Tetrate Service ExpressVersion: Latest

Workload Configuration

The differences between TSB and TSE API

Tetrate Service Express (TSE) utilizes many of the same components as the Tetrate Service Bridge(TSB) product but has the several distinctions. Go to Comparing TSE and TSB for more details.

WorkloadConfiguration specifies configuration of the workload handling.

For example,

authentication:
  jwt:
    issuers:
    - issuer: "https://mycompany.corp"
      jwksUri: "https://mycompany.corp/jwks.json"
      shortName: "mycorp"
      tokenFields:
        attributes:
          jsonPath: .custom_attributes
deregistration:
  propagationDelay: 15s

JwtAuthenticationConfiguration

JwtAuthenticationConfiguration specifies configuration of the workload authentication by means of an OIDC ID Token.

Field Description Validation Rule

Field	Description	Validation Rule
issuers	List of tetrateio.api.onboarding.config.install.v1alpha1.JwtIssuer List of permitted JWT issuers. If a workload authenticates itself by means of an OIDC ID Token, the issuer of that token must be present in this list, otherwise authentication attempt will be declined.	repeated = { items: `{message:{required:true}}` }

issuers

List of tetrateio.api.onboarding.config.install.v1alpha1.JwtIssuer
List of permitted JWT issuers.

If a workload authenticates itself by means of an OIDC ID Token, the issuer of that token must be present in this list, otherwise authentication attempt will be declined.

repeated = {
items: {message:{required:true}}
}

WorkloadAuthenticationConfiguration

WorkloadAuthenticationConfiguration specifies configuration of the workload authentication.

Field	Description	Validation Rule
jwt	tetrateio.api.onboarding.config.install.v1alpha1.JwtAuthenticationConfiguration JWT authentication configuration.	–

WorkloadConfiguration

WorkloadConfiguration specifies configuration of the workload handling.

Field	Description	Validation Rule
authentication	tetrateio.api.onboarding.config.install.v1alpha1.WorkloadAuthenticationConfiguration Workload authentication configuration.	–
deregistration	tetrateio.api.onboarding.config.install.v1alpha1.WorkloadDeregistrationConfiguration Workload deregistration configuration.	–

WorkloadDeregistrationConfiguration

WorkloadDeregistrationConfiguration specifies configuration of the workload deregistration.

Field Description Validation Rule

Field	Description	Validation Rule
propagationDelay	google.protobuf.Duration Estimated amount of time it takes to propagate the unregistration event across all affected mesh nodes. During this time interval affected proxies will continue making requests to the deregistered workload until the respective configuration update arrives. To prevent traffic loss, `Workload Onboarding Agent` SHOULD delay shutdown of the the workload's sidecar for that time period. As a rule of thumb, this value should remain relatively small, e.g. under 15 seconds. The reason for this is that shutdown flow on the workload's side is time-boxed. E.g., on VMs there is a stop timeout enforced by SystemD, while on AWS ECS there is a stop timeout enforced by ECS Agent. If you pick a delay value that is too big, `Workload Onboarding Agent` will delay shutdown of the sidecar for too long; as a result sidecar risks to get terminated abruptly instead of graceful connection draining. Defaults to `10s`.	duration = { required: `true` gte: `{nanos:0}` }

propagationDelay

google.protobuf.Duration
Estimated amount of time it takes to propagate the unregistration event across all affected mesh nodes.

During this time interval affected proxies will continue making requests to the deregistered workload until the respective configuration update arrives.

To prevent traffic loss, Workload Onboarding Agent SHOULD delay shutdown of the the workload's sidecar for that time period.

As a rule of thumb, this value should remain relatively small, e.g. under 15 seconds. The reason for this is that shutdown flow on the workload's side is time-boxed. E.g., on VMs there is a stop timeout enforced by SystemD, while on AWS ECS there is a stop timeout enforced by ECS Agent. If you pick a delay value that is too big, Workload Onboarding Agent will delay shutdown of the sidecar for too long; as a result sidecar risks to get terminated abruptly instead of graceful connection draining.

Defaults to 10s.

duration = {
required: true
gte: {nanos:0}
}

JwtAuthenticationConfiguration​

WorkloadAuthenticationConfiguration​

WorkloadConfiguration​

WorkloadDeregistrationConfiguration​

JwtAuthenticationConfiguration

WorkloadAuthenticationConfiguration

WorkloadConfiguration

WorkloadDeregistrationConfiguration