Tetrate Service BridgeVersion: 1.9.x

Management Plane

ManagementPlane resource exposes a set of configurations necessary to automatically install the Service Bridge management plane on a cluster. The installation API is an override API so any unset fields that are not required will use sensible defaults.

Prior to creating the ManagementPlane resource, verify that the following secrets exist in the namespace the management plane will be installed into:

tsb-certs
ldap-credentials
custom-host-ca (if you are using TLS connection and need a custom CA to connect to LDAP host)
postgres-credentials (non-demo deployments)
admin-credentials
es-certs (if your Elasticsearch is using a self-signed certificate)
elastic-credentials (if your Elasticsearch backend requires authentication)

A resource containing only the container registry hub will install a demo of Service Bridge, create a default Organization and install local instances of external dependencies, such as Postgres, Elasticsearch, and LDAP server.
Please note that these local instances are for demonstrative purposes only and should not be used in production. Production setups should point to a user managed Postgres and Elasticsearch as well as the enterprise LDAP server.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  organization: tetrate

To move from the demo installation to production readiness, configure the top level settings that enable TSB to connect to external dependencies. When one of these settings stanzas are added the operator will delete the relevant demo component and configure the management plane to talk to the dependencies described.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  imagePullSecrets:
  - name: my-registry-creds
  organization: tetrate
  dataStore:
    postgres:
      address: postgres:1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key

Top level settings deal with higher level concepts like persistence, but some configuration can also be overridden per component. For example, to configure the team synchronization schedule in the API server, set the schedule field in the apiServer component

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  organization: tetrate
  components:
    apiServer:
      teamSyncSchedule: 17 * * * *
  dataStore:
    postgres:
      address: postgres:1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key

To configure infrastructure specific settings such as resource limits on the deployment in Kubernetes, set the relevant field in a component. Remember that the installation API is an override API so if these fields are unset the operator will use sensible defaults. Only a subset of Kubernetes configuration is available and only for individual components.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  organization: tetrate
  components:
    collector:
      kubeSpec:
        deployment:
          resources:
            limits:
              memory: 750Mi
            requests:
              memory: 500Mi
  dataStore:
    postgres:
      address: postgres:1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key

ManagementPlaneComponentSet

The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for each individual component.

Field	Description	Validation Rule
apiServer	tetrateio.api.install.managementplane.v1alpha1.ApiServer	–
iamServer	tetrateio.api.install.managementplane.v1alpha1.IamServer	–
webUI	tetrateio.api.install.managementplane.v1alpha1.WebUI	–
frontEnvoy	tetrateio.api.install.managementplane.v1alpha1.FrontEnvoy	–
oap	tetrateio.api.install.managementplane.v1alpha1.Oap	–
collector	tetrateio.api.install.managementplane.v1alpha1.OpenTelemetryCollector	–
xcp	tetrateio.api.install.managementplane.v1alpha1.XCP	–
mpc	tetrateio.api.install.managementplane.v1alpha1.MPC	–
defaultLogLevel	string The default log level for all components if the per component log level config is not specified. Note that the supported log level for different components can be different. See each components' `log_level` for more information.	–
ngac	tetrateio.api.install.managementplane.v1alpha1.NGAC	–
internalCertProvider	tetrateio.api.install.common.InternalCertProvider Configure the Kubernetes CSR certificate provider for TSB internal purposes like Webhook TLS certificates. This configuration is required for kubernetes version 1.22 and above.	–
defaultKubeSpec	tetrateio.api.install.kubernetes.KubernetesSpec Configure Kubernetes default settings for all components. These settings will be merged to all components' settings, only if the component does not define the same setting. In that case, the setting defined at the component level prevails over the global default.	–
gitops	tetrateio.api.install.common.GitOps Configuration for the integration of the Management Plane with Continuous Deployment pipelines.	–
kubegres	tetrateio.api.install.managementplane.v1alpha1.Kubegres Configuration for the Kubegres component.	–
n2ac	tetrateio.api.install.managementplane.v1alpha1.N2AC Configuration for the N2AC component.	–
eck	tetrateio.api.install.managementplane.v1alpha1.ECK Configuration for the embedded ECK components. Customizations can be made to the embedded ECK components, such as the Operator itself and the ElasticSearch master and data nodes. Refer to `eck` component settings for what can be customized. Note that this only applies when `embeddedElastic` is enabled.	–

ManagementPlaneHighAvailabilitySettings

High Availability settings of the TSB management plane.

Field Description Validation Rule

Field	Description	Validation Rule
partition	string Partition is a user-friendly name of the current TSB management plane.	string = { pattern: `^[a-z0-9](?:[-a-z0-9]*[a-z0-9])?$` ignore_empty: `true` }
partitions	List of tetrateio.api.install.managementplane.v1alpha1.Partition Partitions is a list of TSB management plane installations that form a single management plane. When specified, current TSB management plane installation will be able to connect to remote ones to exchange operational state and will be able to authenticate components of remote management planes once they connect to the current installation.	–

partition

string
Partition is a user-friendly name of the current TSB management plane.

string = {
pattern: ^[a-z0-9](?:[-a-z0-9]*[a-z0-9])?$
ignore_empty: true
}

partitions

List of tetrateio.api.install.managementplane.v1alpha1.Partition
Partitions is a list of TSB management plane installations that form a single management plane.

When specified, current TSB management plane installation will be able to connect to remote ones to exchange operational state and will be able to authenticate components of remote management planes once they connect to the current installation.

–

ManagementPlaneSpec

ManagementPlaneSpec defines the desired installed state of TSB management plane components. Specifying a minimal ManagementPlaneSpec with hub set results in a demo installation.

Field	Description	Validation Rule
hub	string REQUIRED TSB container hub path e.g. docker.io/tetrate.	string = { min_len: `1` }
imagePullSecrets	List of tetrateio.api.install.kubernetes.LocalObjectReference Pull secrets can be specified globally for all components, or defined into the `kubeSpec.serviceAccount` of every component if needed. In case both are defined, the most specific one (the one defined at the component) level is used. List of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#service_account-v1-core	–
organization	string REQUIRED The name of the organization to be used across the management plane	string = { min_len: `1` }
components	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneComponentSet The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for individual components.	–
dataStore	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.DataStore Configure the data store for TSB to persist its data to. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install an embedded postgres as the data store.	–
telemetryStore	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TelemetryStore Configure the store that TSB will use to persist application telemetry data This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install an embedded ElasticSearch as the telemetry store.	–
identityProvider	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider Configure the Identity Provider TSB will use as the source of users. This identity provider is used for user authentication and to periodically synchronize the information of existing users and groups into the platform. If omitted, TSB will rely on a local identity provider based on local secrets.	–
tokenIssuer	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TokenIssuer Configure the Token Issuer TSB will use to mint tokens upon initial authentication with the identity provider. This token is used to authenticate any subsequent internal requests in TSB. This is a mandatory setting for production. If omitted, the operator will use an insecure default.	–
meshObservability	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.MeshObservability Configure how the mesh should be observed, which observability functionalities should be enabled to observe your registered services in the mesh, and the store properties that TSB will use to persist application observability data like metrics, traces, logs. If omitted, a demo grade mesh observability setting will be configured for your convenience.	–
certIssuer	tetrateio.api.install.managementplane.v1alpha1.CertIssuer Configure a built in issuer for the TLS certificates used by TSB and the data plane. If omitted, the certificates will need to be provided manually.	–
enableWasmDownloadProxy	bool When enabled, the OCI WASM extensions will be downloaded via a TSB download proxy. The download proxy integrates with the common cloud providers to automatically leverage the cloud credentials without requiring users to explicitly configure them in `imagePullSecrets`. If you are hosting the WASM extensions in your cloud provider OCI registry, you may consider turning this flag on. Default: false.	–
providerSettings	tetrateio.api.install.managementplane.v1alpha1.ProviderSettings Configures Kubernetes provider specific settings.	–
highAvailability	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneHighAvailabilitySettings High Availability settings of the Management plane.	–

DataStore

Configure the data store for TSB to persist its data to. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install an embedded postgres as the data store. Select one of the DataStore settings to see complete examples.

Field	Description	Validation Rule
postgres	tetrateio.api.install.managementplane.v1alpha1.PostgresSettings ^{oneof _data_store}	–
embeddedPostgres	tetrateio.api.install.managementplane.v1alpha1.EmbeddedPostgresSettings ^{oneof _data_store}	–
cleanupCronSchedule	string Database cleanup schedule in cron format. Defaults to '0 4 * * */1' which means "at 04:00 on every day-of-week".	–
auditLogsCleanupRetention	google.protobuf.Duration Retention duration for the old audit log entries clean-up job. If unset, no audit logs clean-up will be performed. Minimimal retention duration is 24 hours.	–

IdentityProvider

Configure the Identity Provider TSB will use as the source of users. This identity provider is used for user authentication and to periodically synchronize the information of existing users and groups into the platform. If omitted, TSB will rely on a local identity provider based on local secrets. Select one of the IdentityProvider settings to see complete examples.

Field	Description	Validation Rule
oidc	tetrateio.api.install.managementplane.v1alpha1.OIDCSettings ^{oneof _identity_provider}	–
ldap	tetrateio.api.install.managementplane.v1alpha1.LDAPSettings ^{oneof _identity_provider}	–
local	tetrateio.api.install.managementplane.v1alpha1.LocalSettings ^{oneof _identity_provider}	–
sync	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider.OrgSyncSettings This field is optional and by default organization will be synchronized using the configuration for the Identity Provider. However, it is possible to set specific settings for the organization synchronization by setting this field.	–

OrgSyncSettings

Field	Description	Validation Rule
azure	tetrateio.api.install.managementplane.v1alpha1.AzureSyncSettings ^{oneof _provider} Synchronizes users and groups from the configured Azure Active Directory account.	–
ignoreOrphanUsers	bool When set to true, users that are not included in any of the synchronized groups will be ignored.	–

MeshObservability

Configure how the mesh should be observed, which observability functionalities should be enabled to observe your registered services in the mesh, and the store properties that TSB will use to persist application observability data like metrics, traces, logs. If omitted, the operator will assume a demo installation and for your convenience install a demo grade mesh observability setting. Check MeshObservabilitySettings to see complete examples.

Field	Description	Validation Rule
settings	tetrateio.api.install.common.MeshObservabilitySettings ^{oneof _mesh_observability}	–

TelemetryStore

Configure the store that TSB will use to persist application telemetry data This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install an embedded ElasticSearch as the telemetry store. Select one of the TelemetryStore settings to see complete examples.

Field	Description	Validation Rule
elastic	tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings ^{oneof _telemetry_store} Configure the telemetry store that TSB will use to persist application telemetry data, such as metrics, traces, and logs. If you already have a running ElasticSearch cluster and you want to use it as the telemetry store, you can configure the `elastic` field with the connection information of your ElasticSearch cluster.	–
embeddedElastic	tetrateio.api.install.managementplane.v1alpha1.EmbeddedElasticSearchSettings ^{oneof _telemetry_store} Enable an embedded ElasticSearch cluster for telemetry data. TSB will install ElasticSearch Operator, and create an ElasticSearch cluster in the same namespace as the management plane. To configure the embedded ElasticSearch cluster, such as resource limits or number of master nodes and data nodes, you can use the `eck.operator` field, `eck.master` field, and `eck.data` fields in the `components` section. Important: By default the embedded ElasticSearch cluster will be configured using `mmapConfiguration` mode `DISABLED` which is is not suitable for production use. You should configure the `mmapConfiguration` to `PRIVILEGED` or `CLUSTER_DEFAULT`.	–

TokenIssuer

Configure the Token Issuer TSB will use to mint tokens upon initial authentication with the identity provider. This token is used to authenticate any subsequent internal requests in TSB. This is a mandatory setting for production. If omitted, the operator will use an insecure default. Select one of the TokenIssuer settings to see complete examples.

Field	Description	Validation Rule
jwt	tetrateio.api.install.managementplane.v1alpha1.JWTSettings ^{oneof _token_issuer}	–

Partition

Partition describes a single installation of TSB management plane.

Field Description Validation Rule

Field	Description	Validation Rule
name	string REQUIRED Name is a user-friendly name of the TSB management plane installation, e.g. 'cloud', 'on-premise', 'us-east', etc.	string = { min_len: `1` pattern: `^[a-z0-9](?:[-a-z0-9]*[a-z0-9])?$` }
endpoint	tetrateio.api.install.managementplane.v1alpha1.Partition.Endpoint Endpoint describes an access point of the TSB management plane installation.	–
authentication	tetrateio.api.install.managementplane.v1alpha1.Partition.Authentication Authentication describes authentication settings of the remote TSB management plane installation. When specified, current TSB management plane installation will be able to verify JWT tokens issued by the remote TSB management plane installation, which will make possible connections from the remote partition to the current one. E.g., connections from the XCP Central component of the remote partition, or connections from XCP Edges that were initially onboarded into the remote partition but now are falling over to the current partition. Effectively, this is configuration of federated identity. Every partition of the Management Plane is assumed to have an independent configuration, including JWT Token Issuer. To support connectivity from one partition to another and eventually failover of XCP Edges from one partition to another, a partition needs to be able to accept JWT tokens issued by another partition. Authentication configuration instructs current partition to accept JWT tokens issued by the other partition, in other words, federated identity.	–

name

string
REQUIRED
Name is a user-friendly name of the TSB management plane installation, e.g. 'cloud', 'on-premise', 'us-east', etc.

string = {
min_len: 1
pattern: ^[a-z0-9](?:[-a-z0-9]*[a-z0-9])?$
}

endpoint

tetrateio.api.install.managementplane.v1alpha1.Partition.Endpoint
Endpoint describes an access point of the TSB management plane installation.

–

authentication

tetrateio.api.install.managementplane.v1alpha1.Partition.Authentication
Authentication describes authentication settings of the remote TSB management plane installation.

When specified, current TSB management plane installation will be able to verify JWT tokens issued by the remote TSB management plane installation, which will make possible connections from the remote partition to the current one. E.g., connections from the XCP Central component of the remote partition, or connections from XCP Edges that were initially onboarded into the remote partition but now are falling over to the current partition.

Effectively, this is configuration of federated identity. Every partition of the Management Plane is assumed to have an independent configuration, including JWT Token Issuer. To support connectivity from one partition to another and eventually failover of XCP Edges from one partition to another, a partition needs to be able to accept JWT tokens issued by another partition. Authentication configuration instructs current partition to accept JWT tokens issued by the other partition, in other words, federated identity.

–

Authentication

Authentication describes authentication settings of the TSB management plane installation.

Field	Description	Validation Rule
jwt	List of tetrateio.api.install.managementplane.v1alpha1.Partition.Authentication.Jwt Allow authentication by means of a JWT token.	–

Jwt

Jwt configures Central to allow connections from edges using JWTs for authentication.

Field Description Validation Rule

Field	Description	Validation Rule
issuer	string REQUIRED Expected issuer ("iss") claim, JWTs with different values in this claim will be rejected.	string = { min_len: `1` }
jwksSecretName	string REQUIRED Name of the k8s Secret with the JWKS document to validate signature of JWT tokens issued by the remote TSB management plane. This secret can be copied "as is" from the `tsb-iam-jwks` secret in the remote TSB management plane. The JWKS document must be provided under key "jwks". The JWKS document might include multiple signing keys. For example: apiVersion: v1 kind: Secret metadata: name: tsb-iam-jwks-us-east namespace: tsb type: Opaque data: jwks: base64({ JWKS })	string = { min_len: `1` }

issuer

string
REQUIRED
Expected issuer ("iss") claim, JWTs with different values in this claim will be rejected.

string = {
min_len: 1
}

jwksSecretName

string
REQUIRED
Name of the k8s Secret with the JWKS document to validate signature of JWT tokens issued by the remote TSB management plane.

This secret can be copied "as is" from the tsb-iam-jwks secret in the remote TSB management plane.

The JWKS document must be provided under key "jwks". The JWKS document might include multiple signing keys.

For example:

apiVersion: v1 kind: Secret metadata: name: tsb-iam-jwks-us-east namespace: tsb type: Opaque data: jwks: base64({ JWKS })

string = {
min_len: 1
}

Endpoint

Endpoint describes an endpoint at which an TSB management plane installation is accessible.

Field	Description	Validation Rule
host	string REQUIRED Management plane host address (can be hostname or IPv4/IPv6 address).	string = { address: `true` }
port	int32 REQUIRED Port management plane is listening on.	int32 = { lte: `65535` gte: `1` }
caSecretName	string Name of the k8s Secret that holds CA certificates to use to verify the TLS certificate of the management plane. CA certificates must be provided under key "ca.crt". If not set, TLS certificate of the management plane will be validated against well-known 3rd party CAs installed system-wide on the client side. For example: `apiVersion: v1 kind: Secret metadata: name: mp-certs-us-east namespace: tsb type: Opaque data: ca.crt: base64(\{ CA Certs \})`	–
sni	string SNI value to present to TSB management plane endpoint during TLS handshake. If not set, defaults to the host address. When set to a non-empty string, TLS client will validate certificate presented by the server against this SNI value rather than host address. So the TLS certificate configured for TSB management plane endpoint must use this value for the common name (CN) or include it in the subject alternative names (SANs). This should not normally need to be set as using central hostname will result in correct routing and be included in the TLS certificate. This is primarily intended for test or demo environments where it is difficult to create DNS names and an IP address is used for central instead.	–

AWSController

Kubernetes settings for the AWS Integration Controller component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings. Note: AWS controller requires Service Account for IAM to be created before installing the controller. Therefore the Service Account will not be managed by this kubeSpec and all Service Account configuration in this kubeSpec will be ignored.	–

ApiServer

Application and Kubernetes settings for the API server component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesJobComponentSpec Configure Kubernetes specific settings.	–
teamSyncSchedule	string The schedule on which to synchronize teams with the configured identity provider Standard five field cron format. For example, "0 * * * *" triggers the sync hourly at minute 0.	–
logLevels	map<string, string> The log level configuration by scopes. Supported log level: "none", "error", "warn", "info", "debug".	–

ECK

Kubernetes-specific settings for deploying Elasticsearch clusters using the Elastic Cloud on Kubernetes (ECK) operator. It includes configurations for the ECK operator itself and specific settings for Elasticsearch master and data nodes. The configuration options allow customization of memory-mapping usage and kernel settings to optimize Elasticsearch performance and compatibility within different Kubernetes environments.

By default, mmapConfiguration is set to DISABLED because in most environment you can not control the ability to change kernel settings. However, if you are in an environment where you can control the ability to change kernel settings, you can manually set vm.max_map_count kernel parameter to at least 262144 and set mmapConfiguration to CLUSTERS_DEFAULT. If you don't want to set this property manually in each node of your cluster and you can run privileged containers, you can set mmapConfiguration to PRIVILEGED. This will allow the ECK operator to set the vm.max_map_count kernel setting to at least 262144.

Field	Description	Validation Rule
operator	tetrateio.api.install.managementplane.v1alpha1.ECK.Operator Configure Kubernetes specific settings for the ElasticSearch operator.	–
master	tetrateio.api.install.managementplane.v1alpha1.ECK.Master Configure Kubernetes specific settings for the ElasticSearch master node.	–
data	tetrateio.api.install.managementplane.v1alpha1.ECK.Data Configure Kubernetes specific settings for the ElasticSearch data node.	–
mmapConfiguration	tetrateio.api.install.managementplane.v1alpha1.ECK.MmapConfigurationMode MmapConfiguration specifies the memory-mapping configuration mode for Elasticsearch storage. It controls the use of memory-mapping and the ability to adjust kernel settings for optimal performance. By default, `DISABLED` is used to disable memory-mapping for storing indices because the linux kernel has a too low default `vm.max_map_count` value for Elasticsearch to work properly. Actually, Elasticsearch will refuse to bootstrap if `vm.max_map_count` value is not set at least to 262144. See: https://www.elastic.co/guide/en/elasticsearch/reference/current/_maximum_map_count_check.html for more information on bootstrap checks. `DISABLED` mode is not recommended for production environments and should only be used only in environments where the creation of many memory maps is restricted. Which is the case in many cloud environments.	–

Data

Kubernetes settings for the ElasticSearch data node.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings for the ElasticSearch data node.	–

Master

Kubernetes settings for the ElasticSearch master node.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings for the ElasticSearch master node.	–

Operator

Kubernetes settings for the ElasticSearch operator.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings for the ECK Operator.	–

