Control Plane Provisioning Overview

This section describes how to set up a brand new Connect Control Plane. The Control Plane serves as the identity datastore and management layer for your infrastructure and applications. Each isolated trust zone in your deployment is managed by a dedicated SPIRE server, and each SPIRE server is in turn managed by the Connect Control Plane.

The Control Plane runs on a Kubernetes cluster and also uses SPIRE to provide workload identity to the API server itself. Therefore, we first need to deploy a suitable cluster and make some prerequisite deployment decisions before deploying SPIRE to the Control Plane cluster.

Once the backing SPIRE is deployed, the Control Plane API (and optional web UI) can be deployed to the same cluster.

For a production-ready Connect Control Plane, several integrations with major cloud providers are supported for the Connect datastore and trust bundle storage; see Cloud Integrations for more details.

The remainder of this section will walk through the setup steps in the following order:

  1. Prerequisites and decisions

  2. Deploy SPIRE

  3. Connect cloud integrations

  4. Deploy Connect

  5. Deploy Connect UI