Manage the declarative configuration.
$ roxctl declarative-config [command] [flags]
Command | Description |
---|---|
|
Create declarative configurations. |
|
Lint an existing declarative configuration YAML file. |
The roxctl declarative-config command supports the following options inherited from the parent roxctl command:
Option | Description |
---|---|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
Set |
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
Enable insecure connection options. Alternatively, by setting the |
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
Disable the color output. Alternatively, by setting the |
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
Use an unencrypted connection. Alternatively, by setting the |
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the |
Lint an existing declarative configuration YAML file.
$ roxctl declarative-config lint [flags]
Option | Description |
---|---|
|
Read the declarative configuration from the |
|
File containing the declarative configuration in YAML format. |
|
Read the declarative configuration from the |
|
Read the declarative configuration from the specified |
Create declarative configurations.
$ roxctl declarative-config create [flags]
Option | Description |
---|---|
|
Write the declarative configuration YAML in the configuration map. If not specified and the |
|
Required if you want to write the declarative configuration YAML to a configuration map or secret. If not specified, the default namespace in the current Kubernetes configuration is used. |
|
Write the declarative configuration YAML in the secret. You must use secrets for sensitive data. If not specified and the |
Create a declarative configuration for a role.
$ roxctl declarative-config create role [flags]
Option | Description |
---|---|
|
By providing the name, you can specify the referenced access scope. |
|
Set a description for the role. |
|
Specify the name of the role. |
|
By providing the name, you can specify the referenced permission set. |
Create a declarative configuration for a notifier.
$ roxctl declarative-config create notifier [flags]
Option | Description |
---|---|
|
Specify the name of the notifier. |
Create a declarative configuration for an access scope.
$ roxctl declarative-config create access-scope [flags]
Option | Description |
---|---|
|
Specify the criteria for creating a label selector based on the cluster’s labels. The key-value pairs represent requirements, and you can use this flag multiple times to create a combination of requirements. The default value is |
|
Set a description for the access scope. |
|
Specify a list of clusters and their namespaces that you want to include in the access scope. The default value is |
|
Specify the name of the access scope. |
|
Specify the criteria for creating a label selector based on the namespace’s labels. Similar to the cluster-label-selector, you can use this flag multiple times for the combination of requirements. For more details, run the |
Create a declarative configuration for an authentication provider.
$ roxctl declarative-config create auth-provider [flags]
Option | Description |
---|---|
|
Specify additional user interface (UI) endpoints from which the authentication provider is used. The expected format is |
|
Set the keys of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the |
|
Set the role of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the |
|
Set the values of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the |
|
Set the minimum access role of the authentication provider. You can leave this field empty if you do not want to configure the minimum access role by using the declarative configuration. |
|
Specify the name of the authentication provider. |
|
Set a list of attributes that the authentication provider must return during authentication. The default value is |
|
Set the UI endpoint from which the authentication provider is used. This is usually the public endpoint where RHACS is available. The expected format is |
Create a declarative configuration for a permission set.
$ roxctl declarative-config create permission-set [flags]
Option | Description |
---|---|
|
Set the description of the permission set. |
|
Specify the name of the permission set. |
|
Set a list of resources with their respective access levels. The default value is |
Create a declarative configuration for a Splunk notifier.
$ roxctl declarative-config create notifier splunk [flags]
Option | Description |
---|---|
|
Enable audit logging. The default value is |
|
Specify Splunk source types as comma-separated |
|
Specify the Splunk HTTP endpoint. This is a mandatory option. |
|
Use an insecure connection to Splunk. The default value is |
|
Specify the Splunk HTTP token. This is a mandatory option. |
|
Specify the Splunk truncate limit. The default value is |
Create a declarative configuration for a generic notifier.
$ roxctl declarative-config create notifier generic [flags]
Option | Description |
---|---|
|
Enable audit logging. The default value is |
|
Specify additional fields as comma-separated |
|
Specify headers as comma-separated |
|
Specify the file name of the endpoint CA certificate in PEM format. |
|
Specify the URL of the webhook endpoint. |
|
Specify the password for basic authentication of the webhook endpoint. No authentication occurs if not specified. Requires |
|
Skip webhook TLS verification. The default value is |
|
Specify the username for basic authentication of the webhook endpoint. No authentication occurs if not specified. Requires |
Create a declarative configuration for an authentication provider with the identity-aware proxy (IAP) identifier.
$ roxctl declarative-config create auth-provider iap [flags]
Option | Description |
---|---|
|
Specify the target group that you want to validate. |
Create a declarative configuration for an OpenID Connect (OIDC) authentication provider.
$ roxctl declarative-config create auth-provider oidc [flags]
Option | Description |
---|---|
|
Specify a list of non-standard claims from the identity provider (IdP) token that you want to include in the authentication provider’s rules. The default value is |
|
Specify the client ID of the OIDC client. |
|
Specify the client secret of the OIDC client. |
|
Disable the request for the offline_access from the OIDC IdP. You need to use this option if the OIDC IdP limits the number of sessions with the |
|
Specify the issuer of the OIDC client. |
|
Specify the callback mode that you want to use. Valid values include |
Create a declarative configuration for a SAML authentication provider.
$ roxctl declarative-config create auth-provider saml [flags]
Option | Description |
---|---|
|
Specify the file containing the SAML identity provider (IdP) certificate in PEM format. |
|
Specify the issuer of the IdP. |
|
Specify the metadata URL of the service provider. |
|
Specify the format of the name ID. |
|
Specify the issuer of the service provider. |
|
Specify the URL of the IdP for single sign-on (SSO). |
Create a declarative configuration for a user PKI authentication provider.
$ roxctl declarative-config create auth-provider userpki [flags]
Option | Description |
---|---|
|
Specify the file containing the certification authorities in PEM format. |