Skip to main content
Version: 1.5.x

TSB Helm Charts

This document explains how you can leverage Helm Charts to install the different elements of TSB. The document assumes that Helm is already installed in the system.

TSB has one chart for each plane:

  • Management Plane: installs the TSB Management Plane operator (optionally allows to install the MP CR and/or the secrets).
  • Control Plane: installs the TSB Control Plane operator (optionally allows to install the MP CR and/or the secrets).
  • Data Plane: installs the TSB Data Plane operator.

Each chart installs the operator of the corresponding plane. Both management plane and the control plane ones also allow creating the corresponding resource that triggers the operator ( using the Spec attribute ) to deploy all the TSB components and/or the required secrets (using the Secrets attribute) to making them properly run.

This behavior lets you choose the way to fully configure TSB and integrate with CD pipelines. You can use helm to:

  • only install the operators
  • install/upgrade the plane resource (Management plane or Control plane CRs) along with the operator
  • install/upgrade the secrets along with the operator
  • install/upgrade all of them (operator, resource, secrets) at once

Regarding secrets, keep in mind that helm install/upgrade command accepts different files that can be provided by different sources, using one of the source for the spec and another for secrets.

There is an extra configuration (secrets.keep) to keep the secrets installed and avoid removing them. With this, secrets can be applied just once, and future upgrades without secrets won't remove them.

By default, Helm charts also install TSB CRDs. If you wish to skip the CRD installation step, you can pass the --skip-crds flag.

Installation process

Prerequisites

  1. Helm installed
  2. TSB cli tctl installed
  3. kubectl installed
  4. Credentials for Tetrate's image repository

Configure the Helm repository

  • Add the repository:
    helm repo add tetrate-tsb-helm 'https://charts.dl.tetrate.io/public/helm/charts/'
    helm repo update
  • List the available versions:
    helm search repo tetrate-tsb-helm -l
  • Use them:
    helm install mp tetrate-tsb-helm/managementplane -n tsb --create-namespace -f values.yaml

Steps

In order to do a full installation from scratch, follow this specific order of steps :

Values file template

An example values.yaml file is packaged within the Helm chart. You can use the helm pull command to download the chart to a local directory and use the existing values.yaml for your customizations.

  1. install Management Plane
    Namespace

    usually installed in tsb namespace

    1. create a values.yaml file to configure credentials to the Postgres database, the TSB certs, the TSB, Elasticsearch, and the IAM (LDAP credentials, or OIDC secrets, or Azure secrets)
    2. fill both Spec and Secrets fields to configure the CR and secrets respectively
    3. dependencies
      1. Certificate Provider
        1. in case Certificate auto generation is going to be used
        secrets:
        xcp:
        autoGenerateCerts: true
        1. by default TSB will install Cert Manager
        2. if Cert Manager is already present in the cluster, it has to be specified in the Management Plane definition and TSB won't install one
          components:
        internalCertProvider:
        certManager:
        managed: EXTERNAL
        1. for existing Cert Manager installations it's needed to configure the use of Kubernetes CSR objects
      2. Postgres
        1. by default TSB will install Postgres
        2. by default sslMode is set as required for the Management Plane, use the dataStore.postgres.sslMode attribute to change this value
        3. if Postgres is already present in the cluster, it has to be specified in the Management Plane definition and TSB won't install one
          dataStore:
        postgres:
        address: <postgres service endpoint>:5432
        name: postgres
        sslMode: disable
        secrets:
        postgres:
        username: postgres
        password: <base64 pass>
  2. create the Management Plane CR
    1. if the attribute Spec was specified in the management plane chart in previous step, this step can be skipped.
    2. create and apply a yaml file with the Management Plane CR object definition
    3. kubectl apply -f mp-file.yaml
  3. create a TSB Cluster
    1. step 1 output shows the commands to configure tctl to connect to TSB
    2. create and apply a yaml file with the Cluster object definition
    3. only required fields are metadata.name and metadata.organization (same value as specified in Management Plane CR)
    4. tctl apply -f cluster-file.yaml
  4. install Control Plane
    Namespace

    usually in istio-system namespace

    1. in order to configure Elasticsearch, Zipkin, NGAC agent, OAP, and OTEL Collector or the Cluster Service Account to automate these tokens management, use the values.yaml file. Attributes Spec (to create the CP CR) and Secrets in the values file will define the behaviour
    2. get TSB JWT tokens and specify them in the Control Plane templates
  5. install Data Plane
    Namespace

    usually in istio-gateway namespace

    1. in order to configure the Deployment, Service annotations, Service Account and pull Secret create and use a values.yaml file

Use the created file values.yaml file to specify those parts that are not already present in the cluster. If no Postgres, Cert-Manager or Elasticsearch information is specified, the operator will install default demo instances of them, not intended to be use in production environments.

In case Secrets element is used, a secret for each part specified will be created. Only those secrets that are not already in the cluster have to be specified in the file. Secrets names are not configurable.

It's important to specify the images registry in the values.yaml file section image.registry, and in case the Spec is not empty, also the hub value pointing to the same registry. These properties are used to pull the TSB operator image and the other components' images, respectively.