Skip to main content
Version: 1.5.x

tctl experimental

tctl experimental

Experimental commands that may be modified or deprecated

Options

  -h, --help   help for experimental

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress

Run a Istio based Ingress Controller for your application

Synopsis

Install a dedicated Ingress Controller in your environment to allow incoming/ingress traffic to be routed to your application. This controller comprises of 3 components - Istiod, Istio Ingressgateway and a TSB OpenAPI Translator. You can configure the Ingress Controller by either specifying Istio config directly in the application namespace or by specifying the OpenAPI document for your application - the OpenAPI translator converts the specification into Istio compatible configuration and applies it on your behalf.

Options

  -h, --help                             help for app-ingress
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.13.5")
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "1103a4be187d61a1b1926f7484621c7f981af20d")

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress docker-compose

Run App Ingress in Docker using docker-compose.

Options

  -h, --help                help for docker-compose
--network string Docker network (default "app-ingress")
--output-dir string Output directory (default "./")

Options inherited from parent commands

      --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.13.5")
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "1103a4be187d61a1b1926f7484621c7f981af20d")
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress docker-compose generate

Generate the required docker-compose.yaml and folder structure to bootstrap App Ingress.

tctl experimental app-ingress docker-compose generate [OPTIONS] [flags]

Options

  -h, --help   help for generate

Options inherited from parent commands

      --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.13.5")
--network string Docker network (default "app-ingress")
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "1103a4be187d61a1b1926f7484621c7f981af20d")
--output-dir string Output directory (default "./")
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress kubernetes

Run App Ingress in Kubernetes

Options

  -f, --filename string             Path to file containing IstioOperator custom resource to further customize the istio components in App Ingress
-h, --help help for kubernetes
--local-charts Enables App Ingress to use the Istio Helm charts (version: 1.13.5) embedded in the binary to generate the Kubernetes manifests.
-n, --namespace string The namespace to deploy the App Ingress deployments and services
-c, --openapi-config-map string Name of the configmap containing the OpenAPI specification (default "openapi-translator")

Options inherited from parent commands

      --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.13.5")
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "1103a4be187d61a1b1926f7484621c7f981af20d")
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress kubernetes generate

Generate the Kuberenetes YAML required to install App Ingress.

tctl experimental app-ingress kubernetes generate [OPTIONS] [flags]

Options

  -h, --help   help for generate

Options inherited from parent commands

      --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-f, --filename string Path to file containing IstioOperator custom resource to further customize the istio components in App Ingress
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.13.5")
--local-charts Enables App Ingress to use the Istio Helm charts (version: 1.13.5) embedded in the binary to generate the Kubernetes manifests.
-n, --namespace string The namespace to deploy the App Ingress deployments and services
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-c, --openapi-config-map string Name of the configmap containing the OpenAPI specification (default "openapi-translator")
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "1103a4be187d61a1b1926f7484621c7f981af20d")
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress kubernetes install

Applies a manifest, installing or reconfiguring App Ingress on a cluster.

Synopsis

The install command generates an App Ingress installation manifest and applies it to a cluster.

tctl experimental app-ingress kubernetes install [flags]

Examples

  # Install a default App Ingress in namespace foo:
tctl x app-ingress kubernetes install -n foo

Options

      --dry-run                      Console/log output only, make no changes.
-h, --help help for install
--readiness-timeout duration Maximum time to wait for Istio resources in each component to be ready. (default 5m0s)
-y, --skip-confirmation The skipConfirmation determines whether the user is prompted for confirmation.
If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verify Verify the Istio control plane after installation/in-place upgrade.

