OpenAPI Extensions available to configure APIs.
Metadata describing an extension to the OpenAPI spec.
Available OpenAPI extensions to configure APi Gateway features in Service Express .
| Field | Description | Validation Rule |
|---|
x-tsb-service | string
Short name of the service in the TSB service registry where the path is
exposed. If the extension is configured in the info section, all paths in
the spec will be mapped to this service. This service name will be used to generate all the routes for traffic
coming to the associated paths. OpenAPI extension name: x-tsb-service
Applies to: info, path
Required: Required unless x-tsb-redirect or x-tsb-clusters is defined for the target paths. Example: openapi: 3.0.0
info:
title: Sample API
version: 0.1.9
x-tsb-service: productpage.bookinfo
paths:
/users:
x-tsb-service: productpage.bookinfo
get:
summary: Returns a list of users.
| – |
x-tsb-redirect | tetrateio.api.tsb.gateway.v2.Redirect
Configures a redirection for the given path.
If a redirection is configured for a given path, the x-tsb-service
extension can be omitted. OpenAPI extension name: x-tsb-redirect
Applies to: path
Required: false Example: paths:
/users:
x-tsb-redirect:
uri: /v2/users
get:
summary: Returns a list of users.
| – |
x-tsb-tls | tetrateio.api.tsb.gateway.v2.ServerTLSSettings
Configures the TLS settings for a given server. If omitted, the
server will be configured to serve plain text connections. OpenAPI extension name: x-tsb-redirect
Applies to: server
Required: false Example: openapi: 3.0.0
servers:
- url: http://api.example.com/v1
x-tsb-tls:
mode: SIMPLE
secretName: api-certs
| – |
x-tsb-cors | tetrateio.api.tsb.gateway.v2.CorsPolicy
Configures CORS policy settings for the given server.
Note that Service Bridge does not currently support per-path CORS
settings, so this applies at a server level. OpenAPI extension name: x-tsb-cors
Applies to: server
Required: false Example: openapi: 3.0.0
servers:
- url: http://api.example.com/v1
x-tsb-cors:
allowOrigin:
- "*"
| – |
x-tsb-authentication | tetrateio.api.tsb.auth.v2.Authentication
Configures Authentication rules for the given server.
This extension must be configured if the Authorization is configured
with rules based on JWT tokens. OpenAPI extension name: x-tsb-authentication
Applies to: server
Required: Required if Authorization is based on JWT tokens. Example: openapi: 3.0.0
servers:
- url: http://api.example.com/v1
x-tsb-authentication:
jwt:
issuer: https://www.googleapis.com/oauth2/v1/certs
audience: bookinfo
| – |
x-tsb-external-authorization | tetrateio.api.tsb.application.v2.OpenAPIExternalAuthzBackend
Configures an external authorization server to handle all authorization requests
for the configured server.
This extension can be applied also at path level in order to disable the external
authorization for a specific path via the disabled field. OpenAPI extension name: x-tsb-external-authorization
Applies to: server, path
Required: false Example: openapi: 3.0.0
servers:
- url: http://api.example.com/v1
x-tsb-external-authorization:
uri: http://authz-server.example.com
includeRequestHeaders:
- Authorization
| – |
x-tsb-jwt-authorization | tetrateio.api.tsb.application.v2.OpenAPIExtensions.JWTAuthz
Configures Authorization based on JWT tokens. Note that if this is configured, the x-tsb-authentication extension must
be configured for the servers so the tokens can be properly validated and
trusted before reading their contents to enforce access control rules. This can be applied at the server or path level. When applied at the server level,
the authorization rules will be enforced for all paths in that server. OpenAPI extension name: x-tsb-jwt-authorization
Applies to: server, path
Required: false Example: openapi: 3.0.0
servers:
- url: http://api.example.com/v1
x-tsb-authorization:
claims:
- iss: https://www.googleapis.com/oauth2/v1/certs
sub: expected-subject
other:
group: engineering
paths:
/users:
x-tsb-authorization:
claims:
- other:
group: admin
| – |
x-tsb-ratelimiting | tetrateio.api.tsb.gateway.v2.RateLimitSettings
Configures settings for ratelimiting requests This can be applied at the server, path and operation level.
