Venafi CLI Tool reference guide¶
Usage¶
venctl command [flags]
Getting help with Venafi CLI tool commands¶
Use the following command to get information on individual venctl commands and their flags:
venctl [command] --help
Quick install/uninstall commands¶
Important
Installing or uninstalling Venafi Kubernetes components into your Kubernetes cluster using these commands is not recommended for production environments.
Use these commands to install specified Venafi components into a Kubernetes cluster and remove them thereafter.
venctl components kubernetes apply¶
Install the specified Venafi components into a Kubernetes cluster.
This command applies the components specified by the provided flags and value files into a Kubernetes cluster.
Important
Any previously installed components not specified in the current run are removed.
Usage:
venctl components kubernetes apply [flags]
Examples:
Install Enterprise cert-manager using the default approver:
venctl components kubernetes apply --cert-manager --default-approver
Install Enterprise cert-manager with Approver Policy and Trust Manager:
venctl components kubernetes apply --cert-manager --approver-policy --trust-manager
Flags:
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
--approver-policy | Install the default version of Approver Policy. The Approver Policy version can be set manually with the --approver-policy-version flag. Do not use this flag if you have used --approver-policy-enterprise. | |
--approver-policy-custom-chart-repository | string | Custom OCI registry or Helm repository for Approver Policy charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Do not use this flag if you have used --approver-policy-enterprise. |
--approver-policy-custom-image-registry | string | Custom OCI registry for pulling Approver Policy images. Do not use this flag if you have used --approver-policy-enterprise. |
--approver-policy-values-files | strings | A comma-separated list of files providing Helm values for Approver Policy. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--approver-policy-version | string | Use this flag to specify the Approver Policy version manually . Only use this flag with --approver-policy. |
--approver-policy-enterprise | Install the default version of Approver Policy Enterprise. The Approver Policy Enterprise version can be set manually with the --approver-policy-enterprise-version flag. Do not use this flag if you have used --approver-policy. | |
--approver-policy-enterprise-custom-chart-repository | string | Custom OCI registry or Helm repository for Approver Policy Enterprise charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Do not use this flag if you have used --approver-policy. |
--approver-policy-enterprise-custom-image-registry | string | Custom OCI registry for pulling Approver Policy Enterprise images. Do not use this flag if you have used --approver-policy. |
--approver-policy-enterprise-values-files | strings | A comma-separated list of files providing Helm values for Approver Policy Enterprise. These files are relative to the directory from which the Venafi CLI tool is run when syncing a manifest to a cluster. |
--approver-policy-enterprise-version | string | Use this flag to specify the Approver Policy Enterprise version manually. Implies approver-policy-enterprise. Do not use this flag is you have used --approver-policy. |
--aws-privateca-issuer | Install the default version of AWS Private CA Issuer. The version can be set manually with the --aws-privateca-issuer-version flag. | |
--aws-privateca-issuer-custom-chart-repository | strings | Custom OCI registry or Helm repository for AWS Private CA Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. |
--aws-privateca-issuer-custom-image-repository | string | Custom OCI registry for pulling AWS Private CA Issuer images. |
--aws-privateca-issuer-values-files | strings | A comma-separated list of files providing Helm values for AWS Private CA Issuer. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--aws-privateca-issuer-version | string | Use this flag to specify the AWS Private CA Issuer version manually. Only use this flag with --aws-privateca-issuer. |
--cert-manager | Install the default version of cert-manager. The cert-manager version can also be set manually with --cert-manager-version. The default is true. | |
--cert-manager-custom-chart-repository | string | Custom OCI registry or Helm repository for cert-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. |
--cert-manager-custom-image-registry | string | Custom OCI registry for pulling cert-manager images. |
--cert-manager-values-files | strings | A comma-separated list of files from which Helm values for cert-manager should be read. These files are relative to the directory from which the Venafi CLI is run. |
--cert-manager-version | string | Use this flag to specify the cert-manager version manually. Only use this flag with --cert-manager. |
--csi-driver | Install the default version of csi-driver. The csi-driver version can be set manually with the --csi-driver-version flag. | |
--csi-driver-custom-chart-repository | string | Custom OCI registry or Helm repository for csi-driver charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --csi-driver. |
--csi-driver-custom-image-registry | string | Custom OCI registry for pulling csi-driver images. Only use this flag with --csi-driver. |
--csi-driver-values-files | strings | A comma-separated list of files providing Helm values for csi-driver. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--csi-driver-version | string | Use this flag to specify ccsi-driver version manually. Only use this flag with --csi-driver. |
--custom-chart-repository | string | Custom OCI registry or Helm repository from which charts should be pulled. Used by default for every component which doesn't have a manual override. If unspecified, per-component defaults apply. Only use this flag if you have set --region to custom. The URL must include a scheme. |
--custom-image-registry | string | Custom OCI registry from which images are pulled in-cluster. Used by default for every component which doesn't have a manual override. If unspecified, the per-component defaults apply. Only use this flag if you have set --region to custom. |
--default-approver | If true, this flag enables the default approver in cert-manager. This prevents the installation of Approver Policy, and is not recommended in most cases. | |
--firefly | Install the default version of Firefly. The version can be set manually with the --firefly-version flag. | |
