CLI reference
Use the Constellation CLI to create and manage your clusters.
Usage:
constellation [command]
Commands:
- config: Work with the Constellation configuration file
  - generate: Generate a default configuration and state file
  - fetch-measurements: Fetch measurements for configured cloud provider and image
  - instance-types: Print the supported instance types for all cloud providers
  - kubernetes-versions: Print the Kubernetes versions supported by this CLI
  - migrate: Migrate a configuration file to a new version
- create: Create instances on a cloud platform for your Constellation cluster
- apply: Apply a configuration to a Constellation cluster
- mini: Manage MiniConstellation clusters
- status: Show status of a Constellation cluster
- verify: Verify the confidential properties of a Constellation cluster
- upgrade: Find and apply upgrades to your Constellation cluster
- recover: Recover a completely stopped Constellation cluster
- terminate: Terminate a Constellation cluster
- iam: Work with the IAM configuration on your cloud provider
- version: Display version of this CLI
- init: Initialize the Constellation cluster
constellation config
Work with the Constellation configuration file
Synopsis
Work with the Constellation configuration file.
Options
  -h, --help   help for config
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation config generate
Generate a default configuration and state file
Synopsis
Generate a default configuration and state file for your selected cloud provider.
constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags]
Options
  -a, --attestation string   attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used
  -h, --help                 help for generate
  -k, --kubernetes string    Kubernetes version to use in format MAJOR.MINOR (default "v1.28")
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation config fetch-measurements
Fetch measurements for configured cloud provider and image
Synopsis
Fetch measurements for configured cloud provider and image.
A config needs to be generated first.
constellation config fetch-measurements [flags]
Options
  -h, --help                   help for fetch-measurements
  -s, --signature-url string   alternative URL to fetch measurements' signature from
  -u, --url string             alternative URL to fetch measurements from
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation config instance-types
Print the supported instance types for all cloud providers
Synopsis
Print the supported instance types for all cloud providers.
constellation config instance-types [flags]
Options
  -h, --help   help for instance-types
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation config kubernetes-versions
Print the Kubernetes versions supported by this CLI
Synopsis
Print the Kubernetes versions supported by this CLI.
constellation config kubernetes-versions [flags]
Options
  -h, --help   help for kubernetes-versions
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation config migrate
Migrate a configuration file to a new version
Synopsis
Migrate a configuration file to a new version.
constellation config migrate [flags]
Options
  -h, --help   help for migrate
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation create
Create instances on a cloud platform for your Constellation cluster
Synopsis
Create instances on a cloud platform for your Constellation cluster.
constellation create [flags]
Options
  -h, --help   help for create
  -y, --yes    create the cluster without further confirmation
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation apply
Apply a configuration to a Constellation cluster
Synopsis
Apply a configuration to a Constellation cluster to initialize or upgrade the cluster.
constellation apply [flags]
Options
      --conformance           enable conformance mode
  -h, --help                  help for apply
      --merge-kubeconfig      merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config
      --skip-helm-wait        install helm charts without waiting for deployments to be ready
      --skip-phases strings   comma-separated list of upgrade phases to skip
                              one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s }
  -y, --yes                   run command without further confirmation
                              WARNING: the command might delete or update existing resources without additional checks. Please read the docs.
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation mini
Manage MiniConstellation clusters
Synopsis
Manage MiniConstellation clusters.
Options
  -h, --help   help for mini
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation mini up
Create and initialize a new MiniConstellation cluster
Synopsis
Create and initialize a new MiniConstellation cluster.
A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM.
constellation mini up [flags]
Options
  -h, --help               help for up
      --merge-kubeconfig   merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true)
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation mini down
Destroy a MiniConstellation cluster
Synopsis
Destroy a MiniConstellation cluster.
constellation mini down [flags]
Options
  -h, --help   help for down
  -y, --yes    terminate the cluster without further confirmation
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation status
Show status of a Constellation cluster
Synopsis
Show the status of a Constellation cluster.
Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades.
constellation status [flags]
Options
  -h, --help   help for status
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation verify
Verify the confidential properties of a Constellation cluster
Synopsis
Verify the confidential properties of a Constellation cluster.
If arguments aren't specified, values are read from constellation-state.yaml.
constellation verify [flags]
Options
      --cluster-id string      expected cluster identifier
  -h, --help                   help for verify
  -e, --node-endpoint string   endpoint of the node to verify, passed as HOST[:PORT]
  -o, --output string          print the attestation document in the output format {json|raw}
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation upgrade
Find and apply upgrades to your Constellation cluster
Synopsis
Find and apply upgrades to your Constellation cluster.
