Skip to main content
Version: Next

CLI reference

Use the Constellation CLI to create and manage your clusters.

Usage:

constellation [command]

Commands:

  • config: Work with the Constellation configuration file
    • generate: Generate a default configuration and state file
    • fetch-measurements: Fetch measurements for configured cloud provider and image
    • instance-types: Print the supported instance types for all cloud providers
    • kubernetes-versions: Print the Kubernetes versions supported by this CLI
    • migrate: Migrate a configuration file to a new version
  • create: Create instances on a cloud platform for your Constellation cluster
  • apply: Apply a configuration to a Constellation cluster
  • mini: Manage MiniConstellation clusters
    • up: Create and initialize a new MiniConstellation cluster
    • down: Destroy a MiniConstellation cluster
  • status: Show status of a Constellation cluster
  • verify: Verify the confidential properties of a Constellation cluster
  • upgrade: Find and apply upgrades to your Constellation cluster
    • check: Check for possible upgrades
    • apply: Apply an upgrade to a Constellation cluster
  • recover: Recover a completely stopped Constellation cluster
  • terminate: Terminate a Constellation cluster
  • iam: Work with the IAM configuration on your cloud provider
    • create: Create IAM configuration on a cloud platform for your Constellation cluster
      • aws: Create IAM configuration on AWS for your Constellation cluster
      • azure: Create IAM configuration on Microsoft Azure for your Constellation cluster
      • gcp: Create IAM configuration on GCP for your Constellation cluster
    • destroy: Destroy an IAM configuration and delete local Terraform files
    • upgrade: Find and apply upgrades to your IAM profile
      • apply: Apply an upgrade to an IAM profile
  • version: Display version of this CLI
  • init: Initialize the Constellation cluster

constellation config

Work with the Constellation configuration file

Synopsis

Work with the Constellation configuration file.

Options

  -h, --help   help for config

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation config generate

Generate a default configuration and state file

Synopsis

Generate a default configuration and state file for your selected cloud provider.

constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags]

Options

  -a, --attestation string   attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used
-h, --help help for generate
-k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.29")
-t, --tags strings additional tags for created resources given a list of key=value

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation config fetch-measurements

Fetch measurements for configured cloud provider and image

Synopsis

Fetch measurements for configured cloud provider and image.

A config needs to be generated first.

constellation config fetch-measurements [flags]

Options

  -h, --help                   help for fetch-measurements
-s, --signature-url string alternative URL to fetch measurements' signature from
-u, --url string alternative URL to fetch measurements from

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation config instance-types

Print the supported instance types for all cloud providers

Synopsis

Print the supported instance types for all cloud providers.

constellation config instance-types [flags]

Options

  -h, --help   help for instance-types

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation config kubernetes-versions

Print the Kubernetes versions supported by this CLI

Synopsis

Print the Kubernetes versions supported by this CLI.

constellation config kubernetes-versions [flags]

Options

  -h, --help   help for kubernetes-versions

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation config migrate

Migrate a configuration file to a new version

Synopsis

Migrate a configuration file to a new version.

constellation config migrate [flags]

Options

  -h, --help   help for migrate

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation create

Create instances on a cloud platform for your Constellation cluster

Synopsis

Create instances on a cloud platform for your Constellation cluster.

constellation create [flags]

Options

  -h, --help   help for create
-y, --yes create the cluster without further confirmation

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation apply

Apply a configuration to a Constellation cluster

Synopsis

Apply a configuration to a Constellation cluster to initialize or upgrade the cluster.

constellation apply [flags]

Options

      --conformance           enable conformance mode
-h, --help help for apply
--merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config
--skip-helm-wait install helm charts without waiting for deployments to be ready
--skip-phases strings comma-separated list of upgrade phases to skip
one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s }
-y, --yes run command without further confirmation
WARNING: the command might delete or update existing resources without additional checks. Please read the docs.

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation mini

Manage MiniConstellation clusters

Synopsis

Manage MiniConstellation clusters.

Options

  -h, --help   help for mini

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation mini up

Create and initialize a new MiniConstellation cluster

Synopsis

Create and initialize a new MiniConstellation cluster.

A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM.

constellation mini up [flags]

Options

  -h, --help               help for up
--merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true)

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation mini down

Destroy a MiniConstellation cluster

Synopsis

Destroy a MiniConstellation cluster.

constellation mini down [flags]

Options

  -h, --help   help for down
-y, --yes terminate the cluster without further confirmation

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation status

Show status of a Constellation cluster

Synopsis

Show the status of a constellation cluster.

Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades.

constellation status [flags]

Options

  -h, --help   help for status

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation verify

Verify the confidential properties of a Constellation cluster

Synopsis

Verify the confidential properties of a Constellation cluster. If arguments aren't specified, values are read from constellation-state.yaml.

constellation verify [flags]

Options

      --cluster-id string      expected cluster identifier
-h, --help help for verify
-e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT]
-o, --output string print the attestation document in the output format {json|raw}

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation upgrade

Find and apply upgrades to your Constellation cluster

Synopsis

Find and apply upgrades to your Constellation cluster.

