Skip to main content
Version: 1.6.x

Management Plane Installation

This chart installs the TSB management plane operator, which also allows you to install TSB management plane components using the TSB ManagementPlane CR and all the required secrets to make it fully run.

Before you start, make sure that you have checked the Helm installation process.

Installation overview

  1. Create a values.yaml file and edit it with your desired configuration. You can find more details on the available Helm configuration in the configuration](#configuration) section below. For a full reference of the spec section, see the TSB ManagementPlane CR.

  2. Use the helm install command to install TSB management plane. Make sure to set the image.registry and image.tag options to the correct registry location and TSB version.

  3. Wait until all TSB management plane components have been deployed successfully. You can verify your installation by trying to log in to TSB UI or connect to TSB using tctl.

Installation

To install TSB management plane, create a values.yaml file with the following content and edit it according to your needs:

spec:
organization: <organization-name>
dataStore:
postgres:
host: <postgres-hostname-or-ip>
port: <postgres-port>
name: <database-name>
telemetryStore:
elastic:
host: <elastic-hostname-or-ip>
port: <elastic-port>
version: <elastic-version>
selfSigned: <is-elastic-use-self-signed-certificate>

# TSB support OICD and LDAP for identity provider IdP
# Set according to your environment.
identityProvider:
...

secrets:
tsb:
adminPassword: <tsb-admin-password>

# Set this field if you use self-signed TLS certificate for TSB
cert: <tsb-tls-cert>
key: <tsb-tls-key>

postgres:
username: <postgres-username>
password: <postgres-password>

# Depending on your IdP, you need to set required secrets here.
...

Then, use the following helm install command to install TSB management plane:

helm install mp tetrate-tsb-helm/managementplane \
--namespace tsb \
--values values.yaml \
--set image.registry=<registry-location> \
--set image.tag=<tsb-version> \
--set spec.hub=<registry-location>

Non-prod external dependencies

If you omit the dataStore, telemetryStore, and identityProvider fields in your values.yaml file, TSB will install non-prod Postgres, Elasticsearch, and LDAP. Note that you still need to set correct secrets and credentials to use the storage.

danger

DO NOT USE NON-PROD STORAGE AND IDENTITY PROVIDER IN PRODUCTION.

Here is an example of a completed values.yaml file for a demo installation:

spec:
organization: <organization-name>

secrets:
tsb:
adminPassword: <tsb-admin-password>

# Set this field if you use self-signed TLS certificate for TSB
cert: <tsb-tls-cert>
key: <tsb-tls-key>

postgres:
username: tsb
password: tsb-postgres-password

ldap:
binddn: cn=admin,dc=tetrate,dc=io
bindpassword: admin

Troubleshooting

If you encounter any issues during the installation process, here are a few things to check:

  • Make sure that you have entered the correct values in your values.yaml file.
  • Verify that you are using the correct registry location and TSB version in the helm install command.
  • If you are using a custom identity provider, make sure that you have set all of the required secrets in the secrets section of the values.yaml file.
  • If you are having trouble connecting to TSB, make sure that all TSB components have been deployed successfully and that there are no errors in the logs.
  • If you are using a private registry to host the TSB control plane operator image, make sure that you have authenticated with the registry and that the image.registry and spec.hub values in the cluster-values.yaml file are correct.

Configuration

Image configuration

This is a required field. Set image.registry to the location of your private registry where you have synced the TSB images, and set image.tag to the TSB version that you want to deploy. Specifying only this field will install the TSB control plane operator without installing other TSB components.

NameDescriptionDefault value
image.registryRegistry used to download the operator image. Requiredcontainers.dl.tetrate.io
image.tagThe tag of the operator image. Requiredsame as the Chart version

Management plane resource configuration

This is an optional field. You can set TSB ManagementPlane CR spec in Helm values file to make the TSB management plane fully run.

NameDescriptionDefault value
specHolds the spec section of the ManagementPlane CR. Optional

Secrets configuration

This is an optional field. You can apply secrets into your cluster before installing TSB management plane or you can use Helm values to specify required secrets. Note that you can use different Helm values file if you want to separate secrets from management plane spec.

warning

Keep in mind that these options just help with creating secrets, and they must respect the configuration provided in the TSB ManagementPlane CR, otherwise the installation will end up misconfigured.

