Examine Configuration

The Tetrate platform generates and distributes configuration to gateways and sidecar proxies. This configuration is based on a number of inputs, including:

• Your desired configuration, which is assigned to Gateway, Traffic and Security groups within Workspaces. For example, this can include Gateway resources which configure gateways to proxy traffic
• Higher-level configuration (templates and defaults) defined at an organization or tenant level, or applied using configuration profiles
• Service presence, as reported by managed clusters, which is used to configure gateways and routing rules to access that service from other locations
• Cluster status, reporting which services (identified by DNS names) are exposed on each service, used to configure Tier 1 gateways

The configuration is provided directly using the TSB APIs, or indirectly using the GitOps process. In the GitOps process, configuration is applied to local kubernetes clusters and is periodically pushed to the central Management Plane to be incorporated into the configuration.

The platform generates configuration dynamically, based on the desired configuration and the current (dynamic) state. Configuration is distributed from the central Management Plane to each workload cluster, and may take time to propagate.

Get Started with Configuration

You'll recall that the Tetrate configuration can be found in the Workspaces pane:

Additionally, some types of configuration (Traffic, Gateway, Security) are delegated to Traffic Groups, Gateway Groups and Security Groups. Istio Internal Groups are used for direct Istio configuration.

For more information, you can review the documentation Understanding Tetrate Istio Configuration.

Example: Gateway Configuration

Inspect the Gateway Group that is relevant to your service (i.e. matches the clusters and namespaces):

Select the GATEWAY SETTINGS pane to view the requested Gateway configuration:

Note that the status of the configuration is green, indicating that it has been correctly applied to the target gateway instance.

Understanding the Configuration

Refer to the TSB API Reference for a full explanation of the configuration structure and meaning.

The Gateway configuration contains a list of rules, and may also include authentication, request validation (e.g. OAS matching) or rate limiting configuration that will control how the gateway proxies traffic to your service.

Gateway Configuration is located within a Gateway Group, and is applied to deployed gateway instances within controlled namespaces which match the workloadSelector stanza.

If you have access to the T1 cluster config:

If you have access to the T1 cluster configuration, you can inspect the matching edge gateway configuration:

This configuration is typically simpler, and may not contain explicit routing rules. In that case, the Tier1 gateway is configured to load balance traffic to Tier2 gateways that present a matching host name.

Troubleshooting Configuration

Detailed configuration troubleshooting is likely to need the assistance of your platform team. Platform team members will have broader permissions to view the entire Tetrate platform configuration, and will be able to interpret and judge configuration propagation issues.

For example, some propagation issues may indicate 'working as intended', depending on how your organization leverages the Tetrate configuration hierarchy to assign defaults and distribute these across clusters.