Tetrate Istio Subscription Plus (TIS Plus) templates
Overview
Tetrate Istio Subscription Plus (TIS Plus) templates enable deployment of TIS Plus as Kosmos applications.
A template is a reusable resource that defines:
- Application configurations
- Container images
- Deployment structure
Available templates
There are two templates:
Supported versions of TIS Plus
1.12.61.14.0
References
Management plane template
The ManagementPlane resource provides the configuration required to install the Istio Subscription Plus management plane on a cluster.
The installation API follows an override model, meaning any optional fields that are not explicitly set will automatically use sensible default values.
Prerequisites
Before starting, ensure you have:
- Tetrate repository account credentials
- Verified installation requirements
- Installed:
- Supported versions of kubectl and Helm , for details see supported platforms
- Installed TCTL (must match TIS Plus version)
- Logged into your private Docker registry
Sync the TIS Plus images for management plane installation
tctl install image-sync \
--username <user-name> \
--apikey <api-key> \
--registry <registry-location>
Note:
- Credentials (
usernameandapikey) arguments must hold the Tetrate repository account details provided by Tetrate to enable the download of the container images - Registry must point to your private Docker registry
Parameters
Required parameters
| Name | Type | Required | Created by Kosmos Controller | Description | Example / Default Value |
|---|---|---|---|---|---|
| TIS_PLUS_VERSION | string | ✅ | ❌ | TIS Plus version to install | 1.14.0 |
| REGISTRY_LOCATION | string | ✅ | ❌ | Location of the private registry | registry.example.com |
| ORGANIZATION | string | ✅ | ❌ | Organization name for TIS Plus installation | joyent |
| TIS_PLUS_ADMIN_PASSWORD | string | ✅ | ❌ | Password for the TIS Plus admin user | password123 |
Optional parameters
| Name | Type | Required | Created by Kosmos Controller | Description | Example / Default Value |
|---|---|---|---|---|---|
| MANAGEMENT_PLANE_REPLICAS | int | ❌ | ❌ | Number of management plane replicas | 1 |
| ELASTIC_HOST | string | ❌ | ❌ | Elasticsearch host (uses embedded store if not set) | — |
| ELASTIC_PORT | string | ❌ | ❌ | Elasticsearch port | — |
| ELASTICSEARCH_USERNAME | string | ❌ | ❌ | Elasticsearch username | — |
| ELASTICSEARCH_PASSWORD | string | ❌ | ❌ | Elasticsearch password | — |
| ELASTICSEARCH_CACERT | string | ❌ | ❌ | CA certificate for Elasticsearch TLS | — |
| identityProvider_oidc_scopes | string | ❌ | ❌ | Specifies the scopes sent to the OIDC provider during authentication. The required openid scope is included by default, and any additional scopes are appended.In many cases, extra scopes such as profile or email are needed when user records in TSB cannot be uniquely identified using only the sub claim from the ID token. | — |
| identityProvider_oidc_redirectUri | string | ❌ | ✅ | Specifies the public URI where TSB is accessed. This is the redirect URI used by the OIDC provider after successful authentication and must be registered with the provider. The URI must include the path: /iam/v2/oidc/callbackExample: If TSB is accessible at https://example.com, then the redirect URI must be:https://example.com/iam/v2/oidc/callbackEnsure that this value exactly matches the redirect URI configured in the OIDC provider application settings. | https://example.com/iam/v2/oidc/callback |
| identityProvider_oidc_providerConfig_dynamic_configurationUri | string | ❌ | ✅ | Specifies the OIDC provider’s well-known configuraation URI. When provided, TSB automatically discovers and configures the OIDC client settings, including: * Authorization endpoint * Token endpoint * JWKS URI This eliminates the need to manually configure these endpoints | — |
Install TIS Plus Management Plane
Method 1: Using Kosmos UI
Log in to Kosmos
Select the cluster to deploy your application.
Click Install App
Fill required fields Note: If using a Fleet cluster to install the application, make sure to create a namespace and a ClusterRoleBinding that grants the service account sufficient permissions to create required resources.
kubectl create namespace <namespace-name>
kubectl create clusterrolebinding <clusterrolebinding-name> \
--clusterrole=cluster-admin \
--serviceaccount=<namespace>:job-tetrate-istio-subscription-plus-management-plane
Method 2: Using Kosmos CLI
Run command kosmos install app [flags] to install the TIS PLUS Management Plane components.
kosmos install app \
--name tetrate-istio-subscription-plus-management-plane \
--fleet <fleet-name> \
--target-cluster <cluster-name> \
--parameter-file <path-to-parameters-yaml-file> \
--target-namespace <namespace-name>
Sample parameter YAML file content
TIS_PLUS_VERSION: <tis-plus-version>
REGISTRY_LOCATION: <registry-location>
ORGANIZATION: <organization>
TIS_PLUS_ADMIN_PASSWORD: <tis-plus-admin-password>
MANAGEMENT_PLANE_REPLICAS: <management-plane-replicas>
Access management plane
You can now obtain the URL to access the TIS Plus Management Plane. This is the IP address or Hostname of the Front Envoy service that can be obtained by running command.
kubectl get svc -n tsb envoy \
--output jsonpath='{.status.loadBalancer.ingress[0]}'
Access the management plane :
https://<management-plane-url>:<port>
Please note: The default port is 8443, unless the Front Envoy port has been changed during installation.