Options inherited from parent commands

      --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-f, --filename string Path to file containing IstioOperator custom resource to further customize the istio components in App Ingress
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.13.5")
--local-charts Enables App Ingress to use the Istio Helm charts (version: 1.13.5) embedded in the binary to generate the Kubernetes manifests.
-n, --namespace string The namespace to deploy the App Ingress deployments and services
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-c, --openapi-config-map string Name of the configmap containing the OpenAPI specification (default "openapi-translator")
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "1103a4be187d61a1b1926f7484621c7f981af20d")
-p, --profile string Use specific profile (default "default")

tctl experimental audit

Get the audit logs for a given resource, showing the most recent events first

tctl experimental audit <apiVersion/kind | kind | shortform> <name> [flags]

Examples

# Get the audit logs for a tenant using the apiVersion/Kind pattern
tctl experimental audit api.tsb.tetrate.io/v2/Tenant

# Get audit logs for a workspace and all its child resources
tctl experimental audit ws my-workspace --recursive

# Get audit logs for a workspace since a given date
tctl experimental audit ws my-workspace --since "2021/10/21 15:54:44" --user "admin"

# Get audit logs related to security groups in the given workspcae
tctl experimental audit ws my-workspace --recursive --kind "security.tsb.tetrate.io/v2/Group"
tctl experimental audit ws my-workspace --recursive --kind "Group"

# Get the audit logs for a gateway group
tctl experimental audit --workspace my-workspace GatewayGroup my-group

Group kind is available for different APIs, so these helpers are available to easily retrieve them:
- TrafficGroup
- SecurityGroup
- GatewayGroup
- IstioInternalGroup

These are the available short forms:
aab: ApplicationAccessBindings
ab: AccessBindings
ap: AuthorizationPolicy
apiab: APIAccessBindings
app: Application
cs: Cluster
dr: DestinationRule
eg: EgressGateway
gab: GatewayAccessBindings
gg: GatewayGroup
gw: Gateway
iab: IstioInternalAccessBindings
ig: IngressGateway
iig: IstioInternalGroup
oab: OrganizationAccessBindings
org: Organization
os: OrganizationSetting
otm: Metric
ots: Source
pa: PeerAuthentication
ra: RequestAuthentication
sa: ServiceAccount
sab: SecurityAccessBindings
sd: Sidecar
se: ServiceEntry
sg: SecurityGroup
sr: ServiceRoute
ss: SecuritySetting
svc: Service
t1: Tier1Gateway
tab: TrafficAccessBindings
tg: TrafficGroup
tnab: TenantAccessBindings
tns: TenantSetting
ts: TrafficSetting
vs: VirtualService
wab: WorkspaceAccessBindings
ws: Workspace
wss: WorkspaceSetting

For API version and kind, please refer to: https://docs.tetrate.io/service-bridge/latest/en-us/reference

Options

      --org string                  Organization the object belongs to
--tenant string Tenant the object belongs to
-w, --workspace string Workspace the object belongs to
-g, --group string Group the object belongs to
-t, --trafficgroup string Traffic group the object belongs to
-s, --securitygroup string Security group the object belongs to
-l, --gatewaygroup string Gateway group the object belongs to
-i, --istiointernalgroup string Istio internal group the object belongs to
-a, --application string Application the object belongs to
--api string API the object belongs to
-o, --output-type string Response output type: table, yaml, json (default "table")
--max-logs int32 Maximum number of entries to retrieve
--text string Filter events that contain the given text
--kind apiVersion/kind Only return entries of this kind. It can be apiVersion/kind or just `kind`
--severity string Filter events by severity
--operation string Filter events by operation
--user string Filter events generated by the given user
--since string Filter events since the given time. Must be in the format: "2006/01/02 15:04:05"
--recursive Get audit logs for child resources as well
-h, --help help for audit

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental debug

Commands to interact with the debug endpoint in TSB components

Options

  -t, --context string      The name of the kubeconfig context to use
-h, --help help for debug
-k, --kubeconfig string Kubernetes configuration file

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental debug dashboard

Opens the debug dashboard for a TSB component

tctl experimental debug dashboard <component> [flags]

Examples


# Open the debug dashboard for the MPC component
tctl experimental debug dashboard management/mpc

Options

      --admin-server-port int    Port where the admin server is listening in the TSB component (default 5555)
--browser When --browser is supplied as false, the browser will not be opened; the URL of the admin dashboard will just be printed (default true)
-c, --controlplane string The namespace where the control plane is deployed (default "istio-system")
-d, --dataplane string The namespace where the data plane is deployed (default "istio-gateway")
-h, --help help for dashboard
-m, --managementplane string The namespace where the management plane is deployed (default "tsb")

