Tetrate Service Bridge, Version: next

Workload Onboarding Plane Instance Configuration

Workload Onboarding Plane Instance Configuration specifies the configuration of a Workload Onboarding Plane instance.

apiVersion: config.plane.onboarding.tetrate.io/v1alpha1
kind: OnboardingPlaneInstanceConfiguration
onboardingPlane:
  uid: ef67c7b9-10da-4542-ad3b-b95acc1e05ba
tokenIssuer:
  jwt:
    expiration: 1h
    signingKeys:
    - filename: /path/to/tls.key
onboardingServer:
  port: 8443
  transportSecurity:
    tls:
      certDir: /path/to/dir/

OnboardingPlane

OnboardingPlane specifies the configuration of the Workload Onboarding Plane.

Field | Description | Validation Rule

uid

string
REQUIRED
Unique identifier of the Workload Onboarding Plane.

It is used in the workload authentication flow to prevent replay attacks that abuse compromised workload credentials intended for a different installation of the Workload Onboarding Plane.

string = {
  min_len: 1
}

OnboardingPlaneInstanceConfiguration

OnboardingPlaneInstanceConfiguration specifies the configuration of a Workload Onboarding Plane instance.

Field | Description | Validation Rule

onboardingPlane

tetrateio.api.onboarding.private.component.plane.config.v1alpha1.OnboardingPlane
REQUIRED
Configuration of the Workload Onboarding Plane.

message = {
  required: true
}

tokenIssuer

tetrateio.api.onboarding.private.component.plane.config.v1alpha1.TokenIssuer
REQUIRED
Configuration of the built-in Workload Onboarding Token Issuer.

message = {
  required: true
}

onboardingServer

tetrateio.api.onboarding.private.component.plane.config.v1alpha1.OnboardingServer
REQUIRED
Configuration of the gRPC server that implements the Workload Onboarding API.

message = {
  required: true
}

OnboardingServer

Configuration of the gRPC server that implements the Workload Onboarding API.

Field | Description | Validation Rule

port

int32
REQUIRED
Port that the Workload Onboarding API server listens on. Defaults to 8443.

int32 = {
  lte: 65535
  gte: 1
}

host

string
Host that the Workload Onboarding API server binds to.

transportSecurity

tetrateio.api.onboarding.private.types.config.v1alpha1.ServerTransportSecurity
Transport layer security configuration. Defaults to no transport layer security.

TokenIssuer

Configuration of the built-in Workload Onboarding Token Issuer.

Field | Description | Validation Rule

jwt

tetrateio.api.onboarding.private.component.plane.config.v1alpha1.TokenIssuer.JwtTokenIssuer
oneof _token_issuer
Configuration of the built-in JWT Token Issuer.

JwtTokenIssuer

Configuration of the built-in JWT Token Issuer.

Field | Description | Validation Rule

expiration

google.protobuf.Duration
REQUIRED
Expiration is the duration issued tokens are valid for.

duration = {
  required: true
  gt: {nanos:0}
}

signingKeys

List of tetrateio.api.onboarding.private.component.plane.config.v1alpha1.TokenIssuer.JwtTokenIssuer.SigningKey
REQUIRED
List of signing keys. All keys in the list are used to validate previously issued tokens. Only the first key in the list is used to sign newly issued tokens.

repeated = {
  min_items: 1
  items: {message:{required:true}}
}

SigningKey

Signing key.

Field | Description | Validation Rule

filename

string
REQUIRED
Name of a file that holds the private key.

string = {
  min_len: 1
}
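
The validation rules listed on this page, collected into a pre-deployment check that also reports a missing transportSecurity block. This is an added example, not code from Tetrate Service Bridge. It assumes the YAML has already been parsed into a dict and that durations are written as a number followed by s, m or h (the page only shows `1h`); the function names and the `BROKEN` sample are constructed for illustration.

```python
import re

_UNITS = {"s": 1, "m": 60, "h": 3600}  # assumption: durations look like "1h", "30m", "90s"

def duration_seconds(text):
    """Seconds for '<number><s|m|h>', or None when the string has another shape."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smh])", str(text))
    return float(m.group(1)) * _UNITS[m.group(2)] if m else None

def lint(cfg):
    """Apply this page's validation rules to a config already parsed into a dict."""
    out = []
    if not (cfg.get("onboardingPlane") or {}).get("uid"):
        out.append("error: onboardingPlane.uid must be a non-empty string")
    jwt = (cfg.get("tokenIssuer") or {}).get("jwt") or {}
    secs = duration_seconds(jwt.get("expiration", ""))
    if secs is None or secs <= 0:
        out.append("error: tokenIssuer.jwt.expiration must be greater than zero")
    keys = jwt.get("signingKeys") or []
    if not keys:
        out.append("error: tokenIssuer.jwt.signingKeys needs at least one item")
    for i, key in enumerate(keys):
        if not (key or {}).get("filename"):
            out.append(f"error: signingKeys[{i}].filename must be a non-empty string")
    server = cfg.get("onboardingServer") or {}
    port = server.get("port")  # listed as REQUIRED, so a missing port is reported
    if type(port) is not int or not 1 <= port <= 65535:
        out.append("error: onboardingServer.port must be in 1..65535")
    if not server.get("transportSecurity"):
        out.append("warning: onboardingServer.transportSecurity is unset (no transport layer security)")
    return out

# The page's example configuration, as a YAML parser would return it.
PAGE_EXAMPLE = {
    "onboardingPlane": {"uid": "ef67c7b9-10da-4542-ad3b-b95acc1e05ba"},
    "tokenIssuer": {"jwt": {"expiration": "1h",
                            "signingKeys": [{"filename": "/path/to/tls.key"}]}},
    "onboardingServer": {"port": 8443,
                         "transportSecurity": {"tls": {"certDir": "/path/to/dir/"}}},
}
# Constructed counter-example: empty uid, zero lifetime, no keys, bad port, no TLS.
BROKEN = {
    "onboardingPlane": {"uid": ""},
    "tokenIssuer": {"jwt": {"expiration": "0s", "signingKeys": []}},
    "onboardingServer": {"port": 70000},
}

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("broken", BROKEN)):
        print(name, lint(cfg) or "ok")
```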