Version: 1.2.x

Management Plane

The ManagementPlane resource exposes the set of configuration needed to install the Service Bridge management plane on a cluster automatically. The installation API is an override API: any field that is not required and is left unset takes a sensible default.

Prior to creating the ManagementPlane resource, verify that the following secrets exist in the namespace the management plane will be installed into:

  • tsb-certs
  • ldap-credentials
  • custom-host-ca (if you connect to the LDAP host over TLS and need a custom CA to verify it)
  • postgres-credentials (non-demo deployments)
  • admin-credentials
  • es-certs (if your Elasticsearch is using a self-signed certificate)
  • elastic-credentials (if your Elasticsearch backend requires authentication)

A resource containing only the container registry hub installs a demo of Service Bridge: it creates a tenant called Tetrate and installs local instances of the external dependencies (Postgres, Elasticsearch and an LDAP server).
These local instances are for demonstration only and must not be used in production. Production setups should point to a user-managed Postgres and Elasticsearch and to the enterprise LDAP server.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate

To move from the demo installation to production readiness, configure the top level settings that let TSB connect to external dependencies. When one of these stanzas is added, the operator deletes the corresponding demo component and configures the management plane to talk to the dependency described.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  dataStore:
    postgres:
      address: "postgres:1234"
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key

Top level settings deal with higher level concepts like persistence, but some configuration can also be overridden per component. For example, to configure the team synchronization schedule in the API server, set the teamSyncSchedule field in the apiServer component.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  components:
    apiServer:
      teamSyncSchedule: "17 * * * *"
  dataStore:
    postgres:
      address: "postgres:1234"
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key

To configure infrastructure specific settings such as resource limits on the deployment in Kubernetes, set the relevant field in a component. Remember that the installation API is an override API so if these fields are unset the operator will use sensible defaults. Only a subset of Kubernetes configuration is available and only for individual components.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  hub: docker.io/tetrate
  components:
    collector:
      kubeSpec:
        deployment:
          resources:
            limits:
              memory: 750Mi
            requests:
              memory: 500Mi
  dataStore:
    postgres:
      address: "postgres:1234"
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
  tokenIssuer:
    jwt:
      expiration: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key
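Because the operator silently substitutes demo components for any stanza that is missing, it is worth checking a ManagementPlane spec before applying it. The following is an added example, not the TSB operator's own validation: a Python pre-flight lint over the decoded spec mapping that encodes the validation rules and production notes from the reference sections of this page (required fields, port and version ranges, the deprecated postgres host/port fields, the signingKey tls.key and disableTLS warnings, and the secrets each stanza requires), plus a Kubernetes request/limit sanity check and a few hardening checks that are my own (sslMode, Elasticsearch protocol, minimum TLS version). PROD_SPEC is constructed from the production example above with one deliberate mistake. The custom-host-ca and elastic-credentials secrets depend on settings outside the spec and are not inferred.

```python
import re

# Added pre-flight lint for a ManagementPlane spec: example code, not the TSB
# operator's own validation. `spec` is the decoded `spec:` mapping (a plain dict).
# Errors reproduce the validation rules from the reference tables on this page;
# warnings flag settings the page calls demo-only or not recommended for
# production, plus checks marked "hardening:" that are my own additions.

_UNITS = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
          "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}

def quantity(q):
    """Decode a Kubernetes resource quantity ('500Mi', '250m', '1') to a float."""
    m = re.fullmatch(r"([0-9.]+)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unsupported quantity {q!r}")
    return float(m.group(1)) * _UNITS[m.group(2)]

def _port_ok(p):
    return isinstance(p, int) and 1 <= p <= 65535

def lint(spec):
    """Return (errors, warnings, required_secrets) for a ManagementPlane spec."""
    errors, warnings = [], []
    secrets = ["tsb-certs", "ldap-credentials", "admin-credentials"]
    if not spec.get("hub"):
        errors.append("hub: REQUIRED (min_len 1)")
    for stanza in ("dataStore", "telemetryStore", "identityProvider", "tokenIssuer"):
        if stanza not in spec:
            warnings.append(f"{stanza} omitted: the operator installs a demo component or insecure default")
    pg = spec.get("dataStore", {}).get("postgres")
    es = spec.get("telemetryStore", {}).get("elastic")
    ldap = spec.get("identityProvider", {}).get("ldap")
    jwt = spec.get("tokenIssuer", {}).get("jwt")
    for prefix, obj in (("telemetryStore.elastic", es), ("identityProvider.ldap", ldap)):
        if obj is not None and not obj.get("host"):
            errors.append(f"{prefix}.host: REQUIRED (address)")
        if obj is not None and not _port_ok(obj.get("port")):
            errors.append(f"{prefix}.port: REQUIRED (1..65535)")
    if pg is not None:
        secrets.append("postgres-credentials")
        if not pg.get("address"):
            errors.append("dataStore.postgres.address: REQUIRED (host/port are deprecated)")
        if pg.get("sslMode", "require") not in ("verify_ca", "verify_full"):
            warnings.append("hardening: postgres.sslMode should be verify_ca or verify_full")
    if es is not None:
        if "version" in es and not 6 <= es["version"] <= 7:
            errors.append("telemetryStore.elastic.version: must be 6 or 7")
        if es.get("protocol", "https") == "http":
            warnings.append("hardening: elastic.protocol http sends credentials in clear text")
        if es.get("selfSigned"):
            secrets.append("es-certs")
    if ldap is not None:
        if ldap.get("disableTLS"):
            warnings.append("ldap.disableTLS: bind credentials are sent in clear text")
        for path in ("search.baseDN", "iam.matchDN", "iam.matchFilter",
                     "sync.usersFilter", "sync.groupsFilter", "sync.membershipAttribute"):
            sub, key = path.split(".")
            if not ldap.get(sub, {}).get(key):
                errors.append(f"identityProvider.ldap.{path}: REQUIRED (min_len 1)")
    for iss in (jwt or {}).get("issuers") or []:
        n = iss.get("name", "?")
        if iss.get("signingKey") == "tls.key":
            warnings.append(f"issuer {n}: signingKey tls.key reuses the UI serving key (not for production)")
        if not iss.get("audiences"):
            warnings.append(f"issuer {n}: no audiences, so the 'aud' claim is not validated")
    comps = spec.get("components", {})
    tls_min = comps.get("frontEnvoy", {}).get("TLSMinimumProtocolVersion", "TLS_AUTO")
    if tls_min in ("TLS_AUTO", "TLSv1_0", "TLSv1_1"):
        warnings.append(f"hardening: frontEnvoy.TLSMinimumProtocolVersion {tls_min} allows TLS < 1.2")
    for name, comp in comps.items():
        res = comp.get("kubeSpec", {}).get("deployment", {}).get("resources", {})
        for r, req in res.get("requests", {}).items():
            lim = res.get("limits", {}).get(r)
            if lim is not None and quantity(req) > quantity(lim):
                errors.append(f"components.{name}: {r} request {req} exceeds limit {lim}")
    return errors, warnings, secrets

# Constructed input: the production example from this page, with one deliberate
# mistake (a memory request above its limit) so the lint has something to find.
PROD_SPEC = {
    "hub": "docker.io/tetrate",
    "components": {
        "collector": {"kubeSpec": {"deployment": {"resources": {
            "limits": {"memory": "500Mi"}, "requests": {"memory": "750Mi"}}}}},
        "frontEnvoy": {"TLSMinimumProtocolVersion": "TLSv1_2"}},
    "dataStore": {"postgres": {"address": "postgres:5432", "sslMode": "verify_full", "name": "tsb"}},
    "telemetryStore": {"elastic": {"host": "elastic", "port": 5678, "selfSigned": True, "version": 7}},
    "identityProvider": {"ldap": {
        "host": "ldap", "port": 389, "search": {"baseDN": "dc=tetrate,dc=io"},
        "iam": {"matchDN": "cn=%s,ou=People,dc=tetrate,dc=io",
                "matchFilter": "(&(objectClass=person)(uid=%s))"},
        "sync": {"usersFilter": "(objectClass=person)", "groupsFilter": "(objectClass=groupOfUniqueNames)",
                 "membershipAttribute": "uniqueMember"}}},
    "tokenIssuer": {"jwt": {"expiration": "1h", "issuers": [{
        "name": "https://jwt.tetrate.io", "algorithm": "RS256",
        "signingKey": "tls.key", "audiences": ["tetrate"]}]}},
}
```

Decode the YAML with any loader and pass the spec mapping to lint(). Errors are what the operator's validation rules would reject; warnings are what to fix before calling the install production-ready, and the returned secret names are the ones to confirm exist in the target namespace before applying the resource.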

ApiServer

Application and Kubernetes settings for the API server component.

Fields:

  • kubeSpec (tetrateio.api.install.kubernetes.KubernetesJobComponentSpec): Configure Kubernetes specific settings.
  • teamSyncSchedule (string): The schedule on which to synchronize teams with the configured identity provider, in standard five-field cron format. For example, "0 * * * *" triggers the sync hourly at minute 0.

ElasticSearchSettings

Configure an Elasticsearch connection.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  telemetryStore:
    elastic:
      host: elastic
      port: 5678
      protocol: https
      selfSigned: true
      version: 7

Fields:

  • host (string, REQUIRED): Elasticsearch host address (can be hostname or IP address). Validation: string = { address: true }
  • port (int32, REQUIRED): Port Elasticsearch is listening on. Validation: int32 = { gte: 1, lte: 65535 }
  • protocol (tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings.Protocol): Protocol to communicate with Elasticsearch, defaults to https.
  • selfSigned (bool): Use self-signed certificates. The self-signed CA bundle and key must be in a secret called es-certs.
  • version (int32): Major version of the Elasticsearch cluster. Currently supported Elasticsearch major versions are 6 and 7. Validation: int32 = { gte: 6, lte: 7 }

Protocol

The list of supported protocols to communicate with Elasticsearch.

Values:

  • https (0)
  • http (1)

FrontEnvoy

Application and Kubernetes settings for the FrontEnvoy component.

Fields:

  • kubeSpec (tetrateio.api.install.kubernetes.KubernetesComponentSpec): Configure Kubernetes specific settings.
  • authenticationTimeout (google.protobuf.Duration): The timeout when making an authentication request to the IAM server.
  • port (int32): The management plane ingress port.
  • TLSMinimumProtocolVersion (tetrateio.api.install.managementplane.v1alpha1.TLSProtocol): The minimum TLS protocol version to use. TLS_AUTO defaults to TLSv1_0 for servers, so a production ingress should set this explicitly to TLSv1_2 or higher.
  • cipherSuites (list of string): If set, only the specified cipher list will be supported when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If no custom cipher suites are set, a default list is used. Please refer to the Envoy docs for the list of supported and default cipher suites: https://www.envoyproxy.io/docs/envoy/v1.15.4/api-v3/extensions/transport_sockets/tls/v3/common.proto.html
  • ecdhCurves (list of string): If set, the TLS connection will only support the specified ECDH curves. If not specified, the default curves are used. Please refer to the Envoy docs for the list of supported and default ECDH curves: https://www.envoyproxy.io/docs/envoy/v1.15.4/api-v3/extensions/transport_sockets/tls/v3/common.proto.html

IamServer

Kubernetes settings for the IAM server component.

Fields:

  • kubeSpec (tetrateio.api.install.kubernetes.KubernetesComponentSpec): Configure Kubernetes specific settings.

JWTSettings

Configure JWT based token issuance

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  tokenIssuer:
    jwt:
      expiration: 1h
      refreshExpiration: 720h
      tokenPruneInterval: 1h
      issuers:
      - name: https://jwt.tetrate.io
        algorithm: RS256
        signingKey: tls.key
        audiences:
        - tetrate

Fields:

  • issuers (list of tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer): The list of issuers supported by JWT token issuance. By default the first configured issuer is used to sign the tokens IAM issues upon successful login; additional issuers can be configured so that the JWT authentication provider also accepts tokens they have signed.
  • expiration (google.protobuf.Duration): The duration issued tokens are valid for.
  • refreshExpiration (google.protobuf.Duration): The duration issued refresh tokens are valid for.
  • tokenPruneInterval (google.protobuf.Duration): The interval at which expired tokens are pruned.

Issuer

Fields:

  • name (string): Name that uniquely identifies the issuer in the system.
  • algorithm (tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer.Algorithm): Algorithm used by this issuer to sign tokens.
  • signingKey (string): The name of the file to use as the signing key. This key must be present in the tsb-certs secret (or the equivalent when using Vault). If set to tls.key, Service Bridge signs tokens with the same private key it uses to serve the UI; this is not recommended for production use.
  • audiences (list of string): Audiences supported by this issuer, used on token validation. If the issuer defines no audiences, the 'aud' claim is not validated.

Algorithm

Values:

  • RS256 (0): RSA / SHA-256
  • RS384 (1): RSA / SHA-384
  • RS512 (2): RSA / SHA-512
  • PS256 (3): RSA-PSS / SHA-256
  • PS384 (4): RSA-PSS / SHA-384
  • PS512 (5): RSA-PSS / SHA-512
  • ES256 (6): ECDSA / SHA-256
  • ES384 (7): ECDSA / SHA-384
  • ES512 (8): ECDSA / SHA-512
  • HS256 (9): HMAC / SHA-256
  • HS384 (10): HMAC / SHA-384
  • HS512 (11): HMAC / SHA-512

The HS* algorithms use a shared secret, so every component that can validate tokens can also mint them; the RS*, PS* and ES* algorithms let validators hold only the public key.
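To make the issuer semantics above concrete (the first issuer signs, additional issuers are only consulted for validation, 'aud' is checked only when the issuer defines audiences, and the algorithm is fixed per issuer), here is an added example in Python. It is not the IAM server's code. The two issuers, their inline secrets and the token contents are constructed; HS256 is used only so the example runs with the standard library, and the same structure applies with the RS*/PS*/ES* algorithms, where the signingKey file from the tsb-certs secret would be used instead.

```python
import base64, hashlib, hmac, json

# Added example of the issuance and validation semantics described for
# JWTSettings; illustrative code, not the IAM server's implementation.
# Issuers mirror the JWTSettings.Issuer shape. To stay standard-library only,
# both constructed issuers use HS256 with an inline secret; with RS*/PS*/ES*
# algorithms the key would be the signingKey file from the tsb-certs secret.
ISSUERS = [
    {"name": "https://jwt.tetrate.io", "algorithm": "HS256",
     "key": b"constructed-primary-secret", "audiences": ["tetrate"]},
    {"name": "https://legacy.example.com", "algorithm": "HS256",
     "key": b"constructed-legacy-secret", "audiences": []},
]
EXPIRATION = 3600  # expiration: 1h
_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(issuer, signing_input):
    return hmac.new(issuer["key"], signing_input.encode(), _HASHES[issuer["algorithm"]]).digest()

def mint(subject, now, issuer=None):
    """Issue a token the way the page describes IAM doing it: the first configured
    issuer signs unless another one is passed explicitly. `now` is epoch seconds."""
    issuer = issuer or ISSUERS[0]
    header = {"alg": issuer["algorithm"], "typ": "JWT"}
    claims = {"iss": issuer["name"], "sub": subject, "iat": now, "exp": now + EXPIRATION}
    if issuer["audiences"]:
        claims["aud"] = issuer["audiences"][0]
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + _b64url(_sign(issuer, signing_input))

def verify(token, now):
    """Return the claims if some configured issuer accepts the token, else None."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(_unb64url(h)), json.loads(_unb64url(c)), _unb64url(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    issuer = next((i for i in ISSUERS if i["name"] == claims.get("iss")), None)
    if issuer is None:
        return None  # unknown issuer: there is no configured key to check against
    # The algorithm is pinned by the issuer configuration; the header's alg is only
    # required to agree with it and is never used to pick the verification method.
    if header.get("alg") != issuer["algorithm"]:
        return None
    if not hmac.compare_digest(_sign(issuer, h + "." + c), sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    # Per the audiences field: 'aud' is validated only when the issuer defines audiences.
    if issuer["audiences"]:
        aud = claims.get("aud")
        presented = aud if isinstance(aud, list) else [aud]
        if not any(a in issuer["audiences"] for a in presented):
            return None
    return claims
```

The practitioner point is the alg check: verification uses the algorithm configured for the issuer named in the token and rejects a header whose alg disagrees, which is what closes the classic algorithm-confusion attack on JWT validators that trust the header.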

LDAPSettings

Detail connection and query mappings for LDAP

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  identityProvider:
    ldap:
      host: ldap
      port: 389
      search:
        baseDN: dc=tetrate,dc=io
        timeout: 20s
        recursive: true
      iam:
        matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
        matchFilter: "(&(objectClass=person)(uid=%s))"
      sync:
        usersFilter: "(objectClass=person)"
        groupsFilter: "(objectClass=groupOfUniqueNames)"
        membershipAttribute: uniqueMember
Fields:

  • host (string, REQUIRED): LDAP server host address (can be hostname or IP address). Validation: string = { address: true }
  • port (int32, REQUIRED): Port the LDAP server is listening on. Validation: int32 = { gte: 1, lte: 65535 }
  • disableTLS (bool): Disable secure connections to the LDAP server. With TLS disabled, bind credentials cross the network in clear text.
  • search (tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Search): Configure common properties to be used when running queries against the LDAP server.
  • iam (tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.IAM): Configure how IAM validates credentials against the LDAP server. The fields are not exclusive: if both are configured, a direct match against the DN is attempted first and the filter-based match is used as a fallback.
  • sync (tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Sync): Configure how existing users and groups are retrieved from the LDAP server.

IAM

Fields:

  • matchDN (string, REQUIRED): Configure how a user can be directly bound to a DN pattern. If all users can be found with a given pattern, they can be bound directly. Otherwise, a matchFilter should be configured to search for the DN of the given user. In Active Directory the bind operation is done directly with the username (in the user@domain form), so when connecting to an AD instance this should be set to just: %s. Validation: string = { min_len: 1 }
  • matchFilter (string, REQUIRED): The search filter used to find a user DN. This is used when the user DN cannot be directly resolved by matching the configured matchDN. Example search filters for common LDAP implementations: OpenLDAP: "(&(objectClass=person)(uid=%s))"; Active Directory: "(&(objectClass=user)(samAccountName=%s))". A DN pattern such as "cn=%s,ou=People,dc=tetrate,dc=io" belongs in matchDN, not here. Validation: string = { min_len: 1 }
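Both patterns above are filled in with a value taken from the login form, so whatever code performs the substitution has to escape it for the context it lands in: a DN for matchDN, a search filter for matchFilter. The following added example (not TSB's code; this page does not describe how the IAM server performs the substitution) shows that rendering with RFC 4514 DN escaping and RFC 4515 filter escaping, including the bare %s form used for Active Directory, and is the behaviour you would want to confirm from any component that expands these patterns.

```python
# Added example (not TSB code) of how a matchDN pattern and a matchFilter pattern
# are instantiated for a login name. The substitution escapes the value for the
# context it lands in (RFC 4514 for DNs, RFC 4515 for search filters), so that a
# crafted login name cannot change the DN being bound or widen the search filter.
# Whether the IAM server escapes this way is not stated on this page.

_DN_SPECIAL = set(',+"\\<>;=')
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515 section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def render_match_dn(pattern, username):
    """matchDN, e.g. 'cn=%s,ou=People,dc=tetrate,dc=io'. The bare '%s' form used for
    Active Directory binds with user@domain, which is not a DN, so it is passed as is."""
    if pattern == "%s":
        return username
    return pattern.replace("%s", escape_dn_value(username))

def render_match_filter(pattern, username):
    """matchFilter, e.g. '(&(objectClass=person)(uid=%s))'."""
    return pattern.replace("%s", escape_filter_value(username))
```

Without the filter escaping, a login name such as `*)(uid=admin` turns `(&(objectClass=person)(uid=%s))` into a filter that matches every person, and the fallback search would then return a DN the user never proved they own.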

Search

Fields:

  • baseDN (string, REQUIRED): The location at which LDAP search operations start. Validation: string = { min_len: 1 }
  • recursive (bool): Recursively search the LDAP tree.
  • timeout (google.protobuf.Duration): The timeout when querying the LDAP server. If omitted, the query is bound by the timeout set by the LDAP server.

Sync

Fields:

  • usersFilter (string, REQUIRED): The LDAP filter that will be used to fetch all the users that are to be synced to TSB, e.g. "(objectClass=user)". Validation: string = { min_len: 1 }
  • groupsFilter (string, REQUIRED): The LDAP filter that will be used to fetch all the groups that are to be synced to TSB, e.g. "(objectClass=group)". Validation: string = { min_len: 1 }
  • membershipAttribute (string, REQUIRED): The name of the attribute in a group record returned from LDAP that represents a member of the group, e.g. "member". Validation: string = { min_len: 1 }

MPC

Kubernetes settings for the MPC component.

Fields:

  • kubeSpec (tetrateio.api.install.kubernetes.KubernetesComponentSpec): Configure Kubernetes specific settings.

ManagementPlaneComponentSet

The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for each individual component.

Fields:

  • apiServer (tetrateio.api.install.managementplane.v1alpha1.ApiServer)
  • iamServer (tetrateio.api.install.managementplane.v1alpha1.IamServer)
  • webUI (tetrateio.api.install.managementplane.v1alpha1.WebUI)
  • frontEnvoy (tetrateio.api.install.managementplane.v1alpha1.FrontEnvoy)
  • oap (tetrateio.api.install.managementplane.v1alpha1.Oap)
  • zipkin (tetrateio.api.install.managementplane.v1alpha1.Zipkin)
  • collector (tetrateio.api.install.managementplane.v1alpha1.OpenTelemetryCollector)
  • xcp (tetrateio.api.install.managementplane.v1alpha1.XCP)
  • mpc (tetrateio.api.install.managementplane.v1alpha1.MPC)

ManagementPlaneSpec

ManagementPlaneSpec defines the desired installed state of TSB management plane components. Specifying a minimal ManagementPlaneSpec with hub set results in a demo installation.

Fields:

  • hub (string, REQUIRED): TSB container hub path, e.g. docker.io/tetrate. Validation: string = { min_len: 1 }
  • tenant (string): Deprecated; use organization instead. The name of the tenant to be used across the management plane.
  • organization (string): The name of the organization to be used across the management plane.
  • components (tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneComponentSet): The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for individual components.
  • dataStore (tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.DataStore): Configure the data store for TSB to persist its data to. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and, for your convenience, install a demo grade data store.
  • telemetryStore (tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TelemetryStore): Configure the store that TSB will use to persist application telemetry data. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and, for your convenience, install a demo grade telemetry store.
  • identityProvider (tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider): Configure the Identity Provider TSB will use as the source of users. This identity provider is used for user authentication and to periodically synchronize the information of existing users and groups into the platform. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and, for your convenience, install a demo identity provider.
  • tokenIssuer (tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TokenIssuer): Configure the Token Issuer TSB will use to mint tokens upon initial authentication with the identity provider. This token is used to authenticate any subsequent internal requests in TSB. This is a mandatory setting for production. If omitted, the operator will use an insecure default.

DataStore

Configure the data store for TSB to persist its data to. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and, for your convenience, install a demo grade data store. Select one of the DataStore settings to see complete examples.

Fields:

  • postgres (tetrateio.api.install.managementplane.v1alpha1.PostgresSettings)

IdentityProvider

Configure the Identity Provider TSB will use as the source of users. This identity provider is used for user authentication and to periodically synchronize the information of existing users and groups into the platform. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and, for your convenience, install a demo identity provider. Select one of the IdentityProvider settings to see complete examples.

Fields:

  • ldap (tetrateio.api.install.managementplane.v1alpha1.LDAPSettings)

TelemetryStore

Configure the store that TSB will use to persist application telemetry data. This is a mandatory setting for production. If omitted, the operator will assume a demo installation and, for your convenience, install a demo grade telemetry store. Select one of the TelemetryStore settings to see complete examples.

Fields:

  • elastic (tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings)

TokenIssuer

Configure the Token Issuer TSB will use to mint tokens upon initial authentication with the identity provider. This token is used to authenticate any subsequent internal requests in TSB. This is a mandatory setting for production. If omitted, the operator will use an insecure default. Select one of the TokenIssuer settings to see complete examples.

Fields:

  • jwt (tetrateio.api.install.managementplane.v1alpha1.JWTSettings)

Oap

Kubernetes settings for the OAP (SkyWalking) component.

Fields:

  • kubeSpec (tetrateio.api.install.kubernetes.KubernetesComponentSpec): Configure Kubernetes specific settings.

OpenTelemetryCollector

Kubernetes settings for the OpenTelemetry Collector component.

Fields:

  • kubeSpec (tetrateio.api.install.kubernetes.KubernetesComponentSpec): Configure Kubernetes specific settings.

PostgresSettings

Connection details for Postgres.

NOTE: TSB does not make any specific schema selection. It defaults to the search_path set by the user/role specified in the connection settings. By default this will result in using the public schema. If you need to use a different schema, update the search_path of the Postgres user accordingly.

apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: managementplane
spec:
  dataStore:
    postgres:
      address: "postgres:5432"
      sslMode: verify_full
      connectionLifetime: "8500s"
      name: tsb

Fields:

  • host (string): Deprecated; use the address field instead. Postgres host address (can be hostname or IP address).
  • port (int32): Deprecated; use the address field instead. Port Postgres is listening on.
  • sslMode (tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.SSLMode): For more details about each of these options please refer to https://www.postgresql.org/docs/current/libpq-ssl.html
  • connectionLifetime (string): How long a connection lives before it is closed and recreated.
  • name (string): The name of the database TSB will use in Postgres. If this database does not exist, TSB will create it.
  • address (string, REQUIRED): The address of the database instance, e.g. my-postgres.com:5432. Validation: string = { min_len: 1 }
  • connectionIdleLifetime (string): How long an idle connection lives before it is closed. A value of zero means connections are not closed due to idle time.
  • connectionMaxOpen (int32): Maximum number of concurrent open connections. Defaults to 0 (unlimited).
  • connectionIdleMaxOpen (int32): Maximum number of idle connections retained. Defaults to 2. A value of 0 means no idle connections are retained. If connectionMaxOpen is set, this value is adjusted automatically so that it is always <= connectionMaxOpen.

SSLMode

For more details about each of these options please refer to https://www.postgresql.org/docs/current/libpq-ssl.html. Only verify_ca and verify_full check the server's certificate; require encrypts the connection without verifying who the server is, and disable, allow and prefer can end up with a clear-text connection.

Values:

  • require (0)
  • allow (1)
  • prefer (2)
  • disable (3)
  • verify_ca (4)
  • verify_full (5)

TLSProtocol

Values:

  • TLS_AUTO (0): Envoy will choose the optimal TLS version.
  • TLSv1_0 (1)
  • TLSv1_1 (2)
  • TLSv1_2 (3)
  • TLSv1_3 (4)

WebUI

Kubernetes settings for the WebUI component.

Fields:

  • kubeSpec (tetrateio.api.install.kubernetes.KubernetesComponentSpec): Configure Kubernetes specific settings. Although the Kubernetes settings allow it, the WebUI does not support multiple instances, so do not set replicaCount or an hpaSpec.

XCP

Application and Kubernetes settings for the XCP component.

Fields:

  • kubeSpec (tetrateio.api.install.kubernetes.KubernetesComponentSpec): Configure Kubernetes specific settings.

Zipkin

Kubernetes settings for the Zipkin component.

Fields:

  • kubeSpec (tetrateio.api.install.kubernetes.KubernetesJobComponentSpec): Configure Kubernetes specific settings.