Management Plane
ManagementPlane resource exposes a set of configurations necessary to automatically install the Service Bridge management plane on a cluster. The installation API is an override API so any unset fields that are not required will use sensible defaults.
Prior to creating the ManagementPlane resource, verify that the following secrets exist in the namespace the management plane will be installed into:
- tsb-certs
- ldap-credentials
- custom-host-ca (if you are using TLS connection and need a custom CA to connect to LDAP host)
- postgres-credentials (non-demo deployments)
- admin-credentials
- es-certs (if your Elasticsearch is using a self-signed certificate)
- elastic-credentials (if your Elasticsearch backend requires authentication)
A resource containing only the container registry hub will install a demo of Service Bridge, create a default
Organization and install local instances of external dependencies, such as Postgres, Elasticsearch, and LDAP server.
Please note that these local instances are for demonstrative purposes only and should not be used in production.
Production setups should point to a user managed Postgres and Elasticsearch as well as the enterprise LDAP server.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
organization: tetrate
To move from the demo installation to production readiness, configure the top level settings that enable TSB to connect to external dependencies. When one of these settings stanzas are added the operator will delete the relevant demo component and configure the management plane to talk to the dependencies described.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
imagePullSecrets:
- name: my-registry-creds
organization: tetrate
dataStore:
postgres:
address: postgres:1234
telemetryStore:
elastic:
host: elastic
port: 5678
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
tokenIssuer:
jwt:
expiration: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
Top level settings deal with higher level concepts like persistence, but some configuration can also be overridden per component. For example, to configure the team synchronization schedule in the API server, set the schedule field in the apiServer component
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
organization: tetrate
components:
apiServer:
teamSyncSchedule: 17 * * * *
dataStore:
postgres:
address: postgres:1234
telemetryStore:
elastic:
host: elastic
port: 5678
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
tokenIssuer:
jwt:
expiration: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
To configure infrastructure specific settings such as resource limits on the deployment in Kubernetes, set the relevant field in a component. Remember that the installation API is an override API so if these fields are unset the operator will use sensible defaults. Only a subset of Kubernetes configuration is available and only for individual components.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
organization: tetrate
components:
collector:
kubeSpec:
deployment:
resources:
limits:
memory: 750Mi
requests:
memory: 500Mi
dataStore:
postgres:
address: postgres:1234
telemetryStore:
elastic:
host: elastic
port: 5678
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
tokenIssuer:
jwt:
expiration: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
ManagementPlaneComponentSet
The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for each individual component.
Field | Description | Validation Rule |
---|---|---|
apiServer | – | |
iamServer | – | |
webUI | – | |
frontEnvoy | – | |
oap | – | |
collector | tetrateio.api.install.managementplane.v1alpha1.OpenTelemetryCollector | – |
xcp | – | |
mpc | – | |
defaultLogLevel | string | – |
ngac | – | |
internalCertProvider | tetrateio.api.install.common.InternalCertProvider | – |
defaultKubeSpec | tetrateio.api.install.kubernetes.KubernetesSpec | – |
gitops | tetrateio.api.install.common.GitOps | – |
kubegres | tetrateio.api.install.managementplane.v1alpha1.Kubegres | – |
n2ac | tetrateio.api.install.managementplane.v1alpha1.N2AC | – |
eck | tetrateio.api.install.managementplane.v1alpha1.ECK | – |
ManagementPlaneHighAvailabilitySettings
High Availability settings of the TSB management plane.
Field | Description | Validation Rule |
---|---|---|
partition | string | string = { |
partitions | List of tetrateio.api.install.managementplane.v1alpha1.Partition When specified, current TSB management plane installation will be able to connect to remote ones to exchange operational state and will be able to authenticate components of remote management planes once they connect to the current installation. | – |
ManagementPlaneSpec
ManagementPlaneSpec defines the desired installed state of TSB management plane components. Specifying a minimal ManagementPlaneSpec with hub set results in a demo installation.
