CLI
This section covers the spec of every subcommand provided by the tazuna binary, one command per page.
The pages are designed to be read as a contract. For command choice and operational usage, see Guides; for what each command is solving in the first place, see Concepts.
Subcommand List
tazuna init— generate an includes-basedtazuna.yamlskeletontazuna apply— applytazuna.yamlto the cluster (writes state back)tazuna build— emit the rendering result without touching the clustertazuna check— validatetazuna.yamltazuna destroy— delete Tazuna-managed resources from the clustertazuna plan— diff the Build result against the live cluster field by fieldtazuna status— show the readiness of managed resources recorded in Statetazuna state list— list the resources recorded in Statetazuna state diff— show the difference between the Build result and Statetazuna state drift— detect drift between State and the live clustertazuna secret-to-genesissecret— write existing Secrets to 1Password and GenesisSecrettazuna tags— list the tags written intazuna.yamltazuna version— output version information
Global Flags
Persistent flags inherited by every subcommand.
| Flag | Alias | Type | Default | Description |
|---|---|---|---|---|
--file-path | -f | string | tazuna.yaml | Path to tazuna.yaml. |
--log-level | -l | string | info | Log level. One of debug / info / warn / error. |
--otlp-endpoint | - | string | "" | The OpenTelemetry OTLP/gRPC endpoint (e.g. localhost:4317). When empty, a no-op tracer is used and it runs with zero external dependencies. |
--otlp-insecure | - | bool | true | Use plaintext gRPC for the OTLP exporter (no TLS). |
--version | - | - | - | A flag set only on the root command. Prints version info and exits. Equivalent to tazuna version. |
Common Behavior
kubeconfig
Subcommands that access the cluster load kubeconfig at startup and operate against the cluster pointed to by current-context. Tazuna does not provide its own KUBECONFIG environment variable or --kubeconfig equivalent flag; it follows the same resolution rules as kubectl.
Evaluating context_matches
When spec.context_matches is set in tazuna.yaml, the current-context name is matched against it immediately before touching the cluster.
- Commands where evaluation runs:
apply/destroy - Commands where evaluation does not run:
build/check/plan/status/state list/state diff/state drift/tags/version/secret-to-genesissecret
The evaluation mode follows spec.context_match_mode (or / and, default or). See tazuna.yaml schema - context_matches for details.
Validating tazuna.yaml
apply / build / destroy / check / tags all load and validate tazuna.yaml at the very start of execution. On validation failure, no cluster access happens. For the list of check items, see tazuna.yaml schema - Validation summary.
In addition, on every command that loads tazuna.yaml (including plan / status / state list / state diff / state drift on top of the above), spec.minimumSupportedTazunaVersion is compared against the running tazuna’s version at load time. If the running version is below it, the command exits with an error immediately. See tazuna.yaml schema - minimumSupportedTazunaVersion for details.
Exit Codes
| Exit Codes | Meaning |
|---|---|
0 | Success |
| Non-zero | Failure. An error in the form error: ... is printed to stderr. |
Non-zero exit can be treated as failure as-is by CI. There is currently no distinction in exit code per command.
Environment Variables
In addition to CLI flags, here is the list of environment variables Tazuna consults.
| Environment Variables | Value | Affected commands | Effect |
|---|---|---|---|
TAZUNA_DESTROY_EXECUTABLE | true | destroy | Unless this is set to true, destroy does not actually delete anything. Even if you say Yes at the prompt, nothing happens without this environment variable. |
KUBECONFIG | Path | All cluster-touching commands | Follows the same kubeconfig resolution rules as ordinary kubectl. |
The old
TAZUNA_STATE_SYNC_DELETEenvironment variable has been removed along withtazuna state sync. To delete resources in theremovedcategory, usetazuna apply --sync --prune.