ContainerImage.Pinniped/site/content/docs/reference/cli.md

---
title: Command-Line Options Reference
description: Reference for the `pinniped` command-line tool
cascade:
  layout: docs
menu:
  docs:
    name: Command-Line Options
    weight: 30
    parent: reference
---

## `pinniped version`

Print the version of this Pinniped CLI.

```sh
pinniped version [flags]
```

- `-h`, `--help`:

   help for kubeconfig

## `pinniped get kubeconfig`

Generate a Pinniped-based kubeconfig for a cluster.

```sh
pinniped get kubeconfig [flags]
```

- `-h`, `--help`:

  help for kubeconfig
- `--concierge-api-group-suffix string`:

  Concierge API group suffix (default "pinniped.dev")
- `--concierge-authenticator-name string`:

  Concierge authenticator name (default: autodiscover)
- `--concierge-authenticator-type string`:

  Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
- `--concierge-ca-bundle path`:

  Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the Concierge
- `--concierge-credential-issuer string`:

  Concierge CredentialIssuer object to use for autodiscovery (default: autodiscover)
- `--concierge-endpoint string`:

  API base for the Concierge endpoint
- `--concierge-mode mode`:

  Concierge mode of operation (default TokenCredentialRequestAPI)
- `--concierge-skip-wait`:

  Skip waiting for any pending Concierge strategies to become ready (default: false)
- `--kubeconfig string`:

  Path to kubeconfig file
- `--kubeconfig-context string`:

  Kubeconfig context name (default: current active context)
- `--no-concierge`:

  Generate a configuration which does not use the Concierge, but sends the credential to the cluster directly
- `--oidc-ca-bundle path`:

  Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
- `--oidc-client-id string`:

  OpenID Connect client ID (default: autodiscover) (default "pinniped-cli")
- `--oidc-issuer string`:

  OpenID Connect issuer URL (default: autodiscover)
- `--oidc-listen-port uint16`:

  TCP port for localhost listener (authorization code flow only)
- `--oidc-request-audience string`:

  Request a token with an alternate audience using RFC8693 token exchange
- `--oidc-scopes strings`:

  OpenID Connect scopes to request during login (default [offline_access,openid,pinniped:request-audience])
- `--oidc-session-cache string`:

  Path to OpenID Connect session cache file
- `--oidc-skip-browser`:

  During OpenID Connect login, skip opening the browser (just print the URL)
- `-o`, `--output string`:

  Output file path (default: stdout)
- `--skip-validation`:

  Skip final validation of the kubeconfig (default: false)
- `--static-token string`:

  Instead of doing an OIDC-based login, specify a static token
- `--static-token-env string`:

  Instead of doing an OIDC-based login, read a static token from the environment
- `--timeout duration`:

  Timeout for autodiscovery and validation (default 10m0s)
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00			`---`
			`title: Command-Line Options Reference`
			description: Reference for the `pinniped` command-line tool
			`cascade:`
			`layout: docs`
			`menu:`
			`docs:`
			`name: Command-Line Options`
			`weight: 30`
			`parent: reference`
			`---`

			## `pinniped version`

			`Print the version of this Pinniped CLI.`

			```sh
			`pinniped version [flags]`
			```

			- `-h`, `--help`:

			`help for kubeconfig`

			## `pinniped get kubeconfig`

			`Generate a Pinniped-based kubeconfig for a cluster.`

			```sh
			`pinniped get kubeconfig [flags]`
			```

			- `-h`, `--help`:

Regenerate cli.md based on output of help message 2021-03-19 21:34:35 +00:00			`help for kubeconfig`
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00			- `--concierge-api-group-suffix string`:

			`Concierge API group suffix (default "pinniped.dev")`
			- `--concierge-authenticator-name string`:

			`Concierge authenticator name (default: autodiscover)`
			- `--concierge-authenticator-type string`:

			`Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)`
Regenerate cli.md based on output of help message 2021-03-19 21:34:35 +00:00			- `--concierge-ca-bundle path`:

			`Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the Concierge`
			- `--concierge-credential-issuer string`:

			`Concierge CredentialIssuer object to use for autodiscovery (default: autodiscover)`
			- `--concierge-endpoint string`:

			`API base for the Concierge endpoint`
			- `--concierge-mode mode`:
Tweaked some wording, updated the cli page 2021-03-16 21:09:53 +00:00
Regenerate cli.md based on output of help message 2021-03-19 21:34:35 +00:00			`Concierge mode of operation (default TokenCredentialRequestAPI)`
			- `--concierge-skip-wait`:

			`Skip waiting for any pending Concierge strategies to become ready (default: false)`
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00			- `--kubeconfig string`:

			`Path to kubeconfig file`
			- `--kubeconfig-context string`:

			`Kubeconfig context name (default: current active context)`
			- `--no-concierge`:

Regenerate cli.md based on output of help message 2021-03-19 21:34:35 +00:00			`Generate a configuration which does not use the Concierge, but sends the credential to the cluster directly`
			- `--oidc-ca-bundle path`:
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00
			`Path to TLS certificate authority bundle (PEM format, optional, can be repeated)`
			- `--oidc-client-id string`:

			`OpenID Connect client ID (default: autodiscover) (default "pinniped-cli")`
			- `--oidc-issuer string`:

			`OpenID Connect issuer URL (default: autodiscover)`
			- `--oidc-listen-port uint16`:

			`TCP port for localhost listener (authorization code flow only)`
			- `--oidc-request-audience string`:

			`Request a token with an alternate audience using RFC8693 token exchange`
			- `--oidc-scopes strings`:

			`OpenID Connect scopes to request during login (default [offline_access,openid,pinniped:request-audience])`
			- `--oidc-session-cache string`:

			`Path to OpenID Connect session cache file`
			- `--oidc-skip-browser`:

			`During OpenID Connect login, skip opening the browser (just print the URL)`
Regenerate cli.md based on output of help message 2021-03-19 21:34:35 +00:00			- `-o`, `--output string`:

			`Output file path (default: stdout)`
			- `--skip-validation`:

			`Skip final validation of the kubeconfig (default: false)`
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00			- `--static-token string`:

			`Instead of doing an OIDC-based login, specify a static token`
			- `--static-token-env string`:

			`Instead of doing an OIDC-based login, read a static token from the environment`
Regenerate cli.md based on output of help message 2021-03-19 21:34:35 +00:00			- `--timeout duration`:

			`Timeout for autodiscovery and validation (default 10m0s)`