Options

  -h, --help   help for upgrade

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation upgrade check

Check for possible upgrades

Synopsis

Check which upgrades can be applied to your Constellation Cluster.

constellation upgrade check [flags]

Options

  -h, --help            help for check
--ref string the reference to use for querying new versions (default "-")
--stream string the stream to use for querying new versions (default "stable")
-u, --update-config update the specified config file with the suggested versions

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation upgrade apply

Apply an upgrade to a Constellation cluster

Synopsis

Apply an upgrade to a Constellation cluster by applying the chosen configuration.

constellation upgrade apply [flags]

Options

      --conformance           enable conformance mode
-h, --help help for apply
--skip-helm-wait install helm charts without waiting for deployments to be ready
--skip-phases strings comma-separated list of upgrade phases to skip
one or multiple of { infrastructure | helm | image | k8s }
-y, --yes run upgrades without further confirmation
WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs.
WARNING: might unintentionally overwrite measurements in the running cluster.

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation recover

Recover a completely stopped Constellation cluster

Synopsis

Recover a Constellation cluster by sending a recovery key to an instance in the boot stage.

This is only required if instances restart without other instances available for bootstrapping.

constellation recover [flags]

Options

  -e, --endpoint string   endpoint of the instance, passed as HOST[:PORT]
-h, --help help for recover

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation terminate

Terminate a Constellation cluster

Synopsis

Terminate a Constellation cluster.

The cluster can't be started again, and all persistent storage will be lost.

constellation terminate [flags]

Options

  -h, --help   help for terminate
-y, --yes terminate the cluster without further confirmation

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation iam

Work with the IAM configuration on your cloud provider

Synopsis

Work with the IAM configuration on your cloud provider.

Options

  -h, --help   help for iam

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation iam create

Create IAM configuration on a cloud platform for your Constellation cluster

Synopsis

Create IAM configuration on a cloud platform for your Constellation cluster.

Options

  -h, --help            help for create
--update-config update the config file with the specific IAM information
-y, --yes create the IAM configuration without further confirmation

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation iam create aws

Create IAM configuration on AWS for your Constellation cluster

Synopsis

Create IAM configuration on AWS for your Constellation cluster.

constellation iam create aws [flags]

Options

  -h, --help            help for aws
--prefix string name prefix for all resources (required)
--zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required)
See the Constellation docs for a list of currently supported regions.

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
--update-config update the config file with the specific IAM information
-C, --workspace string path to the Constellation workspace
-y, --yes create the IAM configuration without further confirmation

constellation iam create azure

Create IAM configuration on Microsoft Azure for your Constellation cluster

Synopsis

Create IAM configuration on Microsoft Azure for your Constellation cluster.

constellation iam create azure [flags]

Options

  -h, --help                      help for azure
--region string region the resources will be created in, e.g., westus (required)
--resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required)
--servicePrincipal string name of the service principal that will be created (required)

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
--update-config update the config file with the specific IAM information
-C, --workspace string path to the Constellation workspace
-y, --yes create the IAM configuration without further confirmation

constellation iam create gcp

Create IAM configuration on GCP for your Constellation cluster

Synopsis

Create IAM configuration on GCP for your Constellation cluster.

constellation iam create gcp [flags]

Options

  -h, --help                      help for gcp
--projectID string ID of the GCP project the configuration will be created in (required)
Find it on the welcome screen of your project: https://console.cloud.google.com/welcome
--serviceAccountID string ID for the service account that will be created (required)
Must be 6 to 30 lowercase letters, digits, or hyphens.
--zone string GCP zone the cluster will be deployed in (required)
Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
--update-config update the config file with the specific IAM information
-C, --workspace string path to the Constellation workspace
-y, --yes create the IAM configuration without further confirmation

constellation iam destroy

Destroy an IAM configuration and delete local Terraform files

Synopsis

Destroy an IAM configuration and delete local Terraform files.

constellation iam destroy [flags]

Options

  -h, --help   help for destroy
-y, --yes destroy the IAM configuration without asking for confirmation

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation iam upgrade

Find and apply upgrades to your IAM profile

Synopsis

Find and apply upgrades to your IAM profile.

Options

  -h, --help   help for upgrade

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation iam upgrade apply

Apply an upgrade to an IAM profile

Synopsis

Apply an upgrade to an IAM profile.

constellation iam upgrade apply [flags]

Options

  -h, --help   help for apply
-y, --yes run upgrades without further confirmation

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation version

Display version of this CLI

Synopsis

Display version of this CLI.

constellation version [flags]

Options

  -h, --help   help for version

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace

constellation init

Initialize the Constellation cluster

Synopsis

Initialize the Constellation cluster.

Start your confidential Kubernetes.

constellation init [flags]

Options

      --conformance        enable conformance mode
-h, --help help for init
--merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config
--skip-helm-wait install helm charts without waiting for deployments to be ready

Options inherited from parent commands

      --debug              enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace