
Venafi CLI Tool reference guide

Usage

venctl command [flags]

Getting help with Venafi CLI tool commands

Use the following command to get information on individual venctl commands and their flags:

venctl [command] --help

Quick install/uninstall commands

Important

Installing or uninstalling Venafi Kubernetes components into your Kubernetes cluster using these commands is not recommended for production environments.

Use these commands to install specified Venafi components into a Kubernetes cluster and remove them thereafter.

venctl components kubernetes apply

Install the specified Venafi components into a Kubernetes cluster.

This command applies the components specified by the provided flags and value files into a Kubernetes cluster.

Important

Any previously installed components not specified in the current run are removed.

Usage:

venctl components kubernetes apply [flags]

Examples:

Install cert-manager using the default approver:

venctl components kubernetes apply --cert-manager --default-approver

Install cert-manager with Approver Policy and Trust Manager:

venctl components kubernetes apply --cert-manager --approver-policy --trust-manager

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
--approver-policy Install the default version of Approver Policy. The Approver Policy version can be set manually with the --approver-policy-version flag. Do not use this flag if you have used --approver-policy-enterprise.
--approver-policy-custom-chart-repository string Custom OCI registry or Helm repository for Approver Policy charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Do not use this flag if you have used --approver-policy-enterprise.
--approver-policy-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Approver Policy charts.
--approver-policy-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Approver Policy charts.
--approver-policy-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Approver Policy charts.
--approver-policy-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Approver Policy charts.
--approver-policy-custom-image-registry string Custom OCI registry for pulling Approver Policy images. Do not use this flag if you have used --approver-policy-enterprise.
--approver-policy-values-files strings A comma-separated list of files providing Helm values for Approver Policy. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--approver-policy-version string Use this flag to specify the Approver Policy version manually. Only use this flag with --approver-policy.
--approver-policy-enterprise Install the default version of Approver Policy Enterprise. The Approver Policy Enterprise version can be set manually with the --approver-policy-enterprise-version flag. Do not use this flag if you have used --approver-policy.
--approver-policy-enterprise-custom-chart-repository string Custom OCI registry or Helm repository for Approver Policy Enterprise charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Do not use this flag if you have used --approver-policy.
--approver-policy-enterprise-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Approver Policy Enterprise charts.
--approver-policy-enterprise-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Approver Policy Enterprise charts.
--approver-policy-enterprise-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Approver Policy Enterprise charts.
--approver-policy-enterprise-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Approver Policy Enterprise charts.
--approver-policy-enterprise-custom-image-registry string Custom OCI registry for pulling Approver Policy Enterprise images. Do not use this flag if you have used --approver-policy.
--approver-policy-enterprise-values-files strings A comma-separated list of files providing Helm values for Approver Policy Enterprise. These files are relative to the directory from which the Venafi CLI tool is run when syncing a manifest to a cluster.
--approver-policy-enterprise-version string Use this flag to specify the Approver Policy Enterprise version manually. Implies approver-policy-enterprise. Do not use this flag if you have used --approver-policy.
--aws-privateca-issuer Install the default version of AWS Private CA Issuer. The version can be set manually with the --aws-privateca-issuer-version flag.
--aws-privateca-issuer-custom-chart-repository strings Custom OCI registry or Helm repository for AWS Private CA Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--aws-privateca-issuer-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for AWS Private CA Issuer charts.
--aws-privateca-issuer-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for AWS Private CA Issuer charts.
--aws-privateca-issuer-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for AWS Private CA Issuer charts.
--aws-privateca-issuer-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for AWS Private CA Issuer charts.
--aws-privateca-issuer-custom-image-repository string Custom OCI registry for pulling AWS Private CA Issuer images.
--aws-privateca-issuer-values-files strings A comma-separated list of files providing Helm values for AWS Private CA Issuer. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--aws-privateca-issuer-version string Use this flag to specify the AWS Private CA Issuer version manually. Only use this flag with --aws-privateca-issuer.
--cert-manager Install the default version of cert-manager. The cert-manager version can also be set manually with --cert-manager-version. The default is true.
--cert-manager-custom-chart-repository string Custom OCI registry or Helm repository for cert-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--cert-manager-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for cert-manager charts.
--cert-manager-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for cert-manager charts.
--cert-manager-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for cert-manager charts.
--cert-manager-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for cert-manager charts.
--cert-manager-custom-image-registry string Custom OCI registry for pulling cert-manager images.
--cert-manager-values-files strings A comma-separated list of files from which Helm values for cert-manager should be read. These files are relative to the directory from which the Venafi CLI is run.
--cert-manager-version string Use this flag to specify the cert-manager version manually. Only use this flag with --cert-manager.
--csi-driver Install the default version of CSI driver. The CSI driver version can be set manually with the --csi-driver-version flag.
--csi-driver-custom-chart-repository string Custom OCI registry or Helm repository for CSI driver charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --csi-driver.
--csi-driver-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for CSI Driver charts.
--csi-driver-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for CSI driver charts.
--csi-driver-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for CSI driver charts.
--csi-driver-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for CSI driver charts.
--csi-driver-custom-image-registry string Custom OCI registry for pulling csi-driver images. Only use this flag with --csi-driver.
--csi-driver-values-files strings A comma-separated list of files providing Helm values for CSI driver. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--csi-driver-version string Use this flag to specify CSI driver version manually. Only use this flag with --csi-driver.
--csi-driver-spiffe Install the default version of CSI driver for SPIFFE. The CSI driver for SPIFFE version can be set manually with the --csi-driver-spiffe-version flag.
--csi-driver-spiffe-custom-chart-repository string Custom OCI registry or Helm repository for CSI driver for SPIFFE charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --csi-driver-spiffe.
--csi-driver-spiffe-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for CSI Driver for SPIFFE charts.
--csi-driver-spiffe-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for CSI driver for SPIFFE charts.
--csi-driver-spiffe-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for CSI driver for SPIFFE charts.
--csi-driver-spiffe-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for CSI driver for SPIFFE charts.
--csi-driver-spiffe-custom-image-registry string Custom OCI registry for pulling csi-driver images. Only use this flag with --csi-driver-spiffe.
--csi-driver-spiffe-values-files strings A comma-separated list of files providing Helm values for CSI driver for SPIFFE. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--csi-driver-spiffe-version string Use this flag to specify CSI driver for SPIFFE version manually. Only use this flag with --csi-driver-spiffe.
--custom-chart-repository string Custom OCI registry or Helm repository from which charts should be pulled. Used by default for every component which doesn't have a manual override. If unspecified, per-component defaults apply. Only use this flag if you have set --region to custom. The URL must include a scheme.
--custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository.
--custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository.
--custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository.
--custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository.
--custom-image-registry string Custom OCI registry from which images are pulled in-cluster. Used by default for every component which doesn't have a manual override. If unspecified, the per-component defaults apply. Only use this flag if you have set --region to custom.
--default-approver If true, this flag enables the default approver in cert-manager. This prevents the installation of Approver Policy, and is not recommended in most cases.
--firefly Install the default version of Firefly. The version can be set manually with the --firefly-version flag.
--accept-firefly-tos Whether you accept the Firefly terms of service. For more information, see the End User License Agreement.
--firefly-custom-chart-repository string Custom OCI registry or Helm repository for Firefly Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--firefly-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Firefly charts.
--firefly-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Firefly charts.
--firefly-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Firefly charts.
--firefly-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Firefly charts.
--firefly-custom-image-repository string Custom OCI registry for pulling Firefly Issuer images.
--firefly-values-files strings A comma-separated list of files providing Helm values for Firefly. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--firefly-version string Use this flag to specify the Firefly version manually. Only use this flag with --firefly.
-h, --help Help for venctl components kubernetes apply.
--ignore-dependencies If set, no component is installed that is not explicitly requested. This can lead to failed or broken installs if dependencies are not already present in the target cluster.
--image-pull-secret-names strings A comma-separated list of image pull secret names which must be used by all components. The default value is [venafi-image-pull-secret].
--install-open-source Whether to install open source versions of cert-manager, trust-manager and other cert-manager sub-projects.
--istio-csr string Whether to install Istio CSR. Implied by --istio-csr-version, --istio-csr-values-files, --istio-csr-custom-chart-repository, --istio-csr-custom-image-registry.
--istio-csr-custom-chart-repository string A custom OCI registry or Helm repository for Istio CSR charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--istio-csr-custom-chart-repository-ca string The path of a PEM-formatted CA bundle used to validate the Helm repository for Istio CSR charts.
--istio-csr-custom-chart-repository-config string The path to a dockerconfig JSON file to use with a custom OCI Helm repository for Istio CSR charts.
--istio-csr-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Istio CSR charts.
--istio-csr-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Istio CSR charts.
--istio-csr-custom-image-registry string A custom OCI registry for pulling Istio CSR images.
--istio-csr-values-files strings A comma-separated list of files providing Helm values for Istio CSR. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--istio-csr-version string The manually-specified Istio CSR version.
--kubeconfig string The path to the kubeconfig file to use for CLI requests.
--kube-context string The name of the kubeconfig context to use.
--openshift-routes string Whether to install OpenShift Routes. Implied by --openshift-routes-version, --openshift-routes-values-files, --openshift-routes-custom-chart-repository, --openshift-routes-custom-image-registry.
--openshift-routes-custom-chart-repository string A custom OCI registry or Helm repository for OpenShift Routes charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--openshift-routes-custom-chart-repository-ca string The path of a PEM-formatted CA bundle used to validate the Helm repository for OpenShift Routes charts.
--openshift-routes-custom-chart-repository-config string The path to a dockerconfig JSON file to use with a custom OCI Helm repository for OpenShift Routes charts.
--openshift-routes-custom-chart-repository-password string The password to use when using a custom non-OCI Helm repository for OpenShift Routes charts.
--openshift-routes-custom-chart-repository-username string The username to use when using a custom non-OCI Helm repository for OpenShift Routes charts.
--openshift-routes-custom-image-registry string A custom OCI registry for pulling OpenShift Routes images.
--openshift-routes-values-files strings A comma-separated list of files providing Helm values for OpenShift Routes. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--openshift-routes-version string The manually-specified OpenShift Routes version.
--venafi-kubernetes-agent Install the default version of Venafi Kubernetes Agent. The Venafi Kubernetes Agent version can be set manually with the --venafi-kubernetes-agent-version flag.
--venafi-kubernetes-agent-custom-chart-repository string Custom OCI registry or Helm repository for trust-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --venafi-kubernetes-agent.
--venafi-kubernetes-agent-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Venafi Kubernetes Agent charts.
--venafi-kubernetes-agent-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Venafi Kubernetes Agent charts.
--venafi-kubernetes-agent-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Venafi Kubernetes Agent charts.
--venafi-kubernetes-agent-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Venafi Kubernetes Agent charts.
--venafi-kubernetes-agent-custom-image-registry string Custom OCI registry for pulling trust-manager images. Only use this flag with --venafi-kubernetes-agent.
--venafi-kubernetes-agent-values-files strings A comma-separated list of files providing Helm values for Venafi Kubernetes Agent. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--venafi-kubernetes-agent-version string Use this flag to specify the Venafi Kubernetes Agent version manually. Only use this flag with --venafi-kubernetes-agent.
--namespace string The namespace into which all components must be installed. The default is venafi.
--no-prompts Allow command to run without user interaction.
--log-level string CLI log level (debug, info, warn, error). The default is info.
--log-format string CLI output format (one of: json, text, none). The default is text.
--region string The region from which images are pulled. Either us or eu (or custom, although this will be removed in a future release). The default is us. Not to be confused with the '--vcp-region' global flag.
--trust-manager Install the default version of trust-manager. The trust-manager version can be set manually with the --trust-manager-version flag.
--trust-manager-custom-chart-repository string Custom OCI registry or Helm repository for trust-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --trust-manager.
--trust-manager-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Trust Manager charts.
--trust-manager-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Trust Manager charts.
--trust-manager-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Trust Manager charts.
--trust-manager-spiffe-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Trust Manager charts.
--trust-manager-custom-image-registry string Custom OCI registry for pulling trust-manager images. Only use this flag with --trust-manager.
--trust-manager-values-files strings A comma-separated list of files providing Helm values for trust-manager. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--trust-manager-version string Use this flag to specify the trust-manager version manually. Only use this flag with --trust-manager.
--use-fips-images If set, use FIPS-compliant images for all components which have them.
--venafi-connection Install the default version of Venafi Connection.
--venafi-connection-custom-chart-repository string Custom OCI registry or Helm repository for Venafi Connection charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--venafi-connection-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Venafi Connection charts.
--venafi-connection-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Venafi Connection charts.
--venafi-connection-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Venafi Connection charts.
--venafi-connection-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Venafi Connection charts.
--venafi-connection-values-files strings A comma-separated list of files providing Helm values for Venafi Connection. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--venafi-connection-version string Use this flag to specify the Venafi Connection version manually. Only use this flag with --venafi-connection.
--venafi-enhanced-issuer Install the default version of Venafi Enhanced Issuer. The version can be set manually with the --venafi-enhanced-issuer-version flag.
--venafi-enhanced-issuer-custom-chart-repository string Custom OCI registry for pulling Venafi Enhanced Issuer images.
--venafi-enhanced-issuer-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Venafi Enhanced Issuer charts.
--venafi-enhanced-issuer-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Venafi Enhanced Issuer charts.
--venafi-enhanced-issuer-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Venafi Enhanced Issuer charts.
--venafi-enhanced-issuer-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Venafi Enhanced Issuer charts.
--venafi-enhanced-issuer-custom-image-registry string Custom OCI registry or Helm repository for Venafi Enhanced Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--venafi-enhanced-issuer-values-files strings A comma-separated list of files providing Helm values for Venafi Enhanced Issuer. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--venafi-enhanced-issuer-version string Use this flag to specify the Venafi Enhanced Issuer version manually. Only use this flag with --venafi-enhanced-issuer.
--vcp-region string The Venafi Control Plane region. The default is US.
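
The flag descriptions above state several constraints: the two Approver Policy variants exclude each other, chart repository URLs must include a scheme, and the global custom registry flags require --region custom. The following pre-flight check is an added example, not part of the Venafi documentation or CLI; the function name venctl_preflight, the registry.example.com values and the treatment of every flag in a family as selecting that variant are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for `venctl components kubernetes apply` arguments.
# It enforces only constraints stated in the flag descriptions and never runs venctl.

_vp_fail() {
    echo "preflight: $*" >&2
    _vp_violations=$((_vp_violations + 1))
}

# venctl_preflight ARGS...  -> returns the number of violations found (0 = OK).
venctl_preflight() {
    _vp_violations=0
    _vp_ap=0; _vp_ape=0; _vp_default_approver=0; _vp_global_custom=0
    _vp_region=us            # documented default for --region
    _vp_pending=""           # flag still waiting for a space-separated value

    for _vp_arg in "$@"; do
        # Accept both "--flag=value" and "--flag value".
        case "$_vp_arg" in
            --*=*) _vp_flag=${_vp_arg%%=*}; _vp_value=${_vp_arg#*=}; _vp_pending="" ;;
            --*)   _vp_flag=$_vp_arg; _vp_value=""; _vp_pending=$_vp_arg ;;
            *)     _vp_flag=$_vp_pending; _vp_value=$_vp_arg; _vp_pending="" ;;
        esac
        # An explicit "--flag=false" switches a boolean off; nothing to check.
        if [ "$_vp_value" = "false" ]; then continue; fi

        case "$_vp_flag" in
            # Assumption: any flag of a family selects that variant.
            --approver-policy-enterprise*) _vp_ape=1 ;;
            --approver-policy*)            _vp_ap=1 ;;
            --default-approver)            _vp_default_approver=1 ;;
            --custom-chart-repository|--custom-image-registry) _vp_global_custom=1 ;;
            --region) if [ -n "$_vp_value" ]; then _vp_region=$_vp_value; fi ;;
        esac

        # "The URL must include a scheme" applies to every chart repository flag,
        # global or per component (the -ca/-config/-username/-password flags do not match).
        case "$_vp_flag" in
            *-custom-chart-repository)
                if [ -n "$_vp_value" ] && ! printf '%s\n' "$_vp_value" |
                        grep -Eq '^[A-Za-z][A-Za-z0-9+.-]*://.'; then
                    _vp_fail "$_vp_flag: '$_vp_value' has no URL scheme"
                fi ;;
        esac
    done

    if [ "$_vp_ap" -eq 1 ] && [ "$_vp_ape" -eq 1 ]; then
        _vp_fail "--approver-policy and --approver-policy-enterprise flags are mutually exclusive"
    fi
    if [ "$_vp_default_approver" -eq 1 ] && [ "$_vp_ap" -eq 1 ]; then
        _vp_fail "--default-approver prevents the installation of Approver Policy"
    fi
    if [ "$_vp_global_custom" -eq 1 ] && [ "$_vp_region" != custom ]; then
        _vp_fail "--custom-chart-repository/--custom-image-registry need --region custom"
    fi
    return "$_vp_violations"
}

# Constructed sample invocation (registry.example.com is a placeholder).
venctl_preflight --cert-manager --custom-chart-repository registry.example.com/charts \
    || echo "preflight: $? violation(s); not running venctl"
```

Run the check in CI before the real command so that a malformed registry URL or a conflicting approver choice fails the pipeline instead of reaching the cluster.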

venctl components kubernetes delete

Delete all Venafi components that were previously applied to a Kubernetes cluster using the venctl components kubernetes apply command.

Usage:

venctl components kubernetes delete [flags]

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help Help for venctl components kubernetes delete.
--kubeconfig string The path to the kubeconfig file to use for CLI requests.
--kube-context string The name of the kubeconfig context to use.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
--no-prompts Allow command to run without user interaction.
--vcp-region string The Venafi Control Plane region. The default is US.

Kubernetes Manifest tool commands

Use these commands to generate manifests and to install and manage Venafi Kubernetes components.

venctl components kubernetes manifest generate

Generates a Venafi Kubernetes manifest for components.

The Venafi CLI tool can use the generated file as an installation manifest to install components into a Kubernetes cluster. You can store the file in source control along with other infrastructure-as-code resources.

All supported components have flags to mark them for installation as well as for configuring other aspects of how the tool should be installed:

  • Custom helm chart repository
  • Custom image registry for inside the cluster
  • Custom version
  • Lists of values.yaml files which provide Helm values. For more information on the supported values for each component, see its related Helm values reference page.

Dependencies of explicitly requested components are automatically included in the manifest.

Usage:

venctl components kubernetes manifest generate [flags]

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
--approver-policy Install the default version of Approver Policy. The Approver Policy version can be set manually with the --approver-policy-version flag. Do not use this flag if you have used --approver-policy-enterprise.
--approver-policy-custom-chart-repository string Custom OCI registry or Helm repository for Approver Policy charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Do not use this flag if you have used --approver-policy-enterprise.
--approver-policy-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Approver Policy charts.
--approver-policy-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Approver Policy charts.
--approver-policy-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Approver Policy charts.
--approver-policy-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Approver Policy charts.
--approver-policy-custom-image-registry string Custom OCI registry for pulling Approver Policy images. Do not use this flag if you have used --approver-policy-enterprise.
--approver-policy-values-files strings A comma-separated list of files providing Helm values for Approver Policy. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--approver-policy-version string Use this flag to specify the Approver Policy version manually. Only use this flag with --approver-policy.
--approver-policy-enterprise Install the default version of Approver Policy Enterprise. The Approver Policy Enterprise version can be set manually with the --approver-policy-enterprise-version flag. Do not use this flag if you have used --approver-policy.
--approver-policy-enterprise-custom-chart-repository string Custom OCI registry or Helm repository for Approver Policy Enterprise charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Do not use this flag if you have used --approver-policy.
--approver-policy-enterprise-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Approver Policy Enterprise charts.
--approver-policy-enterprise-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Approver Policy Enterprise charts.
--approver-policy-enterprise-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Approver Policy Enterprise charts.
--approver-policy-enterprise-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Approver Policy Enterprise charts.
--approver-policy-enterprise-custom-image-registry string Custom OCI registry for pulling Approver Policy Enterprise images. Do not use this flag if you have used --approver-policy.
--approver-policy-enterprise-values-files strings A comma-separated list of files providing Helm values for Approver Policy Enterprise. These files are relative to the directory from which the Venafi CLI tool is run when syncing a manifest to a cluster.
--approver-policy-enterprise-version string Use this flag to specify the Approver Policy Enterprise version manually. Implies approver-policy-enterprise. Do not use this flag if you have used --approver-policy.
--aws-privateca-issuer Install the default version of AWS Private CA Issuer. The version can be set manually with the --aws-privateca-issuer-version flag.
--aws-privateca-issuer-custom-chart-repository strings Custom OCI registry or Helm repository for AWS Private CA Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--aws-privateca-issuer-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for AWS Private CA Issuer charts.
--aws-privateca-issuer-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for AWS Private CA Issuer charts.
--aws-privateca-issuer-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for AWS Private CA Issuer charts.
--aws-privateca-issuer-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for AWS Private CA Issuer charts.
--aws-privateca-issuer-custom-image-repository string Custom OCI registry for pulling AWS Private CA Issuer images.
--aws-privateca-issuer-values-files strings A comma-separated list of files providing Helm values for AWS Private CA Issuer. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--aws-privateca-issuer-version string Use this flag to specify the AWS Private CA Issuer version manually. Only use this flag with --aws-privateca-issuer.
--cert-manager Install the default version of cert-manager. The cert-manager version can also be set manually with --cert-manager-version. The default is true.
--cert-manager-custom-chart-repository string Custom OCI registry or Helm repository for cert-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--cert-manager-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for cert-manager charts.
--cert-manager-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for cert-manager charts.
--cert-manager-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for cert-manager charts.
--cert-manager-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for cert-manager charts.
--cert-manager-custom-image-registry string Custom OCI registry for pulling cert-manager images.
--cert-manager-values-files strings A comma-separated list of files from which Helm values for cert-manager should be read. These files are relative to the directory from which the Venafi CLI is run.
--cert-manager-version string Use this flag to specify the cert-manager version manually. Only use this flag with --cert-manager.
--csi-driver Install the default version of CSI driver. The CSI driver version can be set manually with the --csi-driver-version flag.
--csi-driver-custom-chart-repository string Custom OCI registry or Helm repository for CSI driver charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --csi-driver.
--csi-driver-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for CSI Driver charts.
--csi-driver-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for CSI driver charts.
--csi-driver-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for CSI driver charts.
--csi-driver-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for CSI driver charts.
--csi-driver-custom-image-registry string Custom OCI registry for pulling CSI driver images. Only use this flag with --csi-driver.
--csi-driver-values-files strings A comma-separated list of files providing Helm values for CSI driver. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--csi-driver-version string Use this flag to specify the CSI driver version manually. Only use this flag with --csi-driver.
--csi-driver-spiffe Install the default version of CSI driver for SPIFFE. The CSI driver for SPIFFE version can be set manually with the --csi-driver-spiffe-version flag.
--csi-driver-spiffe-custom-chart-repository string Custom OCI registry or Helm repository for CSI driver for SPIFFE charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --csi-driver-spiffe.
--csi-driver-spiffe-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for CSI Driver for SPIFFE charts.
--csi-driver-spiffe-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for CSI driver for SPIFFE charts.
--csi-driver-spiffe-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for CSI driver for SPIFFE charts.
--csi-driver-spiffe-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for CSI driver for SPIFFE charts.
--csi-driver-spiffe-custom-image-registry string Custom OCI registry for pulling CSI driver for SPIFFE images. Only use this flag with --csi-driver-spiffe.
--csi-driver-spiffe-values-files strings A comma-separated list of files providing Helm values for CSI driver for SPIFFE. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--csi-driver-spiffe-version string Use this flag to specify the CSI driver for SPIFFE version manually. Only use this flag with --csi-driver-spiffe.
--custom-chart-repository string Custom OCI registry or Helm repository from which charts should be pulled. Used by default for every component which doesn't have a manual override. If unspecified, per-component defaults apply. Only use this flag if you have set --region to custom. The URL must include a scheme.
--custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository.
--custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository.
--custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository.
--custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository.
--custom-image-registry string Custom OCI registry from which images are pulled in-cluster. Used by default for every component which doesn't have a manual override. If unspecified, the per-component defaults apply. Only use this flag if you have set --region to custom.
--default-approver If true, this flag enables the default approver in cert-manager. This prevents the installation of Approver Policy, and is not recommended in most cases.
--firefly Install the default version of Firefly. The version can be set manually with the --firefly-version flag.
--accept-firefly-tos Whether you accept the Firefly terms of service. For more information, see the End User License Agreement.
--firefly-custom-chart-repository string Custom OCI registry or Helm repository for Firefly Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--firefly-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Firefly charts.
--firefly-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Firefly charts.
--firefly-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Firefly charts.
--firefly-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Firefly charts.
--firefly-custom-image-repository string Custom OCI registry for pulling Firefly Issuer images.
--firefly-values-files strings A comma-separated list of files providing Helm values for Firefly. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--firefly-version string Use this flag to specify the Firefly version manually. Only use this flag with --firefly.
--global-affinities-file string The path to a YAML file containing an array of Kubernetes corev1.Affinity objects.
--global-tolerations-file string The path to a YAML file containing an array of Kubernetes corev1.Toleration objects.
--global-topology-spread-constraints-file string The path to a YAML file containing an array of Kubernetes corev1 TopologySpreadConstraint resources.
--ha-values-dir string The path to a directory to which suggested high-availability values.yaml files should be written for each supported component. These files will be automatically included in the generated manifest.
-h, --help Help for venctl components kubernetes manifest generate.
--ignore-dependencies If set, no component is installed that is not explicitly requested. This can lead to failed or broken installs if dependencies are not already present in the target cluster.
--image-pull-secret-names strings A comma-separated list of image pull secret names which must be used by all components. The default value is [venafi-image-pull-secret].
--install-open-source Whether to install open source versions of cert-manager, trust-manager and other cert-manager sub-projects.
--istio-csr string Whether to install Istio CSR. Implied by --istio-csr-version, --istio-csr-values-files, --istio-csr-custom-chart-repository, --istio-csr-custom-image-registry.
--istio-csr-custom-chart-repository string A custom OCI registry or Helm repository for Istio CSR charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--istio-csr-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Istio CSR charts.
--istio-csr-custom-chart-repository-config string The path to a dockerconfig JSON file to use with a custom OCI Helm repository for Istio CSR charts.
--istio-csr-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Istio CSR charts.
--istio-csr-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Istio CSR charts.
--istio-csr-custom-image-registry string A custom OCI registry for pulling Istio CSR images.
--istio-csr-values-files strings A comma-separated list of files providing Helm values for Istio CSR. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--istio-csr-version string The manually-specified Istio CSR version.
--openshift-routes string Whether to install OpenShift Routes. Implied by --openshift-routes-version, --openshift-routes-values-files, --openshift-routes-custom-chart-repository, --openshift-routes-custom-image-registry.
--openshift-routes-custom-chart-repository string A custom OCI registry or Helm repository for OpenShift Routes charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--openshift-routes-custom-chart-repository-ca string The path of a PEM-formatted CA bundle used to validate the Helm repository for OpenShift Routes charts.
--openshift-routes-custom-chart-repository-config string The path to a dockerconfig JSON file to use with a custom OCI Helm repository for OpenShift Routes charts.
--openshift-routes-custom-chart-repository-password string The password to use when using a custom non-OCI Helm repository for OpenShift Routes charts.
--openshift-routes-custom-chart-repository-username string The username to use when using a custom non-OCI Helm repository for OpenShift Routes charts.
--openshift-routes-custom-image-registry string A custom OCI registry for pulling OpenShift Routes images.
--openshift-routes-values-files strings A comma-separated list of files providing Helm values for OpenShift Routes. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--openshift-routes-version string The manually-specified OpenShift Routes version.
--venafi-kubernetes-agent Install the default version of Venafi Kubernetes Agent. The Venafi Kubernetes Agent version can be set manually with the --venafi-kubernetes-agent-version flag.
--venafi-kubernetes-agent-custom-chart-repository string Custom OCI registry or Helm repository for Venafi Kubernetes Agent charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --venafi-kubernetes-agent.
--venafi-kubernetes-agent-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Venafi Kubernetes Agent charts.
--venafi-kubernetes-agent-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Venafi Kubernetes Agent charts.
--venafi-kubernetes-agent-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Venafi Kubernetes Agent charts.
--venafi-kubernetes-agent-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Venafi Kubernetes Agent charts.
--venafi-kubernetes-agent-custom-image-registry string Custom OCI registry for pulling Venafi Kubernetes Agent images. Only use this flag with --venafi-kubernetes-agent.
--venafi-kubernetes-agent-values-files strings A comma-separated list of files providing Helm values for Venafi Kubernetes Agent. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--venafi-kubernetes-agent-version string Use this flag to specify the Venafi Kubernetes Agent version manually. Only use this flag with --venafi-kubernetes-agent.
--log-level string CLI log level (debug, info, warn, error). The default is info.
--log-format string CLI output format (one of: json, text, none). The default is text.
--namespace string The namespace into which all components must be installed. The default is venafi.
--no-prompts Allow command to run without user interaction.
--region string The region from which images are pulled. Either us or eu (or custom, although this will be removed in a future release). The default is us. Not to be confused with the '--vcp-region' global flag.
--trust-manager Install the default version of trust-manager. The trust-manager version can be set manually with the --trust-manager-version flag.
--trust-manager-custom-chart-repository string Custom OCI registry or Helm repository for trust-manager charts. Overrides open source and Venafi enterprise images. The URL must include a scheme. Only use this flag with --trust-manager.
--trust-manager-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Trust Manager charts.
--trust-manager-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Trust Manager charts.
--trust-manager-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Trust Manager charts.
--trust-manager-spiffe-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Trust Manager charts.
--trust-manager-custom-image-registry string Custom OCI registry for pulling trust-manager images. Only use this flag with --trust-manager.
--trust-manager-values-files strings A comma-separated list of files providing Helm values for trust-manager. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--trust-manager-version string Use this flag to specify the trust-manager version manually. Only use this flag with --trust-manager.
--use-fips-images If set, use FIPS-compliant images for all components which have them.
--venafi-connection Install the default version of Venafi Connection.
--venafi-connection-custom-chart-repository string Custom OCI registry or Helm repository for Venafi Connection charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--venafi-connection-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Venafi Connection charts.
--venafi-connection-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Venafi Connection charts.
--venafi-connection-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Venafi Connection charts.
--venafi-connection-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Venafi Connection charts.
--venafi-connection-values-files strings A comma-separated list of files providing Helm values for Venafi Connection. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--venafi-connection-version string Use this flag to specify the Venafi Connection version manually. Only use this flag with --venafi-connection.
--venafi-enhanced-issuer Install the default version of Venafi Enhanced Issuer. The version can be set manually with the --venafi-enhanced-issuer-version flag.
--venafi-enhanced-issuer-custom-chart-repository string Custom OCI registry or Helm repository for Venafi Enhanced Issuer charts. Overrides open source and Venafi enterprise images. The URL must include a scheme.
--venafi-enhanced-issuer-custom-chart-repository-ca string The path to a PEM-formatted CA bundle used to validate the Helm repository for Venafi Enhanced Issuer charts.
--venafi-enhanced-issuer-custom-chart-repository-config string The credential configuration to employ when using a custom OCI Helm repository for Venafi Enhanced Issuer charts.
--venafi-enhanced-issuer-custom-chart-repository-password string The password to employ when using a custom non-OCI Helm repository for Venafi Enhanced Issuer charts.
--venafi-enhanced-issuer-custom-chart-repository-username string The username to employ when using a custom non-OCI Helm repository for Venafi Enhanced Issuer charts.
--venafi-enhanced-issuer-custom-image-registry string Custom OCI registry for pulling Venafi Enhanced Issuer images.
--venafi-enhanced-issuer-values-files strings A comma-separated list of files providing Helm values for Venafi Enhanced Issuer. These files are relative to the directory from which the Venafi CLI is run when syncing a manifest to a cluster.
--venafi-enhanced-issuer-version string Use this flag to specify the Venafi Enhanced Issuer version manually. Only use this flag with --venafi-enhanced-issuer.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl components kubernetes manifest print-versions

Output a list of all supported components along with their default versions.

Usage:

venctl components kubernetes manifest print-versions [flags]

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help string Help for venctl components kubernetes manifest print-versions.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
--no-prompts Allow command to run without user interaction.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl components kubernetes manifest tool destroy

Destroys and then purges releases.

Usage:

venctl components kubernetes manifest tool destroy [flags]

Flags:

Flag Type Description
--allow-no-matching-release string Do not exit with an error code if the provided selector has no matching releases.
--api-key string API key you want to use to connect to Venafi Control Plane.
--args string Pass arguments to helm exec.
--cascade string Cascade to helm exec. The default value is background.
-c, --chart string Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}".
--color Output with color.
--concurrency integer The maximum number of concurrent helm processes to run. 0 is unlimited.
--debug Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect.
--deleteTimeout integer The time in seconds to wait for helm uninstall. The default is 300.
--deleteWait Override the helmDefaults.wait setting helm uninstall --wait.
--disable-force-update Do not force helm repos to update when executing helm repo add.
--enable-live-output string Show live output from the Helm binary's Stdout/Stderr in Helmfile's own Stdout/Stderr. This applies only to Helm CLI commands. Stdout/Stderr for hooks is still displayed only when their execution finishes.
-e, --environment string Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default.
-f, --file helmfile.yaml Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (meaning "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl"), in that order of preference. Specify - to load the configuration from the standard input.
-b, --helm-binary string The path to the helm binary. The default is helm.
-h, --help Help for venctl components kubernetes manifest tool destroy.
-i, --interactive string Request confirmation before attempting to modify clusters.
--kubeconfig string The path to the kubeconfig file to use for CLI requests.
--kube-context string Set kubectl context. Uses the current context by default.
-k, --kustomize-binary string Path to the kustomize binary. The default is kustomize.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --namespace string Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}".
--no-color Output without color.
--no-prompts Allow command to run without user interaction.
-q, --quiet string Silence output. Equivalent to log-level warn.
-l, --selector stringArray Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease".
--skip-deps Skip running helm repo update and helm dependency build.
--skip-charts Don't prepare charts when destroying releases.
--state-values-file stringArray Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template).
--state-values-set stringArray Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--state-values-set-string stringArray Set state STRING values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--strip-args-values-on-exit-error Strip the potential secret values of the helm command arguments contained in a helmfile error message. The default is true.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl components kubernetes manifest tool diff

Diff releases defined in the state file.

Usage:

venctl components kubernetes manifest tool diff [flags]

Flags:

Flag Type Description
--allow-no-matching-release string Do not exit with an error code if the provided selector has no matching releases.
--api-key string API key you want to use to connect to Venafi Control Plane.
--args string Pass arguments to helm exec.
-c, --chart string Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}".
--color Output with color.
--concurrency integer The maximum number of concurrent helm processes to run. 0 is unlimited.
--context integer Output NUM lines of context around changes.
--debug Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect.
--detailed-exitcode Return a detailed exit code.
--diff-args string Pass arguments to helm helm-diff.
--disable-force-update Do not force helm repos to update when executing helm repo add.
--enable-live-output string Show live output from the Helm binary's Stdout/Stderr in Helmfile's own Stdout/Stderr. This applies only to Helm CLI commands. Stdout/Stderr for hooks is still displayed only when their execution finishes.
-e, --environment string Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default.
-f, --file helmfile.yaml Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (meaning "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl"), in that order of preference. Specify - to load the configuration from the standard input.
-b, --helm-binary string The path to the helm binary. The default is helm.
-h, --help Help for venctl components kubernetes manifest tool diff.
--include-needs Automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided.
--include-tests Enable the diffing of the helm test hooks.
--include-transitive-needs Like --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions.
-i, --interactive string Request confirmation before attempting to modify clusters.
--kubeconfig string The path to the kubeconfig file to use for CLI requests.
--kube-context string Set kubectl context. Uses the current context by default.
-k, --kustomize-binary string Path to the kustomize binary. The default is kustomize.
--log-format string Output format for the diff plugin.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --namespace string Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}".
--no-color Output without color.
--no-hooks Do not diff changes made by hooks.
--no-prompts Allow command to run without user interaction.
--post-renderer string Pass --post-renderer to helm template or helm upgrade --install.
--post-renderer-args stringArray Pass --post-renderer-args to helm template or helm upgrade --install.
-q, --quiet string Silence output. Equivalent to log-level warn.
--reset-values Override helmDefaults.reuseValues helm diff upgrade --install --reset-values.
--reuse-values Override helmDefaults.reuseValues helm diff upgrade --install --reuse-values.
-l, --selector stringArray Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease".
--set stringArray Additional values to be merged into the helm command --set flag.
--show-secrets Do not redact secret values in the output. Should be used for debug purposes only.
--skip-charts Don't prepare charts when destroying releases.
--skip-deps Skip running helm repo update and helm dependency build.
--skip-diff-on-install Skips running helm-diff on releases being newly installed on this apply. Useful when the release manifests are too huge to be reviewed, or it's too time-consuming to diff at all.
--skip-needs Do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided (default is true).
--state-values-file stringArray Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template).
--state-values-set stringArray Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--state-values-set-string stringArray Set state STRING values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--strip-args-values-on-exit-error Strip the potential secret values of the helm command arguments contained in a helmfile error message. The default is true.
--strip-trailing-cr Strip trailing carriage return on input.
--suppress stringArray Suppress specified Kubernetes objects in the output. Can be provided multiple times. For example: --suppress KeycloakClient --suppress VaultSecret.
--suppress-output-line-regex stringArray A list of regex patterns to suppress output lines from the diff output.
--suppress-secrets string Suppress secrets in the output. Highly recommended to specify on CI/CD use-cases.
--validate string Validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, like the list of available API versions.
--values stringArray Additional value files to be merged into the helm command --values flag.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl components kubernetes manifest tool init

Initialize the Venafi Kubernetes Manifest tool. Performs version checking, and downloads and installs Helm and other required plug-ins.

Usage:

venctl components kubernetes manifest tool init [flags]

Flags:

Flag Type Description
--allow-no-matching-release string Do not exit with an error code if the provided selector has no matching releases.
--api-key string API key you want to use to connect to Venafi Control Plane.
-c, --chart string Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}".
--color Output with color.
--debug Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect.
--disable-force-update Do not force helm repos to update when executing helm repo add.
--enable-live-output string Show live output from the Helm binary's Stdout/Stderr in Helmfile's own Stdout/Stderr. This applies only to Helm CLI commands. Stdout/Stderr for hooks is still displayed only when their execution finishes.
-e, --environment string Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default.
-f, --file helmfile.yaml Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (meaning "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl"), in that order of preference. Specify - to load the configuration from the standard input.
--force Do not prompt, install dependencies required by helmfile.
-b, --helm-binary string The path to the helm binary. The default is helm.
-h, --help Help for venctl components kubernetes manifest tool init.
-i, --interactive string Request confirmation before attempting to modify clusters.
--kubeconfig string The path to the kubeconfig file to use for CLI requests.
--kube-context string Set kubectl context. Uses the current context by default.
-k, --kustomize-binary string Path to the kustomize binary. The default is kustomize.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --namespace string Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}".
--no-color Output without color.
--no-prompts Allow command to run without user interaction.
-q, --quiet string Silence output. Equivalent to log-level warn.
-l, --selector stringArray Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease".
--skip-deps Skip running helm repo update and helm dependency build.
--state-values-file stringArray Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template).
--state-values-set stringArray Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--state-values-set-string stringArray Set state STRING values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--strip-args-values-on-exit-error Strip the potential secret values of the helm command arguments contained in a helmfile error message. The default is true.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl components kubernetes manifest tool sync

Synchronize releases defined in the state file.

Usage:

venctl components kubernetes manifest tool sync [flags]

Flags:

Flag Type Description
--allow-no-matching-release string Do not exit with an error code if the provided selector has no matching releases.
--api-key string API key you want to use to connect to Venafi Control Plane.
--args string Pass arguments to helm exec.
--cascade string Cascade to helm exec. The default value is background.
-c, --chart string Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}".
--color Output with color.
--concurrency integer The maximum number of concurrent helm processes to run. 0 is unlimited.
--debug Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect.
--disable-force-update Do not force helm repos to update when executing helm repo add.
--enable-live-output string Show live output from the Helm binary's Stdout/Stderr in Helmfile's own Stdout/Stderr. It only applies to the Helm CLI commands. Stdout/Stderr for Hooks are still displayed only when their execution finishes.
-e, --environment string Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default.
-f, --file helmfile.yaml Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (meaning "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl"), in that order of preference. Specify - to load the configuration from the standard input.
-b, --helm-binary string The path to the helm binary. The default is helm.
-h, --help Help for venctl components kubernetes manifest tool sync.
-i, --interactive string Request confirmation before attempting to modify clusters.
--include-needs Automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided.
--include-transitive-needs Similar to --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions.
--kubeconfig string The path to the kubeconfig file to use for CLI requests.
--kube-context string Set kubectl context. Uses the current context by default.
-k, --kustomize-binary string Path to the kustomize binary. The default is kustomize.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --namespace string Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}".
--no-color Output without color.
--no-prompts Allow command to run without user interaction.
--post-renderer string Pass --post-renderer to helm template or helm upgrade --install.
--post-renderer-args stringArray Pass --post-renderer-args to helm template or helm upgrade --install.
-q, --quiet string Silence output. Equivalent to log-level warn.
--reset-values Override helmDefaults.reuseValues (helm upgrade --install --reset-values).
--reuse-values Override helmDefaults.reuseValues (helm upgrade --install --reuse-values).
-l, --selector stringArray Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease"
--set stringArray Additional values to be merged into the helm command --set flag.
--skip-crds If set, no CRDs are installed on sync. By default, CRDs are installed if not already present.
--skip-deps Skip running helm repo update and helm dependency build.
--skip-needs Do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided. The default is true.
--state-values-file stringArray Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template).
--state-values-set stringArray Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--state-values-set-string stringArray Set state STRING values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--strip-args-values-on-exit-error Strip the potential secret values of the helm command arguments contained in a helmfile error message. The default is true.
--sync-args string Pass arguments to helm upgrade.
--validate Validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, similar to the sync of available API versions.
--values stringArray Additional value files to be merged into the helm command --values flag.
--vcp-region string The Venafi Control Plane region. The default is US.
--wait Override the helmDefaults.wait setting (helm upgrade --install --wait).
--wait-for-jobs Override the helmDefaults.waitForJobs setting (helm upgrade --install --wait-for-jobs).
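
The --selector rules from the flag tables above (terms inside one group are AND-ed, separate groups are OR-ed, the release name counts as a label), modelled as an added example; this is not venctl or helmfile code. The Release class, the sample releases and the treatment of a missing label under != are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Release:
    name: str
    labels: dict = field(default_factory=dict)

    def effective_labels(self):
        # Per the flag description, the release name is usable as a label.
        return {**self.labels, "name": self.name}


def parse_group(group):
    """Parse one --selector value, e.g. 'tier=frontend,role!=proxy'."""
    terms = []
    for raw in group.split(","):
        raw = raw.strip()
        if "!=" in raw:
            key, value = raw.split("!=", 1)
            negated = True
        elif "=" in raw:
            key, value = raw.split("=", 1)
            negated = False
        else:
            raise ValueError(f"malformed selector term: {raw!r}")
        if not key or not value:
            raise ValueError(f"malformed selector term: {raw!r}")
        terms.append((key, value, negated))
    return terms


def matches_group(release, terms):
    """A release must satisfy every term in the group."""
    labels = release.effective_labels()
    for key, value, negated in terms:
        if negated:
            # Assumption: a release without the label satisfies key!=value.
            if labels.get(key) == value:
                return False
        elif labels.get(key) != value:
            return False
    return True


def select(releases, selectors, allow_no_matching_release=False):
    """Return names matched by at least one group (groups are OR-ed)."""
    if not selectors:
        return [r.name for r in releases]
    groups = [parse_group(s) for s in selectors]
    chosen = [r.name for r in releases
              if any(matches_group(r, g) for g in groups)]
    if not chosen and not allow_no_matching_release:
        # Models the default: no match is an error unless the
        # --allow-no-matching-release flag is given.
        raise LookupError("selector matched no releases")
    return chosen


# Constructed sample releases; names and labels are illustrative only.
RELEASES = [
    Release("web", {"tier": "frontend"}),
    Release("edge-proxy", {"tier": "frontend", "role": "proxy"}),
    Release("api", {"tier": "backend"}),
    Release("cert-manager"),  # no labels at all
]

if __name__ == "__main__":
    print(select(RELEASES, ["tier=frontend,role!=proxy", "tier=backend"]))
    print(select(RELEASES, ["name=cert-manager"]))
    # A negative-only group also selects unlabeled releases.
    print(select(RELEASES, ["tier!=frontend"]))
```

Under these assumptions a group made only of != terms also picks up releases that carry no labels, so check the selected set before running sync with such a selector.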

venctl components kubernetes manifest tool template

Template releases defined in the state file.

Usage:

venctl components kubernetes manifest tool template [flags]

Flags:

Flag Type Description
--allow-no-matching-release string Do not exit with an error code if the provided selector has no matching releases.
--api-key string API key you want to use to connect to Venafi Control Plane.
--args string Pass arguments to helm exec.
-c, --chart string Set chart. Uses the chart set in release by default, and is available in template as "{{ .Chart }}".
--color Output with color.
--concurrency integer The maximum number of concurrent helm processes to run. 0 is unlimited.
--debug Enable verbose output for Helm and set log-level to debug. This disables --quiet/-q effect.
--disable-force-update Do not force helm repos to update when executing helm repo add.
--enable-live-output string Show live output from the Helm binary's Stdout/Stderr in Helmfile's own Stdout/Stderr. It only applies to the Helm CLI commands. Stdout/Stderr for Hooks are still displayed only when their execution finishes.
-e, --environment string Specify the environment name. Overrides HELMFILE_ENVIRONMENT OS environment variable when specified. The default is default.
-f, --file helmfile.yaml Load configuration from a file or directory. The default is helmfile.yaml, helmfile.yaml.gotmpl, or helmfile.d (meaning "helmfile.d/*.yaml" or "helmfile.d/*.yaml.gotmpl"), in that order of preference. Specify - to load the configuration from the standard input.
-b, --helm-binary string The path to the helm binary. The default is helm.
-h, --help Help for venctl components kubernetes manifest tool template.
--include-crds string Include CRDs in the templated output.
--include-needs string Automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided.
--include-transitive-needs Like --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions.
-i, --interactive string Request confirmation before attempting to modify clusters.
--kubeconfig string The path to the kubeconfig file to use for CLI requests.
--kube-context string Set kubectl context. Uses the current context by default.
--kube-version string Pass --kube-version to helm template. Overrides kubeVersion in helmfile.yaml.
-k, --kustomize-binary string Path to the kustomize binary. The default is kustomize.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --namespace string Set namespace. Uses the namespace set in the context by default, and is available in templates as "{{ .Namespace }}".
--no-color Output without color.
--no-prompts Allow command to run without user interaction.
--output-dir string The output directory to pass to helm template (helm template --output-dir).
--output-dir-template string The Go text template for generating the output directory. Default: {{ .OutputDir }}/{{ .State.BaseName }}-{{ .State.AbsPathSHA1 }}-{{ .Release.Name}}.
--post-renderer string Pass --post-renderer to helm template or helm upgrade --install.
--post-renderer-args stringArray Pass --post-renderer-args to helm template or helm upgrade --install.
-q, --quiet string Silence output. Equivalent to log-level warn.
-l, --selector stringArray Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar. A release must match all labels in a group in order to be used. Multiple groups can be specified at once. "--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases. The name of a release can be used as a label: "--selector name=myrelease"
--set stringArray Additional values to be merged into the helm command --set flag.
--show-only stringArray Pass --show-only to "helm template".
--skip-cleanup Stop cleaning up temporary values generated by helmfile and helm-secrets. Useful for debugging. For security reasons, do not use in production.
--skip-deps Skip running helm repo update and helm dependency build.
--skip-needs Do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided. The default is true.
--skip-tests Skip tests from templated output.
--state-values-file stringArray Specify state values in a YAML file. Used to override .Values within the helmfile template (not the values template).
--state-values-set stringArray Set state values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--state-values-set-string stringArray Set state STRING values on the command line (you can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not the values template).
--strip-args-values-on-exit-error Strip the potential secret values of the helm command arguments contained in a helmfile error message. The default is true.
--validate Validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, similar to the sync of available API versions.
--values stringArray Additional value files to be merged into the helm command --values flag.
--vcp-region string The Venafi Control Plane region. The default is US.

Service Account commands

Use these commands to create and manage service accounts in Venafi Control Plane.

venctl iam service-accounts agent create

Create a new service account that can be used by Venafi Kubernetes Agent.

Usage:

venctl iam service-accounts agent create [flags]

Example:

venctl iam service-accounts agent create --output secret --name sa-agent --api-key xyz

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help string Help for venctl iam service-accounts agent create.
--auth.client-id string The ID of the service account used to authenticate against the Venafi Control Plane.
--output-file string The file where you want to store the service account credentials.
--output string Options for formatting the service account credentials output. Valid options are: json, secret, text. The default is json.
--auth.key string The authenticating service account JSON or private key code used to authenticate against the Venafi Control Plane.
--auth.key-file string The path to the authenticating service account credential file in JSON format or private key (.pem) file used to authenticate against the Venafi Control Plane. This flag must be used in conjunction with the --auth.client-id flag.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --name string The name of the service account.
--no-prompts Allow command to run without user interaction.
--owning-team string The team to set as the owner of the service account. The team can be passed by name or ID.
--validity integer The validity, in days, for the service account that is generated. The default value is 365 days.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl iam service-accounts custom-integration create

Create a new service account for custom integrations with the Venafi Control Plane.

Usage:

venctl iam service-accounts custom-integration create [flags]

Example:

To create a new service account with the ability to create other service accounts, type:

venctl iam service-accounts custom-integration create \
    --name sa-custom-integration \
    --scopes svcaccount-write \
    --output-file svcaccount-write-credential.json \
    --api-key xyz

Flags:

Flag Type Description
--api-key string The API key you want to use to connect to Venafi Control Plane.
--output-file string The file where you want to store the service account credentials.
--output string Options for formatting the service account credentials output. Valid options are: json, secret, text. The default is json.
-h, --help string Help for venctl iam service-accounts custom-integration create.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --name string The name or ID of the service account.
--no-prompts Allow command to run without user interaction.
--owning-team string The team to set as the owner of the service account. The team can be passed by name or ID.
--scopes strings The scopes for which the service account will be created.
--validity integer The validity, in days, for the service account that is generated. The default value is 365 days.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl iam service-accounts delete

Delete a service account from the Venafi Control Plane.

Usage:

venctl iam service-accounts delete [flags]

Example:

venctl iam service-accounts delete --name "My Service Account" --api-key xyz

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help string Help for venctl service-accounts delete.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --name string The name or ID of the service account.
--no-prompts Allow command to run without user interaction.
--owning-team string The team to set as the owner of the service account. The team can be passed by name or ID.
--validity integer The validity, in days, for the service account that is generated. The default value is 365 days.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl iam service-accounts describe

Provides information on a service account.

Usage:

venctl iam service-accounts describe [flags]

Example:

venctl iam service-accounts describe --api-key xyz -n myaccount --log-format json --no-prompts >> accinfo.json

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help string Help for venctl iam service-accounts describe.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --name string The name or ID of the service account.
--no-prompts Allow command to run without user interaction.
--owning-team string The team to set as the owner of the service account. The team can be passed by name or ID.
--validity integer The validity, in days, for the service account that is generated. The default value is 365 days.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl iam service-accounts firefly create

Create a service account for Venafi Firefly.

Usage:

venctl iam service-accounts firefly create [flags]

Examples:

To create a new service account that can be used by Venafi Firefly, type:

venctl iam service-accounts firefly create --name sa-firefly --api-key xyz

To export the service account credential in Kubernetes secret format, type:

venctl iam service-accounts firefly create --output secret --name sa-firefly --api-key xyz

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help string Help for venctl iam service-accounts firefly create.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --name string The name or ID of the service account.
--no-prompts Allow command to run without user interaction.
--output string Options for formatting the service account credentials output. Valid options are: json, secret, text. The default is json.
--output-file string The file where you want to store the service account credentials.
--owning-team string The team to set as the owner of the service account. The team can be passed by name or ID.
--validity integer The validity, in days, for the service account that is generated. The default value is 365 days.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl iam service-accounts list

Lists the service accounts in the Venafi Control Plane.

Usage:

venctl iam service-accounts list [flags]

Example:

venctl iam service-accounts list --api-key xyz --log-format json --no-prompts >> acclist.json

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help string Help for venctl iam service-accounts list.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --name string The name or ID of the service account.
--no-prompts Allow command to run without user interaction.
-p, --page-size integer The number of service accounts displayed per page. Only valid for the table format. The default value is 20.
--owning-team string The team to set as the owner of the service account. The team can be passed by name or ID.
--validity integer The validity, in days, for the service account that is generated. The default value is 365 days.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl iam service-accounts registry create

Create a new service account in the Venafi Control Plane for accessing container images from the Venafi OCI registry.

Usage:

venctl iam service-accounts registry create [flags]

Example:

venctl iam service-accounts registry create --name "My Service Account" --output-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "cert-manager-components" --validity 365 --api-key xyz

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help string Help for venctl service-accounts registry create.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --name string The name or ID of the service account.
--no-prompts Allow command to run without user interaction.
--output string Options for formatting the registry credentials output. Valid options are: json, secret, dockerconfig. The default is json.
--output-file string The file where you want to store the service account credentials.
--owning-team string The team to set as the owner of the service account. The team can be passed by name or ID.
--scopes string The scopes for which the service account is created. Valid options are: cert-manager-components, enterprise-approver-policy, enterprise-venafi-issuer. The default value is cert-manager-components.
--validity integer The validity, in days, for the service account that is generated. The default value is 365 days.
--vcp-region string The Venafi Control Plane region. The default is US.

Cluster connection command

Use this command to connect a Kubernetes cluster to Venafi Control Plane.

venctl installation cluster connect

Connect a Kubernetes cluster to Venafi Control Plane.

Usage:

venctl installation cluster connect [flags]

Example:

venctl installation cluster connect --name "My Cluster" --api-key xyz

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
--description string A textual description for the cluster resource.
-h, --help string Help for venctl installation cluster connect.
--helm-chart-repository string The custom Helm repository from which to pull the Venafi Kubernetes Agent chart. The path to the Venafi Kubernetes Agent chart must use the following format: oci://<registry URI>/charts. For example: oci://my-registry.example.com/charts. If not specified, defaults to the Venafi registry.
--image-registry string The custom OCI registry from which to pull the Venafi Kubernetes Agent image. The path to the Venafi Kubernetes Agent image must use the following format: <registry URI>/<optional subfolder>/venafi-agent. For example: my-registry.example.com/venafi-images/venafi-agent. If not specified, defaults to the Venafi registry.
--image-pull-secret string The name of the Kubernetes image pull secret.
--kubeconfig string The path to the kubeConfig file you want to use to connect to the cluster.
--kubeconfig-context string The name of the kubeConfig file context you want to use to connect to the cluster.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
-n, --name string Name for the cluster resource. This flag is mandatory with this command.
--namespace string The namespace where the agent is installed. The default is venafi.
--no-prompts Allow command to run without user interaction.
--owning-team string The team set as owner of the cluster resource. The team can be passed by name or ID.
--vcp-region string The region of Venafi Control Plane. The default is US.

Venafi CLI tool version and maintenance commands

Use these commands to find out which version of the Venafi CLI tool you're using, and update to the latest version.

venctl update

Updates the venctl binary to the latest available stable version.

Usage:

venctl update [flags]

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help string Help for venctl update.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
--no-prompts Allow command to run without user interaction.
--vcp-region string The Venafi Control Plane region. The default is US.

venctl version

Prints the venctl version and build information.

Usage:

venctl version [flags]

Flags:

Flag Type Description
--api-key string API key you want to use to connect to Venafi Control Plane.
-h, --help string Help for venctl version.
--log-format string CLI output format (one of: json, text, none). The default is text.
--log-level string CLI log level (debug, info, warn, error). The default is info.
--no-prompts Allow command to run without user interaction.
--vcp-region string The Venafi Control Plane region. The default is US.