FrontEnvoy

Application and Kubernetes settings for the FrontEnvoy component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–
authenticationTimeout	google.protobuf.Duration Configure the timeout when making an authentication request to the IAM server	–
port	int32 Configure the management plane ingress port	–
TLSMinimumProtocolVersion	tetrateio.api.install.managementplane.v1alpha1.TLSProtocol The minimum TLS protocol version to use. TLS_AUTO defaults to TLSv1_0 for servers.	–
cipherSuites	List of string If set, only the specified cipher list will be supported when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If the list of custom cipher suites is not set, a default list of cipher suites will be used. Please refer to the following Envoy docs for a detailed list of the supported and default cipher suites: https://www.envoyproxy.io/docs/envoy/v1.17.1/api-v3/extensions/transport_sockets/tls/v3/common.proto.html	–
ecdhCurves	List of string If set, the TLS connection will only support the specified ECDH curves. If not specified, the default curves will be used. Please refer to the following Envoy docs for a detailed list of the supported and default ECDH suites: https://www.envoyproxy.io/docs/envoy/v1.17.1/api-v3/extensions/transport_sockets/tls/v3/common.proto.html	–
logLevels	map<string, string> The log level configuration by scopes. Supported log level: "off", "critical", "error", "warn", "info", "debug", "trace". For detailed information, see https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/run-envoy#debugging-envoy.	–

IamServer

Kubernetes settings for the IAM server component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–
logLevels	map<string, string> The log level configuration by scopes. Supported log level: "none", "error", "warn", "info", "debug".	–

Kubegres

Kubernetes settings for the Kubegres operator component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings.	–

MPC

Kubernetes settings for the MPC component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–
logLevels	map<string, string> The log level configuration by scopes. Supported log level: "none", "error", "warn", "info", "debug".	–

N2AC

Kubernetes settings for the N2AC component.

Field	Description	Validation Rule
controller	tetrateio.api.install.managementplane.v1alpha1.N2AC.Component The controller watches and reconciles the policies applied to the cluster.	–
server	tetrateio.api.install.managementplane.v1alpha1.N2AC.Component The server component manages the NGAC graph.	–
enabled	bool Enable the ngac runtime enforcement. Disabled by default.	–

Component

Common kubernetes settings for the different NGAC components.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–
logLevels	map<string, string> The log level configuration by scopes. Supported log level: "none", "error", "info", "debug".	–

NGAC

Kubernetes settings for the NGAC component.

Field	Description	Validation Rule
enabled	bool NGAC is an experimental component. If enabled is false, this component will not be installed.	–
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–
logLevels	map<string, string> The log level configuration by scopes. Supported log level: "none", "error", "info", "debug".	–

Oap

Kubernetes settings for the OAP (SkyWalking) component.

Field	Description	Validation Rule
retentionPeriodDays	int32 Number of days to retain metrics for. Defaults to 7 days.	–
streamingLogEnabled	bool Feature flag to determine whether on-demand streaming logs should be enabled.	–
onDemandEnvoyMetricsEnabled	bool Feature flag to determine whether on-demand envoy metrics should be enabled. If enabled, the envoy proxy will provide a set of metrics that can be queried using the metrics service. OAP will provide a query API that can be used to collect envoy proxy metrics for specific pods. This is only for temporary and real-time queries that can be used, for example, for application troubleshooting use cases. These metrics are not persisted.	–
storageIndexMergingEnabled	bool Feature flag to determine whether metrics/meter and records should be shard into multi-physical indices, or instead if they should be merged into a single physical index. By default "false", metric/meter and records are sharded into multi-physical indices. Instead of sharding, if enabled by setting it to "true", metrics/meter and records will be merged into one physical index template `metrics-all` and `records-all`. This feature flag must also be set on all clusters control plane manifests and have the same value as this one, otherwise control plane observability data could be written to the wrong or not existing index. In this storage mode, consider adjusting index settings to scale out properly based on your needs by setting `storageSpecificIndexSettings` field.	–
storageSpecificIndexSettings	List of tetrateio.api.install.managementplane.v1alpha1.Oap.StorageIndexSetting Configure how many shards and replicas a concrete index template should have. This setting is useful to scale out the indices based on your system traffic and topology. The more traffic, relationships between services, and service's api endpoint you have more metrics/meter and records will be generated. Specially if storage logic sharding is disabled, `metrics-all`, `records-all`, `zipkin_span` should be adjusted based on your needs.	–
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–
logLevel	string Specifies the log level for OAP component. Supported log level: "all", "debug", "info", "warn", "error", "fatal", "off" and "trace".	–

StorageIndexSetting

Configure the number of shards and replicas a concrete index template should have.

Field	Description	Validation Rule
indexName	string REQUIRED The name of the index template that we get the settings applied. If `storage_index_merging_enabled` is true, the following index templates can be configured: "metrics-all", "records-all", "log", "zipkin_span" If `storage_index_merging_enabled` is false, the following index templates can be configured: "metrics-percent", "metrics-apdex", "ebpf_profiling_task", "metrics-statuscode", "meter-avglabeled", "service_relation_server_side", "log", "process_traffic", "metrics-sum", "alarm_record", "service_label", " ebpf_profiling_data", "zipkin_service_span_traffic", "service_relation_client_side", "service_traffic", "metrics-histogram", "endpoint_traffic", "ebpf_profiling_schedule", "network_address_alias", "metrics-count", "top_n_cache_write_command", "process_relation_client_side", "zipkin_service_traffic", "metrics-longavg", "meter-avg", "process_relation_server_side", "top_n_cache_read_command", "instance_traffic", "zipkin_span", "metrics-cpm", "zipkin_service_relation_traffic", "metrics-percentile", "metrics-doubleavg", "tag_autocomplete"	string = { min_len: `1` }
numberOfShards	int32 REQUIRED The number of shards for the index template.	int32 = { gt: `0` }
numberOfReplicas	int32 REQUIRED The number of replicas or the index template.	int32 = { gte: `0` }

OpenTelemetryCollector

Kubernetes settings for the OpenTelemetry Collector component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–
logLevel	string Specifies the log level for OTEL collector component. Supported log level: "debug", "info", "warn", "error", "dpanic", "panic", and "fatal".	–

WebUI

Kubernetes settings for the WebUI component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings Although possible via the Kubernetes settings, the WebUI does not support multiple instances. Therefore you should not set `replicaCount` or an `hpaSpec`	–

XCP

Application and Kubernetes settings for the XCP component.

Field	Description	Validation Rule
centralAuthModes	tetrateio.api.install.managementplane.v1alpha1.XCP.CentralAuthModes Authentication modes for connections from XCP Edges to XCP Central. If not set will default to mutual TLS only.	–
configProtection	tetrateio.api.install.common.ConfigProtection ConfigProtection contains settings for enabling/disabling config protection over XCP created resources. Config protections are disabled by default.	–
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–
logLevels	map<string, string> Loglevel for XCP. Supported log level: "none", "fatal", "error", "warn", "info", "debug".	–

CentralAuthModes

Authentication modes for connections to XCP Central (from XCP Edges or MPC). At least one mode must be enabled. Multiple modes can be enabled to facilitate migration from one mode to another.

Field	Description	Validation Rule
mutualTls	bool GRPC stream is encrypted with mutual TLS	–
jwt	bool XCP Edges present a JWT bearer token in the GRPC headers	–

AWSSettings

Global settings to AWS.

Field	Description	Validation Rule
serviceAccountName	string REQUIRED Service account name to use with IAM role association. Required. This service account should have the proper permissions depending on which AWS services are enabled. (Lattice, etc.)	string = { min_len: `1` }

LatticeSettings

Settings specific to Lattice. These settings enable the AWS Lattice Discovery Service integration feature. It takes care of discovering AWS Lattice services with tag "Tetrate:ExposeToMesh" set to "true", registering them into TSB and creating the TSB configs to make them accessible from the mesh.

