Version: 1.5.x

Control Plane Installation

This chart installs the TSB Control Plane operator.


helm install cp tetrate-tsb-helm/controlplane --namespace istio-system --create-namespace -f values.yaml

Istio revision

If you need to install a particular Istio version, set the CONTROL_PLANE_REVISION environment variable on the operator deployment.


Once the TSB Control Plane installation is finished, a TSB Control Plane custom resource is required to properly onboard the cluster into TSB.

This can be done manually or by supplying the resource's spec in the spec property of this same chart.

Istio specific version

If you set the CONTROL_PLANE_REVISION environment variable on the operator deployment, make sure to configure spec.xcp.revision with the same value. Otherwise, the operator will ignore the Control Plane resource.

Check the TSB documentation for more context on how to configure the installation.


| Name | Description | Default value |
|---|---|---|
| image.registry | Registry used to download the operator | |
| image.tag | The tag of the operator image | same as the Chart version |

Control Plane resource configuration

Optionally, the TSB Control Plane custom resource can be supplied using the following configuration so that the TSB Control Plane becomes fully operational.

| Name | Description | Default value |
|---|---|---|
| spec | Holds the spec section of the Control Plane custom resource | |

Secrets configuration

Optionally, all the required secrets can be supplied using the following configuration.

NOTE: Keep in mind that these options just help with creating secrets, and they must respect the configuration provided in the TSB Control Plane custom resource, otherwise the installation will end up misconfigured.

| Name | Description | Default value |
|---|---|---|
| secrets.keep | Enabling this makes the generated secrets persist in the cluster after uninstalling the chart if they are not provided in future updates. (see Helm doc) | false |
| secrets.tsb.cacert | CA certificate used to verify TLS certs exposed by the Management Plane (front envoy) | |
| secrets.elasticsearch.username | The username to access Elasticsearch | |
| secrets.elasticsearch.password | The password to access Elasticsearch | |
| secrets.elasticsearch.cacert | Elasticsearch CA cert used by the control plane to verify the TLS connection | |
| secrets.oapToken | JWT token used to authenticate OAP against the Management Plane | |
| secrets.otelToken | JWT token used to authenticate OTel Collector against the Management Plane | |
| secrets.zipkinToken | JWT token used to authenticate Zipkin against the Management Plane | |
| secrets.clusterServiceAccount.clusterFQN | TSB FQN of the onboarded cluster resource. This will be used to generate tokens for all Control Plane agents. | |
| secrets.clusterServiceAccount.JWK | JWK used to generate and sign the tokens for all the Control Plane agents. | |

XCP secrets configuration

XCP supports different authentication modes. Depending on the mode configured, the provided certs are used for different purposes.

JWT mode

In JWT mode, if the XCP root CA (secrets.xcp.rootca) is provided, it will be used to verify the TLS certs provided by XCP Central.

In addition, secrets.xcp.edge.token or secrets.clusterServiceAccount is required to authenticate against XCP Central.


MUTUAL_TLS mode

In MUTUAL_TLS mode, XCP Edge requires certificates with a SPIFFE ID to authenticate against the XCP Central.

If secrets.xcp.autoGenerateCerts is disabled, the XCP Edge cert is expected to be provided by the user using the secrets.xcp.edge.cert and secrets.xcp.edge.key configurations.

Then, if XCP Root CA is provided, it will be used to verify TLS certs provided by XCP Central.

If secrets.xcp.autoGenerateCerts is enabled, Cert Manager is required to provide the certs to XCP Edge.

If the Control Plane is installed in the same cluster the Management Plane runs on, no other cert info is required, because the same Cert Manager issuers will be used to create the XCP Edge cert.

Otherwise, when the Control Plane is not able to use the same Management Plane issuers, the XCP Root CA and its key (secrets.xcp.rootca and secrets.xcp.rootcakey) are required to create a Cert Manager issuer to provide the cert to the Edge.

The following properties configure the XCP authentication mode:

| Name | Description | Default value |
|---|---|---|
| secrets.xcp.autoGenerateCerts | Enabling this will auto-generate the XCP Edge certificate if mTLS is enabled to authenticate to XCP Central. Requires cert-manager. | false |
| secrets.xcp.rootca | CA certificate of XCP components | |
| secrets.xcp.rootcakey | Key of the CA certificate of XCP components | |
| secrets.xcp.edge.cert | Edge certificate used for mTLS with XCP Central | |
| secrets.xcp.edge.key | Key of the Edge certificate used for mTLS with XCP Central | |
| secrets.xcp.edge.token | JWT token used to authenticate XCP Edge against the XCP Central | |
| secrets.xcp.authMode | Indicates the XCP authentication mode configured in order to generate the proper required secrets. Accepted values: JWT or MUTUAL_TLS | MUTUAL_TLS |
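
The XCP authentication rules in this section, together with the earlier requirement that spec.xcp.revision match CONTROL_PLANE_REVISION, can be checked before running helm install. The following is an added example, not part of the chart or the TSB documentation; the names get, check_values and same_cluster_as_mp, and the name/value shape assumed for operator.deployment.env entries, are assumptions of this example.

```python
# Assumption: operator.deployment.env holds Kubernetes-style {name, value} items.
def get(values, dotted, default=None):
    """Look up a dotted key such as 'secrets.xcp.edge.cert' in nested dicts."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def check_values(values, same_cluster_as_mp=False):
    """Return the list of rule violations (an empty list means consistent)."""
    problems = []
    mode = get(values, "secrets.xcp.authMode", "MUTUAL_TLS")  # chart default
    auto = bool(get(values, "secrets.xcp.autoGenerateCerts", False))
    if mode == "JWT":
        creds = ("secrets.xcp.edge.token", "secrets.clusterServiceAccount")
        if not any(get(values, k) for k in creds):
            problems.append("JWT: need secrets.xcp.edge.token or secrets.clusterServiceAccount")
    elif mode == "MUTUAL_TLS":
        if not auto:  # user must bring the Edge certificate and key
            needed = ("secrets.xcp.edge.cert", "secrets.xcp.edge.key")
        elif not same_cluster_as_mp:  # issuer must be built from the root CA
            needed = ("secrets.xcp.rootca", "secrets.xcp.rootcakey")
        else:  # Management Plane issuers are reused
            needed = ()
        problems += [f"MUTUAL_TLS: {k} is required" for k in needed if not get(values, k)]
    else:
        problems.append(f"authMode must be JWT or MUTUAL_TLS, got {mode!r}")
    # Revision rule: on mismatch the operator ignores the Control Plane resource.
    env = get(values, "operator.deployment.env") or []
    op_rev = next((e.get("value") for e in env
                   if e.get("name") == "CONTROL_PLANE_REVISION"), None)
    spec_rev = get(values, "spec.xcp.revision")
    if op_rev is not None and "spec" in values and spec_rev != op_rev:
        problems.append("spec.xcp.revision differs from CONTROL_PLANE_REVISION")
    return problems

# Constructed sample values; no real secrets or cluster names.
SAMPLE = {
    "secrets": {"xcp": {"authMode": "MUTUAL_TLS", "autoGenerateCerts": True}},
    "operator": {"deployment": {"env": [
        {"name": "CONTROL_PLANE_REVISION", "value": "canary"}]}},
    "spec": {"xcp": {"revision": "stable"}},
}

if __name__ == "__main__":
    for problem in check_values(SAMPLE):
        print("FAIL:", problem)
```

The revision check is skipped when the values carry no spec, since the Control Plane resource may then be applied manually.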

Operator extended configuration

The TSB operator related resources like the deployment, the service or the service account can be extended using the following optional properties:

| Name | Description | Default value |
|---|---|---|
| operator.deployment.affinity | Affinity configuration for the pod | |
| operator.deployment.annotations | Custom collection of annotations to add to the deployment | |
| operator.deployment.env | Custom collection of environment vars to add to the container | |
| operator.deployment.podAnnotations | Custom collection of annotations to add to the pod | |
| operator.deployment.replicaCount | Number of replicas managed by the deployment | |
| operator.deployment.strategy | Deployment strategy to use | |
| operator.deployment.tolerations | Toleration collection applying to the pod scheduling | |
| operator.service.annotations | Custom collection of annotations to add to the service | |
| operator.serviceAccount.annotations | Custom collection of annotations to add to the service account | |
| operator.serviceAccount.imagePullSecrets | Collection of secrets names required to be able to pull images from the registry | |
| operator.pullSecret | A JSON encoded Docker configuration that will be stored as an image pull secret | |