Version: 1.3.x

Traffic Setting

Traffic Settings allow configuring the behavior of the sidecars in a set of namespaces owned by a traffic group. Specifically, it allows configuring the dependencies of sidecars on namespaces outside the traffic group as well as reliability settings for outbound calls made by the sidecars to other services.

The following example creates a traffic group for the sidecars in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany. It then defines a traffic setting for the all workloads in these namespaces, adding a dependency on all the services in the shared db namespace, and forwarding all unknown traffic via the egress gateway in the istio-system namespace.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated traffic settings for the sidecars:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  reachability:
    mode: CUSTOM
    hosts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "db/*"
  resilience:
    circuitBreakerSensitivity: MEDIUM
  egress:
    host: istio-system/istio-egressgateway
    port: 443

The following traffic setting confines the reachability of sidecars in the traffic group t1 to other namespaces inside the group. The resilience and egress gateway settings will be inherited from the workspace wide traffic setting.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  reachability:
    mode: GROUP

HTTPRetry

HTTPRetry defines the parameters for retrying API calls to a service.

Field	Description	Validation Rule
attempts	int32 REQUIRED Number of retries for a given request. The interval between retries will be determined automatically (25ms+). Actual number of retries attempted depends on the httpReqTimeout.	int32 = { gte: `1` }
perTryTimeout	google.protobuf.Duration Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.	–
retryOn	string Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. See the retry policies and gRPC retry policies for more details.	–

ReachabilitySettings

ReachabilitySettings define the set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Defining the set of services accessed by a workload (i.e. its dependencies) in advance reduces the memory and CPU consumption both the Istio control plane and the individual Envoy sidecars in the data plane.

Field	Description	Validation Rule
mode	tetrateio.api.tsb.traffic.v2.ReachabilitySettings.Mode A short cut for specifying the set of services accessed by the workload.	–
hosts	List of string When the mode is `CUSTOM`, `hosts` specify the set of services that the sidecar should be able to reach. Must be in the `<namespace>/<fqdn>` format. - `./` indicates all services in the namespace where the sidecar resides. - `ns1/` indicates all services in the `ns1` namespace. - `ns1/svc1.com` indicates `svc1.com` service in `ns1` namespace. - `*/svc1.com` indicates `svc1.com` service in any namespace.	–

Mode

A short cut for defining the common reachability patterns

Name	Number	Description
UNSET	0	Inherit from parent if possible. Otherwise treated as `CLUSTER`.
NAMESPACE	1	The workload may talk to any service in its own namespace.
GROUP	2	The workload may talk to any service in the traffic group.
WORKSPACE	3	The workload may talk to any service in the workspace.
CLUSTER	4	The workload may talk to any service in the cluster.
CUSTOM	5	The workload may talk to services defined explicitly.

ResilienceSettings

ResilienceSettings control the reliability knobs in Envoy when making outbound connections from a gateway or sidecar.

Field	Description	Validation Rule
httpRequestTimeout	google.protobuf.Duration Timeout for HTTP requests. Disabled if not set.	–
httpRetries	tetrateio.api.tsb.traffic.v2.HTTPRetry Retry policy for HTTP requests. Disabled if not set.	–
tcpKeepalive	google.protobuf.BoolValue If enabled, sets SO_KEEPALIVE on the socket to enable TCP keepalive.	–
circuitBreakerSensitivity	tetrateio.api.tsb.traffic.v2.ResilienceSettings.Sensitivity Circuit breakers in Envoy are applied per endpoint in a load balancing pool. By default, circuit breakers are disabled. If set, the sensitivity level determines the maximum number of consecutive failures that Envoy will tolerate before ejecting an endpoint from the load balancing pool.	–

Sensitivity

Available sensitivity levels for the circuit breaker.

Name	Number	Description
UNSET	0	Default values will be used.
LOW	1	Tolerate up to 20 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool.
MEDIUM	2	Tolerate up to 10 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool.
HIGH	3	Tolerate up to 5 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool.

TrafficSetting

A traffic setting applies configuration to a set of sidecars in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

Field	Description	Validation Rule
reachability	tetrateio.api.tsb.traffic.v2.ReachabilitySettings The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Defining the set of services accessed by a workload (i.e. its dependencies) in advance reduces the memory and CPU consumption both the Istio control plane and the individual Envoy sidecars in the data plane.	–
resilience	tetrateio.api.tsb.traffic.v2.ResilienceSettings Resilience settings such as timeouts, retries, etc., affecting outbound traffic from sidecars.	–
egress	tetrateio.api.tsb.traffic.v2.TrafficSetting.EgressGateway Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the sidecar. If not specified, the sidecar will send the unknown traffic directly to the IP requested by the application.	–

EgressGateway

EgressGateway specifies the gateway where traffic external to the mesh will be redirected.

Field	Description	Validation Rule
host	string REQUIRED Specifies the egress gateway hostname. Must be in `<namespace>/<fqdn>` format.	string = { pattern: `^[^/]+/[^/]+$` }
port	int32 REQUIRED Specifies the port on the host to connect to.	int32 = { lte: `65535` gte: `1` }

HTTPRetry​

ReachabilitySettings​

Mode​

ResilienceSettings​

Sensitivity​

TrafficSetting​

EgressGateway​