Skip to main content
Version: 1.4.x

Tetrate Service Bridge

Welcome to the Tetrate Service Bridge (TSB) developer hub. You'll find comprehensive guides and documentation to help you start working with TSB as quickly as possible, as well as support if you get stuck. To make it easy to get going, we've highlighted the main content of interest for Application Developers who deploy applications into environments using TSB, Platform Operators who install, manage, and upgrade TSB and its components, and Security Admins who are responsible mandating, enforcing, and monitoring for runtime security controls.

Application Developers

The service mesh - and Tetrate Service Bridge - can offload a ton of complexity from your application! To start with you'll need to deploy your application with a Sidecar Proxy, then you can start to configure features like getting traffic to your application, apply rate limiting that traffic, or split traffic between VMs and K8s applications to enable the strangler pattern for modernization.

1. Concepts

  1. The Service Mesh architecture
  2. TSB's architecture
  3. Traffic Management with a Mesh
  4. Global observability with TSB

2. Deploying your App in the Mesh

  1. Deploy your application with a Sidecar - this is identical to deploying with Istio, and the Istio community has a ton of troubleshooting information around sidecar injection if you run into issues!
  2. Configure TSB to deliver external traffic
  3. Configure your Application with OpenAPI annotations

3. Managing your App in TSB

  1. Viewing metrics and traces for your application

4. Common Use Cases

  1. Ingress: getting traffic to your application
  2. Rate limiting that traffic
  3. Canary-release new versions of your application
  4. Migrating traffic from VMs to K8s
  5. Failover traffic across clusters

5. Useful Docs

  1. TSB FAQ
  2. Istio's official site

Platform Operators

Tetrate Service Bridge takes a morass of clusters and transforms them into a single, coherent mesh. To start with you'll want to install TSB's management plane, onboard application clusters so they can be observed and controlled, and maybe even deploy a demo application to understand the process your Application Developers will need to go through.

1. Concepts

  1. The Service Mesh architecture
  2. TSB's architecture, especially the ideas of the management plane, control plane, and data plane — and the responsibilities of each
  3. Traffic Management with a Mesh
  4. Global observability with TSB
  5. Understand how configuration flows through TSB at runtime
  6. IAM: Resource & Permission Hierarchy

2. Install, Setup, and Operations

  1. Install TSB's Management Plane
    • Configure login with OIDC: the default installation assumes an LDAP based login - this example uses Azure OIDC, but the TSB configuration is the same for any OIDC provider
  2. Onboard clusters that host applications (in other words, installing TSB control planes)
  3. Deploy and Configure Ingress proxies (shared, or one per team)
  4. Understand the certificates that are required for installation and how they're used
  5. Upgrade TSB versions
  6. GitOps with the Service Mesh
  7. Configuration status

3. Administration and Operation

  1. Manage Access to TSB
  2. Default Log Levels (for Applications and TSB)
  3. Alerting for TSB components
  4. TSB Resources and Capacity Planning
  5. Debugging with TSB's troubleshooting container

4. Useful Docs

  1. TSB FAQ
  2. TSB installation OIDC configuration reference
  3. Firewall setup for TSB communication
  4. Hosted TSB security FAQ (not for on-prem users)

Security Admins

The service mesh provides a security team a huge amount of leverage to implement and enforce policy centrally, but in a way that's lightweight for developers

1. Concepts

  1. The Service Mesh architecture
  2. High level TSB security overview
  3. What's the Management Plane/Runtime Split?

    1. Management Plane Security

    1. IAM: Resource & Permission Hierarchy
    2. Runtime Architecture

    2. Application Runtime Security

    1. Service Identity
    2. Service-to-Service Authorization in TSB is implemented as a thin layer over top of
    3. End User Authentication with the Mesh - the service mesh can be used to perform authentication of end-user credentials on behalf of applications, and NIST even recommends this approach. This guide covers using Keycloak, but any system
  4. Global observability
  5. Understand how configuration flows through TSB at runtime (including security policy)

2. Controls for Applications in the Mesh

  1. Enforce (m)TLS everywhere
  2. Implement service-to-service authentication and authorization
  3. Manage egress to external services
  4. Perform End-User Authentication for Applications
  5. Configure Envoy's External Authorization APIs

3. Ensuring Controls are Enforced

  1. Global observability for monitoring service-service traffic (including egress)
  2. Audit Log overview and API

4. Managing Access to TSB

  1. Tenants, Workspaces, and Groups, combined with TSB's flexible RBAC with custom roles, enable you to control who in your org can do what in TSB easily
  2. Firewall requirements for connecting to TSB

5. Useful Docs

  1. TSB FAQ
  2. Istio security overview
  3. Hosted TSB security FAQ (not for on-prem users)
  4. Reference for TSB's RBAC Access Control API