Field	Description	Validation Rule
enabled	bool ^{oneof __enabled} Enable/disable the Lattice integration controller. Default: false.	–
regions	List of string AWS regions to query for Lattice services to discover. Required.	–
tenant	string The TSB tenant name where the TSB configs that manage Lattice will be created.	–

ProviderSettings

Configure Kubernetes provider specific settings.

Field	Description	Validation Rule
aws	tetrateio.api.install.managementplane.v1alpha1.AWSSettings Global settings to AWS.	–
lattice	tetrateio.api.install.managementplane.v1alpha1.LatticeSettings Settings specific to Lattice.	–

AzureSyncSettings

Azure configures how users and groups are synchronized from Azure Active Directory.

Field	Description	Validation Rule
clientId	string REQUIRED Client ID of an Azure application that has permissions to synchronize users and teams. The application must be registered in Azure Ad and have, at least, the "Windows Azure Active Directory/Read directory Data" permission.	string = { min_len: `1` }
tenantId	string REQUIRED The tenant id that identifies the specific Azure Active Directory to synchronize.	string = { min_len: `1` }
environment	string Environment where the Azure Directory belongs to. The supported values are: AzurePublicCloud AzureUSGovernmentCloud AzureChinaCloud AzureGermanCloud If not set, 'AzurePublicCloud' will be used.	–
usersFilter	string If present, the value will be passed to the Microsoft Graph API when listing the users to filter the results. See: https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http	–
groupsFilter	string If present, the value will be passed to the Microsoft Graph API when listing the groups to filter the results. See: https://docs.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http	–
baseGroupName	string If present, we will apply all changes under the hierarchy of the given group i.e. all descendant users and groups	–

CertIssuer

Configures a built in issuer for TSB TLS certificates.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  certIssuer:
    selfSigned: \{\}
    tsbCerts: \{\}
    clusterIntermediateCAs: \{\}

Field	Description	Validation Rule
selfSigned	tetrateio.api.install.managementplane.v1alpha1.CertIssuer.SelfSignedCertIssuer ^{oneof _issuer} Additional providers such as AWS PCA or Vault can be added in the future.	–
tsbCerts	tetrateio.api.install.managementplane.v1alpha1.CertIssuer.TsbCertsSettings When set a TLS certificate will be created to expose TSB APIs.	–
clusterIntermediateCAs	tetrateio.api.install.managementplane.v1alpha1.CertIssuer.ClusterIntermediateCASettings When set, an intermediate CA for each cluster will be created that Istio in the control plane will use for assigning TLS certificates to each workload.	–

ClusterIntermediateCASettings

Options for configuring the issued intermediate CAs that Istio in the control plane will use for assigning TLS certificates to each workload

Options such as the expiration and renewal period can be added here in the future if needed.

SelfSignedCertIssuer

Options such as the expiration and renewal period of the self signed root CA can be added here in the future if needed.

TsbCertsSettings

Options for configuring the issued TSB TLS certs.

Options such as the expiration and renewal period can be added here in the future if needed.

ElasticSearchSettings

Configure an Elasticsearch connection.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
      protocol: https
      selfSigned: true
      version: 7

Field	Description	Validation Rule
host	string REQUIRED Elasticsearch host address (can be hostname or IP address).	string = { address: `true` }
port	int32 REQUIRED Port Elasticsearch is listening on.	int32 = { lte: `65535` gte: `1` }
protocol	tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings.Protocol Protocol to communicate with Elasticsearch, defaults to https.	–
selfSigned	bool Use Self-Signed certificates. The Self-signed CA bundle and key must be in a secret called es-certs.	–
version	int32 DEPRECATED: Major version of the Elasticsearch cluster. Currently supported Elasticsearch major versions are `6`, `7`, and `8`.	int32 = { lte: `8` gte: `6` }

EmbeddedElasticSearchSettings

Configuration for the Embedded ElasticSearch

TSB allows to set up an ElasticSearch operator (ECK) to manage an embedded ElasticSearch installation. This installation will use the user and password stored in a secret named elastic-credentials that you must create before installing TSB.

This example setups the installation with a custom database size.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  telemetryStore:
    embeddedElastic:
      storageSize: 100Gi
      storageClassName: standard-rwo

Field	Description	Validation Rule
indexPrefix	string The name prefix of the ElasticSearch indices and templates. Defaults to 'skywalking'.	–
storageSize	string The size of each ElasticSearch Data Node Pod's in a cluster. You can express the size in the following units https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory Defaults to 200Gi.	–
storageClassName	string It allows setting the Storage-Class' name which will be used to store the ElasticSearch cluster. If it is not set, ElasticSearch operator uses the default Storage-Class available in a Kubernetes cluster. Once the Storage-Class is assigned, Kubernetes automatically provisions a PV and a PVC for each ElasticSearch Pod using the Storage-Class. Defaults to empty, letting Kubernetes choose the default one. Make sure that your storage class has `allowVolumeExpansion=true` and `ExpandInUsePersistentVolumes=true`, otherwise manual intervention is needed when more storage size is needed.	–

EmbeddedPostgresSettings

Configuration for the Embedded Postgres

TSB allows to set up a Postgres operator (Kubegres) to manage an embedded Postgres installation. This installation will always create the tsb user, and will always require a TLS connection. The certificates used for this TLS configuration can be found in the tsb-postgres-certs secrets on the same ManagementPlane namespace.

This examples setups the installation with a custom backup schedule and custom database sizes.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  dataStore:
    embeddedPostgres:
      connectionLifetime: "8500s"
      name: tsb
      backupCronSchedule: "0 2 * * */1"
      backupStorageSize: 10Gi
      storageSize: 50Gi

