Gateway Common Configuration Messages
Configurations used to build gateways.
ClusterDestination #
Field | Description | Validation Rule |
---|---|---|
name | string | – |
labels | map<string, string> | – |
network | string Deprecated: The | – |
weight | uint32 | – |
CorsPolicy #
Field | Description | Validation Rule |
---|---|---|
allowOrigin | List of string | – |
allowMethods | List of string | – |
allowHeaders | List of string | – |
exposeHeaders | List of string | – |
maxAge | google.protobuf.Duration | – |
allowCredentials | google.protobuf.BoolValue | – |
ExternalRateLimitServiceSettings #
Configuration for rate limiting using an external rate limit server. The rate limit server must expose Envoy's Rate Limit Service gRPC API.
If the rate limit service is called, and the response for any of the descriptors is over limit, a 429 response is returned. The rate limit filter also sets the x-envoy-ratelimited header.
If there is an error in calling the rate limit service, or the rate limit service returns an error, and failure_mode_deny is set to true, a 500 response is returned.
Field | Description | Validation Rule |
---|---|---|
domain | string | string = { |
failClosed | bool | – |
rateLimitServerUri | string | string = { |
rules | List of tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings.RateLimitRule | repeated = { |
timeout | google.protobuf.Duration | – |
tls | tetrateio.api.tsb.auth.v2.ClientTLSSettings | – |
RateLimitDimension #
RateLimitDimension is a set of conditions to match HTTP requests. Once the conditions are satisfied, the corresponding descriptors (sets of keys and values) are emitted and sent to the external rate limit server. The server is expected to make a rate limit decision based on these descriptors. See the Envoy RateLimit descriptor documentation for more information on descriptors.
Field | Description | Validation Rule |
---|---|---|
sourceCluster | tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings.RateLimitDimension.SourceCluster oneof _dimension_specifier | – |
destinationCluster | tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings.RateLimitDimension.DestinationCluster oneof _dimension_specifier | – |
remoteAddress | tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings.RateLimitDimension.RemoteAddress oneof _dimension_specifier | – |
requestHeaders | tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings.RateLimitDimension.RequestHeaders oneof _dimension_specifier | – |
headerValueMatch | tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings.RateLimitDimension.HeaderValueMatch oneof _dimension_specifier | – |
DestinationCluster #
Emit descriptor entry - a key-value pair of the form ("destination_cluster", "<routed target cluster>"), where destination_cluster is the destination Envoy cluster to which traffic is bound.
HeaderValueMatch #
Emit descriptor entry - a key-value pair of the form ("header_match", "<descriptor_value>"), where descriptor_value is a user-specified value corresponding to a header match event.
Field | Description | Validation Rule |
---|---|---|
headers | map<string, tetrateio.api.tsb.gateway.v2.StringMatch> | map = { |
descriptorValue | string | string = { |
RemoteAddress #
Emit descriptor entry - a key-value pair of the form ("remote_address", "<trusted address from x-forwarded-for>").
RequestHeaders #
Emit descriptor entry - a key-value pair of the form ("<descriptor_key>", "<header_value_queried_from_header>"), where descriptor_key is a user-specified key to emit when the HTTP header is seen.
Field | Description | Validation Rule |
---|---|---|
headerName | string | string = { |
descriptorKey | string | string = { |
SourceCluster #
Emit descriptor entry - a key-value pair of the form ("source_cluster", "<local service cluster>"), where source_cluster is the source Envoy cluster (corresponding to the --service-cluster flag value set by Istio).
RateLimitRule #
Field | Description | Validation Rule |
---|---|---|
dimensions | List of tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings.RateLimitDimension | repeated = { |
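The descriptor rules above, modelled as an added example (not TSB or Envoy code): it builds the entries each dimension emits for a constructed request and maps the rate limit service's answer to the 429/500 outcomes described under ExternalRateLimitServiceSettings. Assumptions: a rule emits a descriptor only when every one of its dimensions yields an entry, regex matches the whole value, and failClosed is the switch the text calls failure_mode_deny; all function names, sample rules and values are hypothetical.

```python
import re

def string_match(m, value):
    """StringMatch: one of exact / prefix / regex, always case-sensitive."""
    if "exact" in m:
        return value == m["exact"]
    if "prefix" in m:
        return value.startswith(m["prefix"])
    return re.fullmatch(m["regex"], value) is not None  # whole-value match is an assumption

def entry_for(dim, req):
    """Return the (key, value) entry one RateLimitDimension emits, or None."""
    kind, cfg = next(iter(dim.items()))  # oneof: exactly one specifier is set
    simple = {"sourceCluster": "source_cluster", "destinationCluster": "destination_cluster",
              "remoteAddress": "remote_address"}  # remote_address = trusted X-Forwarded-For hop
    if kind in simple:
        return (simple[kind], req[simple[kind]])
    if kind == "requestHeaders":
        value = req["headers"].get(cfg["headerName"])
        return (cfg["descriptorKey"], value) if value is not None else None
    if kind == "headerValueMatch":
        ok = all(name in req["headers"] and string_match(sm, req["headers"][name])
                 for name, sm in cfg["headers"].items())
        return ("header_match", cfg["descriptorValue"]) if ok else None
    raise ValueError(f"unknown dimension {kind!r}")

def descriptors(rules, req):
    """One descriptor per rule; a rule with an unsatisfied dimension emits none (assumption)."""
    built = ([entry_for(d, req) for d in r["dimensions"]] for r in rules)
    return [entries for entries in built if None not in entries]

def status(verdicts, service_error, fail_closed):
    """429 if any descriptor is over limit, 500 on error when failing closed, else None (forwarded)."""
    if service_error:
        return 500 if fail_closed else None
    return 429 if "OVER_LIMIT" in verdicts else None

# Constructed sample rules and request (not taken from the TSB documentation).
RULES = [
    {"dimensions": [{"remoteAddress": {}},
                    {"requestHeaders": {"headerName": "x-api-key", "descriptorKey": "api_key"}}]},
    {"dimensions": [{"headerValueMatch": {"headers": {"x-client-tier": {"exact": "free"}},
                                          "descriptorValue": "free_tier"}}]},
]
REQUEST = {"headers": {"x-api-key": "k-123", "x-client-tier": "paid"},
           "source_cluster": "ingress", "destination_cluster": "auth-svc",
           "remote_address": "203.0.113.7"}
```

A request that omits x-api-key produces no descriptor for the first rule in this model, so that rule never counts it; whether unkeyed traffic should bypass the limit is worth deciding explicitly when choosing dimensions.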
HTTPRewrite #
Configuration for a URL rewrite rule.
Field | Description | Validation Rule |
---|---|---|
uri | string | – |
authority | string | – |
Headers #
Header manipulation rules.
Field | Description | Validation Rule |
---|---|---|
request | tetrateio.api.tsb.gateway.v2.Headers.HeaderOperations | – |
response | tetrateio.api.tsb.gateway.v2.Headers.HeaderOperations | – |
HeaderOperations #
HeaderOperations describes the header manipulations to apply.
Field | Description | Validation Rule |
---|---|---|
set | map<string, string> | – |
add | map<string, string> | – |
remove | List of string | – |
HostsReachability #
HostsReachability defines the list of gateway hosts that this workspace can reach.
In multicluster deployments, hosts are reachable from all namespaces (*) by default.
However, this may not always be necessary, as clients may only be present in a few namespaces.
By configuring this, the list of namespaces can be limited to the namespaces configured in the workspace.
Workspaces with no hosts reachability configuration are considered able to reach all hosts.
Field | Description | Validation Rule |
---|---|---|
hostnames | List of tetrateio.api.tsb.gateway.v2.StringMatch | – |
HttpMatchCondition #
A single match clause to match all aspects of a request.
Field | Description | Validation Rule |
---|---|---|
uri | tetrateio.api.tsb.gateway.v2.StringMatch | – |
headers | map<string, tetrateio.api.tsb.gateway.v2.StringMatch> | – |
HttpModifyAction #
HTTP path/url/header modification.
Field | Description | Validation Rule |
---|---|---|
rewrite | tetrateio.api.tsb.gateway.v2.HTTPRewrite | – |
headers | tetrateio.api.tsb.gateway.v2.Headers | – |
RateLimitSettings #
Configuration for rate limiting HTTP/gRPC requests. This has a list of rate limit rules that can be configured. With each rule, a list of dimensions can be defined. A request counts towards the limit if all of the dimensions match the attributes of the request. When the matched requests exceed the limit, a 429 response is returned.
Field | Description | Validation Rule |
---|---|---|
rules | List of tetrateio.api.tsb.gateway.v2.RateLimitSettings.RateLimitRule | repeated = { |
failClosed | bool | – |
timeout | google.protobuf.Duration | – |
RateLimitDimension #
RateLimitDimension is a condition to match HTTP requests that should be rate limited.
Field | Description | Validation Rule |
---|---|---|
remoteAddress | tetrateio.api.tsb.gateway.v2.RateLimitSettings.RateLimitDimension.RemoteAddress oneof _dimension_specifier | – |
header | tetrateio.api.tsb.gateway.v2.RateLimitSettings.RateLimitDimension.Header oneof _dimension_specifier | – |
Header #
Rate limit based on certain headers.
Field | Description | Validation Rule |
---|---|---|
name | string | string = { |
value | tetrateio.api.tsb.gateway.v2.StringMatch | – |
RemoteAddress #
Rate limit based on the client's remote address, extracted from the trusted X-Forwarded-For header.
Field | Description | Validation Rule |
---|---|---|
value | string | string = { |
RateLimitRule #
RateLimitRule is the block that defines each internal rate limit configuration.
Field | Description | Validation Rule |
---|---|---|
dimensions | List of tetrateio.api.tsb.gateway.v2.RateLimitSettings.RateLimitDimension | repeated = { |
limit | tetrateio.api.tsb.gateway.v2.RateLimitSettings.RateLimitValue | message = { |
RateLimitValue #
RateLimitValue specifies the values that will be used to determine the rate limit.
Field | Description | Validation Rule |
---|---|---|
requestsPerUnit | uint32 | – |
unit | tetrateio.api.tsb.gateway.v2.RateLimitSettings.RateLimitValue.Unit | enum = { |
RateLimiting #
Configuration for rate limiting. HTTP/gRPC requests can be rate limited based on a variety of attributes in the request, such as headers (including cookies), URL paths/prefixes, client remote address, etc.
Field | Description | Validation Rule |
---|---|---|
settings | tetrateio.api.tsb.gateway.v2.RateLimitSettings oneof _ratelimit_specifier | – |
externalService | tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings oneof _ratelimit_specifier | – |
Redirect #
Field | Description | Validation Rule |
---|---|---|
uri | string | – |
authority | string | – |
redirectCode | uint32 | – |
port | uint32 | – |
scheme | string | – |
ServerTLSSettings #
Field | Description | Validation Rule |
---|---|---|
mode | tetrateio.api.tsb.gateway.v2.ServerTLSSettings.TLSMode | – |
secretName | string | – |
files | tetrateio.api.tsb.gateway.v2.ServerTLSSettings.FileSource | – |
minProtocolVersion | tetrateio.api.tsb.gateway.v2.TLSProtocol | enum = { |
maxProtocolVersion | tetrateio.api.tsb.gateway.v2.TLSProtocol | enum = { |
cipherSuites | List of string | – |
subjectAltNames | List of string | – |
FileSource #
File path configuration of TLS keys and certificates.
Field | Description | Validation Rule |
---|---|---|
serverCertificate | string | – |
privateKey | string | – |
caCertificates | string | – |
StringMatch #
Describes how to match a given string in HTTP headers. Match is case-sensitive.
Field | Description | Validation Rule |
---|---|---|
exact | – | |
prefix | – | |
regex | string oneof _match_type | – |
Unit #
Units of time.
Field | Number | Description |
---|---|---|
UNKNOWN | 0 | |
SECOND | 1 | |
MINUTE | 2 | |
HOUR | 3 | |
DAY | 4 | |
TLSMode #
Field | Number | Description |
---|---|---|
DISABLED | 0 | |
SIMPLE | 1 | |
MUTUAL | 2 | |
TLSProtocol #
Enumeration for TLS protocol versions.
Field | Number | Description |
---|---|---|
TLS_AUTO | 0 | |
TLSV1_0 | 1 | |
TLSV1_1 | 2 | |
TLSV1_2 | 3 | |
TLSV1_3 | 4 | |