Version: 0.9.x

tctl experimental

Experimental commands that may be modified or deprecated

Options

  -h, --help   help for experimental

Options inherited from parent commands

      --config string    Path to the  file to use
      --debug            Print debug messages for all requests and responses
  -p, --profile string   Use specific profile (default "default")

tctl experimental migrate-lbs

Generate the V2 configuration for the existing V1 objects

tctl experimental migrate-lbs [flags]

Examples

  tctl x migrate-lbs --output-directory=/tmp/config

Options

      --raw-env-data string       File with the raw environment data to parse, instead of downloading it.
  -o, --output-directory string   Directory where to write the files with the translated config (default ".")
      --use-direct-mode           Flag to enable conversion to Istio DIRECT mode.
      --exclude-tier1             Flag to exclude Tier1 load balancers from the conversion.
      --default-network string    Default network to use when generating clusters for Tier1 load balancers. If omitted no network will be set.
  -h, --help                      help for migrate-lbs

Options inherited from parent commands

      --config string    Path to the  file to use
      --debug            Print debug messages for all requests and responses
  -p, --profile string   Use specific profile (default "default")

tctl experimental sidecar-bootstrap

(experimental) Bootstrap Istio Sidecar for a workload that runs on VM or Baremetal (mesh expansion scenarios)

Synopsis

(experimental) Takes one or more WorkloadEntry resources, generates an identity for each, and optionally copies the generated files to the remote node(s) over SSH and starts the Istio Sidecar(s) there.

Alternatively, if SSH is not enabled on the remote node(s), the generated files can be saved locally instead. You can then transfer them to the remote node(s) using whatever mechanism best suits your environment.

If you choose to copy the generated files to the remote node(s) over SSH, you must provide SSH credentials, i.e. either an SSH key or an SSH password. To use an SSH password or a passphrase-protected SSH key, you must run this command in an interactive terminal so that you can type the password in. Passwords are not accepted through command-line options, to avoid leaking secrets into shell history.

Files are copied using the SCP protocol, so the SCP binary must be installed on the remote node. If SCP is installed in a location other than /usr/bin/scp, you must provide the absolute path to the SCP binary by adding the sidecar-bootstrap.istio.io/scp-path annotation to the respective WorkloadEntry resource.

To start the Istio Sidecar on the remote node, Docker must be installed there. The Istio Sidecar is started on the host network as a Docker container in capture mode.

While this command can work without any explicit configuration, you can fine-tune its behavior by adding annotations to a WorkloadEntry resource. For instance, consider the following real-life example:

apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  annotations:
    sidecar-bootstrap.istio.io/proxy-config-dir: /etc/istio-proxy # Directory on the remote node to copy generated files into
    sidecar-bootstrap.istio.io/ssh-user: istio-proxy              # User to SSH as; must have permissions to run Docker commands
                                                                  # and to write copied files into the target directory
    sidecar.istio.io/statsInclusionRegexps: ".*"                  # Configure Envoy proxy to export all available stats
    proxy.istio.io/config: |
      concurrency: 3                                              # ProxyConfig overrides to apply
  name: my-vm
  namespace: my-namespace
spec:
  address: 1.2.3.4                # At runtime, Istio Sidecar will bind incoming listeners to that address.
                                  # At bootstrap time, this command will SSH to that address
  labels:
    app: ratings
    version: v1
    class: vm                     # It's very handy to have extra labels on a WorkloadEntry
                                  # to be able to narrow down label selectors to VM workloads only
  network: on-premise             # If your VM doesn't have L3 connectivity to k8s Pods,
                                  # make sure to fill in network field
  serviceAccount: ratings-sa

For a complete list of supported annotations run tctl x sidecar-bootstrap --docs.

tctl experimental sidecar-bootstrap [<workload-entry-name>[.<namespace>]] [flags]

Examples

  # Show under-the-hood actions to copy workload identity of a VM represented by a given WorkloadEntry:
  tctl x sidecar-bootstrap my-vm.my-namespace --dry-run

  # Show under-the-hood actions to copy workload identity and start Istio Sidecar on a VM represented by a given WorkloadEntry:
  tctl x sidecar-bootstrap my-vm.my-namespace --start-istio-proxy --dry-run

  # Copy workload identity into a VM represented by a given WorkloadEntry:
  tctl x sidecar-bootstrap my-vm.my-namespace

  # Copy workload identity and start Istio Sidecar on a VM represented by a given WorkloadEntry:
  tctl x sidecar-bootstrap my-vm.my-namespace --start-istio-proxy

  # Generate workload identity for a VM represented by a given WorkloadEntry and save generated files into an archive file (*.tgz) at a given path:
  tctl x sidecar-bootstrap my-vm.my-namespace --output-file path/to/output/file.tgz

  # Generate workload identity for a VM represented by a given WorkloadEntry and save generated files into a directory:
  tctl x sidecar-bootstrap my-vm.my-namespace --output-dir path/to/output/dir

  # Print a list of supported annotations on the WorkloadEntry resource:
  tctl x sidecar-bootstrap --docs

Options

  -a, --all                            bootstrap all WorkloadEntry(s) in a given namespace
  -o, --archive                        (experimental) save generated files into a local archive file (*.tgz) instead of copying them to a remote machine (file name will be picked automatically)
      --context string                 The name of the kubeconfig context to use
      --docs                           (experimental) print a list of supported annotations on the WorkloadEntry resource
      --dry-run                        print generated configuration and respective SSH commands but don't connect to, copy files or execute commands remotely
      --duration duration              (experimental) amount of time that generated ServiceAccount tokens should be valid for (default 24h0m0s)
  -h, --help                           help for sidecar-bootstrap
      --ignore-host-keys               (experimental) do not verify remote host key when establishing SSH connection
      --injectConfigMapName string     ConfigMap name for Istio sidecar injection, key should be "config" (default "istio-sidecar-injector")
  -i, --istioNamespace string          Istio system namespace (default "istio-system")
  -c, --kubeconfig string              Kubernetes configuration file
      --meshConfigMapName string       ConfigMap name for Istio mesh configuration, key should be "mesh" (default "istio")
  -n, --namespace string               Config namespace
  -d, --output-dir string              save generated files into a local directory instead of copying them to a remote machine
      --output-file string             (experimental) save generated files into a local archive file (*.tgz) instead of copying them to a remote machine (file name is picked by the user)
      --ssh-connect-timeout duration   (experimental) timeout on establishing SSH connection (default 10s)
  -k, --ssh-key string                 (experimental) authenticate with SSH key at a given location
      --ssh-password                   (experimental) force SSH password-based authentication
      --ssh-port int                   (experimental) default port to SSH to (is only effective unless the 'sidecar-bootstrap.istio.io/ssh-port' annotation is present on a WorkloadEntry) (default 22)
  -u, --ssh-user string                (experimental) default user to SSH as, defaults to the current user (is only effective unless the 'sidecar-bootstrap.istio.io/ssh-user' annotation is present on a WorkloadEntry)
      --start-istio-proxy              start Istio Sidecar on a remote host after copying configuration files
      --timeout duration               (experimental) timeout on copying a single file to a remote host (default 1m0s)

Options inherited from parent commands

      --config string    Path to the  file to use
      --debug            Print debug messages for all requests and responses
  -p, --profile string   Use specific profile (default "default")
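
A pre-flight check for automation that wraps sidecar-bootstrap, as an added example (not part of tctl or of the original documentation): it rejects invocations that pass --ignore-host-keys or whose --duration, including the documented 24h0m0s default, exceeds a policy ceiling. The 4h ceiling (MAX_TOKEN_SECONDS) and both function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: policy gate for `tctl x sidecar-bootstrap` arguments.
# MAX_TOKEN_SECONDS (4h) and both function names are assumptions, not tctl features.
MAX_TOKEN_SECONDS=${MAX_TOKEN_SECONDS:-14400}

# Convert a Go-style duration made of h/m/s parts (24h0m0s, 90m) to seconds.
# Returns 1 for anything else (empty value, missing unit, fractions, ms/us/ns).
duration_to_seconds() {
  rest=$1; total=0
  [ -n "$rest" ] || return 1
  while [ -n "$rest" ]; do
    num=${rest%%[hms]*}                        # digits before the next unit letter
    case $num in ''|*[!0-9]*) return 1 ;; esac
    [ "$num" != "$rest" ] || return 1          # digits with no unit
    rest=${rest#"$num"}
    unit=${rest%"${rest#?}"}                   # first remaining character
    rest=${rest#?}
    num=${num#"${num%%[!0]*}"}; num=${num:-0}  # drop leading zeros (avoid octal)
    case $unit in
      h) total=$((total + num * 3600)) ;;
      m) total=$((total + num * 60)) ;;
      s) total=$((total + num)) ;;
    esac
  done
  echo "$total"
}

# Print one finding per line; return 0 if the invocation passes, 1 otherwise.
audit_bootstrap_args() {
  duration=24h0m0s                             # documented default when --duration is absent
  status=0
  while [ $# -gt 0 ]; do
    arg=$1; shift
    case $arg in
      --ignore-host-keys|--ignore-host-keys=[1tT]*)
        echo "FAIL: --ignore-host-keys disables SSH host key verification"; status=1 ;;
      --duration=*) duration=${arg#--duration=} ;;
      --duration)   duration=${1:-}; [ $# -eq 0 ] || shift ;;
    esac
  done
  if ! secs=$(duration_to_seconds "$duration"); then
    echo "FAIL: cannot parse --duration '$duration'"; status=1
  elif [ "$secs" -gt "$MAX_TOKEN_SECONDS" ]; then
    echo "FAIL: token lifetime ${secs}s exceeds policy maximum ${MAX_TOKEN_SECONDS}s"; status=1
  fi
  return "$status"
}
```

An invocation that omits --duration fails this check under the assumed ceiling, because the generated ServiceAccount tokens then get the 24h0m0s default.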

tctl experimental verify

Verify environment is ready for install or installed successfully

tctl experimental verify [flags]

Options

      --failure-threshold Level   The severity level of analysis at which to set a non-zero exit code. Valid values: [   Info Warn Error] (default Warn)
  -h, --help                      help for verify
  -L, --list-verifiers            List the verifiers that will be run based on the execution context and passed flags
      --output-threshold Level    The severity level of analysis at which to display messages. Valid values: [ Info Warn Error] (default Info)
  -s, --suppress stringArray      Names of verifiers to suppress
      --timeout duration          The duration to wait before giving up (default 1m0s)

Options inherited from parent commands

      --config string    Path to the  file to use
      --debug            Print debug messages for all requests and responses
  -p, --profile string   Use specific profile (default "default")