Each rate limit setting is independent of the other.
Top level fields such as failClosed and timeout
can be only be specified at the server level.
The dimensions are automatically populated based on the path
attributes, and users are allowed to append more dimensions
as well OpenAPI extension name: x-tsb-ratelimiting
Applies to: server, path, operation
Required: false Example: openapi: 3.0.0
servers:
- url: http://api.example.com/v1
x-tsb-ratelimiting:
failClosed: false
timeout: 0.03s
rules:
- dimensions:
- header:
name: x-user-id
- header:
name: ":method"
value:
exact: GET
limit:
requestsPerUnit: 10
unit: MINUTE
paths:
/users:
x-tsb-ratelimiting:
rules:
- limit:
requestsPerUnit: 5
unit: SECOND
post:
x-tsb-ratelimiting:
rules:
- limit:
requestsPerUnit: 10
unit: SECOND
| – |
x-tsb-external-ratelimiting | tetrateio.api.tsb.gateway.v2.ExternalRateLimitServiceSettings
Configures settings for ratelimiting requests using an external ratelimit server
This can be applied at the server, path and operation level.
Each setting is independent of the other.
Top level fields such as domain and rateLimitServerUri must
only be specified at the server level.
The 'headersfield within theheaderValueMatch
dimension field is automatically populated
when this annotation is used at the path and operation level
and theheaders` field is unset.
Users are allowed to append more values as well. OpenAPI extension name: x-tsb-external-ratelimiting
Applies to: server, path, operation
Required: false Example: openapi: 3.0.0
servers:
- url: http://api.example.com/v1
x-tsb-external-ratelimiting:
domain: "my-api-domain"
rateLimitServerUri: "grpc://ratelimiter.bar.com"
rules:
- dimensions:
- requestHeaders:
headerName: "x-user-id"
descriptorKey: "desc-key-1"
- headerValueMatch:
descriptorValue: "desc-value-1"
headers:
":method":
exact: "GET"
- remoteAddress: {}
paths:
/users:
x-tsb-external-ratelimiting:
rules:
- dimensions:
- headerValueMatch:
descriptorValue: "desc-value-2"
post:
x-tsb-external-ratelimiting:
rules:
- dimensions:
- headerValueMatch:
descriptorValue: "desc-value-3"
| – |
x-tsb-wasm-extensions | tetrateio.api.tsb.application.v2.OpenAPIWasmExtensionAttachment
Configures WASM extensions associated to the Ingress Gateway generated from the API OpenAPI definition.
This list of extensions can be assigned to the info level as there is only one IngressGateway per API. OpenAPI extension name: x-tsb-wasm-extensions
Applies to: info
Required: false Example: openapi: 3.0.0
info:
title: Sample API
version: 0.1.9
x-tsb-wasm-extensions:
- name: wasm-header
config:
header: x-wasm-header
value: api-tsb
paths:
/users:
x-tsb-service: productpage.bookinfo
get:
summary: Returns a list of users.
| – |
x-tsb-wasm-definitions | tetrateio.api.tsb.extension.v2.WasmExtension
Configures WASM extensions definitions used in the attachments from the API OpenAPI definition.
This list of extensions can be assigned to the info level.
