We will deploy TSB with Helm, with the Management Plane, Global CP, and Data Planes all in different clusters.
Configure the Helm repo
helm repo add tetrate-tsb-helm 'https://charts.dl.tetrate.io/public/helm/charts/'
helm repo update

List available versions
helm search repo tetrate-tsb-helm -l

Sync the TSB images to your own registry. This is necessary because Tetrate keeps its images behind credentials. The command takes a while, as it pulls and pushes over 5 GB of images, but it only needs to run once.
docker login
tctl install image-sync --username <username> \
  --apikey <api-key> --registry docker.io/cmwylie19

Installs the TSB Management Plane Operator and Global Control Plane.
Create the management-plane namespace and generate the necessary secrets.
kubectl create ns tsb
tctl install manifest management-plane-secrets -y --tsb-admin-password password | kubectl apply -f -

Deploy the Management Plane through helm
helm install mp tetrate-tsb-helm/managementplane -n tsb \
  --set image.registry=docker.io/cmwylie19 \
  --set image.tag=1.5.0

Wait for the TSB operator to be ready
kubectl wait --for=condition=ready pod -l name=tsb-operator -n tsb --timeout=180s

Launch an instance of the ManagementPlane operator
kubectl apply -f -<<EOF
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
  name: mp
  namespace: tsb
spec:
  hub: docker.io/cmwylie19
  organization: redhat-appeng
  # components:
  #   internalCertProvider:
  #     certManager:
  #       managed: INTERNAL
EOF

Wait for pods to be ready
kubectl wait --for=condition=ready pod -l app=zipkin -n tsb
kubectl wait --for=condition=ready pod -l app=web -n tsb
kubectl wait --for=condition=ready pod -l app=oap -n tsb
kubectl wait --for=condition=ready pod -l app=iam -n tsb
kubectl wait --for=condition=ready pod -l app=envoy -n tsb
kubectl wait --for=condition=ready pod -l app=elasticsearch -n tsb
kubectl wait --for=condition=ready pod -l app=ldap -n tsb
kubectl wait --for=condition=ready pod -l app=mpc -n tsb

Configure tctl's default config profile to point to your TSB cluster. On GCP, use .status.loadBalancer.ingress[0].ip; on AWS, use .status.loadBalancer.ingress[0].hostname.
tctl config clusters set tetrate-mp-cp-cluster --bridge-address $(kubectl get svc -n tsb envoy --output jsonpath='{.status.loadBalancer.ingress[0].hostname}'):8443 --tls-insecure
tctl config users set tetrate-mp-cp-admin --org redhat-appeng --tenant admin --username admin --password password
tctl config profiles set tetrate-mp-cp-profile --cluster tetrate-mp-cp-cluster --username tetrate-mp-cp-admin
tctl config profiles set-current tetrate-mp-cp-profile

Check the dashboard
tctl ui -p tetrate-mp-cp-profile

Login
tctl login --org redhat-appeng --username admin --password password --tenant admin -p tetrate-mp-cp-profile

Configure the management plane to communicate with the data plane
tctl apply -f -<<EOF
apiVersion: api.tsb.tetrate.io/v2
kind: Cluster
metadata:
  name: tsb-dp
  namespace: tsb
  organization: redhat-appeng
spec:
  tokenTtl: "1h"
EOF

Check the clusters to ensure the dp cluster has been added
tctl get clusters

output
NAME DISPLAY NAME DESCRIPTION
tsb-dp
Installs the TSB Control Plane & Data Plane Operator on remote cluster.

Add RBAC to give the control plane and data plane operator service accounts the appropriate permissions
oc adm policy add-scc-to-user anyuid \
  system:serviceaccount:istio-system:tsb-operator-control-plane --context tetrate-dp
oc adm policy add-scc-to-user anyuid \
  system:serviceaccount:istio-gateway:tsb-operator-data-plane --context tetrate-dp
oc adm policy add-scc-to-user anyuid \
  system:serviceaccount:istio-system:xcp-edge --context tetrate-dp
oc adm policy add-scc-to-user anyuid \
  system:serviceaccount:istio-system:istio-system-oap --context tetrate-dp

Install operators for the control and data plane
tctl install manifest cluster-operators \
  --registry docker.io/cmwylie19 | kubectl apply --context tetrate-dp -f -

Create the service account that the cluster will use to authenticate with the management plane.
tctl install cluster-service-account \
  --cluster tsb-dp \
  > cluster-tsb-dp-service-account.jwk

Create the Kubernetes secrets for the data plane
tctl install manifest control-plane-secrets \
  --cluster tsb-dp \
  --cluster-service-account="$(cat cluster-tsb-dp-service-account.jwk)" \
  | kubectl apply --context tetrate-dp -f -
kubectl wait --for=condition=ready pod -l name=tsb-operator -n istio-system --timeout=180s --context tetrate-dp

Create RBAC for the control plane
oc adm policy add-scc-to-user anyuid -n istio-system -z istiod-service-account --context tetrate-dp # SA for istiod
oc adm policy add-scc-to-user anyuid -n istio-system -z vmgateway-service-account --context tetrate-dp
oc adm policy add-scc-to-user anyuid -n istio-system -z istio-system-oap --context tetrate-dp
oc adm policy add-scc-to-user privileged -n istio-system -z xcp-edge --context tetrate-dp

Launch an instance of the ControlPlane operator
kubectl apply --context tetrate-dp -f -<<EOF
apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
  name: controlplane
  namespace: istio-system
spec:
  hub: docker.io/cmwylie19
  telemetryStore:
    elastic:
      host: a6a12e7bc4ff5435a9cf4e2697b140b5-961723708.ca-central-1.elb.amazonaws.com
      port: 8443
      selfSigned: true
  managementPlane:
    host: a6a12e7bc4ff5435a9cf4e2697b140b5-961723708.ca-central-1.elb.amazonaws.com
    port: 8443
    selfSigned: true
    clusterName: tetrate-mp-cp-cluster
EOF

kubectl delete svc,deploy,sts,rs,cm,pvc,sa,secret,po,job,role,rolebinding -n tsb --all --force --grace-period=0;
kubectl delete ns tsb;
kubectl delete svc,deploy,sts,rs,cm,pvc,sa,secret,po,job,role,rolebinding -n cert-manager --all --force --grace-period=0;
kubectl delete ns cert-manager;
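
To review the SCC grants made in the two RBAC steps above before applying them, this added example (not part of the original guide or of Tetrate's tooling) parses `oc adm policy add-scc-to-user` commands in both subject forms used on this page and reports, per service account, the SCCs it ends up with, marking `privileged` grants and grants that are repeated across steps. The names `scc_grants`, `scc_audit` and `RUNBOOK` are assumptions, and the input is constructed from the commands on this page.

```shell
# Constructed input: the SCC grant commands from the two RBAC steps on this page.
RUNBOOK='oc adm policy add-scc-to-user anyuid \
  system:serviceaccount:istio-system:tsb-operator-control-plane --context tetrate-dp
oc adm policy add-scc-to-user anyuid \
  system:serviceaccount:istio-gateway:tsb-operator-data-plane --context tetrate-dp
oc adm policy add-scc-to-user anyuid \
  system:serviceaccount:istio-system:xcp-edge --context tetrate-dp
oc adm policy add-scc-to-user anyuid \
  system:serviceaccount:istio-system:istio-system-oap --context tetrate-dp
oc adm policy add-scc-to-user anyuid -n istio-system -z istiod-service-account --context tetrate-dp # SA for istiod
oc adm policy add-scc-to-user anyuid -n istio-system -z vmgateway-service-account --context tetrate-dp
oc adm policy add-scc-to-user anyuid -n istio-system -z istio-system-oap --context tetrate-dp
oc adm policy add-scc-to-user privileged -n istio-system -z xcp-edge --context tetrate-dp'

# scc_grants (hypothetical helper): read shell commands on stdin and print
# "namespace/serviceaccount scc" for every add-scc-to-user grant found.
scc_grants() {
  awk '
    { sub(/#.*/, "") }                                            # strip trailing comments
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }  # join continuation lines
    { n = split(buf $0, f, /[ \t]+/); buf = ""; scc = ns = ""; nz = nf = 0
      for (i = 1; i <= n; i++) {
        if (f[i] == "add-scc-to-user") scc = f[++i]
        else if (f[i] == "-n") ns = f[++i]
        else if (f[i] == "-z") z[++nz] = f[++i]                   # short form: -n <ns> -z <sa>
        else if (split(f[i], p, ":") == 4 && p[1] ":" p[2] == "system:serviceaccount")
          full[++nf] = p[3] "/" p[4]                              # system:serviceaccount:<ns>:<sa>
      }
      if (scc == "") next                                         # not a grant command
      for (j = 1; j <= nf; j++) print full[j], scc
      for (j = 1; j <= nz; j++) print ns "/" z[j], scc
    }'
}

# scc_audit (hypothetical helper): one line per service account with its SCCs;
# REVIEW marks a privileged grant, "repeated" a grant issued more than once.
scc_audit() {
  scc_grants | LC_ALL=C sort | uniq -c | awk '
    { sccs[$2] = (sccs[$2] ? sccs[$2] "," : "") $3
      if ($1 > 1) rep[$2] = 1 }
    END { for (k in sccs) {
            note = (sccs[k] ~ /privileged/) ? "REVIEW" : "ok"
            if (k in rep) note = note ",repeated"
            print k, sccs[k], note } }' | LC_ALL=C sort
}

printf '%s\n' "$RUNBOOK" | scc_audit
```

The same functions can be pointed at a saved copy of the install script, and the result compared with what `oc` reports on the cluster after the grants are applied.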