Common Configuration Objects

Common configuration objects shared by the different install APIs.

CertManagerSettings

CertManagerSettings represents the settings used for the cert-manager installation. TSB supports installing and managing the lifecycle of the cert-manager installation.

Field	Description	Validation Rule
managed	tetrateio.api.install.common.CertManagerSettings.Managed Managed specifies whether TSB should manage the lifecycle of cert-manager.	–
certManagerSpec	tetrateio.api.install.common.CertManagerSettings.CertManagerSpec Configure kubernetes specific settings for cert-manager.	–
certManagerWebhookSpec	tetrateio.api.install.common.CertManagerSettings.CertManagerWebhookSpec Configure kubernetes specific settings for cert-manager-webhook.	–
certManagerCaInjector	tetrateio.api.install.common.CertManagerSettings.CertManagerCAInjector Configure kubernetes specific settings for cert-manager-cainjector.	–
certManagerStartupapicheck	tetrateio.api.install.common.CertManagerSettings.CertManagerStartupAPICheck Configure kubernetes specific settings for cert-manager-startupapicheck. DEPRECATED. Startup API Check is disabled.	–

CertManagerCAInjector

CertManagerCAInjector represents the settings used for cert-manager CAInjector installation in the clusters.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure kubernetes specific settings for cert-manager-cainjector.	–

CertManagerSpec

CertManagerSpec represents the settings used for cert-manager controller installation in the clusters.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure kubernetes specific settings for cert-manager.	–

CertManagerStartupAPICheck

CertManagerStartupAPICheck represents the settings used for cert-manager startup API check job installation in the clusters. DEPRECATED. StartupAPICheck is disabled.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesJobComponentSpec Configure kubernetes specific settings for cert-manager-startupapicheck.	–

CertManagerWebhookSpec

CertManagerWebhookSpec represents the settings used for cert-manager Webhook installation in the clusters.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure kubernetes specific settings for cert-manager-webhook.	–

ConfigProtection

ConfigProtection contains settings for enabling/disabling config protection over XCP created resources. Config protections are disabled by default. Example:

configProtection:
  enableAuthorizedUpdateDeleteOnXcpConfigs: true
  enableAuthorizedCreateUpdateDeleteOnXcpConfigs: true
  authorizedUsers:
    - user1
    - system:serviceaccount:ns1:serviceaccount-1

Field	Description	Validation Rule
enableAuthorizedUpdateDeleteOnXcpConfigs	bool When enabled, no other user or svc account except AuthorizedUsers would be allowed to delete or update the XCP/Istio API resources created by XCP.	–
enableAuthorizedCreateUpdateDeleteOnXcpConfigs	bool When enabled, no other user or svc account except AuthorizedUsers would be allowed to create, delete or update the XCP/Istio API resources. This acts as a superset of the enableAuthorizedUpdateDeleteOnXcpConfigs.	–
authorizedUsers	List of string List of usernames of authorized users or svc accounts to create/update/delete XCP configs when config protection is enabled.	–

CustomCertProviderSettings

CustomCertProviderSettings represents the settings used for the custom certificate provider. Users can configure the CSR signer required for certificate signing and point to the CA bundle to be used to validate the certificates.

Field	Description	Validation Rule
csrSignerName	string REQUIRED Name of Kubernetes CSR signer to be used to sign the CSR request by different TSB components for internal purposes.	string = {   min_len: 1 }
caBundleSecretName	string REQUIRED Configure the CABundleSecretName to be used to verify the signed CSR request by different TSB components. If not specified, TSB would use the secret with the name ca-bundle-management-plane in the management plane namespace or ca-bundle-control-plane in the control plane namespace. The secret should contain the file ca.crt with the cert data.	string = {   min_len: 1 }

GitOps

The GitOps component configures the features that allow integrating the Management Plane and/or the Control Plane cluster with Continuous Deployment pipelines.

