The cpln apply command creates or updates Control Plane resources from JSON or YAML files, enabling infrastructure-as-code workflows.
When to use this
GitOps workflows: Store resource definitions in Git and apply them in CI/CD pipelines
Reproducible deployments: Apply the same configuration across multiple environments
Bulk operations: Create or update multiple resources in a single command
Scripting & automation: Automate resource management in scripts and pipelines
The cpln apply command is idempotent - running it multiple times with the same input produces the same result.
Basic usage
cpln apply --file <file-path>
The file can be JSON or YAML containing one or more resource definitions.
Specifying the GVC
For resources that belong to a GVC (Identity, Volume Set, Workload), specify the GVC using one of these methods:
In your profile
Set a default GVC in your profile:
cpln profile update <profile-name> --gvc <gvc-name>
All subsequent commands will use this GVC.
With --gvc flag
Pass the GVC as a flag (overrides profile default):
cpln apply --file <file-path> --gvc <gvc-name>
In the resource file
Include the GVC in the resource definition:
kind: identity
name: example-identity
gvc: example-gvc
You can specify either a gvc property in the file or use the --gvc flag, but not both.
Apply Kubernetes manifests
Convert and apply Kubernetes resources directly:
cpln apply --file <k8s-file> --k8s true
This uses the convert logic to transform K8s resources before applying.
Apply from stdin
Pipe resource definitions from another command:
cat resources.yaml | cpln apply --file -
This is useful for dynamically generating resources or chaining commands.
Using the console
The console also supports applying resources:
Click the cpln apply button in the upper right corner
Upload a JSON/YAML file or paste the resource definition
Select the target org and GVC
Click Apply
Multiple resources
Apply multiple resources in a single file by separating them with ---:
kind: gvc
name: my-gvc
spec:
  staticPlacement:
    locationLinks:
      - /org/my-org/location/aws-us-west-2
---
kind: workload
name: my-app
gvc: my-gvc
spec:
  containers:
    - name: main
      image: nginx:latest
If a resource references another resource (e.g., a workload references a GVC), the referenced resource must be defined in the same file unless it already exists.
Resource ordering
When applying multiple resources, order matters:
GVCs and policies first
Secrets and identities next
Workloads and domains last
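A pre-apply check for the ordering and GVC rules above, as an added example (not Control Plane's own code). It works on resources already parsed into dictionaries; the function names and the existing_gvcs parameter are assumptions, and kinds the page does not rank are rejected rather than guessed.

```python
# Added example: tier ordering and GVC checks for resources parsed from an apply file.
TIERS = {
    "gvc": 0, "policy": 0,       # "GVCs and policies first"
    "secret": 1, "identity": 1,  # "Secrets and identities next"
    "workload": 2, "domain": 2,  # "Workloads and domains last"
}
# Kinds whose templates on this page carry a gvc property.
GVC_SCOPED = {"identity", "workload"}


def order_for_apply(resources):
    """Stable-sort resources into the three tiers; refuse kinds the page does not rank."""
    unranked = sorted({r["kind"] for r in resources if r["kind"] not in TIERS})
    if unranked:
        raise ValueError(f"no documented ordering for: {unranked}")
    return sorted(resources, key=lambda r: TIERS[r["kind"]])


def lint(resources, gvc_flag=None, existing_gvcs=()):
    """Return problems that can be found before calling cpln apply."""
    problems = []
    known = set(existing_gvcs)  # GVCs the caller asserts already exist in the org
    for r in resources:
        label = f'{r["kind"]}/{r["name"]}'
        if r["kind"] == "gvc":
            known.add(r["name"])
        if r["kind"] not in GVC_SCOPED:
            continue
        if "gvc" in r and gvc_flag:
            problems.append(f"{label}: gvc set in the file and with --gvc")
        target = r.get("gvc") or gvc_flag  # None: left to the profile default
        if target and target not in known:
            problems.append(f"{label}: gvc {target!r} is not defined earlier or known to exist")
    return problems


# Constructed sample, deliberately out of order.
SAMPLE = [
    {"kind": "workload", "name": "my-app", "gvc": "my-gvc"},
    {"kind": "secret", "name": "db-creds"},
    {"kind": "gvc", "name": "my-gvc"},
]

if __name__ == "__main__":
    print(lint(SAMPLE))                   # workload appears before its GVC
    print(lint(order_for_apply(SAMPLE)))  # clean once reordered
```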
Renaming resources
Changing a resource’s name in the file creates a new resource. The original resource remains and must be deleted manually:
cpln <resource-type> delete <old-name>
Limitations
To create an agent, use the console or CLI agent command to obtain the bootstrap config data. The cpln apply command does not output config data.
Before creating a domain, the required DNS entries must exist. See the Configure a Domain guide.
Export existing resources as templates:
Select a resource and click Actions → Export
Choose JSON Slim or YAML Slim
Download the file
cpln gvc get <gvc-name> -o yaml-slim > gvc.yaml
cpln workload get <workload-name> --gvc <gvc-name> -o yaml-slim > workload.yaml
cpln secret reveal <secret-name> -o yaml-slim > secret.yaml
The json-slim and yaml-slim formats output only the values needed for cpln apply, removing IDs, timestamps, and other metadata.
Use in GitOps
The apply command integrates with CI/CD pipelines for GitOps workflows. See the CI/CD Usage guides for details.
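Files written by cpln secret reveal contain the secret's values, so a repository of apply files needs a gate that keeps them out of Git. The following pre-commit or CI check is an added example (not Control Plane's own code); it reports secret fields that hold anything other than a template placeholder. The placeholder pattern, the ignored key and the function names are assumptions.

```python
import json
import re

# Assumption: template placeholders are upper-case words such as PASSWORD or SECRET_KEY.
PLACEHOLDER = re.compile(r"^[A-Z][A-Z0-9_]*$")
# "encoding" selects a format in the page's opaque and userpass templates; it is not a credential.
IGNORED_KEYS = {"encoding"}


def _leaves(value, path):
    """Yield (path, text) for each string leaf, descending into string-encoded JSON."""
    if isinstance(value, dict):
        for key, item in value.items():
            if key not in IGNORED_KEYS:
                yield from _leaves(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from _leaves(item, f"{path}[{index}]")
    elif isinstance(value, str):
        try:
            inner = json.loads(value)  # docker, gcp and azure-sdk data are JSON strings
        except ValueError:
            inner = None
        if isinstance(inner, (dict, list)):
            yield from _leaves(inner, path)
        else:
            yield path, value


def inline_secret_values(resources):
    """List secret fields holding non-placeholder values; values are never echoed."""
    findings = []
    for r in resources:
        if r.get("kind") != "secret":
            continue
        for path, text in _leaves(r.get("data"), "data"):
            if text and not PLACEHOLDER.match(text):
                findings.append(f'secret/{r["name"]}: {path}')
    return findings


# Constructed sample: one untouched template and one file with a filled-in password.
SAMPLE = [
    {"kind": "secret", "name": "example-username-secret", "type": "userpass",
     "data": {"encoding": "plain", "username": "USERNAME", "password": "PASSWORD"}},
    {"kind": "secret", "name": "registry", "type": "docker",
     "data": '{"auths":{"https://index.docker.io/v1/":{"username":"USERNAME","password":"constructed-value"}}}'},
]
```

The check is conservative: non-credential fields in a secret's data are reported too, which is acceptable for a gate whose job is to stop the commit.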
Example templates
Use these templates as starting points for your resource definitions.
GVC Reference Page
{
  "kind": "gvc",
  "name": "example-gvc",
  "description": "example-gvc description",
  "tags": {
    "tag1": "value1"
  },
  "spec": {
    "pullSecretLinks": ["//secret/SECRET_NAME"],
    "staticPlacement": {
      "locationLinks": [
        "//location/aws-eu-central-1",
        "//location/aws-us-west-2",
        "//location/azure-eastus2",
        "//location/gcp-us-east1"
      ]
    }
  }
}
Agent Reference Page
{
  "kind": "agent",
  "name": "example-agent",
  "description": "example-agent description"
}
Cloud Accounts Reference Page
{
  "kind": "cloudaccount",
  "name": "example-aws-cloud-account",
  "description": "example-aws-cloud-account description",
  "tags": {},
  "provider": "aws",
  "data": {
    "roleArn": "ROLE_ARN"
  }
}

{
  "kind": "cloudaccount",
  "name": "example-azure-cloud-account",
  "description": "example-azure-cloud-account description",
  "tags": {},
  "provider": "azure",
  "data": {
    "secretLink": "//secret/AZURE_SECRET"
  }
}

{
  "kind": "cloudaccount",
  "name": "example-gcp-cloud-account",
  "description": "example-gcp-cloud-account description",
  "tags": {},
  "provider": "gcp",
  "data": {
    "projectId": "PROJECT_ID"
  }
}

{
  "kind": "cloudaccount",
  "name": "example-ngs-cloud-account",
  "description": "example-ngs-cloud-account description",
  "provider": "ngs",
  "data": {
    "secretLink": "//secret/NATS_SECRET"
  }
}
Domain Reference Page
{
  "kind": "domain",
  "name": "sub.example.com",
  "description": "domain description",
  "tags": {}
}
Secrets Reference Page
{
  "kind": "secret",
  "name": "example-aws-secret",
  "description": "example-aws-secret description",
  "tags": {},
  "type": "aws",
  "data": {
    "accessKey": "AKIAIOSFODNN7EXAMPLE",
    "roleArn": "arn:awskey",
    "secretKey": "AKIAwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "externalId": "EXTERNAL_ID"
  }
}

{
  "kind": "secret",
  "name": "example-azure-connector-secret",
  "description": "example-azure-connector-secret description",
  "tags": {},
  "type": "azure-connector",
  "data": {
    "code": "CODE",
    "url": "URL"
  }
}

{
  "kind": "secret",
  "name": "example-azure-sdk-secret",
  "description": "example-azure-sdk-secret",
  "tags": {},
  "type": "azure-sdk",
  "data": "{\"subscriptionId\":\"2cd8674e-4f89-4a1f-b420-7a1361b46ef7\",\"tenantId\":\"292f5674-c8b0-488b-9ff8-6d30d77f38d9\",\"clientId\":\"649846ce-d862-49d5-a5eb-7d5aad90f54e\",\"clientSecret\":\"cpln\"}"
}

{
  "kind": "secret",
  "name": "example-dictionary-secret",
  "description": "example-dictionary-secret description",
  "tags": {},
  "type": "dictionary",
  "data": {
    "key01": "value01",
    "key02": "value02"
  }
}

{
  "kind": "secret",
  "name": "example-docker-secret",
  "description": "example-docker-secret description",
  "tags": {},
  "type": "docker",
  "data": "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"USERNAME\",\"password\":\"PASSWORD\"}}}"
}

{
  "kind": "secret",
  "name": "example-ecr-secret",
  "description": "example-ecr-secret description",
  "tags": {},
  "type": "ecr",
  "data": {
    "accessKey": "AKIA_ACCESS_KEY",
    "repos": ["015716931711.dkr.ecr.us-west-2.amazonaws.com/repo"],
    "secretKey": "SECRET_KEY",
    "externalId": "EXTERNAL_ID"
  }
}

{
  "kind": "secret",
  "name": "example-gcp-secret",
  "description": "example-gcp-secret description",
  "tags": {},
  "type": "gcp",
  "data": "{\"type\":\"gcp\",\"project_id\":\"cpln12345\",\"private_key_id\":\"pvt_key\",\"private_key\":\"key\",\"client_email\":\"[email protected]\",\"client_id\":\"12744\",\"auth_uri\":\"cloud.google.com\",\"token_uri\":\"token.cloud.google.com\",\"auth_provider_x509_cert_url\":\"cert.google.com\",\"client_x509_cert_url\":\"cert.google.com\"}"
}
The example below uses a self-signed certificate. Do not use for production.
{
  "kind": "secret",
  "name": "example-keypair-secret",
  "description": "example-keypair-secret description",
  "tags": {},
  "type": "keypair",
  "data": {
    "passphrase": "cpln",
    "publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
    "secretKey": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
  }
}

{
  "kind": "secret",
  "name": "example-opaque-secret",
  "description": "example-opaque-secret",
  "tags": {},
  "type": "opaque",
  "data": {
    "encoding": "plain",
    "payload": "sample payload"
  }
}

{
  "kind": "secret",
  "name": "example-tls-secret",
  "description": "example-tls-secret description",
  "tags": {},
  "type": "tls",
  "data": {
    "cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "chain": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
  }
}
Secret - Username/Password
{
  "kind": "secret",
  "name": "example-username-secret",
  "description": "example-username-secret description",
  "tags": {},
  "type": "userpass",
  "data": {
    "encoding": "plain",
    "password": "PASSWORD",
    "username": "USERNAME"
  }
}
Groups Reference Page
See the Group Query Rules reference page for details on how to create a query.
{
  "kind": "group",
  "name": "example-group",
  "description": "example-group description",
  "tags": {},
  "memberLinks": [
    "//serviceaccount/SERVICE_ACCOUNT_NAME",
    "//user/USER_EMAIL"
  ],
  "memberQuery": {
    "kind": "user",
    "fetch": "items",
    "spec": {
      "match": "all",
      "terms": [
        {
          "op": "=",
          "tag": "test-tag",
          "value": "test-value"
        }
      ]
    }
  }
}
Policies Reference Page
Each targetKind has its own set of permissions. Get them via:
{
  "kind": "policy",
  "name": "example-policy-explicit",
  "description": "example-policy description",
  "tags": {},
  "targetKind": "secret",
  "bindings": [
    {
      "permissions": ["edit", "manage"],
      "principalLinks": [
        "//group/GROUP_NAME",
        "//gvc/GVC_NAME/identity/IDENTITY_NAME",
        "//serviceaccount/SERVICE_ACCOUNT_NAME",
        "//user/USER_EMAIL"
      ]
    }
  ],
  "targetLinks": ["//secret/SECRET_NAME"]
}

{
  "kind": "policy",
  "name": "example-policy-all",
  "description": "example-policy-all description",
  "tags": {},
  "targetKind": "secret",
  "target": "all",
  "bindings": [
    {
      "permissions": ["edit", "manage"],
      "principalLinks": [
        "//group/GROUP_NAME",
        "//serviceaccount/SERVICE_ACCOUNT_NAME",
        "//user/USER_EMAIL"
      ]
    }
  ]
}
Identity Reference Page
{
  "kind": "identity",
  "name": "example-identity",
  "description": "example-identity description",
  "tags": {},
  "gvc": "example-gvc"
}
Workload Reference Page
{
  "kind": "workload",
  "name": "example-workload",
  "description": "example-workload description",
  "tags": {},
  "gvc": "example-gvc",
  "spec": {
    "type": "serverless",
    "containers": [
      {
        "name": "main",
        "image": "nginx:latest",
        "port": 80,
        "memory": "128Mi",
        "cpu": "50m"
      }
    ],
    "defaultOptions": {
      "autoscaling": {
        "minScale": 1,
        "maxScale": 5
      }
    }
  }
}