Field | Description | Validation Rule |
---|---|---|
hub | string | string = { |
imagePullSecrets | List of tetrateio.api.install.kubernetes.LocalObjectReference List of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#service_account-v1-core | – |
organization | string | string = { |
components | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneComponentSet | – |
dataStore | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.DataStore | – |
telemetryStore | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TelemetryStore | – |
identityProvider | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider | – |
tokenIssuer | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TokenIssuer | – |
meshObservability | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.MeshObservability | – |
certIssuer | tetrateio.api.install.managementplane.v1alpha1.CertIssuer | – |
enableWasmDownloadProxy | bool | – |
providerSettings | tetrateio.api.install.managementplane.v1alpha1.ProviderSettings | – |
highAvailability | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneHighAvailabilitySettings | – |
DataStore
Configure the data store for TSB to persist its data to.
This is a mandatory setting for production. If omitted, the operator will assume
a demo installation and for your convenience install an embedded postgres as the data store.
Select one of the DataStore
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
postgres | tetrateio.api.install.managementplane.v1alpha1.PostgresSettings oneof _data_store | – |
embeddedPostgres | tetrateio.api.install.managementplane.v1alpha1.EmbeddedPostgresSettings oneof _data_store | – |
cleanupCronSchedule | string | – |
auditLogsCleanupRetention | google.protobuf.Duration | – |
IdentityProvider
Configure the Identity Provider TSB will use as the source of users.
This identity provider is used for user authentication and to periodically synchronize the
information of existing users and groups into the platform.
If omitted, TSB will rely on a local identity provider based on local secrets.
Select one of the IdentityProvider
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
oidc | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings oneof _identity_provider | – |
ldap | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings oneof _identity_provider | – |
local | tetrateio.api.install.managementplane.v1alpha1.LocalSettings oneof _identity_provider | – |
sync | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider.OrgSyncSettings | – |
OrgSyncSettings
Field | Description | Validation Rule |
---|---|---|
azure | tetrateio.api.install.managementplane.v1alpha1.AzureSyncSettings oneof _provider | – |
ignoreOrphanUsers | bool | – |
MeshObservability
Configure how the mesh should be observed, which observability functionalities should be
enabled to observe your registered services in the mesh, and the store properties
that TSB will use to persist application observability data like metrics, traces,
logs.
If omitted, the operator will assume
a demo installation and for your convenience install a demo grade mesh observability
setting.
Check MeshObservabilitySettings
to see complete examples.
Field | Description | Validation Rule |
---|---|---|
settings | tetrateio.api.install.common.MeshObservabilitySettings oneof _mesh_observability | – |
TelemetryStore
Configure the store that TSB will use to persist application telemetry data
This is a mandatory setting for production. If omitted, the operator will assume
a demo installation and for your convenience install an embedded ElasticSearch
as the telemetry store.
Select one of the TelemetryStore
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
elastic | tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings oneof _telemetry_store | – |
embeddedElastic | tetrateio.api.install.managementplane.v1alpha1.EmbeddedElasticSearchSettings oneof _telemetry_store | – |
TokenIssuer
Configure the Token Issuer TSB will use to mint tokens upon initial authentication with the
identity provider. This token is used to authenticate any subsequent internal requests in TSB.
This is a mandatory setting for production. If omitted, the operator will use an insecure default.
Select one of the TokenIssuer
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
jwt | tetrateio.api.install.managementplane.v1alpha1.JWTSettings oneof _token_issuer | – |
Partition
Partition describes a single installation of TSB management plane.
