tare gateway install

Install the serve gateway for ingress exposure. Provider selection
via --type (gcp|azure).

GCP (--type gcp):
  Installs the gateway Helm chart. Prerequisites (must be prepared or
  applied via --apply-prereqs before the chart install):
    1. Wildcard DNS is created and points to the gateway static IP
    2. TLS certificate and certificate map are provisioned and ready
    3. Gateway static IP and related cloud policies are prepared
  --apply-prereqs runs the equivalent gcloud commands automatically.

Azure (--type azure):
  Covers AKS clusters on traditional Azure CNI. Enables the AGIC addon
  (provisioning an Application Gateway, ~5min) and applies an Ingress
  with the required AGIC health-probe annotations to tars-dataplane.
  Pre-flights:
    - AKS networkProfile is AGIC-compatible (plugin=azure, mode=null,
      dataplane=azure). Fails fast otherwise.
    - The signed-in identity has the required Azure roles (AKS Service
      Contributor on the AKS RG, Network Contributor on the MC_ node-RG).
      Prints the exact az-role-assignment-create commands when a role is
      missing; degrades gracefully when role-list read is denied.
    - The current kubeconfig can create Ingress in tars-dataplane.
  AGC (Cilium/Overlay clusters) is a separate path tracked as a follow-up
  to fraser#3687.
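
The first two Azure pre-flights above can be checked offline against saved `az aks show` and `az role assignment list` output. This is an added example, not tare's own code; the JSON field names, the scope-inheritance rule and the sample data are assumptions.

```python
import json

# Role names and scopes as written in the pre-flight list above; the display
# name Azure returns in roleDefinitionName may differ (assumption).
REQUIRED_ROLES = (("AKS Service Contributor", "aks_rg"),
                  ("Network Contributor", "node_rg"))

# Assumed mapping of plugin/mode/dataplane onto `az aks show` field names.
AGIC_PROFILE = {"networkPlugin": "azure",
                "networkPluginMode": None,
                "networkDataplane": "azure"}


def profile_problems(network_profile):
    """List networkProfile fields that differ from the AGIC-compatible values."""
    return [f"{k}={network_profile.get(k)!r}, expected {v!r}"
            for k, v in AGIC_PROFILE.items() if network_profile.get(k) != v]


def covers(assigned_scope, target_scope):
    """True when an assignment scope equals or is an ancestor of the target."""
    a, t = assigned_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")  # "/" boundary blocks name-prefix matches


def missing_roles(assignments, scopes):
    """Roles not held at the required scope; None if the list was unreadable."""
    if assignments is None:  # role-list read denied: report unknown, not failure
        return None
    return [role for role, key in REQUIRED_ROLES
            if not any(a["roleDefinitionName"] == role
                       and covers(a["scope"], scopes[key]) for a in assignments)]


# Constructed sample data (not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SCOPES = {"aks_rg": f"{SUB}/resourceGroups/demo-rg",
          "node_rg": f"{SUB}/resourceGroups/MC_demo-rg_demo-aks_eastus"}
SAMPLE_PROFILE = json.loads('{"networkPlugin": "azure", "networkPluginMode":'
                            ' "overlay", "networkDataplane": "cilium"}')
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "AKS Service Contributor", "scope": SCOPES["aks_rg"]},
    # Sibling group sharing a name prefix: must not satisfy the node-RG check.
    {"roleDefinitionName": "Network Contributor",
     "scope": f"{SUB}/resourceGroups/MC_demo-rg"},
]

if __name__ == "__main__":
    print(profile_problems(SAMPLE_PROFILE))
    print(missing_roles(SAMPLE_ASSIGNMENTS, SCOPES))
```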

AWS is not implemented yet.

Examples:
# Print generated values from config
tare gateway install identity.json --type gcp --config gcp-gateway.json --print-helm-values

# Preview prerequisite gcloud commands
tare gateway install identity.json --type gcp --config gcp-gateway.json --dry-run-prereqs

# Apply prerequisites then install
tare gateway install identity.json --type gcp --config gcp-gateway.json --apply-prereqs

# Wait until Gateway reports an address
tare gateway install identity.json --type gcp --config gcp-gateway.json --wait

# Azure: dry-run the AGIC enable-addons + Ingress apply
tare gateway install identity.json --type azure --config azure-gateway.json --dry-run-prereqs

# Azure: apply prerequisites then install, waiting for the Ingress address
tare gateway install identity.json --type azure --config azure-gateway.json --apply-prereqs --wait

Usage:
tare gateway install <identity-file> [flags]

Flags:

Main:
  --ack-prereqs                     Confirm wildcard DNS/cert map/static IP prerequisites are already handled
  --apply-prereqs                   Apply supported GCP prerequisites using gcloud before install
  --certificate-map-name string     GCP certificate map name (recommended)
  --certificate-name string         Certificate resource name used for cert-map entry automation
  --config string                   Path to gcp-gateway.json configuration file
  --dns-authorization-name string   DNS authorization name for managed certificate workflow
  --dry-run-prereqs                 Print prerequisite gcloud commands and continue
  --project-id string               GCP project ID for prerequisite automation
  --security-policy string          Optional GCP security policy name
  --serve-domain string             Serve wildcard domain used by prerequisite workflow
  --serve-url string                Gateway host (default: cfg.serveUrl, then cfg.serveDomain)
  --static-ip-name string           GCP static IP name (recommended)
  --type string                     Gateway provider type (gcp supported; aws/others not implemented yet) (default "gcp")
  --wait                            Wait for Gateway to report an address after deploy

Azure:
  --aks-cluster-name string         AKS cluster name (or set azure.aksClusterName in --config)
  --appgw-name string               Application Gateway name AGIC creates (default: <aks-cluster-name>-appgw)
  --appgw-subnet-cidr string        App Gateway subnet CIDR (default: 10.225.0.0/24)
  --azure-resource-group string     Azure resource group containing the AKS cluster (or set azure.resourceGroup in --config)
  --azure-subscription-id string    Azure subscription ID (or set azure.subscriptionId in --config)

Plan:
  --accept-warnings                 Proceed even when lint warnings are present (errors still block)
  --output string                   Plan output format: text or json (default "text")
  --plan-only                       Render the install Plan and exit without applying changes
  --yes                             Skip the interactive Proceed? prompt; required in non-TTY contexts

Inspect:
  --print-helm-values               Print generated Helm values to stdout without deploying
  --print-resources                 Print all Kubernetes resource manifests via helm template to stdout without applying

Other:
  --customer string                 Customer label (default: inferred from identity file)
  --environment string              Environment label (required when customer is saas)