Inline extension definition is ONLY allowed when using App Ingress. When using it in a TSB application,
only extensions enabled in the TSB extensino catalog can be referenced. OpenAPI extension name: x-tsb-wasm-definitions
Applies to: info
Required: false Example: openapi: 3.0.0
info:
title: Sample API
version: 0.1.9
x-tsb-wasm-extensions:
- name: wasm-header
config:
header: x-wasm-header
value: api-tsb
x-tsb-wasm-definitions:
- fqn: extensions/wasm-header
url: oci://docker.io/example/my-wasm-extension:1.0
source: https://github.com/example/wasm-extension
phase: AUTHN
priority: 200
config:
header: x-wasm-header
value: def-value
paths:
/users:
x-tsb-service: productpage.bookinfo
get:
summary: Returns a list of users.
| – |
x-tsb-waf | tetrateio.api.tsb.security.v2.WAFSettings
Configures a set of WAF rules to be applied to incoming traffic. OpenAPI extension name: x-tsb-waf
Applies to: info
Required: false Example: openapi: 3.0.0
info:
title: Sample API
version: 0.1.9
x-tsb-waf:
rules:
- Include @recommended-conf
- SecResponseBodyAccess Off
- Include @owasp_crs/*.conf
paths:
/users:
x-tsb-service: productpage.bookinfo
get:
summary: Returns a list of users.
| – |
x-tsb-clusters | tetrateio.api.tsb.gateway.v2.RouteToClusters
Short name of the clusters that contain ingress gateways where the path is
exposed. If the extension is configured in the info section, all paths in
the spec will be mapped to clusters. This clusters name will be used to generate all the routes for traffic
coming to the associated paths. OpenAPI extension name: x-tsb-clusters
Applies to: info, path
Required: Required unless x-tsb-redirect or x-tsb-service is defined for the target paths. Example: openapi: 3.0.0
info:
title: Sample API
version: 0.1.9
x-tsb-clusters:
clusters:
- name: c1
weight: 100
paths:
/users:
x-tsb-clusters:
clusters:
- name: c2
weight: 90
- name: c3
weight: 10
get:
summary: Returns a list of users.
| – |
x-tsb-transit | bool
If this flag is activated (set to true), only the specified path(s) for a given server will be accessible
exclusively within the mesh network. This implies that any external traffic aiming to reach these paths
would be blocked, promoting network isolation and enhanced security. This setting plays a crucial role in traffic forwarding across two different clusters that may not
have a direct connection to each other. It facilitates communication through the mesh network, creating
an indirect link between them. Thus, even if a direct route does not exist, information exchange can still take place. If this extension is applied under the server of the 'info' section, it affects all paths listed
in the 'spec' for that particular server. Consequently, these paths become exclusive to the mesh network,
restricting their accessibility from outside the network. However, if this extension is applied to a single server listed in the path section, its impact is more specific.
It only affects that particular path mentioned in the 'spec' for that server. In turn, this single path is
made exclusive to the mesh network, shielding it from external access. This granular level of control can be
beneficial in cases where only a specific path needs to be isolated, while others remain accessible. In both cases, this helps in controlling and managing traffic flow, especially in large distributed systems where
security and traffic management are critical. This granular control allows for a flexible, security-focused approach
to managing network traffic within the mesh network. OpenAPI extension name: x-tsb-transit
Applies to: server
Required: false Example: openapi: 3.0.0
info:
title: Sample Internal API
version: 0.1.9
servers:
- url: http://api.example.com/v1
x-tsb-transit: false
paths:
/users:
get:
summary: Returns a list of users that can be accessed from outside.
/internalusers:
servers:
- url: http://internal.api.example.com/v1
x-tsb-transit: true
get:
summary: Returns a list of internal users only accessible within the mesh.
| – |
Configures authorization rules based on the JWT token in an incoming request.
Use an authorization server running at the specified URI. Support both HTTP and gRPC server.
It is recommended to enable TLS validation (SIMPLE or MUTUAL) to secure traffic
between workload and external authorization server
If you use gRPC, do not set includeRequestHeaders
OpenAPIExternalAuthzBackend extends the fields provided by ExternalAuthzBackend by adding the disabled field.
The x-tsb-external-authorization annotation can be applied at:
OpenAPIWasmExtensionAttachment defines the WASM extension attached in an OpenAPI specification
including the name to identify the extension and also the specific configuration
that will override the global extension configuration.
Tetrate Service ExpressVersion: Latest