--accept-firefly-tos | Whether you accept the firefly terms of service. For more information, see the End User License Agreement. | |
--firefly-custom-chart-repository | string | Custom OCI registry or Helm repository for Firefly Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. |
--firefly-custom-image-repository | string | Custom OCI registry for pulling Firefly Issuer images. |
--firefly-values-files | strings | A comma-separated list of files providing Helm values for Firefly. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--firefly-version | string | Use this flag to specify the Firefly version manually. Only use this flag with --firefly. |
-h, --help | Help for venctl components kubernetes apply. | |
--ignore-dependencies | If set, no component is install that is not explicitly requested. This can lead to failed or broken installs if dependencies are not already present in the target cluster. | |
--image-pull-secret-names | strings | A comma-separated list of image pull secret names which must be used by all components. The default value is [venafi-image-pull-secret]. |
--install-open-source | Whether to install open source versions of cert-manager, trust-manager and other cert-manager sub-projects. | |
--kubeconfig | string | The path to the kubeconfig file to use for CLI requests. |
--kube-context | string | The name of the kubeconfig context to use. |
--venafi-kubernetes-agent | Install the default version of Venafi Kubernetes Agent. The Venafi Kubernetes Agent version can be set manually with the --venafi-kubernetes-agent-version flag. | |
--venafi-kubernetes-agent-custom-chart-repository | string | Custom OCI registry or Helm repository for trust-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --venafi-kubernetes-agent. |
--venafi-kubernetes-agent-custom-image-registry | string | Custom OCI registry for pulling trust-manager images. Only use this flag with --venafi-kubernetes-agent. |
--venafi-kubernetes-agent-values-files | strings | A comma-separated list of files providing Helm values for Venafi Kubernetes Agent. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--venafi-kubernetes-agent-version | string | Use this flag to specify the Venafi Kubernetes Agent version manually. Only use this flag with --venafi-kubernetes-agent. |
--namespace | string | The namespace into which all components must be installed. The default is venafi. |
--no-prompts | Allow command to run without user interaction. | |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--region | string | The region from which images are pulled. Either us or eu (or custom, although this will be removed in a future release). The default is us. Not to be confused with the '--vcp-region' global flag. |
--trust-manager | Install the default version of trust-manager. The trust-manager version can be set manually with the --trust-manager-version flag. | |
--trust-manager-custom-chart-repository | string | Custom OCI registry or Helm repository for trust-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --trust-manager. |
--trust-manager-custom-image-registry | string | Custom OCI registry for pulling trust-manager images. Only use this flag with --trust-manager. |
--trust-manager-values-files | strings | A comma-separated list of files providing Helm values for trust-manager. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--trust-manager-version | string | Use this flag to specify the trust-manager version manually. Only use this flag with --trust-manager. |
--use-fips-images | If set, use FIPS-compliant images for all components which have them. | |
--venafi-connection | Install the default version of Venafi Connection. | |
--venafi-connection-custom-chart-repository | string | Custom OCI registry or Helm repository for Venafi Connection charts. Overrides open source and Venafi enterprise images. Must be a URL including a scheme |
--venafi-connection-values-files | strings | A comma-separated list of files providing Helm values for Venafi Connection. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--venafi-connection-version | string | Use this flag to specify the Venafi Connection version manually. Only use this flag with --venafi-connection. |
--venafi-enhanced-issuer | Install the default version of Venafi Enhanced Issuer. The version can be set manually with the --venafi-enhanced-issuer-version flag. | |
--venafi-enhanced-issuer-custom-chart-repository | string | Custom OCI registry for pulling Venafi Enhanced Issuer images. |
--venafi-enhanced-issuer-custom-image-registry | string | Custom OCI registry or Helm repository for Venafi Enhanced Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. |
--venafi-enhanced-issuer-values-files | strings | A comma-separated list of files providing Helm values for Venafi Enhanced Issuer. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--venafi-enhanced-issuer-version | string | Use this flag to specify the Venafi Enhanced Issuer version manually. Only use this flag with --venafi-enhanced-issuer |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl components kubernetes delete¶
Delete all applied Venafi components from a Kubernetes cluster. Deletes all components previously applied using the venctl component kubernetes apply command:
Usage:
venctl components kubernetes delete [flags]
Flags:
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | Help for venctl components kubernetes delete. | |
--kubeconfig | string | The path to the kubeconfig file to use for CLI requests. |
--kube-context | string | The name of the kubeconfig context to use. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
Kubernetes Manifest tool commands¶
Use the commands to generate manifests, install and manage Venafi Kubernetes components.
venctl components kubernetes manifest generate¶
Generates a Venafi Kubernetes manifest for components.
The generated file can be used as an installation manifest by the Venafi CLI tool to install components into a Kubernetes cluster, which you can store in source control along with other infrastructure-as-code resources.
All supported components have flags to mark them for installation as well as for configuring other aspects of how the tool should be installed:
- Custom helm chart repository
- Custom image registry for inside the cluster
- Custom version
- Lists of
values.yamlfiles which provide Helm values. For more information on the supported values for each component, see its related Helm values reference page.
Dependencies of explicitly requested components are automatically included in the manifest.
