Skip to main content
logoTetrate Service BridgeVersion: next

tctl experimental

tctl experimental

Experimental commands that may be modified or deprecated

Options

  -h, --help   help for experimental

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress

Run a Istio based Ingress Controller for your application

Synopsis

Install a dedicated Ingress Controller in your environment to allow incoming/ingress traffic to be routed to your application. This controller comprises of 3 components - Istiod, Istio Ingressgateway and a TSB OpenAPI Translator. You can configure the Ingress Controller by either specifying Istio config directly in the application namespace or by specifying the OpenAPI document for your application - the OpenAPI translator converts the specification into Istio compatible configuration and applies it on your behalf.

Options

  -h, --help                             help for app-ingress
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.19.7")
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "fbdc900b8c4bc545607bc0a8203b89d4bd8ef292")

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress docker-compose

Run App Ingress in Docker using docker-compose.

Options

  -h, --help                help for docker-compose
--network string Docker network (default "app-ingress")
--output-dir string Output directory (default "./")

Options inherited from parent commands

  -c, --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.19.7")
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "fbdc900b8c4bc545607bc0a8203b89d4bd8ef292")
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress docker-compose generate

Generate the required docker-compose.yaml and folder structure to bootstrap App Ingress.

tctl experimental app-ingress docker-compose generate [OPTIONS] [flags]

Options

  -h, --help   help for generate

Options inherited from parent commands

  -c, --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.19.7")
--network string Docker network (default "app-ingress")
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "fbdc900b8c4bc545607bc0a8203b89d4bd8ef292")
--output-dir string Output directory (default "./")
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress kubernetes

Run App Ingress in Kubernetes

Options

  -f, --filename string             Path to file containing IstioOperator custom resource to further customize the istio components in App Ingress
-h, --help help for kubernetes
-n, --namespace string The namespace to deploy the App Ingress deployments and services
--openapi-config-map string Name of the configmap containing the OpenAPI specification (default "openapi-translator")

Options inherited from parent commands

  -c, --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.19.7")
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "fbdc900b8c4bc545607bc0a8203b89d4bd8ef292")
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress kubernetes generate

Generate the Kuberenetes YAML required to install App Ingress.

tctl experimental app-ingress kubernetes generate [OPTIONS] [flags]

Options

  -h, --help   help for generate

Options inherited from parent commands

  -c, --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-f, --filename string Path to file containing IstioOperator custom resource to further customize the istio components in App Ingress
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.19.7")
-n, --namespace string The namespace to deploy the App Ingress deployments and services
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
--openapi-config-map string Name of the configmap containing the OpenAPI specification (default "openapi-translator")
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "fbdc900b8c4bc545607bc0a8203b89d4bd8ef292")
-p, --profile string Use specific profile (default "default")

tctl experimental app-ingress kubernetes install

Applies a manifest, installing or reconfiguring App Ingress on a cluster.

Synopsis

The install command generates an App Ingress installation manifest and applies it to a cluster.

tctl experimental app-ingress kubernetes install [flags]

Examples

  # Install a default App Ingress in namespace foo:
tctl x app-ingress kubernetes install -n foo

Options

      --dry-run                      Console/log output only, make no changes.
-h, --help help for install
--readiness-timeout duration Maximum time to wait for Istio resources in each component to be ready. (default 5m0s)
-y, --skip-confirmation The skipConfirmation determines whether the user is prompted for confirmation.
If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verify Verify the Istio control plane after installation/in-place upgrade.

Options inherited from parent commands

  -c, --config string                    Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-f, --filename string Path to file containing IstioOperator custom resource to further customize the istio components in App Ingress
--istio-hub string The hub for the Istio images in App Ingress (default "docker.io/istio")
--istio-tag string The tag for the Istio images in App Ingress (default "1.19.7")
-n, --namespace string The namespace to deploy the App Ingress deployments and services
-b, --openapi-backend-service string Name of the backend service implementing the OpenAPI specification
--openapi-config-map string Name of the configmap containing the OpenAPI specification (default "openapi-translator")
-o, --openapi-translator Enable the OpenAPI translator which generates Istio configs from an OpenAPI specfication and applies them
--openapi-translator-hub string The hub for the OpenAPI Translator images in App Ingress (default "docker.io/tetrate")
--openapi-translator-tag string The tag for the OpenAPI Translator images in App Ingress (default "fbdc900b8c4bc545607bc0a8203b89d4bd8ef292")
-p, --profile string Use specific profile (default "default")

tctl experimental audit

Get the audit logs for a given resource, showing the most recent events first

tctl experimental audit <apiVersion/kind | kind | shortform> <name> [flags]

Examples

# Get the audit logs for a tenant using the apiVersion/Kind pattern
tctl audit api.tsb.tetrate.io/v2/Tenant

# Get audit logs for a workspace and all its child resources
tctl audit ws my-workspace --recursive

# Get audit logs for a workspace since a given date
tctl audit ws my-workspace --since "2021/10/21 15:54:44" --user "admin"

# Get audit logs related to security groups in the given workspcae
tctl audit ws my-workspace --recursive --kind "security.tsb.tetrate.io/v2/Group"
tctl audit ws my-workspace --recursive --kind "Group"

# Get the audit logs for a gateway group
tctl audit --workspace my-workspace GatewayGroup my-group

Group kind is available for different APIs, so these helpers are available to easily retrieve them:
- TrafficGroup
- SecurityGroup
- GatewayGroup
- IstioInternalGroup

