Management Plane

ManagementPlane resource exposes a set of configurations necessary to automatically install the Service Bridge management plane on a cluster. The installation API is an override API so any unset fields that are not required will use sensible defaults.

Prior to creating the ManagementPlane resource, verify that the following secrets exist in the namespace the management plane will be installed into:

• tsb-certs
• ldap-credentials
• custom-host-ca (if you are using TLS connection and need a custom CA to connect to LDAP host)
• postgres-credentials (non-demo deployments)
• admin-credentials
• es-certs (if your Elasticsearch is using a self-signed certificate)
• elastic-credentials (if your Elasticsearch backend requires authentication)

A resource containing only the container registry hub will install a demo of Service Bridge, create a tenant called Tetrate and install local instances of external dependencies, such as Postgres, Elasticsearch, and LDAP server.
Please note that these local instances are for demonstrative purposes only and should not be used in production. Production setups should point to a user managed Postgres and Elasticsearch as well as the enterprise LDAP server.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate

To move from the demo installation to production readiness, configure the top level settings that enable TSB to connect to external dependencies. When one of these settings stanzas are added the operator will delete the relevant demo component and configure the management plane to talk to the dependencies described.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  dataStore:
    postgres:
      host: postgres
      port: 1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key

Top level settings deal with higher level concepts like persistence, but some configuration can also be overridden per component. For example, to configure the team synchronization schedule in the API server, set the schedule field in the apiServer component

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  components:
    apiServer:
      teamSyncSchedule: 17 * * * *
  dataStore:
    postgres:
      host: postgres
      port: 1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key

To configure infrastructure specific settings such as resource limits on the deployment in Kubernetes, set the relevant field in a component. Remember that the installation API is an override API so if these fields are unset the operator will use sensible defaults. Only a subset of Kubernetes configuration is available and only for individual components.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  components:
    collector:
      kubeSpec:
        deployment:
          resources:
            limits:
              memory: 500Mi
            requests:
              memory: 750Mi
  dataStore:
    postgres:
      host: postgres
      port: 1234
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key

ApiServer

Application and Kubernetes settings for the API server component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesJobComponentSpec Configure Kubernetes specific settings	–
teamSyncSchedule	string The schedule on which to synchronize teams with the configured identity provider Standard five field cron format. For example, "0 * * * *" triggers the sync hourly at minute 0.	–

ElasticSearchSettings

Configure an Elasticsearch connection.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
      protocol: https
      selfSigned: true
      version: 7

Field	Description	Validation Rule
host	string REQUIRED Elasticsearch host address (can be hostname or IP address).	string = {   address: true }
port	int32 REQUIRED Port Elasticsearch is listening on.	int32 = {   lte: 65535   gte: 1 }
protocol	tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings.Protocol Protocol to communicate with Elasticsearch, defaults to https.	–
selfSigned	bool Use Self-Signed certificates. The Self-signed CA bundle and key must be in a secret called es-certs.	–
version	int32 Major version of the Elasticsearch cluster. Currently supported Elasticsearch major versions are 6 and 7	int32 = {   lte: 7   gte: 6 }

Protocol

The list of supported protocols to communicate with Elasticsearch.

Name	Number	Description
https	0
http	1

FrontEnvoy

Application and Kubernetes settings for the FrontEnvoy component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–
authenticationTimeout	google.protobuf.Duration Configure the timeout when making an authentication request to the IAM server	–
port	int32 Configure the management plane ingress port	–
TLSMinimumProtocolVersion	tetrateio.api.install.managementplane.v1alpha1.TLSProtocol The minimum TLS protocol version to use. TLS_AUTO defaults to TLSv1_0 for servers.	–
cipherSuites	List of string If set, only the specified cipher list will be supported when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If the list of custom cipher suites is not set, a default list of cipher suites will be used. Please refer to the following Envoy docs for a detailed list of the suppoerted and default cipher suites: https://www.envoyproxy.io/docs/envoy/v1.15.4/api-v3/extensions/transport_sockets/tls/v3/common.proto.html	–
ecdhCurves	List of string If set, the TLS connection will only support the specified ECDH curves. If not specified, the default curves will be used. Please refer to the following Envoy docs for a detailed list of the supported and default ECDH suites: https://www.envoyproxy.io/docs/envoy/v1.15.4/api-v3/extensions/transport_sockets/tls/v3/common.proto.html	–

IamServer

Kubernetes settings for the IAM server component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–

JWTSettings

Configure JWT based token issuance

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  tokenIssuer:
    jwt:
      expiration: 1h
      refreshExpiration: 720h
      tokenPruneInterval: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key
        audiences:
        - tetrate

Field	Description	Validation Rule
issuers	List of tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer Issuers is the list of issuers supported by the JWT token issuance. By default, the first configured issuer will be used to sign the tokens IAM issues upon successful login, but additional ones can be configured so that the JWT authentication provider accepts those tokens as valid ones.	–
expiration	google.protobuf.Duration Expiration is the duration issued tokens are valid for.	–
refreshExpiration	google.protobuf.Duration Refresh Expiration is the duration issued refresh tokens are valid for.	–
tokenPruneInterval	google.protobuf.Duration Token prune is the interval at which expired tokens pruned.	–