Usage:
venctl components kubernetes manifest generate [flags]
Flags:
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
--approver-policy | Install the default version of Approver Policy. The Approver Policy version can be set manually with the --approver-policy-version flag. Do not use this flag if you have used --approver-policy-enterprise. | |
--approver-policy-custom-chart-repository | string | Custom OCI registry or Helm repository for Approver Policy charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Do not use this flag if you have used --approver-policy-enterprise. |
--approver-policy-custom-image-registry | string | Custom OCI registry for pulling Approver Policy images. Do not use this flag if you have used --approver-policy-enterprise. |
--approver-policy-values-files | strings | A comma-separated list of files providing Helm values for Approver Policy. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--approver-policy-version | string | Use this flag to specify the Approver Policy version manually . Only use this flag with --approver-policy. |
--approver-policy-enterprise | Install the default version of Approver Policy Enterprise. The Approver Policy Enterprise version can be set manually with the --approver-policy-enterprise-version flag. Do not use this flag if you have used --approver-policy. | |
--approver-policy-enterprise-custom-chart-repository | string | Custom OCI registry or Helm repository for Approver Policy Enterprise charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Do not use this flag if you have used --approver-policy. |
--approver-policy-enterprise-custom-image-registry | string | Custom OCI registry for pulling Approver Policy Enterprise images. Do not use this flag if you have used --approver-policy. |
--approver-policy-enterprise-values-files | strings | A comma-separated list of files providing Helm values for Approver Policy Enterprise. These files are relative to the directory from which the Venafi CLI tool is run when syncing a manifest to a cluster. |
--approver-policy-enterprise-version | string | Use this flag to specify the Approver Policy Enterprise version manually. Implies approver-policy-enterprise. Do not use this flag is you have used --approver-policy. |
--aws-privateca-issuer | Install the default version of AWS Private CA Issuer. The version can be set manually with the --aws-privateca-issuer-version flag. | |
--aws-privateca-issuer-custom-chart-repository | strings | Custom OCI registry or Helm repository for AWS Private CA Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. |
--aws-privateca-issuer-custom-image-repository | string | Custom OCI registry for pulling AWS Private CA Issuer images. |
--aws-privateca-issuer-values-files | strings | A comma-separated list of files providing Helm values for AWS Private CA Issuer. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--aws-privateca-issuer-version | string | Use this flag to specify the AWS Private CA Issuer version manually. Only use this flag with --aws-privateca-issuer. |
--cert-manager | Install the default version of cert-manager. The cert-manager version can also be set manually with --cert-manager-version. The default is true. | |
--cert-manager-custom-chart-repository | string | Custom OCI registry or Helm repository for cert-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. |
--cert-manager-custom-image-registry | string | Custom OCI registry for pulling cert-manager images. |
--cert-manager-values-files | strings | A comma-separated list of files from which Helm values for cert-manager should be read. These files are relative to the directory from which the Venafi CLI is run. |
--cert-manager-version | string | Use this flag to specify the cert-manager version manually. Only use this flag with --cert-manager. |
--csi-driver | Install the default version of csi-driver. The csi-driver version can be set manually with the --csi-driver-version flag. | |
--csi-driver-custom-chart-repository | string | Custom OCI registry or Helm repository for csi-driver charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --csi-driver. |
--csi-driver-custom-image-registry | string | Custom OCI registry for pulling csi-driver images. Only use this flag with --csi-driver. |
--csi-driver-values-files | strings | A comma-separated list of files providing Helm values for csi-driver. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--csi-driver-version | string | Use this flag to specify ccsi-driver version manually. Only use this flag with --csi-driver. |
--custom-chart-repository | string | Custom OCI registry or Helm repository from which charts should be pulled. Used by default for every component which doesn't have a manual override. If unspecified, per-component defaults apply. Only use this flag if you have set --region to custom. The URL must include a scheme. |
--custom-image-registry | string | Custom OCI registry from which images are pulled in-cluster. Used by default for every component which doesn't have a manual override. If unspecified, the per-component defaults apply. Only use this flag if you have set --region to custom. |
--default-approver | If true, this flag enables the default approver in cert-manager. This prevents the installation of Approver Policy, and is not recommended in most cases. | |
--firefly | Install the default version of Firefly. The version can be set manually with the --firefly-version flag. | |
--accept-firefly-tos | Whether you accept the firefly terms of service. For more information, see the End User License Agreement. | |
--firefly-custom-chart-repository | string | Custom OCI registry or Helm repository for Firefly Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. |
--firefly-custom-image-repository | string | Custom OCI registry for pulling Firefly Issuer images. |
--firefly-values-files | strings | A comma-separated list of files providing Helm values for Firefly. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--firefly-version | string | Use this flag to specify the Firefly version manually. Only use this flag with --firefly. |
--global-affinities-file | string | The path to a YAML file containing an array of Kubernetes corev1.Affinity objects. |
--global-tolerations-file | string | The path to a YAML file containing an array of Kubernetes corev1.Toleration objects. |
--global-topology-spread-constraints-file | string | The path to a YAML file containing an array of Kubernetes corev1 TopologySpreadConstraint resources. |
--ha-values-dir | string | The path to a directory to which suggested high-availability values.yaml files should be written for each supported component. These files will be automatically included in the generated manifest. |
-h, --help | Help for venctl components kubernetes manifest generate. | |
--ignore-dependencies | If set, no component is install that is not explicitly requested. This can lead to failed or broken installs if dependencies are not already present in the target cluster. | |
--image-pull-secret-names | strings | A comma-separated list of image pull secret names which must be used by all components. The default value is [venafi-image-pull-secret]. |
--install-open-source | Whether to install open source versions of cert-manager, trust-manager and other cert-manager sub-projects. | |