Options inherited from parent commands

      --config string       Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
-k, --kubeconfig string Kubernetes configuration file
-p, --profile string Use specific profile (default "default")

tctl experimental debug list-components

Lists the TSB components available in the current kubernetes context

tctl experimental debug list-components [flags]

Examples


# List all the components and their plane association in the current kubectl context
tctl experimental debug list-components

# List all the components and their plane association in the the cluster for which the
# kubectl configuration is stored in a specific context of a different file
tctl experimental debug list-components --kubeconfig /tmp/some-config.yaml --context clusterA

# List all the components and their plane association in the the cluster for which the
# kubectl configuration is stored the default kubeconfig file, in a context different
# that the active one
tctl experimental debug list-components --context clusterB

# If TSB is installed in non-standard namespaces, you can also provide the namespace names
# to use for each plane:
tctl experimental debug list-components --managementplane my-managementplane-ns
tctl experimental debug list-components --controlplane my-controlplane-ns
tctl experimental debug list-components --dataplane my-dataplane-ns

# You can specify more than one namespace in the same command.
tctl experimental debug list-components \
--managementplane my-managementplane-ns \
--controlplane my-controlplane-ns \
--dataplane my-dataplane-ns

Options

  -c, --controlplane string      The namespace where the control plane is deployed (default "istio-system")
-d, --dataplane string The namespace where the data plane is deployed (default "istio-gateway")
-h, --help help for list-components
-m, --managementplane string The namespace where the management plane is deployed (default "tsb")

Options inherited from parent commands

      --config string       Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
-k, --kubeconfig string Kubernetes configuration file
-p, --profile string Use specific profile (default "default")

tctl experimental debug log-level

Checks or sets the log level for TSB components

tctl experimental debug log-level <component> [flags]

Examples


# Check the current log levels for the IAM component
tctl experimental debug log-level management/iamserver

# Set the log for the IAM component in the management plane to debug
tctl experimental debug log-level management/iamserver --level debug

# Set the logger q from the API server to debug
tctl experimental debug log-level management/apiserver --level q:debug

# Set multiple loggers at once
tctl experimental debug log-level management/apiserver --level q:debug,pdp:debug

# Data plane commands work the same for IngressGateway, Tier1Gateway and EgressGateway.

# Check loggers for a given TSB gateway
tctl experimental debug log-level data/bookinfo-gateway

# Set all loggers to trace for a given TSB gateway
tctl experimental debug log-level data/bookinfo-gateway --level trace

# Set the router and http loggers to debug for a given TSB gateway
tctl experimental debug log-level data/bookinfo-gateway --level router:debug,http:debug

Options

      --admin-server-port int     Port where the admin server is listening in the TSB component (default 5555)
-c, --controlplane string The namespace where the control plane is deployed (default "istio-system")
-d, --dataplane string The namespace where the data plane is deployed (default "istio-gateway")
-f, --file string A file containing TSB or Isito resources that will be parsed to infer the workloads that will get the log level adjusted
-h, --help help for log-level
-l, --level strings log level to set, might include a logger name.
In the form [logger:]level. If logger is omitted, the specified level
will be set for all loggers of the given component.

-m, --managementplane string The namespace where the management plane is deployed (default "tsb")
-o, --output-directory string If wait is provided, the directory where to store the log files. It will be created if it does not exist
-w, --wait Whether or not to wait for logs until Ctrl+C is pressed. Resulting logs will be written to separate files per pod.
-y, --yes With yes, the process will not wait for user confirmation at all

Options inherited from parent commands

      --config string       Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
-k, --kubeconfig string Kubernetes configuration file
-p, --profile string Use specific profile (default "default")

tctl experimental es-validate

(experimental) validates Elasticsearch setting in the current Kubernetes context

Synopsis

(experimental) the command is using the current Kubernetes context to query TSB ControlPlane CRD in "istio-system" namespace

To run the command - login to the Kubernetes cluster that has TSB Control Plane deployed tctl x es-validate

The command is using the users current Kubernetes context to query TSB Custom Resources and obtains:

  • Elasticsearch credentials that are stored in "elastic-credentials" secret
  • Elasticsearch CA certificate that is stored in "es-certs" secret
  • TSB Tokens "zipkin-token", "oap-token", "xcp-edge-central-auth-token" and "otel-token"
  • "telemetryStore" and "managementPlane" (only for ControlPlane) sections of TSB Custom Resources The command analyzes the received data and tries to make an educated call to the Elasticsearch
  • if Data from Elasticsearch is returned then the correct config is displayed for the user to apply

Additional checks that are performed:

  • Encoded credentials might have a carriage return - it can cause unpredictable behavior (e.g. oap-deployment works but zipkin using the same credentials fails) - the package informs the user on any found carriage returns in the Kubernetes secret.
  • CA certificate if presented by Elasticsearch gets placed in /tmp directory, and can be easily applied (only if trusted)
  • curl command with the complete list of parameters is displayed to help with additional testing
  • Tokens expiration date is validated and user is informed of any expired tokens
  • Checks can be done when TSB ControlPlane is pointing to standalone Elasticsearch or via MP FrontEnvoy

NOTE:if -m <management plane namespace> is used than checks can fail for within cluster services as the source of the call (shell with tctl) can be outside of the cluster network

tctl experimental es-validate [flags]

Examples

# Check Elasticsearch setting of TSB Control Plane located in 'istio-system' namespace
tctl experimental es-validate

# Check Elasticsearch setting of TSB Control Plane located in 'cpns' namespace
tctl experimental es-validate -n cpns

# Check Elasticsearch setting of TSB Management plane located in 'tsb' namespace
tctl experimental es-validate -m tsb

Options

  -n, --controlplane string      The namespace in the cluster that the control plane is installed in. (default "istio-system")
-h, --help help for es-validate
-m, --managementplane string The namespace in the cluster that the management plane is installed in (MP is checked only when the namespace is present - MP is usually installed in 'tsb' namespase).

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental gitops

Configures clusters to use GitOps flows

Options

  -h, --help   help for gitops

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental gitops grant

Grant permissions to use GitOps features in the given cluster

tctl experimental gitops grant [flags]

Examples


# Grant permissions to use GitOps features in the given cluster.
# By default the cluster service account will have permissions to manage configuration in the
# configured organization.
tctl experimental gitops grant <cluster-name>

# Only give GitOps permissions on a specific tenant.
tctl experimental gitops grant <cluster-name> --tenant <tenant-name>

# Only give GitOps permissions on a specific workspace.
tctl experimental gitops grant <cluster-name> --tenant <tenant-name> --workspace <workspace-name>

Options

  -h, --help               help for grant
-t, --tenant string The name of the tenant to enable GitOps for.
-w, --workspace string The name of the workspace to enable GitOps for.

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental service-account

Commands to manage TSB service accounts

Options

  -h, --help   help for service-account

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental service-account create

Creates a new service account

Synopsis

Creates a new service account

This command creates a new service account with a new key pair and prints the generated private key to the standard output.

The private key should be stored securely, as it cannot be retrieved again and it is required if you want to generate authentication tokens for the service account.

tctl experimental service-account create <name> [flags]

Options

  -h, --help   help for create

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental service-account delete

Deletes a service account

Synopsis

Deletes a service account and all its keys

tctl experimental service-account delete <name> [flags]

Options

  -h, --help   help for delete

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental service-account gen-key

Generate a new key pair for the given service account

Synopsis

Generate a new key pair for the given service account

This command generates a new key pair for the service account and prints the generated private key to the standard output.