These are the available short forms:
aab ApplicationAccessBindings
ab AccessBindings
ap AuthorizationPolicy
apiab APIAccessBindings
app Application
cobc ClusterOnboardingConfig
cobs ClusterOnboardingStatus
cs Cluster
dr DestinationRule
ef EnvoyFilter
eg EgressGateway
gab GatewayAccessBindings
gg GatewayGroup
gw networking.istio.io/v1beta1/Gateway
gwt gateway.tsb.tetrate.io/v2/Gateway
iab IstioInternalAccessBindings
ig IngressGateway
iig IstioInternalGroup
oab OrganizationAccessBindings
openapi api.tsb.tetrate.io/v2/API
org Organization
os OrganizationSetting
otm Metric
ots Source
pa PeerAuthentication
prof Profile
ra RequestAuthentication
sa ServiceAccount
sab SecurityAccessBindings
sd Sidecar
se ServiceEntry
sg SecurityGroup
sm SegmentationMembership
sp SegmentationPolicy
sr ServiceRoute
srs SegmentationRules
ss SecuritySetting
sss ServiceSecuritySetting
sts ServiceTrafficSetting
svc Service
t1 Tier1Gateway
tab TrafficAccessBindings
tg TrafficGroup
tnab TenantAccessBindings
tns TenantSetting
ts TrafficSetting
vs VirtualService
wab WorkspaceAccessBindings
wext WasmExtension
wp WasmPlugin
ws Workspace
wss WorkspaceSetting

For API version and kind, please refer to: https://docs.tetrate.io/service-bridge/latest/en-us/reference

Options

      --org string                  Organization the object belongs to
--tenant string Tenant the object belongs to
--cluster string Cluster the object belongs to
-w, --workspace string Workspace the object belongs to
-g, --group string Group the object belongs to
-t, --trafficgroup string Traffic group the object belongs to
-s, --securitygroup string Security group the object belongs to
-l, --gatewaygroup string Gateway group the object belongs to
-i, --istiointernalgroup string Istio internal group the object belongs to
-a, --application string Application the object belongs to
--api string API the object belongs to
-o, --output-type string Response output type: table, yaml, json (default "table")
--max-logs int32 Maximum number of entries to retrieve
--text string Filter events that contain the given text
--kind apiVersion/kind Only return entries of this kind. It can be apiVersion/kind or just `kind`
--severity string Filter events by severity
--operation string Filter events by operation
--user string Filter events generated by the given user
--since string Filter events since the given time. Must be in the format: "2006/01/02 15:04:05"
--recursive Get audit logs for child resources as well
-h, --help help for audit

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental cluster-install-template

Get the install template of a given cluster in yaml format

tctl experimental cluster-install-template <name> [flags]

Examples

# Get the install template of the cluster named my-cluster
tctl experimental cluster-install-template my-cluster

Options

  -h, --help                      help for cluster-install-template
--org string Organization the object belongs to
--with-isolation-boundary If set, enable the isolation boundary in the cluster install template

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental debug

Commands to interact with the debug endpoint in TSB components

Options

  -t, --context string      The name of the kubeconfig context to use
-h, --help help for debug
-k, --kubeconfig string Kubernetes configuration file

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental debug dashboard

Opens the debug dashboard for a TSB component

tctl experimental debug dashboard <component> [flags]

Examples


# Open the debug dashboard for the MPC component
tctl debug dashboard management/mpc

Options

      --admin-server-port int    Port where the admin server is listening in the TSB component (default 5555)
--browser When --browser is supplied as false, the browser will not be opened; the URL of the admin dashboard will just be printed (default true)
-n, --controlplane string The namespace where the control plane is deployed (default "istio-system")
-d, --dataplane string The namespace where the data plane is deployed (default "istio-gateway")
-h, --help help for dashboard
-m, --managementplane string The namespace where the management plane is deployed (default "tsb")

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-k, --kubeconfig string Kubernetes configuration file
-p, --profile string Use specific profile (default "default")

tctl experimental debug health

Check for health of TSB components

tctl experimental debug health <component> [flags]

Examples

tctl debug health mp/mpc
tctl debug health cp/tsb-operator

Options

  -n, --controlplane string      The namespace where the control plane is deployed (default "istio-system")
-d, --dataplane string The namespace where the data plane is deployed (default "istio-gateway")
-h, --help help for health
-m, --managementplane string The namespace where the management plane is deployed (default "tsb")
-o, --output-type string Response output type: table, yaml, json (default "yaml")
--port int Port where the health server is listening in the TSB component (default 9082)

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-k, --kubeconfig string Kubernetes configuration file
-p, --profile string Use specific profile (default "default")

tctl experimental debug list-components

Lists the TSB components available in the current kubernetes context

tctl experimental debug list-components [flags]

Examples


# List all the components and their plane association in the current kubectl context
tctl debug list-components

# List all the components and their plane association in the the cluster for which the
# kubectl configuration is stored in a specific context of a different file
tctl debug list-components --kubeconfig /tmp/some-config.yaml --context clusterA

# List all the components and their plane association in the the cluster for which the
# kubectl configuration is stored the default kubeconfig file, in a context different
# that the active one
tctl debug list-components --context clusterB

# If TSB is installed in non-standard namespaces, you can also provide the namespace names
# to use for each plane:
tctl debug list-components --managementplane my-managementplane-ns
tctl debug list-components --controlplane my-controlplane-ns
tctl debug list-components --dataplane my-dataplane-ns

# You can specify more than one namespace in the same command.
tctl debug list-components \
--managementplane my-managementplane-ns \
--controlplane my-controlplane-ns \
--dataplane my-dataplane-ns

