tare gateway install

Install the serve gateway for ingress exposure. Select the provider
with --type (gcp|azure).

GCP (--type gcp):
  Installs the gateway Helm chart. Prerequisites (must be prepared or
  applied via --apply-prereqs before the chart install):
    1. Wildcard DNS is created and points to the gateway static IP
    2. TLS certificate and certificate map are provisioned and ready
    3. Gateway static IP and related cloud policies are prepared
  --apply-prereqs runs the equivalent gcloud commands automatically.

Azure (--type azure):
  Covers AKS clusters on traditional Azure CNI. Enables the AGIC addon
  (provisioning an Application Gateway, ~5min) and applies an Ingress
  with the required AGIC health-probe annotations to tars-dataplane.
  Pre-flights:
    - AKS networkProfile is AGIC-compatible (plugin=azure, mode=null,
      dataplane=azure). Fails fast otherwise.
    - The signed-in identity has the required Azure roles (AKS Service
      Contributor on the AKS RG, Network Contributor on the MC_ node-RG).
      Prints the exact az-role-assignment-create commands when a role is
      missing; degrades gracefully when role-list read is denied.
    - The current kubeconfig can create Ingress in tars-dataplane.
  AGC (Cilium/Overlay clusters) is a separate path tracked as a follow-up
  to fraser#3687.
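
The Azure pre-flights described above, written out as an added example (not tare's own code): it checks a networkProfile for AGIC compatibility and finds missing role assignments, honouring RBAC scope inheritance. It assumes the JSON field names emitted by `az aks show` and `az role assignment list`; the role names are the help text's shorthand, and the subscription, resource groups and assignee are constructed.

```python
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
AKS_RG = SUB + "/resourceGroups/rg-aks"                       # constructed
NODE_RG = SUB + "/resourceGroups/MC_rg-aks_demo_eastus"       # constructed
# Role names are the help text's shorthand; confirm the exact built-in names before use.
REQUIRED = [("AKS Service Contributor", AKS_RG), ("Network Contributor", NODE_RG)]

# Constructed sample of `az aks show --query networkProfile -o json`.
SAMPLE_PROFILE = json.loads(
    '{"networkPlugin": "azure", "networkPluginMode": null, "networkDataplane": "azure"}')
# Constructed sample of `az role assignment list --assignee <id> --all -o json`.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "AKS Service Contributor", "scope": SUB},  # inherited from subscription
    {"roleDefinitionName": "Network Contributor",
     "scope": SUB + "/resourceGroups/MC_rg-aks_demo"},  # different RG, shared string prefix
]

def agic_compatible(profile):
    """Return the reasons a networkProfile fails the AGIC check (empty list = compatible)."""
    want = {"networkPlugin": "azure", "networkPluginMode": None, "networkDataplane": "azure"}
    return [f"{k}={profile.get(k)!r}, want {v!r}" for k, v in want.items()
            if profile.get(k) != v]

def covers(assigned_scope, required_scope):
    """RBAC assignments apply to their scope and everything below it, per path segment."""
    a, r = assigned_scope.rstrip("/").lower(), required_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def missing_roles(assignments, required):
    """Return (missing, verified); assignments is None when the role-list read was denied."""
    if assignments is None:
        return [], False  # cannot verify: report that instead of failing the pre-flight
    missing = [(role, scope) for role, scope in required
               if not any(a["roleDefinitionName"] == role and covers(a["scope"], scope)
                          for a in assignments)]
    return missing, True

def fix_commands(missing, assignee):
    """Render one `az role assignment create` command per missing (role, scope) pair."""
    return [f'az role assignment create --assignee "{assignee}" --role "{role}" --scope "{scope}"'
            for role, scope in missing]

if __name__ == "__main__":
    print(agic_compatible(SAMPLE_PROFILE) or "networkProfile: AGIC-compatible")
    missing, verified = missing_roles(SAMPLE_ASSIGNMENTS, REQUIRED)
    print("\n".join(fix_commands(missing, "user@example.com")) if verified else "roles: unverified")
```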

AWS is not implemented yet.

Examples:
  # Print generated values from config
  tare gateway install identity.json --type gcp --config gcp-gateway.json --print-helm-values

  # Preview prerequisite gcloud commands
  tare gateway install identity.json --type gcp --config gcp-gateway.json --dry-run-prereqs

  # Apply prerequisites then install
  tare gateway install identity.json --type gcp --config gcp-gateway.json --apply-prereqs

  # Wait until Gateway reports an address
  tare gateway install identity.json --type gcp --config gcp-gateway.json --wait

  # Azure: dry-run the AGIC enable-addons + Ingress apply
  tare gateway install identity.json --type azure --config azure-gateway.json --dry-run-prereqs

  # Azure: apply prerequisites then install, waiting for the Ingress address
  tare gateway install identity.json --type azure --config azure-gateway.json --apply-prereqs --wait

Usage:
  tare gateway install <identity-file> [flags]

Flags:

  Main:
      --ack-prereqs                     Confirm wildcard DNS/cert map/static IP prerequisites are already handled
      --apply-prereqs                   Apply supported GCP prerequisites using gcloud before install
      --certificate-map-name string     GCP certificate map name (recommended)
      --certificate-name string         Certificate resource name used for cert-map entry automation
      --config string                   Path to the gateway configuration file (e.g. gcp-gateway.json or azure-gateway.json)
      --dns-authorization-name string   DNS authorization name for managed certificate workflow
      --dry-run-prereqs                 Print prerequisite gcloud commands and continue
      --project-id string               GCP project ID for prerequisite automation
      --security-policy string          Optional GCP security policy name
      --serve-domain string             Serve wildcard domain used by prerequisite workflow
      --serve-url string                Gateway host (default: cfg.serveUrl, then cfg.serveDomain)
      --static-ip-name string           GCP static IP name (recommended)
      --type string                     Gateway provider type: gcp or azure (aws not implemented yet) (default "gcp")
      --wait                            Wait for Gateway to report an address after deploy


  Azure:
      --aks-cluster-name string        AKS cluster name (or set azure.aksClusterName in --config)
      --appgw-name string              Application Gateway name AGIC creates (default: <aks-cluster-name>-appgw)
      --appgw-subnet-cidr string       App Gateway subnet CIDR (default: 10.225.0.0/24)
      --azure-resource-group string    Azure resource group containing the AKS cluster (or set azure.resourceGroup in --config)
      --azure-subscription-id string   Azure subscription ID (or set azure.subscriptionId in --config)


  Plan:
      --accept-warnings   Proceed even when lint warnings are present (errors still block)
      --output string     Plan output format: text or json (default "text")
      --plan-only         Render the install Plan and exit without applying changes
      --yes               Skip the interactive Proceed? prompt; required in non-TTY contexts


  Inspect:
      --print-helm-values   Print generated Helm values to stdout without deploying
      --print-resources     Print all Kubernetes resource manifests via helm template to stdout without applying


  Other:
      --customer string      Customer label (default: inferred from identity file)
      --environment string   Environment label (required when customer is saas)