ManagementPlane resource exposes a set of configurations necessary to automatically install the Service Bridge management plane on a cluster. The installation API is an override API so any unset fields that are not required will use sensible defaults.
Prior to creating the ManagementPlane resource, verify that the following secrets exist in the namespace the management plane will be installed into:
- tsb-certs
- ldap-credentials
- custom-host-ca (if you are using TLS connection and need a custom CA to connect to LDAP host)
- postgres-credentials (non-demo deployments)
- admin-credentials
- es-certs (if your Elasticsearch is using a self-signed certificate)
- elastic-credentials (if your Elasticsearch backend requires authentication)
A resource containing only the container registry hub will install a demo of Service Bridge, create a default
Organization and install local instances of external dependencies, such as Postgres, Elasticsearch, and LDAP server.
Please note that these local instances are for demonstrative purposes only and should not be used in production.
Production setups should point to a user managed Postgres and Elasticsearch as well as the enterprise LDAP server.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
organization: tetrate
To move from the demo installation to production readiness, configure the top level settings that enable TSB to connect to external dependencies. When one of these settings stanzas are added the operator will delete the relevant demo component and configure the management plane to talk to the dependencies described.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
imagePullSecrets:
- name: my-registry-creds
organization: tetrate
dataStore:
postgres:
address: postgres:1234
telemetryStore:
elastic:
host: elastic
port: 5678
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
tokenIssuer:
jwt:
expiration: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
Top level settings deal with higher level concepts like persistence, but some configuration can also be overridden per component. For example, to configure the team synchronization schedule in the API server, set the schedule field in the apiServer component
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
organization: tetrate
components:
apiServer:
teamSyncSchedule: 17 * * * *
dataStore:
postgres:
address: postgres:1234
telemetryStore:
elastic:
host: elastic
port: 5678
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
tokenIssuer:
jwt:
expiration: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
To configure infrastructure specific settings such as resource limits on the deployment in Kubernetes, set the relevant field in a component. Remember that the installation API is an override API so if these fields are unset the operator will use sensible defaults. Only a subset of Kubernetes configuration is available and only for individual components.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
organization: tetrate
components:
collector:
kubeSpec:
deployment:
resources:
limits:
memory: 750Mi
requests:
memory: 500Mi
dataStore:
postgres:
address: postgres:1234
telemetryStore:
elastic:
host: elastic
port: 5678
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
tokenIssuer:
jwt:
expiration: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
ManagementPlaneComponentSet
The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for each individual component.
Field | Description | Validation Rule |
---|---|---|
apiServer |
– |
|
iamServer |
– |
|
webUI |
– |
|
frontEnvoy |
– |
|
oap |
– |
|
collector |
tetrateio.api.install.managementplane.v1alpha1.OpenTelemetryCollector |
– |
xcp |
– |
|
mpc |
– |
|
defaultLogLevel |
string |
– |
ngac |
– |
|
internalCertProvider |
tetrateio.api.install.common.InternalCertProvider |
– |
defaultKubeSpec |
tetrateio.api.install.kubernetes.KubernetesSpec |
– |
gitops |
tetrateio.api.install.common.GitOps |
– |
ManagementPlaneSpec
ManagementPlaneSpec defines the desired installed state of TSB management plane components. Specifying a minimal ManagementPlaneSpec with hub set results in a demo installation.
Field | Description | Validation Rule |
---|---|---|
hub |
string |
string = { |
imagePullSecrets |
List of tetrateio.api.install.kubernetes.LocalObjectReference List of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#service_account-v1-core |
– |
organization |
string |
string = { |
components |
tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneComponentSet |
– |
dataStore |
tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.DataStore |
– |
telemetryStore |
tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TelemetryStore |
– |
identityProvider |
tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider |
– |
tokenIssuer |
tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TokenIssuer |
– |
meshObservability |
tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.MeshObservability |
– |
certIssuer |
tetrateio.api.install.managementplane.v1alpha1.CertIssuer |
– |
enableWasmDownloadProxy |
bool |
– |
DataStore
Configure the data store for TSB to persist its data to.
This is a mandatory setting for production. If omitted, the operator will assume
a demo installation and for your convenience install a demo grade data store.
Select one of the DataStore
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
postgres |
tetrateio.api.install.managementplane.v1alpha1.PostgresSettings oneof data_store |
– |
IdentityProvider
Configure the Identity Provider TSB will use as the source of users.
This identity provider is used for user authentication and to periodically synchronize the
information of existing users and groups into the platform.