Field | Description | Validation Rule |
---|---|---|
name | string | string = { |
endpoint | tetrateio.api.install.managementplane.v1alpha1.Partition.Endpoint | – |
authentication | tetrateio.api.install.managementplane.v1alpha1.Partition.Authentication When specified, current TSB management plane installation will be able to verify JWT tokens issued by the remote TSB management plane installation, which will make possible connections from the remote partition to the current one. E.g., connections from the XCP Central component of the remote partition, or connections from XCP Edges that were initially onboarded into the remote partition but now are falling over to the current partition. Effectively, this is configuration of federated identity. Every partition of the Management Plane is assumed to have an independent configuration, including JWT Token Issuer. To support connectivity from one partition to another and eventually failover of XCP Edges from one partition to another, a partition needs to be able to accept JWT tokens issued by another partition. Authentication configuration instructs current partition to accept JWT tokens issued by the other partition, in other words, federated identity. | – |
Authentication
Authentication describes authentication settings of the TSB management plane installation.
Field | Description | Validation Rule |
---|---|---|
jwt | List of tetrateio.api.install.managementplane.v1alpha1.Partition.Authentication.Jwt | – |
Jwt
Jwt configures Central to allow connections from edges using JWTs for authentication.
Field | Description | Validation Rule |
---|---|---|
issuer | string | string = { |
jwksSecretName | string This secret can be copied "as is" from the The JWKS document must be provided under key "jwks". The JWKS document might include multiple signing keys. For example:apiVersion: v1 kind: Secret metadata: name: tsb-iam-jwks-us-east namespace: tsb type: Opaque data: jwks: base64({ JWKS }) | string = { |
Endpoint
Endpoint describes an endpoint at which an TSB management plane installation is accessible.
Field | Description | Validation Rule |
---|---|---|
host | string | string = { |
port | int32 | int32 = { |
caSecretName | string CA certificates must be provided under key "ca.crt". If not set, TLS certificate of the management plane will be validated against well-known 3rd party CAs installed system-wide on the client side. For example:
| – |
sni | string If not set, defaults to the host address. When set to a non-empty string, TLS client will validate certificate presented by the server against this SNI value rather than host address. So the TLS certificate configured for TSB management plane endpoint must use this value for the common name (CN) or include it in the subject alternative names (SANs). This should not normally need to be set as using central hostname will result in correct routing and be included in the TLS certificate. This is primarily intended for test or demo environments where it is difficult to create DNS names and an IP address is used for central instead. | – |
AWSController
Kubernetes settings for the AWS Integration Controller component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
ApiServer
Application and Kubernetes settings for the API server component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesJobComponentSpec | – |
teamSyncSchedule | string | – |
logLevels | map<string, string> | – |
ECK
Kubernetes-specific settings for deploying Elasticsearch clusters using the Elastic Cloud on Kubernetes (ECK) operator. It includes configurations for the ECK operator itself and specific settings for Elasticsearch master and data nodes. The configuration options allow customization of memory-mapping usage and kernel settings to optimize Elasticsearch performance and compatibility within different Kubernetes environments.
By default, mmapConfiguration
is set to DISABLED
because in most environment you can not control the ability
to change kernel settings.
However, if you are in an environment where you can control the ability to change kernel settings,
you can manually set vm.max_map_count
kernel parameter to at least 262144
and set mmapConfiguration
to CLUSTERS_DEFAULT
.
If you don't want to set this property manually in each node of your cluster and you can run privileged containers,
you can set mmapConfiguration
to PRIVILEGED
. This will allow the ECK operator to set the vm.max_map_count
kernel setting to at least 262144.
