# CLI reference

Use the Constellation CLI to create and manage your clusters.

Usage:

```
constellation [command]
```

Commands:

* [config](#constellation-config): Work with the Constellation configuration file
  * [generate](#constellation-config-generate): Generate a default configuration file
  * [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image
  * [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers
  * [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI
  * [migrate](#constellation-config-migrate): Migrate a configuration file to a new version
* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster
* [init](#constellation-init): Initialize the Constellation cluster
* [mini](#constellation-mini): Manage MiniConstellation clusters
  * [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster
  * [down](#constellation-mini-down): Destroy a MiniConstellation cluster
* [status](#constellation-status): Show status of a Constellation cluster
* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster
* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster
  * [check](#constellation-upgrade-check): Check for possible upgrades
  * [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster
* [recover](#constellation-recover): Recover a completely stopped Constellation cluster
* [terminate](#constellation-terminate): Terminate a Constellation cluster
* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider
  * [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation cluster
    * [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster
    * [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster
    * [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster
  * [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files
  * [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile
    * [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile
* [version](#constellation-version): Display version of this CLI

## constellation config

Work with the Constellation configuration file

### Synopsis

Work with the Constellation configuration file.

### Options

```
  -h, --help   help for config
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation config generate

Generate a default configuration file

### Synopsis

Generate a default configuration file for your selected cloud provider.

```
constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags]
```

### Options

```
  -a, --attestation string   attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-trustedlaunch|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used
  -h, --help                 help for generate
  -k, --kubernetes string    Kubernetes version to use in format MAJOR.MINOR (default "v1.27")
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation config fetch-measurements

Fetch measurements for configured cloud provider and image

### Synopsis

Fetch measurements for configured cloud provider and image.

A config needs to be generated first.

```
constellation config fetch-measurements [flags]
```

### Options

```
  -h, --help                   help for fetch-measurements
  -s, --signature-url string   alternative URL to fetch measurements' signature from
  -u, --url string             alternative URL to fetch measurements from
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation config instance-types

Print the supported instance types for all cloud providers

### Synopsis

Print the supported instance types for all cloud providers.

```
constellation config instance-types [flags]
```

### Options

```
  -h, --help   help for instance-types
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation config kubernetes-versions

Print the Kubernetes versions supported by this CLI

### Synopsis

Print the Kubernetes versions supported by this CLI.

```
constellation config kubernetes-versions [flags]
```

### Options

```
  -h, --help   help for kubernetes-versions
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation config migrate

Migrate a configuration file to a new version

### Synopsis

Migrate a configuration file to a new version.

```
constellation config migrate [flags]
```

### Options

```
  -h, --help   help for migrate
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation create

Create instances on a cloud platform for your Constellation cluster

### Synopsis

Create instances on a cloud platform for your Constellation cluster.

```
constellation create [flags]
```

### Options

```
  -h, --help   help for create
  -y, --yes    create the cluster without further confirmation
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation init

Initialize the Constellation cluster

### Synopsis

Initialize the Constellation cluster.

Start your confidential Kubernetes.

```
constellation init [flags]
```

### Options

```
      --conformance        enable conformance mode
  -h, --help               help for init
      --merge-kubeconfig   merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config
      --skip-helm-wait     install helm charts without waiting for deployments to be ready
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation mini

Manage MiniConstellation clusters

### Synopsis

Manage MiniConstellation clusters.

### Options

```
  -h, --help   help for mini
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation mini up

Create and initialize a new MiniConstellation cluster

### Synopsis

Create and initialize a new MiniConstellation cluster.

A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM.

```
constellation mini up [flags]
```

### Options

```
  -h, --help               help for up
      --merge-kubeconfig   merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true)
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation mini down

Destroy a MiniConstellation cluster

### Synopsis

Destroy a MiniConstellation cluster.

```
constellation mini down [flags]
```

### Options

```
  -h, --help   help for down
  -y, --yes    terminate the cluster without further confirmation
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation status

Show status of a Constellation cluster

### Synopsis

Show the status of a constellation cluster.

Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades.

```
constellation status [flags]
```

### Options

```
  -h, --help   help for status
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation verify

Verify the confidential properties of a Constellation cluster

### Synopsis

Verify the confidential properties of a Constellation cluster.
If arguments aren't specified, values are read from `constellation-state.yaml`.

```
constellation verify [flags]
```

### Options

```
      --cluster-id string      expected cluster identifier
  -h, --help                   help for verify
  -e, --node-endpoint string   endpoint of the node to verify, passed as HOST[:PORT]
  -o, --output string          print the attestation document in the output format {json|raw}
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation upgrade

Find and apply upgrades to your Constellation cluster

### Synopsis

Find and apply upgrades to your Constellation cluster.

### Options

```
  -h, --help   help for upgrade
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation upgrade check

Check for possible upgrades

### Synopsis

Check which upgrades can be applied to your Constellation Cluster.

```
constellation upgrade check [flags]
```

### Options

```
  -h, --help            help for check
      --ref string      the reference to use for querying new versions (default "-")
      --stream string   the stream to use for querying new versions (default "stable")
  -u, --update-config   update the specified config file with the suggested versions
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation upgrade apply

Apply an upgrade to a Constellation cluster

### Synopsis

Apply an upgrade to a Constellation cluster by applying the chosen configuration.

