
Tetrate Service Express Management Plane configuration

The Tetrate Service Express (TSE) Management Plane consists of a set of containers running in the tse namespace in the Management Cluster.

Configuration is defined by a custom resource of type ManagementPlane, named managementplane:

kubectl get managementplane -n tse -o yaml

You can edit the Management Plane configuration as follows:

kubectl edit managementplane managementplane -n tse

Any changes are detected by the tsb-operator-management-plane operator and are applied.

Management Plane configuration

The Management Plane settings are documented in the TSE Reference Guide. You can modify the behaviour of the various components that make up the Management Plane, configuring features such as external authentication against an identity provider, or alternative data stores for configuration or telemetry.

Please consult Tetrate support before changing any of these settings.

Example Configuration change

The Management Plane is served through a frontEnvoy proxy service. The kubeSpec stanza declares Kubernetes-specific settings, and the front-end load balancer settings are found within.

You may wish to reconfigure the front-end load balancer to accept only internally sourced traffic. This is a common configuration for organizations that deploy an internal proxy (e.g. a jumpbox) to access internal services. You can edit the front-end load balancer settings by modifying this stanza:

spec:
  components:
    frontEnvoy:
      port: 443
      kubeSpec:
        service:
          type: LoadBalancer
          annotations:
            service.beta.kubernetes.io/aws-load-balancer-attributes: "load_balancing.cross_zone.enabled=true"
            service.beta.kubernetes.io/aws-load-balancer-type: nlb
            service.beta.kubernetes.io/aws-load-balancer-name: tse-gateway
            service.beta.kubernetes.io/aws-load-balancer-scheme: internal

If you make this change and re-apply the ManagementPlane resource, the tsb-operator-management-plane operator will then update the frontEnvoy component's configuration, reconfiguring the envoy service with the desired annotations. The AWS load balancer controller will then update the load balancing configuration for that service.

Note: To open the frontEnvoy to external traffic, you can set the aws-load-balancer-scheme to the value internet-facing.

Other load balancer configuration, such as aws-load-balancer-name, can also be added.

When you save this change, the TSE operator will redeploy the front-envoy component with the new load-balancing configuration. This can take several minutes to take effect.
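To confirm that the saved resource still requests an internal load balancer, the following added example (not part of the TSE documentation or tooling) reads the JSON form of the ManagementPlane resource and reports the frontEnvoy scheme annotation. The function names, the sample manifests and the policy that only an explicit internal value passes are assumptions made for this example.

```python
import json

SCHEME = "service.beta.kubernetes.io/aws-load-balancer-scheme"

def sample_manifest(annotations):
    # Constructed sample shaped like `kubectl get managementplane -n tse -o json`.
    service = {"type": "LoadBalancer", "annotations": annotations}
    return json.dumps({"kind": "List", "items": [{
        "kind": "ManagementPlane",
        "metadata": {"name": "managementplane", "namespace": "tse"},
        "spec": {"components": {"frontEnvoy": {
            "port": 443, "kubeSpec": {"service": service}}}},
    }]})

SAMPLE_EXTERNAL = sample_manifest({SCHEME: "internet-facing"})
SAMPLE_UNSET = sample_manifest({})

def front_envoy_scheme(resource):
    """Return the frontEnvoy scheme annotation, or 'unspecified' if absent."""
    components = (resource.get("spec") or {}).get("components") or {}
    front = components.get("frontEnvoy") or {}
    service = (front.get("kubeSpec") or {}).get("service") or {}
    return (service.get("annotations") or {}).get(SCHEME, "unspecified")

def audit(kubectl_json):
    """Return (name, scheme, ok) per ManagementPlane; ok only for explicit 'internal'."""
    doc = json.loads(kubectl_json)
    # `kubectl get` without a resource name returns a List wrapper.
    resources = doc["items"] if "items" in doc else [doc]
    results = []
    for res in resources:
        name = (res.get("metadata") or {}).get("name", "<unnamed>")
        scheme = front_envoy_scheme(res)
        results.append((name, scheme, scheme == "internal"))
    return results

if __name__ == "__main__":
    # Assumed policy for this example: anything but explicit "internal" needs review.
    for sample in (SAMPLE_EXTERNAL, SAMPLE_UNSET):
        for name, scheme, ok in audit(sample):
            print(f"{name}: frontEnvoy scheme={scheme} -> {'OK' if ok else 'REVIEW'}")
```

Against a live cluster, pass the output of kubectl get managementplane -n tse -o json to audit() in place of the constructed samples.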

Remember to reconfigure tctl

After making this change, wait several minutes for it to take effect, and then reconfigure tctl.