This is a mandatory setting for production. If omitted, the operator will assume
a demo installation and for your convenience install a demo identity provider.
Select one of the IdentityProvider
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
oidc |
tetrateio.api.install.managementplane.v1alpha1.OIDCSettings oneof identity_provider |
– |
ldap |
tetrateio.api.install.managementplane.v1alpha1.LDAPSettings oneof identity_provider |
– |
sync |
tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider.OrgSyncSettings |
– |
OrgSyncSettings
Field | Description | Validation Rule |
---|---|---|
azure |
tetrateio.api.install.managementplane.v1alpha1.AzureSyncSettings oneof provider |
– |
ignoreOrphanUsers |
bool |
– |
MeshObservability
Configure how the mesh should be observed, which observability functionalities should be
enabled to observe your registered services in the mesh, and the store properties
that TSB will use to persist application observability data like metrics, traces,
logs.
If omitted, the operator will assume
a demo installation and for your convenience install a demo grade mesh observability
setting.
Check MeshObservabilitySettings
to see complete examples.
Field | Description | Validation Rule |
---|---|---|
settings |
tetrateio.api.install.common.MeshObservabilitySettings oneof mesh_observability |
– |
TelemetryStore
Configure the store that TSB will use to persist application telemetry data
This is a mandatory setting for production. If omitted, the operator will assume
a demo installation and for your convenience install a demo grade telemetry store.
Select one of the TelemetryStore
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
elastic |
tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings oneof telemetry_store |
– |
TokenIssuer
Configure the Token Issuer TSB will use to mint tokens upon initial authentication with the
identity provider. This token is used to authenticate any subsequent internal requests in TSB.
This is a mandatory setting for production. If omitted, the operator will use an insecure default.
Select one of the TokenIssuer
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
jwt |
tetrateio.api.install.managementplane.v1alpha1.JWTSettings oneof token_issuer |
– |
ApiServer
Application and Kubernetes settings for the API server component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec |
tetrateio.api.install.kubernetes.KubernetesJobComponentSpec |
– |
teamSyncSchedule |
string |
– |
logLevels |
map<string, string> |
– |
FrontEnvoy
Application and Kubernetes settings for the FrontEnvoy component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec |
tetrateio.api.install.kubernetes.KubernetesComponentSpec |
– |
authenticationTimeout |
google.protobuf.Duration |
– |
port |
int32 |
– |
TLSMinimumProtocolVersion |
tetrateio.api.install.managementplane.v1alpha1.TLSProtocol |
– |
cipherSuites |
List of string |
– |
ecdhCurves |
List of string |
– |
logLevels |
map<string, string> |
– |
IamServer
Kubernetes settings for the IAM server component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec |
tetrateio.api.install.kubernetes.KubernetesComponentSpec |
– |
logLevels |
map<string, string> |
– |
MPC
Kubernetes settings for the MPC component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec |
tetrateio.api.install.kubernetes.KubernetesComponentSpec |
– |
logLevels |
map<string, string> |
– |
NGAC
Kubernetes settings for the NGAC component.
Field | Description | Validation Rule |
---|---|---|
enabled |
bool |
– |
kubeSpec |
tetrateio.api.install.kubernetes.KubernetesComponentSpec |
– |
logLevels |
map<string, string> |
– |
Oap
Kubernetes settings for the OAP (SkyWalking) component.
Field | Description | Validation Rule |
---|---|---|
retentionPeriodDays |
int32 |
– |
streamingLogEnabled |
bool |
– |
onDemandEnvoyMetricsEnabled |
bool |
– |
storageIndexMergingEnabled |
bool |
– |
storageSpecificIndexSettings |
List of tetrateio.api.install.managementplane.v1alpha1.Oap.StorageIndexSetting |
– |
kubeSpec |
tetrateio.api.install.kubernetes.KubernetesComponentSpec |
– |
logLevel |
string |
– |
StorageIndexSetting
Configure the number of shards and replicas a concrete index template should have.
Field | Description | Validation Rule |
---|---|---|
indexName |
string |
string = { |
numberOfShards |
int32 |
int32 = { |
numberOfReplicas |
int32 |
int32 = { |
OpenTelemetryCollector
Kubernetes settings for the OpenTelemetry Collector component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec |
tetrateio.api.install.kubernetes.KubernetesComponentSpec |
– |
logLevel |
string |
– |
WebUI
Kubernetes settings for the WebUI component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec |
tetrateio.api.install.kubernetes.KubernetesComponentSpec |
– |
XCP
Application and Kubernetes settings for the XCP component.