Field | Description | Validation Rule |
---|---|---|
operator | tetrateio.api.install.managementplane.v1alpha1.ECK.Operator | – |
master | tetrateio.api.install.managementplane.v1alpha1.ECK.Master | – |
data | tetrateio.api.install.managementplane.v1alpha1.ECK.Data | – |
mmapConfiguration | tetrateio.api.install.managementplane.v1alpha1.ECK.MmapConfigurationMode | – |
Data
Kubernetes settings for the ElasticSearch data node.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
Master
Kubernetes settings for the ElasticSearch master node.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
Operator
Kubernetes settings for the ElasticSearch operator.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
FrontEnvoy
Application and Kubernetes settings for the FrontEnvoy component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
authenticationTimeout | google.protobuf.Duration | – |
port | int32 | – |
TLSMinimumProtocolVersion | tetrateio.api.install.managementplane.v1alpha1.TLSProtocol | – |
cipherSuites | List of string | – |
ecdhCurves | List of string | – |
logLevels | map<string, string> | – |
IamServer
Kubernetes settings for the IAM server component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
Kubegres
Kubernetes settings for the Kubegres operator component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
MPC
Kubernetes settings for the MPC component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
N2AC
Kubernetes settings for the N2AC component.
Field | Description | Validation Rule |
---|---|---|
controller | tetrateio.api.install.managementplane.v1alpha1.N2AC.Component | – |
server | tetrateio.api.install.managementplane.v1alpha1.N2AC.Component | – |
enabled | bool | – |
Component
Common kubernetes settings for the different NGAC components.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
NGAC
Kubernetes settings for the NGAC component.
Field | Description | Validation Rule |
---|---|---|
enabled | bool | – |
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
Oap
Kubernetes settings for the OAP (SkyWalking) component.
Field | Description | Validation Rule |
---|---|---|
retentionPeriodDays | int32 | – |
streamingLogEnabled | bool | – |
onDemandEnvoyMetricsEnabled | bool | – |
storageIndexMergingEnabled | bool | – |
storageSpecificIndexSettings | List of tetrateio.api.install.managementplane.v1alpha1.Oap.StorageIndexSetting | – |
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevel | string | – |
StorageIndexSetting
Configure the number of shards and replicas a concrete index template should have.
Field | Description | Validation Rule |
---|---|---|
indexName | string | string = { |
numberOfShards | int32 | int32 = { |
numberOfReplicas | int32 | int32 = { |
OpenTelemetryCollector
Kubernetes settings for the OpenTelemetry Collector component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevel | string | – |
WebUI
Kubernetes settings for the WebUI component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
XCP
Application and Kubernetes settings for the XCP component.
Field | Description | Validation Rule |
---|---|---|
centralAuthModes | tetrateio.api.install.managementplane.v1alpha1.XCP.CentralAuthModes | – |
configProtection | tetrateio.api.install.common.ConfigProtection | – |
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
CentralAuthModes
Authentication modes for connections to XCP Central (from XCP Edges or MPC). At least one mode must be enabled. Multiple modes can be enabled to facilitate migration from one mode to another.
Field | Description | Validation Rule |
---|---|---|
mutualTls | bool | – |
jwt | bool | – |
AWSSettings
Global settings to AWS.
Field | Description | Validation Rule |
---|---|---|
serviceAccountName | string | string = { |
LatticeSettings
Settings specific to Lattice. These settings enable the AWS Lattice Discovery Service integration feature. It takes care of discovering AWS Lattice services with tag "Tetrate:ExposeToMesh" set to "true", registering them into TSB and creating the TSB configs to make them accessible from the mesh.
Field | Description | Validation Rule |
---|---|---|
enabled | bool oneof __enabled | – |
regions | List of string | – |
tenant | string | – |
ProviderSettings
Configure Kubernetes provider specific settings.
Field | Description | Validation Rule |
---|---|---|
aws | tetrateio.api.install.managementplane.v1alpha1.AWSSettings | – |
lattice | tetrateio.api.install.managementplane.v1alpha1.LatticeSettings | – |
AzureSyncSettings
Azure configures how users and groups are synchronized from Azure Active Directory.
