meshctl external-workload generate-token


Generate one or more join tokens as an attestation method to onboard external workloads to the mesh.


Join tokens are typically used for attestation when the external workload does not run in a cloud provider, for example on an on-premises bare-metal server. The workload agent uses the generated token to attest itself so that it can participate in the mesh. The token is considered sensitive information. Tokens are one-time use only and expire after a configurable TTL. The default TTL is 600 seconds (10 minutes).

On successful token generation, the command outputs the tokens. You must set the 'spec.identitySelector.joinToken.enable' field to 'true' in the ExternalWorkload resource before you apply the configuration. For more information, see "Onboard an external workload to the service mesh".

meshctl external-workload generate-token [flags]

Examples

# Generate a join token for the external workload 'helloworld' in the 'cloud' namespace:

	meshctl external-workload gen-token \
		--ext-workload cloud/helloworld

# Generate 5 join tokens for 5 instances of the 'helloworld' external workload specification running in the 'cloud' namespace:

	meshctl external-workload gen-token \
		--ext-workload cloud/helloworld \
		--count 5
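
Added example (not from the meshctl documentation): because join tokens are sensitive and single-use, one way to issue them is through a wrapper that validates the arguments and writes the command output to an owner-only file instead of the terminal. The function name issue_join_tokens, the MAX_TTL ceiling and the output-file argument are assumptions of this example; only the meshctl flags come from this page.

```bash
# Added example; issue_join_tokens and MAX_TTL are hypothetical names, not part of meshctl.
MAX_TTL=600   # assumed policy ceiling: the documented default TTL, in seconds

# usage: issue_join_tokens <namespace>/<name> <count> <ttl-seconds> <output-file>
issue_join_tokens() {
    ijt_workload=$1 ijt_count=$2 ijt_ttl=$3 ijt_out=$4

    # --ext-workload must be exactly <namespace>/<name>, both parts non-empty.
    case $ijt_workload in
        */*/*) ijt_ok=no ;;
        ?*/?*) ijt_ok=yes ;;
        *)     ijt_ok=no ;;
    esac
    [ "$ijt_ok" = yes ] || { echo "ext-workload must be <namespace>/<name>" >&2; return 2; }

    # --count and --ttl are unsigned integers; reject empty, non-numeric and zero values.
    for ijt_n in "$ijt_count" "$ijt_ttl"; do
        case $ijt_n in
            '' | *[!0-9]* | 0) echo "count and ttl must be positive integers" >&2; return 2 ;;
        esac
    done
    [ "$ijt_ttl" -le "$MAX_TTL" ] || { echo "ttl exceeds $MAX_TTL seconds" >&2; return 2; }

    # Create the file exclusively (noclobber) and owner-only (umask 077)
    # before any token is written to it. The subshell keeps both settings local.
    ( umask 077; set -C; : > "$ijt_out" ) 2>/dev/null ||
        { echo "refusing to overwrite $ijt_out" >&2; return 3; }

    # Tokens go to the file, not to the terminal scrollback or a CI log.
    meshctl external-workload generate-token \
        --ext-workload "$ijt_workload" \
        --count "$ijt_count" \
        --ttl "$ijt_ttl" >> "$ijt_out" ||
        { rm -f "$ijt_out"; echo "token generation failed" >&2; return 1; }
}

# Example call (requires meshctl and cluster access):
#   issue_join_tokens cloud/helloworld 5 300 ./helloworld.tokens
```

Remove the file once the workload agents have consumed the tokens.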


Options

      --count uint            Number of tokens to generate, typically equal to the number of external workload nodes backed by an ExternalWorkload resource (default 1)
  -e, --ext-workload string   Namespace and name of the ExternalWorkload resource, in the form <namespace>/<name>. The namespace must correspond to the workload cluster namespace in the 'connectedClusters' field of the ExternalWorkload resource, not the namespace that the ExternalWorkload resource is applied in.
  -h, --help                  help for generate-token
      --trust-domain string   The trust domain of the cluster the external workload will connect to
      --ttl uint              Token TTL in seconds (default 600)

Options inherited from parent commands

      --kubeconfig string    Path to the kubeconfig file for the cluster.
      --kubecontext string   Kubernetes context for the cluster to run the command in.
  -n, --namespace string     Namespace to run the command in. (default "gloo-mesh")
      --plain                Disable styling for terminal output.
  -v, --verbose              Enable verbose logging.