Issuer

Field	Description	Validation Rule
name	string Name that uniquely identifies the issuer in the system.	–
algorithm	tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer.Algorithm Algorithm used by this issuer to sign tokens.	–
signingKey	string The name of the file to use as the signing key. This key must be present in the tsb-certs secret or equivalent if using Vault. If set to tls.key, Service Bridge will sign tokens with the same private key it uses to serve the UI, this is not recommended for production use-cases.	–
audiences	List of string Audiences supported by this issuer. This is used on token validation. If the issuer defines no audiences, then the 'aud' claim will not be validated.	–

Algorithm

Name	Number	Description
RS256	0	RSA / SHA-256
RS384	1	RSA / SHA-384
RS512	2	RSA / SHA-512
PS256	3	RSA-PSS / SHA-256
PS384	4	RSA-PSS / SHA-384
PS512	5	RSA-PSS / SHA-512
ES256	6	ECDSA / SHA-256
ES384	7	ECDSA / SHA-384
ES512	8	ECDSA / SHA-512
HS256	9	HMAC / SHA-256
HS384	10	HMAC / SHA-384
HS512	11	HMAC / SHA-512

LDAPSettings

Detail connection and query mappings for LDAP

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
        timeout: 20s
        recursive: true
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember

Field	Description	Validation Rule
host	string REQUIRED LDAP server host address (can be hostname or IP address)	string = {   address: true }
port	int32 REQUIRED Port the LDAP server is listening on	int32 = {   lte: 65535   gte: 1 }
disableTLS	bool Disable secure connections to the LDAP server.	–
search	tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Search Configure common properties to be used when running queries against the LDAP server.	–
iam	tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.IAM Configure how IAM validates credentials against the LDAP server. The field are not exclusive; if both are configured, a direct match against the DN is attempted first and the filter based match will be used as a fallback.	–
sync	tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Sync Sync configures how existing users and groups are retrieved from the LDAP server.	–

IAM

Field	Description	Validation Rule
matchDN	string REQUIRED Configure how a user can be directly bound to a DN pattern. If all users can be found with a given pattern, we can bind them directly. Otherwise, a MatchFilter should be configured to perform a search of the DN for the given user. In Active Directory the bind operation is directly done using the username (in the user@domain form) so when connecting to an AD instance this should be set to just: %s.	string = {   min_len: 1 }
matchFilter	string REQUIRED The pattern used to search for a user DN. This will be used when the user DN cannot be directly resolved by matching the configured MatchDN. Here are some example search patterns for common LDAP implementations: - OpenLDAP: "CN=%s,CN=Users" - Active Directory: "(&(objectClass=user)(samAccountName=%s))"	string = {   min_len: 1 }

Search

Field	Description	Validation Rule
baseDN	string REQUIRED The location at which LDAP search operations will start from.	string = {   min_len: 1 }
recursive	bool Recursively search the LDAP tree.	–
timeout	google.protobuf.Duration The timeout when querying the LDAP server. If omitted, the query is bound by the timeout set by the LDAP server.	–

Sync

Field	Description	Validation Rule
usersFilter	string REQUIRED The LDAP filter that will be used to fetch all the users that are to be synced to TSB. e.g. "(objectClass=user)"	string = {   min_len: 1 }
groupsFilter	string REQUIRED The LDAP filter that will be used to fetch all the groups that are to be synced to TSB. e.g. "(objectClass=group)"	string = {   min_len: 1 }
membershipAttribute	string REQUIRED The name of the attribute in a Group record returned from LDAP that represents a member of the group. e.g. "member"	string = {   min_len: 1 }

MPC

Kubernetes settings for the MPC component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–

ManagementPlaneComponentSet

The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for each individual component.

Field	Description	Validation Rule
apiServer	tetrateio.api.install.managementplane.v1alpha1.ApiServer	–
iamServer	tetrateio.api.install.managementplane.v1alpha1.IamServer	–
webUI	tetrateio.api.install.managementplane.v1alpha1.WebUI	–
frontEnvoy	tetrateio.api.install.managementplane.v1alpha1.FrontEnvoy	–
oap	tetrateio.api.install.managementplane.v1alpha1.Oap	–
zipkin	tetrateio.api.install.managementplane.v1alpha1.Zipkin	–
collector	tetrateio.api.install.managementplane.v1alpha1.OpenTelemetryCollector	–
xcp	tetrateio.api.install.managementplane.v1alpha1.XCP	–
mpc	tetrateio.api.install.managementplane.v1alpha1.MPC	–

ManagementPlaneSpec

ManagementPlaneSpec defines the desired installed state of TSB management plane components. Specifying a minimal ManagementPlaneSpec with hub set results in a demo installation.

