Installation
Following are the steps to install the TIS Workload Onboarding Operator.
Prerequisites
- Helm is installed
- Acquired credentials from Tetrate to access the TIS add-ons repository.
Tetrate uses the same credentials for FIPS and add-on repositories. If you have already acquired credentials for the FIPS repository, you can use the same credentials to access the TIS add-on repository.
Installation
Before installing Workload Onboarding Operator, you need to add the TIS Helm repository to your Helm client:
helm repo add tis-addons https://tis.tetrate.io/charts
helm repo update
Set the required variables for TIS credentials:
export TIS_USER="<tis-username>"
export TIS_PASS="<tis-password>"
Then create a secret for the TIS add-ons repository. This will be used later to pull the Workload Onboarding Operator image from the TIS add-ons repository.
# The pull secret must be created in the namespace where the operator is installed
# (istio-system in this guide): imagePullSecrets are resolved in the Pod's own namespace.
kubectl create secret docker-registry tetrate-addons-creds \
  --docker-server="addon-containers.istio.tetratelabs.com" \
  --docker-username="${TIS_USER}" \
  --docker-password="${TIS_PASS}" \
  --docker-email="${USER}@" \
  -n istio-system
Create a values file for the Onboarding Operator with the required values. Please note that the repository.onboardingPackageIstioSidecar.tag value should be aligned with the TID version installed in the Kubernetes cluster.
cat <<EOF > onboarding-operator-values.yaml
image:
  pullSecrets:
    - name: tetrate-addons-creds # (1) REQUIRED
repository:
  onboardingPackageIstioSidecar:
    tag: 1.24.3-tetrate3 # (2) REQUIRED
onboarding:
  endpoint:
    host: onboarding-endpoint.example # (3) REQUIRED
    tlsSecretName: onboarding-endpoint-tls-cert # (4) REQUIRED
EOF
- (1) You must provide the name of the image pull secret created in the previous step.
- (2) You must provide the TID version installed in the Kubernetes cluster.
- (3) You must provide a DNS name for the Workload Onboarding Endpoint, e.g. onboarding-endpoint.your-company.corp.
- (4) You must provide the name of the Kubernetes Secret that holds the TLS certificate for the Workload Onboarding Endpoint.
Install the Onboarding Operator:
helm install onboarding-operator tis-addons/onboarding-operator \
--namespace istio-system \
--values onboarding-operator-values.yaml \
--version 0.1.0
Note: The currently supported TID versions are: 1.24.3-tetrate0, 1.24.3-tetrate1, 1.24.3-tetrate2, 1.24.3-tetrate3. More versions will be supported in the future.
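Before running helm install, it is worth validating the values file against the four REQUIRED values and the supported TID list above, so that a wrong sidecar tag, a placeholder hostname or a missing secret name is caught here rather than as a failing Pod. The script below is an added example for this guide, not part of the operator or its Helm chart; it assumes the values file has exactly the flat layout shown above (the field extraction is a deliberately small awk filter, not a YAML parser), and the supported tag list is copied from the note above.

```shell
#!/bin/sh
# Pre-flight check for onboarding-operator-values.yaml (example for this guide,
# not part of the operator or its chart).

# TID versions the chart currently supports (from the note in the guide).
SUPPORTED_TID_TAGS="1.24.3-tetrate0 1.24.3-tetrate1 1.24.3-tetrate2 1.24.3-tetrate3"

# Exit 0 when $1 is one of the supported sidecar tags.
tid_tag_supported() {
  for t in $SUPPORTED_TID_TAGS; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# Print the first scalar stored under "key: value" or "- key: value" in the
# values file ($1 = file, $2 = key). Trailing "# ..." comments and quotes are
# stripped. Sufficient for the flat layout the guide uses; not a YAML parser.
values_field() {
  awk -v k="$2:" '
    { sub(/#.*/, ""); gsub(/"/, "") }
    $1 == k              { print $2; exit }
    $1 == "-" && $2 == k { print $3; exit }
  ' "$1"
}

# Exit 0 when $1 is a plausible fully qualified DNS name (lower-cased, at least
# two labels, letters/digits/hyphens only) and not the chart's placeholder host.
valid_endpoint_host() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  [ "$h" != "onboarding-endpoint.example" ] || return 1
  printf '%s\n' "$h" |
    grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Validate a values file: prints one line per problem, exits 1 if there is any.
validate_onboarding_values() {
  f=$1
  problems=0
  pull_secret=$(values_field "$f" name)
  tag=$(values_field "$f" tag)
  host=$(values_field "$f" host)
  tls_secret=$(values_field "$f" tlsSecretName)

  if [ -z "$pull_secret" ]; then
    echo "(1) image.pullSecrets is empty: the operator image cannot be pulled"
    problems=$((problems + 1))
  fi
  if ! tid_tag_supported "$tag"; then
    echo "(2) repository.onboardingPackageIstioSidecar.tag '$tag' is not a supported TID version"
    problems=$((problems + 1))
  fi
  if ! valid_endpoint_host "$host"; then
    echo "(3) onboarding.endpoint.host '$host' is the placeholder or not a valid DNS name"
    problems=$((problems + 1))
  fi
  if [ -z "$tls_secret" ]; then
    echo "(4) onboarding.endpoint.tlsSecretName is empty: the endpoint cannot enforce TLS"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Optional cluster-side check (needs kubectl; not run offline): both secrets
# must exist in the release namespace, and the TLS one must be of type
# kubernetes.io/tls, because that is where the Pod resolves them.
check_secrets_in_namespace() {
  ns=$1; f=$2
  kubectl -n "$ns" get secret "$(values_field "$f" name)" >/dev/null &&
    kubectl -n "$ns" get secret "$(values_field "$f" tlsSecretName)" \
      -o jsonpath='{.type}' | grep -q '^kubernetes.io/tls$'
}

# Usage before installing:
#   validate_onboarding_values onboarding-operator-values.yaml &&
#   check_secrets_in_namespace istio-system onboarding-operator-values.yaml &&
#   helm install onboarding-operator tis-addons/onboarding-operator ...
```

Run against the values file exactly as written in the step above, the check fails on (3), because onboarding-endpoint.example is the chart's placeholder; it passes once a real DNS name is filled in.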
Workload Onboarding Endpoint
The Workload Onboarding Endpoint is the component that the individual Workload Onboarding Agents connect to in order to join the mesh.
In production scenarios, the Workload Onboarding Endpoint must be highly available, have a stable address, and enforce TLS on incoming connections.
For that reason, the DNS name and TLS certificate are mandatory parameters for enabling Workload Onboarding.
DNS name
You can choose any DNS name for the Workload Onboarding Endpoint. That name must resolve to the address of the Kubernetes Service vmgateway in the istio-system namespace. In production scenarios, you can achieve that by using external-dns.
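Because agents outside the cluster find the endpoint only through this name, it is worth confirming that the record actually points at vmgateway before onboarding the first workload. The script below is an added example for this guide, not part of the operator or external-dns; it assumes the vmgateway Service is of type LoadBalancer and, for the optional annotation helper, that external-dns is deployed and watching Service annotations (the `external-dns.alpha.kubernetes.io/hostname` annotation key belongs to external-dns, not to this page).

```shell
#!/bin/sh
# Check that the Workload Onboarding Endpoint's DNS name resolves to the
# address(es) published by the vmgateway Service (example for this guide).

# Exit 0 when the resolved address set ($1, whitespace-separated) is non-empty
# and every address in it is one of the Service's addresses ($2). Pure string
# comparison, so it can be exercised without a cluster.
addresses_match_service() {
  resolved=$1; svc=$2
  [ -n "$resolved" ] || return 1
  for a in $resolved; do
    found=0
    for s in $svc; do
      [ "$a" = "$s" ] && found=1
    done
    [ "$found" -eq 1 ] || return 1
  done
  return 0
}

# Resolve a name to its addresses with the system resolver (one per line).
resolve_addresses() {
  getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# Addresses published on the vmgateway load balancer. When the cloud provider
# publishes a hostname instead of an IP (AWS does), resolve it too, so that both
# sides of the comparison are IP addresses.
vmgateway_addresses() {
  kubectl -n istio-system get service vmgateway \
    -o jsonpath='{range .status.loadBalancer.ingress[*]}{.ip}{"\n"}{.hostname}{"\n"}{end}' |
  while read -r entry; do
    [ -n "$entry" ] || continue
    case $entry in
      *:*)       printf '%s\n' "$entry" ;;        # IPv6 literal
      *[!0-9.]*) resolve_addresses "$entry" ;;    # hostname (e.g. an ELB name)
      *)         printf '%s\n' "$entry" ;;        # IPv4 literal
    esac
  done | sort -u
}

# check_endpoint_dns HOST: exit 0 when HOST points at vmgateway.
check_endpoint_dns() {
  resolved=$(resolve_addresses "$1")
  svc=$(vmgateway_addresses)
  if addresses_match_service "$resolved" "$svc"; then
    echo "ok: $1 -> $(printf '%s ' $resolved)"
  else
    echo "mismatch: $1 resolves to [$(printf '%s ' $resolved)] but vmgateway publishes [$(printf '%s ' $svc)]"
    return 1
  fi
}

# Optional: let external-dns create the record from the Service itself.
# Assumes external-dns is deployed and watches Service annotations.
annotate_vmgateway_for_external_dns() {
  kubectl -n istio-system annotate service vmgateway --overwrite \
    "external-dns.alpha.kubernetes.io/hostname=$1"
}

# Usage:
#   annotate_vmgateway_for_external_dns onboarding-endpoint.your-company.corp
#   check_endpoint_dns onboarding-endpoint.your-company.corp
```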
TLS certificate
To provide a certificate for the Workload Onboarding Endpoint, you need to create a Kubernetes secret of type TLS in the istio-system namespace.
You have several options:
- Either create a Kubernetes secret from an X.509 certificate and a private key procured out-of-band
- Or use cert-manager to automate provisioning of the TLS certificate
TLS certificate procured out-of-band
To provide a TLS certificate procured out-of-band, use:
kubectl create secret tls <onboarding-endpoint-tls-cert> \
-n istio-system \
--cert=<path/to/cert/file> \
--key=<path/to/key/file>
TLS certificate procured by cert-manager
To automate the provisioning of the TLS certificate, you can use cert-manager.
For example, you can procure a free TLS certificate signed by a trusted CA, such as Let's Encrypt.
In this case, your configuration will look similar to:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <onboarding-endpoint-tls-cert>
  namespace: istio-system
spec:
  secretName: <onboarding-endpoint-tls-cert>
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  usages:
    - server auth
  dnsNames:
    - <onboarding-endpoint-dns-name>
  issuerRef:
    name: <your-issuer>
    kind: ClusterIssuer
Refer to the cert-manager documentation for further details.
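Whichever way the certificate is procured, the agents will only accept it if the private key matches, the endpoint's DNS name appears as a subjectAltName, and it has not expired. The script below is an added example for this guide, not part of the operator or cert-manager; it uses only the openssl and kubectl command-line tools, and the 15-day default for the remaining-validity check is taken from the renewBefore window in the cert-manager example above, not from the operator.

```shell
#!/bin/sh
# Verify TLS material for the Workload Onboarding Endpoint, either from PEM
# files procured out-of-band or from the Secret cert-manager produced
# (example for this guide, not part of the operator).

# check_tls_material CERT_PEM KEY_PEM HOST [MIN_DAYS]
# Exit 0 when the private key matches the certificate, HOST is listed as a DNS
# subjectAltName, and the certificate stays valid for at least MIN_DAYS.
check_tls_material() {
  cert=$1; key=$2; host=$3; min_days=${4:-15}

  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "cannot parse certificate $cert"; return 1
  fi
  if ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
    echo "cannot parse private key $key"; return 1
  fi

  # Key/cert match: compare SHA-256 digests of the DER public key taken from
  # the certificate and derived from the private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null |
             openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate"; return 1
  fi

  # SAN check: TLS clients validate the hostname against the SAN list, not the CN.
  esc=$(printf '%s' "$host" | sed 's/\./\\./g')
  if ! openssl x509 -in "$cert" -noout -text 2>/dev/null |
       grep -A1 'Subject Alternative Name' |
       grep -Eiq "(^|[ ,])DNS:$esc(,|$)"; then
    echo "certificate has no DNS subjectAltName for $host"; return 1
  fi

  # Expiry: -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate expires within $min_days days"; return 1
  fi
  return 0
}

# check_endpoint_tls_secret SECRET HOST [MIN_DAYS]
# Same checks against the Secret in istio-system, whether it was created with
# "kubectl create secret tls" or issued by cert-manager. Needs kubectl.
check_endpoint_tls_secret() {
  type=$(kubectl -n istio-system get secret "$1" -o jsonpath='{.type}')
  if [ "$type" != "kubernetes.io/tls" ]; then
    echo "secret $1 has type '$type', expected kubernetes.io/tls"; return 1
  fi
  tmp=$(mktemp -d)
  kubectl -n istio-system get secret "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$tmp/tls.crt"
  kubectl -n istio-system get secret "$1" -o jsonpath='{.data.tls\.key}' | base64 -d > "$tmp/tls.key"
  if check_tls_material "$tmp/tls.crt" "$tmp/tls.key" "$2" "${3:-15}"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Usage:
#   check_tls_material path/to/cert.pem path/to/key.pem onboarding-endpoint.your-company.corp
#   check_endpoint_tls_secret onboarding-endpoint-tls-cert onboarding-endpoint.your-company.corp
```

A run that reports "certificate has no DNS subjectAltName" usually means the certificate was issued for the wrong name or only carries the name in its CN, which the agents will not accept; fix the dnsNames in the Certificate (or re-issue the out-of-band certificate) rather than relaxing the check.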
Uninstallation
First, delete the onboarding-operator deployment. The Onboarding Operator watches for the deletion of this deployment and removes all the resources it created.
kubectl -n istio-system delete deploy onboarding-operator
Then, you can uninstall the helm chart with:
helm -n istio-system uninstall onboarding-operator
Helm Configuration
The following table lists the configurable parameters of the Workload Onboarding Operator chart and their default values.
Key | Type | Default | Description
---|---|---|---
image.repository | string | "addon-containers.istio.tetratelabs.com" | Image repository from which the onboarding images are downloaded
image.tag | string | "0.1.0-onboarding" | Onboarding image tag to be used
image.pullSecrets | list | [] | Image pull secrets to be used to pull the onboarding images
image.pullPolicy | string | "IfNotPresent" | Image pull policy for the onboarding images
repository.onboardingPackageIstioSidecar.tag | string | "1.24.3-tetrate3" | Istio sidecar tag to be used for the onboarded workloads
onboarding.endpoint.host | string | "onboarding-endpoint.example" | Hostname for the onboarding endpoint
onboarding.endpoint.tlsSecretName | string | "onboarding-endpoint-tls-cert" | Secret name for the onboarding endpoint TLS certificate
To view all supported configuration options and their documentation, run:
helm show values tis-addons/onboarding-operator