Field	Description	Validation Rule
name	string REQUIRED The name of the database TSB will use in Postgres.	string = { min_len: `1` }
connectionLifetime	string How long a connection lives before it is killed and recreated. A value of zero means connections are not closed due to their age. Defaults to 8500s.	–
connectionIdleLifetime	string How long an connection lives before it is killed. A value of zero means connections are not closed due to idle time. Defaults to 8500s.	–
connectionMaxOpen	int32 Maximum number of concurrent open connections. Defaults to 100.	–
connectionIdleMaxOpen	int32 Maximum number of concurrent open idle connections. Defaults to 2. A value of 0 means no idle connections are retained. If the `connection_max_open` value is set, then this value will be adjusted automatically in order to always be <= the `connection_max_open`.	–
storageSize	string The size of each Postgres Pod's database in a cluster. We use "Mi" for Megabyte and "Gi" for Gigabyte. Defaults to 50Gi.	–
storageClassName	string It allows setting the Storage-Class' name which will be used to store the PostgreSql database. If it is not set, Kubegres operator uses the default Storage-Class available in a Kubernetes cluster. Once the Storage-Class is assigned, Kubernetes automatically provisions a PV and a PVC for each Postgres Pod using the Storage-Class. Defaults to empty, letting Kubernetes choose the default one;	–
backupCronSchedule	string It expects a Cron format defining how often a back-up should happen. Defaults to '0 2 * * */1' which means "at 02:00 on every day-of-week".	–
backupStorageSize	string The size of Postgres Backup Job's volume. We use "Mi" for Megabyte and "Gi" for Gigabyte. Defaults to 10Gi.	–
backupStorageClassName	string It allows setting the Storage-Class' name which will be used to store the PostgreSql backups. If it is not set, Kubegres operator uses the default Storage-Class available in a Kubernetes cluster. Once the Storage-Class is assigned, Kubernetes automatically provisions a PV and a PVC for each Postgres Pod using the Storage-Class. Defaults to empty, letting Kubernetes choose the default one;	–
replicas	int32 It defines the number of PostgreSql instances (or Pods) to deploy in a cluster. For example, if set to '3', Kubegres deploys 1 Primary Pod and 2 Replica Pods. If set to '1', it will only create 1 Primary Pod without creating any Replica Pods. Defaults to 3.	–
cleanupCronSchedule	string Database cleanup schedule in cron format. Defaults to '0 4 * * */1' which means "at 04:00 on every day-of-week". Deprecated: This field has been moved in the datastore configuration.	–
defaultCleanupRetention	google.protobuf.Duration Retention duration for the clean-up jobs, such as old backups and old audit log entries. Defaults to 720h (24hours * 30days). Deprecated: use the BackupCleanupRetention and AuditLogsCleanupRetentions (from datastore configuration) fields.	–
backupCleanupRetention	google.protobuf.Duration Retention duration for the old backups clean-up job. The job will be triggered according to the `backup_cron_schedule` specified in the datastore configuration. Defaults to 720h (24hours * 30days).	–
auditLogsCleanupRetention	google.protobuf.Duration Retention duration for the old audit log entries clean-up job. If unset, it will default to the `default_cleanup_retention` value. Deprecated: This field has been moved to the datastore configuration.	–

JWTSettings

Configure JWT based token issuance

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  tokenIssuer:
    jwt:
      expiration: 1h
      refreshExpiration: 720h
      tokenPruneInterval: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key
        audiences:
        - tetrate

Field	Description	Validation Rule
issuers	List of tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer Issuers is the list of issuers supported by the JWT token issuance. By default, the first configured issuer will be used to sign the tokens IAM issues upon successful login, but additional ones can be configured so that the JWT authentication provider accepts those tokens as valid ones.	–
expiration	google.protobuf.Duration Expiration is the duration issued tokens are valid for.	–
refreshExpiration	google.protobuf.Duration Refresh Expiration is the duration issued refresh tokens are valid for.	–
tokenPruneInterval	google.protobuf.Duration Token prune is the interval at which expired tokens pruned.	–
signingKeysSecret	string Secret containing the signing keys used for issuing and validating tokens. If unset will default to the "iam-signing-key" secret generated by the operator.	–

Issuer

Field	Description	Validation Rule
name	string Name that uniquely identifies the issuer in the system.	–
algorithm	tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer.Algorithm Algorithm used by this issuer to sign tokens.	–
signingKey	string The name of the file to use as the signing key. This key must be present in the secret configured in "signing_keys_secret" or equivalent if using Vault. By default, "signing_keys_secret" is set to "iam-signing-key" generated by the operator.	–
audiences	List of string Audiences supported by this issuer. This is used on token validation. If the issuer defines no audiences, then the 'aud' claim will not be validated.	–

LDAPSettings

Detail connection and query mappings for LDAP

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
        timeout: 20s
        recursive: true
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember

Field	Description	Validation Rule
host	string REQUIRED LDAP server host address (can be hostname or IP address)	string = { address: `true` }
port	int32 REQUIRED Port the LDAP server is listening on	int32 = { lte: `65535` gte: `1` }
disableTLS	bool Disable secure connections to the LDAP server.	–
debug	bool LDAP connection debug toggle. When enabled it will print LDAP Requests and Responses messages to the log	–
search	tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Search Configure common properties to be used when running queries against the LDAP server.	–
iam	tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.IAM Configure how IAM validates credentials against the LDAP server. The field are not exclusive; if both are configured, a direct match against the DN is attempted first and the filter based match will be used as a fallback.	–
sync	tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Sync Sync configures how existing users and groups are retrieved from the LDAP server.	–

IAM

Field Description Validation Rule

Field	Description	Validation Rule
matchDN	string REQUIRED Configure how a user can be directly bound to a DN pattern. If all users can be found with a given pattern, we can bind them directly. Otherwise, a MatchFilter should be configured to perform a search of the DN for the given user. In Active Directory the bind operation is directly done using the username (in the user@domain form) so when connecting to an AD instance this should be set to just: %s.	string = { min_len: `1` }
matchFilter	string REQUIRED The pattern used to search for a user DN. This will be used when the user DN cannot be directly resolved by matching the configured MatchDN. Here are some example search patterns for common LDAP implementations: OpenLDAP: "CN=%s,CN=Users" Active Directory: "(&(objectClass=user)(samAccountName=%s))"	string = { min_len: `1` }

matchDN

string
REQUIRED
Configure how a user can be directly bound to a DN pattern. If all users can be found with a given pattern, we can bind them directly. Otherwise, a MatchFilter should be configured to perform a search of the DN for the given user. In Active Directory the bind operation is directly done using the username (in the user@domain form) so when connecting to an AD instance this should be set to just: %s.

string = {
min_len: 1
}

matchFilter

string
REQUIRED
The pattern used to search for a user DN. This will be used when the user DN cannot be directly resolved by matching the configured MatchDN.

Here are some example search patterns for common LDAP implementations:

OpenLDAP: "CN=%s,CN=Users"
Active Directory: "(&(objectClass=user)(samAccountName=%s))"

string = {
min_len: 1
}

Search

Field	Description	Validation Rule
baseDN	string REQUIRED The location at which LDAP search operations will start from.	string = { min_len: `1` }
recursive	bool Recursively search the LDAP tree.	–
timeout	google.protobuf.Duration The timeout when querying the LDAP server. If omitted, the query is bound by the timeout set by the LDAP server.	–
pagesize	int32 Configures paginated search queries for LDAP. When this is set to a non-zero value, LDAP queries will run with pagination controls enabled, as specified in https://datatracker.ietf.org/doc/html/rfc2696. Note that using a paginated search may result in more queries to the LDAP backend and it may slow down the overall process to fetch all the results, so it is recommended to be used only if the amount of data to be fetched is over the limits the server is willing to accept. By default the value is 0, and pagination is disabled.	–

Sync

Field	Description	Validation Rule
usersFilter	string REQUIRED The LDAP filter that will be used to fetch all the users that are to be synced to TSB. e.g. "(objectClass=user)"	string = { min_len: `1` }
groupsFilter	string REQUIRED The LDAP filter that will be used to fetch all the groups that are to be synced to TSB. e.g. "(objectClass=group)"	string = { min_len: `1` }
membershipAttribute	string REQUIRED The name of the attribute in a Group record returned from LDAP that represents a member of the group. e.g. "member"	string = { min_len: `1` }

