Control Plane Installation
This chart installs the TSB Control Plane operator.
Install
helm install cp tetrate-tsb-helm/controlplane --namespace istio-system --create-namespace -f values.yaml
Istio revision
If you need to install a particular Istio version, set the CONTROL_PLANE_REVISION environment var at the operator deployment.
Usage
Once the TSB Control Plane installation is finished a TSB Control Plane custom resource is required to properly onboard the cluster into TSB.
This can be done manually or by adding the proper spec into the property spec of this same chart.
Istio specific version
If you apply CONTROL_PLANE_REVISION environment var at operator deployment, make sure to configure spec.xcp.revision with the same value
as configured on the operator deployment. Otherwise, the operator will ignore the Control Plane resource.
Check the TSB documentation for more context on how to configure the installation.
Configuration
| Name | Description | Default value |
|---|---|---|
image.registry | Registry used to download the operator image | gcr.io/tetrate-internal-containers |
image.tag | The tag of the operator image | same as the Chart version |
Control Plane resource configuration
Optionally the TSB Control Plane custom resource can be supplied using the following configuration to make the TSB ControlPlane fully run.
| Name | Description | Default value |
|---|---|---|
spec | Holds the spec section of the Control Plane custom resource |
Secrets configuration
Optionally, all the required secrets can be supplied using the following configuration.
NOTE: Keep in mind that these options just help with creating secrets, and they must respect the configuration provided in the TSB Control Plane custom resource, otherwise the installation will end up misconfigured.
| Name | Description | Default value |
|---|---|---|
secrets.keep | Enabling this makes the generated secrets persist in the cluster after uninstalling the chart if they are no provided in future updates. (see Helm doc) | false |
secrets.tsb.cacert | CA certificate used to verify TLS certs exposed the Management Plane (front envoy) | |
secrets.elasticsearch.username | The username to access Elasticsearch | |
secrets.elasticsearch.password | The password to access Elasticsearch | |
secrets.elasticsearch.cacert | Elasticsearch CA cert TLS used by control plane to verify TLS connection | |
secrets.oapToken | JWT token used to authenticate OAP against the Management Plane | |
secrets.otelToken | JWT token used to authenticate OTel Collector against the Management Plane | |
secrets.zipkinToken | JWT token used to authenticate Zipkin against the Management Plane | |
secrets.clusterServiceAccount.clusterFQN | TSB FQN of the onboarded cluster resource. This will be generate tokens for all Control Plane agents. | |
secrets.clusterServiceAccount.JWK | JWK used to generate and sign the tokens for all the Control Plane agents. |
XCP secrets configuration
XCP allows different authentication configuration modes. Depending on which one, the provided certs will be used for different goals.
JWT mode
In JWT mode, if the XCP root CA (secrets.xcp.rootca) is provided it will be used to verify the TLS certs provided by
XCP Central.
Also secrets.xcp.edge.token or secrets.clusterServiceAccount will be required to authenticate against XCP Central.
MUTUAL TLS mode
In MUTUAL_TLS mode, XCP Edge requires certificates with a SPIFFE ID to authenticate against the XCP Central.
If secrets.xcp.autoGenerateCerts is disabled, the XCP Edge cert is expected to be provided by the user using
the secrets.xcp.edge.cert and secrets.xcp.edge.key configurations.
Then, if XCP Root CA is provided, it will be used to verify TLS certs provided by XCP Central.
If secrets.xcp.autoGenerateCerts is enabled, Cert Manager is required to provide the certs to XCP Edge.
If the Control Plane is installed in the same cluster the Management Plane runs on, no other cert info is required, because the same Cert Manager issuers will be used to create the XCP Edge cert.
Otherwise, when the Control Plane is not able to use the same Management Plane issuers, the XCP Root CA and its
key (secrets.xcp.rootca and secrets.xcp.rootcakey) are required to create a Cert Manager issuer to provide the cert
to the Edge.
The following are the configuration properties allowed to be used to configure XCP authentication mode:
| Name | Description | Default value |
|---|---|---|
secrets.xcp.autoGenerateCerts | Enabling this will auto generate XCP Edge certificate if mTLS is enabled to authenticate to XCP Central. Requires cert-manager | false |
secrets.xcp.rootca | CA certificate of XCP components | |
secrets.xcp.rootcakey | Key of the CA certificate of XCP components | |
secrets.xcp.edge.cert | Edge certificate used for mTLS with XCP Central | |
secrets.xcp.edge.key | Key of the Edge certificate used for mTLS with XCP Central | |
secrets.xcp.edge.token | JWT token used to authenticate XCP Edge against the XCP Central | |
secrets.xcp.authMode | Indicates the XCP authentication mode configured in order to generate the proper required secrets. Accepted values: JWT or MUTUAL_TLS | MUTUAL_TLS |
Operator extended configuration
The TSB operator related resources like the deployment, the service or the service account can be extended using the following optional properties:
| Name | Description | Default value |
|---|---|---|
operator.deployment.affinity | Affinity configuration for the pod | |
operator.deployment.annotations | Custom collection of annotations to add to the deployment | |
operator.deployment.env | Custom collection of environment vars to add to the container | |
operator.deployment.podAnnotations | Custom collection of annotations to add to the pod | |
operator.deployment.replicaCount | Number of replicas managed by the deployment | |
operator.deployment.strategy | Deployment strategy to use | |
operator.deployment.tolerations | Toleration collection applying to the pod scheduling | |
operator.service.annotations | Custom collection of annotations to add to the service | |
operator.serviceAccount.annotations | Custom collection of annotations to add to the service account | |
operator.serviceAccount.imagePullSecrets | Collection of secrets names required to be able to pull images from the registry | |
operator.pullSecret | A JSON encoded Docker configuration that will be stored as an image pull secret |