Retrieving Agent Router data plane Kubernetes resources for review or GitOps

This guide renders the Kubernetes resources that tare install would deploy, without applying them to a cluster. Use this workflow to review the manifest, run a server-side dry run, or commit the rendered YAML to a GitOps repository before deployment.

Prerequisites

A data plane credential file from the dashboard, saved locally as data-plane-credentials.json.
The tare CLI installed and available on PATH.
helm and kubectl available locally. Recent tare releases can download their own tool bundle, but most enterprise workstations manage these tools directly.

Install the CLI if needed:

curl -sSL https://tare.tetrate.ai/tools/install.sh | bash
export PATH="$PATH:$HOME/.tare/bin"
tare --version

The sections below describe two different options for retrieving the resource definitions:

Option 1 - Rendering the manifest as a single file (YAML format)
Option 2 - Rendering the manifest using an Artifact Registry

Option 1: render the manifest

Run tare install with --print-resources:

tare install ./data-plane-credentials.json --print-resources > tare-data-plane.yaml

The command writes the rendered Kubernetes YAML to stdout. Progress and preflight messages go to stderr, so redirecting stdout produces a clean manifest file.

The rendered file contains the same Kubernetes resources tare install would deploy through Helm: namespaces, CRDs, service accounts, RBAC, secrets, config maps, services, deployments, autoscaling resources, gateway resources, and install jobs.

tip

The data plane URL can be set later from the dashboard after the gateway and DNS are ready:

Log in the the Admin Dashboard.
Navigate to System → Settings
Select tab Data planes.
Click the Edit action icon.
Locate item URL.
Update the URL.
Click button Save changes.

Option 2: render with an artifact registry

When the cluster pulls from a mirrored registry, set the image registry in the rendered Helm values:

tare install ./data-plane-credentials.json \
  --image-registry us-central1-docker.pkg.dev/acme-prod/tare \
  --print-resources > tare-data-plane.yaml

When the registry requires an image pull secret that already exists in the target namespaces, reference it:

tare install ./data-plane-credentials.json \
  --image-registry us-central1-docker.pkg.dev/acme-prod/tare \
  --image-pull-secret-name tare-registry-pull \
  --print-resources > tare-data-plane.yaml

To render the pull-secret object from credentials on stdin:

printf '%s\n' 'user:password' | tare install ./data-plane-credentials.json \
  --image-registry us-central1-docker.pkg.dev/acme-prod/tare \
  --image-pull-secret-stdin \
  --print-resources > tare-data-plane.yaml

Validate before applying

Run a server-side dry run against the target cluster:

kubectl apply --dry-run=server -f tare-data-plane.yaml

Apply once the manifest has been reviewed:

kubectl apply -f tare-data-plane.yaml

For GitOps, commit tare-data-plane.yaml to the repository managed by Argo CD, Flux, or the internal deployment system instead of applying it directly.

Common issues

Error message: `tare: command not found`

The installer places the binary in ~/.tare/bin by default. Add it to PATH:

export PATH="$PATH:$HOME/.tare/bin"

Error message: `unknown command "cli" for "tare"`

Use tare install, not tare cli:

tare install ./data-plane-credentials.json --print-resources

If an older CLI requires a URL, upgrade tare first. When an immediate upgrade is not possible, include --serve-url as a compatibility workaround:

tare install ./data-plane-credentials.json \
  --serve-url https://proxy.acme.example.com \
  --print-resources

Error message: `Missing serve URL`

Upgrade tare and retry. Current releases allow --print-resources without a data plane Proxy URL:

curl -sSL https://tare.tetrate.ai/tools/install.sh | bash
tare install ./data-plane-credentials.json --print-resources

When an immediate upgrade is not possible, pass a valid planned public hostname:

tare install ./data-plane-credentials.json \
  --serve-url https://proxy.acme.example.com \
  --print-resources

The hostname does not need to resolve while rendering. After the gateway and DNS are live, set or update the data plane URL in the dashboard.

Where to go next

Data plane installation

Apply the rendered resources by running a full data plane installation on AWS, Azure, or GCP.

Gateway installation

Install the gateway components that manage inbound access to the data plane.

Prerequisites​

Option 1: render the manifest​

Option 2: render with an artifact registry​

Validate before applying​

Common issues​

Error message: tare: command not found​

Error message: unknown command "cli" for "tare"​

Error message: Missing serve URL​