Skip to main content
logoTetrate Service ExpressVersion: Latest

Service Security Setting

The differences between TSB and TSE API

Tetrate Service Express (TSE) utilizes many of the same components as the Tetrate Service Bridge(TSB) product but has the several distinctions. Go to Comparing TSE and TSB for more details.

ServiceSecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a particular service in a security group. These settings will replace the security group wide settings for this service.

The following example defines a security setting that applies to the service foo in namespace ns1 that only allows mutual TLS authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
name: foo-auth
group: sg1
workspace: w1
tenant: tse
org: myorg
spec:
service: ns1/foo.ns1.svc.cluster.local
settings:
authentication: REQUIRED
authorization:
mode: GROUP

The following example customizes the Extensions to enable the execution of the WasmExtensions list specified, detailing custom properties for the execution of each extension.

apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
name: foo-wasm-plugin
group: sg1
workspace: w1
tenant: tse
org: myorg
spec:
service: ns1/foo.ns1.svc.cluster.local
settings:
extension:
- fqn: hello-world # fqn of imported extensions in TSE config:
foo: bar

ServiceSecuritySetting

A service security setting applies configuration to a service in a security group. Missing fields will inherit values from the workspace-wide setting if any.

FieldDescriptionValidation Rule

service

string
REQUIRED
The service on which the configuration is being applied. Must be in namespace/FQDN format.

string = {
  pattern: ^[^/]+/[^/]+$
}

settings

tetrateio.api.tsb.security.v2.SecuritySetting
Security settings to apply to this service.

subsets

List of tetrateio.api.tsb.security.v2.ServiceSecuritySetting.Subset
Subset specific settings that will replace the service wide settings for the specified service subsets.

configGenerationMetadata

tetrateio.api.tsb.types.v2.ConfigGenerationMetadata
Metadata values that will be add into the Istio generated configurations. When using YAML APIs liketctl or gitops, put them into the metadata.labels or metadata.annotations instead. This field is only necessary when using gRPC APIs directly.

Subset

Subset allows replacing the settings for a specific version of a service.

FieldDescriptionValidation Rule

name

string
REQUIRED
Name used to refer to the subset. This must match a subset defined in the ServiceRoute for this service, else it will be omitted.

string = {
  min_len: 1
}

settings

tetrateio.api.tsb.security.v2.SecuritySetting
REQUIRED
Security settings to apply to this service subset.

message = {
  required: true
}