Tetrate Service Bridge, version 1.5.x

Management Plane Installation

This chart installs the TSB Management Plane operator.

Optionally, it also installs alongside the operator:

- the TSB Management Plane custom resource (supplied through the spec value)
- the secrets the Management Plane needs (supplied through the secrets values)

Install

helm install mp tetrate-tsb-helm/managementplane --namespace tsb --create-namespace -f values.yaml

Usage

Installing the operator with this chart is not enough on its own: a TSB Management Plane custom resource must also exist before a TSB Management Plane actually runs.

The custom resource can be created manually or supplied through the spec value of this same chart.

Check the TSB documentation for details on how to configure the installation.

Configuration

| Name | Description | Default value |
|---|---|---|
| image.registry | Registry used to download the operator image. Required. | gcr.io/tetrate-internal-containers |
| image.tag | The tag of the operator image. Required. | Same as the chart version |

Management Plane resource configuration

Optionally, the TSB Management Plane custom resource can be supplied through the following value, so that a Management Plane is fully running once the chart is installed.

| Name | Description | Default value |
|---|---|---|
| spec | Holds the spec section of the Management Plane custom resource. Optional. | |

Secrets configuration

Optionally, all the secrets the Management Plane needs can also be created by the chart using the values below.

NOTE: these values only create the secrets. Their contents must match what the TSB Management Plane custom resource is configured to use (for example the same Postgres and Elasticsearch credentials, the same identity-provider settings and the same XCP authentication mode); otherwise the installation ends up misconfigured. Keep in mind that values passed to the chart, including these private keys and passwords, are stored in the Helm release secret in the chart's namespace and are printed by helm get values, so access to secrets in that namespace should be restricted accordingly.

| Name | Description | Default value |
|---|---|---|
| secrets.keep | When true, the secrets created by the chart are kept in the cluster after the chart is uninstalled, and on upgrades in which the secret values are no longer provided (see the Helm documentation on resource policies). | false |
| secrets.tsb.adminPassword | The password configured for the admin user. | |
| secrets.tsb.cert | The TLS certificate exposed by the Management Plane (front envoy). | |
| secrets.tsb.key | The private key for the TLS certificate exposed by the Management Plane (front envoy). | |
| secrets.postgres.username | The username used to access the Postgres database. | |
| secrets.postgres.password | The password used to access the Postgres database. | |
| secrets.postgres.cacert | The CA certificate used to verify the TLS certificate presented by the Postgres database. | |
| secrets.postgres.clientcert | The client certificate required to access the Postgres database. | |
| secrets.postgres.clientkey | The private key for the client certificate required to access the Postgres database. | |
| secrets.elasticsearch.username | The username used to access Elasticsearch. | |
| secrets.elasticsearch.password | The password used to access Elasticsearch. | |
| secrets.elasticsearch.cacert | The CA certificate used to verify the TLS certificate presented by Elasticsearch. | |
| secrets.ldap.binddn | The bind DN used to read from the LDAP identity provider. | |
| secrets.ldap.bindpassword | The password for the bind DN used to read from the LDAP identity provider. | |
| secrets.ldap.cacert | The CA certificate used to verify the TLS certificate presented by the LDAP identity provider. | |
| secrets.oidc.clientSecret | The client secret used to connect to the configured OIDC provider. | |
| secrets.oidc.deviceClientSecret | The device client secret used to connect to the configured OIDC provider. | |
| secrets.azure.clientSecret | The client secret used to connect to the Azure OIDC provider. | |

XCP secrets configuration

XCP supports different authentication modes, and the certificates supplied here serve different purposes depending on the mode in use.

JWT mode

In JWT mode, XCP Central serves plain server-side TLS to its clients; peers are not identified by client certificates in this mode.

If secrets.xcp.autoGenerateCerts is disabled, the XCP Central certificate and its private key must be provided by the user in secrets.xcp.central.cert and secrets.xcp.central.key.

Optionally, a CA certificate can be provided in secrets.xcp.rootca so that the MPC component verifies the certificate presented by XCP Central against it.

If secrets.xcp.autoGenerateCerts is enabled, cert-manager is required and issues the XCP Central certificate.

In that case secrets.xcp.rootca and secrets.xcp.rootcakey are used to create the cert-manager Issuer that signs the XCP Central certificate, and the CA certificate is shared with MPC so that it can verify the generated certificate.

MUTUAL_TLS mode

In MUTUAL_TLS mode, XCP Central and each of its clients present certificates carrying a SPIFFE ID, and every peer is authenticated by its certificate.

If secrets.xcp.autoGenerateCerts is disabled, the XCP Central and MPC certificates and keys are expected from the user in secrets.xcp.central.cert, secrets.xcp.central.key, secrets.mpc.cert and secrets.mpc.key respectively.

If an XCP root CA certificate is provided in secrets.xcp.rootca, it is used to verify all of those certificates. Verification needs only the CA certificate, so in this configuration secrets.xcp.rootcakey can stay offline.

If secrets.xcp.autoGenerateCerts is enabled, cert-manager is required and issues the certificates for XCP Central and MPC.

In that case secrets.xcp.rootca and secrets.xcp.rootcakey are used to create the cert-manager Issuer that signs the certificates with which XCP Central and MPC authenticate each other over mTLS.

The following values configure the XCP authentication mode:

| Name | Description | Default value |
|---|---|---|
| secrets.xcp.autoGenerateCerts | When true, the XCP Central certificate and, in MUTUAL_TLS mode, the MPC certificate are generated by cert-manager instead of being supplied as values. Requires cert-manager. | false |
| secrets.mpc.cert | The certificate used by MPC to authenticate via mTLS against XCP Central. | |
| secrets.mpc.key | The private key for the certificate used by MPC to authenticate via mTLS against XCP Central. | |
| secrets.xcp.rootca | The CA certificate for the XCP components. | |
| secrets.xcp.rootcakey | The private key of the XCP root CA (used to create the cert-manager Issuer when secrets.xcp.autoGenerateCerts is enabled). | |
| secrets.xcp.central.cert | The XCP Central TLS certificate. | |
| secrets.xcp.central.key | The private key for the XCP Central TLS certificate. | |
| secrets.xcp.central.additionalDNSNames | Additional DNS names added to the XCP Central certificate when secrets.xcp.autoGenerateCerts is enabled. | |
| secrets.xcp.central.additionalURIs | Additional URIs added to the XCP Central certificate when secrets.xcp.autoGenerateCerts is enabled. | |
| secrets.xcp.central.additionalIPAddresses | Additional IP addresses added to the XCP Central certificate when secrets.xcp.autoGenerateCerts is enabled. | |
| certManager.clusterResourcesNamespace | The namespace configured in the cert-manager installation for cluster-scoped resources. | cert-manager |
| secrets.xcp.authModes.jwt | If true, the secrets required for the XCP JWT authentication mode are created. | false |
| secrets.xcp.authModes.mtls | If true, the secrets required for the XCP mTLS authentication mode are created. | true |
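The MUTUAL_TLS path with secrets.xcp.autoGenerateCerts left at false, as an added example that is not part of this chart or of TSB: a POSIX shell script that issues an XCP root CA, an XCP Central server certificate and an MPC client certificate whose SANs carry SPIFFE IDs, runs the checks worth doing before the values go into the cluster (each leaf chains to the CA destined for secrets.xcp.rootca, each cert/key pair really belongs together, each certificate carries a SPIFFE ID in the expected trust domain), and renders the matching secrets.xcp and secrets.mpc values. The pair check applies just as well to secrets.tsb.cert/key and the Postgres client pair from the secrets section above. The trust domain xcp.example.internal, the SPIFFE paths /xcp-central and /mpc, and the DNS name central-xcp.tsb.svc are assumptions for illustration; the SPIFFE IDs XCP actually expects come from the TSB documentation, not from this script.

```shell
#!/bin/sh
# Added example, not part of the tetrate-tsb-helm chart or of TSB. The trust
# domain, SPIFFE paths and XCP Central DNS name below are assumptions.
set -eu

TRUST_DOMAIN="${TRUST_DOMAIN:-xcp.example.internal}"  # assumed
CENTRAL_DNS="${CENTRAL_DNS:-central-xcp.tsb.svc}"      # assumed

# Minimal req config so the script does not depend on the system openssl.cnf
# (-subj supplies the whole subject, so the dn section can stay empty).
_reqcnf() { printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"; }

# Issue one leaf signed by the root CA in $dir:
#   _leaf <dir> <name> <extendedKeyUsage> <subjectAltName list>
_leaf() {
  dir=$1 name=$2 eku=$3 san=$4
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
    "$eku" "$san" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/rootca.crt" -CAkey "$dir/rootca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# Root CA plus the two leaves the chart expects in MUTUAL_TLS mode.
gen_xcp_certs() {
  dir=$1; mkdir -p "$dir"; _reqcnf "$dir"
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=xcp-root-ca" -keyout "$dir/rootca.key" -out "$dir/rootca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/rootca.ext"
  openssl x509 -req -in "$dir/rootca.csr" -signkey "$dir/rootca.key" -days 365 \
    -sha256 -extfile "$dir/rootca.ext" -out "$dir/rootca.crt" 2>/dev/null
  # XCP Central: server side, reachable by DNS name, identified by a SPIFFE ID
  _leaf "$dir" central serverAuth "DNS:$CENTRAL_DNS,URI:spiffe://$TRUST_DOMAIN/xcp-central"
  # MPC: client side, identified by its SPIFFE ID only
  _leaf "$dir" mpc clientAuth "URI:spiffe://$TRUST_DOMAIN/mpc"
}

# Checks to run before the values reach the cluster.
# 1. The leaf chains to the CA that will go into secrets.xcp.rootca.
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# 2. A cert and the key submitted next to it really belong together
#    (compare the SubjectPublicKeyInfo derived from each side).
check_pair() {
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  k=$(openssl pkey -pubout -in "$2" | openssl sha256)
  [ "$c" = "$k" ]
}
# 3. The cert carries a SPIFFE ID in the expected trust domain.
check_spiffe() { openssl x509 -noout -text -in "$1" | grep -q "URI:spiffe://$2/"; }

# "<pad><key>: |" followed by a PEM file as a YAML block scalar.
_block() { printf '%s%s: |\n' "$1" "$2"; sed "s/^/$1  /" "$3"; }

# Only what the chart needs when it does not generate the certs itself:
# the CA certificate and the two leaf pairs. secrets.xcp.rootcakey is
# deliberately absent; the CA private key is not needed for verification.
render_xcp_values() {
  dir=$1
  {
    printf 'secrets:\n  xcp:\n    autoGenerateCerts: false\n'
    printf '    authModes:\n      mtls: true\n      jwt: false\n'
    _block '    ' rootca "$dir/rootca.crt"
    printf '    central:\n'
    _block '      ' cert "$dir/central.crt"
    _block '      ' key "$dir/central.key"
    printf '  mpc:\n'
    _block '    ' cert "$dir/mpc.crt"
    _block '    ' key "$dir/mpc.key"
  } > "$dir/xcp-values.yaml"
}
```

Source the file, run gen_xcp_certs ./xcp, the three checks, and render_xcp_values ./xcp, then pass ./xcp/xcp-values.yaml with an additional -f to the helm install command above. The rendered file omits secrets.xcp.rootcakey on purpose: in this mode only the CA certificate is used for verification, and a CA private key placed in values would end up in the Helm release secret alongside everything else.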

Operator extended configuration

The resources the chart creates for the TSB operator (the deployment, the service and the service account) can be extended using the following optional values:

| Name | Description | Default value |
|---|---|---|
| operator.deployment.affinity | Affinity configuration for the pod. | |
| operator.deployment.annotations | Custom collection of annotations to add to the deployment. | |
| operator.deployment.env | Custom collection of environment variables to add to the container. | |
| operator.deployment.podAnnotations | Custom collection of annotations to add to the pod. | |
| operator.deployment.replicaCount | Number of replicas managed by the deployment. | |
| operator.deployment.strategy | Deployment strategy to use. | |
| operator.deployment.tolerations | Collection of tolerations applied to pod scheduling. | |
| operator.service.annotations | Custom collection of annotations to add to the service. | |
| operator.serviceAccount.annotations | Custom collection of annotations to add to the service account. | |
| operator.serviceAccount.imagePullSecrets | Collection of secret names required to pull images from the registry. | |
| operator.pullSecret | A Docker JSON config string that is stored as an image pull secret. | |