Skip to content

Kapitan: Keep your ship together

Kapitan refs: Manage Secret References

kapicorp/kapitan

CLI Reference | `kapitan refs`

`kapitan refs`

Creates, reveals, and manages encrypted secret references (?{backend:path}) backed by GPG, Vault, AWS/GCP KMS, Azure KeyVault and more.

Flags

The table below is generated from Kapitan's argument parser at docs-build time, so it always matches the installed version. See also the global flags accepted by every command, and the .kapitan dotfile to set any of these permanently.

Flag	Default	Choices	Description
`--inventory-backend`	`reclass`	reclass, reclass-rs, omegaconf	Select the inventory backend to use (default=reclass)
`--migrate`	`False`		Migrate your inventory to your selected inventory backend.
`--compose-target-name`	`False`		Create same subfolder structure from inventory/targets inside compiled folder
`--enable-class-wildcards`	`False`		Enable glob pattern expansion in classes: lists (default: off). Patterns such as clusters., dev- and * are expanded to all matching class names discovered under inventory/classes/. This flag is intentionally opt-in: inventories that contain literal glob metacharacters in class names (e.g. config[html]) or Reclass references that include ? would be incorrectly treated as patterns if expansion were always on.
`--write`, `-w`			write ref token
`--update`			update GPG recipients for ref token
`--update-targets`	`False`		update target secret refs
`--validate-targets`	`False`		validate target secret refs
`--base64`, `-b64`	`False`		base64 encode file content
`--binary`	`False`		file content should be handled as binary data
`--reveal`, `-r`	`False`		reveal refs
`--tag`			specify ref tag to reveal, e.g. "?{gkms:my/ref:123456}"
`--ref-file`, `-rf`			read ref file, set "-" for stdin
`--file`, `-f`			read file or directory, set "-" for stdin
`--target-name`, `-t`			grab recipients from target name
`--inventory-path`	`./inventory`		set inventory path, default is "./inventory"
`--recipients`, `-R`			set GPG recipients
`--key`, `-K`			set KMS key
`--vault-auth`			set authentication type for vault secrets
`--vault-mount`	`secret`		set mount point for vault secrets, default is 'secret'
`--vault-path`			set path for vault secrets where the secret gets stored on vault, default is the secret_path
`--vault-key`			set key for vault secrets
`--refs-path`	`./refs`		set refs path, default is "./refs"
`--verbose`, `-v`	`False`		set verbose mode (warning: this will potentially show sensitive data)