This page describes the available arguments to
Identify the cluster You have the following options to identify the cluster:
- The project ID that the cluster was created in.
- The name of the cluster.
- Either the zone (for single-zone clusters) or region (for regional clusters) that the cluster was created in.
kubeconfig context to use.
- The certificate authority (CA) to use to manage
mutual TLS certificates. Specify either
mesh_cato use Anthos Service Mesh certificate authority (Mesh CA) or
citadelto use the Istio CA. For information about which CA to use, see Choosing a certificate authority. For additional options that you must specify when using Istio CA, see Options for Istio CA custom certificate.
- The name of the
IstioOperatorcustom resource (CR) YAML file to enable a feature that isn't enabled by default. The script must be able to locate the YAML file, so the file either needs to be in the same directory as the script, or you can specify a relative path. To add multiple files, specify
--co|--custom_overlayand the filename, for example:
--co overlay_file1.yaml --co overlay_file2.yaml --co overlay_file3.yaml
- If using attached Amazon EKS clusters, use
--hub-registration-extra-flagsto register the cluster to the fleet if it isn't already registered.
--network_idto set the
topology.istio.io/networklabel applied to the
istio-systemnamespace. For GKE,
--network_iddefaults to the network name for the cluster. For other environments,
defaultwill be used.
- The name of a YAML file from the
anthos-service-meshpackage that contains the
IstioOperatorCR to enable an optional feature. When including one of these files, you don't need to download the
anthos-service-meshpackage first, and you don't specify the
.yamlextension. If you need to modify any of the files, download the
anthos-service-meshpackage, make your changes, and use the
--custom_overlayoption. To add multiple files, specify
-o|--optionand the filename, for example:
-o option_file1 -o option_file2 -o option_file3
- If not specified, the script creates a temporary directory where it
downloads files and configurations necessary for installing Anthos Service Mesh.
--output-dirflag to specify a relative path to a directory to use instead. Upon completion, the specified directory contains the
asmdirectory contains the configuration for the installation. The
istio-1.10.6-asm.2directory contains the extracted contents of installation file, which contains
istioctl, samples, and manifests. If you specify
--output-dirand the directory already contains the necessary files, the script uses those files instead of downloading them again.
-r|--revision_name REVISION NAME>
- A revision label is a key-value pair that
is set on the control plane. The revision label key is always
istio.io/rev. By default, the script sets the value for the revision label based on the Anthos Service Mesh version, for example:
asm-1106-2. Include this option if you want to override the default value and specify your own. The
REVISION NAMEargument must be a DNS-1035 label, and it must consist of lower case alphanumeric characters or
-, start with an alphabetic character, and end with an alphanumeric character (such as
abc-123). The regex used for validation is:
- The name of a service account used to install Anthos Service Mesh. If not
specified, the active user account in the current
gcloudconfiguration is used. If you need to change the active user account, run gcloud auth login.
- The key file for a service account. Omit this option if you aren't using a service account.
Options for Citadel custom certificate
If you specified
--ca citadel and you are using a custom CA, include the
--ca_cert FILE_PATH: The intermediate certificate
--ca_key FILE_PATH: The key for the intermediate certificate
--root_cert FILE_PATH: The root certificate
--cert_chain FILE_PATH: The certificate chain
For more information, see Plugging in existing CA Certificates.
The flags that start with
--enable let the script enable the required
Google APIs, set
required Identity and Access Management (IAM) permissions,
and update your cluster. If you prefer, you can
update your project and cluster yourself before running the script as described
in the Setting up your project and
Setting up your cluster sections of the
Multi-project installation guide. All of these flags are are incompatible with
--only_validate, and the script terminates with an error in this case.
- Allow the script to perform all of the individual enable actions described below.
- Allow the script to attempt to bind the Google Cloud user or service
account running the script to the
cluster-adminrole on your cluster. The script determines the user account from the
gcloud config get core/accountcommand. If you are running the script locally with a user account, make sure that you call the
gcloud auth logincommand before running the script. If you need to change the user account, run the
gcloud config set core/account GCP_EMAIL_ADDRESScommand where GCP_EMAIL_ADDRESS is the account that you use to log in to Google Cloud.
- Allow the script to set required cluster labels.
Allow the script to enable the following required Google Cloud managed services and components:
Allow the script to enable all required Google APIs.
Allow the script to set the required IAM permissions.
Allow the script to register the cluster to the project that the cluster is in. If you don't include this flag, follow the steps in Registering a cluster to manually register the cluster. Note that unlike the other enablement flags,
--enable_registrationis only included in
--enable_allwhen you specify an option (such as
--option hub-meshca) that requires cluster registration. Otherwise, you need to specify this flag separately.
- Print commands, but don't execute them.
- Register a cluster to a fleet using the fleet's host project ID. This flag is
required for non-Google Cloud clusters. When not provided for
Google Cloud clusters, it defaults to the cluster's project ID. You can
asmcli installalong with
--fleet_idprior to the installation, or as part of the installation by passing the
--fleet-idflags. This setting cannot be changed after it is configured.
- Run validation but don't update the project or cluster and don't install
Anthos Service Mesh. This flag is incompatible with the
enablement flags. The script terminates with an
error if you specify
--only_validatewith any enablement flag.
- Instead of installing Anthos Service Mesh, print all of the compiled YAML to standard output (stdout). All other output is written to standard error (stderr), even if it would normally go to stdout. The script skips all validations and setup when you specify this flag.
- By default, the script deploys the
Canonical Service controller
to your cluster. If you don't want the script to deploy the controller,
--disable_canonical_service. For more information, refer to Enabling and disabling the Canonical Service controller.
- Show a help message describing the options and flags and exit.
- As the script runs, if prints the command that it will run next. With the
--verboseflag, the script prints the command after execution as well.
- Print the version of
asmcliand exit. If you don't have the most recent version, you can download the most recent version of