Options
  -h, --help   help for upgrade
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation upgrade check
Check for possible upgrades
Synopsis
Check which upgrades can be applied to your Constellation cluster.
constellation upgrade check [flags]
Options
  -h, --help            help for check
      --ref string      the reference to use for querying new versions (default "-")
      --stream string   the stream to use for querying new versions (default "stable")
  -u, --update-config   update the specified config file with the suggested versions
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation upgrade apply
Apply an upgrade to a Constellation cluster
Synopsis
Apply an upgrade to a Constellation cluster by applying the chosen configuration.
constellation upgrade apply [flags]
Options
      --conformance           enable conformance mode
  -h, --help                  help for apply
      --skip-helm-wait        install helm charts without waiting for deployments to be ready
      --skip-phases strings   comma-separated list of upgrade phases to skip
                              one or multiple of { infrastructure | helm | image | k8s }
  -y, --yes                   run upgrades without further confirmation
                              WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs.
                              WARNING: might unintentionally overwrite measurements in the running cluster.
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation recover
Recover a completely stopped Constellation cluster
Synopsis
Recover a Constellation cluster by sending a recovery key to an instance in the boot stage.
This is only required if instances restart without other instances available for bootstrapping.
constellation recover [flags]
Options
  -e, --endpoint string   endpoint of the instance, passed as HOST[:PORT]
  -h, --help              help for recover
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation terminate
Terminate a Constellation cluster
Synopsis
Terminate a Constellation cluster.
The cluster can't be started again, and all persistent storage will be lost.
constellation terminate [flags]
Options
  -h, --help   help for terminate
  -y, --yes    terminate the cluster without further confirmation
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation iam
Work with the IAM configuration on your cloud provider
Synopsis
Work with the IAM configuration on your cloud provider.
Options
  -h, --help   help for iam
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation iam create
Create IAM configuration on a cloud platform for your Constellation cluster
Synopsis
Create IAM configuration on a cloud platform for your Constellation cluster.
Options
  -h, --help            help for create
      --update-config   update the config file with the specific IAM information
  -y, --yes             create the IAM configuration without further confirmation
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation iam create aws
Create IAM configuration on AWS for your Constellation cluster
Synopsis
Create IAM configuration on AWS for your Constellation cluster.
constellation iam create aws [flags]
Options
  -h, --help            help for aws
      --prefix string   name prefix for all resources (required)
      --zone string     AWS availability zone the resources will be created in, e.g., us-east-2a (required)
                        See the Constellation docs for a list of currently supported regions.
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
      --update-config      update the config file with the specific IAM information
  -C, --workspace string   path to the Constellation workspace
  -y, --yes                create the IAM configuration without further confirmation
constellation iam create azure
Create IAM configuration on Microsoft Azure for your Constellation cluster
Synopsis
Create IAM configuration on Microsoft Azure for your Constellation cluster.
constellation iam create azure [flags]
Options
  -h, --help                      help for azure
      --region string             region the resources will be created in, e.g., westus (required)
      --resourceGroup string      name prefix of the two resource groups your cluster / IAM resources will be created in (required)
      --servicePrincipal string   name of the service principal that will be created (required)
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
      --update-config      update the config file with the specific IAM information
  -C, --workspace string   path to the Constellation workspace
  -y, --yes                create the IAM configuration without further confirmation
constellation iam create gcp
Create IAM configuration on GCP for your Constellation cluster
Synopsis
Create IAM configuration on GCP for your Constellation cluster.
constellation iam create gcp [flags]
Options
  -h, --help                      help for gcp
      --projectID string          ID of the GCP project the configuration will be created in (required)
                                  Find it on the welcome screen of your project: https://console.cloud.google.com/welcome
      --serviceAccountID string   ID for the service account that will be created (required)
                                  Must be 6 to 30 lowercase letters, digits, or hyphens.
      --zone string               GCP zone the cluster will be deployed in (required)
                                  Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
      --update-config      update the config file with the specific IAM information
  -C, --workspace string   path to the Constellation workspace
  -y, --yes                create the IAM configuration without further confirmation
constellation iam destroy
Destroy an IAM configuration and delete local Terraform files
Synopsis
Destroy an IAM configuration and delete local Terraform files.
constellation iam destroy [flags]
Options
  -h, --help   help for destroy
  -y, --yes    destroy the IAM configuration without asking for confirmation
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation iam upgrade
Find and apply upgrades to your IAM profile
Synopsis
Find and apply upgrades to your IAM profile.
Options
  -h, --help   help for upgrade
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation iam upgrade apply
Apply an upgrade to an IAM profile
Synopsis
Apply an upgrade to an IAM profile.
constellation iam upgrade apply [flags]
Options
  -h, --help   help for apply
  -y, --yes    run upgrades without further confirmation
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation version
Display version of this CLI
Synopsis
Display version of this CLI.
constellation version [flags]
Options
  -h, --help   help for version
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
constellation init
Initialize the Constellation cluster
Synopsis
Initialize the Constellation cluster.
Start your confidential Kubernetes.
constellation init [flags]
Options
      --conformance        enable conformance mode
  -h, --help               help for init
      --merge-kubeconfig   merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config
      --skip-helm-wait     install helm charts without waiting for deployments to be ready
Options inherited from parent commands
      --debug              enable debug logging
      --force              disable version compatibility checks - might result in corrupted clusters
      --tf-log string      Terraform log level (default "NONE")
  -C, --workspace string   path to the Constellation workspace
