Setting Up Workload Onboarding
This document describes how to set up your environment so that your VMs are ready to be onboarded using the Workload Onboarding Agent.
The setup for Workload Onboarding consists of the following steps:
- Enable Workload Onboarding
- Create the WorkloadGroup
- Allow the workloads to join the WorkloadGroup
- Create the Sidecar configuration
- Install the Workload Onboarding Agent on a VM
Enable Workload Onboarding
To enable Workload Onboarding in a given Kubernetes cluster, you need to edit the TSB ControlPlane resource or the Helm configuration as follows:
spec:
  ...
  meshExpansion:
    onboarding:                                            # (1) REQUIRED
      endpoint:
        hosts:
        - <onboarding-endpoint-dns-name>                   # (2) REQUIRED
        secretName: <onboarding-endpoint-tls-cert>         # (3) REQUIRED
      tokenIssuer:
        jwt:
          expiration: <onboarding-token-expiration-time>   # (4) OPTIONAL
      localRepository: {}                                  # (5) OPTIONAL
The numbered markers in the configuration above correspond to the following:
1. To enable Workload Onboarding in a given Kubernetes cluster, you need to edit the spec.meshExpansion.onboarding section and provide the values for all mandatory fields
2. You must provide a DNS name for the Workload Onboarding Endpoint, e.g. onboarding-endpoint.your-company.corp
3. You must provide the name of the Kubernetes Secret that holds the TLS certificate for the Workload Onboarding Endpoint
4. You can choose a custom expiration time for the onboarding tokens, which defaults to 1 hour
5. You can choose to deploy a local copy of the repository with DEB/RPM packages of the Workload Onboarding Agent and Istio sidecar
Workload Onboarding Endpoint
The Workload Onboarding Endpoint is the component that the individual Workload Onboarding Agent(s) connect to in order to join the mesh.
In production scenarios, the Workload Onboarding Endpoint must be highly available, have a stable address, and enforce TLS on incoming connections.
For that reason, the DNS name and TLS certificate are mandatory parameters for enabling Workload Onboarding.
DNS name
You can choose any DNS name for the Workload Onboarding Endpoint.
That name must be associated with the address of the Kubernetes Service vmgateway from the istio-system namespace.
In production scenarios, you can achieve that by using external-dns.
TLS certificate
To provide a certificate for the Workload Onboarding Endpoint, you need to create a Kubernetes Secret of type TLS in the istio-system namespace.
You have several options:
- Create a Kubernetes Secret of type TLS from an X.509 certificate and a private key procured out-of-band
- Use cert-manager to automate provisioning of the TLS certificate
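When the certificate is procured out-of-band, it is worth checking before creating the Secret that it carries the Workload Onboarding Endpoint's DNS name as a Subject Alternative Name, that the private key matches it, and that it is not about to expire; otherwise the mistake only surfaces later as agents failing the TLS handshake. The following check is an added example, not part of this document or of TSB: it assumes the openssl CLI is installed, the file paths are arbitrary, and the secret name is a placeholder.

```shell
#!/bin/sh
# Added example: pre-flight check of an X.509 cert/key pair before it becomes
# the Workload Onboarding Endpoint TLS secret. Assumes the openssl CLI.
#
# Usage:  check_onboarding_cert <cert.pem> <key.pem> <onboarding-endpoint-dns-name>
# Returns 0 when the pair is usable for that DNS name, 1 otherwise.
check_onboarding_cert() {
    cert="$1"; key="$2"; host="$3"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "certificate or key file not readable" >&2
        return 1
    fi

    # 1. The name set in spec.meshExpansion.onboarding.endpoint.hosts must
    #    appear as a DNS SAN; a matching CN alone is not enough for agents.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | grep -oE 'DNS:[^,[:space:]]+' | grep -qxF "DNS:$host"; then
        echo "certificate has no SAN entry DNS:$host" >&2
        return 1
    fi

    # 2. The private key must correspond to the certificate's public key:
    #    compare the PEM public key derived from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # 3. Refuse a certificate that is expired or expires within 24 hours.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "certificate is expired or expires within 24h" >&2
        return 1
    fi
    return 0
}

# Once the check passes, the Secret is created in the istio-system namespace
# (placeholder secret name; it must match secretName in the ControlPlane spec):
#   kubectl create secret tls <onboarding-endpoint-tls-cert> -n istio-system \
#       --cert=<cert.pem> --key=<key.pem>
```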