```
constellation upgrade apply [flags]
```

### Options

```
      --conformance           enable conformance mode
  -h, --help                  help for apply
      --skip-helm-wait        install helm charts without waiting for deployments to be ready
      --skip-phases strings   comma-separated list of upgrade phases to skip
                              one or multiple of { infrastructure | helm | image | k8s }
  -y, --yes                   run upgrades without further confirmation
                              WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs.
                              WARNING: might unintentionally overwrite measurements in the running cluster.
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation recover

Recover a completely stopped Constellation cluster

### Synopsis

Recover a Constellation cluster by sending a recovery key to an instance in the boot stage.

This is only required if instances restart without other instances available for bootstrapping.

```
constellation recover [flags]
```

### Options

```
  -e, --endpoint string   endpoint of the instance, passed as HOST[:PORT]
  -h, --help              help for recover
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation terminate

Terminate a Constellation cluster

### Synopsis

Terminate a Constellation cluster.

The cluster can't be started again, and all persistent storage will be lost.

```
constellation terminate [flags]
```

### Options

```
  -h, --help   help for terminate
  -y, --yes    terminate the cluster without further confirmation
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation iam

Work with the IAM configuration on your cloud provider

### Synopsis

Work with the IAM configuration on your cloud provider.

### Options

```
  -h, --help   help for iam
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation iam create

Create IAM configuration on a cloud platform for your Constellation cluster

### Synopsis

Create IAM configuration on a cloud platform for your Constellation cluster.

### Options

```
  -h, --help            help for create
      --update-config   update the config file with the specific IAM information
  -y, --yes             create the IAM configuration without further confirmation
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation iam create aws

Create IAM configuration on AWS for your Constellation cluster

### Synopsis

Create IAM configuration on AWS for your Constellation cluster.

```
constellation iam create aws [flags]
```

### Options

```
  -h, --help            help for aws
      --prefix string   name prefix for all resources (required)
      --zone string     AWS availability zone the resources will be created in, e.g., us-east-2a (required)
                        See the Constellation docs for a list of currently supported regions.
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
      --update-config      update the config file with the specific IAM information
  -C, --workspace string   path to the Constellation workspace
  -y, --yes                create the IAM configuration without further confirmation
```

## constellation iam create azure

Create IAM configuration on Microsoft Azure for your Constellation cluster

### Synopsis

Create IAM configuration on Microsoft Azure for your Constellation cluster.

```
constellation iam create azure [flags]
```

### Options

```
  -h, --help                      help for azure
      --region string             region the resources will be created in, e.g., westus (required)
      --resourceGroup string      name prefix of the two resource groups your cluster / IAM resources will be created in (required)
      --servicePrincipal string   name of the service principal that will be created (required)
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
      --update-config      update the config file with the specific IAM information
  -C, --workspace string   path to the Constellation workspace
  -y, --yes                create the IAM configuration without further confirmation
```

## constellation iam create gcp

Create IAM configuration on GCP for your Constellation cluster

### Synopsis

Create IAM configuration on GCP for your Constellation cluster.

```
constellation iam create gcp [flags]
```

### Options

```
  -h, --help                      help for gcp
      --projectID string          ID of the GCP project the configuration will be created in (required)
                                  Find it on the welcome screen of your project: https://console.cloud.google.com/welcome
      --serviceAccountID string   ID for the service account that will be created (required)
                                  Must be 6 to 30 lowercase letters, digits, or hyphens.
      --zone string               GCP zone the cluster will be deployed in (required)
                                  Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
      --update-config      update the config file with the specific IAM information
  -C, --workspace string   path to the Constellation workspace
  -y, --yes                create the IAM configuration without further confirmation
```

## constellation iam destroy

Destroy an IAM configuration and delete local Terraform files

### Synopsis

Destroy an IAM configuration and delete local Terraform files.

```
constellation iam destroy [flags]
```

### Options

```
  -h, --help   help for destroy
  -y, --yes    destroy the IAM configuration without asking for confirmation
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation iam upgrade

Find and apply upgrades to your IAM profile

### Synopsis

Find and apply upgrades to your IAM profile.

### Options

```
  -h, --help   help for upgrade
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation iam upgrade apply

Apply an upgrade to an IAM profile

### Synopsis

Apply an upgrade to an IAM profile.

```
constellation iam upgrade apply [flags]
```

### Options

```
  -h, --help   help for apply
  -y, --yes    run upgrades without further confirmation
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```

## constellation version

Display version of this CLI

### Synopsis

Display version of this CLI.

```
constellation version [flags]
```

### Options

```
  -h, --help   help for version
```

### Options inherited from parent commands

```
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
```