Field | Description | Validation Rule |
---|---|---|
centralAuthModes |
tetrateio.api.install.managementplane.v1alpha1.XCP.CentralAuthModes |
– |
configProtection |
tetrateio.api.install.common.ConfigProtection |
– |
kubeSpec |
tetrateio.api.install.kubernetes.KubernetesComponentSpec |
– |
logLevels |
map<string, string> |
– |
CentralAuthModes
Authentication modes for connections to XCP Central (from XCP Edges or MPC). At least one mode must be enabled. Multiple modes can be enabled to facilitate migration from one mode to another.
Field | Description | Validation Rule |
---|---|---|
mutualTls |
bool |
– |
jwt |
bool |
– |
AzureSyncSettings
Azure configures how users and groups are synchronized from Azure Active Directory.
Field | Description | Validation Rule |
---|---|---|
clientId |
string |
string = { |
tenantId |
string |
string = { |
environment |
string
|
– |
usersFilter |
string |
– |
groupsFilter |
string |
– |
baseGroupName |
string |
– |
CertIssuer
Configures a built in issuer for TSB TLS certificates.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
certIssuer:
selfSigned: {}
tsbCerts: {}
clusterIntermediateCAs: {}
Field | Description | Validation Rule |
---|---|---|
selfSigned |
tetrateio.api.install.managementplane.v1alpha1.CertIssuer.SelfSignedCertIssuer oneof issuer |
– |
tsbCerts |
tetrateio.api.install.managementplane.v1alpha1.CertIssuer.TsbCertsSettings |
– |
clusterIntermediateCAs |
tetrateio.api.install.managementplane.v1alpha1.CertIssuer.ClusterIntermediateCASettings |
– |
ElasticSearchSettings
Configure an Elasticsearch connection.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
telemetryStore:
elastic:
host: elastic
port: 5678
protocol: https
selfSigned: true
version: 7
Field | Description | Validation Rule |
---|---|---|
host |
string |
string = { |
port |
int32 |
int32 = { |
protocol |
tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings.Protocol |
– |
selfSigned |
bool |
– |
version |
int32 |
int32 = { |
JWTSettings
Configure JWT based token issuance
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
tokenIssuer:
jwt:
expiration: 1h
refreshExpiration: 720h
tokenPruneInterval: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
audiences:
- tetrate
Field | Description | Validation Rule |
---|---|---|
issuers |
List of tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer |
– |
expiration |
google.protobuf.Duration |
– |
refreshExpiration |
google.protobuf.Duration |
– |
tokenPruneInterval |
google.protobuf.Duration |
– |
signingKeysSecret |
string If unset will default to the “iam-signing-key” secret generated by the operator. |
– |
Issuer
Field | Description | Validation Rule |
---|---|---|
name |
string |
– |
algorithm |
tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer.Algorithm |
– |
signingKey |
string |
– |
audiences |
List of string |
– |
LDAPSettings
Detail connection and query mappings for LDAP
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
timeout: 20s
recursive: true
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
Field | Description | Validation Rule |
---|---|---|
host |
string |
string = { |
port |
int32 |
int32 = { |
disableTLS |
bool |
– |
debug |
bool |
– |
search |
tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Search |
– |
iam |
tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.IAM |
– |
sync |
tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Sync |
– |
IAM
Field | Description | Validation Rule |
---|---|---|
matchDN |
string |
string = { |
matchFilter |
string Here are some example search patterns for common LDAP implementations:
|
string = { |
Search
Field | Description | Validation Rule |
---|---|---|
baseDN |
string |
string = { |
recursive |
bool |
– |
timeout |
google.protobuf.Duration |
– |
pagesize |
int32 |
– |
Sync
Field | Description | Validation Rule |
---|---|---|
usersFilter |
string |
string = { |
groupsFilter |
string |
string = { |
membershipAttribute |
string |
string = { |
OIDCSettings
Identity provider configuration for OIDC
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
identityProvider:
oidc:
clientId: 50076fd0b8f911eb85290242ac130003
scopes: ['email', 'profile']
redirectUri: https://example.com/iam/v2/oidc/callback
providerConfig:
dynamic:
configurationUri: https://accounts.google.com/.well-known/openid-configuration
offlineAccessConfig:
deviceCodeAuth:
clientId: 981174759bab4dc49d0072294900eade
Field | Description | Validation Rule |
---|---|---|
clientId |
string |
string = { |
scopes |
List of string |
– |
redirectUri |
string |
string = { |
authorizationParams |
map<string, string> |
– |
maxExpirationSeconds |
int32 |
– |
providerConfig |
tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.ProviderSettings |
message = { |
offlineAccessConfig |
tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessSettings |
– |
DynamicSettings
Dynamically configures OIDC client settings using values from the OIDC provider’s well-known OIDC configuration endpoint.