--venafi-kubernetes-agent | Install the default version of Venafi Kubernetes Agent. The Venafi Kubernetes Agent version can be set manually with the --venafi-kubernetes-agent-version flag. | |
--venafi-kubernetes-agent-custom-chart-repository | string | Custom OCI registry or Helm repository for trust-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --venafi-kubernetes-agent. |
--venafi-kubernetes-agent-custom-image-registry | string | Custom OCI registry for pulling trust-manager images. Only use this flag with --venafi-kubernetes-agent. |
--venafi-kubernetes-agent-values-files | strings | A comma-separated list of files providing Helm values for Venafi Kubernetes Agent. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--venafi-kubernetes-agent-version | string | Use this flag to specify the Venafi Kubernetes Agent version manually. Only use this flag with --venafi-kubernetes-agent. |
--namespace | string | The namespace into which all components must be installed. The default is venafi. |
--no-prompts | Allow command to run without user interaction. | |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--region | string | The region from which images are pulled. Either us or eu (or custom, although this will be removed in a future release). The default is us. Not to be confused with the '--vcp-region' global flag. |
--trust-manager | Install the default version of trust-manager. The trust-manager version can be set manually with the --trust-manager-version flag. | |
--trust-manager-custom-chart-repository | string | Custom OCI registry or Helm repository for trust-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --trust-manager. |
--trust-manager-custom-image-registry | string | Custom OCI registry for pulling trust-manager images. Only use this flag with --trust-manager. |
--trust-manager-values-files | strings | A comma-separated list of files providing Helm values for trust-manager. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--trust-manager-version | string | Use this flag to specify the trust-manager version manually. Only use this flag with --trust-manager. |
--use-fips-images | If set, use FIPS-compliant images for all components which have them. | |
--venafi-connection | Install the default version of Venafi Connection. | |
--venafi-connection-custom-chart-repository | string | Custom OCI registry or Helm repository for Venafi Connection charts. Overrides open source and Venafi enterprise images. Must be a URL including a scheme |
--venafi-connection-values-files | strings | A comma-separated list of files providing Helm values for Venafi Connection. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--venafi-connection-version | string | Use this flag to specify the Venafi Connection version manually. Only use this flag with --venafi-connection. |
--venafi-enhanced-issuer | Install the default version of Venafi Enhanced Issuer. The version can be set manually with the --venafi-enhanced-issuer-version flag. | |
--venafi-enhanced-issuer-custom-chart-repository | string | Custom OCI registry for pulling Venafi Enhanced Issuer images. |
--venafi-enhanced-issuer-custom-image-registry | string | Custom OCI registry or Helm repository for Venafi Enhanced Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. |
--venafi-enhanced-issuer-values-files | strings | A comma-separated list of files providing Helm values for Venafi Enhanced Issuer. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster. |
--venafi-enhanced-issuer-version | string | Use this flag to specify the Venafi Enhanced Issuer version manually. Only use this flag with --venafi-enhanced-issuer |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl components kubernetes manifest print-versions¶
Output a list of all supported components along with their default versions.
Usage:
venctl components kubernetes manifest print-versions [flags]
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | string | Help for venctl components kubernetes manifest print-versions. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl components kubernetes manifest tool destroy¶
Destroys and then purges releases.
Usage:
venctl components kubernetes manifest tool destroy [flags]
Flags:
| Flag | Type | Description |
|---|---|---|
--allow-no-matching-release | string | Do not exit with an error code if the provided selector has no matching releases. |
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
--args | string | Pass arguments to helm exec. |
--cascade | string | Cascade to helm exec. The default value is background. |
-c, --chart | string | Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}". |
--color | Output with color. | |
--concurrency | integer | The maximum number of concurrent helm processes to run. 0 is unlimited. |
--debug | Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect. | |
--deleteTimeout | integer | The time in seconds to wait for helm uninstall. The default is 300. |
--deleteWait | Override the helmDefaults.wait setting helm uninstall --wait. | |
--disable-force-update | Do not force helm repos to update when executing helm repo add. | |
--enable-live-output | string | Show live output from the Helm binary Stdout/Stderr into Helmfile own Stdout/Stderr. It only applies for the Helm CLI commands. Stdout/Stderr for Hooks are still displayed only when its execution finishes. |
-e, --environment | string | Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default. |
-f, --file | helmfile.yaml | Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (means "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl") in this preference. Specify - to load the configuration from the standard input. |
-b, --helm-binary | string | The path to the helm binary. The default is helm. |
-h, --help | Help for venctl components kubernetes manifest tool destroy. | |
-i, --interactive | string | Request confirmation before attempting to modify clusters. |
--kubeconfig | string | The path to the kubeconfig file to use for CLI requests. |
--kube-context | string | Set kubectl context. Uses the current context by default. |
-k, --kustomize-binary | string | Path to the kustomize binary. The default is kustomize. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
-n, --namespace | string | Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}". |
--no-color | Output without color. | |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
-q, --quiet | string | Silence output. Equivalent to log-level warn. |
-l, --selector | stringArray | Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease" |
--skip-deps | Skip running helm repo update and helm dependency build. | |
--skip-charts | Don't prepare charts when destroying releases. | |
--state-values-file | stringArray | Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template). |
--state-values-set | stringArray | Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template). |
--state-values-set-string | stringArray | Set state STRING values on the command line. you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not values template). |
--strip-args-values-on-exit-error | Strip the potential secret values of the helm command arguments contained in a helmfile error message . The default is true. | |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl components kubernetes manifest tool diff¶
Diff releases defined in the state file.