Field | Description | Validation Rule |
---|---|---|
clientId | string | string = { |
tenantId | string | string = { |
environment | string
| – |
usersFilter | string | – |
groupsFilter | string | – |
baseGroupName | string | – |
CertIssuer
Configures a built in issuer for TSB TLS certificates.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
certIssuer:
selfSigned: \{\}
tsbCerts: \{\}
clusterIntermediateCAs: \{\}
Field | Description | Validation Rule |
---|---|---|
selfSigned | tetrateio.api.install.managementplane.v1alpha1.CertIssuer.SelfSignedCertIssuer oneof _issuer | – |
tsbCerts | tetrateio.api.install.managementplane.v1alpha1.CertIssuer.TsbCertsSettings | – |
clusterIntermediateCAs | tetrateio.api.install.managementplane.v1alpha1.CertIssuer.ClusterIntermediateCASettings | – |
ClusterIntermediateCASettings
Options for configuring the issued intermediate CAs that Istio in the control plane will use for assigning TLS certificates to each workload
Options such as the expiration and renewal period can be added here in the future if needed.
SelfSignedCertIssuer
Options such as the expiration and renewal period of the self signed root CA can be added here in the future if needed.
TsbCertsSettings
Options for configuring the issued TSB TLS certs.
Options such as the expiration and renewal period can be added here in the future if needed.
ElasticSearchSettings
Configure an Elasticsearch connection.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
telemetryStore:
elastic:
host: elastic
port: 5678
protocol: https
selfSigned: true
version: 7
Field | Description | Validation Rule |
---|---|---|
host | string | string = { |
port | int32 | int32 = { |
protocol | tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings.Protocol | – |
selfSigned | bool | – |
version | int32 | int32 = { |
EmbeddedElasticSearchSettings
Configuration for the Embedded ElasticSearch
TSB allows to set up an ElasticSearch operator (ECK) to manage an embedded
ElasticSearch installation.
This installation will use the user and password stored in a secret named
elastic-credentials
that you must create before installing TSB.
This example setups the installation with a custom database size.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
telemetryStore:
embeddedElastic:
storageSize: 100Gi
storageClassName: standard-rwo
Field | Description | Validation Rule |
---|---|---|
indexPrefix | string | – |
storageSize | string | – |
storageClassName | string | – |
EmbeddedPostgresSettings
Configuration for the Embedded Postgres
TSB allows to set up a Postgres operator (Kubegres) to manage an embedded Postgres installation.
This installation will always create the tsb
user, and will always require a TLS connection.
The certificates used for this TLS configuration can be found in the tsb-postgres-certs
secrets
on the same ManagementPlane namespace.
This examples setups the installation with a custom backup schedule and custom database sizes.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
dataStore:
embeddedPostgres:
connectionLifetime: "8500s"
name: tsb
backupCronSchedule: "0 2 * * */1"
backupStorageSize: 10Gi
storageSize: 50Gi
Field | Description | Validation Rule |
---|---|---|
name | string | string = { |
connectionLifetime | string | – |
connectionIdleLifetime | string | – |
connectionMaxOpen | int32 | – |
connectionIdleMaxOpen | int32 | – |
storageSize | string | – |
storageClassName | string | – |
backupCronSchedule | string | – |
backupStorageSize | string | – |
backupStorageClassName | string | – |
replicas | int32 | – |
cleanupCronSchedule | string | – |
defaultCleanupRetention | google.protobuf.Duration | – |
backupCleanupRetention | google.protobuf.Duration | – |
auditLogsCleanupRetention | google.protobuf.Duration | – |
tlsCertDuration | google.protobuf.Duration | duration = { |
tlsCertRenewBefore | google.protobuf.Duration | duration = { |
tlsCaDuration | google.protobuf.Duration | duration = { |
tlsCaRenewBefore | google.protobuf.Duration | duration = { |
JWTSettings
Configure JWT based token issuance
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
tokenIssuer:
jwt:
expiration: 1h
refreshExpiration: 720h
tokenPruneInterval: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
audiences:
- tetrate
Field | Description | Validation Rule |
---|---|---|
issuers | List of tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer | – |
expiration | google.protobuf.Duration | – |
refreshExpiration | google.protobuf.Duration | – |
tokenPruneInterval | google.protobuf.Duration | – |
signingKeysSecret | string If unset will default to the "iam-signing-key" secret generated by the operator. | – |