Options

  -n, --controlplane string      The namespace where the control plane is deployed (default "istio-system")
-d, --dataplane string The namespace where the data plane is deployed (default "istio-gateway")
-h, --help help for list-components
-m, --managementplane string The namespace where the management plane is deployed (default "tsb")

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-k, --kubeconfig string Kubernetes configuration file
-p, --profile string Use specific profile (default "default")

tctl experimental debug log-level

Checks or sets the log level for TSB components

tctl experimental debug log-level <component> [flags]

Examples


# Check the current log levels for the IAM component
tctl debug log-level managementplane/iamserver
# or
tctl debug log-level management/iamserver
# or
tctl debug log-level mp/iamserver

# Set the log for the IAM component in the management plane to debug
tctl debug log-level management/iamserver --level debug

# Set the logger q from the API server to debug
tctl debug log-level management/apiserver --level q:debug

# Set multiple specific loggers at once
tctl debug log-level management/apiserver --level q:debug,pdp:debug

# Set all loggers to error and then some specific loggers, all at once
tctl debug log-level management/apiserver --level all:error,q:debug,pdp:debug

# Data plane commands work the same for IngressGateway, Tier1Gateway and EgressGateway.

# Check loggers for a given TSB gateway
tctl debug log-level data/bookinfo-gateway

# Set all loggers to trace for a given TSB gateway
tctl debug log-level data/bookinfo-gateway --level trace

# Set the router and http loggers to debug for a given TSB gateway
tctl debug log-level data/bookinfo-gateway --level router:debug,http:debug

Options

      --admin-server-port int     Port where the admin server is listening in the TSB component (default 5555)
-n, --controlplane string The namespace where the control plane is deployed (default "istio-system")
-d, --dataplane string The namespace where the data plane is deployed (default "istio-gateway")
-f, --file string A file containing TSB or Isito resources that will be parsed to infer the workloads that will get the log level adjusted
-h, --help help for log-level
-l, --level strings log level to set, might include a logger name.
In the form [logger:]level. If logger is omitted, the specified level
will be set for all loggers of the given component.

-m, --managementplane string The namespace where the management plane is deployed (default "tsb")
-o, --output-directory string If wait is provided, the directory where to store the log files. It will be created if it does not exist
-w, --wait Whether or not to wait for logs until Ctrl+C is pressed. Resulting logs will be written to separate files per pod.
-y, --yes With yes, the process will not wait for user confirmation at all

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-k, --kubeconfig string Kubernetes configuration file
-p, --profile string Use specific profile (default "default")

tctl experimental es-validate

(experimental) validates Elasticsearch setting in the current Kubernetes context

Synopsis

(experimental) the command is using the current Kubernetes context to query TSB ControlPlane CRD in "istio-system" namespace

To run the command - login to the Kubernetes cluster that has TSB Control Plane deployed tctl x es-validate

The command is using the users current Kubernetes context to query TSB Custom Resources and obtains:

  • Elasticsearch credentials that are stored in "elastic-credentials" secret
  • Elasticsearch CA certificate that is stored in "es-certs" secret
  • TSB Tokens "oap-token", "xcp-edge-central-auth-token" and "otel-token"
  • "telemetryStore" and "managementPlane" (only for ControlPlane) sections of TSB Custom Resources The command analyzes the received data and tries to make an educated call to the Elasticsearch
  • if Data from Elasticsearch is returned then the correct config is displayed for the user to apply

Additional checks that are performed:

  • Encoded credentials might have a carriage return - it can cause unpredictable behavior - the package informs the user on any found carriage returns in the Kubernetes secret.
  • CA certificate if presented by Elasticsearch gets placed in /tmp directory, and can be easily applied (only if trusted)
  • curl command with the complete list of parameters is displayed to help with additional testing
  • Tokens expiration date is validated and user is informed of any expired tokens
  • Checks can be done when TSB ControlPlane is pointing to standalone Elasticsearch or via MP FrontEnvoy

NOTE:if -m <management plane namespace> is used than checks can fail for within cluster services as the source of the call (shell with tctl) can be outside of the cluster network

tctl experimental es-validate [flags]

Examples

# Check Elasticsearch setting of TSB Control Plane located in 'istio-system' namespace
tctl experimental es-validate

# Check Elasticsearch setting of TSB Control Plane located in 'cpns' namespace
tctl experimental es-validate -n cpns

# Check Elasticsearch setting of TSB Management plane located in 'tsb' namespace
tctl experimental es-validate -m tsb

Options

  -n, --controlplane string      The namespace in the cluster that the control plane is installed in. (default "istio-system")
-h, --help help for es-validate
-m, --managementplane string The namespace in the cluster that the management plane is installed in (MP is checked only when the namespace is present - MP is usually installed in 'tsb' namespace).

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental getall

Get the given resource and all the child resources the user has access to

tctl experimental getall <fqn> [flags]

Examples

tctl getall organizations/org/tenants/dev/workspaces/myapp

Options

  -h, --help   help for getall
--sort Sort the results by type

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental gitops

Configures clusters to use GitOps flows

Options

  -h, --help   help for gitops

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental gitops grant

Grant permissions to use GitOps features in the given cluster

tctl experimental gitops grant [flags]

Examples


# Grant permissions to use GitOps features in the given cluster.
# By default the cluster service account will have permissions to manage configuration in the
# configured organization.
tctl experimental gitops grant <cluster-name>

# Only give GitOps permissions on a specific tenant.
tctl experimental gitops grant <cluster-name> --tenant <tenant-name>

# Only give GitOps permissions on a specific workspace.
tctl experimental gitops grant <cluster-name> --tenant <tenant-name> --workspace <workspace-name>

Options

  -h, --help               help for grant
-t, --tenant string The name of the tenant to enable GitOps for.
-w, --workspace string The name of the workspace to enable GitOps for.

