancing. | false |
WorkspaceSetting.spec.failoverSettings.regionalFailover[index]
Name | Type | Description | Required |
---|---|---|---|
from | string | Originating region. | false |
to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false |
WorkspaceSetting.spec.hostsReachability
Hosts reachability defines the list of hostnames that this workspace can reach.
Name | Type | Description | Required |
---|---|---|---|
hostnames | []object | The Gateway hostname that can be one of the following. | true |
WorkspaceSetting.spec.hostsReachability.hostnames[index]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAScript-style regex-based match. | false |
WorkspaceSetting.spec.regionalFailover[index]
Name | Type | Description | Required |
---|---|---|---|
from | string | Originating region. | false |
to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false |