Usage:
venctl components kubernetes manifest tool diff [flags]
Flags:
| Flag | Type | Description |
|---|---|---|
--allow-no-matching-release | string | Do not exit with an error code if the provided selector has no matching releases. |
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
--args | string | Pass arguments to helm exec. |
-c, --chart | string | Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}". |
--color | Output with color. | |
--concurrency | integer | The maximum number of concurrent helm processes to run. 0 is unlimited. |
--context | integer | Output NUM lines of context around changes |
--debug | Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect. | |
--detailed-exitcode | Return a detailed exit code. | |
-diff-args | string | Pass arguments to helm helm-diff. |
--disable-force-update | Do not force helm repos to update when executing helm repo add. | |
--enable-live-output | string | Show live output from the Helm binary Stdout/Stderr into Helmfile own Stdout/Stderr. It only applies for the Helm CLI commands. Stdout/Stderr for Hooks are still displayed only when its execution finishes. |
-e, --environment | string | Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default. |
-f, --file | helmfile.yaml | Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (means "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl") in this preference. Specify - to load the configuration from the standard input. |
-b, --helm-binary | string | The path to the helm binary. The default is helm. |
-h, --help | Help for venctl components kubernetes manifest tool diff. | |
--include-needs | Automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. | |
--include-tests | Enable the diffing of the helm test hooks. | |
--include-transitive-needs | Like --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions. | |
-i, --interactive | string | Request confirmation before attempting to modify clusters. |
--kubeconfig | string | The path to the kubeconfig file to use for CLI requests. |
--kube-context | string | Set kubectl context. Uses the current context by default. |
-k, --kustomize-binary | string | Path to the kustomize binary. The default is kustomize. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
-n, --namespace | string | Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}". |
--no-color | Output without color. | |
--no-hooks | Do not diff changes made by hooks. | |
--no-prompts | Allow command to run without user interaction. | |
--output | string | Output format for the diff plugin. |
--post-renderer | string | Pass --post-renderer to helm template or helm upgrade --install. |
--post-renderer-args | stringArray | Pass --post-renderer-args to helm template or helm upgrade --install. |
-q, --quiet | string | Silence output. Equivalent to log-level warn. |
--reset-values | Override helmDefaults.reuseValues helm diff upgrade --install --reset-values. | |
--reuse-values | Override helmDefaults.reuseValues helm diff upgrade --install --reuse-values. | |
-l, --selector | stringArray | Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease" |
--set | stringArray | Additional values to be merged into the helm command--set flag |
--show-secrets | Do not redact secret values in the output. Should be used for debug purposes only. | |
--skip-charts | Don't prepare charts when destroying releases. | |
--skip-deps | Skip running helm repo update and helm dependency build. | |
--skip-diff-on-install | Skips running helm-diff on releases being newly installed on this apply. Useful when the release manifests are too huge to be reviewed, or it's too time-consuming to diff at all. | |
-skip-needs | Do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided (default is true). | |
--state-values-file | stringArray | Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template). |
--state-values-set | stringArray | Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template). |
--state-values-set-string | stringArray | Set state STRING values on the command line. you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not values template). |
--strip-args-values-on-exit-error | Strip the potential secret values of the helm command arguments contained in a helmfile error message . The default is true. | |
--strip-trailing-cr | Strip trailing carriage return on input. | |
--suppress | stringArray | Strip trailing carriage return onKubernetes objects in the output. Can be provided multiple times. For example: --suppress KeycloakClient --suppress VaultSecret. |
--suppress-output-line-regex | stringArray | A list of regex patterns to suppress output lines from the diff output. |
--suppress-secrets | string | Suppress secrets in the output. Highly recommended to specify on CI/CD use-cases. |
--validate | string | Validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, like the diff of available API versions. |
--values | stringArray | Additional value files to be merged into the helm command --values flag |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl components kubernetes manifest tool init¶
Initialize the Venafi Kubernetes Manifest tool. Performs version checking and downloads and installs Helm and other required plug-ins
Usage:
venctl components kubernetes manifest tool init [flags]
Flags:
| Flag | Type | Description |
|---|---|---|
--allow-no-matching-release | string | Do not exit with an error code if the provided selector has no matching releases. |
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-c, --chart | string | Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}". |
--color | Output with color. | |
--debug | Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect. | |
--disable-force-update | Do not force helm repos to update when executing helm repo add. | |
--enable-live-output | string | Show live output from the Helm binary Stdout/Stderr into Helmfile own Stdout/Stderr. It only applies for the Helm CLI commands. Stdout/Stderr for Hooks are still displayed only when its execution finishes. |
-e, --environment | string | Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default. |
-f, --file | helmfile.yaml | Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (means "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl") in this preference. Specify - to load the configuration from the standard input. |
--force | Do not prompt, install dependencies required by helmfile. | |
-b, --helm-binary | string | The path to the helm binary. The default is helm. |
-h, --help | Help for venctl components kubernetes manifest tool init. | |
-i, --interactive | string | Request confirmation before attempting to modify clusters. |
--kubeconfig | string | The path to the kubeconfig file to use for CLI requests. |
--kube-context | string | Set kubectl context. Uses the current context by default. |
-k, --kustomize-binary | string | Path to the kustomize binary. The default is kustomize. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
-n, --namespace | string | Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}". |
--no-color | Output without color. | |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
-q, --quiet | string | Silence output. Equivalent to log-level warn. |
-l, --selector | stringArray | Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease" |
--skip-deps | Skip running helm repo update and helm dependency build. | |
--state-values-file | stringArray | Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template). |
--state-values-set | stringArray | Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template). |
--state-values-set-string | stringArray | Set state STRING values on the command line. you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not values template). |
--strip-args-values-on-exit-error | Strip the potential secret values of the helm command arguments contained in a helmfile error message . The default is true. | |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl components kubernetes manifest tool sync¶
Synchronize releases defined in the state file.
