`tare gateway install`

Install serve gateway resources (currently GCP provider).

Synopsis

tare gateway install <identity-file> [flags]

Description

tare gateway install deploys the gateway chart used to expose serve traffic.

High-level workflow:

Load identity file
Load optional gcp-gateway.json config (--config)
Resolve values from flags/config/identity (with provenance: every resolved value carries the source it came from)
Plan: render a diff between the resolved config and live GCP/k8s state, with inline lint findings and a customer-action block; in a TTY, prompt Proceed? [y/N]. CI callers pass --yes.
Optional prereq workflow (--dry-run-prereqs or --apply-prereqs)
Run preflight checks
Install chart with Helm
Optional wait for Gateway address (--wait) and print DNS A-record action

The Plan view is the same JSON contract (apiVersion: tare.tetrate.io/v1alpha1) used by tare gateway config lint; use --plan-only --output json to consume it from other tooling.

Plan / Confirm / Apply flags

Flag	Description
`--plan-only`	Render the Plan and exit without applying changes.
`--yes`	Skip the interactive `Proceed?` prompt. Required in non-TTY contexts (CI).
`--accept-warnings`	Proceed even when lint warnings are present. Errors still block.
`--output text\|json`	Plan output format. Default: `text`.

Provider support:

gcp: supported (GCP Cloud Load Balancer + certificate-manager + Helm chart)
azure: supported (AKS + AGIC addon + Ingress): traditional Azure CNI only
aws: returns explicit not-implemented error

Prerequisites

Before install, you must either:

run --apply-prereqs, or
confirm prerequisites are already done with --ack-prereqs

GCP prerequisites

Expected prerequisites:

wildcard DNS prepared for your serve hostname
TLS certificate + certificate map prepared
static IP / cloud policy resources prepared

If --apply-prereqs is used, gcloud must be installed and authenticated.

Azure prerequisites

Expected prerequisites:

AKS cluster exists with AGIC-compatible networking (networkPlugin: azure, networkPluginMode: null, networkDataplane: azure)
az CLI installed and az login completed
signed-in identity has the required Azure roles (see below)
kubectl context points at the target AKS cluster

If --apply-prereqs is used, the install runs az aks enable-addons --addons ingress-appgw (which provisions an Application Gateway, ~5min) before applying the Ingress.

Pre-flights that run before any side effects:

AGIC networking compatibility: az aks show ... --query networkProfile must report {plugin: azure, mode: null, dataplane: azure}. If the cluster is Cilium/Overlay, fails fast with a pointer to AGC follow-up.
Azure RBAC: checks Azure Kubernetes Service Contributor Role on the AKS RG and Network Contributor on the MC_<rg>_<cluster>_<region> node-RG. Missing roles fail with the exact az role assignment create command to fix. If Microsoft.Authorization/roleAssignments/read is itself denied, the pre-flight degrades to a warning and proceeds (the install will surface AuthorizationFailed itself if a role is genuinely missing).
Kubernetes RBAC: kubectl auth can-i create ingress -n tars-dataplane. Fails with a hint pointing at the edit ClusterRole if denied.

Config file

Use --config to provide gateway settings:

tare gateway install identity.json --type gcp --config gcp-gateway.json
tare gateway install identity.json --type azure --config azure-gateway.json

Full schemas:

Usage

Render the Plan and exit

tare gateway install identity.json \
  --type gcp \
  --config gcp-gateway.json \
  --plan-only

Outputs the resolved values (with provenance), the GCP/k8s deltas against live state, inline lint findings, and the customer-action block. No side effects.

Print generated Helm values

tare gateway install identity.json \
  --type gcp \
  --config gcp-gateway.json \
  --print-helm-values

Preview prerequisite `gcloud` commands

tare gateway install identity.json \
  --type gcp \
  --config gcp-gateway.json \
  --dry-run-prereqs

Apply prerequisites and install

tare gateway install identity.json \
  --type gcp \
  --config gcp-gateway.json \
  --apply-prereqs \
  --wait

Install when prereqs are already managed externally

tare gateway install identity.json \
  --type gcp \
  --config gcp-gateway.json \
  --ack-prereqs \
  --wait

Print rendered manifests without applying

tare gateway install identity.json \
  --type gcp \
  --config gcp-gateway.json \
  --print-resources

On the Azure path, --print-resources emits the tars-ingress YAML (with the AGIC health-probe annotations) instead of helm-templated chart output.

