Tectonic Deployer Configuration Details

This guide walks through customizing your Tectonic configuration, which is stored within several files. Follow the instructions to customize your configuration.

Create and Convert Deployer Config

Create a configuration file called deployer-config.txt, starting from the example below, and adjust it to your desired configuration.

Replace ${CLUSTER_HOSTNAME} with a hostname that has A records for every worker machine in the cluster, or with a load balancer that forwards traffic to all workers. This works because the Console and Identity services are exposed as Kubernetes NodePort services: each listens on the same port on every machine in the cluster, so any worker can accept the connection.

Configure the identity-db-url with the details required to connect to your Postgres database, in standard DSN format.

All other values already match the defaults, unless you changed them in earlier steps.

Example Deployer Config

# This file contains the necessary user-supplied settings for Tectonic.
# It is intended as input to generate-deployer-config.sh

# URL for Identity DB

# Issuer for identity; used by Identity itself, Console, and other Relying Parties of Identity.

# Customizes identity screens
identity-issuer-name=Organization ID Services

# Email address for Identity to send from.

# Console URL

# Email address of the identity admin user

# Certificate Authorities for Console: This should be the name of a Kubernetes Secret
# containing a "config" key, whose values are PEM-formatted certificates. These
# will be the trusted CAs that Console uses to make https requests. If this
# value is empty, then the host's root CAs will be used.

# Secret containing TLS cert and key for Identity

# Secret containing TLS cert and key for Console

Customizing the Deployer Config for your Site

The fields in the deployer-config.txt file understood by the generate-deployer-config script are described below.

  • identity-db-url: The database used by Identity to store user information. Should be a PostgreSQL DSN format string yielding a connection to an existing, empty PostgreSQL DB.
  • identity-issuer-url: This is the URL for the Tectonic Identity service, against which Console will authorize users. This should be the same URL as set in Tectonic Services for the tectonic-identity-worker service.
  • identity-issuer-name: This string will appear to users, e.g., "Sign into identity-issuer-name …"
  • identity-email-from: This is the email address that Identity will send email from.
  • console-url: This is the URL used to access Console. Used by tectonic-manager to set up post-authentication redirects. This should be the same URL set in "Tectonic Services" for the tectonic-console service.
  • identity-admin-user: Email address of the primary administrator; granted full administrator rights. The password will be created and stored in a secret later in this guide.
  • tectonic-ca-cert-secret: Name of the secret containing signing CA for the console and identity services' TLS certificates. May be empty, in which case only host CAs are used.
  • tectonic-identity-tls-secret, tectonic-console-tls-secret: Names of secrets containing TLS cert, key for terminating TLS in identity and console apps. They can be the same if they are using wildcard domain certs. These are the names of the secrets created in the configure TLS certs step.

After adjusting your deployer-config.txt according to the above, use generate-deployer-config.sh to convert it to a secret for loading into your cluster. Note that identity-db-url normally embeds the database password, and the generated secret file holds every value base64-encoded rather than encrypted, so treat both files as sensitive and keep them out of version control:

$ ./generate-deployer-config.sh deployer-config.txt tectonic-deployer-config-secret.yml

$ kubectl create -f tectonic-deployer-config-secret.yml
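The checks below are an added example, not part of Tectonic or its scripts: a small validator for deployer-config.txt that parses the key=value format described above and reports the problems worth catching before running generate-deployer-config.sh (a missing or duplicated field, an unreplaced ${CLUSTER_HOSTNAME}, a non-Postgres DSN, an http:// issuer or Console URL, a secret name Kubernetes would reject). The field names are the ones listed above; the secret-name rule is Kubernetes' own DNS-1123 rule; requiring https is this example's policy rather than something the guide states. The sample hostnames, NodePort numbers and credentials are constructed.

```python
"""Sanity-check a deployer-config.txt before converting it to a Secret.

Added example, not part of Tectonic or its scripts. Field names come from the
list in this guide; the secret-name rule is Kubernetes' DNS-1123 rule; the
https requirement for the issuer and Console URLs is this example's policy.
"""
import re
from urllib.parse import urlparse

REQUIRED_KEYS = (
    "identity-db-url", "identity-issuer-url", "identity-issuer-name",
    "identity-email-from", "console-url", "identity-admin-user",
    "tectonic-identity-tls-secret", "tectonic-console-tls-secret",
)
OPTIONAL_KEYS = ("tectonic-ca-cert-secret",)   # empty means: use the host's root CAs
URL_KEYS = ("identity-issuer-url", "console-url")
SECRET_NAME_KEYS = ("tectonic-ca-cert-secret", "tectonic-identity-tls-secret",
                    "tectonic-console-tls-secret")
EMAIL_KEYS = ("identity-email-from", "identity-admin-user")
DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_deployer_config(text):
    """Return ({key: value}, [keys seen more than once]). Blank lines and
    '#' comments are skipped; a line without '=' is a hard error."""
    config, duplicates = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected key=value, got %r" % (lineno, raw))
        key, _, value = line.partition("=")   # split on the first '=' only; DSNs contain '='
        key, value = key.strip(), value.strip()
        if key in config:
            duplicates.append(key)
        config[key] = value
    return config, duplicates


def validate_deployer_config(config, duplicates=()):
    """Return a list of human-readable findings; an empty list means the file
    is ready for generate-deployer-config.sh."""
    findings = ["%s: set more than once" % k for k in duplicates]
    for key in REQUIRED_KEYS:
        if not config.get(key):
            findings.append("%s: required but missing or empty" % key)
    for key in config:
        if key not in REQUIRED_KEYS and key not in OPTIONAL_KEYS:
            findings.append("%s: unknown key (typo?)" % key)
    dsn = config.get("identity-db-url")
    if dsn and urlparse(dsn).scheme not in ("postgres", "postgresql"):
        findings.append("identity-db-url: expected a postgres:// DSN")
    for key in URL_KEYS:
        value = config.get(key)
        if not value:
            continue
        if "${CLUSTER_HOSTNAME}" in value:
            findings.append("%s: placeholder ${CLUSTER_HOSTNAME} not replaced" % key)
        if urlparse(value).scheme != "https":
            findings.append("%s: must be an https URL (login tokens and session cookies travel here)" % key)
    for key in SECRET_NAME_KEYS:
        value = config.get(key)
        if value and (len(value) > 253 or not DNS1123_SUBDOMAIN.match(value)):
            findings.append("%s: %r is not a valid Kubernetes Secret name" % (key, value))
    for key in EMAIL_KEYS:
        value = config.get(key)
        if value and not EMAIL.match(value):
            findings.append("%s: %r does not look like an email address" % (key, value))
    return findings


def check_deployer_config(text):
    config, duplicates = parse_deployer_config(text)
    return validate_deployer_config(config, duplicates)


# Constructed sample (hostnames, NodePort numbers and credentials are assumed values).
SAMPLE_CONFIG = """\
# URL for Identity DB
identity-db-url=postgres://identity:s3cret@db.example.internal:5432/identity?sslmode=require
identity-issuer-url=https://tectonic.example.com:32000
identity-issuer-name=Organization ID Services
identity-email-from=no-reply@example.com
console-url=https://tectonic.example.com:32001
identity-admin-user=admin@example.com
tectonic-ca-cert-secret=
tectonic-identity-tls-secret=tectonic-identity-tls
tectonic-console-tls-secret=tectonic-console-tls
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in check_deployer_config(text) or ["ok: no findings"]:
        print(finding)
```

Run it as `python3 check-deployer-config.py deployer-config.txt`; with no argument it checks the embedded sample. The https check matters because the issuer URL is what browsers and Console are redirected to during login, so a plain-http issuer would expose the authentication exchange on the wire.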

Configuring the Identity Emailer

Identity controls how it sends email, for events such as password resets, through an emailer configuration in the JSON format consumed by its underlying Dex engine. Create such an emailer config file, then convert it into a secret with the generate-secrets-from-file.sh script used earlier in this guide:

$ ./generate-secrets-from-file.sh tectonic-identity-emailer-config tectonic-identity-emailer-config-secret.yml identity-emailer.json

Load the resulting secret into the cluster:

$ kubectl create -f tectonic-identity-emailer-config-secret.yml

Creating Identity Connectors

Connectors allow Identity's underlying Dex engine to delegate authentication to one or more external identity providers. In the simplest case, described here, local logins are authenticated by Identity itself based on user ID and password. The simple connector definition for this configuration looks like:

[
	{
		"type": "local",
		"id": "local"
	}
]

Store this JSON excerpt in a file named identity-connectors.json for conversion into a secret named tectonic-identity-connectors, by the usual means:

$ ./generate-secrets-from-file.sh tectonic-identity-connectors tectonic-identity-connectors-secret.yml identity-connectors.json

$ kubectl create -f tectonic-identity-connectors-secret.yml
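What the generate-secrets-from-file.sh step amounts to, for both the emailer config and the connectors config above, is shown in this added example. It is not Tectonic's script (the guide does not show that script's output), only a standard-library reimplementation of the conversion: it checks the connectors file has the shape shown above (a JSON array of objects with "type" and "id"), refuses to package a file that still contains a ${...} placeholder, and emits a Secret manifest as JSON, which kubectl accepts wherever it accepts YAML. The data key used for the file is an assumption. It also decodes the manifest back, to make the point that Secret data is base64-encoded rather than encrypted.

```python
"""Package a config file as a Kubernetes Secret manifest.

Added example, not Tectonic's generate-secrets-from-file.sh. Name and data-key
rules are Kubernetes' own; the connector checks follow the local-connector
shape shown in this guide; the data key (the file name) is an assumption.
"""
import base64
import json
import re

# Object names are DNS-1123 subdomains; Secret data keys may contain [-._a-zA-Z0-9].
DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
DATA_KEY = re.compile(r"^[-._a-zA-Z0-9]+$")
PLACEHOLDER = re.compile(r"\$\{[A-Z_]+\}")


def validate_connectors(payload):
    """Parse a connectors file and check it is a non-empty JSON array whose
    entries each carry a string "type" and a unique string "id"."""
    connectors = json.loads(payload)
    if not isinstance(connectors, list) or not connectors:
        raise ValueError("connectors must be a non-empty JSON array")
    seen = set()
    for c in connectors:
        if (not isinstance(c, dict) or not isinstance(c.get("type"), str)
                or not isinstance(c.get("id"), str)):
            raise ValueError("each connector needs string fields 'type' and 'id'")
        if c["id"] in seen:
            raise ValueError("duplicate connector id %r" % c["id"])
        seen.add(c["id"])
    return connectors


def secret_manifest(name, files, namespace=None):
    """files maps a data key (here, the file name) to the file's bytes.
    Values are only base64-encoded, so the manifest is as sensitive as the inputs."""
    if len(name) > 253 or not DNS1123_SUBDOMAIN.match(name):
        raise ValueError("invalid secret name %r" % name)
    data = {}
    for key, content in files.items():
        if not DATA_KEY.match(key):
            raise ValueError("invalid data key %r" % key)
        if PLACEHOLDER.search(content.decode("utf-8", "replace")):
            raise ValueError("%s still contains an unreplaced ${...} placeholder" % key)
        data[key] = base64.b64encode(content).decode("ascii")
    manifest = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                "metadata": {"name": name}, "data": data}
    if namespace:
        manifest["metadata"]["namespace"] = namespace
    return manifest


def decode_secret(manifest):
    """Inverse of secret_manifest: anyone allowed to read the Secret gets this."""
    return {k: base64.b64decode(v) for k, v in manifest["data"].items()}


# Constructed input: the local connector definition from this guide.
CONNECTORS_JSON = b'[\n\t{\n\t\t"type": "local",\n\t\t"id": "local"\n\t}\n]\n'


def build_connectors_secret():
    """Validate the connectors file, then wrap it in the tectonic-identity-connectors Secret."""
    validate_connectors(CONNECTORS_JSON)
    return secret_manifest("tectonic-identity-connectors",
                           {"identity-connectors.json": CONNECTORS_JSON})


if __name__ == "__main__":
    # Produces a file of the kind the guide then loads with `kubectl create -f`.
    with open("tectonic-identity-connectors-secret.json", "w") as fh:
        json.dump(build_connectors_secret(), fh, indent=2)
```

The same secret_manifest call with identity-emailer.json as the input produces the emailer secret; the placeholder check is what catches an SMTP password or API key that was never filled in before it reaches the cluster.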

See Configuring Connectors for information on Connector setups for external providers and other advanced configurations.