Pinniped Logo

Pinniped Documentation

Command-Line Options Reference

pinniped completion bash

Generate the autocompletion script for bash

Synopsis

Generate the autocompletion script for the bash shell.

This script depends on the ‘bash-completion’ package. If it is not installed already, you can install it via your OS’s package manager.

To load completions in your current shell session:

source <(pinniped completion bash)

To load completions for every new session, execute once:

Linux:

pinniped completion bash > /etc/bash_completion.d/pinniped

macOS:

pinniped completion bash > $(brew --prefix)/etc/bash_completion.d/pinniped

You will need to start a new shell for this setup to take effect.

pinniped completion bash

Options

  -h, --help              help for bash
      --no-descriptions   disable completion descriptions

SEE ALSO

pinniped completion fish

Generate the autocompletion script for fish

Synopsis

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

pinniped completion fish | source

To load completions for every new session, execute once:

pinniped completion fish > ~/.config/fish/completions/pinniped.fish

You will need to start a new shell for this setup to take effect.

pinniped completion fish [flags]

Options

  -h, --help              help for fish
      --no-descriptions   disable completion descriptions

SEE ALSO

pinniped completion powershell

Generate the autocompletion script for powershell

Synopsis

Generate the autocompletion script for powershell.

To load completions in your current shell session:

pinniped completion powershell | Out-String | Invoke-Expression

To load completions for every new session, add the output of the above command to your powershell profile.

pinniped completion powershell [flags]

Options

  -h, --help              help for powershell
      --no-descriptions   disable completion descriptions

SEE ALSO

pinniped completion zsh

Generate the autocompletion script for zsh

Synopsis

Generate the autocompletion script for the zsh shell.

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

echo "autoload -U compinit; compinit" >> ~/.zshrc

To load completions in your current shell session:

source <(pinniped completion zsh)

To load completions for every new session, execute once:

Linux:

pinniped completion zsh > "${fpath[1]}/_pinniped"

macOS:

pinniped completion zsh > $(brew --prefix)/share/zsh/site-functions/_pinniped

You will need to start a new shell for this setup to take effect.

pinniped completion zsh [flags]

Options

  -h, --help              help for zsh
      --no-descriptions   disable completion descriptions

SEE ALSO

pinniped get kubeconfig

Generate a Pinniped-based kubeconfig for a cluster

pinniped get kubeconfig [flags]

Options

      --concierge-api-group-suffix string        Concierge API group suffix (default "pinniped.dev")
      --concierge-authenticator-name string      Concierge authenticator name (default: autodiscover)
      --concierge-authenticator-type string      Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
      --concierge-ca-bundle path                 Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the Concierge
      --concierge-credential-issuer string       Concierge CredentialIssuer object to use for autodiscovery (default: autodiscover)
      --concierge-endpoint string                API base for the Concierge endpoint
      --concierge-mode mode                      Concierge mode of operation (default TokenCredentialRequestAPI)
      --concierge-skip-wait                      Skip waiting for any pending Concierge strategies to become ready (default: false)
      --credential-cache string                  Path to cluster-specific credentials cache
      --generated-name-suffix string             Suffix to append to generated cluster, context, user kubeconfig entries (default "-pinniped")
  -h, --help                                     help for kubeconfig
      --install-hint string                      This text is shown to the user when the pinniped CLI is not installed. (default "The pinniped CLI does not appear to be installed.  See https://get.pinniped.dev/cli for more details")
      --kubeconfig string                        Path to kubeconfig file
      --kubeconfig-context string                Kubeconfig context name (default: current active context)
      --no-concierge                             Generate a configuration which does not use the Concierge, but sends the credential to the cluster directly
      --oidc-ca-bundle path                      Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
      --oidc-client-id string                    OpenID Connect client ID (default: autodiscover) (default "pinniped-cli")
      --oidc-issuer string                       OpenID Connect issuer URL (default: autodiscover)
      --oidc-listen-port uint16                  TCP port for localhost listener (authorization code flow only)
      --oidc-request-audience string             Request a token with an alternate audience using RFC8693 token exchange
      --oidc-scopes strings                      OpenID Connect scopes to request during login (default [offline_access,openid,pinniped:request-audience,username,groups])
      --oidc-session-cache string                Path to OpenID Connect session cache file
      --oidc-skip-browser                        During OpenID Connect login, skip opening the browser (just print the URL)
  -o, --output string                            Output file path (default: stdout)
      --pinniped-cli-path string                 Full path or executable name for the Pinniped CLI binary to be embedded in the resulting kubeconfig output (e.g. 'pinniped') (default: full path of the binary used to execute this command)
      --skip-validation                          Skip final validation of the kubeconfig (default: false)
      --static-token string                      Instead of doing an OIDC-based login, specify a static token
      --static-token-env string                  Instead of doing an OIDC-based login, read a static token from the environment
      --timeout duration                         Timeout for autodiscovery and validation (default 10m0s)
      --upstream-identity-provider-flow string   The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. 'cli_password', 'browser_authcode')
      --upstream-identity-provider-name string   The name of the upstream identity provider used during login with a Supervisor
      --upstream-identity-provider-type string   The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory')

