meshctl experimental external-workload onboard

Onboard the external workload instance to the mesh.

Synopsis

Onboard the external workload instance to the mesh. This command must be run as root because it installs packages and configures services that require root privileges. To install the agent software as a part of the onboarding, use the --install, --istio, --spire, and --otel flags in addition to the onboard options.

meshctl experimental external-workload onboard [flags]

Examples


# Onboard a GCP instance corresponding to the ExternalWorkload 'my-workload' in the 'dev' namespace by allowing it to connect to the k8s cluster 'test' via the k8s 'istio-eastwest/istio-eastwestgateway' gateway with address '30.10.20.40', trust domain 'cluster.local':

	sudo meshctl external-workload onboard --attestor gcp --ext-workload dev/my-workload --cluster test --gateway istio-eastwest/istio-eastwestgateway --gateway-addr 30.10.20.40 --trust-domain cluster.local

# Onboard an AWS instance corresponding to the ExternalWorkload 'my-workload' in the 'dev' namespace by allowing it to connect to the k8s cluster 'test' via the k8s 'istio-eastwest/istio-eastwestgateway' gateway with address '30.10.20.40', trust domain 'cluster.local':

	sudo meshctl external-workload onboard --attestor aws --ext-workload dev/my-workload --cluster test --gateway istio-eastwest/istio-eastwestgateway --gateway-addr 30.10.20.40 --trust-domain cluster.local

# Onboard an AWS instance corresponding to the ExternalWorkload 'my-workload' in the 'dev' namespace, in the Istio network 'vpc-123', by allowing it to connect to the cluster 'test' in a different Istio network 'vpc-456' via the cluster's 'istio-eastwest/istio-eastwestgateway' gateway with address '30.10.20.40', trust domain 'cluster.local':

	sudo meshctl external-workload onboard --attestor aws --ext-workload dev/my-workload --network vpc-123 --cluster test --gateway istio-eastwest/istio-eastwestgateway --gateway-addr 30.10.20.40 --trust-domain cluster.local

# Onboard an instance corresponding to the ExternalWorkload 'my-workload' in the 'dev' namespace by allowing it to connect to the cluster 'test' by using a one-time join-token 'e471c564-71e8-4a38-8bbd-02b0e267f971' via the cluster's 'istio-eastwest/istio-eastwestgateway' gateway with address '30.10.20.40', trust domain 'cluster.local':

	sudo meshctl external-workload onboard --ext-workload dev/my-workload --attestor token --join-token e471c564-71e8-4a38-8bbd-02b0e267f971 --cluster test --gateway istio-eastwest/istio-eastwestgateway --gateway-addr 30.10.20.40 --trust-domain cluster.local

# Install the agent packages as a part of the onboarding:

	sudo meshctl external-workload onboard [OPTIONS] --install --istio https://storage.test.com/istio-sidecar.deb --spire https://storage.test.com/gloo-spire-agent.deb --otel https://storage.test.com/gloo-otel-collector.deb

Options

      --agent-flags string             Additional flags to pass as-is to Istio's pilot agent
      --attestor string                One of: aws, azure, gcp, token
      --aws-metadata-endpoint string   AWS endpoint to retrieve instance metadata (default "http://169.254.169.254/latest")
      --az-resource-id string          Azure resource ID (or audience) to request for the MSI token
  -t, --bootstrap-timeout duration     Timeout for the agent to bootstrap. If unspecified, timeout is disabled.
      --cluster string                 Kubernetes cluster the external workload will connect to
      --custom-dns                     Use custom DNS (external, hosts file, etc.) to resolve the hostnames for Istiod, SPIRE, and OTel services
  -e, --ext-workload string            Namespace and name of the ExternalWorkload resource, in the form <namespace>/<name>. The namespace must correspond to the workload cluster namespace in the 'connectedClusters' field of the ExternalWorkload resource, not the namespace that the ExternalWorkload resource is applied in.
      --external-ip string             External IP address of the external workload. If set, traffic to the workload will be directed to this address.
      --gateway string                 Namespace and name of the k8s gateway service used to connect to the cluster, in the form <namespace>/<name>
      --gateway-addr string            IP address of the gateway used to connect to the k8s cluster
      --gcp-id-token-host string       GCP metadata host from which an identity token can be retrieved (default "metadata.google.internal")
      --gcp-service-account string     GCP service account to fetch an identity token from (default "default")
  -h, --help                           help for onboard
  -w, --identity-socket-path string    Path of the unix domain socket used to obtain workload identity credentials (default "unix:///var/run/secrets/workload-spiffe-uds/socket")
      --install                        Install the agent packages as a part of the onboarding
  -i, --istio string                   URL or file path of Istio package
      --istio-ns string                Istio control plane namespace (default "istio-system")
      --istio-rev string               Istio control plane revision
      --join-token string              One-time join token to use to attest the workload when using the token attestor.
      --network string                 Istio network that the external workload belongs to. Required when the workload connects to a cluster in a different network.
  -o, --otel string                    URL or file path of OpenTelemetry Collector package
      --otel-env stringToString        Environment variables to pass to the OTel agent (default [])
      --otel-log-level string          Log level for the OTel agent (default "INFO")
      --otel-service string            Hostname or IP address of the OpenTelemetry collector service to connect to (default "gloo-metrics-gateway.gloo-mesh")
  -s, --spire string                   URL or file path of SPIRE package
      --spire-env stringToString       Environment variables to pass to the SPIRE agent (default [])
      --spire-log-level string         Log level for the SPIRE agent (default "INFO")
      --spire-service string           Hostname or IP address of the SPIRE service to connect to (default "gloo-spire-server.gloo-mesh.svc")
      --trust-bundle string            Trust bundle file path
      --trust-domain string            Trust domain of the cluster the workload will connect to. (default "cluster.local")
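Because the onboard command runs as root and installs packages, it is worth validating the flag combination before invoking it. The script below is an added example, not part of meshctl: it checks the <namespace>/<name> forms and the attestor set documented above; the rules that --attestor token needs --join-token and that --install needs all three package sources (--istio, --spire, --otel) are this script's own assumptions drawn from the flag descriptions.

```shell
#!/bin/sh
# Added pre-flight checks (not meshctl code) for the onboard flag combinations
# described on this page. Assumptions of this script: --attestor token
# requires --join-token, and --install requires --istio, --spire and --otel.

# is_ns_name VALUE: true when VALUE has exactly the form <namespace>/<name>
is_ns_name() {
  case "$1" in
    */*/*|/*|*/|"") return 1 ;;   # empty, leading/trailing slash, or two slashes
    */*) return 0 ;;
    *) return 1 ;;
  esac
}

# validate_onboard ATTESTOR EXT_WORKLOAD GATEWAY JOIN_TOKEN INSTALL ISTIO SPIRE OTEL
# INSTALL is "yes" or "no"; the package arguments may be empty.
# Returns 0 when the combination is consistent, 1 otherwise (reason on stdout).
validate_onboard() {
  attestor=$1 ext_workload=$2 gateway=$3 join_token=$4
  install=$5 istio=$6 spire=$7 otel=$8
  case "$attestor" in
    aws|azure|gcp|token) ;;
    *) echo "invalid --attestor '$attestor' (one of: aws, azure, gcp, token)"; return 1 ;;
  esac
  is_ns_name "$ext_workload" || { echo "--ext-workload must be <namespace>/<name>"; return 1; }
  is_ns_name "$gateway" || { echo "--gateway must be <namespace>/<name>"; return 1; }
  if [ "$attestor" = token ] && [ -z "$join_token" ]; then
    echo "--attestor token requires --join-token"; return 1
  fi
  if [ "$install" = yes ] && { [ -z "$istio" ] || [ -z "$spire" ] || [ -z "$otel" ]; }; then
    echo "--install requires --istio, --spire and --otel package sources"; return 1
  fi
  return 0
}

# must_be_root UID: the command installs packages and configures services,
# so refuse to proceed unless the effective uid is 0.
must_be_root() { [ "$1" -eq 0 ]; }

# Usage with the constructed values from the page's token example:
#   validate_onboard token dev/my-workload istio-eastwest/istio-eastwestgateway \
#     e471c564-71e8-4a38-8bbd-02b0e267f971 no "" "" "" \
#   && must_be_root "$(id -u)" \
#   && sudo meshctl external-workload onboard --attestor token ...
```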

Options inherited from parent commands

      --kubeconfig string    Path to the kubeconfig file for the cluster.
      --kubecontext string   Kubernetes context for the cluster to run the command in.
  -n, --namespace string     Namespace to run the command in. (default "gloo-mesh")
      --plain                Disable styling for terminal output.
  -v, --verbose              Enable verbose logging.

SEE ALSO