Configure tctl
Run the following commands to configure tctl with your credentials
tctl config clusters set helm \
--bridge-address ${FRONT_ENVOY_ADDRESS}:8443 \
--tls-insecure
tctl config users set helm \
--username admin \
--password ${TIS_PLUS_ADMIN_PASSWORD} \
--org ${ORG}
tctl config profiles set helm \
--cluster helm \
--username helm
tctl config profiles set-current helm
Verify configuration
tctl config view
Onboarding cluster to TIS Plus
Setup pull secrets
To set up pull secrets in the TIS Plus namespacs, run the following commands
kubectl get namespace tis-plus-system || kubectl create namespace tis-plus-system
kubectl create secret docker-registry tis-plus-pull-secret \
--docker-server=<your-registry-server> \
--docker-username=<your-username> \
--docker-password=<your-password> \
--docker-email=<your-email> \
-n tis-plus-system
Register workload cluster
cat <<EOF > cluster-config.yaml
apiVersion: api.tsb.tetrate.io/v2
kind: Cluster
metadata:
name: cluster-1
organization: <organization-name>
EOF
tctl apply -f cluster-config.yaml
tctl x cluster-install-template cluster-1 > cluster-1-values.yaml
Verify registration
tctl get cluster
You can also validate the registered cluster from Management console
Tetrate Istio Subscription Plus (TIS Plus) Control Plane template
The ControlPlane resource defines the configuration required to install the Istio Subscription Plus control plane on a cluster.
The installation API uses an override model, so any optional fields that are not explicitly specified will automatically fall back to sensible default values.
Prerequisites
Before you begin, ensure the following requirements are met:
Acquired Tetrate repository account credentials
Verified installation requirements
Installed supported versions of:
for additional details see supported platforms
Installed TCTL
- The TCTL version must match the TIS Plus version being installed
Istio is installed and running.
helm repo add istio https://istio-release.storage.googleapis.com/charts helm repo update kubectl create namespace istio-system helm install istiod istio/istiod -n istio-system --waitLogged into your private Docker registry
Sync images
Run the following command to sync TIS Plus images for control plane installation:
tctl install image-sync \
--mode observe \
--username <user-name> \
--apikey <api-key> \
--registry <registry-location>
Note:
usernameandapikeymust be your Tetrate repository credentialsregistrymust point to your private Docker registry
Encode cluster configuration
Before proceeding with the template, encode the cluster values file:
base64 < cluster-1-values.yaml
- This command generates a base64-encoded string
- The encoded output will be used as input for the template in subsequent steps
Parameters
| Name | Type | Required | Created by Kosmos Controller | Description | Example / Default Value |
|---|---|---|---|---|---|
| REGISTRY_LOCATION | string | ✅ | ❌ | Location of the private registry containing TIS Plus images | registry.example.com |
| TIS_PLUS_VERSION | string | ✅ | ❌ | TIS Plus version to install | 1.12.6 |
| CONTROL_PLANE_REPLICAS | int | ❌ | ❌ | Number of replicas of TIS Plus control plane operator | 1 |
| CLUSTER_VALUES_ENCODED | string | ✅ | ❌ | Base64-encoded contents of the cluster values YAML file | — |
Install TIS plus control plane
Method 1: Using Kosmos UI
Log in to Kosmos
Select your cluster
Click Install App
Fill required fields
Note: If using a Fleet cluster to install the application, make sure to create a namespace and a ClusterRoleBinding that grants the service account sufficient permissions to create required resources.
kubectl create clusterrolebinding <clusterrolebinding-name> \
--clusterrole=cluster-admin \
--serviceaccount=<namespace>:job-tetrate-istio-subscription-plus-control-plane
Method 2: Using Kosmos CLI
kosmos install app [flags]
Example
kosmos install app \
--name tetrate-istio-subscription-plus-control-plane \
--fleet <fleet-name> \
--target-cluster <cluster-name> \
--parameter-file <path-to-parameters-yaml-file> \
--target-namespace <namespace-name>
Sample parameter YAML file content
CLUSTER_VALUES_ENCODED: <cluster-values-encoded>
REGISTRY_LOCATION: <registry-location>
TIS_PLUS_VERSION: <tis-plus-version>
CONTROL_PLANE_REPLICAS: <control-plane-replicas>
After the Control plane is installed, review the pods
kubectl get pods -n tis-plus-system
Installing Bookinfo Example
Create Tenant
Create Workspace