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental grafana

Commands to get and upload the TSB Grafana dashboards

Options

  -h, --help   help for grafana

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental grafana dashboard

List and download the TSB Grafana dashboards

tctl experimental grafana dashboard [flags]

Examples


tctl x grafana dashboard # List all available dashboards
tctl x grafana dashboard <file name> -o json # Get the JSON document for a given dashboard

Options

  -h, --help                 help for dashboard
-o, --output-type string Response output type: table, json (default "table")

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental grafana upload

Uploads the dashboards to the given grafana instance

tctl experimental grafana upload [flags]

Examples


tctl grafana upload --url http://grafana:3000 --apikey <api key> # Upload all dashboards to Grafana
tctl grafana upload --url http://grafana:3000 --apikey <api key> --overwrite # Upload all dashboards forcing an overwrite if they exist
tctl grafana upload <file name> --url http://grafana:3000 --apikey <api key> # Upload a single dashboard to Grafana

Options

      --apikey string               the API key to use for authentication
-h, --help help for upload
--overwrite whether to overwrite the dashboard if it already exists
--password string the password to use for authentication
--timeout duration the timeout for the HTTP request
--tls-custom-ca-file string the path to the custom CA file
--tls-insecure whether to skip TLS verification
--url string the URL of the grafana instance
--username string the username to use for authentication

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental profiles

Commands to manage TSB profiles

Options

  -h, --help   help for profiles

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental profiles blame

Gather the effective profile for troubleshooting a resource configuration

tctl experimental profiles blame <apiVersion/kind | kind | shortform> [<name>] | <fqn> [flags]

Examples

# Get the effective profile of a traffic group using its resource FQN
tctl x profiles blame organizations/tetrate/tenants/tetrate/workspaces/bookinfo/trafficgroups/bookinfo

# The same but using flags:
tctl x profiles blame profile --org tetrate --tenant tetrate --workspace bookinfo trafficgroup bookinfo

Effective profiles are available for the resources that can attach profiles:
- Organization
- Tenant
- Workspace
- TrafficGroup
- SecurityGroup
- GatewayGroup
- IstioInternalGroup

Options

      --org string           Organization the object belongs to
--tenant string Tenant the object belongs to
-w, --workspace string Workspace the object belongs to
-o, --output-type string Response output type: text, yaml, json (default "text")
-h, --help help for blame

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental profiles list-available

List available profiles that can be attached to a resource

tctl experimental profiles list-available <apiVersion/kind> <name> | <fqn> [flags]

Examples

# List the profiles that can be attached to a tenant
tctl x profiles list-available tenant foo

# List the profiles that can be attached to a workspace
tctl x profiles list-available --org organization --tenant foo ws bar

# List the profiles that can be attached specifying the fqn of the resource
tctl x profiles list-available organizations/foo/tenants/foo/workspaces/foo/gatewaygroups/foo

# List the profiles that can be attached to a resource using the apiVersion/Kind pattern
tctl x profiles list-available traffic.tsb.tetrate.io/v2/Group my-traffic-group

# List the profiles that can be attached to a resource with user defined org and tenant
tctl x profiles list-available ws my-workspace

These are the available short forms:
aab ApplicationAccessBindings
ab AccessBindings
ap AuthorizationPolicy
apiab APIAccessBindings
app Application
cobc ClusterOnboardingConfig
cobs ClusterOnboardingStatus
cs Cluster
dr DestinationRule
ef EnvoyFilter
eg EgressGateway
gab GatewayAccessBindings
gg GatewayGroup
gw networking.istio.io/v1beta1/Gateway
gwt gateway.tsb.tetrate.io/v2/Gateway
iab IstioInternalAccessBindings
ig IngressGateway
iig IstioInternalGroup
oab OrganizationAccessBindings
openapi api.tsb.tetrate.io/v2/API
org Organization
os OrganizationSetting
otm Metric
ots Source
pa PeerAuthentication
prof Profile
ra RequestAuthentication
sa ServiceAccount
sab SecurityAccessBindings
sd Sidecar
se ServiceEntry
sg SecurityGroup
sm SegmentationMembership
sp SegmentationPolicy
sr ServiceRoute
srs SegmentationRules
ss SecuritySetting
sss ServiceSecuritySetting
sts ServiceTrafficSetting
svc Service
t1 Tier1Gateway
tab TrafficAccessBindings
tg TrafficGroup
tnab TenantAccessBindings
tns TenantSetting
ts TrafficSetting
vs VirtualService
wab WorkspaceAccessBindings
wext WasmExtension
wp WasmPlugin
ws Workspace
wss WorkspaceSetting

For API version and kind, please refer to: https://docs.tetrate.io/service-bridge/latest/en-us/reference

Options

      --org string         Organization the object belongs to
--tenant string Tenant the object belongs to
-w, --workspace string Workspace the object belongs to
-h, --help help for list-available

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental role

Command to manage TSB roles

Options

  -h, --help   help for role

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental role get-cluster-role

Get the Kubernetes ClusterRole for a given role.

tctl experimental role get-cluster-role <role-fqn> [flags]

Options

  -h, --help                 help for get-cluster-role
-o, --output-type string Output format (yaml|json) (default "yaml")