Usage:
venctl components kubernetes manifest tool sync [flags]
Flags:
| Flag | Type | Description |
|---|---|---|
--allow-no-matching-release | string | Do not exit with an error code if the provided selector has no matching releases. |
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
--args | string | Pass arguments to helm exec. |
--cascade | string | Cascade to helm exec. The default value is background. |
-c, --chart | string | Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}". |
--color | Output with color. | |
--concurrency | integer | The maximum number of concurrent helm processes to run. 0 is unlimited. |
--debug | Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect. | |
--disable-force-update | Do not force helm repos to update when executing helm repo add. | |
--enable-live-output | string | Show live output from the Helm binary Stdout/Stderr into Helmfile own Stdout/Stderr. It only applies for the Helm CLI commands. Stdout/Stderr for Hooks are still displayed only when its execution finishes. |
-e, --environment | string | Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default. |
-f, --file | helmfile.yaml | Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (means "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl") in this preference. Specify - to load the configuration from the standard input. |
-b, --helm-binary | string | The path to the helm binary. The default is helm. |
-h, --help | Help for venctl components kubernetes manifest tool sync. | |
-i, --interactive | string | Request confirmation before attempting to modify clusters. |
--include-needs | Automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. | |
--include-transitive-needs | Similar to --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions. | |
--kubeconfig | string | The path to the kubeconfig file to use for CLI requests. |
--kube-context | string | Set kubectl context. Uses the current context by default. |
-k, --kustomize-binary | string | Path to the kustomize binary. The default is kustomize. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
-n, --namespace | string | Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}". |
--no-color | Output without color. | |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--post-renderer | string | Pass --post-renderer to helm template or helm upgrade --install. |
--post-renderer-args | stringArray | Pass --post-renderer-args to helm template or helm upgrade --install. |
-q, --quiet | string | Silence output. Equivalent to log-level warn. |
--reset-values | Override helmDefaults.reuseValues helm upgrade --install --reset-values. | |
--reuse-values | Override helmDefaults.reuseValues helm upgrade --install --reuse-values. | |
-l, --selector | stringArray | Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease" |
--set | stringArray | Additional values to be merged into the helm command --set flag. |
--skip-crds | If set, no CRDs are installed on sync. By default, CRDs are installed if not already present. | |
--skip-deps | Skip running helm repo update and helm dependency build. | |
--skip-needs | Do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when--selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided. The default is true. | |
--state-values-file | stringArray | Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template). |
--state-values-set | stringArray | Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template). |
--state-values-set-string | stringArray | Set state STRING values on the command line. you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not values template). |
--strip-args-values-on-exit-error | Strip the potential secret values of the helm command arguments contained in a helmfile error message . The default is true. | |
--sync-args | string | Pass arguments to helm upgrade. |
--validate | Validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, similar to the sync of available API versions. | |
--values | stringArray | Additional value files to be merged into the helm command --values flag. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
--wait | Override helmDefaults.wait setting helm upgrade --install --wait. | |
--wait-for-jobs | Override helmDefaults.waitForJobs setting helm upgrade --install --wait-for-jobs. |
venctl components kubernetes manifest tool template¶
Template releases defined in the state file.
