Skip to main content
logoTetrate Service ExpressVersion: Latest

JWT Issuer

The differences between TSB and TSE API

Tetrate Service Express (TSE) utilizes many of the same components as the Tetrate Service Bridge(TSB) product but has the several distinctions. Go to Comparing TSE and TSB for more details.

JwtIssuer specifies configuration associated with a JWT issuer.

For example,

issuer: "https://mycompany.corp"
jwksUri: "https://mycompany.corp/jwks.json"
shortName: "mycorp"
tokenFields:
  attributes:
    jsonPath: .custom_attributes

JwtIssuer

JwtIssuer specifies configuration associated with a JWT issuer.

FieldDescriptionValidation Rule

issuer

string
REQUIRED
JWT Issuer identifier.

The value must be a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

E.g., https://mycompany.corp, https://accounts.google.com, https://sts.windows.net/9edbd6c9-0e5b-4cfd-afec-fdde27cdd928/, etc.

See https://openid.net/specs/openid-connect-core-1_0.html#IDToken

string = {
  prefix: https://
  uri: true
}

jwksUri

string oneof _jwks_source
URL of the JSON Web Key Set document.

Source of public keys the Workload Onboarding Plane should use to validate the signature of an OIDC ID Token.

E.g., https://mycompany.corp/jwks.json.

When unspecified, URL the JSON Web Key Set document will be resolved using OpenID Connect Discovery protocol.

string = {
  prefix: https://
  uri: true
}

jwks

string oneof _jwks_source
Inlined JSON Web Key Set document.

Specifies public keys the Workload Onboarding Plane should use to validate the signature of an OIDC ID Token.

string = {
  min_len: 1
}

shortName

string
REQUIRED
Unique short name associated with the issuer.

The value must consist of lower case alphanumeric characters and hyphen (-).

Since this value will be included into the auto-generated name of the WorkloadAutoRegistration resource, keep it as short as possible.

E.g., my-corp, prod, test, etc.

string = {
  pattern: ^[0-9a-z]+(-[0-9a-z]+)*$
}

tokenFields

tetrateio.api.onboarding.config.install.v1alpha1.JwtTokenFields
Description of the custom fields included in the OIDC ID Token.

By default, Workload Onboarding Plane interprets only one field that is always present in a valid OIDC ID Token

  • sub (subject).

If you want Workload Onboarding Plane to interpret custom fields included in the OIDC ID Token, you have to provide an explicit configuration.

E.g., you can instruct the Workload Onboarding Plane to treat a certain field as a map of fine-grained attributes associated with the subject. It will allow you to define OnboardingPolicy(s) that match those attributes.

Notice that this description instructs how to interpret custom fields if they are present in an OIDC ID Token. A token in which custom fields are not present is still valid. An OnboardingPolicy that does not put constraints on attributes extracted from custom fields can still match a workload with that token.

JwtTokenField

JwtTokenField specifies a custom field included into the OIDC ID Token.

FieldDescriptionValidation Rule

jsonPath

string
REQUIRED
Simple JSON Path which is evaluated against custom claims of the OIDC ID Token to produce the value of the field.

E.g., .custom_attributes, .google.compute_engine, etc.

JSON Path must start either from . or from $. Use of $ is mandatory when followed by the array notation.

E.g., $['custom_attributes'], $['google'].compute_engine, etc.

Special symbols (such as . or ) in property names must be escaped.

E.g., .custom\.attributes, $['custom\.attributes'], etc.

See https://goessner.net/articles/JsonPath/

string = {
  pattern: ^[.$].+$
}

JwtTokenFields

JwtTokenFields specifies custom fields included into the OIDC ID Token.

FieldDescriptionValidation Rule

attributes

tetrateio.api.onboarding.config.install.v1alpha1.JwtTokenField
Field that carries a map of fine-grained attributes associated with the subject of the OIDC ID Token.

If specified, Workload Onboarding Plane will treat the name/value pairs extracted from this field as attributes associated with the workload. It will allow you to define OnboardingPolicy(s) that match those attributes.

E.g., if an OIDC ID Token includes the following fields:

\{
  "iss": "https://mycompany.corp",
  "aud": "ef67c7b9-10da-4542-ad3b-b95acc1e05ba",
  "sub": "us-east-datacenter1-vm007",
  "azp": "us-east-datacenter1-vm007",
  "iat": 1613404941,
  "exp": 1613408541,
  "custom_attributes": \{
    "region": "us-east",
    "datacenter": "datacenter1",
    "instance_name": "vm007",
    "instance_hostname": "vm007.internal.corp",
    "instance_role": "app-ratings"
  \}
\}

then, you can indicate to the Workload Onboarding Plane to treat the contents of field custom_attributes as fine-grained attributes associated with the workload.

OnboardingPlaneComponentSet

The set of components that make up the control plane. Use this to override application settings or Kubernetes settings for each individual component.

FieldDescriptionValidation Rule

instance

tetrateio.api.onboarding.config.install.v1alpha1.OnboardingPlaneInstance
Workload Onboarding Plane Instance component.

OnboardingPlaneInstance

Kubernetes settings for the Workload Onboarding Plane Instance component.

FieldDescriptionValidation Rule

kubeSpec

tetrateio.api.install.kubernetes.KubernetesComponentSpec
Configure Kubernetes specific settings.

logLevels

map<string, string>
The log level configuration by scopes. Supported log level: "none", "error", "warn", "info", "debug".