How to run the CLI against a locally running KubeRocketCI Portal.
- A KubeRocketCI portal backend on port 3001
- The portal's
.envconfigured with a validOIDC_ISSUER_URL(e.g. a Keycloak realm) - Go 1.26+
cd krci-portal
cp .env.example .env # fill in OIDC_ISSUER_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET
pnpm devThe backend listens on http://localhost:3001. The Vite dev server
(port 5173) only proxies /api, but the CLI talks to /rest/v1/ endpoints —
point it directly at port 3001.
make build # → dist/krci
make test # race detector + coverage
make lint # golangci-lint v2
make lint-fix # auto-fix formatting
make ci # lint → test → buildThe local portal runs over HTTP, so the CLI can't auto-discover the OIDC issuer or cluster metadata. Supply everything upfront via environment variables:
KRCI_ISSUER_URL=https://idp.example.com/realms/my-realm \
KRCI_CLUSTER_NAME=my-cluster \
KRCI_NAMESPACE=my-namespace \
./dist/krci auth login --portal-url http://localhost:3001A browser window opens for authentication. On success:
Logged in as user@example.com (User Name)
All values are persisted to ~/.config/krci/config.yaml, so subsequent
commands need no flags or env vars:
./dist/krci project list
./dist/krci deployment list
./dist/krci pipelinerun list --project keycloak-operator --reason- Portal-only — the CLI talks exclusively to the portal tRPC API (Bearer
idToken). No direct Kubernetes access. - Factory gate —
internal/cmdutil/FactoryvalidatesPortalURL,ClusterName, andNamespacebefore creatingPortalClient; commands never see invalid state. - Config precedence — flags > env vars >
config.yaml> defaults (Viper-based,internal/config/). - Public OIDC issuer — the issuer URL comes from the portal's
unauthenticated
config.getendpoint (public metadata per OIDC Discovery).
Each command lives in pkg/cmd/<group>/<verb>/ and exports
NewCmd<Verb>(f, runF). Follow the existing commands as examples.