Usage:
venctl components kubernetes manifest tool template [flags]
Flags:
| Flag | Type | Description |
|---|---|---|
--allow-no-matching-release | string | Do not exit with an error code if the provided selector has no matching releases. |
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
--args | string | Pass arguments to helm exec. |
-c, --chart | string | Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}". |
--color | Output with color. | |
--concurrency | integer | The maximum number of concurrent helm processes to run. 0 is unlimited. |
--debug | Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect. | |
--disable-force-update | Do not force helm repos to update when executing helm repo add. | |
--enable-live-output | string | Show live output from the Helm binary Stdout/Stderr into Helmfile own Stdout/Stderr. It only applies for the Helm CLI commands. Stdout/Stderr for Hooks are still displayed only when its execution finishes. |
-e, --environment | string | Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default. |
-f, --file | helmfile.yaml | Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (means "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl") in this preference. Specify - to load the configuration from the standard input. |
-b, --helm-binary | string | The path to the helm binary. The default is helm. |
-h, --help | Help for venctl components kubernetes manifest tool template. | |
--include-crds | string | Include CRDs in the templated output. |
--include-needs | string | Automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. |
--include-transitive-needs | Like --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions. | |
-i, --interactive | string | Request confirmation before attempting to modify clusters. |
--kubeconfig | string | The path to the kubeconfig file to use for CLI requests. |
--kube-context | string | Set kubectl context. Uses the current context by default. |
--kube-version | string | Pass --kube-version to helm template. Overrides kubeVersion in helmfile.yaml |
-k, --kustomize-binary | string | Path to the kustomize binary. The default is kustomize. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
-n, --namespace | string | Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}". |
--no-color | Output without color. | |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--output-dir | string | The output directory to pass to helm template (helm template --output-dir). |
--output-dir-template | string | The Go text template for generating the output directory. Default: {{ .OutputDir }}/{{ .State.BaseName }}-{{ .State.AbsPathSHA1 }}-{{ .Release.Name}}. |
--post-renderer | string | Pass --post-renderer to helm template or helm upgrade --install. |
--post-renderer-args | stringArray | Pass --post-renderer-args to helm template or helm upgrade --install. |
-q, --quiet | string | Silence output. Equivalent to log-level warn. |
-l, --selector | stringArray | Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease" |
--set | stringArray | Additional values to be merged into the helm command --set flag. |
--skip-cleanup | Stop cleaning up temporary values generated by helmfile and helm-secrets. Useful for debugging. Don't use in production for security. | |
--skip-deps | Skip running helm repo update and helm dependency build. | |
--skip-needs | Do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when--selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided. The default is true. | |
--skip-tests | Skip tests from templated output. | |
--state-values-file | stringArray | Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template). |
--state-values-set | stringArray | Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template). |
--state-values-set-string | stringArray | Set state STRING values on the command line. you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not values template). |
--strip-args-values-on-exit-error | Strip the potential secret values of the helm command arguments contained in a helmfile error message . The default is true. | |
--validate | Validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, similar to the sync of available API versions. | |
--values | stringArray | Additional value files to be merged into the helm command --values flag |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
Service Account commands¶
Use these commands to create and manage service accounts in Venafi Control Plane.
venctl iam service-accounts agent create¶
Create a new service account that can be used by Venafi Kubernetes Agent.
Usage:
venctl iam service-accounts agent create [flags]
Example:
venctl iam service-accounts agent create --credential-format secret --name sa-agent --api-key xyz
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | string | Help for venctl iam service-accounts agent create. |
--auth.client-id | string | The ID of the service account used to authenticate against the Venafi Control Plane. |
--credential-file | string | The file where you want to store the service account credentials. |
--credential-format | string | Options for formatting the service account credentials output. Valid options are: json, secret, text. The default is json. |
--auth.key | string | The authenticating service account JSON or private key code used to authenticate against the Venafi Control Plane. |
--auth.key-file | string | The path to the authenticating service account credential file in JSON format or private key (.pem) file used to authenticate against the Venafi Control Plane. This flag must be used in conjunction with the --auth.client-id flag. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--name, -n | string | The name of the service account. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--owning-team | string | The team to set as the owner of the service account. The team can be passed by name or ID. |
--validity | integer | The validity, in days, for the service account that is generated. The default value is 365 days. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl iam service-accounts custom-integration create¶
Create a new service account for custom integrations with the Venafi Control Plane.
Usage:
venctl iam service-accounts custom-integration create [flags]
Example:
To create a new service account with the ability to create other service accounts, type:
venctl iam service-accounts custom-integration create \
--name sa-custom-integration \
--scopes svcaccount-write \
--credential-file svcaccount-write-credential.json \
--api-key xyz
| Flag | Type | Description |
|---|---|---|
--api-key | string | The API key you want to use to connect to Venafi Control Plane. |
--credential-file | string | The file where you want to store the service account credentials. |
--credential-format | string | Options for formatting the service account credentials output. Valid options are: json, secret, text. The default is json. |
-h, --help | string | Help for venctl iam service-accounts custom-integration create. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--name, -n | string | The name or ID of the service account. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--owning-team | string | The team to set as the owner of the service account. The team can be passed by name or ID. |
--scopes | strings | The scopes for which the service account will be created. |
--validity | integer | The validity, in days, for the service account that is generated. The default value is 365 days. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl iam service-accounts delete¶
Delete a service account from the Venafi Control Plane.
Usage:
venctl iam service-accounts delete [flags]
Example:
venctl iam service-accounts delete --name "My Service Account" --api-key xyz
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | string | Help for venctl service-accounts delete. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--name, -n | string | The name or ID of the service account. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--owning-team | string | The team to set as the owner of the service account. The team can be passed by name or ID. |
--validity | integer | The validity, in days, for the service account that is generated. The default value is 365 days. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl iam service-accounts describe¶
Provides information on a service account.
