Control Plane Installation
This chart installs the TSB control plane operator to onboard a cluster. Similar to Management Plane Helm chart, it also allows you to install TSB control plane components using TSB
ControlPlane CR and all the required secrets to make it fully run.
Before you start, make sure that you've:
✓ Checked the Helm installation process
✓ Installed TSB management plane
✓ Login to the management plane with tctl
✓ Installed yq. This will be used to help getting helm values from creating cluster response.
TSB 1.6 introduces isolation boundaries that allows you to have multiple TSB-managed Istio environments within a Kubernetes cluster, or spanning several clusters. One of the benefits of isolation boundaries is that you can perform canary upgrades of the control plane.
To enable isolation boundaries, you must update operator deployment with environment variable
ISTIO_ISOLATION_BOUNDARIES=true and control plane CR to include
For more information, see Isolation Boundaries.
Before you begin, you will need to create a cluster object in TSB to represent the cluster where you will be installing the TSB control plane. Replace
<organization-name> with the appropriate values for your environment:
displayName: "App Cluster"
To create the cluster object, run the following command:
tctl apply -f cluster.yaml -o yaml | yq .spec.installTemplate.helm > cluster-cp-values.yaml
The file, cluster-cp-values.yaml, comprises the default configuration for the TSB control plane operator, including any necessary secrets for authentication with the TSB management plane. To customize your installation, you may modify this file by adding any extra configuration values you need for the TSB control plane prior to proceeding to the subsequent step.
Use the following helm install command to install TSB control plane. Make sure to replace
<registry-location> with the correct values.
helm install cp tetrate-tsb-helm/controlplane \
--version <tsb-version> \
--namespace istio-system --create-namespace \
--timeout 5m \
--values cluster-cp-values.yaml \
Wait for the TSB control plane components to be deployed successfully. To verify that the installation was successful, you can try logging in to the TSB UI or connecting to TSB using tctl and checking the list of clusters to see if the cluster has been onboarded.
If you encounter any issues during the installation process, here are a few tips for troubleshooting:
- Make sure that you have followed all of the steps in the correct order.
- Double-check the configuration values in the
cluster-cp-values.yamlfile to ensure that they are correct.
- Check the logs of the TSB control plane operator to see if there are any error messages or stack traces that can help diagnose the problem.
- If you are using a private registry to host the TSB control plane operator image, make sure that you have authenticated with the registry and that the
image.registryvalue is correct.
- Check the cluster onboarding troubleshooting guide.
This is a required field. Set
registry to your private registry where you have synced TSB images into and
tag to TSB version that you want to deploy. Specifying only this field will install TSB control plane operator without installing other TSB components.
|Registry used to download the operator image
|The tag of the operator image
|same as the Chart version
Control Plane resource configuration
This is an optional field. You can set TSB
in Helm values file to make the TSB control plane fully run.
spec section of the
This is an optional field. You can apply secrets into your cluster before installing TSB control plane or you can use Helm values to specify required secrets. Note that you can use different Helm values file if you want to separate secrets from control plane spec.
Keep in mind that these options just help with creating secrets, and they must respect the configuration provided
in the TSB
ManagementPlane CR, otherwise the installation will end up misconfigured.
|Enabling this makes the generated secrets persist in the cluster after uninstalling the chart if they are no provided in future updates. (see Helm doc)
|CA certificate used to verify TLS certs exposed the Management Plane (front envoy)
|The username to access Elasticsearch
|The password to access Elasticsearch
|Elasticsearch CA cert TLS used by control plane to verify TLS connection
|JWT token used to authenticate OAP against the Management Plane
|JWT token used to authenticate Otel Collector against the Management Plane
|TSB FQN of the onboarded cluster resource. This will be generate tokens for all Control Plane agents.
|Literal JWK used to generate and sign the tokens for all the Control Plane agents.
|Base64-encoded JWK used to generate and sign the tokens for all the Control Plane agents.
XCP secrets configuration
XCP uses JWTs to authenticate against between Edges and Central.
If the XCP root CA (
secrets.xcp.rootca) is provided it will be used to verify the TLS certs provided by
secrets.clusterServiceAccount will be required to authenticate against XCP Central.
The following are the configuration properties allowed to be used to configure XCP authentication mode:
|CA certificate of XCP components
|JWT token used to authenticate XCP Edge against the XCP Central
Operator extended configuration
This is an optional field. You can customize TSB operator related resources like the deployment, the service or the service account using the following optional properties:
|Affinity configuration for the pod
|Custom collection of annotations to add to the deployment
|Custom collection of environment vars to add to the container
|Custom collection of annotations to add to the pod
|Number of replicas managed by the deployment
|Deployment strategy to use
|Toleration collection applying to the pod scheduling
|SecurityContext properties to apply to the pod
|SecurityContext properties to apply to the pod's containers
|Custom collection of annotations to add to the service
|Custom collection of annotations to add to the service account
|Collection of secrets names required to be able to pull images from the registry
|A JSON encoded Docker configuration that will be stored as an image pull secret