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental segmentation

Commands to interact with the TSB segmentation policies

Options

  -t, --context string           The name of the kubeconfig context to use
-h, --help help for segmentation
-k, --kubeconfig string Kubernetes configuration file
--managementplane string The namespace where the management plane is deployed (default "tsb")
--n2ac-address string If set, the address for the N2AC, otherwise access will be port-forwarded
--n2ac-port int Port where the N2AC service is listening (default 8080)

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental segmentation access

Return the accessible resources for a given source or target

tctl experimental segmentation access [--source <fqn>] [--target <fqn>] [flags]

Examples


# Find all the resources accessible by a given source
access --source organizations/tetrate/tenants/t1

# Find all the resources that can access a given target
access --target organizations/tetrate/tenants/t2/workspaces/w1

Options

  -h, --help            help for access
--source string The FQN of the source resource
--target string The FQN of the target resource

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-k, --kubeconfig string Kubernetes configuration file
--managementplane string The namespace where the management plane is deployed (default "tsb")
--n2ac-address string If set, the address for the N2AC, otherwise access will be port-forwarded
--n2ac-port int Port where the N2AC service is listening (default 8080)
-p, --profile string Use specific profile (default "default")

tctl experimental segmentation export

Export the segmentation runtime graph for the given objects

tctl experimental segmentation export [--policy <policy-name>] [--resource <fqn>] [--node <raw node>] [flags]

Examples

export --policy ring --policy env --resource organizations/tetrate/tenants/t1 --node runtime:tsb:OA:tsb:tsb

Options

      --compact int        When set, compact names to the given length
-h, --help help for export
--node strings The raw nodes of the graph to export
--policy strings The name of the policy to export
--resource strings The FQN of the resource to export

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-k, --kubeconfig string Kubernetes configuration file
--managementplane string The namespace where the management plane is deployed (default "tsb")
--n2ac-address string If set, the address for the N2AC, otherwise access will be port-forwarded
--n2ac-port int Port where the N2AC service is listening (default 8080)
-p, --profile string Use specific profile (default "default")

tctl experimental segmentation permissions

Return the permissions a source resource has on a given target resource

tctl experimental segmentation permissions --source <fqn> --target <fqn> [flags]

Examples

permissions --source organizations/tetrate/tenants/t1 --target organizations/tetrate/tenants/t2/workspaces/w1

Options

  -h, --help            help for permissions
--source string The FQN of the source resource
--target string The FQN of the target resource

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
-t, --context string The name of the kubeconfig context to use
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-k, --kubeconfig string Kubernetes configuration file
--managementplane string The namespace where the management plane is deployed (default "tsb")
--n2ac-address string If set, the address for the N2AC, otherwise access will be port-forwarded
--n2ac-port int Port where the N2AC service is listening (default 8080)
-p, --profile string Use specific profile (default "default")

tctl experimental service-account

Commands to manage TSB service accounts

Options

  -h, --help   help for service-account

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental service-account create

Creates a new service account

Synopsis

Creates a new service account

This command creates a new service account with a new key pair and prints the generated private key to the standard output.

The private key should be stored securely, as it cannot be retrieved again and it is required if you want to generate authentication tokens for the service account.

tctl experimental service-account create <name> [flags]

Options

  -h, --help   help for create

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental service-account delete

Deletes a service account

Synopsis

Deletes a service account and all its keys

tctl experimental service-account delete <name> [flags]

Options

  -h, --help   help for delete

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental service-account gen-key

Generate a new key pair for the given service account

Synopsis

Generate a new key pair for the given service account

This command generates a new key pair for the service account and prints the generated private key to the standard output.

The key private key should be stored securely, as it cannot be retrieved again and it is required if you want to generate authentication tokens for the service account.

tctl experimental service-account gen-key <name> [flags]

Options

  -h, --help   help for gen-key

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental service-account get

Get one or multiple service accounts

tctl experimental service-account get [<name>] [flags]

Options

  -h, --help                 help for get
-o, --output-type string Response output type: table, yaml, json (default "table")

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental service-account revoke-key

Revoke a given key pair for the given service account

tctl experimental service-account revoke-key <name> --id <key id> [flags]

Options

  -h, --help        help for revoke-key
--id string ID of the key to revoke

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental service-account token

Generate a new token that can be used to authenticate to TSB

Synopsis

Generate a new token that can be used to authenticate to TSB

This command generates a new token to authenticate to TSB as the service account. The command reads the private key from the specified file and uses it to sign the token. You can generate a new private key using the gen-key command.

tctl experimental service-account token <name> --key-path <key file> [--expiration <expiration>] [flags]

Options

      --expiration duration   Expiration for the token (default 30m0s)
-h, --help help for token
--key-path string Path to the file that contains the private key to use to generate the token

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental sidecar-bootstrap

(experimental) Bootstrap Istio Sidecar for a workload that runs on VM or Baremetal (mesh expansion scenarios)

Synopsis

(experimental) Takes in one or more WorkloadEntry(s), generates identity(s) for them, and optionally copies generated files to the remote node(s) over SSH protocol and starts Istio Sidecar(s) there.

Alternatively, if SSH is not enabled on the remote node(s), generated files can be saved locally instead. In that case you will be able to transfer files to the remote node(s) using a mechanism that suits best your particular environment.

If you choose to copy generated files to the remote node(s) over SSH, you will be required to provide SSH credentials, i.e. either SSH Key or SSH Password. If you want to use an SSH Password or a passphrase-protected SSH Key, you must run this command on an interactive terminal to type the password in. We do not accept passwords through command line options to avoid leaking secrets into shell history.