Issuer
Field | Description | Validation Rule |
---|---|---|
name | string | – |
algorithm | tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer.Algorithm | – |
signingKey | string | – |
audiences | List of string | – |
LDAPSettings
Detail connection and query mappings for LDAP
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
timeout: 20s
recursive: true
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
Field | Description | Validation Rule |
---|---|---|
host | string | string = { |
port | int32 | int32 = { |
disableTLS | bool | – |
debug | bool | – |
search | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Search | – |
iam | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.IAM | – |
sync | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Sync | – |
IAM
Field | Description | Validation Rule |
---|---|---|
matchDN | string | string = { |
matchFilter | string Here are some example search patterns for common LDAP implementations:
| string = { |
Search
Field | Description | Validation Rule |
---|---|---|
baseDN | string | string = { |
recursive | bool | – |
timeout | google.protobuf.Duration | – |
pagesize | int32 | – |
Sync
Field | Description | Validation Rule |
---|---|---|
usersFilter | string | string = { |
groupsFilter | string | string = { |
membershipAttribute | string | string = { |
LocalSettings
Configure the identity provider to use local secrets.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
identityProvider:
local: \{\}
OIDCSettings
Identity provider configuration for OIDC
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
identityProvider:
oidc:
clientId: 50076fd0b8f911eb85290242ac130003
scopes: ['email', 'profile']
redirectUri: https://example.com/iam/v2/oidc/callback
providerConfig:
dynamic:
configurationUri: https://accounts.google.com/.well-known/openid-configuration
offlineAccessConfig:
deviceCodeAuth:
clientId: 981174759bab4dc49d0072294900eade
Field | Description | Validation Rule |
---|---|---|
clientId | string | string = { |
scopes | List of string | – |
redirectUri | string | string = { |
authorizationParams | map<string, string> | – |
maxExpirationSeconds | int32 | – |
providerConfig | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.ProviderSettings | message = { |
offlineAccessConfig | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessSettings | – |
DynamicSettings
Dynamically configures OIDC client settings using values from the OIDC provider's well-known OIDC configuration endpoint.
Field | Description | Validation Rule |
---|---|---|
configurationUri | string | string = { |
OfflineAccessOverrides
OIDC settings that can be used to override top-level settings for offline access.
Field | Description | Validation Rule |
---|---|---|
clientId | string | – |
scopes | List of string | – |
skipClientIdCheck | bool | – |
providerConfig | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.ProviderSettings | – |
OfflineAccessSettings
Optional OIDC settings specific to offline access. When specified these settings take precedence over top-level OIDC settings.
Field | Description | Validation Rule |
---|---|---|
deviceCodeAuth | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessOverrides | – |
tokenExchange | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessOverrides | – |
ProviderSettings
OIDC provider's configuration. Either dynamic or static configuration can be used. When dynamic configuration is set the TSB operator will configure OIDC settings discovered through the provider's configuration endpoint. If the provider doesn't have a configuration endpoint you can set the required OIDC settings using static values.
Field | Description | Validation Rule |
---|---|---|
dynamic | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.DynamicSettings oneof _provider_settings | – |
static | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.StaticSettings oneof _provider_settings | – |
StaticSettings
Allows to statically configure OIDC client settings if the OIDC provider doesn't have a configuration endpoint.
Field | Description | Validation Rule |
---|---|---|
authorizationEndpoint | string | string = { |
tokenEndpoint | string | string = { |
jwksUri | string oneof _jwks_setting | string = { |
jwks | string oneof _jwks_setting | string = { |
deviceCodeEndpoint | string | – |
introspectionEndpoint | string | – |
PostgresSettings
Detail connection details for Postgres
NOTE: TSB does not make any specific schema selection. It defaults to
the search_path
set by the user/role specified in the connection settings.
