Skip to main content
Version: 0.9.x


Data plane operator

The data plane operator, in charge of deploying the ingress gateways in Kubernetes, moves from control plane namespace (istio-system by default) to its own namespace. As a result, you should not upgrade the existing data plane operator deployment but deploy a new one instead.

Operator Configuration Values

The data plane operator installation needs some parameters described in the tetrate/install/tsboperator/config-values file.

This file lists a series of environment variables used by the operator deploy scripts and you can choose to set them in the file so you can source it every time you need to run the scripts or set them as environment variables in your shell to be picked up by the scripts.

The following documentation assumes that you edit the config-values file to suit your needs and that you have already sourced it in your current shell.

source tetrate/install/tsboperator/config-values

Deploy the new Data Plane Operator

The data plane operator will watch for TSB data plane configuration resources. Once deployed, you then configure gateways (Ingress, Egress or Tier1) as described by such resources. To deploy the TSB data plane operator use the provided script.


No data plane configurations need to be deployed at this point. Instead, you will create and deploy them as required when you need to deploy ingress gateways.

Upgrade gateways

The new data plane operator uses a new API for describing the ingress gateways. You will need to replace the existing custom resources by the equivalent ones with the new APIs. The new data plane operator in turn will take care of performing the necessary changes to upgrade the ingress gateways.

Once you have applied a new gateway CR for replacing an existing gateway, delete the correspondent DataPlaneConfig.

Cleanup old data plane operator

Once all gateways have been created using the new API, you can cleanup the old operator deployment in the control plane namespace.

kubectl -n ${CONTROL_NAMESPACE} delete clusterrolebinding/tsb-operator-data-plane svc/tsb-operator-metrics-data-plane deployment/tsb-operator-data-plane

New gateways deletion

Due to an issue present in upstream Istio operator, the data plane operator in TSB version 0.8.3 is unable to delete the associated Kubernetes resources deployed for a given gateway when such gateway is deleted. The result of this is that even if you delete the IngressGateway, EgressGateway or Tier1Gateway resources, the Kubernetes resources backing such gateway will not be deleted.

In order to clean up such resources, you will need to manually use kubectl to delete the following resources in the namespace where the gateway object was deployed to.


kubectl delete -n ${DATA_NAMESPACE} HorizontalPodAutoscaler ${GATEWAY_NAME}
kubectl delete -n ${DATA_NAMESPACE} Deployment ${GATEWAY_NAME}
kubectl delete -n ${DATA_NAMESPACE} PodDisruptionBudget ${GATEWAY_NAME}
kubectl delete -n ${DATA_NAMESPACE} Role ${GATEWAY_NAME}-sds
kubectl delete -n ${DATA_NAMESPACE} RoleBinding ${GATEWAY_NAME}-sds
kubectl delete -n ${DATA_NAMESPACE} Service ${GATEWAY_NAME}
kubectl delete -n ${DATA_NAMESPACE} ServiceAccount ${GATEWAY_NAME}-service-account

For instance, given the following IngressGateway:

kind: IngressGateway
name: middle
namespace: ingress
type: LoadBalancer

The value for DATA_NAMESPACE variable above would be ingress and GATEWAY_NAME would be middle.