Diagnostic Service

Service to access to Diagnostic Tools in TSB

ProxyDiagnosticService

The Proxy Diagnostic Service exposes methods to access diagnostic tools in workload proxies handled by TSB, such as handling log level, gathering configurations or stats. When performing a diagnostic operation on a workload, the caller must specify:

• The resource the workload belongs to, identified by its FQN provided via the fqn field in the request messages. On this resource, the caller must have the required ProxyDiagnostic permissions.
• The cluster the workload belongs to, identified by the cluster field in the request messages.
• The workload details to run the task against.

These methods are authorized by the ReadProxyDiagnostic and WriteProxyDiagnostic permissions which the caller must have on the resource the workload belongs to. These permissions can be granted via the TSB RBAC system. For example, the following proxytools-user role allows to perform read and write operations related to the diagnostic tools. Via the access binding, in the context of the demo tenant, the proxytools-user role is granted to the demo-team team. As a result, any user in the team will be able to operate the diagnostic tools on the resources belonging to that tenant.

apiVersion: rbac.tsb.tetrate.io/v2
kind: Role
metadata:
  name: proxytools-user
spec:
  rules:
  - types:
    - apiGroup: diagnostic.tsb.tetrate.io/v2
      kinds:
      - ProxyDiagnostic
    permissions:
    - READ
    - WRITE
---
apiVersion: rbac.tsb.tetrate.io/v2
kind: AccessBindings
metadata:
  fqn: organizations/demo/tenants/demo
spec:
  allow:
  - role: rbac/proxytools-user
    subjects:
    - user: organizations/tetrate/teams/demo-team

GetLoggerLevels

SetLoggerLevels

GetConfigDump

GetServerStats

GetClusterStats

ListWorkloads

StreamLogs

GetClusterStatsRequest

Request for the cluster stats of an Istio Proxy.

Field	Description	Validation Rule
fqn	string REQUIRED Fully-qualified name of the resource the workload belongs to.	string = {   min_len: 1 }
cluster	string REQUIRED Fully-qualified name of the cluster the workload belongs to.	string = {   min_len: 1 }
workload	tetrateio.api.tsb.diagnostic.v2.Workload REQUIRED Name of the workload (Istio Proxy) to run the task against.	message = {   required: true }
outputFormat	tetrateio.api.tsb.diagnostic.v2.GetClusterStatsRequest.ClusterStatsFormat Desired output format. Defaults to JSON.	enum = {   defined_only: true }

GetClusterStatsResponse

Response to the request for the cluster stats of an Istio Proxy. Returns the output of the /clusters endpoint of the Envoy Admin interface. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--clusters

Field	Description	Validation Rule
output	string Output of the cluster stats endpoint of an Istio Proxy.	–
outputFormat	tetrateio.api.tsb.diagnostic.v2.GetClusterStatsRequest.ClusterStatsFormat Format of the output of the cluster stats endpoint of an Istio Proxy.	–

GetConfigDumpRequest

Request for a config dump from a workload (Istio Proxy).

Field	Description	Validation Rule
fqn	string REQUIRED Fully-qualified name of the resource the workload belongs to.	string = {   min_len: 1 }
cluster	string REQUIRED Fully-qualified name of the cluster the workload belongs to.	string = {   min_len: 1 }
workload	tetrateio.api.tsb.diagnostic.v2.Workload REQUIRED Name of the workload (Istio Proxy) to run the task against.	message = {   required: true }
all	tetrateio.api.tsb.diagnostic.v2.GetConfigDumpRequest.All oneof _selector Dump all configuration.	–
bootstrap	tetrateio.api.tsb.diagnostic.v2.GetConfigDumpRequest.Bootstrap oneof _selector Dump bootstrap configuration.	–
clusters	tetrateio.api.tsb.diagnostic.v2.GetConfigDumpRequest.Clusters oneof _selector Dump cluster configuration.	–
ecds	tetrateio.api.tsb.diagnostic.v2.GetConfigDumpRequest.Ecds oneof _selector Dump typed extension configuration.	–
endpoints	tetrateio.api.tsb.diagnostic.v2.GetConfigDumpRequest.Endpoints oneof _selector Dump endpoint configuration.	–
listeners	tetrateio.api.tsb.diagnostic.v2.GetConfigDumpRequest.Listeners oneof _selector Dump listener configuration.	–
routes	tetrateio.api.tsb.diagnostic.v2.GetConfigDumpRequest.Routes oneof _selector Dump route configuration.	–
secrets	tetrateio.api.tsb.diagnostic.v2.GetConfigDumpRequest.Secrets oneof _selector Dump secret configuration.	–

All

Dump all configuration.

Field	Description	Validation Rule
includeEds	bool Include EDS into config dump.	–

Bootstrap

Dump bootstrap configuration.

Clusters

Dump cluster configuration.

Ecds

Dump typed extension configuration.

Endpoints

Dump endpoint configuration.

Listeners

Dump listener configuration.

Routes

Dump route configuration.

Secrets

Dump secret configuration.

GetConfigDumpResponse

Response to the request for a config dump from an Istio Proxy. Returns the output of the /config_dump endpoint of the Envoy Admin interface. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump

Field	Description	Validation Rule
output	string Config in JSON format.	–

GetLoggerLevelsRequest

Request for effective logger levels of an Istio Proxy.