By default this will result in using the public
schema. If you need to use a different
schema, update the search_path
of the Postgres user accordingly.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
dataStore:
postgres:
address: "postgres:5432"
sslMode: verify_full
connectionLifetime: "8500s"
name: tsb
Field | Description | Validation Rule |
---|---|---|
host | string | – |
port | int32 | – |
sslMode | tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.SSLMode | – |
connectionLifetime | string | – |
name | string | – |
address | string | string = { |
connectionIdleLifetime | string | – |
connectionMaxOpen | int32 | – |
connectionIdleMaxOpen | int32 | – |
azureIdentity | tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.AzureManagedIdentity oneof _managed_identity | – |
AzureManagedIdentity
AzureManagedIdentity holds the static data needed to authenticate a PostgreSQL hosted at Azure from an Azure workload via Azure Active Directory. Ref: https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-azure-ad-authentication
Field | Description | Validation Rule |
---|---|---|
clientId | string | string = { |
userName | string | string = { |
tokenTtl | google.protobuf.Duration | duration = { |
MmapConfigurationMode
MmapConfigurationMode defines the available memory-mapping configuration modes. By default, Elasticsearch uses memory mapping (mmap) to efficiently access indices. Usually, default values for virtual address space on Linux distributions are too low for Elasticsearch to work properly, which may result in out-of-memory exceptions. This setting allows you to control the use of memory-mapping and the ability to adjust kernel settings. For more details on memory-mapping and its implications on Elasticsearch performance, refer to the Elasticsearch documentation on virtual memory settings. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-virtual-memory.html Kernel documentation on the maximum number of memory map areas a process may have: https://docs.kernel.org/admin-guide/sysctl/vm.html?highlight=vm+txt#max-map-count
Field | Number | Description |
---|---|---|
INVALID | 0 | |
DISABLED | 1 | DISABLED disables the use of memory-mapping for storing indices, which may affect performance
and is recommended only in environments where the creation of many memory maps is restricted.
This mode will configure the Elasticsearch nodes with |
CLUSTERS_DEFAULT | 2 | CLUSTERS_DEFAULT specifies that the memory-mapping configuration will defer to the |
PRIVILEGED | 3 | PRIVILEGED enables the use of privileged containers to adjust the |
TLSProtocol
Field | Number | Description |
---|---|---|
TLS_AUTO | 0 | Envoy will choose the optimal TLS version. |
TLSv1_0 | 1 | |
TLSv1_1 | 2 | |
TLSv1_2 | 3 | |
TLSv1_3 | 4 |
Protocol
The list of supported protocols to communicate with Elasticsearch.
Field | Number | Description |
---|---|---|
https | 0 | |
http | 1 |
Algorithm
Field | Number | Description |
---|---|---|
RS256 | 0 | RSA / SHA-256 |
RS384 | 1 | RSA / SHA-384 |
RS512 | 2 | RSA / SHA-512 |
PS256 | 3 | RSA-PSS / SHA-256 |
PS384 | 4 | RSA-PSS / SHA-384 |
PS512 | 5 | RSA-PSS / SHA-512 |
ES256 | 6 | ECDSA / SHA-256 |
ES384 | 7 | ECDSA / SHA-384 |
ES512 | 8 | ECDSA / SHA-512 |
HS256 | 9 | HMAC / SHA-256 |
HS384 | 10 | HMAC / SHA-384 |
HS512 | 11 | HMAC / SHA-512 |
SSLMode
For more details about each of these options please refer to https://www.postgresql.org/docs/current/libpq-ssl.html
Field | Number | Description |
---|---|---|
require | 0 | |
allow | 1 | |
prefer | 2 | |
disable | 3 | |
verify_ca | 4 | |
verify_full | 5 |