SEE ALSO

pinniped help

Help about any command

Synopsis

Help provides help for any command in the application. Simply type pinniped help [path to command] for full details.

pinniped help [command] [flags]

Options

  -h, --help   help for help

SEE ALSO

pinniped login oidc

Login using an OpenID Connect provider

Synopsis

Login using an OpenID Connect provider

Use “pinniped get kubeconfig” to generate a kubeconfig file which includes this login command in its configuration. This login command is not meant to be invoked directly by a user.

This login command is a Kubernetes client-go credential plugin which is meant to be configured inside a kubeconfig file. (See the Kubernetes authentication documentation for more information about client-go credential plugins.)

pinniped login oidc --issuer ISSUER [flags]

Options

      --ca-bundle strings                        Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
      --ca-bundle-data strings                   Base64 encoded TLS certificate authority bundle (base64 encoded PEM format, optional, can be repeated)
      --client-id string                         OpenID Connect client ID (default "pinniped-cli")
      --concierge-api-group-suffix string        Concierge API group suffix (default "pinniped.dev")
      --concierge-authenticator-name string      Concierge authenticator name
      --concierge-authenticator-type string      Concierge authenticator type (e.g., 'webhook', 'jwt')
      --concierge-ca-bundle-data string          CA bundle to use when connecting to the Concierge
      --concierge-endpoint string                API base for the Concierge endpoint
      --credential-cache string                  Path to cluster-specific credentials cache ("" disables the cache) (default "/root/.config/pinniped/credentials.yaml")
      --enable-concierge                         Use the Concierge to login
  -h, --help                                     help for oidc
      --issuer string                            OpenID Connect issuer URL
      --listen-port uint16                       TCP port for localhost listener (authorization code flow only)
      --request-audience string                  Request a token with an alternate audience using RFC8693 token exchange
      --scopes strings                           OIDC scopes to request during login (default [offline_access,openid,pinniped:request-audience,username,groups])
      --session-cache string                     Path to session cache file (default "/root/.config/pinniped/sessions.yaml")
      --skip-browser                             Skip opening the browser (just print the URL)
      --upstream-identity-provider-flow string   The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. 'browser_authcode', 'cli_password')
      --upstream-identity-provider-name string   The name of the upstream identity provider used during login with a Supervisor
      --upstream-identity-provider-type string   The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory') (default "oidc")

SEE ALSO

pinniped login static

Login using a static token

Synopsis

Login using a static token

Use “pinniped get kubeconfig” to generate a kubeconfig file which includes this login command in its configuration. This login command is not meant to be invoked directly by a user.

This login command is a Kubernetes client-go credential plugin which is meant to be configured inside a kubeconfig file. (See the Kubernetes authentication documentation for more information about client-go credential plugins.)

pinniped login static [--token TOKEN] [--token-env TOKEN_NAME] [flags]

Options

      --concierge-api-group-suffix string     Concierge API group suffix (default "pinniped.dev")
      --concierge-authenticator-name string   Concierge authenticator name
      --concierge-authenticator-type string   Concierge authenticator type (e.g., 'webhook', 'jwt')
      --concierge-ca-bundle-data string       CA bundle to use when connecting to the Concierge
      --concierge-endpoint string             API base for the Concierge endpoint
      --credential-cache string               Path to cluster-specific credentials cache ("" disables the cache) (default "/root/.config/pinniped/credentials.yaml")
      --enable-concierge                      Use the Concierge to login
  -h, --help                                  help for static
      --token string                          Static token to present during login
      --token-env string                      Environment variable containing a static token

SEE ALSO

pinniped version

Print the version of this Pinniped CLI

pinniped version [flags]

Options

  -h, --help            help for version
  -o, --output string   one of 'yaml' or 'json'

SEE ALSO

pinniped whoami

Print information about the current user

pinniped whoami [flags]

Options

      --api-group-suffix string     Concierge API group suffix (default "pinniped.dev")
  -h, --help                        help for whoami
      --kubeconfig string           Path to kubeconfig file
      --kubeconfig-context string   Kubeconfig context name (default: current active context)
  -o, --output string               Output format (e.g., 'yaml', 'json', 'text') (default "text")
      --timeout duration            Timeout for the WhoAmI API request (default: 0, meaning no timeout)

SEE ALSO