Thoth SDK
sdk v0.1.15 / proxy v0.3.3
Kubernetes Operator

Quickstart

Install thoth-operator and reconcile a tenant in Kubernetes.

Prerequisites

  • Kubernetes >= 1.28
  • Helm >= 3.13
  • Network egress from cluster to https://<thoth-control-plane-host>
  • Thoth admin auth token

Install the operator

helm upgrade --install thoth-operator oci://ghcr.io/atensecurity/charts/thoth-operator \
  --version 0.1.0 \
  --namespace thoth-system \
  --create-namespace

Create tenant auth token secret

kubectl -n thoth-system create secret generic thoth-admin-token \
  --from-literal=token='<THOTH_ADMIN_AUTH_TOKEN>'

Apply a ThothTenant resource

apiVersion: platform.atensecurity.com/v1alpha1
kind: ThothTenant
metadata:
  name: tenant-a
  namespace: thoth-system
spec:
  tenantId: tenant-a
  apexDomain: "<apex-domain>"
  authSecretRef:
    name: thoth-admin-token
    key: token
  settings:
    enforceMcpPolicies: true
    approvalMode: "step_up"
  policySync: true
kubectl apply -f thothtenant.yaml

Verify reconciliation

kubectl -n thoth-system get thothtenant tenant-a -o yaml
kubectl -n thoth-system logs deploy/thoth-operator

Expect:

  • .status.phase: Ready
  • Ready condition = True
  • .status.observedGeneration equals .metadata.generation

Secret rotation

Referenced secrets are watched by the operator. Rotating a referenced token secret triggers a new reconciliation without waiting for the standard periodic requeue.

Previous

Kubernetes Operator

Next

CRD Reference

On this page