Skip to main content
logoTetrate Service BridgeVersion: 1.11.x

Install Tetrate Service Bridge from the AWS Container Marketplace

This document describes how to install Tetrate Service Bridge (TSB) in your Amazon Kubernetes (EKS) cluster through the AWS Container Marketplace.

note

This document is intended for users who have purchased Tetrate's AWS Container Marketplace offering. It will not work if you have not subscribed to the Tetrate Container Marketplace offering. Please contact Tetrate if you're interested in an AWS Marketplace Private Offer.

Overview of the Tetrate Operator

The Tetrate Operator is a Kubernetes Operator from Tetrate that makes it easier to install, deploy, and upgrade TSB. The AWS Container Marketplace offering for Tetrate Service Bridge installs a version of the Tetrate Operator in an EKS cluster. After that, TSB can be installed in any namespace in your EKS cluster. Throughout this document, it is assumed that the TSB will be installed in the tsb namespace.

Prerequisites for using the Tetrate Operator To use the Marketplace's Tetrate offering, make sure you meet the following requirements:

  • You have access to an EKS cluster (Kubernetes 1.16 or above) configured with IAM roles for service accounts.
  • You have cluster-admin access on the EKS cluster.
  • You have set up an EKS cluster, and you have kubectl setup.
  • You have downloaded tctl Installation

Create and configure the AWS IAM roles for your Kubernetes cluster

AWS IAM permissions are granted to Tetrate through the use of AWS's IAM roles for Kubernetes Service Accounts. This feature must be enabled at the cluster level. Create an IAM role for the Tetrate Operator pod named eks-tsb-operator, and configure it for use by EC2 per AWS guide. You will replace the trust relationship later. Then grant AWS managed policy AWSMarketplaceMeteringRegisterUsage to eks-tsb-operator.

Create the trust relationship on the IAM role. Use the following template and replace AWS_ACCOUNT_ID and OIDC_PROVIDER with appropriate values.

AWS_ACCOUNT_ID should be replaced with your AWS account ID.

OIDC_PROVIDER should be replaced with the OpenID Connect Provider URL for your Kubernetes cluster. You must remove the https:// prefix from the URL before replacement

For more details on IAM OIDC providers for EKS clusters, please refer to the official documentation

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"OIDC_PROVIDER:sub": "system:serviceaccount::tsb:tsb-operator-management-plane"
}
}
}
]
}

Install the Tetrate Operator and TSB Management Plane

Using the Tetrate CLI (tctl), generate the Kubernetes manifest for Tetrate Operator and install it into your Kubernetes cluster.

Generate the CRDs for TSB Management plane using the following command:

tctl install manifest management-plane-operator \
--registry 709825985650.dkr.ecr.us-east-1.amazonaws.com/tetrate-io > managementplaneoperator.yaml

Open the file managementplaneoperator.yaml you made above, and locate the ServiceAccount definition for tsb-operator-management-plane. Inside the YAML definition for the ServiceAccount, add the annotation section with the IAM role information so that the ServiceAccount can access it. Replace the AWS_ACCOUNT_ID in the annotation with your AWS account ID:

apiVersion: v1
kind: ServiceAccount
metadata:
labels:
platform.tsb.tetrate.io/application: tsb-operator-managementplane
platform.tsb.tetrate.io/component: tsb-operator
platform.tsb.tetrate.io/plane: management
name: tsb-operator-management-plane
namespace: 'tsb'
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::AWS_ACCOUNT_ID:role/eks-tsb-operator

Deploy the operator using kubectl, making sure that your Kubernetes context is pointed to the correct cluster:

kubectl apply -f managementplaneoperator.yaml

Deploying the Tetrate Operator may take a little bit of time. You can monitor its status by running the following command:

kubectl -n tsb get pod -owide

You should see some text resembling the example below. The operator is ready when the READY and STATUS columns have the values 1/1 and Running respectively.

kubectl -n tsb get pod -owide
Output
NAME                                             READY   STATUS    RESTARTS   AGE   IP               NODE                                              NOMINATED NODE   READINESS GATES
tsb-operator-management-plane-68c98756d5-n44d7 1/1 Running 0 71s 192.168.17.234 ip-192-168-24-207.ca-central-1.compute.internal <none> <none>

Follow the instructions on Management Plane installation and finish installing the Management Plane].

Accessing TSB UI

Obtain the ELB address assigned to the Management Plane by executing the following command:

kubectl -n tsb get svc -l=app=envoy
Output
NAME    TYPE           CLUSTER-IP       EXTERNAL-IP                                                                 PORT(S)                                         AGE
envoy LoadBalancer 10.100.157.254 a72dd70af1bf64e7d86a7352a9568ea1-952780637.ca-central-1.elb.amazonaws.com 8443:32457/TCP,9443:30475/TCP,42422:32238/TCP 10m

Assign a DNS record pointing to your ELB. Please refer to the official documentation for details.

Once you have the DNS records setup, you can access the Web UI using the URL https://<DNS Name>:8443.

Next steps

Please contact us if you have further questions.