NameDescriptionDefault value
secrets.keepEnabling this makes the generated secrets persist in the cluster after uninstalling the chart if they are no provided in future updates. (see Helm doc)false
secrets.tsb.adminPasswordThe password that is going to be configured for the admin user.
secrets.tsb.certThe TLS certificate exposed by the management plane (front envoy).
secrets.tsb.keyThe key for TLS certificate exposed by the management plane (front envoy).
secrets.postgres.usernameThe username used to access the Postgres database.
secrets.postgres.passwordThe password used to access the Postgres database.
secrets.postgres.cacertThe CA cert to verify TLS certificates provided by the Postgres database.
secrets.postgres.clientcertThe client cert required to access the Postgres database.
secrets.postgres.clientkeyThe key for the client cert required to access the Postgres database.
secrets.elasticsearch.usernameThe username used to access the Elasticsearch.
secrets.elasticsearch.passwordThe password used to access the Elasticsearch.
secrets.elasticsearch.cacertThe CA cert to verify TLS certificates provided by the Elasticsearch.
secrets.ldap.binddnThe bind DN used to read from the LDAP IDP.
secrets.ldap.bindpasswordThe password for the provided bind DN used to read from the LDAP IDP.
secrets.ldap.cacertThe CA cert to verify TLS certificates provided by the LDAP IDP.
secrets.oidc.clientSecretThe client secret used to connect to the configured OIDC.
secrets.oidc.deviceClientSecretThe device client secret used to connect to the configured OIDC.
secrets.azure.clientSecretThe client secret used to connect to the Azure OIDC.

XCP secrets configuration

XCP has two authentication configuration modes: JWT (default) and mTLS. Depending on the authentication mode, the provided certificates will be used for different purpose.

JWT mode

In JWT mode, XCP Central will expose simple TLS connection for its clients.

If secrets.xcp.autoGenerateCerts is disabled, the certificate for XCP Central and the key must be provided by the user using secrets.xcp.central.cert and secrets.xcp.central.key.

Optionally, a CA can be provided with secrets.xcp.rootca to allow the MPC component to use it to verify the certs provided by XCP Central.

If secrets.xcp.autoGenerateCerts is enabled, Cert Manager is required to provide the XCP Central certificate.

Then secrets.xcp.rootca and secrets.xcp.rootcakey will be used to create the proper Issuer and generate the certificate for XCP Central and share the CA with MPC to allow it to verify the XCP Central generated cert.

MUTUAL TLS mode

In MUTUAL_TLS mode, XCP Central requires, for itself and its clients, to use certificates with a SPIFFE ID to authenticate each of the peers.

If secrets.xcp.autoGenerateCerts is disabled, the XCP Central and the MPC certs are expected to be provided by the user using the secrets.xcp.central.cert,secrets.xcp.central.key, secrets.mpc.cert and secrets.mpc.key configurations respectively.

Then, if an XCP Root CA is provided, it will be used to verify all those certs.

If secrets.xcp.autoGenerateCerts is enabled, Cert Manager is required to provide the certs to XCP Central and MPC.

Then secrets.xcp.rootca and secrets.xcp.rootcakey will be used to create the proper Issuer and generate the certificates to authenticate XCP Central and MPC via mTLS.

The following properties are allowed to be used to configure the XCP authentication mode:

NameDescriptionDefault value
secrets.xcp.autoGenerateCertsEnabling this will auto generate MPC and XCP Central certificate if mTLS is enabled as XCP authentication. Requires cert-managerfalse
secrets.mpc.certThe cert used by MPC to authenticate via mTLS against XCP Central.
secrets.mpc.keyThe cert used by MPC to authenticate via mTLS against XCP Central.
secrets.xcp.rootcaThe XCP components CA certificate.
secrets.xcp.rootcakeyThe XCP components Root Ca certificate key.
secrets.xcp.central.certThe XCP Central certificate for TLS.
secrets.xcp.central.keyThe XCP Central certificate key for TLS.
secrets.xcp.central.additionalDNSNamesAdditional DNS names to be added in the XCP Central certificate when secrets.xcp.autoGenerateCerts is enabled
secrets.xcp.central.additionalURIsAdditional URIs to be added in the XCP Central certificate when secrets.xcp.autoGenerateCerts is enabled
secrets.xcp.central.additionalIPAddressesAdditional IP addresses to be added in the XCP Central certificate when secrets.xcp.autoGenerateCerts is enabled
certManager.clusterResourcesNamespaceThe namespace configured in the Cert Manager installation for cluster resources.cert-manager
secrets.xcp.authModes.jwtIf true, the secrets required for XCP JWT authentication mode will be created.false
secrets.xcp.authModes.mtlsIf true, the secrets required for XCP mTLS authentication mode will be created.true

Operator extended configuration

This is an optional field. You can customize TSB operator related resources like the deployment, the service or the service account using the following optional properties:

NameDescriptionDefault value
operator.deployment.affinityAffinity configuration for the pod
operator.deployment.annotationsCustom collection of annotations to add to the deployment
operator.deployment.envCustom collection of environment vars to add to the container
operator.deployment.podAnnotationsCustom collection of annotations to add to the pod
operator.deployment.replicaCountNumber of replicas managed by the deployment
operator.deployment.strategyDeployment strategy to use
operator.deployment.tolerationsToleration collection applying to the pod scheduling
operator.deployment.podSecurityContextSecurityContext properties to apply to the pod
operator.deployment.containerSecurityContextSecurityContext properties to apply to the pod's containers
operator.service.annotationsCustom collection of annotations to add to the service
operator.serviceAccount.annotationsCustom collection of annotations to add to the service account
operator.serviceAccount.imagePullSecretsCollection of secrets names required to be able to pull images from the registry
operator.pullSecretA Docker JSON config string that will be stored as an image pull secret