
tare install

Install the complete TARS dataplane in one command.

Steps performed:
1. Load and validate the identity (service-account) file
2. Optionally sync images and the serve-helm OCI chart to a private registry (--image-sync)
3. Optionally create a Kubernetes dockerconfigjson pull secret (--image-pull-secret-stdin)
4. Generate Helm values and deploy via "helm upgrade --install"
5. Wait for pods to become ready (disable with --no-wait)

helm and kubectl are downloaded automatically on first run if not already present
(on supported platforms: darwin/arm64 and linux/amd64). Before rendering manifests
or touching the cluster, tare runs preflight checks (Helm 3+, kubectl, and for live
installs cluster connectivity). Set TARE_SKIP_PREFLIGHT=1 or use --skip-preflight
to bypass these checks (e.g. in constrained CI).

On an interactive terminal, if you omit --enable-otel-collector, tare asks (before
Helm install) whether to enable the in-cluster OpenTelemetry collector and prompts
for the OTLP endpoint and optional settings (GCP Workload Identity is asked only when
the OTLP auth header uses berglas sm://). Prompts read from /dev/tty when available
so Helm install is not blocked by stdin buffering. Skipped in CI, pipes, when using
--image-pull-secret-stdin, or when you pass --enable-otel-collector explicitly.

Examples:
# Sync images to the registry, then install
tare install identity.json --image-sync acme.registry.com

# Install only: use images already in this registry (no copy step)
tare install identity.json --image-registry acme.registry.com

# Sync images only; exit before install
tare install identity.json --image-sync acme.registry.com --sync-only

# Apply CRDs only; exit before namespaces / Helm install
tare install identity.json --crds-only

# Mirror-to-mirror sync: pull from an existing mirror (--image-registry),
# push to a new one (--image-sync). The source override only applies when
# --image-sync is also set.
tare install identity.json \
  --image-registry acme.registry.com \
  --image-sync acme1.registry.com --sync-only

# Print generated Helm values without deploying
tare install identity.json --print-helm-values

# Print all Kubernetes resources for a GitOps workflow (no cluster access needed)
tare install identity.json --print-resources

# Full workflow: sync + pull secret + install
echo "user:password" | tare install identity.json \
  --image-sync acme.registry.com \
  --image-pull-secret-stdin

# Optional: deploy the in-cluster OTEL collector (requires endpoint; headers/WI optional).
# Use --otel-collector-otlp-tls-insecure=false when the OTLP server uses TLS with verification.
# customer_id is added to collector metrics from identity customerId unless --customer overrides.
tare install identity.json --image-registry REGISTRY \
  --serve-url https://proxy.example.com \
  --enable-otel-collector \
  --otel-collector-endpoint 'https://otel.example.com:4317'
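
Because --otel-collector-otlp-tls-insecure defaults to true, a pipeline that renders values with --print-helm-values can check the setting before anything is deployed. The function below is an added example, not part of tare: check_otlp_tls and the sample values are hypothetical, and it assumes the printed values are block-style YAML that carries the key path named in the flag description.

```shell
# Added example (not part of tare): gate on the OTLP TLS setting in Helm values.
# Assumption: block-style YAML; only the key path below comes from the flag help.
# Prints the value found; returns 0 = false (verify), 1 = other value, 2 = absent.
check_otlp_tls() {
  awk '
    BEGIN { want = "otelCollector.exporters.otlp.tls.insecure" }
    /^[ \t]*(#|$)/ { next }                      # blank lines and comments
    {
      line = $0; sub(/[ \t]+#.*$/, "", line)      # drop trailing comment
      indent = match(line, /[^ ]/) - 1
      body = substr(line, indent + 1)
      colon = index(body, ":")
      if (colon == 0 || body ~ /^- /) next        # not a plain mapping key
      key = substr(body, 1, colon - 1); val = substr(body, colon + 1)
      gsub(/^[ \t]+|[ \t]+$|"/, "", val)
      # Pop keys that are not ancestors of this line, then push this key.
      while (depth > 0 && ind[depth] >= indent) depth--
      depth++; ind[depth] = indent; name[depth] = key
      path = name[1]
      for (i = 2; i <= depth; i++) path = path "." name[i]
      if (path == want && val != "") found = val
    }
    END {
      if (found == "") { print "absent"; exit 2 }
      print found; exit (found == "false" ? 0 : 1)
    }'
}

# Constructed sample values (not real tare output).
SAMPLE_DEFAULT='global:
  imageRegistry: acme.registry.com
otelCollector:
  exporters:
    otlp:
      tls:
        insecure: true  # flag default'
SAMPLE_VERIFIED='otelCollector:
  exporters:
    otlp:
      tls:
        insecure: false
other:
  tls:
    insecure: true'

for s in "$SAMPLE_DEFAULT" "$SAMPLE_VERIFIED"; do
  printf '%s\n' "$s" | check_otlp_tls || echo "  -> not verified (exit $?)"
done
```

In a pipeline the input would be the output of "tare install identity.json --print-helm-values" with the same telemetry flags as the real install.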

Usage:
tare install <identity-file> [flags]

Flags:

Main:
--disable-hpa Disable HPA for all supported components
--disable-pdb Disable PDBs for all supported components
--drain-timeout-seconds int EnvoyProxy.spec.shutdown.drainTimeout (seconds). Maximum time Envoy waits for in-flight requests (long LLM streams) to finish before SIGKILL. Drives the Pod's terminationGracePeriodSeconds. (default 300)
--ha Deploy the data-plane Envoy proxy with HA-safe defaults (HPA min 2, PDB min 1). Pass --ha=false for single-replica lab/CI installs (pre-ADR-041 behavior). (default true)
--no-wait Return after Helm finishes; do not wait for pods to be ready (overrides --wait)
--serve-url string Data plane gateway URL (optional). When set, registers the URL with the management plane and seeds tars-config[proxy-url] via global.serveUrl. Omit to defer URL configuration to the management plane.
--wait Wait for pods to be ready after deploy; use --no-wait to disable (default true)


Registry:
--image-pull-secret-name string With --image-pull-secret-stdin: name for the created secret (default: tars-image-pull-secret). Without: reference an existing secret by this name
--image-pull-secret-stdin Read 'user:password' from stdin and create a Kubernetes dockerconfigjson pull secret
--image-sync string Sync images and the serve-helm OCI chart to this registry before install; sets --image-registry to this destination after the sync (unless --image-registry was used to override the source)
--sync-only Sync images (requires --image-sync) then exit without deploying


Telemetry:
--enable-otel-collector Deploy the in-cluster OpenTelemetry collector and egress ALS (requires --otel-collector-endpoint)
--otel-collector-endpoint string OTLP endpoint for telemetry export (required with --enable-otel-collector)
--otel-collector-image-repository string Short image repository under global.imageRegistry (default: otel-collector-berglas)
--otel-collector-image-tag string Override otel-collector-berglas image tag (default: embedded manifest)
--otel-collector-otlp-tls-insecure Set otelCollector.exporters.otlp.tls.insecure (when true, skip TLS verification) (default true)
--otel-collector-workload-identity-email string GCP service account email for Workload Identity (collector ServiceAccount annotation)
--otel-exporter-auth-headers string Authorization header value for OTLP export (plain or sm:// for berglas)


Inspect:
--crds-only Apply CRDs to the cluster then exit; skip namespaces, pull secret, Helm install, and wait. Cannot be combined with --sync-only, --image-sync, --image-pull-secret-stdin, or any --print-* flag.
--print-helm-values Print generated Helm values to stdout without deploying
--print-images Print the list of images and exit; combine with --image-sync to show src→dst pairs
--print-resources Print all Kubernetes resource manifests via helm template to stdout without applying; uses --serve-url when provided


Output:
--parallel int Number of images to sync concurrently (1 = serial, recommended 2-4) (default 3)
--progress string Image-sync progress display: auto|tty|plain|none (default "auto")
--stall-threshold duration Flag image sync as stalled after this duration of zero throughput; escalate at 2x (default 30s)