File copying is performed over SCP protocol, and as such SCP binary must be installed on the remote node. If SCP is installed in a location other than /usr/bin/scp, you have to provide absolute path to the SCP binary by adding sidecar-bootstrap.istio.io/scp-path annotation to the respective WorkloadEntry resource.

To start Istio Sidecar on the remote node you must have Docker installed there. Istio Sidecar will be started on the host network as a docker container in capture mode.

While this command can work without any explicit configuration, it is also possible to fine tune its behavior by adding various annotations on a WorkloadEntry resource. E.g., consider the following real life example:

apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
annotations:
sidecar-bootstrap.istio.io/proxy-config-dir: /etc/istio-proxy # Directory on the remote node to copy generated files into
sidecar-bootstrap.istio.io/ssh-user: istio-proxy # User to SSH as; must have permissions to run Docker commands
# and to write copied files into the target directory
sidecar.istio.io/statsInclusionRegexps: ".*" # Configure Envoy proxy to export all available stats
proxy.istio.io/config: |
concurrency: 3 # ProxyConfig overrides to apply
name: my-vm
namespace: my-namespace
spec:
address: 1.2.3.4 # At runtime, Istio Sidecar will bind incoming listeners to that address.
# At bootstrap time, this command will SSH to that address
labels:
app: ratings
version: v1
class: vm # It's very handy to have extra labels on a WorkloadEntry
# to be able to narrow down label selectors to VM workloads only
network: on-premise # If your VM doesn't have L3 connectivity to k8s Pods,
# make sure to fill in network field
serviceAccount: ratings-sa

For a complete list of supported annotations run tctl x sidecar-bootstrap --docs.

tctl experimental sidecar-bootstrap [<workload-entry-name>[.<namespace>]] [flags]

Examples

  # Show under-the-hood actions to copy workload identity of a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace --dry-run

# Show under-the-hood actions to copy workload identity and start Istio Sidecar on a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace --start-istio-proxy --dry-run

# Copy workload identity into a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace

# Copy workload identity and start Istio Sidecar on a VM represented by a given WorkloadEntry:
tctl x sidecar-bootstrap my-vm.my-namespace --start-istio-proxy

# Generate workload identity for a VM represented by a given WorkloadEntry and save generated files into an archive file (*.tgz) at a given path
tctl x sidecar-bootstrap my-vm.my-namespace --output-file path/to/output/file.tgz

# Generate workload identity for a VM represented by a given WorkloadEntry and save generated files into a directory
tctl x sidecar-bootstrap my-vm.my-namespace --output-dir path/to/output/dir

# Print a list of supported annotations on the WorkloadEntry resource:
tctl x sidecar-bootstrap --docs

Options

  -a, --all                            bootstrap all WorkloadEntry(s) in a given namespace
-o, --archive (experimental) save generated files into a local archive file (*.tgz) instead of copying them to a remote machine (file name will be picked automatically)
--context string The name of the kubeconfig context to use
--docs (experimental) print a list of supported annotations on the WorkloadEntry resource
--dry-run print generated configuration and respective SSH commands but don't connect to, copy files or execute commands remotely
--duration duration (experimental) amount of time that generated ServiceAccount tokens should be valid for (default 24h0m0s)
-h, --help help for sidecar-bootstrap
--ignore-host-keys (experimental) do not verify remote host key when establishing SSH connection
-i, --istioNamespace string Istio system namespace (default "istio-system")
--kubeconfig string Kubernetes configuration file
-n, --namespace string Config namespace
-d, --output-dir string save generated files into a local directory instead of copying them to a remote machine
--output-file string (experimental) save generated files into a local archive file (*.tgz) instead of copying them to a remote machine (file name is picked by the user)
--ssh-connect-timeout duration (experimental) timeout on establishing SSH connection (default 10s)
-k, --ssh-key string (experimental) authenticate with SSH key at a given location
--ssh-password (experimental) force SSH password-based authentication
--ssh-port int (experimental) default port to SSH to (is only effective unless the 'sidecar-bootstrap.istio.io/ssh-port' annotation is present on a WorkloadEntry) (default 22)
-u, --ssh-user string (experimental) default user to SSH as, defaults to the current user (is only effective unless the 'sidecar-bootstrap.istio.io/ssh-user' annotation is present on a WorkloadEntry)
--start-istio-proxy start Istio Sidecar on a remote host after copying configuration files
--timeout duration (experimental) timeout on copying a single file to a remote host (default 1m0s)

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental status

Get the status of an object

tctl experimental status <apiVersion/kind | kind | shortform> <name> [flags]

Examples

# Get the status of a workspace using the resource FQN
tctl status organizations/tetrate/tenants/my-tenant/workspaces/my-workspace

# Get the status of a tenant using the apiVersion/Kind pattern
tctl status api.tsb.tetrate.io/v2/Tenant my-tenant

# Get the status of a workspace using the short form
tctl status ws my-workspace

# Get the status of a gateway group
tctl status --workspace my-workspace GatewayGroup my-group

Group kind is available for different APIs, so this helpers are available to easly retrieve them:
- TrafficGroup
- SecurityGroup
- GatewayGroup
- IstioInternalGroup