Field	Description	Validation Rule
fqn	string REQUIRED Fully-qualified name of the resource the workload belongs to.	string = {   min_len: 1 }
cluster	string REQUIRED Fully-qualified name of the cluster the workload belongs to.	string = {   min_len: 1 }
workload	tetrateio.api.tsb.diagnostic.v2.Workload REQUIRED Name of the workload (Istio Proxy) details to run the task against.	message = {   required: true }

GetServerStatsRequest

Request for the server stats of an Istio Proxy.

Field	Description	Validation Rule
fqn	string REQUIRED Fully-qualified name of the resource the workload belongs to.	string = {   min_len: 1 }
cluster	string REQUIRED Fully-qualified name of the cluster the workload belongs to.	string = {   min_len: 1 }
workload	tetrateio.api.tsb.diagnostic.v2.Workload REQUIRED Name of the workload (Istio Proxy) to run the task against.	message = {   required: true }
outputFormat	tetrateio.api.tsb.diagnostic.v2.GetServerStatsRequest.ServerStatsFormat Desired output format. Defaults to JSON.	enum = {   defined_only: true }

GetServerStatsResponse

Response to the request for the server stats of an Istio Proxy. Returns the output of the /stats endpoint of the Envoy Admin interface. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--stats

Field	Description	Validation Rule
output	string Output of the server stats endpoint of an Istio Proxy.	–
outputFormat	tetrateio.api.tsb.diagnostic.v2.GetServerStatsRequest.ServerStatsFormat Format of the output of the server stats endpoint of an Istio Proxy.	–

ListWorkloadsRequest

Request to retrieve the workload names on which the diagnostic tools can be run. The returned workloads are belonging to the resource specified by the fqn field and are running in the cluster specified by the cluster field.

Field	Description	Validation Rule
fqn	string REQUIRED Fully-qualified name of the resource the workload belongs to.	string = {   min_len: 1 }
cluster	string REQUIRED Fully-qualified name of the cluster the workload belongs to.	string = {   min_len: 1 }
pageSize	int32 OPTIONAL Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.	–
pageToken	string OPTIONAL Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.	–
filter	tetrateio.api.tsb.diagnostic.v2.ListWorkloadsRequest.Filter OPTIONAL Workloads filter.	–

Filter

Workloads filter.

Field	Description	Validation Rule
namespace	string Namespace name.	–
serviceName	string Name of a Service.	–

ListWorkloadsResponse

Response to the request for a list of Workloads.

Field	Description	Validation Rule
workloads	List of tetrateio.api.tsb.diagnostic.v2.Workload List of workloads.	–
nextPageToken	string A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.	–
totalSize	int32 Total number of Workloads. If a filter was included in the request, this reflects the total number after the filtering is applied.	–

LoggerLevelsResponse

Response to the request for effective logger levels of an Istio Proxy. Returns the output of the /logging endpoint of the Envoy Admin interface.

Field	Description	Validation Rule
supportedLevels	List of string Supported logging levels.	–
loggerLevels	map<string, string> Effective logger levels.	–

SetLoggerLevelsRequest

Request to change effective logger levels of an Istio Proxy.

Field	Description	Validation Rule
fqn	string REQUIRED Fully-qualified name of the resource the workload belongs to.	string = {   min_len: 1 }
cluster	string REQUIRED Fully-qualified name of the cluster the workload belongs to.	string = {   min_len: 1 }
workload	tetrateio.api.tsb.diagnostic.v2.Workload REQUIRED Name of the workload (Istio Proxy) to run the task against.	message = {   required: true }
allLoggers	tetrateio.api.tsb.diagnostic.v2.SetLoggerLevelsRequest.AllLoggers oneof _loggers Desired level for all loggers.	–
givenLoggers	tetrateio.api.tsb.diagnostic.v2.SetLoggerLevelsRequest.GivenLoggers oneof _loggers Desired levels for given loggers.	–

AllLoggers

Desired level for all loggers.

Field	Description	Validation Rule
level	string REQUIRED Desired level for all loggers.	string = {   min_len: 1 }

GivenLoggers

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Examples: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"} See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about loggers' naming.

Field	Description	Validation Rule
loggerLevels	map<string, string> REQUIRED Desired levels for given loggers.	map = {   min_pairs: 1   keys: {string:{min_len:1}}   values: {string:{min_len:1}} }

StreamLogsRequest

Request to stream logs of an Istio Proxy.

Field	Description	Validation Rule
fqn	string REQUIRED Fully-qualified name of the resource the workload belongs to.	string = {   min_len: 1 }
cluster	string REQUIRED Fully-qualified name of the cluster to execute the diagnostic task in.	string = {   min_len: 1 }
workload	tetrateio.api.tsb.diagnostic.v2.Workload REQUIRED Workload details to run the task against.	message = {   required: true }
follow	bool Follow the log stream of the pod. Defaults to false.	–
previous	bool Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.	–
sinceSeconds	google.protobuf.Int64Value A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.	–

StreamLogsResponse

Response to the request to stream logs of an Istio Proxy.

Field	Description	Validation Rule
output	string Logs of an Istio Proxy.	–

Workload

Name and namespace of a workload.

Field	Description	Validation Rule
namespace	string REQUIRED Namespace of a workload.	string = {   min_len: 1 }
name	string REQUIRED Name of a workload.	string = {   min_len: 1 }

ClusterStatsFormat

Format of the cluster stats of an Istio Proxy.

Field	Number	Description
JSON	0	JSON format.
TEXT	1	Text format.

ServerStatsFormat

Format of the server stats of an Istio Proxy.

Field	Number	Description
JSON	0	JSON format.
TEXT	1	Text format.
PROMETHEUS	2	Prometheus format.