tctl experimental
Experimental commands that may be modified or deprecated
Options
-h, --help help for experimental
Options inherited from parent commands
--config string Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")
tctl experimental install
Experimental install commands
Options
-h, --help help for install
Options inherited from parent commands
--config string Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")
tctl experimental install profile
Install infra profiles that work with TSB
Options
-h, --help help for profile
Options inherited from parent commands
--config string Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")
tctl experimental install profile aws
Install AWS-hosted infrastructure to run TSB
tctl experimental install profile aws [flags]
Examples
# Create infrastructure for a TSB installation (requires valid AWS credentials and the eksctl CLI installed)
tctl experimental install profile aws --account-id <aws-account-id> --name <profile-name> --registry <ecr-repo-name> --username <username> --password <password>
Options
-i, --account-id string AWS account ID [required]
-a, --availability-zone string AWS availability zone [required] (default "us-east-1b")
--eks-version string EKS Version (default "1.17")
--elastic-version string ES version (default "7.9")
-h, --help help for aws
-n, --name string Profile name to give assets [required]
-w, --password string Password for access to ES and RDS [required]. The master user password must contain at least one uppercase letter, one lowercase letter, one number and one special character, and must not contain '/', '@', '"' or a space.
--postgres-version string RDS Postgres Version (default "11.9")
-r, --region string AWS region to deploy to [required] (default "us-east-1")
-g, --registry string ECR repo name [required]
-u, --username string Username for access to ES and RDS (all lowercase, no special characters) [required]
Options inherited from parent commands
--config string Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")
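Because --password is taken as a command-line argument, a master password that breaks the RDS rules above is only rejected after the profile has started creating AWS resources, and anything typed on the command line lands in shell history. The preflight below is an added example, not part of tctl: it encodes the --username and --password rules stated on this page, checks that the account ID is the 12-digit form AWS uses, reads the secret from a prompt instead of an argument, and only then builds the install command. The function names, the DRY_RUN variable and the acceptance of digits in the username are this script's own assumptions; the page only rules out uppercase and special characters.

```shell
#!/bin/sh
# Credential preflight for `tctl experimental install profile aws`.
# Added example, not part of tctl. Encodes the --username/--password rules from
# the flag descriptions so a bad master password fails here, before any AWS
# resources are created.

# --username: all lowercase, no special characters. Digits are accepted as an
# assumption; the page only forbids uppercase and special characters.
valid_username() {
  case "$1" in
    '')                       return 1 ;;
    *[![:lower:][:digit:]]*)  return 1 ;;
  esac
  return 0
}

# --password: at least one uppercase, one lowercase, one digit and one special
# character; '/', '@', '"' and space are not allowed anywhere.
valid_password() {
  p=$1
  case "$p" in */*|*@*|*\"*|*\ *) return 1 ;; esac   # forbidden characters
  case "$p" in *[[:upper:]]*) ;; *) return 1 ;; esac
  case "$p" in *[[:lower:]]*) ;; *) return 1 ;; esac
  case "$p" in *[[:digit:]]*) ;; *) return 1 ;; esac
  case "$p" in *[![:alnum:]]*) ;; *) return 1 ;; esac   # the special character
  return 0
}

# AWS account IDs are exactly 12 digits.
valid_account_id() {
  case "$1" in ''|*[![:digit:]]*) return 1 ;; esac
  [ "${#1}" -eq 12 ]
}

# Read the master password from the terminal without echo so it never reaches
# shell history. Interactive use only; the checks above do not call it.
read_password() {
  printf 'RDS/ES master password: ' >&2
  stty -echo 2>/dev/null
  read -r pw
  stty echo 2>/dev/null
  printf '\n' >&2
  printf '%s' "$pw"
}

# usage: install_aws_profile <account-id> <profile-name> <ecr-repo> <username> <password>
# Region and availability zone are left at the documented defaults
# (us-east-1 / us-east-1b). DRY_RUN=1 prints the command with the secret redacted.
install_aws_profile() {
  account_id=$1; name=$2; registry=$3; username=$4; password=$5
  valid_account_id "$account_id" || { echo "invalid --account-id: expected 12 digits" >&2; return 2; }
  valid_username "$username"     || { echo "invalid --username: all lowercase, no special characters" >&2; return 2; }
  valid_password "$password"     || { echo "invalid --password: violates the RDS master password rules" >&2; return 2; }
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'tctl experimental install profile aws --account-id %s --name %s --registry %s --username %s --password <redacted>\n' \
      "$account_id" "$name" "$registry" "$username"
    return 0
  fi
  tctl experimental install profile aws --account-id "$account_id" --name "$name" \
    --registry "$registry" --username "$username" --password "$password"
}

# Interactive use (not run here):
#   pw=$(read_password) && install_aws_profile 123456789012 tsb-demo tsb-images tsbadmin "$pw"
```

Reading the password from a prompt keeps it out of history, but the value is still passed to tctl as an argument and is therefore visible in the local process list for the lifetime of the command; the sidecar-bootstrap command further down this page refuses command-line passwords for exactly this reason, and this profile has no equivalent option.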
tctl experimental sidecar-bootstrap
(experimental) Bootstrap Istio Sidecar for a workload that runs on a VM or on bare metal (mesh expansion scenarios)
Synopsis
(experimental) Takes in one or more WorkloadEntry(s), generates identity(s) for them, and optionally copies the generated files to the remote node(s) over the SSH protocol and starts Istio Sidecar(s) there.
Alternatively, if SSH is not enabled on the remote node(s), the generated files can be saved locally instead. In that case you can transfer the files to the remote node(s) using whatever mechanism best suits your environment.
If you choose to copy the generated files to the remote node(s) over SSH, you will be required to provide SSH credentials, i.e. either an SSH key or an SSH password. If you want to use an SSH password or a passphrase-protected SSH key, you must run this command on an interactive terminal to type the password in. We do not accept passwords through command line options to avoid leaking secrets into shell history. The remote host key is verified by default; --ignore-host-keys disables that check, which lets anyone able to impersonate the node receive the workload identity being copied, so use it only where the host has been verified by other means.
File copying is performed over the SCP protocol, so the scp binary must be installed on the remote node. If scp is installed in a location other than /usr/bin/scp, you have to provide the absolute path to the scp binary by adding the sidecar-bootstrap.istio.io/scp-path annotation to the respective WorkloadEntry resource.
To start Istio Sidecar on the remote node you must have Docker installed there. Istio Sidecar will be started on the host network as a Docker container in capture mode.
While this command can work without any explicit configuration, it is also possible to fine-tune its behavior by adding various annotations to a WorkloadEntry resource. For example, consider the following real-life WorkloadEntry:
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  annotations:
    sidecar-bootstrap.istio.io/proxy-config-dir: /etc/istio-proxy  # Directory on the remote node to copy generated files into
    sidecar-bootstrap.istio.io/ssh-user: istio-proxy               # User to SSH as; must have permissions to run Docker commands
                                                                   # and to write copied files into the target directory
    sidecar.istio.io/statsInclusionRegexps: ".*"                   # Configure Envoy proxy to export all available stats
    proxy.istio.io/config: |
      concurrency: 3                                               # ProxyConfig overrides to apply
  name: my-vm
  namespace: my-namespace
spec:
  address: 1.2.3.4            # At runtime, Istio Sidecar will bind incoming listeners to that address.
                              # At bootstrap time, this command will SSH to that address
  labels:
    app: ratings
    version: v1
    class: vm                 # It's very handy to have extra labels on a WorkloadEntry
                              # to be able to narrow down label selectors to VM workloads only
  network: on-premise         # If your VM doesn't have L3 connectivity to k8s Pods,
                              # make sure to fill in the network field
  serviceAccount: ratings-sa
For a complete list of supported annotations run tctl x sidecar-bootstrap --docs.
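The description above lists three things the remote node must provide before a bootstrap with --start-istio-proxy can succeed: an scp binary at /usr/bin/scp (or at the absolute path given in the sidecar-bootstrap.istio.io/scp-path annotation), a proxy-config-dir the SSH user can write to, and Docker that the SSH user can drive without elevation. The script below is an added example, not part of tctl or Istio, to be run on the VM as the user named in the ssh-user annotation before bootstrapping. The SCP_PATH, CONFIG_DIR and START_PROXY variables and the function names are this script's own; the defaults /usr/bin/scp and /etc/istio-proxy are the values the page uses, and `docker info` is used as the probe for daemon access.

```shell
#!/bin/sh
# Remote-node preflight for `tctl experimental sidecar-bootstrap`.
# Added example, not part of tctl or Istio. Run on the VM as the SSH user that
# the sidecar-bootstrap.istio.io/ssh-user annotation names.

# $1: path the scp-path annotation would carry; /usr/bin/scp when unset.
# The annotation must be an absolute path, and the binary must be executable.
check_scp() {
  scp_path=${1:-/usr/bin/scp}
  case "$scp_path" in
    /*) ;;
    *)  echo "scp path must be absolute: $scp_path" >&2; return 1 ;;
  esac
  [ -x "$scp_path" ] || { echo "scp not executable at $scp_path" >&2; return 1; }
}

# $1: directory the generated files are copied into (proxy-config-dir annotation).
# It must exist and be writable by the current (SSH) user.
check_config_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
  [ -w "$dir" ] || { echo "not writable by $(id -un): $dir" >&2; return 1; }
}

# Docker must be installed and reachable by this user without sudo, because the
# sidecar is started as a container on the host network over the same SSH session.
check_docker() {
  command -v docker >/dev/null 2>&1 || { echo "docker not installed" >&2; return 1; }
  docker info >/dev/null 2>&1 || { echo "$(id -un) cannot reach the Docker daemon" >&2; return 1; }
}

# Run every check and report all failures at once. START_PROXY=0 skips the Docker
# check when only the workload identity is going to be copied.
preflight() {
  rc=0
  check_scp "$SCP_PATH" || rc=1
  check_config_dir "${CONFIG_DIR:-/etc/istio-proxy}" || rc=1
  if [ "${START_PROXY:-1}" = 1 ]; then check_docker || rc=1; fi
  return $rc
}

# Example invocation on the VM (not run here):
#   SCP_PATH=/usr/local/bin/scp CONFIG_DIR=/etc/istio-proxy preflight && echo "ready for sidecar-bootstrap"
```

A node that fails check_config_dir or check_docker will still accept the SSH connection, so without a preflight the failure only shows up after the identity material has been copied; running the checks first keeps a half-bootstrapped node from being left with credentials on disk and no proxy.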
tctl experimental sidecar-bootstrap [<workload-entry-name>[.<namespace>]] [flags]
Examples
# Show under-the-hood actions to copy workload identity of a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace --dry-run
# Show under-the-hood actions to copy workload identity and start Istio Sidecar on a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace --start-istio-proxy --dry-run
# Copy workload identity into a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace
# Copy workload identity and start Istio Sidecar on a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace --start-istio-proxy
# Generate workload identity for a VM represented by a given WorkloadEntry and save generated files into an archive file (*.tgz) at a given path
tctl x sidecar-bootstrap my-vm.my-namespace --output-file path/to/output/file.tgz
# Generate workload identity for a VM represented by a given WorkloadEntry and save generated files into a directory
tctl x sidecar-bootstrap my-vm.my-namespace --output-dir path/to/output/dir
# Print a list of supported annotations on the WorkloadEntry resource:
tctl x sidecar-bootstrap --docs
Options
-a, --all bootstrap all WorkloadEntry(s) in a given namespace
-o, --archive (experimental) save generated files into a local archive file (*.tgz) instead of copying them to a remote machine (file name will be picked automatically)
--context string The name of the kubeconfig context to use
--docs (experimental) print a list of supported annotations on the WorkloadEntry resource
--dry-run print generated configuration and respective SSH commands but don't connect to, copy files or execute commands remotely
--duration duration (experimental) amount of time that generated ServiceAccount tokens should be valid for (default 24h0m0s)
-h, --help help for sidecar-bootstrap
--ignore-host-keys (experimental) do not verify remote host key when establishing SSH connection
--injectConfigMapName string ConfigMap name for Istio sidecar injection, key should be "config" (default "istio-sidecar-injector")
-i, --istioNamespace string Istio system namespace (default "istio-system")
-c, --kubeconfig string Kubernetes configuration file
--meshConfigMapName string ConfigMap name for Istio mesh configuration, key should be "mesh" (default "istio")
-n, --namespace string Config namespace
-d, --output-dir string save generated files into a local directory instead of copying them to a remote machine
--output-file string (experimental) save generated files into a local archive file (*.tgz) instead of copying them to a remote machine (file name is picked by the user)
--ssh-connect-timeout duration (experimental) timeout on establishing SSH connection (default 10s)
-k, --ssh-key string (experimental) authenticate with SSH key at a given location
--ssh-password (experimental) force SSH password-based authentication
--ssh-port int (experimental) default port to SSH to; used only when the 'sidecar-bootstrap.istio.io/ssh-port' annotation is absent from the WorkloadEntry (default 22)
-u, --ssh-user string (experimental) default user to SSH as, defaults to the current user; used only when the 'sidecar-bootstrap.istio.io/ssh-user' annotation is absent from the WorkloadEntry
--start-istio-proxy start Istio Sidecar on a remote host after copying configuration files
--timeout duration (experimental) timeout on copying a single file to a remote host (default 1m0s)
Options inherited from parent commands
--config string Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")
tctl experimental verify
Verify environment is ready for install or installed successfully
tctl experimental verify [flags]
Options
--failure-threshold Level The severity level of analysis at which to set a non-zero exit code. Valid values: [Info Warn Error] (default Warn)
-h, --help help for verify
-L, --list-verifiers List the verifiers that will be run based on the execution context and passed flags
--output-threshold Level The severity level of analysis at which to display messages. Valid values: [Info Warn Error] (default Info)
-s, --suppress stringArray Names of verifiers to suppress
--timeout duration The duration to wait before giving up (default 1m0s)
Options inherited from parent commands
--config string Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")