GitHub Action
TCA is available as a GitHub Action, enabling you to automate Istio configuration validation as part of your CI/CD pipeline. This integration helps teams catch potential issues early in the development cycle and maintain consistent configuration standards across their service mesh deployments.
Features
- Validates Istio configurations in pull requests
- Supports multiple operating modes (hybrid, local-only, cluster)
- Provides detailed analysis results as PR comments
- Enables scheduled configuration audits
- Integrates with existing CI/CD workflows
Prerequisites
Before using the TCA GitHub Action, ensure you have:
- A valid Tetrate Istio Subscription (TIS)
- Access to a Kubernetes cluster with Istio installed (for hybrid and cluster modes)
- A GitHub repository with Istio configuration files
Operating Modes
TCA GitHub Action supports three operating modes to accommodate different validation scenarios:
Hybrid Mode
Hybrid mode analyzes both local configuration files and cluster context, providing comprehensive validation. This mode is ideal for validating changes before deployment while considering the existing cluster state.
```yaml
name: Hybrid Config Analysis
on:
  pull_request:
    paths:
      - 'istio/**'
jobs:
  analyze-configs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate Istio Configs
        id: tca  # step id referenced below as steps.tca
        uses: tetratelabs/tca-action@main
        with:
          tis-password: ${{ secrets.TIS_PASSWORD }}
          mesh-config: |-
            ./istio/gateway.yaml
            ./istio/virtualservice.yaml
          kube-config: ${{ secrets.KUBECONFIG }}
      - name: Comment on PR with results
        uses: thollander/actions-comment-pull-request@v3
        with:
          file-path: ${{ steps.tca.outputs.result-file }}
      - name: Optionally Fail if there are errors
        run: |
          if [ ${{ env.error-count }} -gt 0 ]; then
            exit 1
          fi
```
The results of the analysis appear in the PR comments.
Local-Only Mode
Use local-only mode for initial validation of configuration files without requiring cluster access. This mode is particularly useful in early development stages or when cluster access isn't available.
Local-only mode requires the following Istio resources to be included in your mesh-config files:
- Istio mesh-config configmap
- Istiod deployment resource
- Istio secrets
```yaml
name: Local Config Analysis
on:
  pull_request:
    paths:
      - 'istio/**'
jobs:
  analyze-configs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: TCA Local Analysis
        uses: tetratelabs/tca-action@main
        with:
          tis-password: ${{ secrets.TIS_PASSWORD }}
          mesh-config: |-
            ./istio/mesh-configs.yaml
            ./istio/app-configs.yaml
          local-only: true
```
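The three resources that local-only mode requires can be checked in a step before the action runs. The script below is an added example, not part of tca-action or its documentation; it assumes the default Istio resource names (ConfigMap `istio`, Deployment `istiod`) and simple block-style manifests, and `MESH_CM` and `ISTIOD` are hypothetical override variables.

```shell
#!/bin/sh
# Added example, not part of tca-action. Assumes default Istio names (ConfigMap
# "istio", Deployment "istiod") and block-style YAML: "kind:" at column 0 and
# "name:" indented two spaces under "metadata:". MESH_CM / ISTIOD are hypothetical
# override variables for non-default names.

# list_resources FILE... : print one "Kind/name" line per YAML document.
list_resources() {
  awk '
    function emit() { if (kind != "") print kind "/" name; kind = name = ""; meta = 0 }
    FNR == 1 || /^---/ { emit() }             # new file or separator: new document
    /^kind:/           { kind = $2; gsub(/[^A-Za-z]/, "", kind); meta = 0; next }
    /^metadata:/       { meta = 1; next }
    /^[^ #]/           { meta = 0 }            # another top-level key ends metadata
    meta && /^  name:/ { name = $2; gsub(/[^A-Za-z0-9.-]/, "", name) }
    END                { emit() }
  ' "$@"
}

# check_local_only FILE... : 0 if the mesh ConfigMap, the istiod Deployment and at
# least one Secret are present; otherwise report what is missing and return 1.
check_local_only() {
  found=$(list_resources "$@") || return 2
  missing=""
  for want in "ConfigMap/${MESH_CM:-istio}" "Deployment/${ISTIOD:-istiod}"; do
    printf '%s\n' "$found" | grep -Fxq "$want" || missing="$missing $want"
  done
  printf '%s\n' "$found" | grep -q '^Secret/' || missing="$missing Secret/*"
  [ -z "$missing" ] && return 0
  echo "local-only pre-flight: missing$missing" >&2
  return 1
}

# Constructed sample manifests (trimmed to the fields the check reads).
demo=$(mktemp -d)
cat > "$demo/mesh-configs.yaml" <<'EOF'
kind: ConfigMap
metadata:
  labels:
    name: not-the-resource-name
  name: istio
---
kind: Deployment
metadata:
  name: "istiod"
EOF
printf 'kind: Secret\nmetadata:\n  name: cacerts\n' > "$demo/secrets.yaml"
check_local_only "$demo/mesh-configs.yaml" "$demo/secrets.yaml" && echo "inputs OK"
```

The check does not handle `kind: List` wrappers or flow-style YAML, and it does not compare namespaces.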
Cluster Mode
Cluster mode performs analysis on deployed configurations in your Kubernetes cluster. This mode is ideal for regular audits and detecting configuration drift.
```yaml
name: Daily Cluster Analysis
on:
  schedule:
    - cron: '0 0 * * *' # Run daily at midnight UTC
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: tetratelabs/tca-action@main
        with:
          tis-password: ${{ secrets.TIS_PASSWORD }}
          kube-config: ${{ secrets.KUBECONFIG }}
```
Configuration Options
Inputs
| Input | Description | Required | Default |
|---|---|---|---|
| tis-password | Tetrate Istio Subscription (TIS) password for authentication | Yes | N/A |
| local-only | Analyze configuration files locally without connecting to a Kubernetes cluster | No | false |
| mesh-config | Path to the Istio service mesh configuration files. Multiple files can be specified, separated by spaces or newlines | No | "" |
| kube-config | Path to the Kubernetes config file for cluster analysis. Not used in local-only mode | No | "" |
| version | TCA version to use (e.g. 'v1.1.0'). Use 'latest' for the most recent version | No | v1.2.0 |
Outputs
| Output | Description | Location |
|---|---|---|
| result-file | Analysis results in markdown format | ${{ github.workspace }}/tca-output.txt |