LocalSettings

Configure the identity provider to use local secrets.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  identityProvider:
    local: \{\}

OIDCSettings

Identity provider configuration for OIDC

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  identityProvider:
    oidc:
      clientId: 50076fd0b8f911eb85290242ac130003
      scopes: ['email', 'profile']
      redirectUri: https://example.com/iam/v2/oidc/callback
      providerConfig:
        dynamic:
          configurationUri: https://accounts.google.com/.well-known/openid-configuration
      offlineAccessConfig:
        deviceCodeAuth:
          clientId: 981174759bab4dc49d0072294900eade

Field	Description	Validation Rule
clientId	string REQUIRED The client ID from the OIDC provider's application configuration settings.	string = { min_len: `1` }
scopes	List of string Scopes passed to the OIDC provider in the Authentication Request. Required scope 'openid' is included by default, any additional scopes will be appended in the Authorization Request. Additional scopes such as 'profile' or 'email' are generally required if user records in TSB can not be identified with the ID Token 'sub' claim alone.	–
redirectUri	string REQUIRED The public URI where TSB is accessed. This is the location where the OIDC provider will redirect after authentication and must be registered with the OIDC provider. TSB requires that the path matches /iam/v2/oidc/callback. For example, if TSB is accessed via https://example.com, then this setting should be https://example.com/iam/v2/oidc/callback and the OIDC provider application setting for the Redirect URI must match this.	string = { uri: `true` }
authorizationParams	map<string, string> OPTIONAL Optional parameters that will be included in the authorization request to the authorization endpoint. This provides a way to add non standard or optional query parameters to the authorization request. Required parameters such as "client_id", "scope, "state" and "redirect_uri" will take precedence over any parameters defined here. In other words, setting any of these parameters here will not have any effect and will be replaced by other TSB configuration.	–
maxExpirationSeconds	int32 OPTIONAL Optional max expiration time of issued tokens. When greater than 0 this sets an upper bounds on the token expiration. If not provided or if the value is greater than the token expiration issued by the OIDC provider then the OIDC provider expiration time takes precedence.	–
providerConfig	tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.ProviderSettings REQUIRED OIDC provider configuration. Either dynamic or static configuration can be used. When dynamic configuration is set the TSB operator will configure OIDC settings discovered through the provider's configuration endpoint. If the provider doesn't have a configuration endpoint you can set the required OIDC settings using static values.	message = { required: `true` }
offlineAccessConfig	tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessSettings OPTIONAL Optional OIDC settings specific to offline access. When specified these settings take precedence over top-level OIDC settings.	–

DynamicSettings

Dynamically configures OIDC client settings using values from the OIDC provider's well-known OIDC configuration endpoint.

Field	Description	Validation Rule
configurationUri	string REQUIRED OIDC provider's well-known OIDC configuration URI. When set TSB will automatically configure the OIDC client settings for the Authorization Endpoint, Token Endpoint and JWKS URI from the OIDC Provider's configuration URI.	string = { uri: `true` }

OfflineAccessOverrides

OIDC settings that can be used to override top-level settings for offline access.

Field	Description	Validation Rule
clientId	string OPTIONAL The client ID from the OIDC provider's application configuration settings.	–
scopes	List of string Scopes passed to the OIDC provider in the Device Code request Required scope 'openid' is included by default, any additional scopes will be appended in the Device Code Authorization request. Additional scopes such as 'profile' or 'email' are generally required if user records in TSB can not be identified with the ID Token 'sub' claim alone.	–
skipClientIdCheck	bool OPTIONAL Instructs JWT validation to ignore the 'aud' claim. When set to true, comparisons between the 'aud' claim in the JWT token and the 'client_id' in the OIDC provider's configuration will be skipped.	–
providerConfig	tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.ProviderSettings OPTIONAL OIDC provider configuration. Either dynamic or static configuration can be used. When dynamic configuration is set the TSB operator will configure OIDC settings discovered through the provider's configuration endpoint. If the provider doesn't have a configuration endpoint you can set the required OIDC settings using static values.	–

OfflineAccessSettings

Optional OIDC settings specific to offline access. When specified these settings take precedence over top-level OIDC settings.

Field	Description	Validation Rule
deviceCodeAuth	tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessOverrides OPTIONAL OIDC settings for Device Code Authorization grant used with offline access. Any settings applied here override top-level OIDC configuration.	–
tokenExchange	tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessOverrides OPTIONAL OIDC settings for Token Exchange grant used with offline access. Any settings applied here override top-level OIDC configuration.	–

ProviderSettings

OIDC provider's configuration. Either dynamic or static configuration can be used. When dynamic configuration is set the TSB operator will configure OIDC settings discovered through the provider's configuration endpoint. If the provider doesn't have a configuration endpoint you can set the required OIDC settings using static values.

Field	Description	Validation Rule
dynamic	tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.DynamicSettings ^{oneof _provider_settings}	–
static	tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.StaticSettings ^{oneof _provider_settings}	–

StaticSettings

Allows to statically configure OIDC client settings if the OIDC provider doesn't have a configuration endpoint.

Field	Description	Validation Rule
authorizationEndpoint	string REQUIRED The Authorization Endpoint for the OIDC provider.	string = { uri: `true` }
tokenEndpoint	string REQUIRED The Token Endpoint for the OIDC provider.	string = { uri: `true` }
jwksUri	string ^{oneof _jwks_setting} URI for the OIDC provider's JSON Web Key Sets. This can be found in the OIDC provider's configuration response. The JWKS are used for token verification.	string = { uri: `true` }
jwks	string ^{oneof _jwks_setting} JSON string with the OIDC provider's JSON Web Key Sets. In general the URI for the Key Set is the preferred method for configuring JWKS. This setting is provided in case the provider doesn't publish JWKS via a public URI.	string = { min_len: `1` }
deviceCodeEndpoint	string OPTIONAL The Device Code endpoint for the OIDC provider. This is optional but required when using the Device Code authentication flow.	–
introspectionEndpoint	string OPTIONAL The Introspection endpoint for the OIDC provider. This is optional and used as an authentication source for the Token Exchange flow.	–

PostgresSettings

Detail connection details for Postgres

NOTE: TSB does not make any specific schema selection. It defaults to the search_path set by the user/role specified in the connection settings. By default this will result in using the public schema. If you need to use a different schema, update the search_path of the Postgres user accordingly.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  dataStore:
    postgres:
      address: "postgres:5432"
      sslMode: verify_full
      connectionLifetime: "8500s"
      name: tsb

