Version: 1.5.x

Common Configuration Objects

Common configuration objects shared by the different install APIs.

CertManagerSettings

CertManagerSettings represents the settings used for the cert-manager installation. TSB supports installing and managing the lifecycle of the cert-manager installation.

| Field | Type | Description | Validation Rule |
| --- | --- | --- | --- |
| managed | tetrateio.api.install.common.CertManagerSettings.Managed | Managed specifies whether TSB should manage the lifecycle of cert-manager. | |
| certManagerSpec | tetrateio.api.install.common.CertManagerSettings.CertManagerSpec | Configure Kubernetes-specific settings for cert-manager. | |
| certManagerWebhookSpec | tetrateio.api.install.common.CertManagerSettings.CertManagerWebhookSpec | Configure Kubernetes-specific settings for cert-manager-webhook. | |
| certManagerCaInjector | tetrateio.api.install.common.CertManagerSettings.CertManagerCAInjector | Configure Kubernetes-specific settings for cert-manager-cainjector. | |
| certManagerStartupapicheck | tetrateio.api.install.common.CertManagerSettings.CertManagerStartupAPICheck | Configure Kubernetes-specific settings for cert-manager-startupapicheck. | |

CertManagerCAInjector

CertManagerCAInjector represents the settings used for cert-manager CAInjector installation in the clusters.

| Field | Type | Description | Validation Rule |
| --- | --- | --- | --- |
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | Configure Kubernetes-specific settings for cert-manager-cainjector. | |

CertManagerSpec

CertManagerSpec represents the settings used for cert-manager controller installation in the clusters.

| Field | Type | Description | Validation Rule |
| --- | --- | --- | --- |
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | Configure Kubernetes-specific settings for cert-manager. | |

CertManagerStartupAPICheck

CertManagerStartupAPICheck represents the settings used for cert-manager startup API check job installation in the clusters.

| Field | Type | Description | Validation Rule |
| --- | --- | --- | --- |
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesJobComponentSpec | Configure Kubernetes-specific settings for cert-manager-startupapicheck. | |

CertManagerWebhookSpec

CertManagerWebhookSpec represents the settings used for cert-manager Webhook installation in the clusters.

| Field | Type | Description | Validation Rule |
| --- | --- | --- | --- |
| kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | Configure Kubernetes-specific settings for cert-manager-webhook. | |

Managed

If INTERNAL, TSB will install and manage cert-manager. If a pre-existing installation is found, the operator will not install cert-manager and will fail. If EXTERNAL, TSB will rely on a pre-installed cert-manager. The pre-installed cert-manager should support signing requests raised through Kubernetes CSR.

| Name | Number | Description |
| --- | --- | --- |
| INTERNAL | 0 | INTERNAL represents that TSB will install and manage cert-manager in the cluster. If a pre-existing installation is found, the operator will not install cert-manager and will fail. |
| EXTERNAL | 1 | EXTERNAL represents that TSB will rely on a pre-installed cert-manager. The pre-installed cert-manager should support signing requests raised through Kubernetes CSR. |

ConfigProtection

ConfigProtection contains settings for enabling/disabling config protection over XCP created resources. Config protections are disabled by default. Example:

configProtection:
  enableAuthorizedUpdateDeleteOnXcpConfigs: true
  enableAuthorizedCreateUpdateDeleteOnXcpConfigs: true
  authorizedUsers:
  - user1
  - system:serviceaccount:ns1:serviceaccount-1

| Field | Type | Description | Validation Rule |
| --- | --- | --- | --- |
| enableAuthorizedUpdateDeleteOnXcpConfigs | bool | When enabled, no user or service account other than those in AuthorizedUsers is allowed to delete or update the XCP/Istio API resources created by XCP. | |
| enableAuthorizedCreateUpdateDeleteOnXcpConfigs | bool | When enabled, no user or service account other than those in AuthorizedUsers is allowed to create, delete or update the XCP/Istio API resources. This acts as a superset of enableAuthorizedUpdateDeleteOnXcpConfigs. | |
| authorizedUsers | List of string | List of usernames of the users or service accounts authorized to create/update/delete XCP configs when config protection is enabled. | |
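
The rules above, modeled as an added example (not TSB's own code or enforcement logic): `lint` checks a configProtection mapping for inconsistencies and `is_allowed` applies a literal reading of the two flags as this page words them. The function names and the dict input are assumptions of the example, and Kubernetes RBAC is outside the model.

```python
import re

# Kubernetes service account usernames: system:serviceaccount:<namespace>:<name>
_SA = re.compile(r"^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?"
                 r":[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")
UPD = "enableAuthorizedUpdateDeleteOnXcpConfigs"
CUD = "enableAuthorizedCreateUpdateDeleteOnXcpConfigs"

# The page's own example, written as the dict a YAML loader would produce.
SAMPLE = {
    UPD: True,
    CUD: True,
    "authorizedUsers": ["user1", "system:serviceaccount:ns1:serviceaccount-1"],
}

def lint(cfg):
    """Return a list of findings for a configProtection mapping (hypothetical helper)."""
    findings = []
    users = cfg.get("authorizedUsers") or []
    enabled = bool(cfg.get(UPD, False)) or bool(cfg.get(CUD, False))
    if enabled and not users:
        findings.append("protection enabled but authorizedUsers is empty")
    if users and not enabled:
        findings.append("authorizedUsers set but no protection flag enabled")
    for u in users:
        # A typo in a service account name silently authorizes nobody.
        if u.startswith("system:serviceaccount:") and not _SA.match(u):
            findings.append(f"malformed service account name: {u}")
    if len(set(users)) != len(users):
        findings.append("duplicate entries in authorizedUsers")
    return findings

def is_allowed(cfg, user, verb, created_by_xcp):
    """Model of the documented rules only; RBAC still applies on a real cluster."""
    if user in (cfg.get("authorizedUsers") or []):
        return True
    if cfg.get(CUD, False):
        # Superset flag: create, update and delete are all restricted.
        return verb not in ("create", "update", "delete")
    if cfg.get(UPD, False):
        # Narrower flag: only update/delete of resources created by XCP.
        return not (created_by_xcp and verb in ("update", "delete"))
    return True  # config protection is disabled by default
```
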

CustomCertProviderSettings

CustomCertProviderSettings represents the settings used for the custom certificate provider. Users can configure the CSR signer required for certificate signing and point to the CA bundle to be used to validate the certificates.

| Field | Type | Description | Validation Rule |
| --- | --- | --- | --- |
| csrSignerName | string | REQUIRED. Name of Kubernetes CSR signer to be used to sign the CSR request by different TSB components for internal purposes. | string = { min_len: 1 } |
| caBundleSecretName | string | REQUIRED. Configure the CABundleSecretName to be used to verify the signed CSR request by different TSB components. If not specified, TSB would use the secret with the name ca-bundle-management-plane in the management plane namespace or ca-bundle-control-plane in the control plane namespace. The secret should contain the file ca.crt with the cert data. | string = { min_len: 1 } |

InternalCertProvider

InternalCertProvider describes the certificate provider configuration for TSB internal purposes, such as Kubernetes webhook certificates. TSB supports cert-manager out of the box.

| Field | Type | Description | Validation Rule |
| --- | --- | --- | --- |
| certManager | tetrateio.api.install.common.CertManagerSettings | Use cert-manager as the internal certificate provider. | |
| custom | tetrateio.api.install.common.CustomCertProviderSettings | Use a custom certificate provider that accepts Kubernetes CSR. | |