Skip to main content
logoTetrate Service BridgeVersion: 1.9.x

Common Configuration Objects

Common configuration objects shared by the different install APIs.

CertManagerSettings

CertManagerSettings represents the settings used for the cert-manager installation. TSB supports installing and managing the lifecycle of the cert-manager installation.

FieldDescriptionValidation Rule

managed

tetrateio.api.install.common.CertManagerSettings.Managed
Managed specifies whether TSB should manage the lifecycle of cert-manager.

certManagerSpec

tetrateio.api.install.common.CertManagerSettings.CertManagerSpec
Configure kubernetes specific settings for cert-manager.

certManagerWebhookSpec

tetrateio.api.install.common.CertManagerSettings.CertManagerWebhookSpec
Configure kubernetes specific settings for cert-manager-webhook.

certManagerCaInjector

tetrateio.api.install.common.CertManagerSettings.CertManagerCAInjector
Configure kubernetes specific settings for cert-manager-cainjector.

certManagerStartupapicheck

tetrateio.api.install.common.CertManagerSettings.CertManagerStartupAPICheck
Configure kubernetes specific settings for cert-manager-startupapicheck. DEPRECATED. Startup API Check is disabled.

CertManagerCAInjector

CertManagerCAInjector represents the settings used for cert-manager CAInjector installation in the clusters.

FieldDescriptionValidation Rule

kubeSpec

tetrateio.api.install.kubernetes.KubernetesComponentSpec
Configure kubernetes specific settings for cert-manager-cainjector.

CertManagerSpec

CertManagerSpec represents the settings used for cert-manager controller installation in the clusters.

FieldDescriptionValidation Rule

kubeSpec

tetrateio.api.install.kubernetes.KubernetesComponentSpec
Configure kubernetes specific settings for cert-manager.

CertManagerStartupAPICheck

CertManagerStartupAPICheck represents the settings used for cert-manager startup API check job installation in the clusters. DEPRECATED. StartupAPICheck is disabled.

FieldDescriptionValidation Rule

kubeSpec

tetrateio.api.install.kubernetes.KubernetesJobComponentSpec
Configure kubernetes specific settings for cert-manager-startupapicheck.

CertManagerWebhookSpec

CertManagerWebhookSpec represents the settings used for cert-manager Webhook installation in the clusters.

FieldDescriptionValidation Rule

kubeSpec

tetrateio.api.install.kubernetes.KubernetesComponentSpec
Configure kubernetes specific settings for cert-manager-webhook.

ConfigProtection

ConfigProtection contains settings for enabling/disabling config protection over XCP created resources. Config protections are disabled by default. Example:

configProtection:
enableAuthorizedUpdateDeleteOnXcpConfigs: true
enableAuthorizedCreateUpdateDeleteOnXcpConfigs: true
authorizedUsers:
- user1
- system:serviceaccount:ns1:serviceaccount-1
FieldDescriptionValidation Rule

enableAuthorizedUpdateDeleteOnXcpConfigs

bool
When enabled, no other user or svc account except AuthorizedUsers would be allowed to delete or update the XCP/Istio API resources created by XCP.

enableAuthorizedCreateUpdateDeleteOnXcpConfigs

bool
When enabled, no other user or svc account except AuthorizedUsers would be allowed to create, delete or update the XCP/Istio API resources. This acts as a superset of the enableAuthorizedUpdateDeleteOnXcpConfigs.

authorizedUsers

List of string
List of usernames of authorized users or svc accounts to create/update/delete XCP configs when config protection is enabled.

CustomCertProviderSettings

CustomCertProviderSettings represents the settings used for the custom certificate provider. Users can configure the CSR signer required for certificate signing and point to the CA bundle to be used to validate the certificates.

FieldDescriptionValidation Rule

csrSignerName

string
REQUIRED
Name of Kubernetes CSR signer to be used to sign the CSR request by different TSB components for internal purposes.

string = {
  min_len: 1
}

caBundleSecretName

string
REQUIRED
Configure the CABundleSecretName to be used to verify the signed CSR request by different TSB components. If not specified, TSB would use the secret with the name ca-bundle-management-plane in the management plane namespace or ca-bundle-control-plane in the control plane namespace. The secret should contain the file ca.crt with the cert data.

string = {
  min_len: 1
}

GitOps

The GitOps component configures the features that allow integrating the Management Plane and/or the Control Plane cluster with Continuous Deployment pipelines.