Usage:
venctl iam service-accounts describe [flags]
Example:
venctl iam service-accounts describe --api-key xyz -n myaccount --output json --no-prompts >> accinfo.json
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | string | Help for venctl iam service-accounts describe. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--name, -n | string | The name or ID of the service account. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--owning-team | string | The team to set as the owner of the service account. The team can be passed by name or ID. |
--validity | integer | The validity, in days, for the service account that is generated. The default value is 365 days. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl iam service-accounts firefly create¶
Create a service account for Venafi Firefly.
Usage:
venctl iam service-accounts firefly create [flags]
Examples:
To create a new service account that can be used by Venafi Firefly, type:
venctl iam service-accounts firefly create --name sa-firefly --api-key xyz
To export the service account credential in Kubernetes secret format, type:
venctl iam service-accounts firefly create --credential-format secret --name sa-firefly --api-key xyz
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | string | Help for venctl iam service-accounts firefly create. |
--credential-file | string | The file where you want to store the service account credentials. |
--credential-format | string | Options for formatting the service account credentials output. Valid options are: json, secret, text. The default is json. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
-n, --name | string | The name or ID of the service account. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--owning-team | string | The team to set as the owner of the service account. The team can be passed by name or ID. |
--validity | integer | The validity, in days, for the service account that is generated. The default value is 365 days. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl iam service-accounts list¶
Lists the service accounts in the Venafi Control Plane.
Usage:
venctl iam service-accounts list [flags]
Example:
venctl iam service-accounts list --api-key xyz --output json --no-prompts >> acclist.json
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | string | Help for venctl iam service-accounts list. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--name, -n | string | The name or ID of the service account. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
-p, --page-size | integer | The number of service accounts displayed per page. Only valid for the table format. The default value is 20. |
--owning-team | string | The team to set as the owner of the service account. The team can be passed by name or ID. |
--validity | integer | The validity, in days, for the service account that is generated. The default value is 365 days. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl iam service-accounts registry create¶
Create a new service account in the Venafi Control Plane for accessing container images from the Venafi OCI registry.
Usage:
venctl iam service-accounts registry create [flags]
Example:
venctl iam service-accounts registry create --name "My Service Account" --credential-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "enterprise-cert-manager" --validity 365 --api-key xyz
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | string | Help for venctl service-accounts registry create. |
--credential-file | string | The file where you want to store the service account credentials. |
-f, --credential-format | string | Options for formatting the registry credentials output. Valid options are: json, secret, dockerconfig. The default is json. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--name, -n | string | The name or ID of the service account. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--owning-team | string | The team to set as the owner of the service account. The team can be passed by name or ID. |
--scopes | string | The scopes for which the service account is created. Valid options are: enterprise-cert-manager, enterprise-approver-policy, enterprise-venafi-issuer. The default value is enterprise-cert-manager. |
--validity | integer | The validity, in days, for the service account that is generated. The default value is 365 days. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
Cluster connection command¶
Use this command to connect a Kubernetes cluster to Venafi Control Plane.
venctl installation cluster connect¶
Connect a Kubernetes cluster to Venafi Control Plane.
Usage:
venctl installation cluster connect [flags]
Example:
venctl installation cluster connect --name "My Cluster" --api-key xyz
Flags:
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
--description | string | A textual description for the cluster resource. |
-h, --help | string | Help for venctl installation cluster connect. |
--helm-chart-repository | string | The custom Helm repository from which to pull the Venafi Kubernetes Agent chart. The path to the Venafi Kubernetes Agent chart must use the following format: oci://<registry URI>/charts. For example: oci://my-registry.example.com/charts. If not specified, defaults to the Venafi registry. |
--image-registry | string | The custom OCI registry from which to pull the Venafi Kubernetes Agent image. The path to the Venafi Kubernetes Agent image must use the following format: <registry URI>/<optional subfolder>/venafi-agent. For example: my-registry.example.com/venafi-images/venafi-agent. If not specified, defaults to the Venafi registry. |
--image-pull-secret | string | The name of the Kubernetes image pull secret. |
--kubeconfig | string | The path to the kubeConfig file you want to use to connect to the cluster. |
--kubeconfig-context | string | The name of the kubeConfig file context you want to use to connect to the cluster. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
-n, --name | string | Name for the cluster resource. This flag is mandatory with this command. |
--namespace | string | The namespace where the agent is installed. The default is venafi. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--owning-team | string | The team set as owner of the cluster resource. The team can be passed as names or IDs. |
--vcp-region | string | The region of Venafi Control Plane. The default is US. |
Venafi CLI tool version and maintenance commands¶
Use these commands to find out which version of the Venafi CLI tool you're using, and update to the latest version.
venctl update¶
Updates the venctl binary to the latest available stable version.
Usage:
venctl update [flags]
Flags:
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | string | Help for venctl update. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |
venctl version¶
Prints the venctl version and build information.
Usage:
venctl version [flags]
Flags:
| Flag | Type | Description |
|---|---|---|
--api-key | string | API key you want to use to connect to Venafi Control Plane. |
-h, --help | string | Help for venctl version. |
--log-level | string | CLI log level (debug, info, warn, error). The default is info. |
--no-prompts | Allow command to run without user interaction. | |
-o, --output | string | CLI output format (one of: json, text, none). The default is text. |
--vcp-region | string | The Venafi Control Plane region. The default is US. |