Management Plane
The ManagementPlane resource exposes the configuration needed to install the Service Bridge management plane on a cluster automatically. The installation API is an override API: any unset field that is not required takes a sensible default.
Before creating the ManagementPlane resource, verify that the following secrets exist in the namespace the management plane will be installed into:
- tsb-certs
- ldap-credentials
- custom-host-ca (if the LDAP connection uses TLS and the server certificate is issued by a custom CA)
- postgres-credentials (non-demo deployments)
- admin-credentials
- es-certs (if your Elasticsearch uses a self-signed certificate)
- elastic-credentials (if your Elasticsearch backend requires authentication)
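The list above depends partly on which stanzas the spec sets. The following pre-flight check is an added example, not TSB operator code: it takes the `spec:` section of the manifest loaded into a dict, derives the secrets that are definitely required from the list above (`postgres-credentials` when `dataStore.postgres` is set, `es-certs` when `selfSigned` is true), separates out the two whose need the spec cannot tell you, and reports which required names are missing from a set of secret names already in the namespace. The sample spec and namespace contents are constructed.

```python
"""Pre-flight check: the Kubernetes Secrets a ManagementPlane spec needs.

Added example, not part of the TSB operator. The mapping from spec stanzas to
secret names follows the list on this page; the spec is the `spec:` section of
the manifest loaded into a dict. `custom-host-ca` and `elastic-credentials`
depend on facts the spec does not carry (a private LDAP CA, Elasticsearch
authentication), so they are reported separately for a manual check.
"""
from __future__ import annotations

# Needed by every installation, demo or production.
ALWAYS_REQUIRED = ("tsb-certs", "ldap-credentials", "admin-credentials")


def required_secrets(spec: dict) -> set[str]:
    """Secret names this spec definitely needs before the resource is created."""
    required = set(ALWAYS_REQUIRED)
    if spec.get("dataStore", {}).get("postgres"):       # user-managed Postgres
        required.add("postgres-credentials")
    elastic = spec.get("telemetryStore", {}).get("elastic", {})
    if elastic.get("selfSigned"):                       # self-signed Elasticsearch
        required.add("es-certs")
    return required


def conditional_secrets(spec: dict) -> set[str]:
    """Secrets whose need the spec cannot tell you; confirm them by hand."""
    conditional: set[str] = set()
    ldap = spec.get("identityProvider", {}).get("ldap")
    if ldap and not ldap.get("disableTLS", False):      # TLS on: the CA may be private
        conditional.add("custom-host-ca")
    if spec.get("telemetryStore", {}).get("elastic"):   # Elasticsearch may require auth
        conditional.add("elastic-credentials")
    return conditional


def missing_secrets(spec: dict, existing: set[str]) -> set[str]:
    """Required secrets absent from `existing`, the names already present in the
    namespace (for instance from `kubectl get secret -n <ns> -o name` with the
    `secret/` prefix stripped)."""
    return required_secrets(spec) - existing


# Constructed sample: the production spec from this page, values shortened.
PRODUCTION_SPEC = {
    "hub": "docker.io/tetrate",
    "dataStore": {"postgres": {"host": "postgres", "port": 1234}},
    "telemetryStore": {"elastic": {"host": "elastic", "port": 5678, "selfSigned": True}},
    "identityProvider": {"ldap": {"host": "ldap", "port": 389}},
    "tokenIssuer": {"jwt": {"expiration": "1h"}},
}

if __name__ == "__main__":
    have = {"tsb-certs", "admin-credentials"}   # constructed namespace contents
    print("missing:", sorted(missing_secrets(PRODUCTION_SPEC, have)))
    print("confirm manually:", sorted(conditional_secrets(PRODUCTION_SPEC)))
```

Run it against the real namespace by feeding `existing` with the names `kubectl` returns; a non-empty `missing` set means the operator will fail to start the affected component.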
A resource that sets only the container registry hub installs a demo of Service Bridge: it creates a tenant called Tetrate and installs local instances of the external dependencies (Postgres, Elasticsearch and an LDAP server). These local instances are for demonstration only and must not be used in production. Production setups point to a user-managed Postgres and Elasticsearch and to the enterprise LDAP server.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
```
To move from the demo installation to production readiness, configure the top-level settings that let TSB connect to external dependencies. When one of these stanzas is added, the operator deletes the corresponding demo component and configures the management plane to talk to the dependency described.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  dataStore:
    postgres:
      host: postgres
      port: 1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key
```
Top-level settings deal with higher-level concepts such as persistence, but some configuration can also be overridden per component. For example, to configure the team synchronization schedule in the API server, set the teamSyncSchedule field (a five-field cron expression) in the apiServer component:
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  components:
    apiServer:
      teamSyncSchedule: "17 * * * *"
  dataStore:
    postgres:
      host: postgres
      port: 1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key
```
To configure infrastructure-specific settings such as resource limits on the Kubernetes deployment, set the relevant field in a component. Remember that the installation API is an override API, so if these fields are unset the operator uses sensible defaults. Only a subset of Kubernetes configuration is available, and only for individual components. A resource request must not exceed the corresponding limit; the Kubernetes API server rejects a pod whose request is higher than its limit.

```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  components:
    collector:
      kubeSpec:
        deployment:
          resources:
            limits:
              memory: 750Mi
            requests:
              memory: 500Mi
  dataStore:
    postgres:
      host: postgres
      port: 1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key
```
ApiServer
Application and Kubernetes settings for the API server component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesJobComponentSpec | – |
| teamSyncSchedule | string | – |
ElasticSearchSettings
Configure an Elasticsearch connection.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
      protocol: https
      selfSigned: true
      version: 7
```
| Field | Type | Validation Rule |
|---|---|---|
| host | string | string = { |
| port | int32 | int32 = { |
| protocol | tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings.Protocol | – |
| selfSigned | bool | – |
| version | int32 | int32 = { |
Protocol
The list of supported protocols to communicate with Elasticsearch. https is value 0 and therefore the default when protocol is unset; choose http only for a backend that is reachable solely over a trusted network, since telemetry and any Elasticsearch credentials then cross the wire in cleartext.

| Name | Number | Description |
|---|---|---|
| https | 0 | |
| http | 1 | |
FrontEnvoy
Application and Kubernetes settings for the FrontEnvoy component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
| authenticationTimeout | google.protobuf.Duration | – |
| port | int32 | – |
| TLSMinimumProtocolVersion | tetrateio.api.install.managementplane.v1alpha1.TLSProtocol | – |
IamServer
Kubernetes settings for the IAM server component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
JWTSettings
Configure JWT-based token issuance.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  tokenIssuer:
    jwt:
      expiration: 1h
      refreshExpiration: 720h
      tokenPruneInterval: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key
        audiences:
        - tetrate
```
| Field | Type | Validation Rule |
|---|---|---|
| issuers | List of tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer | – |
| expiration | google.protobuf.Duration | – |
| refreshExpiration | google.protobuf.Duration | – |
| tokenPruneInterval | google.protobuf.Duration | – |
Issuer
| Field | Type | Validation Rule |
|---|---|---|
| name | string | – |
| algorithm | tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer.Algorithm | – |
| signingKey | string | – |
| audiences | List of string | – |
Algorithm
| Name | Number | Description |
|---|---|---|
| RS256 | 0 | RSA / SHA-256 |
| RS384 | 1 | RSA / SHA-384 |
| RS512 | 2 | RSA / SHA-512 |
| PS256 | 3 | RSA-PSS / SHA-256 |
| PS384 | 4 | RSA-PSS / SHA-384 |
| PS512 | 5 | RSA-PSS / SHA-512 |
| ES256 | 6 | ECDSA / SHA-256 |
| ES384 | 7 | ECDSA / SHA-384 |
| ES512 | 8 | ECDSA / SHA-512 |
| HS256 | 9 | HMAC / SHA-256 |
| HS384 | 10 | HMAC / SHA-384 |
| HS512 | 11 | HMAC / SHA-512 |

The HS* algorithms are symmetric: the same secret both signs and verifies, so every component that can verify a token can also mint one. Prefer an RS*, PS* or ES* algorithm with a private key as signingKey, which keeps the ability to issue tokens with the issuer alone.
LDAPSettings
Connection details and query mappings for LDAP.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
        timeout: 20s
        recursive: true
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
```
| Field | Type | Validation Rule |
|---|---|---|
| host | string | string = { |
| port | int32 | int32 = { |
| disableTLS | bool | – |
| search | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Search | – |
| iam | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.IAM | – |
| sync | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Sync | – |

Leave disableTLS at its default of false in production: with TLS disabled, the bind credentials and every user and group record synchronized from the directory cross the network in cleartext.
IAM
| Field | Type | Validation Rule |
|---|---|---|
| matchDN | string | string = { |
| matchFilter | string | string = { |
Search
| Field | Type | Validation Rule |
|---|---|---|
| baseDN | string | string = { |
| recursive | bool | – |
| timeout | google.protobuf.Duration | – |
Sync
| Field | Type | Validation Rule |
|---|---|---|
| usersFilter | string | string = { |
| groupsFilter | string | string = { |
| membershipAttribute | string | string = { |
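Both matchDN and matchFilter carry a `%s` placeholder that is filled with the login name the user typed. Whatever fills it must escape the name, otherwise a login such as `*)(uid=*` rewrites the filter and a login containing `,` rewrites the DN. The block below is an added example, not TSB code, and makes no claim about how the IAM server itself performs the substitution: it shows the RFC 4515 filter escaping and RFC 4514 DN escaping a practitioner would apply, or would test an identity provider integration against, using the two templates from the example above. The login names at the bottom are constructed inputs.

```python
"""Safely expand the LDAPSettings `%s` placeholders with a login name.

Added example; not TSB code. Filter values are escaped per RFC 4515 section 3
and DN attribute values per RFC 4514 section 2.4, so a hostile login name
cannot change the meaning of matchFilter or matchDN.
"""
from __future__ import annotations

# RFC 4515: backslash, parentheses, asterisk and NUL become \XX of their byte value;
# bytes above 0x7F are escaped the same way after UTF-8 encoding.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# RFC 4514: these are escaped anywhere; '#' only at the start; ' ' at start or end.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def expand_match_filter(match_filter: str, login: str) -> str:
    """Expand the single %s in matchFilter with a filter-escaped login name."""
    if match_filter.count("%s") != 1:
        raise ValueError("matchFilter must contain exactly one %s")
    return match_filter.replace("%s", escape_filter_value(login))


def expand_match_dn(match_dn: str, login: str) -> str:
    """Expand the single %s in matchDN with a DN-escaped login name."""
    if match_dn.count("%s") != 1:
        raise ValueError("matchDN must contain exactly one %s")
    return match_dn.replace("%s", escape_dn_value(login))


# The templates from this page's LDAPSettings example.
MATCH_DN = "cn=%s,ou=People,dc=tetrate,dc=io"
MATCH_FILTER = "(&(objectClass=person)(uid=%s))"

if __name__ == "__main__":
    for login in ("alice", "*)(uid=*", "alice,ou=Admins"):   # constructed inputs
        print(expand_match_filter(MATCH_FILTER, login))
        print(expand_match_dn(MATCH_DN, login))
```

A quick way to use this as a check rather than a library: bind to the directory with the expanded filter for a name such as `*)(uid=*` and confirm that the search matches nothing, which is what an escaping implementation must produce.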
MPC
Kubernetes settings for the MPC component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
ManagementPlaneComponentSet
The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for each individual component.
| Field | Type | Validation Rule |
|---|---|---|
| apiServer | – | – |
| iamServer | – | – |
| webUI | – | – |
| frontEnvoy | – | – |
| spmServer | – | – |
| oap | – | – |
| zipkin | – | – |
| collector | tetrateio.api.install.managementplane.v1alpha1.OpenTelemetryCollector | – |
| xcp | – | – |
| mpc | – | – |
ManagementPlaneSpec
ManagementPlaneSpec defines the desired installed state of TSB management plane components. Specifying a minimal ManagementPlaneSpec with hub set results in a demo installation.
| Field | Type | Validation Rule |
|---|---|---|
| hub | string | string = { |
| tenant | string | – |
| organization | string | – |
| components | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneComponentSet | – |
| dataStore | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.DataStore | – |
| telemetryStore | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TelemetryStore | – |
| identityProvider | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider | – |
| tokenIssuer | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TokenIssuer | – |
DataStore
Configure the data store TSB persists its data to. This is a mandatory setting for production. If omitted, the operator assumes a demo installation and, for your convenience, installs a demo-grade data store. Select one of the DataStore settings to see complete examples.

| Field | Type | Validation Rule |
|---|---|---|
| postgres | tetrateio.api.install.managementplane.v1alpha1.PostgresSettings | – |
IdentityProvider
Configure the identity provider TSB uses as the source of users. It serves user authentication and the periodic synchronization of existing users and groups into the platform. This is a mandatory setting for production. If omitted, the operator assumes a demo installation and, for your convenience, installs a demo identity provider. Select one of the IdentityProvider settings to see complete examples.

| Field | Type | Validation Rule |
|---|---|---|
| ldap | – | – |
TelemetryStore
Configure the store TSB uses to persist application telemetry data. This is a mandatory setting for production. If omitted, the operator assumes a demo installation and, for your convenience, installs a demo-grade telemetry store. Select one of the TelemetryStore settings to see complete examples.

| Field | Type | Validation Rule |
|---|---|---|
| elastic | tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings | – |
TokenIssuer
Configure the token issuer TSB uses to mint tokens after the initial authentication with the identity provider. The token authenticates every subsequent internal request in TSB. This is a mandatory setting for production: if omitted, the operator uses an insecure default. Select one of the TokenIssuer settings to see complete examples.

| Field | Type | Validation Rule |
|---|---|---|
| jwt | – | – |
Oap
Kubernetes settings for the OAP (SkyWalking) component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
OpenTelemetryCollector
Kubernetes settings for the OpenTelemetry Collector component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
PostgresSettings
Connection details for Postgres.

NOTE: TSB does not select a schema explicitly. It uses the search_path set for the user or role given in the connection settings, which by default resolves to the public schema. To use a different schema, update the search_path of the Postgres user accordingly.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  dataStore:
    postgres:
      address: "postgres:5432"
      sslMode: verify_full
      connectionLifetime: "8500s"
      name: tsb
```
| Field | Type | Validation Rule |
|---|---|---|
| host | string | – |
| port | int32 | – |
| sslMode | tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.SSLMode | – |
| connectionLifetime | string | – |
| name | string | – |
| address | string | string = { |
SSLMode
For details on each option refer to https://www.postgresql.org/docs/current/libpq-ssl.html. Only verify_ca and verify_full check the server certificate against a trusted CA, and only verify_full also checks that the certificate matches the host; disable, allow, prefer and require give no protection against an active attacker impersonating the database, so use verify_full in production.

| Name | Number | Description |
|---|---|---|
| require | 0 | |
| allow | 1 | |
| prefer | 2 | |
| disable | 3 | |
| verify_ca | 4 | |
| verify_full | 5 | |
SpmServer
Application and Kubernetes settings for the SPM server component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesJobComponentSpec | – |
| applicationSyncSchedule | string | – |
TLSProtocol
| Name | Number | Description |
|---|---|---|
| TLS_AUTO | 0 | Envoy will choose the optimal TLS version. |
| TLSv1_0 | 1 | |
| TLSv1_1 | 2 | |
| TLSv1_2 | 3 | |
| TLSv1_3 | 4 | |

TLS 1.0 and 1.1 are deprecated (RFC 8996). Set FrontEnvoy's TLSMinimumProtocolVersion to TLSv1_2 or TLSv1_3 unless a legacy client that cannot be upgraded has to reach the management plane.
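The hardening points spread across this reference (the demo-versus-production stanzas, ElasticSearchSettings.Protocol, LDAPSettings.disableTLS, PostgresSettings.SSLMode, JWTSettings.Issuer.Algorithm, FrontEnvoy.TLSMinimumProtocolVersion and the kubeSpec resource fields) are easy to miss in review. The lint below is an added example, not part of the TSB operator or its API: it takes the `spec:` section of a manifest as a dict and returns one finding per weak setting. The two sample specs are constructed, the finding texts are this example's own wording, and the treatment of an unset protocol as https and an unset sslMode as require is an inference from the enum numbering in the tables (value 0), not a documented operator default.

```python
"""Lint a ManagementPlane spec for the hardening points documented on this page.

Added example, not part of the TSB operator or its API. The spec is the
`spec:` section of the manifest loaded into a dict. Finding texts are this
example's own; the enum defaults below are inferred from value 0 in the tables.
"""
from __future__ import annotations
import re

WEAK_TLS_MIN = {"TLSv1_0", "TLSv1_1"}                       # deprecated by RFC 8996
WEAK_SSLMODE = {"disable", "allow", "prefer", "require"}    # no server-cert verification

_QUANTITY = re.compile(r"^(\d+)(Ki|Mi|Gi|k|M|G)?$")
_BYTES = {None: 1, "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3,
          "k": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_memory(text: str) -> int:
    """Kubernetes memory quantity such as '500Mi' -> bytes (memory units only)."""
    m = _QUANTITY.match(str(text))
    if not m:
        raise ValueError(f"unsupported quantity {text!r}")
    return int(m.group(1)) * _BYTES[m.group(2)]


def lint(spec: dict) -> list[str]:
    findings: list[str] = []
    # A missing top-level stanza keeps the demo component, or for tokenIssuer
    # the insecure default, that the page warns against in production.
    for key in ("dataStore", "telemetryStore", "identityProvider", "tokenIssuer"):
        if key not in spec:
            findings.append(f"{key} unset: demo component or insecure default in use")
    es = spec.get("telemetryStore", {}).get("elastic", {})
    if es.get("protocol", "https") == "http":
        findings.append("telemetryStore.elastic.protocol=http: telemetry sent in cleartext")
    ldap = spec.get("identityProvider", {}).get("ldap", {})
    if ldap.get("disableTLS"):
        findings.append("identityProvider.ldap.disableTLS=true: bind credentials sent in cleartext")
    pg = spec.get("dataStore", {}).get("postgres", {})
    mode = pg.get("sslMode", "require")
    if pg and mode in WEAK_SSLMODE:
        findings.append(f"dataStore.postgres.sslMode={mode}: server certificate not verified; use verify_full")
    jwt = spec.get("tokenIssuer", {}).get("jwt", {})
    for issuer in jwt.get("issuers", []):
        if str(issuer.get("algorithm", "RS256")).startswith("HS"):
            findings.append(f"issuer {issuer.get('name')}: HMAC algorithm, every verifier can also mint tokens")
    components = spec.get("components", {})
    if components.get("frontEnvoy", {}).get("TLSMinimumProtocolVersion") in WEAK_TLS_MIN:
        findings.append("frontEnvoy.TLSMinimumProtocolVersion below TLSv1_2")
    schedule = components.get("apiServer", {}).get("teamSyncSchedule")
    if schedule is not None and len(schedule.split()) != 5:
        findings.append("apiServer.teamSyncSchedule is not a five-field cron expression")
    for name, comp in components.items():   # requests above limits are rejected by Kubernetes
        res = comp.get("kubeSpec", {}).get("deployment", {}).get("resources", {})
        limit = res.get("limits", {}).get("memory")
        request = res.get("requests", {}).get("memory")
        if limit and request and parse_memory(request) > parse_memory(limit):
            findings.append(f"components.{name}: memory request {request} exceeds limit {limit}")
    return findings


# Constructed specs: one with every weak setting, one hardened.
WEAK_SPEC = {
    "hub": "docker.io/tetrate",
    "components": {
        "frontEnvoy": {"TLSMinimumProtocolVersion": "TLSv1_0"},
        "collector": {"kubeSpec": {"deployment": {"resources": {
            "limits": {"memory": "500Mi"}, "requests": {"memory": "750Mi"}}}}},
    },
    "dataStore": {"postgres": {"address": "postgres:5432", "sslMode": "disable", "name": "tsb"}},
    "telemetryStore": {"elastic": {"host": "elastic", "port": 5678, "protocol": "http"}},
    "identityProvider": {"ldap": {"host": "ldap", "port": 389, "disableTLS": True}},
    "tokenIssuer": {"jwt": {"expiration": "1h", "issuers": [
        {"name": "https://jwt.tetrate.io", "algorithm": "HS256", "signingKey": "hmac.key"}]}},
}
HARDENED_SPEC = {
    "hub": "docker.io/tetrate",
    "components": {
        "frontEnvoy": {"TLSMinimumProtocolVersion": "TLSv1_2"},
        "apiServer": {"teamSyncSchedule": "17 * * * *"},
        "collector": {"kubeSpec": {"deployment": {"resources": {
            "limits": {"memory": "750Mi"}, "requests": {"memory": "500Mi"}}}}},
    },
    "dataStore": {"postgres": {"address": "postgres:5432", "sslMode": "verify_full", "name": "tsb"}},
    "telemetryStore": {"elastic": {"host": "elastic", "port": 5678, "protocol": "https", "selfSigned": True}},
    "identityProvider": {"ldap": {"host": "ldap", "port": 389}},
    "tokenIssuer": {"jwt": {"expiration": "1h", "issuers": [
        {"name": "https://jwt.tetrate.io", "algorithm": "RS256", "signingKey": "tls.key"}]}},
}

if __name__ == "__main__":
    for finding in lint(WEAK_SPEC):
        print("WEAK:", finding)
    print("hardened:", lint(HARDENED_SPEC) or "no findings")
```

Wire `lint` into the pipeline that applies the manifest (load the YAML, pass `doc["spec"]`) and fail the apply on any finding; the hub-only demo spec from the top of this page produces four findings, one per missing stanza, which is the intended signal that it is not a production configuration.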
WebUI
Kubernetes settings for the WebUI component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
XCP
Application and Kubernetes settings for the XCP component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
Zipkin
Kubernetes settings for the Zipkin component.
| Field | Type | Validation Rule |
|---|---|---|
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesJobComponentSpec | – |