
Complete the TSE Configuration

Now that you have installed TSE and perhaps onboarded one or more clusters, there are several steps you may wish to take to secure your installation.

This can wait!

You don't have to make this configuration now; it can be applied later, or skipped if you are installing TSE in a temporary sandbox.

Update the login credentials

If the Helm value.yaml file for the management plane was not adjusted before it was applied, the default TSE admin username and password are tse : tse. You should change the password promptly to secure this account.

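new_password="MyNewPassword"
# hex SHA-256 digest of the password, base64-encoded for the secret's data field
# (printf '%s' with a quoted variable hashes the password exactly, including spaces and special characters)
new_password_base64=$(printf '%s' "$new_password" | sha256sum | awk '{printf "%s", $1}' | base64 -w 0)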

# update the secret with the new value
kubectl patch secret local-user-credentials --type='json' -p='[{"op" : "replace" ,"path" : "/data/tse" ,"value" : "'$new_password_base64'"}]'

# restart the IAM service
kubectl -n tse rollout restart deployment iam

If you change the login credentials, don't forget to update the tctl configuration, as well as any API clients you may use:

tctl config users set tse --username tse --password "MyNewPassword" --org "tse" --tenant "tse"
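
The encoding step above, together with a check for whether the secret still holds the default password, as an added example that is not part of the TSE documentation. The function names and the password file name are hypothetical, and the check assumes the default tse password is stored with the same SHA-256-then-base64 encoding that the patch command writes.

```shell
# Added example (not from the TSE docs). Assumes GNU sha256sum and base64,
# as the page's own commands do.

# Read one password line on stdin and print the value the page's patch
# command writes to /data/tse: base64 of the hex SHA-256 digest.
# Reading stdin keeps the password out of argv and shell history, and
# printf '%s' hashes it byte-for-byte (spaces, '*', '$', leading '-').
encode_tse_password() {
  IFS= read -r _tse_pw || :          # accept input with or without a newline
  if [ -z "$_tse_pw" ]; then
    echo "refusing to encode an empty password" >&2
    return 1
  fi
  printf '%s' "$_tse_pw" | sha256sum | awk '{printf "%s", $1}' | base64 -w 0
}

# Succeed (exit 0) when the given .data.tse value is the encoding of the
# default password "tse". Assumption: the default uses the same encoding.
is_default_tse_password() {
  [ "$1" = "$(printf 'tse\n' | encode_tse_password)" ]
}

# Fetch the stored value and report whether it is still the default.
# Uses the same secret name and implicit namespace as the page's patch command.
# Returns 0 = changed, 1 = still default, 2 = secret could not be read.
audit_tse_secret() {
  _stored=$(kubectl get secret local-user-credentials \
    --output jsonpath='{.data.tse}') || return 2
  if is_default_tse_password "$_stored"; then
    echo "local-user-credentials still holds the default tse password" >&2
    return 1
  fi
  echo "tse password has been changed from the default"
}

# Usage (hypothetical file name):
#   new_password_base64=$(encode_tse_password < ./new-password.txt)
#   audit_tse_secret
```

Running audit_tse_secret after the IAM restart confirms that the patch replaced the default value rather than leaving tse : tse in place.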

Add Additional Users

The TSE admin tse account is built in to Tetrate Service Express. In a production deployment, you will most likely want to reserve this account for essential admin tasks, and provision other user accounts for team members and automation roles.

Refer to the TSE Administration Guide: Users chapter for detailed instructions on:

Add a DNS Name for the TSE Console

The TSE console is served through a front Envoy instance in the Management Plane installation. You can obtain the address of the AWS load balancer that serves this instance as follows:

ADDRESS=$(kubectl get svc -n "tse" envoy --output jsonpath='{.status.loadBalancer.ingress[0].hostname}')

For convenience, you may wish to configure a simple DNS name to point to the load balancer.

Update the TLS certificate for the TSE console

The TSE Console entry point is used by client web browsers, as well as internal TSE services. The simplest way to provide a secure, semi-public entry point for the TSE console is to deploy a proxy in front of it, exclusively for use by web browser traffic. You can also configure the tctl tool to use this alternative entry point.

For more information, please contact Tetrate support with specific requirements.