FieldDescriptionValidation Rule

enabled

bool
The GitOps component is in beta and disabled by default. If Management and Control Planes are installed in the same cluster, Continuous Deployment Integration should only be enabled in one of both planes. However, if the GitOps component is enabled in both planes, only the Control Plane GitOps component will remain enabled. The Management Plane GitOps component will not be enabled, even though it is explicitly enabled.

reconcileInterval

google.protobuf.Duration
Periodical interval at which the objects will be reconciled after they are successfully synchronized (created, updated, deleted) with the Management Plane. This parameter does not affect retry on unsuccessful operation which are retried with exponential backoff strategy (staring with 3s and max delay 120s). Format: 1h/1m/1s/1ms. A value of 0 disables per-object reconciliation and uses the operator's global interval of 10h. Default: 10m.

batchWindow

google.protobuf.Duration
When configured, all admission requests will be paused for the configured duration. Once the window interval is closed, all paused admission requests will be sent together to the Management Plane as a single request. Batching of requests is disabled by default and should be enabled only if there is high concurrency and ordering of resources could be an issue. By configuring a batch window the concurrency and ordering issues may be mitigated, although it will introduce a constant latency to all requests of the configured time window. When enabled, it is recommended to use a small value, for example 1 second.

managementplaneRequestTimeout

google.protobuf.Duration
The GitOps component performs operations against the management plane through the k8s webhook. This allows configuring the duration of each operation in order to fail early if it takes too much. This value cannot be lower than webhook_timeout due to the request being tied to the ones received by the k8s webhook. Format: 1h/1m/1s/1m. Any value <= 0 will be reset to the default value. Default: 25s.

reconcileRequestTimeout

google.protobuf.Duration
The GitOps component performs operations against the management plane internal reconcile loop. This allows configuring the duration of each operation to fail early if it takes too long. Format: 1h/1m/1s/1m. Any value <= 0 will be reset to the default value. Default: 2m.

webhookTimeout

google.protobuf.Duration
Timeout that will be set in the k8s gitops webhook resource. Format: 1h/1m/1s/1m. Default: 30s. Allowed values must be between 0s and 30s.

pushMode

tetrateio.api.install.common.GitOps.PushMode
Push mode determines how the GitOps component creates resources in the Management Plane.

In SYNC mode, TSB K8s resources are validated and pushed to the Management Plane synchronously. This means that if a TSB K8s resource is not accepted by the Management Plane, it will not be stored as a resource in the K8s API. SYNC mode can be useful in scenarios where eventual consistency of resources between K8s and Management Plane could cause problems such as in CI pipelines and testing. SYNC is the default mode.

In ASYNC mode, TSB K8s resources are pushed to the Management Plane asynchronously. This means that resource creation does not block the process. ASYNC mode is useful in most cases as it does not require the user to manage dependencies between TSB K8s resources. The system will reconcile in the background to achieve the desired state of objects in the Management Plane and will update the Status subresource to report progress of reconciliation.

InternalCertProvider

InternalCertProvider describes the certificate provider configuration for TSB internal purposes like kubernetes webhook certificate. TSB supports cert-manager out of the box.

FieldDescriptionValidation Rule

certManager

tetrateio.api.install.common.CertManagerSettings oneof _internal_cert_provider
Use cert-manager as the internal certificate provider

custom

tetrateio.api.install.common.CustomCertProviderSettings oneof _internal_cert_provider
Use a custom certificate provider that accepts Kubernetes CSR

MeshObservabilitySettings

Configure mesh observability. The following examples enable the analysis and generation of RED metrics for each endpoint of your registered services.

Notice that both, ManagementPlane and ControlPlane, need to be aligned with this configuration.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
meshObservability:
settings:
apiEndpointMetricsEnabled: true
apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
name: controlplane
namespace: istio-system
spec:
meshObservability:
settings:
apiEndpointMetricsEnabled: true
FieldDescriptionValidation Rule

apiEndpointMetricsEnabled

bool
Toggle to process, analyze, and generate api endpoints RED metrics. By default false which means disabled. If you want to analyze all your request and generate RED metrics for each endpoint of your registered services in the mesh, set it to true.

Managed

If INTERNAL, TSB will install and manage cert-manager. In case a pre-existing installation is found, the operator will not install cert-manager and fail. If EXTERNAL, TSB would rely on a pre installed cert-manager for use. Pre installed cert-manager should support signing requests raised through Kubernetes CSR

FieldNumberDescription

AUTO

0

TSB will check if a pre-existing cert-manager installation is found in the cluster and only install and manage cert-manager if it is not found. The pre-installed cert-manager should support signing requests raised through Kubernetes CSR

EXTERNAL

1

EXTERNAL represents that TSB will rely on a pre installed cert-manager for use. Pre installed cert-manager should support signing requests raised through Kubernetes CSR

INTERNAL

2

INTERNAL represents that TSB will install and manage cert-manager in the cluster. In case a pre-existing installation is found, the operator will not install cert-manager and fail.

PushMode

Push mode for GitOps component. Default: SYNC.

FieldNumberDescription

SYNC

0

In SYNC mode TSB K8s resources are validated and pushed to Management Plane synchronously, blocking on resource creation until the resource is created successfully in the Management Plane. This is the default mode.

ASYNC

1

In ASYNC mode TSB K8s resources are pushed to Management Plane asynchronously, without blocking on resource creation. To know if the resource was created successfully, check its K8s status.