CLI Configuration

The Jitera CLI allows developers to interact with a Jitera Self-Hosted environment from their local machine. To enable CLI access, the administrator generates an RSA key pair, configures the private key in the Helm chart, and distributes the public key to CLI users.

Overview

CLI setup consists of two sides:

Side	Responsibility
Administrator	Generate an RSA key pair, configure the private key in `values.yaml`, distribute the public key to CLI users
CLI user	Install the CLI, configure the backend/frontend endpoints, set the public key on each operating machine

Endpoint and public key configuration on the CLI side is required only once per operating machine, on the first use.

1. Generate an RSA Key Pair

Generate a 2048-bit RSA key pair. The private key is configured in the Helm chart; the public key is distributed to CLI users.

macOS / Linux
Windows

Use the built-in openssl tool:

# Generate a 2048-bit private key
openssl genrsa -out private_key.pem 2048

# Extract the public key from the private key
openssl rsa -in private_key.pem -pubout -out public_key.pem

If Git Bash or WSL is installed, use the same commands as macOS / Linux.Alternatively, install OpenSSL for Windows and run in Command Prompt or PowerShell:

openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pem

The keys are saved in the current directory.

This produces two files:

private_key.pem — the private key (used in values.yaml)
public_key.pem — the public key (distributed to CLI users)

Store the private key securely. Anyone with access to it can authenticate against your Jitera Self-Hosted environment.

2. Configure the Private Key in values.yaml

Set the private key under ultron.secret.CLI_ZIPPER_PRIVATE_KEY in your Helm values.yaml. The key must be written as a YAML literal block scalar so that newlines are preserved exactly:

ultron:
  secret:
    CLI_ZIPPER_PRIVATE_KEY: |
      -----BEGIN RSA PRIVATE KEY-----

      MIIEowIBAAKCAQEAx9ZbDv7b...

      YPr9xvQ29fftgN92Mohy1fToJ...

      1tfqVh1aJ/nM4PUZ3+QUZxVe9...

      ...

      -----END RSA PRIVATE KEY-----

Follow this formatting exactly:

Use the YAML literal block scalar indicator | after the key name
Indent every line of the key content by 2 spaces relative to CLI_ZIPPER_PRIVATE_KEY (4 spaces from the left margin in the example above)
Include the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- markers
Insert a blank line between every line of the key body, including between the BEGIN marker and the first line, and between the last line and the END marker
Preserve the original line breaks produced by openssl (typically 64 characters per line) — do not rewrap or concatenate lines

Incorrect indentation, missing markers, missing blank lines between content lines, or rewrapped lines will cause the RSA key parser in Ultron to fail and the CLI to reject authentication.

Why the blank lines are required: The Helm chart renders CLI_ZIPPER_PRIVATE_KEY into the Kubernetes Secret without a YAML block scalar indicator (| or >). As a result, the value is parsed as an implicit multi-line plain scalar — YAML folds single newlines between non-empty lines into a single space, which would collapse the PEM into one line and break the key. Only blank lines between content lines are preserved as actual newlines in the rendered Secret. The | in values.yaml itself is not enough — the blank lines must be present inside the block.

Apply the change by upgrading the Helm release. See Deployment Upgrade for details.

3. Install the CLI

CLI users install the Jitera CLI on their local machine.

4. Configure Endpoints

On each CLI machine, configure the backend API and frontend URLs for your self-hosted environment. Both endpoints are served from the same ingress domain (ingress.domainName in values.yaml):

# Backend API endpoint — Kong routes /automation/private to the Automation (Rails) service
jitera set PRIVATE_API_ENDPOINT=https://app.yourdomain.com/automation/private

# Frontend URL — the Jitera Studio root
jitera set STUDIO_URL=https://app.yourdomain.com

Replace app.yourdomain.com with the actual ingress.domainName configured in your Helm values. The /automation/private path suffix on PRIVATE_API_ENDPOINT is required — the CLI appends /graphql and other paths to this base URL, and Kong routes the /automation/private prefix to the Automation Rails service.

5. Configure the Public Key

On each CLI machine, set the public key generated in Step 1. The public key must match the private key configured in values.yaml.

macOS / Linux
Windows

jitera set ENCRYPTED_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----"

Load the key from a file:

jitera set ENCRYPTED_PUBLIC_KEY --file C:\Users\YourUsername\Desktop\public_key.pem

The CLI is now ready to use against your Jitera Self-Hosted environment.

Deployment Upgrade

Apply changes to values.yaml via Helm upgrade

Release Notes

Documentation Index

​Overview

​1. Generate an RSA Key Pair

​2. Configure the Private Key in values.yaml

​3. Install the CLI

​4. Configure Endpoints

​5. Configure the Public Key

​Related Documentation

Deployment Upgrade

Overview

1. Generate an RSA Key Pair

2. Configure the Private Key in values.yaml

3. Install the CLI

4. Configure Endpoints

5. Configure the Public Key

Related Documentation