TSB Helm Charts
This document explains how you can leverage Helm Charts to install the different elements of TSB. The document assumes that Helm is already installed in the system.
TSB has one chart for each plane:
- Management Plane: installs the TSB Management Plane operator (optionally also installs the MP CR and/or the secrets).
- Control Plane: installs the TSB Control Plane operator (optionally also installs the CP CR and/or the secrets).
- Data Plane: installs the TSB Data Plane operator.
Each chart installs the operator of the corresponding plane. The Management Plane and Control Plane charts also allow creating the corresponding resource that triggers the operator to deploy all the TSB components (using the Spec attribute) and/or the secrets required for them to run properly (using the Secrets attribute).
This behavior lets you choose how to fully configure TSB and integrate it with CD pipelines. You can use Helm to:
- only install the operators
- install/upgrade the plane resource (Management plane or Control plane CRs) along with the operator
- install/upgrade the secrets along with the operator
- install/upgrade all of them (operator, resource, secrets) at once
Regarding secrets, keep in mind that the helm install/upgrade command accepts multiple files, which can be provided by different sources, so you can use one source for the spec and another for the secrets.
There is an extra configuration (secrets.keep) to keep the secrets installed and avoid removing them. With this, secrets can be applied just once, and future upgrades without secrets won't remove them.
By default, Helm charts also install TSB CRDs. If you wish to skip the CRD installation step, you can pass the --skip-crds flag.
Installation process
Prerequisites
Configure the Helm repository
- Add the repository:
    helm repo add tetrate-tsb-helm 'https://charts.dl.tetrate.io/public/helm/charts/'
    helm repo update
- List the available versions:
    helm search repo tetrate-tsb-helm -l
- Use them:
    helm install mp tetrate-tsb-helm/managementplane -n tsb --create-namespace -f values.yaml
Steps
An example values.yaml file is packaged within the Helm chart. You can use the helm pull command to download the chart to a local directory and use the existing values.yaml for your customizations.
To do a full installation from scratch, follow these steps in this specific order:
1. Install the Management Plane
   - Namespace: usually installed in the tsb namespace
   - create a values.yaml file to configure credentials to the Postgres database, the TSB certs, the TSB, Elasticsearch, and the IAM (LDAP credentials, or OIDC secrets, or Azure secrets)
   - fill both the Spec and Secrets fields to configure the CR and secrets respectively
   - dependencies
     - Certificate Provider
       - in case certificate auto generation is going to be used:
             secrets:
               xcp:
                 autoGenerateCerts: true
       - by default TSB will install Cert Manager
       - if Cert Manager is already present in the cluster, it has to be specified in the Management Plane definition and TSB won't install one:
             components:
               internalCertProvider:
                 certManager:
                   managed: EXTERNAL
       - for existing Cert Manager installations, you need to configure the use of Kubernetes CSR objects
     - Postgres
       - by default TSB will install Postgres
       - by default sslMode is set as required for the Management Plane; use the dataStore.postgres.sslMode attribute to change this value
       - if Postgres is already present in the cluster, it has to be specified in the Management Plane definition and TSB won't install one:
             dataStore:
               postgres:
                 address: <postgres service endpoint>:5432
                 name: postgres
                 sslMode: disable
             secrets:
               postgres:
                 username: postgres
                 password: <base64 pass>
2. Create the Management Plane CR
   - if the Spec attribute was specified in the Management Plane chart in the previous step, this step can be skipped
   - create and apply a yaml file with the Management Plane CR object definition:
         kubectl apply -f mp-file.yaml
3. Create a TSB Cluster
   - the step 1 output shows the commands to configure tctl to connect to TSB
   - create and apply a yaml file with the Cluster object definition
     - the only required fields are metadata.name and metadata.organization (same value as specified in the Management Plane CR):
           tctl apply -f cluster-file.yaml
4. Install the Control Plane
   - Namespace: usually in the istio-system namespace
   - to configure Elasticsearch, Zipkin, NGAC agent, OAP, and OTEL Collector, or the Cluster Service Account to automate the management of these tokens, use the values.yaml file. The Spec (to create the CP CR) and Secrets attributes in the values file will define the behaviour
   - get TSB JWT tokens and specify them in the Control Plane templates
5. Install the Data Plane
   - Namespace: usually in the istio-gateway namespace
   - to configure the Deployment, Service annotations, Service Account and pull Secret, create and use a values.yaml file
Use the values.yaml file you created to specify those parts that are not already present in the cluster.
If no Postgres, Cert-Manager or Elasticsearch information is specified, the operator will install default demo instances of them, which are not intended to be used in production environments.
If the Secrets element is used, a secret will be created for each part specified. Only those secrets that are not already in the cluster have to be specified in the file. Secret names are not configurable.
It's important to specify the image registry in the image.registry section of the values.yaml file and, in case the Spec is not empty, also the hub value pointing to the same registry. These properties are used to pull the TSB operator image and the other components' images, respectively.
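The notes above (demo instances, matching image.registry and hub, sslMode, secrets.keep) can be checked in a CD pipeline before helm install/upgrade runs. The following is an added example, not part of the TSB charts or the original page. It assumes the values file has already been parsed into a dict and that the Spec and Secrets attributes are the top-level keys spec and secrets, with dataStore and hub under spec; the registry names and sample values are constructed.

```python
# Added example: audit parsed TSB Management Plane Helm values before install.
# Assumed layout: top-level keys image, spec (Spec attribute), secrets (Secrets).

def _get(node, path):
    """Walk a dotted path through nested dicts; None if a key is missing."""
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit_values(values):
    """Return findings for a values.yaml already parsed into a dict."""
    findings = []
    spec = values.get("spec") or {}
    secrets = values.get("secrets") or {}
    registry = _get(values, "image.registry")
    if not registry:
        findings.append("image.registry is not set")
    if spec and spec.get("hub") != registry:
        findings.append("spec.hub does not point to image.registry")
    postgres = _get(spec, "dataStore.postgres")
    if spec and postgres is None:
        findings.append("no dataStore.postgres: operator installs a demo Postgres")
    elif postgres and postgres.get("sslMode") == "disable":
        findings.append("dataStore.postgres.sslMode is 'disable'")
    # Secrets applied without secrets.keep are removed by a later upgrade
    # that omits them.
    if any(name != "keep" for name in secrets) and not secrets.get("keep"):
        findings.append("secrets provided without secrets.keep")
    return findings

REGISTRY = "registry.example.com/tsb"  # constructed placeholder
WEAK = {  # constructed sample
    "image": {"registry": REGISTRY},
    "spec": {"hub": "other.example.com/tsb", "dataStore": {"postgres": {
        "address": "postgres.example.internal:5432", "name": "postgres",
        "sslMode": "disable"}}},
    "secrets": {"postgres": {"username": "postgres", "password": "<base64 pass>"}},
}
CORRECTED = {  # constructed sample: same registry, default sslMode, secrets kept
    "image": {"registry": REGISTRY},
    "spec": {"hub": REGISTRY, "dataStore": {"postgres": {
        "address": "postgres.example.internal:5432", "name": "postgres"}}},
    "secrets": {"keep": True,
                "postgres": {"username": "postgres", "password": "<base64 pass>"}},
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label, audit_values(sample))
```

An operator-only install (no spec, no secrets) passes with just image.registry set, since nothing else is deployed by the chart in that mode.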