Management Plane
The ManagementPlane resource exposes the set of configuration needed to automatically install the Service Bridge management plane on a cluster. The installation API is an override API: any unset field that is not required falls back to a sensible default.
Prior to creating the ManagementPlane resource, verify that the following secrets exist in the namespace the management plane will be installed into:
- tsb-certs
- ldap-credentials
- custom-host-ca (if you are using a TLS connection and need a custom CA to connect to the LDAP host)
- postgres-credentials (non-demo deployments)
- admin-credentials
- es-certs (if your Elasticsearch is using a self-signed certificate)
- elastic-credentials (if your Elasticsearch backend requires authentication)
A resource containing only the container registry hub installs a demo of Service Bridge: it creates a default Organization and installs local instances of the external dependencies, such as Postgres, Elasticsearch, and an LDAP server. Please note that these local instances are for demonstration purposes only and should not be used in production. Production setups should point to a user-managed Postgres and Elasticsearch as well as the enterprise LDAP server.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  organization: tetrate
```
To move from the demo installation to production readiness, configure the top-level settings that let TSB connect to external dependencies. When one of these settings stanzas is added, the operator deletes the corresponding demo component and configures the management plane to talk to the dependency described.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  imagePullSecrets:
    - name: my-registry-creds
  organization: tetrate
  dataStore:
    postgres:
      address: postgres:1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
        - name: https://jwt.tetrate.io
          algorithm: RS256
          signingKey: tls.key
```
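As an added example (not Tetrate's own tooling), the following pre-flight check applies the rules from this section to a ManagementPlane spec: it reports which demo-grade dependencies the operator would install because a top-level stanza is missing, and which secrets must already exist in the namespace before the resource is applied. It assumes the spec has been loaded into a dict; the Elasticsearch TLS/auth and LDAP custom CA conditions are not fields of the spec shown here, so they are passed as flags.

```python
# Added example, not Tetrate's tooling: pre-flight check that encodes the
# rules stated in this section. Elasticsearch TLS/auth and the LDAP custom CA
# are not fields of the spec shown here, so they are passed as flags.

# Top-level stanza -> demo-grade component the operator installs when absent
DEMO_COMPONENTS = {
    "dataStore": "Postgres",
    "telemetryStore": "Elasticsearch",
    "identityProvider": "LDAP server",
}


def demo_components_installed(spec):
    """Demo dependencies the operator would install; empty for a production spec."""
    return [name for key, name in DEMO_COMPONENTS.items() if key not in spec]


def required_secrets(spec, es_self_signed=False, es_auth=False, ldap_custom_ca=False):
    """Secrets that must exist in the target namespace before the resource is applied."""
    secrets = ["tsb-certs", "admin-credentials"]
    # Pull secrets are referenced by name; the operator does not create them
    secrets += [ref["name"] for ref in spec.get("imagePullSecrets", [])]
    if "postgres" in spec.get("dataStore", {}):
        secrets.append("postgres-credentials")  # non-demo deployments only
    if "ldap" in spec.get("identityProvider", {}):
        secrets.append("ldap-credentials")
        if ldap_custom_ca:  # TLS to the LDAP host with a private CA
            secrets.append("custom-host-ca")
    if "elastic" in spec.get("telemetryStore", {}):
        if es_self_signed:
            secrets.append("es-certs")
        if es_auth:
            secrets.append("elastic-credentials")
    return secrets


def missing_secrets(spec, existing, **flags):
    """Required secrets absent from `existing` (e.g. names from kubectl get secrets)."""
    present = set(existing)
    return [s for s in required_secrets(spec, **flags) if s not in present]


# Constructed from the production example above, not read from a cluster
PRODUCTION_SPEC = {
    "hub": "docker.io/tetrate",
    "imagePullSecrets": [{"name": "my-registry-creds"}],
    "organization": "tetrate",
    "dataStore": {"postgres": {"address": "postgres:1234"}},
    "telemetryStore": {"elastic": {"host": "elastic", "port": 5678}},
    "identityProvider": {"ldap": {"host": "ldap", "port": 389}},
    "tokenIssuer": {"jwt": {"expiration": "1h"}},
}
DEMO_SPEC = {"hub": "docker.io/tetrate", "organization": "tetrate"}
```

Run `missing_secrets` against the secret names from the target namespace before creating the resource; a non-empty result means the operator will start with secrets it cannot find.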
Top-level settings deal with higher-level concepts such as persistence, but some configuration can also be overridden per component. For example, to configure the team synchronization schedule in the API server, set the teamSyncSchedule field in the apiServer component:
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  organization: tetrate
  components:
    apiServer:
      teamSyncSchedule: 17 * * * *
  dataStore:
    postgres:
      address: postgres:1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
        - name: https://jwt.tetrate.io
          algorithm: RS256
          signingKey: tls.key
```
To configure infrastructure-specific settings, such as resource limits on the deployment in Kubernetes, set the relevant field in a component. Remember that the installation API is an override API, so if these fields are unset the operator will use sensible defaults. Only a subset of Kubernetes configuration is available, and only for individual components.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  organization: tetrate
  components:
    collector:
      kubeSpec:
        deployment:
          resources:
            limits:
              memory: 750Mi
            requests:
              memory: 500Mi
  dataStore:
    postgres:
      address: postgres:1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
        - name: https://jwt.tetrate.io
          algorithm: RS256
          signingKey: tls.key
```
ManagementPlaneComponentSet
The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for each individual component.
Field | Description | Validation Rule |
---|---|---|
apiServer | – | – |
iamServer | – | – |
webUI | – | – |
frontEnvoy | – | – |
oap | – | – |
collector | tetrateio.api.install.managementplane.v1alpha1.OpenTelemetryCollector | – |
xcp | – | – |
mpc | – | – |
defaultLogLevel | string | – |
ngac | – | – |
internalCertProvider | tetrateio.api.install.common.InternalCertProvider | – |
defaultKubeSpec | tetrateio.api.install.kubernetes.KubernetesSpec | – |
gitops | tetrateio.api.install.common.GitOps | – |
ManagementPlaneSpec
ManagementPlaneSpec defines the desired installed state of TSB management plane components. Specifying a minimal ManagementPlaneSpec with hub set results in a demo installation.
Field | Description | Validation Rule |
---|---|---|
hub | string | string = { |
imagePullSecrets | List of tetrateio.api.install.kubernetes.LocalObjectReference List of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#service_account-v1-core | – |
organization | string | string = { |
components | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneComponentSet | – |
dataStore | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.DataStore | – |
telemetryStore | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TelemetryStore | – |
identityProvider | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider | – |
tokenIssuer | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TokenIssuer | – |
meshObservability | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.MeshObservability | – |
certIssuer | tetrateio.api.install.managementplane.v1alpha1.CertIssuer | – |
enableWasmDownloadProxy | bool | – |
DataStore
Configure the data store that TSB persists its data to. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and, for your convenience, install a demo-grade data store. Select one of the DataStore settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
postgres | tetrateio.api.install.managementplane.v1alpha1.PostgresSettings oneof _data_store | – |
IdentityProvider
Configure the Identity Provider that TSB will use as the source of users. This identity provider is used for user authentication and to periodically synchronize the information of existing users and groups into the platform. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and, for your convenience, install a demo identity provider. Select one of the IdentityProvider settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
oidc | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings oneof _identity_provider | – |
ldap | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings oneof _identity_provider | – |