The key private key should be stored securely, as it cannot be retrieved again and it is required if you want to generate authentication tokens for the service account.

tctl experimental service-account gen-key <name> [flags]

Options

  -h, --help   help for gen-key

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental service-account get

Get one or multiple service accounts

tctl experimental service-account get [<name>] [flags]

Options

  -h, --help                 help for get
-o, --output-type string Response output type: table, yaml, json (default "table")

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental service-account revoke-key

Revoke a given key pair for the given service account

tctl experimental service-account revoke-key <name> --id <key id> [flags]

Options

  -h, --help        help for revoke-key
--id string ID of the key to revoke

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental service-account token

Generate a new token that can be used to authenticate to TSB

Synopsis

Generate a new token that can be used to authenticate to TSB

This command generates a new token to authenticate to TSB as the service account. The command reads the private key from the specified file and uses it to sign the token. You can generate a new private key using the gen-key command.

tctl experimental service-account token <name> --key-path <key file> [--expiration <expiration>] [flags]

Options

      --expiration duration   Expiration for the token (default 30m0s)
-h, --help help for token
--key-path string Path to the file that contains the private key to use to generate the token

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental sidecar-bootstrap

(experimental) Bootstrap Istio Sidecar for a workload that runs on VM or Baremetal (mesh expansion scenarios)

Synopsis

(experimental) Takes in one or more WorkloadEntry(s), generates identity(s) for them, and optionally copies generated files to the remote node(s) over SSH protocol and starts Istio Sidecar(s) there.

Alternatively, if SSH is not enabled on the remote node(s), generated files can be saved locally instead. In that case you will be able to transfer files to the remote node(s) using a mechanism that suits best your particular environment.

If you choose to copy generated files to the remote node(s) over SSH, you will be required to provide SSH credentials, i.e. either SSH Key or SSH Password. If you want to use an SSH Password or a passphrase-protected SSH Key, you must run this command on an interactive terminal to type the password in. We do not accept passwords through command line options to avoid leaking secrets into shell history.

File copying is performed over SCP protocol, and as such SCP binary must be installed on the remote node. If SCP is installed in a location other than /usr/bin/scp, you have to provide absolute path to the SCP binary by adding sidecar-bootstrap.istio.io/scp-path annotation to the respective WorkloadEntry resource.

To start Istio Sidecar on the remote node you must have Docker installed there. Istio Sidecar will be started on the host network as a docker container in capture mode.

While this command can work without any explicit configuration, it is also possible to fine tune its behavior by adding various annotations on a WorkloadEntry resource. E.g., consider the following real life example:

apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
annotations:
sidecar-bootstrap.istio.io/proxy-config-dir: /etc/istio-proxy # Directory on the remote node to copy generated files into
sidecar-bootstrap.istio.io/ssh-user: istio-proxy # User to SSH as; must have permissions to run Docker commands
# and to write copied files into the target directory
sidecar.istio.io/statsInclusionRegexps: ".*" # Configure Envoy proxy to export all available stats
proxy.istio.io/config: |
concurrency: 3 # ProxyConfig overrides to apply
name: my-vm
namespace: my-namespace
spec:
address: 1.2.3.4 # At runtime, Istio Sidecar will bind incoming listeners to that address.
# At bootstrap time, this command will SSH to that address
labels:
app: ratings
version: v1
class: vm # It's very handy to have extra labels on a WorkloadEntry
# to be able to narrow down label selectors to VM workloads only
network: on-premise # If your VM doesn't have L3 connectivity to k8s Pods,
# make sure to fill in network field
serviceAccount: ratings-sa

For a complete list of supported annotations run tctl x sidecar-bootstrap --docs.

tctl experimental sidecar-bootstrap [<workload-entry-name>[.<namespace>]] [flags]

Examples

  # Show under-the-hood actions to copy workload identity of a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace --dry-run

# Show under-the-hood actions to copy workload identity and start Istio Sidecar on a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace --start-istio-proxy --dry-run

# Copy workload identity into a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace

# Copy workload identity and start Istio Sidecar on a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace --start-istio-proxy

# Generate workload identity for a VM represented by a given WorkloadEntry and save generated files into an archive file (*.tgz) at a given path
tctl x sidecar-bootstrap my-vm.my-namespace --output-file path/to/output/file.tgz

# Generate workload identity for a VM represented by a given WorkloadEntry and save generated files into a directory
tctl x sidecar-bootstrap my-vm.my-namespace --output-dir path/to/output/dir

