datumctl auth update-kubeconfig produces a standard
kubeconfig
whose credential comes from datumctl itself, these tools can reconcile
git-defined resources onto a Datum Cloud control plane without you managing any
static keys.
The supported topology
The key detail is how authentication works.datumctl auth update-kubeconfig
writes a kubeconfig whose user is a
client-go exec credential plugin:
on each request the tooling invokes the datumctl binary to fetch a fresh,
short-lived token. Any tool that reads a kubeconfig and uses client-go
authentication can therefore talk to the Datum Cloud control plane — as long
as the environment running that tool has the datumctl binary available and an
active session. See Using kubectl for the full
mechanics; this page does not repeat them.
That constraint defines the supported shape for GitOps:
- Run your GitOps tooling (Flux, Argo CD, and their CLIs) from a CI runner or
machine that has
datumctlinstalled and is authenticated. - In CI, authenticate with a service account so there is no interactive login step and no long-lived keys checked into your repo.
- Point the tooling at the control plane through the exec-credential kubeconfig
that
datumctlgenerates, then let it reconcile the resources defined in your git repository.
The shape of the flow
- Set up
datumctlon the runner or machine and authenticate. In CI, this is a service account; see Automating in CI/CD. - Generate a kubeconfig for the target control plane with
datumctl auth update-kubeconfig— see Using kubectl. Use--exec-interactive-mode Neverso the exec plugin fails fast instead of waiting on a prompt no one can answer. - Run the GitOps step. Flux, Argo CD, and their CLIs read that kubeconfig and authenticate to the Datum Cloud control plane through the exec plugin, reconciling the resources your git repository declares.
--project or --organization
flag on update-kubeconfig; see Contexts & scoping
for how scope resolution works.
A concrete CI example
Thedatum-cloud/setup-datumctl-action installs datumctl and authenticates a
service account on a GitHub Actions runner. From there you generate a kubeconfig
and hand off to your GitOps tool. See GitHub Actions
for the full action reference.
The exact
flux / argocd CLI commands depend on how you have structured
your repository and your reconciliation model. Consult the
Flux and Argo CD
documentation for those specifics. What matters here is the connection
pattern: both read a kubeconfig, and the kubeconfig datumctl writes carries
the credential automatically. Nothing above pins static keys.A simpler loop: datumctl in CI
You do not need a GitOps controller to get a git-driven deployment flow. If your resources live in git, a CI job can treat the repository as the source of truth and reconcile on every change usingdatumctl directly:
- Preview what would change with
datumctl diff -f <path>. - Apply the desired state with
datumctl apply -f <path>.
datumctl — no exec-credential kubeconfig and
no second tool to install — and it runs on the same CI runner with the same
service-account session. See Safe changes & declarative config
for the diff-then-apply workflow and Automating in CI/CD
for wiring it into a pipeline.
Related
- Using kubectl — how the exec-credential kubeconfig is generated and how the credential handoff works.
- Kubernetes tools — point Helm, the Terraform Kubernetes provider, k9s, and other kubeconfig-driven tools at Datum Cloud.
- Service accounts — non-interactive identities for CI and automation.
- GitHub Actions — the
setup-datumctl-actionreference. - Automating in CI/CD — general patterns for running
datumctlin pipelines. - Safe changes & declarative config — the
diff-then-applyworkflow for the datumctl-native loop.