Tetrate Service Bridge API (1.9.x)

Tetrate Service Bridge API.

OAuth

OIDC

Callback endpoint for OAuth2 Authorization Code grant flows as part of the OIDC spec.

query Parameters
code
string

OAuth2 Authorization Code. When present this indicates the user authorized the request. TSB will use this code to acquire a token from the OIDC token endpoint and complete the login flow.

error
string

OAuth2 Error Code. When present this indicates that either the authorization request has an error, the OIDC provider encountered an error or the user failed to log in. When set TSB will display information to the user indicating what went wrong.

Standard error codes can be found here: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1 and https://openid.net/specs/openid-connect-core-1_0.html#AuthError

state
required
string

The state parameter sent to the OIDC provider on the authorization request.

errorDescription
string

Optional error description sent by the OIDC provider when an error occurs.

errorUri
string

Optional error URI of a web page that includes additional information about the error.

Responses

Response samples

Content type
application/json
{ }

Login endpoint to start an OIDC Authentication flow.

query Parameters
redirectUri
string

URL where the user will be redirected when the authentication flow completes.

Responses

Response samples

Content type
application/json
{ }

Applications

List all existing applications for the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  "applications": [ ]
}

Creates a new Application in TSB.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
required
object (v2Application)

An Application represents a set of logical groupings of services that are related to each other and expose a set of APIs that implement a complete set of business logic.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "application": { },
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workspace": "string",
  "namespaceSelector": { },
  "gatewayGroup": "string",
  "services": [ ],
  "configResources": [ ]
}

Get the details of an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workspace": "string",
  "namespaceSelector": { },
  "gatewayGroup": "string",
  "services": [ ],
  "configResources": [ ]
}

Modify an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
gatewayGroup
string

Optional FQN of the Gateway Group to be used by the application. If configured, this gateway group will be used by the application. If no namespaces are configured and no existing gateway group is set, a new gateway group claiming all namespaces in the workspace (*/*) will be created by default. All Ingress Gateway resources created for the APIs attached to the application will be created in the application's gateway group.

object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in a namespace selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting with `ns-`)
services
Array of strings

Optional list of services that are part of the application. This is a list of FQNs of services in the service registry. If omitted, the application is assumed to own all the services in the workspace. Note that a service can only be part of one application. If any of the services in the list is already in use by an existing application, application creation/modification will fail. If the list of services is not explicitly set and any service in the workspace is already in use by another application, application creation/modification will fail.

workspace
required
string

FQN of the workspace this application is part of. The application will configure IngressGateways for the attached APIs in the different namespaces exposed by this workspace.

Responses

Request samples

Content type
application/json
{
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "gatewayGroup": "string",
  "namespaceSelector": { },
  "services": [ ],
  "workspace": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workspace": "string",
  "namespaceSelector": { },
  "gatewayGroup": "string",
  "services": [ ],
  "configResources": [ ]
}

Delete an existing Application. Note that deleting resources in TSB is a recursive operation. Deleting an application will delete all API objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

query Parameters
forceDeleteProtectedGroups
boolean

Force the deletion of internal groups even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

List all APIs attached to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  "apis": [ ]
}

Attach a new API to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
required
object (v2API)

An API configuring a set of servers and endpoints that expose the Application business logic.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "api": { },
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "openapi": "string",
  "workloadSelector": { },
  "servers": [ ],
  "endpoints": [ ],
  "configResources": [ ],
  "httpServers": [ ]
}

Get the details of an API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

API name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "openapi": "string",
  "workloadSelector": { },
  "servers": [ ],
  "endpoints": [ ],
  "configResources": [ ],
  "httpServers": [ ]
}

Delete an existing API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

API name.

Responses

Response samples

Content type
application/json
{ }

WasmExtensions

List the WASM extensions that are defined for the Organization.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  "extensions": [ ]
}

Creates a new WasmExtension object in TSB. This is needed to let the extensions run. Once a WasmExtension has been created, it can be assigned to IngressGateway and SecuritySetting. This method returns the created extension.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2WasmExtension)

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "wasmExtension": { }
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "allowedIn": [ ],
  "image": "string",
  "source": "string",
  "phase": "UNSPECIFIED_PHASE",
  "priority": 0,
  "config": { },
  "imagePullPolicy": "UNSPECIFIED_POLICY",
  "imagePullSecret": "string",
  "vmConfig": { },
  "url": "string",
  "match": { }
}

Get a WASM extension

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "allowedIn": [ ],
  "image": "string",
  "source": "string",
  "phase": "UNSPECIFIED_PHASE",
  "priority": 0,
  "config": { },
  "imagePullPolicy": "UNSPECIFIED_POLICY",
  "imagePullSecret": "string",
  "vmConfig": { },
  "url": "string",
  "match": { }
}

Modify an existing WasmExtension. When modifying the details of an extension in use, such as the image property, enabled flag, phase, or default configuration, a redeploy or reconfiguration of the extension may be triggered, affecting live traffic in all those places that reference the extension. Similarly, changes to the allowed_in property may trigger the removal of the extension from all places where the extension was in use that are not allowed to use it anymore, affecting live traffic on the relevant namespaces as well.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
allowedIn
Array of strings

List of fqns where this extension is allowed to run. If it is empty, the extension can be used across the entire organization. Currently only Tenant resources are considered.

config
object

Configuration parameters sent to the WASM plugin execution. The configuration can be overwritten when instantiating the extensions in IngressGateways or Security groups. The config is serialized using proto3 JSON marshaling and passed to proxy_on_configure when the host environment starts the plugin.

description
string (A description of the extension. $hide_from_yaml)
displayName
string (User friendly name for the extension. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
image
string

Deprecated. Use the url field instead. Repository and tag of the OCI image containing the WASM extension.

imagePullPolicy
string (WasmExtensionPullPolicy)
Default: "UNSPECIFIED_POLICY"
Enum: "UNSPECIFIED_POLICY" "IfNotPresent" "Always"

The pull behaviour to be applied when fetching a WASM module, mirroring K8s behaviour.

  • UNSPECIFIED_POLICY: Defaults to IfNotPresent, except for OCI images with tag latest, for which the default will be Always.
  • IfNotPresent: If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version.
  • Always: We will always pull the latest version of an image when changing this plugin. Note that the change includes metadata field as well.
imagePullSecret
string

Credentials to use for OCI image pulling. Name of a K8s Secret that contains a docker pull secret which is to be used to authenticate against the registry when pulling the image. If TSB is configured to use the WASM download proxy, this secret must exist in the istio-system namespace of each cluster that has applications that use the extension. If the download proxy is disabled, the secret must exist in each application namespace that is using the extension.

object (v2GlobalTrafficSelector)

GlobalTrafficSelector provides a mechanism to select a specific traffic flow for which this Wasm Extension will be enabled. This setting applies to all WASM Extension attachments. These selectors can be overridden at attachments. When all the sub conditions in the TrafficSelector are satisfied, the traffic will be selected.

phase
string (Plugin phases following Istio definition: https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase)
Default: "UNSPECIFIED_PHASE"
Enum: "UNSPECIFIED_PHASE" "AUTHN" "AUTHZ" "STATS"
  • UNSPECIFIED_PHASE: Control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others.
  • AUTHN: Insert plugin before Istio authentication filters.
  • AUTHZ: Insert plugin before Istio authorization filters and after Istio authentication filters.
  • STATS: Insert plugin before Istio stats filters and after Istio authorization filters.
priority
integer <int32>

Determines the ordering of WasmExtensions in the same phase. When multiple WasmExtensions are applied to the same workload in the same phase, they will be applied by priority, in descending order. If no priority is assigned it will use the default 0 value. In case of several extensions having the same priority in the same phase, the fqn will be used to sort them.

source
string (Source to find the code for the WASM extension)
url
required
string

URL of a Wasm module or OCI container. If no scheme is present, defaults to oci://, referencing an OCI image. Other valid schemes are file:// for referencing .wasm module files present locally within the proxy container, and http[s]:// for .wasm module files hosted remotely.

object (v2VmConfig)

Configuration for a Wasm VM. More details can be found here.
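The url, imagePullPolicy, phase, priority and allowedIn rules above can be combined into a small configuration review. The following is an added example, not part of the TSB documentation or Tetrate code; the sample extensions, their FQNs and URLs, and the finding texts are constructed, and sorting ties by ascending fqn is an assumption.

```python
# Added example, not Tetrate code. Field names follow the WasmExtension
# schema above; SAMPLE and the finding texts are constructed.
# UNSPECIFIED_PHASE is "generally" last in the chain, so it sorts last here.
PHASE_ORDER = ["AUTHN", "AUTHZ", "STATS", "UNSPECIFIED_PHASE"]
PHASE_NOTE = {
    "AUTHN": "inserted before Istio authentication filters",
    "AUTHZ": "inserted before Istio authorization filters",
}


def split_url(url):
    """Return (scheme, rest); a URL without a scheme defaults to oci://."""
    if "://" in url:
        scheme, rest = url.split("://", 1)
        return scheme.lower(), rest
    return "oci", url


def oci_tag(ref):
    """Tag of an OCI reference, or None if untagged or pinned by digest."""
    if "@" in ref:                     # name@sha256:... is pinned by digest
        return None
    last = ref.rsplit("/", 1)[-1]      # a ':' before the last '/' is a port
    return last.split(":", 1)[1] if ":" in last else None


def effective_pull_policy(ext):
    """Resolve UNSPECIFIED_POLICY the way the enum description states."""
    policy = ext.get("imagePullPolicy", "UNSPECIFIED_POLICY")
    if policy != "UNSPECIFIED_POLICY":
        return policy
    scheme, rest = split_url(ext["url"])
    is_latest = scheme == "oci" and oci_tag(rest) == "latest"
    return "Always" if is_latest else "IfNotPresent"


def execution_order(extensions):
    """Phase, then priority descending, then fqn (ascending is assumed)."""
    return sorted(
        extensions,
        key=lambda e: (
            PHASE_ORDER.index(e.get("phase", "UNSPECIFIED_PHASE")),
            -e.get("priority", 0),
            e["fqn"],
        ),
    )


def review(ext):
    """Return review findings for one WasmExtension object."""
    findings = []
    scheme, rest = split_url(ext["url"])
    if scheme == "http":
        findings.append("module fetched over plaintext http")
    if scheme == "oci" and oci_tag(rest) == "latest":
        findings.append("mutable 'latest' tag, pull policy %s"
                        % effective_pull_policy(ext))
    if not ext.get("allowedIn"):
        findings.append("allowedIn empty: usable across the organization")
    if ext.get("image"):
        findings.append("deprecated image field set; use url")
    phase = ext.get("phase", "UNSPECIFIED_PHASE")
    if phase in PHASE_NOTE:
        findings.append(PHASE_NOTE[phase])
    return findings


# Constructed sample objects (names, registries and hosts are illustrative).
SAMPLE = [
    {"fqn": "organizations/acme/extensions/rate-limit", "phase": "AUTHZ",
     "priority": 10, "url": "ghcr.io/acme/rate-limit:latest",
     "allowedIn": ["organizations/acme/tenants/payments"]},
    {"fqn": "organizations/acme/extensions/header-audit", "phase": "AUTHZ",
     "priority": 10, "allowedIn": [],
     "url": "http://artifacts.example.internal/header-audit.wasm"},
    {"fqn": "organizations/acme/extensions/jwt-claims", "phase": "AUTHN",
     "url": "oci://registry.example.com:5000/acme/jwt-claims@sha256:<digest>",
     "allowedIn": ["organizations/acme/tenants/payments"]},
    {"fqn": "organizations/acme/extensions/metrics",
     "url": "file:///opt/filters/metrics.wasm",
     "allowedIn": ["organizations/acme/tenants/payments"]},
]

if __name__ == "__main__":
    for ext in execution_order(SAMPLE):
        print(ext["fqn"], effective_pull_policy(ext), review(ext))
```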

Responses

Request samples

Content type
application/json
{
  "allowedIn": [ ],
  "config": { },
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "image": "string",
  "imagePullPolicy": "UNSPECIFIED_POLICY",
  "imagePullSecret": "string",
  "match": { },
  "phase": "UNSPECIFIED_PHASE",
  "priority": 0,
  "source": "string",
  "url": "string",
  "vmConfig": { }
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "allowedIn": [ ],
  "image": "string",
  "source": "string",
  "phase": "UNSPECIFIED_PHASE",
  "priority": 0,
  "config": { },
  "imagePullPolicy": "UNSPECIFIED_POLICY",
  "imagePullSecret": "string",
  "vmConfig": { },
  "url": "string",
  "match": { }
}

Delete a WasmExtension. Note that deleting a WasmExtension will delete the extension itself, and also its assignments to IngressGateway and SecuritySetting.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{ }

Gateways

List all gateway groups that exist in the workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  "groups": [ ]
}

Create a new gateway group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (v2Group)

A gateway group manages the gateways in a group of namespaces owned by the parent workspace.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "group": { },
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "namespaceSelector": { },
  "configMode": "BRIDGED",
  "deletionProtectionEnabled": true,
  "configGenerationMetadata": { }
}

Get the details of the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "namespaceSelector": { },
  "configMode": "BRIDGED",
  "deletionProtectionEnabled": true,
  "configGenerationMetadata": { }
}

Update the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio-generated configurations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

configMode
string (v2ConfigMode)
Default: "BRIDGED"
Enum: "BRIDGED" "DIRECT"

The configuration mode used by a traffic, security or a gateway group.

  • BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.
  • DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in a namespace selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting with `ns-`)
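The `cluster/namespace` name form described here, together with the rule from gateway group creation that a group's namespaces must be a subset of its workspace's, can be checked before a selector is submitted. The following is an added example, not part of the TSB documentation or Tetrate code; the function names and the cluster and namespace names are constructed, and coverage is tested against one workspace name at a time, which is a conservative assumption.

```python
# Added example, not Tetrate code: parse and compare NamespaceSelector names.
# All function names and sample cluster/namespace names are constructed.


def parse_name(name):
    """Split 'cluster/namespace' and enforce the wildcard rules above."""
    cluster, sep, namespace = name.partition("/")
    if not sep or not cluster or not namespace or "/" in namespace:
        raise ValueError("expected cluster/namespace: %r" % name)
    if "*" in cluster and cluster != "*":
        raise ValueError("cluster must be a name or '*': %r" % name)
    if "*" in namespace[:-1]:
        # '*' is only valid alone or as the trailing character of a prefix
        raise ValueError("namespace must be a name, '*' or 'prefix*': %r" % name)
    return cluster, namespace


def _ns_matches(pattern, namespace):
    """Match a concrete namespace; '*' is the empty prefix and matches all."""
    if pattern.endswith("*"):
        return namespace.startswith(pattern[:-1])
    return namespace == pattern


def selects(names, cluster, namespace):
    """True if any selector name selects the concrete cluster/namespace."""
    for name in names:
        c, n = parse_name(name)
        if c in ("*", cluster) and _ns_matches(n, namespace):
            return True
    return False


def covers(outer, inner):
    """True if everything selected by `inner` is also selected by `outer`."""
    oc, on = parse_name(outer)
    ic, inn = parse_name(inner)
    if oc != "*" and oc != ic:          # a specific cluster never covers '*'
        return False
    if on.endswith("*"):
        base = inn[:-1] if inn.endswith("*") else inn
        return base.startswith(on[:-1])
    return on == inn                    # exact name covers only itself


def outside_workspace(workspace_names, group_names):
    """Group names not covered by any single workspace name.

    Conservative: a group name covered only by the union of several
    workspace names is still reported.
    """
    return [g for g in group_names
            if not any(covers(w, g) for w in workspace_names)]


# Constructed sample selectors.
WORKSPACE = ["prod-east/payments-*", "*/shared"]
GROUP = [
    "prod-east/payments-api",     # inside: matches the payments- prefix
    "prod-east/payments-db-*",    # inside: narrower prefix
    "*/payments-api",             # outside: widens to all clusters
    "prod-west/shared",           # inside: covered by */shared
]

if __name__ == "__main__":
    print("outside workspace:", outside_workspace(WORKSPACE, GROUP))
    print(selects(WORKSPACE, "prod-west", "payments-api"))
```

A non-empty result from `outside_workspace` marks selector names that widen the group beyond the workspace's isolated configuration domain.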

Responses

Request samples

Content type
application/json
{
  "configGenerationMetadata": { },
  "configMode": "BRIDGED",
  "deletionProtectionEnabled": true,
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "namespaceSelector": { }
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "namespaceSelector": { },
  "configMode": "BRIDGED",
  "deletionProtectionEnabled": true,
  "configGenerationMetadata": { }
}

Delete the given gateway group. Note that deleting resources in TSB is a recursive operation. Deleting a gateway group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all Egress Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "egressGateways": [ ]
}

Create an Egress Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (v2EgressGateway)

EgressGateway configures a workload to act as an egress gateway in the mesh.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "egressGateway": { },
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": { },
  "authorization": [ ],
  "extension": [ ],
  "configGenerationMetadata": { }
}

Get the details of the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": { },
  "authorization": [ ],
  "extension": [ ],
  "configGenerationMetadata": { }
}

Modify the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
Array of objects (EgressAuthorization is used to dictate which service accounts can access a set of external hosts)

The description of which service accounts can access which hosts. If the list of authorization rules is empty, this egress gateway will deny all traffic.

object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio-generated configurations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this EgressGateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.

required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "authorization": [