# Print a list of supported annotations on the WorkloadEntry resource:
tctl x sidecar-bootstrap --docs

Options

  -a, --all                            bootstrap all WorkloadEntry(s) in a given namespace
-o, --archive (experimental) save generated files into a local archive file (*.tgz) instead of copying them to a remote machine (file name will be picked automatically)
--context string The name of the kubeconfig context to use
--docs (experimental) print a list of supported annotations on the WorkloadEntry resource
--dry-run print generated configuration and respective SSH commands but don't connect to, copy files or execute commands remotely
--duration duration (experimental) amount of time that generated ServiceAccount tokens should be valid for (default 24h0m0s)
-h, --help help for sidecar-bootstrap
--ignore-host-keys (experimental) do not verify remote host key when establishing SSH connection
-i, --istioNamespace string Istio system namespace (default "istio-system")
-c, --kubeconfig string Kubernetes configuration file
-n, --namespace string Config namespace
-d, --output-dir string save generated files into a local directory instead of copying them to a remote machine
--output-file string (experimental) save generated files into a local archive file (*.tgz) instead of copying them to a remote machine (file name is picked by the user)
--ssh-connect-timeout duration (experimental) timeout on establishing SSH connection (default 10s)
-k, --ssh-key string (experimental) authenticate with SSH key at a given location
--ssh-password (experimental) force SSH password-based authentication
--ssh-port int (experimental) default port to SSH to (is only effective unless the 'sidecar-bootstrap.istio.io/ssh-port' annotation is present on a WorkloadEntry) (default 22)
-u, --ssh-user string (experimental) default user to SSH as, defaults to the current user (is only effective unless the 'sidecar-bootstrap.istio.io/ssh-user' annotation is present on a WorkloadEntry)
--start-istio-proxy start Istio Sidecar on a remote host after copying configuration files
--timeout duration (experimental) timeout on copying a single file to a remote host (default 1m0s)

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental status

Get the status of an object

tctl experimental status <apiVersion/kind | kind | shortform> <name> [flags]

Examples

# Get the status of a tenant using the apiVersion/Kind pattern
tctl experimental status api.tsb.tetrate.io/v2/Tenant my-tenant

# Get the status of a workspace using the short form
tctl experimental status ws my-workspace

# Get the status of a gateway group
tctl experimental status --workspace my-workspace GatewayGroup my-group

Group kind is available for different APIs, so this helpers are available to easly retrieve them:
- TrafficGroup
- SecurityGroup
- GatewayGroup
- IstioInternalGroup

These are the available short forms:
aab: ApplicationAccessBindings
ab: AccessBindings
ap: AuthorizationPolicy
apiab: APIAccessBindings
app: Application
cs: Cluster
dr: DestinationRule
eg: EgressGateway
gab: GatewayAccessBindings
gg: GatewayGroup
gw: Gateway
iab: IstioInternalAccessBindings
ig: IngressGateway
iig: IstioInternalGroup
oab: OrganizationAccessBindings
org: Organization
os: OrganizationSetting
otm: Metric
ots: Source
pa: PeerAuthentication
ra: RequestAuthentication
sa: ServiceAccount
sab: SecurityAccessBindings
sd: Sidecar
se: ServiceEntry
sg: SecurityGroup
sr: ServiceRoute
ss: SecuritySetting
svc: Service
t1: Tier1Gateway
tab: TrafficAccessBindings
tg: TrafficGroup
tnab: TenantAccessBindings
tns: TenantSetting
ts: TrafficSetting
vs: VirtualService
wab: WorkspaceAccessBindings
ws: Workspace
wss: WorkspaceSetting

For API version and kind, please refer to: https://docs.tetrate.io/service-bridge/latest/en-us/reference

Options

      --org string                  Organization the object belongs to
--tenant string Tenant the object belongs to
-w, --workspace string Workspace the object belongs to
-g, --group string Group the object belongs to
-t, --trafficgroup string Traffic group the object belongs to
-s, --securitygroup string Security group the object belongs to
-l, --gatewaygroup string Gateway group the object belongs to
-i, --istiointernalgroup string Istio internal group the object belongs to
-a, --application string Application the object belongs to
--api string API the object belongs to
--telemetry-source string Telemetry source the object belongs to
-o, --output-type string Response output type: table, yaml, json (default "table")
-h, --help help for status