Azure: preview the `az` plan without applying

tare gateway install identity.json \
  --type azure \
  --config azure-gateway.json \
  --dry-run-prereqs

Azure: apply prerequisites and install

tare gateway install identity.json \
  --type azure \
  --config azure-gateway.json \
  --apply-prereqs --wait

Runs the AGIC compat pre-flight, the Azure RBAC pre-flight (printing remediation commands when needed), and the K8s can-i create ingress pre-flight; then enables the AGIC addon, applies the Ingress with health-probe annotations, waits for the Ingress to report an address, and prints the DNS A-record customer action.

Flags

Main

Flag	Default	Description
`--type`	`gcp`	Gateway provider type (`gcp\|azure`)
`--config <file>`	none	Path to gateway config (`gcp-gateway.json` or `azure-gateway.json`)
`--project-id <id>`	from config	(GCP) project for prereq automation
`--serve-domain <host>`	from config/serve-url	Hostname/domain used by prereq automation
`--certificate-name <name>`	from config	(GCP) certificate resource name for managed cert workflow
`--dns-authorization-name <name>`	from config/derived	(GCP) DNS authorization resource name
`--serve-url <url-or-host>`	config → identity	Gateway host override
`--certificate-map-name <name>`	from config	(GCP) certificate map name
`--static-ip-name <name>`	from config	(GCP) optional static IP resource name
`--security-policy <name>`	from config	(GCP) optional Cloud Armor security policy name
`--customer <name>`	identity/config	Customer label
`--environment <name>`	from config	Environment label (required when customer is `saas`)
`--ack-prereqs`	`false`	Confirm prereqs are already handled
`--dry-run-prereqs`	`false`	Print prereq cloud-CLI plan (`gcloud` or `az`)
`--apply-prereqs`	`false`	Run prereq cloud-CLI plan
`--wait`	`false`	Wait until Gateway has an address (Azure: Ingress address)

Azure (only consulted under `--type azure`)

Flag	Default	Description
`--azure-subscription-id <uuid>`	from config	Azure subscription scoping `az` calls
`--azure-resource-group <name>`	from config	Resource group holding the AKS cluster
`--aks-cluster-name <name>`	from config	AKS cluster name
`--appgw-name <name>`	`<aks-cluster>-appgw`	Application Gateway name AGIC creates
`--appgw-subnet-cidr <cidr>`	`10.225.0.0/24`	App Gateway subnet CIDR

Inspect

Flag	Default	Description
`--print-helm-values`	`false`	Print generated Helm values to stdout
`--print-resources`	`false`	Print rendered Kubernetes manifests to stdout

Advanced / hidden

Flag	Default	Description
`--timeout`	`10m`	Timeout for `--wait`
`--release-name`	`tars-gateway`	Helm release name
`--namespace`	`tars-gateway`	Helm release namespace
`--system-namespace`	`tars-system`	Namespace referenced by gateway routes
`--dataplane-namespace`	`tars-dataplane`	Dataplane namespace referenced by gateway routes
`--chart-path`	embedded	Override chart source path/OCI/HTTP
`--chart-version`	none	Chart version (needed for remote charts)
`--helm-values`	none	Extra Helm values file to merge
`--skip-preflight`	`false`	Skip preflight checks

Output behavior

Progress and operator guidance are written to stderr
--print-helm-values and --print-resources write generated artifacts to stdout

When --wait succeeds, CLI prints:

resolved Gateway address
customer DNS A-record action (Host, Type A, Value, TTL)
certificate provisioning reminder

Verification

kubectl get gateway -n tars-gateway
kubectl get httproute -n tars-system
kubectl get httproute -n tars-dataplane
kubectl get gtwpc -n tars-gateway

If using managed certificates, also verify certificate state:

gcloud certificate-manager certificates describe <certificate-name> \
  --project <project-id> \
  --format="yaml(name,managed.state,managed.domainStatus)"

Troubleshooting

missing projectId: set --project-id or projectId in config when using prereq workflow
missing certificate map name: set --certificate-map-name or certificateMap.name in config
provider "aws" is not implemented yet: use --type gcp
wait timeout: check Gateway events and cloud LB provisioning status
certificate still PROVISIONING: ensure DNS authorization record and final A record are correct

Where to go next

gcp-gateway.json schema

Full field reference for the GCP gateway config file.

azure-gateway.json schema

Full field reference for the Azure gateway config file.

Synopsis​

Description​

Plan / Confirm / Apply flags​

Prerequisites​

GCP prerequisites​

Azure prerequisites​

Config file​

Usage​

Render the Plan and exit​

Print generated Helm values​

Preview prerequisite gcloud commands​

Apply prerequisites and install​

Install when prereqs are already managed externally​

Print rendered manifests without applying​

Azure: preview the az plan without applying​

Azure: apply prerequisites and install​

Flags​

Main​

Azure (only consulted under --type azure)​

Inspect​

Advanced / hidden​

Output behavior​

Verification​

Troubleshooting​