datumctl — see
Using kubectl for the full walkthrough — you get a
standard kubeconfig
whose user is a client-go exec credential plugin.
That means any client-go-based tool that reads a kubeconfig authenticates
to the Datum Cloud control plane the same way kubectl does: it runs datumctl
to fetch a fresh, short-lived credential on each request. There are no static
keys to embed and nothing to rotate by hand.
The one requirement
The machine running the tool must have the
datumctl binary on its PATH
and an active session (an interactive login, or a
service account for automation).datumctl as an exec credential
plugin, the credential handoff only happens where datumctl is installed and
signed in. A tool can read the kubeconfig from anywhere, but the actual token
exchange runs locally through datumctl. If datumctl isn’t on PATH or has
no session, the tool will fail to authenticate.
The generated kubeconfig entry is portable across tools, but it references
datumctl by name — so keep the binary available in the same environment where
the tool runs. For non-interactive environments, generate the entry with
--exec-interactive-mode Never so the exec plugin fails fast instead of
waiting on a prompt that can never be answered (see
Using kubectl).
Generate the kubeconfig first
Every tool below assumes you have already written a kubeconfig entry and selected it as your current context:--organization vs --project, --kubeconfig,
--hostname, and --exec-interactive-mode — lives on
Using kubectl. To keep Datum Cloud entries separate
from your other clusters, write to a dedicated file with --kubeconfig and
point each tool at it. See Contexts & scoping
for how organization and project scope map to control planes.
Helm
Helm uses the current kubeconfig context by default, so once your Datum Cloud context is selected, Helm authenticates throughdatumctl with no extra configuration. As with kubectl, you can point Helm at a
specific file or context:
Terraform Kubernetes provider
Configure the Terraform Kubernetes provider against your kubeconfig. The simplest form points the provider at the file and context:exec block, which mirrors what
datumctl auth update-kubeconfig already writes into the kubeconfig — the
provider invokes datumctl to obtain a credential on each apply. Either way,
datumctl must be on PATH with an active session on the machine (or CI
runner) that runs terraform. Consult the
Terraform Kubernetes provider
docs for the full schema.
k9s and other kubeconfig-driven tools
k9s and similar kubeconfig-driven tools read the same kubeconfig and honor theKUBECONFIG environment variable and current context. Point them at your Datum
Cloud context — for example by exporting KUBECONFIG — and they authenticate
through datumctl automatically:
Automation and GitOps
For CI/CD and GitOps, run the tool from a CI runner or workstation that hasdatumctl installed and is authenticated with a
service account. The
GitHub Actions setup action installs datumctl
and authenticates a service account for you; see
Automating in CI/CD for the broader pattern.
Related
- Using kubectl — how
datumctl auth update-kubeconfigwrites the kubeconfig entry and how the credential handoff works. - GitOps with Flux & Argo CD — run a git-driven deployment loop onto a Datum Cloud control plane using the same exec-credential kubeconfig.
- Service accounts — non-interactive credentials for automated environments.
- GitHub Actions — install and authenticate
datumctlon a CI runner. - Automating in CI/CD — the supported topology for running these tools from automation.
- Contexts & scoping — how organization and project scope map to control planes.