meshctl external-workload onboard

Onboard the external workload instance to the mesh.

Synopsis

Onboard the external workload instance to the mesh. This command must be run as root because it installs packages and configures services that require root privileges. To install the agent software as part of the onboarding, use the --install, --istio, --spire, and --otel flags in addition to the onboard options.

  meshctl external-workload onboard [flags]
  

Examples

  
# Onboard a GCP instance corresponding to the ExternalWorkload 'my-workload' in the 'dev' namespace by allowing it to connect to the k8s cluster 'test' via the k8s 'istio-eastwest/istio-eastwestgateway' gateway with address '30.10.20.40', trust domain 'cluster.local':

  sudo meshctl external-workload onboard --attestor gcp --ext-workload dev/my-workload --cluster test --gateway istio-eastwest/istio-eastwestgateway --gateway-addr 30.10.20.40 --trust-domain cluster.local

# Onboard an AWS instance corresponding to the ExternalWorkload 'my-workload' in the 'dev' namespace by allowing it to connect to the k8s cluster 'test' via the k8s 'istio-eastwest/istio-eastwestgateway' gateway with address '30.10.20.40', trust domain 'cluster.local':

  sudo meshctl external-workload onboard --attestor aws --ext-workload dev/my-workload --cluster test --gateway istio-eastwest/istio-eastwestgateway --gateway-addr 30.10.20.40 --trust-domain cluster.local

# Onboard an AWS instance corresponding to the ExternalWorkload 'my-workload' in the 'dev' namespace, in the Istio network 'vpc-123', by allowing it to connect to the cluster 'test' in a different Istio network 'vpc-456' via the cluster's 'istio-eastwest/istio-eastwestgateway' gateway with address '30.10.20.40', trust domain 'cluster.local':

  sudo meshctl external-workload onboard --attestor aws --ext-workload dev/my-workload --network vpc-123 --cluster test --gateway istio-eastwest/istio-eastwestgateway --gateway-addr 30.10.20.40 --trust-domain cluster.local

# Onboard an instance corresponding to the ExternalWorkload 'my-workload' in the 'dev' namespace by allowing it to connect to the cluster 'test' by using a one-time join-token 'e471c564-71e8-4a38-8bbd-02b0e267f971' via the cluster's 'istio-eastwest/istio-eastwestgateway' gateway with address '30.10.20.40', trust domain 'cluster.local':

  sudo meshctl external-workload onboard --ext-workload dev/my-workload --attestor token --join-token e471c564-71e8-4a38-8bbd-02b0e267f971 --cluster test --gateway istio-eastwest/istio-eastwestgateway --gateway-addr 30.10.20.40 --trust-domain cluster.local

# Install the agent packages as a part of the onboarding:

  sudo meshctl external-workload onboard [OPTIONS] --install --istio https://storage.test.com/istio-sidecar.deb --gloo https://storage.test.com/gloo-workload-agent.deb
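As an added example (not meshctl's own code and not part of this reference), the following POSIX shell helper validates the inputs that the onboarding in the examples above depends on, using only the flags documented on this page, and assembles the command line from them. It refuses early when the attestor is unknown, when the token attestor is used without a one-time join token, or when a value has the wrong shape, so the failure surfaces before anything runs as root. It assumes meshctl is on PATH; the function names and the root check are this example's own.

```shell
#!/bin/sh
# Added helper, not part of meshctl: validates the inputs the onboard
# command depends on before anything runs as root, then assembles the
# command line from the flags documented on this page. Assumes meshctl is
# on PATH; the sample values in the usage comment are the page's own.
set -eu

# Accept only the attestor names the --attestor flag documents.
valid_attestor() {
  case "$1" in
    aws|azure|gcp|token) return 0 ;;
    *) return 1 ;;
  esac
}

# Check the <namespace>/<name> form used by --ext-workload and --gateway
# (DNS-label characters on both sides of a single slash).
valid_ns_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?/[a-z0-9]([-a-z0-9.]*[a-z0-9])?$'
}

# Check that --gateway-addr is a dotted-quad IPv4 address with octets <= 255.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Assemble the onboard command line. Arguments:
#   attestor ext-workload cluster gateway gateway-addr trust-domain [join-token]
# Prints the command on stdout; returns 1 (with a reason on stderr) when an
# input would make onboarding fail or bypass the intended attestation.
build_onboard_cmd() {
  attestor=$1 ext=$2 cluster=$3 gw=$4 gw_addr=$5 trust_domain=$6 token=${7:-}
  valid_attestor "$attestor" || { echo "unknown attestor: $attestor" >&2; return 1; }
  valid_ns_name "$ext"       || { echo "--ext-workload must be <namespace>/<name>: $ext" >&2; return 1; }
  valid_ns_name "$gw"        || { echo "--gateway must be <namespace>/<name>: $gw" >&2; return 1; }
  valid_ipv4 "$gw_addr"      || { echo "--gateway-addr must be an IPv4 address: $gw_addr" >&2; return 1; }
  # The token attestor proves identity only through the one-time join token,
  # so it is mandatory there and meaningless for the cloud attestors.
  if [ "$attestor" = token ] && [ -z "$token" ]; then
    echo "--attestor token requires --join-token" >&2; return 1
  fi
  if [ "$attestor" != token ] && [ -n "$token" ]; then
    echo "--join-token is only used with --attestor token" >&2; return 1
  fi
  cmd="meshctl external-workload onboard --attestor $attestor --ext-workload $ext --cluster $cluster --gateway $gw --gateway-addr $gw_addr --trust-domain $trust_domain"
  if [ -n "$token" ]; then
    cmd="$cmd --join-token $token"
  fi
  printf '%s\n' "$cmd"
}

# Run the assembled command. The page requires root for onboarding, so refuse
# up front rather than failing part way through package installation.
run_onboard() {
  cmd=$(build_onboard_cmd "$@") || return 1
  if [ "$(id -u)" -ne 0 ]; then
    echo "onboard must run as root (re-run with sudo)" >&2
    return 1
  fi
  sh -c "$cmd"
}

# Usage (as root), mirroring the first example on this page:
#   run_onboard gcp dev/my-workload test istio-eastwest/istio-eastwestgateway 30.10.20.40 cluster.local
```

The validation mirrors what the flag descriptions state: `--attestor` takes one of four names, `--ext-workload` and `--gateway` take `<namespace>/<name>`, and `--join-token` only attests the workload under the token attestor. Extra options such as `--network` or `--install` can be appended to the returned string in the same way `--join-token` is.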
  

Options

      --admin-bootstrap-port uint16        Mesh admin API port to fetch the bootstrap config (default 31339)
      --admin-cacert-port uint16           Mesh admin API port to fetch the trust bundle (default 31338)
      --agent-flags string                 Additional flags to pass as-is to Istio's pilot agent
      --attestor string                    One of: aws, azure, gcp, token
      --aws-metadata-endpoint string       AWS endpoint to retrieve instance metadata (default "http://169.254.169.254/latest")
      --az-resource-id string              Azure resource ID (or audience) to request for the MSI token
  -t, --bootstrap-timeout duration         Timeout for the agent to bootstrap. If unspecified, timeout is disabled.
      --cluster string                     Kubernetes cluster the external workload will connect to
      --custom-dns                         Use custom DNS (external, hosts file, etc.) to resolve the hostnames for Istiod, SPIRE, and OTel services
      --dual-stack                         Enable IPv4/IPv6 dual-stack networking
      --exclude-inbound-ports strings      List of inbound ports to exclude from traffic interception.
      --exclude-interfaces strings         List of network interfaces to exclude from traffic interception.
      --exclude-outbound-cidr strings      List of outbound CIDR ranges to exclude from traffic interception.
      --exclude-outbound-ports strings     List of outbound ports to exclude from traffic interception.
  -e, --ext-workload string                Namespace and name of the ExternalWorkload resource, in the form <namespace>/<name>. The namespace must correspond to the workload cluster namespace in the 'connectedClusters' field of the ExternalWorkload resource, not the namespace that the ExternalWorkload resource is applied in.
      --external-ip string                 External IP address of the external workload. If set, traffic to the workload will be directed to this address.
      --gateway string                     Namespace and name of the k8s gateway service used to connect to the cluster, in the form <namespace>/<name>
      --gateway-addr string                IP address of the gateway used to connect to the k8s cluster
      --gcp-id-token-host string           GCP host from which an identity token can be retrieved (default "metadata.google.internal")
      --gcp-service-account string         GCP service account to fetch an identity token from (default "default")
  -g, --gloo string                        URL or file path of Gloo agent package
  -h, --help                               help for onboard
  -w, --identity-socket-path string        Path of the unix domain socket used to obtain workload identity credentials (default "unix:///var/run/secrets/workload-spiffe-uds/socket")
      --install                            Install the agent packages as a part of the onboarding
      --intercept-inbound-ports strings    List of inbound ports to include for traffic interception. Defaults to all ports. (default [*])
      --intercept-outbound-cidr strings    List of outbound CIDR ranges to include for traffic interception. Defaults to all CIDR ranges. (default [*])
      --intercept-outbound-ports strings   List of outbound ports to include for traffic interception. Defaults to all ports.
  -i, --istio string                       URL or file path of Istio agent package
      --istio-ns string                    Istio control plane namespace (default "istio-system")
      --istio-rev string                   Istio control plane revision
      --istio-service-port uint16          Istio service port to connect to (default 15012)
      --join-token string                  One-time join token to use to attest the workload when using the token attestor.
      --network string                     Istio network that the external workload belongs to. Required when the workload connects to a cluster in a different network.
      --otel-env stringToString            Environment variables to pass to the OTel agent (default [])
      --otel-log-level string              Log level for the OTel agent (default "INFO")
      --otel-service string                Hostname or IP address of the OpenTelemetry collector service to connect to (default "gloo-metrics-gateway.gloo-mesh")
      --otel-service-port uint16           OpenTelemetry collector service port to connect to (default 4317)
      --spire-env stringToString           Environment variables to pass to the SPIRE agent (default [])
      --spire-log-level string             Log level for the SPIRE agent (default "INFO")
      --spire-service string               Hostname or IP address of the SPIRE service to connect to (default "gloo-spire-server.gloo-mesh.svc")
      --spire-service-port uint16          SPIRE service port to connect to (default 8081)
      --trust-bundle string                Trust bundle file path
      --trust-domain string                Trust domain of the cluster the workload will connect to. (default "cluster.local")
  

Options inherited from parent commands

      --kubeconfig string    Path to the kubeconfig file for the cluster.
      --kubecontext string   Kubernetes context for the cluster to run the command in.
  -n, --namespace string     Namespace to run the command in. (default "gloo-mesh")
      --plain                Disable styling for terminal output.
  -v, --verbose              Enable verbose logging.
  

SEE ALSO