These are the available short forms:
aab ApplicationAccessBindings
ab AccessBindings
ap AuthorizationPolicy
apiab APIAccessBindings
app Application
cobc ClusterOnboardingConfig
cobs ClusterOnboardingStatus
cs Cluster
dr DestinationRule
ef EnvoyFilter
eg EgressGateway
gab GatewayAccessBindings
gg GatewayGroup
gw networking.istio.io/v1beta1/Gateway
gwt gateway.tsb.tetrate.io/v2/Gateway
iab IstioInternalAccessBindings
ig IngressGateway
iig IstioInternalGroup
oab OrganizationAccessBindings
openapi api.tsb.tetrate.io/v2/API
org Organization
os OrganizationSetting
otm Metric
ots Source
pa PeerAuthentication
prof Profile
ra RequestAuthentication
sa ServiceAccount
sab SecurityAccessBindings
sd Sidecar
se ServiceEntry
sg SecurityGroup
sm SegmentationMembership
sp SegmentationPolicy
sr ServiceRoute
srs SegmentationRules
ss SecuritySetting
sss ServiceSecuritySetting
sts ServiceTrafficSetting
svc Service
t1 Tier1Gateway
tab TrafficAccessBindings
tg TrafficGroup
tnab TenantAccessBindings
tns TenantSetting
ts TrafficSetting
vs VirtualService
wab WorkspaceAccessBindings
wext WasmExtension
wp WasmPlugin
ws Workspace
wss WorkspaceSetting

For API version and kind, please refer to: https://docs.tetrate.io/service-bridge/latest/en-us/reference

Options

      --org string                  Organization the object belongs to
--tenant string Tenant the object belongs to
--cluster string Cluster the object belongs to
-w, --workspace string Workspace the object belongs to
-g, --group string Group the object belongs to
-t, --trafficgroup string Traffic group the object belongs to
-s, --securitygroup string Security group the object belongs to
-l, --gatewaygroup string Gateway group the object belongs to
-i, --istiointernalgroup string Istio internal group the object belongs to
-a, --application string Application the object belongs to
--api string API the object belongs to
--telemetry-source string Telemetry source the object belongs to
-o, --output-type string Response output type: table, yaml, json (default "table")
-h, --help help for status

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental troubleshoot

Commands for troubleshooting clusters, services and requests from tctl collect archives.

Options

  -h, --help   help for troubleshoot

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental troubleshoot log-explorer

Analyze access logs from a tctl collect tar.gz file

Options

  -h, --help   help for log-explorer

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental troubleshoot log-explorer cluster

Lists details of a cluster from a tctl collect tar.gz file

tctl experimental troubleshoot log-explorer cluster [flags]

Examples

tctl experimental log-explorer cluster [tar.gz file]

Options

  -h, --help               help for cluster
-n, --namespace string List details of only specified namespace
--workspace string List details of only specified workspace

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental troubleshoot log-explorer request

Analyze an individual request from a tctl collect tar.gz file

tctl experimental troubleshoot log-explorer request [flags]

Examples

tctl experimental log-explorer request [tar.gz file] [requestID]

Options

  -h, --help                 help for request
-o, --output-type string Select the output type, available formats json and yaml, default format is yaml (default "yaml")

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental troubleshoot log-explorer service

Analyze access logs to a service from a tctl collect tar.gz file

tctl experimental troubleshoot log-explorer service [flags]

Examples

tctl experimental log-explorer service [tar.gz file] [service]

Options

      --all                Show all requests instead of just the longest ones and those with errors.
--full-log Print the full Envoy access log instead of a summary.
-h, --help help for service
--limit int Number of requests to show (defaults to 10). (default 10)
-n, --namespace string The namespace containing the service.

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental verify

Run verifications for TSB

Options

  -h, --help   help for verify

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental verify environment

Verify environment is ready for install or installed successfully

tctl experimental verify environment [flags]

Options

      --failure-threshold Level   The severity level of analysis at which to set a non-zero exit code. Valid values: [   Info Warn Error] (default Warn)
-h, --help help for environment
-L, --list-verifiers List the verifiers that will be run based on the execution context and passed flags
--output-threshold Level The severity level of analysis at which to display messages. Valid values: [ Info Warn Error] (default Info)
-s, --suppress stringArray Names of verifiers to suppress
--timeout duration The duration to wait before giving up (default 1m0s)

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental verify gateway-certs

Verify the expiration date of all the certifcates binded to a gateway

tctl experimental verify gateway-certs [flags]

Examples

tctl experimental verify gateway-certs

Options

  -x, --context string           The kube context for the cluster.
-n, --controlplane string The namespace in the cluster that the control plane is installed in. (default "istio-system")
--expire-days int16 Show certificates which are goint to expire in X days. (default 30)
-h, --help help for gateway-certs
-k, --kubeconfig string The kubeconfig file for the cluster.
-m, --managementplane string The namespace that the management plane is installed in. (default "tsb")
--print-all-certs If set to true, shown expiry date for all certificates.

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental verify gateway-deployments

Verify the gateway deployments found in the cluster.

Synopsis

(experimental) check gateway deployments for multi cluster missconfigurations.

Checks that the gateway deployments found in the kubernetes context are correct for multi cluster usage.

tctl experimental gateway-deployments "IngressGateway/gateways-a/no-match-local": no pods back service "no-match-local" and run in the nodes that match the "traffic.istio.io/nodeSelector" annotation on the service ('{"beta.kubernetes.io/os": "foobar"}')

For each gateway deployment, it shows its name (in the format <Gateway kind>/<namespace>/<name>) and the problems found for it. If no problems are found, no output is generated.

tctl experimental verify gateway-deployments [flags]

