* docs: add release v2.8.0
* docs: mention required AWS IAM permissions for upgrades
---------
Co-authored-by: malt3 <malt3@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
CLI reference
Use the Constellation CLI to create and manage your clusters.
constellation [command]
- config: Work with the Constellation configuration file
- generate: Generate a default configuration file
- fetch-measurements: Fetch measurements for configured cloud provider and image
- instance-types: Print the supported instance types for all cloud providers
- kubernetes-versions: Print the Kubernetes versions supported by this CLI
- migrate: Migrate a configuration file to a new version
- create: Create instances on a cloud platform for your Constellation cluster
- init: Initialize the Constellation cluster
- mini: Manage MiniConstellation clusters
- verify: Verify the confidential properties of a Constellation cluster
- upgrade: Find and apply upgrades to your Constellation cluster
- recover: Recover a completely stopped Constellation cluster
- terminate: Terminate a Constellation cluster
- version: Display version of this CLI
- iam: Work with the IAM configuration on your cloud provider
- status: Show status of a Constellation cluster
constellation config
Work with the Constellation configuration file
Work with the Constellation configuration file.
-h, --help help for config
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation config generate
Generate a default configuration file
Generate a default configuration file for your selected cloud provider.
constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags]
-a, --attestation string attestation variant to use {aws-nitro-tpm|azure-sev-snp|azure-trustedlaunch|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used
-f, --file string path to output file, or '-' for stdout (default "constellation-conf.yaml")
-h, --help help for generate
-k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.26")
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation config fetch-measurements
Fetch measurements for configured cloud provider and image
Fetch measurements for configured cloud provider and image.
A config needs to be generated first.
constellation config fetch-measurements [flags]
-h, --help help for fetch-measurements
--insecure skip the measurement signature verification
-s, --signature-url string alternative URL to fetch measurements' signature from
-u, --url string alternative URL to fetch measurements from
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation config instance-types
Print the supported instance types for all cloud providers
Print the supported instance types for all cloud providers.
constellation config instance-types [flags]
-h, --help help for instance-types
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation config kubernetes-versions
Print the Kubernetes versions supported by this CLI
Print the Kubernetes versions supported by this CLI.
constellation config kubernetes-versions [flags]
-h, --help help for kubernetes-versions
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation config migrate
Migrate a configuration file to a new version
Migrate a configuration file to a new version.
constellation config migrate [flags]
-h, --help help for migrate
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation create
Create instances on a cloud platform for your Constellation cluster
Create instances on a cloud platform for your Constellation cluster.
constellation create [flags]
-c, --control-plane-nodes int number of control-plane nodes (required)
-h, --help help for create
-w, --worker-nodes int number of worker nodes (required)
-y, --yes create the cluster without further confirmation
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation init
Initialize the Constellation cluster
Initialize the Constellation cluster.
Start your confidential Kubernetes.
constellation init [flags]
--conformance enable conformance mode
-h, --help help for init
--master-secret string path to base64-encoded master secret
--merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation mini
Manage MiniConstellation clusters
Manage MiniConstellation clusters.
-h, --help help for mini
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation mini up
Create and initialize a new MiniConstellation cluster
Create and initialize a new MiniConstellation cluster.
A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM.
constellation mini up [flags]
--config string path to the configuration file to use for the cluster
-h, --help help for up
--merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true)
Options inherited from parent commands
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation mini down
Destroy a MiniConstellation cluster
Destroy a MiniConstellation cluster.
constellation mini down [flags]
-h, --help help for down
-y, --yes terminate the cluster without further confirmation
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation verify
Verify the confidential properties of a Constellation cluster
Verify the confidential properties of a Constellation cluster.
If arguments aren't specified, values are read from constellation-id.json.
constellation verify [flags]
--cluster-id string expected cluster identifier
-h, --help help for verify
-e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT]
--raw print raw attestation document
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation upgrade
Find and apply upgrades to your Constellation cluster
Find and apply upgrades to your Constellation cluster.
-h, --help help for upgrade
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation upgrade check
Check for possible upgrades
Check which upgrades can be applied to your Constellation cluster.
constellation upgrade check [flags]
-h, --help help for check
--ref string the reference to use for querying new versions (default "-")
--stream string the stream to use for querying new versions (default "stable")
-w, --write-config update the specified config file with the suggested versions
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation upgrade apply
Apply an upgrade to a Constellation cluster
Apply an upgrade to a Constellation cluster by applying the chosen configuration.
constellation upgrade apply [flags]
-h, --help help for apply
-y, --yes run upgrades without further confirmation
WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs.
WARNING: might unintentionally overwrite measurements in the running cluster.
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation recover
Recover a completely stopped Constellation cluster
Recover a Constellation cluster by sending a recovery key to an instance in the boot stage.
This is only required if instances restart without other instances available for bootstrapping.
constellation recover [flags]
-e, --endpoint string endpoint of the instance, passed as HOST[:PORT]
-h, --help help for recover
--master-secret string path to master secret file (default "constellation-mastersecret.json")
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation terminate
Terminate a Constellation cluster
Terminate a Constellation cluster.
The cluster can't be started again, and all persistent storage will be lost.
constellation terminate [flags]
-h, --help help for terminate
-y, --yes terminate the cluster without further confirmation
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation version
Display version of this CLI
Display version of this CLI.
constellation version [flags]
-h, --help help for version
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation iam
Work with the IAM configuration on your cloud provider
Work with the IAM configuration on your cloud provider.
-h, --help help for iam
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation iam create
Create IAM configuration on a cloud platform for your Constellation cluster
Create IAM configuration on a cloud platform for your Constellation cluster.
--generate-config automatically generate a configuration file and fill in the required fields
-h, --help help for create
-k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR - only usable in combination with --generate-config (default "v1.26")
-y, --yes create the IAM configuration without further confirmation
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation iam create aws
Create IAM configuration on AWS for your Constellation cluster
Create IAM configuration on AWS for your Constellation cluster.
constellation iam create aws [flags]
-h, --help help for aws
--prefix string name prefix for all resources (required)
--zone string AWS availability zone the resources will be created in, e.g. us-east-2a (required)
Find available zones here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones. Note that we do not support every zone / region. You can find a list of all supported regions in our docs.
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--generate-config automatically generate a configuration file and fill in the required fields
-k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR - only usable in combination with --generate-config (default "v1.26")
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
-y, --yes create the IAM configuration without further confirmation
constellation iam create azure
Create IAM configuration on Microsoft Azure for your Constellation cluster
Create IAM configuration on Microsoft Azure for your Constellation cluster.
constellation iam create azure [flags]
-h, --help help for azure
--region string region the resources will be created in, e.g. westus (required)
--resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required)
--servicePrincipal string name of the service principal that will be created (required)
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--generate-config automatically generate a configuration file and fill in the required fields
-k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR - only usable in combination with --generate-config (default "v1.26")
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
-y, --yes create the IAM configuration without further confirmation
constellation iam create gcp
Create IAM configuration on GCP for your Constellation cluster
Create IAM configuration on GCP for your Constellation cluster.
constellation iam create gcp [flags]
-h, --help help for gcp
--projectID string ID of the GCP project the configuration will be created in (required)
Find it on the welcome screen of your project: https://console.cloud.google.com/welcome.
--serviceAccountID string ID for the service account that will be created (required)
Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$.
--zone string GCP zone the cluster will be deployed in (required)
Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available.
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--generate-config automatically generate a configuration file and fill in the required fields
-k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR - only usable in combination with --generate-config (default "v1.26")
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
-y, --yes create the IAM configuration without further confirmation
constellation iam destroy
Destroy an IAM configuration and delete local Terraform files
Destroy an IAM configuration and delete local Terraform files.
constellation iam destroy [flags]
-h, --help help for destroy
-y, --yes destroy the IAM configuration without asking for confirmation
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
constellation status
Show status of a Constellation cluster
Show status of a Constellation cluster.
Shows microservice, image and Kubernetes versions installed in the cluster. Also shows the status of current version upgrades.
constellation status [flags]
-h, --help help for status
Options inherited from parent commands
--config string path to the configuration file (default "constellation-conf.yaml")
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string sets the Terraform log level (default "NONE" - no logs) (default "NONE")
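Several flags in this reference weaken a safeguard or skip a confirmation: `--insecure` on `config fetch-measurements`, the inherited `--force`, and `-y`/`--yes` on destructive commands. The following added example (not part of the Constellation project or its documentation) lints the `constellation` invocations in an automation script for those flags and checks `--serviceAccountID` against the pattern given above; the `UNATTENDED` policy set, the function names and the sample script are assumptions made for illustration.

```python
import re
import shlex

# Pattern the page gives for `iam create gcp --serviceAccountID`.
SERVICE_ACCOUNT_ID = re.compile(r"^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$")
# Example policy (an assumption): commands that must not run unattended.
UNATTENDED = {("upgrade", "apply"), ("terminate",), ("iam", "destroy")}

def subcommand(tokens):
    """Subcommand path, skipping the inherited global flags listed on the page."""
    path, it = [], iter(tokens[1:])
    for tok in it:
        name = tok.split("=", 1)[0]
        if name in ("--config", "--tf-log"):
            if "=" not in tok:
                next(it, None)  # the flag's value is a separate token
        elif name in ("--debug", "--force"):
            continue
        elif tok.startswith("-"):
            break  # first command-specific flag ends the path
        else:
            path.append(tok)
    return tuple(path)

def flag_value(tokens, name):
    """Value of `name VALUE` or `name=VALUE`, or None if the flag is absent."""
    for i, tok in enumerate(tokens):
        if tok == name and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.startswith(name + "="):
            return tok.split("=", 1)[1]
    return None

def lint(line):
    """Findings for one command line; an empty list means nothing was flagged."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "constellation":
        return []
    cmd, flags, findings = subcommand(tokens), set(tokens), []
    if "--force" in flags:
        findings.append("--force disables version compatibility checks")
    if cmd == ("config", "fetch-measurements") and "--insecure" in flags:
        findings.append("--insecure skips the measurement signature verification")
    if cmd in UNATTENDED and flags & {"-y", "--yes"}:
        findings.append(" ".join(cmd) + " runs without confirmation")
    if cmd == ("iam", "create", "gcp"):
        sa = flag_value(tokens, "--serviceAccountID")
        if sa is not None and not SERVICE_ACCOUNT_ID.match(sa):
            findings.append("--serviceAccountID does not match the documented pattern")
    return findings

def lint_script(text):
    """Map 1-based line numbers of a script to their findings."""
    report = {n: lint(l) for n, l in enumerate(text.splitlines(), 1)}
    return {n: f for n, f in report.items() if f}

# Constructed sample script, not taken from the page.
SAMPLE = """\
# provision and upgrade (constructed)
constellation iam create gcp --projectID demo-project --zone europe-west3-a --serviceAccountID Prod_SA
constellation config fetch-measurements --insecure
constellation create -c 1 -w 2 -y
constellation upgrade apply --force --yes
constellation verify
"""

if __name__ == "__main__":
    for n, found in lint_script(SAMPLE).items():
        print(n, "; ".join(found))
```

The subcommand detection assumes subcommands precede command-specific flags, as in the usage lines of this reference.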