gcp-gateway.json schema (tare gateway install)
The JSON config file accepted by tare gateway install --type gcp, consumed through the --config flag.
This document describes the JSON config file accepted by:
tare gateway install identity.json --type gcp --config gcp-gateway.json
The parser is implemented in
svc/cli/internal/tare/gateway/config/types.go (Config).
Tip: Use
tare gateway config initto bootstrap a starter file from just a serve domain and a GCP project ID: the remaining fields documented below are pre-filled with sensible derivations and defaults that you can edit in place.
Azure: for the
--type azureflow, seeazure-gateway.jsonschema.
Supported keys
All keys are optional in JSON, but some become required by the selected workflow.
| Key | Type | Used for | Required when |
|---|---|---|---|
projectId | string | GCP project for prerequisite automation | --dry-run-prereqs or --apply-prereqs |
serveDomain | string | DNS hostname/domain for DNS authorization + cert map entry | creating cert/dns prereqs from CLI |
customer | string | Helm value customer | unless provided by identity / --customer |
environment | string | Helm value environment | required when customer is saas |
serveUrl | string | Helm value serveUrl | optional (falls back to identity fields) |
securityPolicy | string | Helm value securityPolicy | optional |
certificateMap.name | string | GCP cert map name + Helm certificateMap.name | prereq workflow and recommended for deploy |
gateway.staticIpName | string | GCP global static IP name + Helm gateway.staticIpName | optional but recommended |
certificate.name | string | Managed cert resource name (gcloud automation) | when automating cert creation |
dnsAuthorization.name | string | DNS authorization resource name (gcloud automation) | optional (auto-derived if omitted) |
namespaces.gateway | string | Gateway release namespace | optional (default tars-gateway) |
namespaces.system | string | System namespace reference | optional (default tars-system) |
namespaces.dataplane | string | Dataplane namespace reference | optional (default tars-dataplane) |
gcloud.skipExisting | bool | Continue when gcloud create hits "already exists" | optional (false default) |
Example
examples/gcp-gateway.pocnt.json:
{
"projectId": "withfraser",
"serveDomain": "proxy.pocnt.tetrate.ai",
"customer": "pocnt",
"environment": "production",
"serveUrl": "proxy.pocnt.tetrate.ai",
"certificateMap": {
"name": "pocnt-tetrate-ai"
},
"certificate": {
"name": "pocnt-serve-cert"
},
"dnsAuthorization": {
"name": "proxy-pocnt-tetrate-ai-dns-auth"
},
"namespaces": {
"gateway": "tars-gateway",
"system": "tars-system",
"dataplane": "tars-dataplane"
},
"gcloud": {
"skipExisting": false
}
}
Field precedence
For most values, precedence is:
- explicit CLI flag
gcp-gateway.json(--config)- identity file defaults / built-in defaults
Notable defaults:
--serve-url: falls back toserveUrl(config), thenserveDomain(config), then identityserveUrl, then identityproxy(legacy).--dns-authorization-name: if omitted and cert automation is enabled, default becomes<normalized-serve-domain>-dns-auth.
Minimal configs by use case
A) Install only (prereqs handled outside CLI)
Usually enough:
{
"customer": "acme",
"serveUrl": "proxy.acme.example.com",
"certificateMap": { "name": "acme-cert-map" }
}
Then run:
tare gateway install identity.json \
--type gcp \
--config gcp-gateway.json \
--ack-prereqs
B) Use --apply-prereqs / --dry-run-prereqs
Provide at least:
projectIdcertificateMap.name
And for certificate + DNS automation:
certificate.nameserveDomain
gateway.staticIpName is optional (CLI only creates static IP when set).
Where to go next