ContainerImage.Pinniped/site/content/docs/reference/cli.md

108 lines
2.9 KiB
Markdown
Raw Normal View History

---
title: Command-Line Options Reference
description: Reference for the `pinniped` command-line tool
cascade:
layout: docs
menu:
docs:
name: Command-Line Options
weight: 30
parent: reference
---
## `pinniped version`
Print the version of this Pinniped CLI.
```sh
pinniped version [flags]
```
- `-h`, `--help`:
help for kubeconfig
## `pinniped get kubeconfig`
Generate a Pinniped-based kubeconfig for a cluster.
```sh
pinniped get kubeconfig [flags]
```
- `-h`, `--help`:
help for kubeconfig
- `--concierge-api-group-suffix string`:
Concierge API group suffix (default "pinniped.dev")
- `--concierge-authenticator-name string`:
Concierge authenticator name (default: autodiscover)
- `--concierge-authenticator-type string`:
Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
- `--concierge-ca-bundle path`:
Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the Concierge
- `--concierge-credential-issuer string`:
Concierge CredentialIssuer object to use for autodiscovery (default: autodiscover)
- `--concierge-endpoint string`:
API base for the Concierge endpoint
- `--concierge-mode mode`:
Concierge mode of operation (default TokenCredentialRequestAPI)
- `--concierge-skip-wait`:
Skip waiting for any pending Concierge strategies to become ready (default: false)
- `--kubeconfig string`:
Path to kubeconfig file
- `--kubeconfig-context string`:
Kubeconfig context name (default: current active context)
- `--no-concierge`:
Generate a configuration which does not use the Concierge, but sends the credential to the cluster directly
- `--oidc-ca-bundle path`:
Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
- `--oidc-client-id string`:
OpenID Connect client ID (default: autodiscover) (default "pinniped-cli")
- `--oidc-issuer string`:
OpenID Connect issuer URL (default: autodiscover)
- `--oidc-listen-port uint16`:
TCP port for localhost listener (authorization code flow only)
- `--oidc-request-audience string`:
Request a token with an alternate audience using RFC8693 token exchange
- `--oidc-scopes strings`:
OpenID Connect scopes to request during login (default [offline_access,openid,pinniped:request-audience])
- `--oidc-session-cache string`:
Path to OpenID Connect session cache file
- `--oidc-skip-browser`:
During OpenID Connect login, skip opening the browser (just print the URL)
- `-o`, `--output string`:
Output file path (default: stdout)
- `--skip-validation`:
Skip final validation of the kubeconfig (default: false)
- `--static-token string`:
Instead of doing an OIDC-based login, specify a static token
- `--static-token-env string`:
Instead of doing an OIDC-based login, read a static token from the environment
- `--timeout duration`:
Timeout for autodiscovery and validation (default 10m0s)