Field	Description	Validation Rule
host	string Deprecated. Use the 'address' field instead. Postgres host address (can be hostname or IP address).	–
port	int32 Deprecated. Use the 'address' field instead. Port Postgres is listening on.	–
sslMode	tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.SSLMode For more details about each of these options please refer to https://www.postgresql.org/docs/current/libpq-ssl.html	–
connectionLifetime	string How long a connection lives before it is killed and recreated. A value of zero means connections are not closed due to their age.	–
name	string The name of the database TSB will use in Postgres. The database needs to exist unless TSB is using the demo installation.	–
address	string REQUIRED The address of the database instance. E.g. my-postgres.com:5432	string = { min_len: `1` }
connectionIdleLifetime	string How long an connection lives before it is killed. A value of zero means connections are not closed due to idle time.	–
connectionMaxOpen	int32 Maximum number of concurrent open connections. Defaults to 0 (unlimited).	–
connectionIdleMaxOpen	int32 Maximum number of concurrent open idle connections. Defaults to 2. A value of 0 means no idle connections are retained. If the `connection_max_open` value is set, then this value will be adjusted automatically in order to always be <= the `connection_max_open.	–
azureIdentity	tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.AzureManagedIdentity ^{oneof _managed_identity} Uses Azure Active Directory for authenticating with PostgreSQL.	–

AzureManagedIdentity

AzureManagedIdentity holds the static data needed to authenticate a PostgreSQL hosted at Azure from an Azure workload via Azure Active Directory. Ref: https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-azure-ad-authentication

Field	Description	Validation Rule
clientId	string REQUIRED Client ID of an Azure application that has permissions to access the key vault secrets, where the postgres password is stored.	string = { min_len: `1` }
userName	string REQUIRED The username needs to be statically provided. The password will be gathered via AAD token.	string = { min_len: `1` }
tokenTtl	google.protobuf.Duration Token TTL. Minimum is 3600 seconds. See https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens	duration = { gte: `{nanos:0}` }

MmapConfigurationMode

MmapConfigurationMode defines the available memory-mapping configuration modes. By default, Elasticsearch uses memory mapping (mmap) to efficiently access indices. Usually, default values for virtual address space on Linux distributions are too low for Elasticsearch to work properly, which may result in out-of-memory exceptions. This setting allows you to control the use of memory-mapping and the ability to adjust kernel settings. For more details on memory-mapping and its implications on Elasticsearch performance, refer to the Elasticsearch documentation on virtual memory settings. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-virtual-memory.html Kernel documentation on the maximum number of memory map areas a process may have: https://docs.kernel.org/admin-guide/sysctl/vm.html?highlight=vm+txt#max-map-count

Field	Number	Description
INVALID	0
DISABLED	1	DISABLED disables the use of memory-mapping for storing indices, which may affect performance and is recommended only in environments where the creation of many memory maps is restricted. This mode will configure the Elasticsearch nodes with `node.store.allow_mmap: false`. For more details on memory-mapping and its implications on Elasticsearch performance, refer to the Elasticsearch documentation on virtual memory settings. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-virtual-memory.html
CLUSTERS_DEFAULT	2	CLUSTERS_DEFAULT specifies that the memory-mapping configuration will defer to the `vm.max_map_count` setting currently established on the Kubernetes cluster nodes. This mode is optimal for scenarios where the memory-mapping configuration is managed manually or through other automation processes outside of the ECK operator. It assumes that the necessary kernel settings adjustments have been pre-configured on each node to meet Elasticsearch's performance and operational requirements.
PRIVILEGED	3	PRIVILEGED enables the use of privileged containers to adjust the `vm.max_map_count` kernel setting to 262144. This mode is recommended in environments where such adjustments are permissible and you don't want to manually adjust the kernel settings.

TLSProtocol

Field	Number	Description
TLS_AUTO	0	Envoy will choose the optimal TLS version.
TLSv1_0	1
TLSv1_1	2
TLSv1_2	3
TLSv1_3	4

Protocol

The list of supported protocols to communicate with Elasticsearch.

Field	Number	Description
https	0
http	1

Algorithm

Field	Number	Description
RS256	0	RSA / SHA-256
RS384	1	RSA / SHA-384
RS512	2	RSA / SHA-512
PS256	3	RSA-PSS / SHA-256
PS384	4	RSA-PSS / SHA-384
PS512	5	RSA-PSS / SHA-512
ES256	6	ECDSA / SHA-256
ES384	7	ECDSA / SHA-384
ES512	8	ECDSA / SHA-512
HS256	9	HMAC / SHA-256
HS384	10	HMAC / SHA-384
HS512	11	HMAC / SHA-512

SSLMode

For more details about each of these options please refer to https://www.postgresql.org/docs/current/libpq-ssl.html

Field	Number	Description
require	0
allow	1
prefer	2
disable	3
verify_ca	4
verify_full	5

ManagementPlaneComponentSet​

ManagementPlaneHighAvailabilitySettings​

ManagementPlaneSpec​

DataStore​

IdentityProvider​

OrgSyncSettings​

MeshObservability​

TelemetryStore​

TokenIssuer​

Partition​

Authentication​

Jwt​

For example:​

apiVersion: v1 kind: Secret metadata: name: tsb-iam-jwks-us-east namespace: tsb type: Opaque data: jwks: base64({ JWKS })​

Endpoint​

For example:​

AWSController​

ApiServer​

ECK​

Data​

Master​

Operator​

FrontEnvoy​

IamServer​

Kubegres​

MPC​

N2AC​

Component​

NGAC​

Oap​

StorageIndexSetting​

OpenTelemetryCollector​

WebUI​

XCP​

CentralAuthModes​

AWSSettings​

LatticeSettings​

ProviderSettings​

AzureSyncSettings​

CertIssuer​

ClusterIntermediateCASettings​

SelfSignedCertIssuer​

TsbCertsSettings​

ElasticSearchSettings​

EmbeddedElasticSearchSettings​

EmbeddedPostgresSettings​

JWTSettings​

Issuer​

LDAPSettings​

IAM​

Search​

Sync​

LocalSettings​

OIDCSettings​

DynamicSettings​

OfflineAccessOverrides​

OfflineAccessSettings​

ProviderSettings​

StaticSettings​

PostgresSettings​

AzureManagedIdentity​

MmapConfigurationMode​

TLSProtocol​

Protocol​

Algorithm​

SSLMode​

ManagementPlaneComponentSet

ManagementPlaneHighAvailabilitySettings

ManagementPlaneSpec

DataStore

IdentityProvider

OrgSyncSettings

MeshObservability

TelemetryStore

TokenIssuer

Partition

Authentication

Jwt

For example:

apiVersion: v1 kind: Secret metadata: name: tsb-iam-jwks-us-east namespace: tsb type: Opaque data: jwks: base64({ JWKS })

Endpoint

For example:

AWSController

ApiServer

ECK

Data

Master

Operator

FrontEnvoy

IamServer

Kubegres

MPC

N2AC

Component

NGAC

Oap

StorageIndexSetting

OpenTelemetryCollector

WebUI

XCP

CentralAuthModes

AWSSettings

LatticeSettings

ProviderSettings

AzureSyncSettings

CertIssuer

ClusterIntermediateCASettings

SelfSignedCertIssuer

TsbCertsSettings

ElasticSearchSettings

EmbeddedElasticSearchSettings

EmbeddedPostgresSettings

JWTSettings

Issuer

LDAPSettings

IAM

Search

Sync

LocalSettings

OIDCSettings

DynamicSettings

OfflineAccessOverrides

OfflineAccessSettings

ProviderSettings

StaticSettings

PostgresSettings

AzureManagedIdentity

MmapConfigurationMode

TLSProtocol

Protocol

Algorithm

SSLMode