Tetrate Service Express (Version: Latest)

Egress Gateway

The differences between TSB and TSE API

Tetrate Service Express (TSE) utilizes many of the same components as the Tetrate Service Bridge (TSB) product but has several distinctions. See Comparing TSE and TSB for more details.

EgressGateway configures a workload to act as a gateway for traffic exiting the mesh. The egress gateway is meant to be the destination of unknown traffic within the mesh (traffic sent to non-mesh services). The gateway applies authorization rules to the traffic sent to it, so you can control precisely which services are allowed to send unknown traffic through the gateway. Only HTTP is supported at this time.

The following example declares an egress gateway running on pods in istio-system with the label app=istio-egressgateway. This gateway is set up to allow traffic from anywhere in the cluster to reach www.httpbin.org, and to allow the bookinfo details app specifically to reach any external host. EgressGateways must be paired with a TrafficSetting in order to be usable: set the egress field in the TrafficSetting to point to the egress gateway and send traffic to port 15443. Once this is set up, mesh-internal apps send unknown traffic to the egress gateway over mTLS. The gateway then decides whether to forward the traffic, and uses one-way TLS for external calls.

apiVersion: gateway.tsb.tetrate.io/v2
kind: EgressGateway
metadata:
  name: my-egress
  group: g1
  workspace: w1
  tenant: tse
  organization: tse
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: istio-egressgateway
  authorization:
  - from:
      mode: WORKSPACE
    to: ["www.httpbin.org"]
  - from:
      mode: CUSTOM
      serviceAccounts: ["default/bookinfo-details"]
    to: ["*"]
---
apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: tse
  organization: tse
spec:
  reachability:
    mode: CUSTOM
    hosts:
    - "./*"
    - "istio-system/*"
  egress:
    host: istio-system/istio-egressgateway.istio-system.svc.cluster.local

The following example customizes the extension field to enable execution of the listed WasmExtensions and sets custom properties for the execution of each extension.

apiVersion: gateway.tsb.tetrate.io/v2
kind: EgressGateway
metadata:
  name: my-egress
  group: g1
  workspace: w1
  tenant: tse
  organization: tse
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: istio-egressgateway
  authorization:
  - from:
      mode: WORKSPACE
    to: ["www.httpbin.org"]
  - from:
      mode: CUSTOM
      serviceAccounts: ["default/bookinfo-details"]
    to: ["*"]
  extension:
  - fqn: hello-world # fqn of an extension imported in the TSE config
    config:
      foo: bar

EgressAuthorization

EgressAuthorization is used to dictate which service accounts can access a set of external hosts.

Field: from
Type: tetrateio.api.tsb.security.v2.AuthorizationSettings
Description: The workloads or service accounts this authorization rule applies to. If not set, the rule applies to all workloads or service accounts.

Field: to
Type: List of string (REQUIRED)
Description: The external hostnames the workload(s) described in this rule can access. Hosts cannot be specified more than once. Use "*" to allow access to any external host.
Validation Rule:
repeated = {
  min_items: 1
}

EgressGateway

EgressGateway configures a workload to act as an egress gateway in the mesh.


Field: workloadSelector
Type: tetrateio.api.tsb.types.v2.WorkloadSelector (REQUIRED)
Description: Specify the gateway workloads (pod labels and Kubernetes namespace) under the gateway group that should be configured with this gateway. There can be only one gateway for a workload selector in a namespace.
Validation Rule:
message = {
  required: true
}

Field: authorization
Type: List of tetrateio.api.tsb.gateway.v2.EgressAuthorization
Description: The description of which service accounts can access which hosts. If the list of authorization rules is empty, this egress gateway will deny all traffic.

Field: extension
Type: List of tetrateio.api.tsb.types.v2.WasmExtensionAttachment
Description: Extensions specifies all the WasmExtensions assigned to this EgressGateway with the specific configuration for each extension. This custom configuration overrides the one configured globally for the extension. Each extension has a global configuration, including enablement and priority, that conditions the execution of the assigned extensions.

Field: configGenerationMetadata
Type: tetrateio.api.tsb.types.v2.ConfigGenerationMetadata
Description: Metadata values that will be added into the Istio generated configurations. When using YAML APIs like tctl or GitOps, put them into metadata.labels or metadata.annotations instead. This field is only necessary when using gRPC APIs directly.
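To review an EgressGateway spec against the rules in this reference (workloadSelector required, to non-empty, no host listed twice, an empty authorization list meaning deny-all) and to answer which service accounts may reach which external hosts, here is an added Python example; it is not TSE code. The spec is the page's first example expressed as a dict, and the policy evaluation assumes that WORKSPACE matches any caller in the cluster (as the example above describes) and CUSTOM matches only the listed serviceAccounts, which is a simplification of the full AuthorizationSettings semantics.

```python
from typing import Dict, List

# Constructed from the page's first EgressGateway example (spec section only).
EGRESS_SPEC = {
    "workloadSelector": {"namespace": "ns1", "labels": {"app": "istio-egressgateway"}},
    "authorization": [
        {"from": {"mode": "WORKSPACE"}, "to": ["www.httpbin.org"]},
        {"from": {"mode": "CUSTOM", "serviceAccounts": ["default/bookinfo-details"]},
         "to": ["*"]},
    ],
}


def lint(spec: Dict) -> List[str]:
    """Findings: violations of the documented validation rules, plus broad grants."""
    findings = []
    if not spec.get("workloadSelector"):  # message = { required: true }
        findings.append("workloadSelector is required")
    rules = spec.get("authorization") or []
    if not rules:  # the reference: an empty list denies all traffic
        findings.append("authorization is empty: gateway denies all egress")
    for i, rule in enumerate(rules):
        hosts = rule.get("to") or []
        if not hosts:  # 'to' is REQUIRED with min_items: 1
            findings.append(f"rule {i}: 'to' must list at least one host")
        for h in sorted({h for h in hosts if hosts.count(h) > 1}):
            findings.append(f"rule {i}: host {h!r} listed more than once")
        if "*" in hosts:  # valid, but a grant worth reviewing
            findings.append(f"rule {i}: wildcard '*' grants any external host")
    return findings


def rule_matches_caller(rule: Dict, service_account: str) -> bool:
    """Assumed simplification: no 'from' or WORKSPACE mode matches every caller,
    CUSTOM matches only the listed service accounts, anything else matches none."""
    src = rule.get("from")
    if not src or src.get("mode") == "WORKSPACE":
        return True
    if src.get("mode") == "CUSTOM":
        return service_account in src.get("serviceAccounts", [])
    return False


def host_allowed(spec: Dict, service_account: str, host: str) -> bool:
    """True if any rule that matches the caller lists the host or '*'."""
    for rule in spec.get("authorization") or []:
        hosts = rule.get("to") or []
        if rule_matches_caller(rule, service_account) and ("*" in hosts or host in hosts):
            return True
    return False  # no matching rule: the gateway denies the request
```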