# Manifest reference

> Reference for manifest.yaml, including the schema, initialization and validation commands, and an annotated example.

`manifest.yaml` is the single input that drives every vpctl operation. vpctl enforces the schema at load time by using an embedded CUE schema.

**Commit it to version control.** The manifest acts as a controlled input for release upgrades: bumping `releaseVersion` and any other field, then rerunning `vpctl release generate`, produces a reviewable diff your team can approve before deployment. Argo CD or your CD picks it up from there.

**The manifest contains no secrets.** Secrets are generated separately by `vpctl secret generate` from `secrets.import.yaml`, which lives in your CI secret store or a vault, never in Git.

## Initialize a manifest

If you don't already have one, generate one interactively:

```sh
vpctl manifest init
```

This walks you through platform, release version, registry, namespace, autoscaling, monitoring, and ingress settings. The output defaults to `./manifest.yaml`; you can override it with `--output`.

## Validate a manifest

```sh
vpctl manifest validate
vpctl manifest validate --file path/to/manifest.yaml
```

This validates the manifest against the embedded CUE schema. Validation catches missing required fields, disallowed values, and violations of cross-field rules, for example that `maxReplicas >= minReplicas` and that a TLS certificate is required when TLS is enabled.
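The script below is an added example, not part of vpctl: a CI gate that combines schema validation with the two rules stated at the top of this page (no secrets in the manifest, `secrets.import.yaml` never in Git). The function names, the `.yml` variant, and the list of credential-like key names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: CI gate for manifest.yaml. Not part of vpctl.
# Assumes git and vpctl are on PATH; the key-name list is illustrative.

# Reads repository paths on stdin; prints any secrets.import.yaml
# (or .yml) among them, at any directory depth.
tracked_secret_inputs() {
    grep -E '(^|/)secrets\.import\.ya?ml$' || true
}

# Prints (with line numbers) manifest lines that look like inline secret
# material: PEM blocks, or credential-like keys holding a literal value.
# References to Kubernetes Secret names (imagePullSecret, caSecretName,
# tls.certificate) are deliberately not matched.
inline_secret_lines() {
    grep -nEi -e '-----BEGIN [A-Z ]+-----' \
        -e '^[[:space:]]*[a-z0-9_]*(password|passwd|token|apikey|privatekey)[a-z0-9_]*[[:space:]]*:[[:space:]]*[^[:space:]#]' \
        "$1" || true
}

# Runs all three checks and reports every failure before returning.
gate() {
    manifest=${1:-manifest.yaml}
    status=0
    leaked=$(git ls-files | tracked_secret_inputs)
    if [ -n "$leaked" ]; then
        echo "secrets.import.yaml is tracked in Git:" >&2
        echo "$leaked" >&2
        status=1
    fi
    hits=$(inline_secret_lines "$manifest")
    if [ -n "$hits" ]; then
        echo "possible secret material in $manifest:" >&2
        echo "$hits" >&2
        status=1
    fi
    vpctl manifest validate --file "$manifest" || status=1
    return "$status"
}

# Runs only when a manifest path is given, e.g.: sh manifest-gate.sh manifest.yaml
if [ "$#" -gt 0 ]; then gate "$1"; fi
```

The gate exits non-zero if any check fails, so it can block a merge before `vpctl release generate` output is reviewed.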

## Annotated example

A minimal on-premises manifest looks like this:

```yaml
# manifest.yaml
platform: onprem                       # required: only "onprem" is documented for customer use
releaseVersion: 0.13.0-rc1             # required: matches the release tag in the Unity registry

artifactSync:
  sourceRepository: uccmpprivatecloud.azurecr.io
  concurrency: 5                       # parallel image/ORAS sync workers (default: 5)

deployment:
  # helmChartMode: "remote"            # default "local": charts come from the release package
  argocd:                              # defaults for `release generate --format argocd`
    repoURL: "git@github.com:your-org/your-argocd-charts.git"
    pathPrefix: ""                     # subdirectory in the repo (e.g. "cluster1/")
    destinationServer: "https://kubernetes.default.svc"
    targetRevision: "main"

configuration:
  networking:
    appDomain: uam.example.com         # the FQDN your customers reach the app at
    allowedIngressCIDRs:               # IPs allowed to reach the LoadBalancer
      - "203.0.113.0/24"
    ingress:
      traefik:
        type: LoadBalancer
        tls:
          enabled: true
          certificate: traefik-tls-cert  # name of the K8s Secret holding the cert
    serviceMesh:
      istio:
        enabled: false

  kubernetes:
    namespace: asset-solutions          # namespace where workloads are deployed
    docker:
      repository: registry.example.com  # your registry (used after `artifact sync`)
      namespace: asset-solutions        # subpath/namespace within the registry
    imagePullSecret: regcred            # K8s Secret holding registry pull credentials
    autoscaling:
      minReplicas: 1
      maxReplicas: 10
    storage:
      defaultStorageClass: gp3
      readWriteManyStorageClass: efs

  transformations:
    parallelism: 30                     # max concurrent transformation workflows

  monitoring:
    database:
      enabled: true
    prometheus:
      enabled: true                     # auto-detected if Prometheus is already installed
    logCollection:
      enabled: true                     # Loki + Alloy

  authentication:
    x509:
      enabled: false
      # caSecretName: x509-ca-cert      # required when enabled

  infrastructure:
    sizing: medium                      # small | medium (default) | large
    # components: { ... }               # per-component CPU/memory/storage overrides
```

## Full schema reference

The annotated example above covers the most common fields. For the **complete** field list, including every type, default value, constraint, and cross-field rule, print the schema your installed vpctl is using:

```sh
vpctl manifest schema
```

To export the CUE schema for standalone validation (useful in CI, without installing vpctl):

```sh
vpctl manifest schema --export manifest.cue
cue vet manifest.cue manifest.yaml -d '#Manifest'
```

## Auto-discovery

vpctl searches upward from the current working directory for `manifest.yaml`. Pass `--manifest <path>` to override.
