Tetrate Service BridgeVersion: nextWorkload Onboarding Plane
OnboardingPlane resource exposes a set of configuration options supported
by the Workload Onboarding Plane installer.
The installation API is an override API, so any unset optional fields will receive sensible defaults.
The minimal OnboardingPlane resource requires only a single field -
container registry that hosts Docker images of the Workload Onboarding Operator and its sub-components.
apiVersion: install.onboarding.tetrate.io/v1alpha1
kind: OnboardingPlane
metadata:
name: onboarding-plane
namespace: istio-system
spec:
hub: docker.io/tetrate
If you need to pull from a private registry, you can add reference to the necessary pull secrets:
apiVersion: install.onboarding.tetrate.io/v1alpha1
kind: OnboardingPlane
metadata:
name: onboarding-plane
namespace: istio-system
spec:
hub: docker.io/tetrate
imagePullSecrets:
- name: my-registry-creds
To onboard workloads from custom on-premise environments, you can leverage support for OIDC ID Tokens.
If workloads in your custom environment can authenticate themselves by means of an
OIDC ID Token,
you can define a list of JWT issuers permitted by the Workload Onboarding Plane.
For example,
apiVersion: install.onboarding.tetrate.io/v1alpha1
kind: OnboardingPlane
metadata:
name: onboarding-plane
namespace: istio-system
spec:
hub: docker.io/tetrate
workloads:
authentication:
jwt:
issuers:
- issuer: "https://mycompany.corp"
jwksUri: "https://mycompany.corp/jwks.json"
shortName: "mycorp"
tokenFields:
attributes:
jsonPath: .custom_attributes
To ensure there will be no traffic loss when an onboarded workload gets shutdown, you can configure the time period to delay the shutdown for after deregistering the workload from the mesh, which will give enough time to reconfigure all affected mesh nodes to not load balance requests to the deregistered workload before it becomes unavailable.
For example,
apiVersion: install.onboarding.tetrate.io/v1alpha1
kind: OnboardingPlane
metadata:
name: onboarding-plane
namespace: istio-system
spec:
hub: docker.io/tetrate
workloads:
deregistration:
propagationDelay: 15s
It is possible to put constraints on what Istio revisions the workloads can onboard to via this Onboarding Plane.
For example,
apiVersion: install.onboarding.tetrate.io/v1alpha1
kind: OnboardingPlane
metadata:
name: onboarding-plane
namespace: istio-system
spec:
hub: docker.io/tetrate
istio:
revisions:
only:
include:
- green
- blue
It is also possible to allow all Istio revisions for workloads to onboard via this Onboarding Plane.
For example,
apiVersion: install.onboarding.tetrate.io/v1alpha1
kind: OnboardingPlane
metadata:
name: onboarding-plane
namespace: istio-system
spec:
hub: docker.io/tetrate
istio:
revisions:
all: \{\}
LocalObjectReference
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
| Field | Description | Validation Rule |
|---|---|---|
name | string | – |
OnboardingPlaneIstioSettings
Configuration of the Workload Onboarding Plane with regards to Istio.
| Field | Description | Validation Rule |
|---|---|---|
revisions | tetrateio.api.onboarding.private.install.v1alpha1.OnboardingPlaneIstioSettings.RevisionSelector If not specified, workloads are allowed to connect to any of the installed Istio revisions. | – |
RevisionSelector
Selects revisions that the workload is allowed to connect to.
| Field | Description | Validation Rule |
|---|---|---|
all | tetrateio.api.onboarding.private.install.v1alpha1.OnboardingPlaneIstioSettings.RevisionSelector.All oneof _selector | – |
only | tetrateio.api.onboarding.private.install.v1alpha1.OnboardingPlaneIstioSettings.RevisionSelector.Only oneof _selector | – |
All
Specifies that the workload is allowed to connect to any of the installed Istio revisions.
Only
Specifies that the workload is allowed to connect to specific Istio revisions.
| Field | Description | Validation Rule |
|---|---|---|
include | List of string Empty list means that workloads are NOT allowed to connect to any of the installed Istio revisions. Defaults to an empty list. | – |
OnboardingPlaneSpec
OnboardingPlaneSpec specifies the desired state of components of the
Workload Onboarding Plane.
| Field | Description | Validation Rule |
|---|---|---|
hub | string | string = { |
uid | string Is used in the workload authentication flow to prevent replay attacks
that abuse compromised workload credentials intended for a different
installation of the Defaults to an auto-generated UUID. | string = { |
tokenIssuer | tetrateio.api.onboarding.private.install.v1alpha1.OnboardingPlaneSpec.TokenIssuer | message = { |
workloads | tetrateio.api.onboarding.config.install.v1alpha1.WorkloadConfiguration | – |
imagePullSecrets | List of tetrateio.api.onboarding.private.install.v1alpha1.LocalObjectReference List of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#service_account-v1-core | – |
istio | tetrateio.api.onboarding.private.install.v1alpha1.OnboardingPlaneIstioSettings | – |
components | tetrateio.api.onboarding.config.install.v1alpha1.OnboardingPlaneComponentSet | – |
TokenIssuer
Configuration of the built-in Workload Onboarding Token Issuer.
| Field | Description | Validation Rule |
|---|---|---|
jwt | tetrateio.api.onboarding.private.install.v1alpha1.OnboardingPlaneSpec.TokenIssuer.JwtTokenIssuer oneof _token_issuer | – |
JwtTokenIssuer
Configuration of the built-in JWT Token Issuer.
| Field | Description | Validation Rule |
|---|---|---|
expiration | google.protobuf.Duration | duration = { |
OnboardingPlaneStatus
OnboardingPlaneStatus represents the current status of the onboarding plane.