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental verify

Verify environment is ready for install or installed successfully

tctl experimental verify [flags]

Options

      --failure-threshold Level   The severity level of analysis at which to set a non-zero exit code. Valid values: [   Info Warn Error] (default Warn)
-h, --help help for verify
-L, --list-verifiers List the verifiers that will be run based on the execution context and passed flags
--output-threshold Level The severity level of analysis at which to display messages. Valid values: [ Info Warn Error] (default Info)
-s, --suppress stringArray Names of verifiers to suppress
--timeout duration The duration to wait before giving up (default 1m0s)

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")

tctl experimental wait

Wait until a resource reaches the desired status

tctl experimental wait <apiVersion/kind | kind | shortform> <name> [flags]

Examples

Wait command assumes the default desired status is READY for any resource.
Also, --status and --event optional parameters can be provided to specificy another status to wait for.
Keep in mind that the desired status could never be reached if something fails, it would reach
a failed status instead. In this case, the wait command would finish even though the resource didn't reach the desired status.

# Wait for a tenant using the apiVersion/Kind pattern
tctl experimental wait api.tsb.tetrate.io/v2/Tenant

# Wait for a workspace to be ready using the short form
tctl experimental wait ws my-workspace --status READY

# Wait for a workspace to be ready in no more than 1 minute
tctl experimental wait workspace my-workspace --status READY --timeout 1m

# Wait for a a gateway group to be accepted by XCP
tctl experimental wait --workspace my-workspace GatewayGroup my-group --status ACCEPTED --event XCP_ACCEPTED

Group kind is available for different APIs, so these helpers are available to easily retrieve them:
- TrafficGroup
- SecurityGroup
- GatewayGroup
- IstioInternalGroup

These are the available short forms:
aab: ApplicationAccessBindings
ab: AccessBindings
ap: AuthorizationPolicy
apiab: APIAccessBindings
app: Application
cs: Cluster
dr: DestinationRule
eg: EgressGateway
gab: GatewayAccessBindings
gg: GatewayGroup
gw: Gateway
iab: IstioInternalAccessBindings
ig: IngressGateway
iig: IstioInternalGroup
oab: OrganizationAccessBindings
org: Organization
os: OrganizationSetting
otm: Metric
ots: Source
pa: PeerAuthentication
ra: RequestAuthentication
sa: ServiceAccount
sab: SecurityAccessBindings
sd: Sidecar
se: ServiceEntry
sg: SecurityGroup
sr: ServiceRoute
ss: SecuritySetting
svc: Service
t1: Tier1Gateway
tab: TrafficAccessBindings
tg: TrafficGroup
tnab: TenantAccessBindings
tns: TenantSetting
ts: TrafficSetting
vs: VirtualService
wab: WorkspaceAccessBindings
ws: Workspace
wss: WorkspaceSetting

For API version and kind, please refer to: https://docs.tetrate.io/service-bridge/latest/en-us/reference

Options

      --org string                  Organization the object belongs to
--tenant string Tenant the object belongs to
-w, --workspace string Workspace the object belongs to
-g, --group string Group the object belongs to
-t, --trafficgroup string Traffic group the object belongs to
-s, --securitygroup string Security group the object belongs to
-l, --gatewaygroup string Gateway group the object belongs to
-i, --istiointernalgroup string Istio internal group the object belongs to
-a, --application string Application the object belongs to
--api string API the object belongs to
-o, --output-type string Response output type: table, yaml, json (default "table")
--status string The status to wait for. One of [ACCEPTED READY FAILED DIRTY PARTIAL] (default "READY")
--event string The type of the last event to wait for. One of [TSB_ACCEPTED MPC_ACCEPTED XCP_ACCEPTED XCP_REJECTED MPC_FAILED XCP_UNKNOWN XCP_PARTIALLY_APPLIED XCP_APPLIED XCP_ERRORED XCP_IGNORED MPC_DIRTY]
--timeout duration The timeout to fail the command if the condition is not reached (default 2m0s)
-h, --help help for wait

Options inherited from parent commands

      --config string    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
-p, --profile string Use specific profile (default "default")