meshctl experimental external-workload generate-bootstrap-bundle
Generate the bootstrap bundle that is required to onboard an external workload to your Gloo Mesh environment.
Synopsis
After you generate the bootstrap bundle, copy the bundle to your external workload to onboard it to your service mesh. For more information, see Onboard an external workload to the service mesh.
If you do not include the '--out' or '-o' flags, the bundle is generated as a compressed tar file in the tar.gz format. To use a different archive format, specify the output file with its extension type, which determines the archive and compression formats.
Supported compression formats:
- brotli (.br)
- bzip2 (.bz2)
- flate (.zip)
- gzip (.gz)
- lz4 (.lz4)
- snappy (.sz)
- xz (.xz)
- zlib (.zz)
- zstandard (.zst)
Supported archive formats:
- .zip
- .tar (including any compressed variants like .tar.gz)
- .rar (read-only)
- .7z (read-only)
meshctl experimental external-workload generate-bootstrap-bundle [flags]
Examples
# Generate a bootstrap bundle for the external workload with a specification
# defined in extworkload.yaml, that connects to cluster1, and uses a join token generated
# by the 'meshctl experimental external-workload generate-token' command as the attestation mechanism:
meshctl x external-workload gen-bundle \
-f extworkload.yaml \
--cluster cluster1 \
--attestor token \
-o /tmp/bootstrap.tar.gz
# Generate a bootstrap bundle for the external workload with a specification defined in extworkload.yaml,
# that connects to cluster1, and uses the AWS attestation mechanism:
meshctl x external-workload gen-bundle \
-f extworkload.yaml \
--cluster cluster1 \
--attestor aws \
-o /tmp/bootstrap.tar.gz
Options
      --agent-flags string             Additional flags to pass as-is to Istio's pilot agent
      --attestor string                One of: aws, azure, gcp, token
      --aws-metadata-endpoint string   AWS endpoint to retrieve instance metadata (default "http://169.254.169.254/latest")
      --az-resource-id string          Azure resource ID (or audience) to request for the MSI token
      --cluster string                 Kubernetes cluster the external workload will connect to
      --cluster-gw-svc string          Service name (<ns>/<name>) or IP address of the Istio east-west gateway used by the external workload to connect to the Istio control plane (default "istio-gateway-ew/istio-eastwestgateway")
  -f, --file string                    File containing the ExternalWorkload configuration
      --gcp-id-token-host string       GCP host from which an identity token can be retrieved (default "metadata.google.internal")
      --gcp-service-account string     GCP service account to fetch an identity token from (default "default")
  -h, --help                           help for generate-bootstrap-bundle
  -i, --identity-socket-path string    Path of the unix domain socket used to obtain workload identity credentials (default "/var/run/secrets/workload-spiffe-uds/socket")
      --otel-service string            Hostname or IP address of the OpenTelemetry collector service to connect to (default "gloo-metrics-gateway.gloo-mesh")
  -o, --out string                     Path to output bootstrap bundle
      --revision string                Istio control plane revision
      --spire-log-level string         Log level for the SPIRE agent (default "DEBUG")
      --spire-service string           Hostname or IP address of the SPIRE service to connect to (default "gloo-spire-server.gloo-mesh.svc")
      --use-hosts-file                 Use the hosts file to resolve the hostnames for Istiod and SPIRE services
Options inherited from parent commands
      --kubeconfig string    Path to the kubeconfig file for the cluster.
      --kubecontext string   Kubernetes context for the cluster to run the command in.
  -n, --namespace string     Namespace to run the command in. (default "gloo-mesh")
      --plain                Disable styling for terminal output.
  -v, --verbose              Enable verbose logging.
SEE ALSO
- meshctl experimental external-workload - Operations on external workloads that are onboarded to the service mesh.