Field	Description	Validation Rule
hub	string REQUIRED TSB container hub path e.g. docker.io/tetrate.	string = {   min_len: 1 }
tenant	string Deprecated. Use organization instead. The name of the tenant to be used across the management plane.	–
organization	string The name of the organization to be used across the management plane	–
components	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneComponentSet The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for individual components.	–
dataStore	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.DataStore Configure the data store for TSB to persist its data to. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install a demo grade data store.	–
telemetryStore	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TelemetryStore Configure the store that TSB will use to persist application telemetry data This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install a demo grade telemetry store.	–
identityProvider	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider Configure the Identity Provider TSB will use as the source of users. This identity provider is used for user authentication and to periodically synchronize the information of existing users and groups into the platform. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install a demo identity provider.	–
tokenIssuer	tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TokenIssuer Configure the Token Issuer TSB will use to mint tokens upon initial authentication with the identity provider. This token is used to authenticate any subsequent internal requests in TSB. This is a mandatory setting for production. If omitted, the operator will use an insecure default.	–

DataStore

Configure the data store for TSB to persist its data to. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install a demo grade data store. Select one of the DataStore settings to see complete examples.

Field	Description	Validation Rule
postgres	tetrateio.api.install.managementplane.v1alpha1.PostgresSettings	–

IdentityProvider

Configure the Identity Provider TSB will use as the source of users. This identity provider is used for user authentication and to periodically synchronize the information of existing users and groups into the platform. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install a demo identity provider. Select one of the IdentityProvider settings to see complete examples.

Field	Description	Validation Rule
ldap	tetrateio.api.install.managementplane.v1alpha1.LDAPSettings	–

TelemetryStore

Configure the store that TSB will use to persist application telemetry data This is a mandatory setting for production. If omitted, the operator will assume a demo installation and for your convenience install a demo grade telemetry store. Select one of the TelemetryStore settings to see complete examples.

Field	Description	Validation Rule
elastic	tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings	–

TokenIssuer

Configure the Token Issuer TSB will use to mint tokens upon initial authentication with the identity provider. This token is used to authenticate any subsequent internal requests in TSB. This is a mandatory setting for production. If omitted, the operator will use an insecure default. Select one of the TokenIssuer settings to see complete examples.

Field	Description	Validation Rule
jwt	tetrateio.api.install.managementplane.v1alpha1.JWTSettings	–

Oap

Kubernetes settings for the OAP (SkyWalking) component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–

OpenTelemetryCollector

Kubernetes settings for the OpenTelemetry Collector component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–

PostgresSettings

Detail connection details for Postgres

NOTE: TSB does not make any specific schema selection. It defaults to the search_path set by the user/role specified in the connection settings. By default this will result in using the public schema. If you need to use a different schema, update the search_path of the Postgres user accordingly.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  dataStore:
    postgres:
      address: "postgres:5432"
      sslMode: verify_full
      connectionLifetime: "8500s"
      name: tsb

Field	Description	Validation Rule
host	string Deprecated. Use the 'address' field instead. Postgres host address (can be hostname or IP address).	–
port	int32 Deprecated. Use the 'address' field instead. Port Postgres is listening on.	–
sslMode	tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.SSLMode For more details about each of these options please refer to https://www.postgresql.org/docs/current/libpq-ssl.html	–
connectionLifetime	string How long a connection lives before it is killed and recreated.	–
name	string The name of the database TSB will use in Postgres. If this database doesn't exist, TSB will create one.	–
address	string REQUIRED The address of the database instance. E.g. my-postgres.com:5432	string = {   min_len: 1 }
connectionIdleLifetime	string How long an connection lives before it is killed. A value of zero means connections are not closed due to idle time.	–
connectionMaxOpen	int32 Maximum number of concurrent open connections. Defaults to 0 (unlimited).	–
connectionIdleMaxOpen	int32 Maximum number of concurrent open idle connections. Defaults to 2. A value of 0 means no idle connections are retained. If the connection_max_open value is set, then this value will be adjusted automatically in order to always be <= the `connection_max_open.	–

SSLMode

For more details about each of these options please refer to https://www.postgresql.org/docs/current/libpq-ssl.html

Name	Number	Description
require	0
allow	1
prefer	2
disable	3
verify_ca	4
verify_full	5

TLSProtocol

Name	Number	Description
TLS_AUTO	0	Envoy will choose the optimal TLS version.
TLSv1_0	1
TLSv1_1	2
TLSv1_2	3
TLSv1_3	4

WebUI

Kubernetes settings for the WebUI component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings Although possible via the Kubernetes settings, the WebUI does not support multiple instances. Therefore you should not set replicaCount or an hpaSpec	–

XCP

Application and Kubernetes settings for the XCP component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings	–

Zipkin

Kubernetes settings for the Zipkin component.

Field	Description	Validation Rule
kubeSpec	tetrateio.api.install.kubernetes.KubernetesJobComponentSpec Configure Kubernetes specific settings	–