Tetrate Istio Subscription PlusVersion: Latest

Workload Onboarding Plane Instance Configuration

The differences between TSB and Tetrate Istio Subscription Plus (TIS+)

Tetrate Istio Subscription Plus (TIS+) utilizes many of the same components as the Tetrate Service Bridge(TSB) product but has the several distinctions.

Workload Onboarding Plane Instance Configuration specifies configuration of the Workload Onboarding Plane instance.

apiVersion: config.plane.onboarding.tetrate.io/v1alpha1
kind: OnboardingPlaneInstanceConfiguration
onboardingPlane:
  uid: ef67c7b9-10da-4542-ad3b-b95acc1e05ba
tokenIssuer:
  jwt:
    expiration: 1h
    signingKeys:
    - filename: /path/to/tls.key
onboardingServer:
  port: 8443
  transportSecurity:
    tls:
      certDir: /path/to/dir/

OnboardingPlane

OnboardingPlane specifies configuration of the Workload Onboarding Plane.

Field Description Validation Rule

Field	Description	Validation Rule
uid	string REQUIRED Unique identifier of the `Workload Onboarding Plane`. Is used in the workload authentication flow to prevent replay attacks that abuse compromised workload credentials intended for a different installation of the `Workload Onboarding Plane`.	string = { min_len: `1` }

uid

string
REQUIRED
Unique identifier of the Workload Onboarding Plane.

Is used in the workload authentication flow to prevent replay attacks that abuse compromised workload credentials intended for a different installation of the Workload Onboarding Plane.

string = {
min_len: 1
}

OnboardingPlaneInstanceConfiguration

OnboardingPlaneInstanceConfiguration specifies configuration of the Workload Onboarding Plane instance.

Field	Description	Validation Rule
onboardingPlane	tetrateio.api.onboarding.private.component.plane.config.v1alpha1.OnboardingPlane REQUIRED Configuration of the `Workload Onboarding Plane`.	message = { required: `true` }
tokenIssuer	tetrateio.api.onboarding.private.component.plane.config.v1alpha1.TokenIssuer REQUIRED Configuration of the built-in `Workload Onboarding Token Issuer`.	message = { required: `true` }
onboardingServer	tetrateio.api.onboarding.private.component.plane.config.v1alpha1.OnboardingServer REQUIRED Configuration of the `gRPC` server that implements `Workload Onboarding API`.	message = { required: `true` }

OnboardingServer

Configuration of the gRPC server that implements Workload Onboarding API.

Field	Description	Validation Rule
port	int32 REQUIRED Port `Workload Onboarding API` server is listening on. Defaults to `8443`.	int32 = { lte: `65535` gte: `1` }
host	string Host that `Workload Onboarding API` server binds to.	–
transportSecurity	tetrateio.api.onboarding.private.types.config.v1alpha1.ServerTransportSecurity Transport layer security configuration. Defaults to no transport layer security.	–

TokenIssuer

Configuration of the built-in Workload Onboarding Token Issuer.

Field	Description	Validation Rule
jwt	tetrateio.api.onboarding.private.component.plane.config.v1alpha1.TokenIssuer.JwtTokenIssuer ^{oneof _token_issuer} Configuration of the built-in JWT Token Issuer.	–

JwtTokenIssuer

Configuration of the built-in JWT Token Issuer.

Field	Description	Validation Rule
expiration	google.protobuf.Duration REQUIRED Expiration is the duration issued tokens are valid for.	duration = { required: `true` gt: `{nanos:0}` }
signingKeys	List of tetrateio.api.onboarding.private.component.plane.config.v1alpha1.TokenIssuer.JwtTokenIssuer.SigningKey REQUIRED List of signing keys. All keys in the list are used to validate previously issued tokens. Only the first key in the list is used to sign newly issued tokens.	repeated = { min_items: `1` items: `{message:{required:true}}` }

SigningKey

Signing key.

Field	Description	Validation Rule
filename	string REQUIRED Name of a file that holds private key.	string = { min_len: `1` }

OnboardingPlane​

OnboardingPlaneInstanceConfiguration​

OnboardingServer​

TokenIssuer​

JwtTokenIssuer​

SigningKey​