Field | Description | Validation Rule |
---|---|---|
configurationUri |
string |
string = { |
OfflineAccessOverrides
OIDC settings that can be used to override top-level settings for offline access.
Field | Description | Validation Rule |
---|---|---|
clientId |
string |
– |
scopes |
List of string |
– |
skipClientIdCheck |
bool |
– |
providerConfig |
tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.ProviderSettings |
– |
OfflineAccessSettings
Optional OIDC settings specific to offline access. When specified these settings take precedence over top-level OIDC settings.
Field | Description | Validation Rule |
---|---|---|
deviceCodeAuth |
tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessOverrides |
– |
tokenExchange |
tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessOverrides |
– |
ProviderSettings
OIDC provider’s configuration. Either dynamic or static configuration can be used. When dynamic configuration is set the TSB operator will configure OIDC settings discovered through the provider’s configuration endpoint. If the provider doesn’t have a configuration endpoint you can set the required OIDC settings using static values.
Field | Description | Validation Rule |
---|---|---|
dynamic |
tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.DynamicSettings oneof provider_settings |
– |
static |
tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.StaticSettings oneof provider_settings |
– |
StaticSettings
Allows to statically configure OIDC client settings if the OIDC provider doesn’t have a configuration endpoint.
Field | Description | Validation Rule |
---|---|---|
authorizationEndpoint |
string |
string = { |
tokenEndpoint |
string |
string = { |
jwksUri |
string oneof jwks_setting |
string = { |
jwks |
string oneof jwks_setting |
string = { |
deviceCodeEndpoint |
string |
– |
introspectionEndpoint |
string |
– |
PostgresSettings
Detail connection details for Postgres
NOTE: TSB does not make any specific schema selection. It defaults to
the search_path
set by the user/role specified in the connection settings.
By default this will result in using the public
schema. If you need to use a different
schema, update the search_path
of the Postgres user accordingly.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
dataStore:
postgres:
address: "postgres:5432"
sslMode: verify_full
connectionLifetime: "8500s"
name: tsb
Field | Description | Validation Rule |
---|---|---|
host |
string |
– |
port |
int32 |
– |
sslMode |
tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.SSLMode |
– |
connectionLifetime |
string |
– |
name |
string |
– |
address |
string |
string = { |
connectionIdleLifetime |
string |
– |
connectionMaxOpen |
int32 |
– |
connectionIdleMaxOpen |
int32 |
– |
FlavorType
Flavor that’s being deployed. $hide_from_docs
Field | Number | Description |
---|---|---|
TSB |
0 |
Tetrate Service Bridge (default if unset) |
TSE |
1 |
Tetrate Service Express |
TLSProtocol
Field | Number | Description |
---|---|---|
TLS_AUTO |
0 |
Envoy will choose the optimal TLS version. |
TLSv1_0 |
1 |
|
TLSv1_1 |
2 |
|
TLSv1_2 |
3 |
|
TLSv1_3 |
4 |
Protocol
The list of supported protocols to communicate with Elasticsearch.
Field | Number | Description |
---|---|---|
https |
0 |
|
http |
1 |
Algorithm
Field | Number | Description |
---|---|---|
RS256 |
0 |
RSA / SHA-256 |
RS384 |
1 |
RSA / SHA-384 |
RS512 |
2 |
RSA / SHA-512 |
PS256 |
3 |
RSA-PSS / SHA-256 |
PS384 |
4 |
RSA-PSS / SHA-384 |
PS512 |
5 |
RSA-PSS / SHA-512 |
ES256 |
6 |
ECDSA / SHA-256 |
ES384 |
7 |
ECDSA / SHA-384 |
ES512 |
8 |
ECDSA / SHA-512 |
HS256 |
9 |
HMAC / SHA-256 |
HS384 |
10 |
HMAC / SHA-384 |
HS512 |
11 |
HMAC / SHA-512 |
SSLMode
For more details about each of these options please refer to https://www.postgresql.org/docs/current/libpq-ssl.html
Field | Number | Description |
---|---|---|
require |
0 |
|
allow |
1 |
|
prefer |
2 |
|
disable |
3 |
|
verify_ca |
4 |
|
verify_full |
5 |