Field	Description	Validation Rule
enabled	bool The GitOps component is in beta and disabled by default. If Management and Control Planes are installed in the same cluster, Continuous Deployment Integration should only be enabled in one of both planes. However, if the GitOps component is enabled in both planes, only the Control Plane GitOps component will remain enabled. The Management Plane GitOps component will not be enabled, even though it is explicitly enabled.	–
reconcileInterval	google.protobuf.Duration Periodical interval at which the objects will be reconciled after they are successfully synchronized (created, updated, deleted) with the Management Plane. This parameter does not affect retry on unsuccessful operation which are retried with exponential backoff strategy (staring with 3s and max delay 120s). Format: 1h/1m/1s/1ms. A value of 0 disables per-object reconciliation and uses the operator's global interval of 10h. Default: 10m.	–
batchWindow	google.protobuf.Duration When configured, all admission requests will be paused for the configured duration. Once the window interval is closed, all paused admission requests will be sent together to the Management Plane as a single request. Batching of requests is disabled by default and should be enabled only if there is high concurrency and ordering of resources could be an issue. By configuring a batch window the concurrency and ordering issues may be mitigated, although it will introduce a constant latency to all requests of the configured time window. When enabled, it is recommended to use a small value, for example 1 second.	–
managementplaneRequestTimeout	google.protobuf.Duration The GitOps component performs operations against the management plane through the k8s webhook. This allows configuring the duration of each operation in order to fail early if it takes too much. This value cannot be lower than webhook_timeout due to the request being tied to the ones received by the k8s webhook. Format: 1h/1m/1s/1m. Any value <= 0 will be reset to the default value. Default: 25s.	–
reconcileRequestTimeout	google.protobuf.Duration The GitOps component performs operations against the management plane internal reconcile loop. This allows configuring the duration of each operation to fail early if it takes too long. Format: 1h/1m/1s/1m. Any value <= 0 will be reset to the default value. Default: 2m.	–
webhookTimeout	google.protobuf.Duration Timeout that will be set in the k8s gitops webhook resource. Format: 1h/1m/1s/1m. Default: 30s. Allowed values must be between 0s and 30s.	–
pushMode	tetrateio.api.install.common.GitOps.PushMode Push mode determines how the GitOps component creates resources in the Management Plane. In SYNC mode, TSB K8s resources are validated and pushed to the Management Plane synchronously. This means that if a TSB K8s resource is not accepted by the Management Plane, it will not be stored as a resource in the K8s API. SYNC mode can be useful in scenarios where eventual consistency of resources between K8s and Management Plane could cause problems such as in CI pipelines and testing. SYNC is the default mode. In ASYNC mode, TSB K8s resources are pushed to the Management Plane asynchronously. This means that resource creation does not block the process. ASYNC mode is useful in most cases as it does not require the user to manage dependencies between TSB K8s resources. The system will reconcile in the background to achieve the desired state of objects in the Management Plane and will update the Status subresource to report progress of reconciliation.	–

InternalCertProvider

InternalCertProvider describes the certificate provider configuration for TSB internal purposes like kubernetes webhook certificate. TSB supports cert-manager out of the box.

Field	Description	Validation Rule
certManager	tetrateio.api.install.common.CertManagerSettings oneof _internal_cert_provider Use cert-manager as the internal certificate provider	–
custom	tetrateio.api.install.common.CustomCertProviderSettings oneof _internal_cert_provider Use a custom certificate provider that accepts Kubernetes CSR	–

MeshObservabilitySettings

Configure mesh observability. The following examples enable the analysis and generation of RED metrics for each endpoint of your registered services.

Notice that both, ManagementPlane and ControlPlane, need to be aligned with this configuration.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  meshObservability:
    settings:
      apiEndpointMetricsEnabled: true

apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
  name: controlplane
  namespace: istio-system
spec:
  meshObservability:
    settings:
      apiEndpointMetricsEnabled: true

Field	Description	Validation Rule
apiEndpointMetricsEnabled	bool Toggle to process, analyze, and generate api endpoints RED metrics. By default false which means disabled. If you want to analyze all your request and generate RED metrics for each endpoint of your registered services in the mesh, set it to true.	–

Managed

If INTERNAL, TSB will install and manage cert-manager. In case a pre-existing installation is found, the operator will not install cert-manager and fail. If EXTERNAL, TSB would rely on a pre installed cert-manager for use. Pre installed cert-manager should support signing requests raised through Kubernetes CSR

Field	Number	Description
AUTO	0	TSB will check if a pre-existing cert-manager installation is found in the cluster and only install and manage cert-manager if it is not found. The pre-installed cert-manager should support signing requests raised through Kubernetes CSR
EXTERNAL	1	EXTERNAL represents that TSB will rely on a pre installed cert-manager for use. Pre installed cert-manager should support signing requests raised through Kubernetes CSR
INTERNAL	2	INTERNAL represents that TSB will install and manage cert-manager in the cluster. In case a pre-existing installation is found, the operator will not install cert-manager and fail.

PushMode

Push mode for GitOps component. Default: SYNC.

Field	Number	Description
SYNC	0	In SYNC mode TSB K8s resources are validated and pushed to Management Plane synchronously, blocking on resource creation until the resource is created successfully in the Management Plane. This is the default mode.
ASYNC	1	In ASYNC mode TSB K8s resources are pushed to Management Plane asynchronously, without blocking on resource creation. To know if the resource was created successfully, check its K8s status.