Examples


tctl experimental gateway-deployments
"IngressGateway/gateways-a/no-match-local":
no pods back service "no-match-local" and run in the nodes that match the "traffic.istio.io/nodeSelector"
annotation on the service ('{"beta.kubernetes.io/os": "foobar"}')
"IngressGateway/gateways-b/no-annotation":
extracting annotation: service has NodePort type, but it is missing the "traffic.istio.io/nodeSelector" annotation
"IngressGateway/gateways-a/invalid-annotation":
extracting annotation: annotation "traffic.istio.io/nodeSelector" does not seem to be valid: 'foobar'
"IngressGateway/gateways-a/no-match-cluster":
label selector '{"beta.kubernetes.io/os": "foobar"}' does not match any node

# filter per namespace
tctl experimental gateway-deployments -n gateways-b
"IngressGateway/gateways-b/no-annotation":
extracting annotation: service has NodePort type, but it is missing the "traffic.istio.io/nodeSelector" annotation

Options

  -x, --context string      The kube context for the management plane cluster.
-h, --help help for gateway-deployments
-k, --kubeconfig string The kubeconfig file for the management plane cluster. Must be able to manage secrets and cert-manager custom resources.
-n, --namespace string Check gateways only in the provided namespace

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental verify istio-ca

Verify the expiration date of the Istio CA certs

tctl experimental verify istio-ca [flags]

Examples

tctl experimental verify istio-ca

Options

  -x, --context string      The kube context for the cluster.
-h, --help help for istio-ca
-k, --kubeconfig string The kubeconfig file for the cluster.

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")

tctl experimental wait

Wait until a resource reaches the desired status

tctl experimental wait <apiVersion/kind | kind | shortform> <name> [flags]

Examples

Wait command assumes the default desired status is READY for any resource.
Also, --status and --event optional parameters can be provided to specificy another status to wait for.
Keep in mind that the desired status could never be reached if something fails, it would reach
a failed status instead. In this case, the wait command would finish even though the resource didn't reach the desired status.

# Get for a workspace using the resource FQN
tctl experimental wait organizations/tetrate/tenants/my-tenant/workspaces/my-workspace

# Wait for a tenant using the apiVersion/Kind pattern
tctl experimental wait api.tsb.tetrate.io/v2/Tenant

# Wait for a workspace to be ready using the short form
tctl experimental wait ws my-workspace --status READY

# Wait for a workspace to be ready in no more than 1 minute
tctl experimental wait workspace my-workspace --status READY --timeout 1m

# Wait for a a gateway group to be accepted by XCP
tctl experimental wait --workspace my-workspace GatewayGroup my-group --status ACCEPTED --event XCP_ACCEPTED

Group kind is available for different APIs, so these helpers are available to easily retrieve them:
- TrafficGroup
- SecurityGroup
- GatewayGroup
- IstioInternalGroup

These are the available short forms:
aab ApplicationAccessBindings
ab AccessBindings
ap AuthorizationPolicy
apiab APIAccessBindings
app Application
cobc ClusterOnboardingConfig
cobs ClusterOnboardingStatus
cs Cluster
dr DestinationRule
ef EnvoyFilter
eg EgressGateway
gab GatewayAccessBindings
gg GatewayGroup
gw networking.istio.io/v1beta1/Gateway
gwt gateway.tsb.tetrate.io/v2/Gateway
iab IstioInternalAccessBindings
ig IngressGateway
iig IstioInternalGroup
oab OrganizationAccessBindings
openapi api.tsb.tetrate.io/v2/API
org Organization
os OrganizationSetting
otm Metric
ots Source
pa PeerAuthentication
prof Profile
ra RequestAuthentication
sa ServiceAccount
sab SecurityAccessBindings
sd Sidecar
se ServiceEntry
sg SecurityGroup
sm SegmentationMembership
sp SegmentationPolicy
sr ServiceRoute
srs SegmentationRules
ss SecuritySetting
sss ServiceSecuritySetting
sts ServiceTrafficSetting
svc Service
t1 Tier1Gateway
tab TrafficAccessBindings
tg TrafficGroup
tnab TenantAccessBindings
tns TenantSetting
ts TrafficSetting
vs VirtualService
wab WorkspaceAccessBindings
wext WasmExtension
wp WasmPlugin
ws Workspace
wss WorkspaceSetting

For API version and kind, please refer to: https://docs.tetrate.io/service-bridge/latest/en-us/reference

Options

      --org string                  Organization the object belongs to
--tenant string Tenant the object belongs to
-w, --workspace string Workspace the object belongs to
-g, --group string Group the object belongs to
-t, --trafficgroup string Traffic group the object belongs to
-s, --securitygroup string Security group the object belongs to
-l, --gatewaygroup string Gateway group the object belongs to
-i, --istiointernalgroup string Istio internal group the object belongs to
-a, --application string Application the object belongs to
--api string API the object belongs to
-o, --output-type string Response output type: table, yaml, json (default "table")
--status string The status to wait for. One of [ACCEPTED READY FAILED DIRTY PARTIAL] (default "READY")
--event string The type of the last event to wait for. One of [TSB_ACCEPTED MPC_ACCEPTED XCP_ACCEPTED XCP_REJECTED MPC_FAILED XCP_UNKNOWN XCP_PARTIALLY_APPLIED XCP_APPLIED XCP_ERRORED XCP_IGNORED MPC_DIRTY]
--timeout duration The timeout to fail the command if the condition is not reached (default 2m0s)
-h, --help help for wait

Options inherited from parent commands

  -c, --config string               Path to the config file to use. Can also be
specified via TCTL_CONFIG env variable. This flag
takes precedence over the env variable.
--debug Print debug messages for all requests and responses
--disable-tctl-version-warn If set, disable the outdated tctl version warning. Can also be
specified via TCTL_DISABLE_VERSION_WARN env variable.
-p, --profile string Use specific profile (default "default")