v0.3.0

Drafts, Validation, Async Writes, kubectl Access, Self-Update, and OVH Parity

A big release: stage changes as drafts, validate specs server-side, run kubectl through Ankra, query metrics, manage stack profiles and support tickets from the terminal, and keep the CLI current with a built-in self-update. Plus verified SOPS encryption and full OVH parity with the web UI.

Verified SOPS encryption

ankra cluster encrypt manifest|addon could previously produce files that only looked encrypted: a dotted --key such as data.password matched no YAML key during SOPS tree traversal, so the file gained sops: metadata while the secret value stayed plaintext base64. A dotted --key is now normalised to its last segment (data.password → password) with a notice, and after every encryption the CLI verifies the target key’s value is real ENC[...] ciphertext — hard-failing before any file write or stack update when nothing was encrypted. If you encrypted keys with a dotted --key on an older CLI version, re-run the encrypt command to confirm the values are actually encrypted.
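For files already committed by an older CLI, the same condition can be checked offline. The following is an added example, not Ankra's own code: a line-based audit that flags a file carrying sops: metadata whose target key still holds a non-ENC[...] value. The names audit and leaf_key and the sample documents are hypothetical, and the scan assumes block-style YAML with single-line scalars.

```python
import re

# Shape of a SOPS-encrypted scalar as written into YAML.
SOPS_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")
# Single-line "key: value" entry, optionally the first key of a list item.
ENTRY = re.compile(r"^(\s*)(?:-\s+)?([\w.-]+):\s*(.*)$")

# Constructed sample: sops metadata is present, yet data.password is still base64.
LOOKS_ENCRYPTED = """\
apiVersion: v1
kind: Secret
metadata:
    name: db
data:
    password: c3VwZXJzZWNyZXQ=
sops:
    mac: ENC[AES256_GCM,data:q1w2,iv:e3r4,tag:t5y6,type:str]
    version: 3.8.1
"""
# Constructed sample: the same file with the value actually encrypted.
ENCRYPTED = LOOKS_ENCRYPTED.replace(
    "c3VwZXJzZWNyZXQ=", "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]")


def leaf_key(key):
    """Reduce a dotted path such as data.password to its last segment."""
    return key.rsplit(".", 1)[-1]


def audit(yaml_text, key):
    """Return (status, hits); hits are (line_no, value) pairs left in plaintext."""
    target, in_sops, has_sops, seen, hits = leaf_key(key), False, False, 0, []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue
        indent, name, value = m.group(1), m.group(2), m.group(3).strip()
        if not indent and not line.startswith("-"):
            # A new top-level key starts or ends the sops: metadata block.
            in_sops = name == "sops"
            has_sops = has_sops or in_sops
        if in_sops or name != target or not value:
            continue  # skip metadata, other keys, and nested mappings
        seen += 1
        if not SOPS_VALUE.match(value.strip("\"'")):
            hits.append((no, value))
    if not has_sops:
        return "no-sops-metadata", hits
    if seen == 0:
        return "key-not-found", hits
    return ("plaintext", hits) if hits else ("encrypted", hits)


if __name__ == "__main__":
    print(audit(LOOKS_ENCRYPTED, "data.password"))
    print(audit(ENCRYPTED, "data.password"))
```

A "plaintext" or "key-not-found" status on a file that carries sops: metadata is the case to treat as a failed encryption and re-run.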

Draft and validate before you apply

  • ankra cluster draft -f <file> stages every stack in an ImportCluster YAML as reviewable drafts instead of deploying. Local checks run first; stacks already at desired state report “no changes”. If the cluster doesn’t exist yet it’s imported first.
  • ankra cluster validate -f <file> runs server-side validation the offline checks can’t do — chart existence in your connected registries, plaintext-secret detection, and parent references resolved against a cluster. --strict-secrets turns plaintext secrets into errors; --cluster <id> validates against a live cluster.
  • ankra cluster apply now validates referenced files and the parent/dependency tree (unique names, valid kinds, no cycles) before anything is sent to the API, and ankra cluster apply --dry-run / ankra delete cluster --dry-run run fully offline with no token — ready for pre-merge CI.

Asynchronous writes with --wait

ankra cluster apply and the node-group mutation commands now submit asynchronously and return immediately. Add --wait (with an optional --timeout) to block until the platform finishes and report success or failure. Re-running with --wait is also how you follow a previously submitted change to completion.

Run kubectl through Ankra

  • ankra cluster kubeconfig add|remove|list manages Ankra contexts in your kubeconfig. By default add writes an auto-refreshing, SSO-backed exec context (no static credentials); --all, --use, --embed-token, --print, and --namespace are supported.
  • ankra cluster kube-token prints a short-lived ExecCredential for use as a kubectl credential plugin (wired up automatically by kubeconfig add).
See Accessing Clusters with kubectl.

Query cluster metrics

ankra cluster metrics query <promql> and ankra cluster metrics query-range run PromQL against the cluster’s configured Prometheus source, proxied through the agent. Supports --range/--start/--end/--step and -o table|json|yaml.

Stack profiles and support from the CLI

  • ankra stack-profiles list|export-iac|import manages reusable stack profiles.
  • ankra support create|list|get|comment|attach|close files and tracks support requests, with AI review before submission (--force to override a flag).

OVH command parity with the web UI

  • ankra cluster ovh regions --credential-id <id> — list the regions a credential’s project can actually deploy in.
  • ankra cluster ovh stop <id> and ankra cluster ovh start <id> [--scope all|control_plane] — stop a cluster’s compute while keeping its configuration, then start it again later.
  • ankra cluster ovh access-info <id> — gateway and control-plane IPs with ready-to-use ssh -J jump and Kubernetes API port-forward commands.
  • ankra cluster ovh ssh-keys get|set — view and replace the SSH key credentials attached to a cluster.
  • ankra cluster ovh node-group add ... --labels --taints, plus node-group labels and node-group taints subcommands to update them later.
  • ankra cluster ovh control-plane ... and ankra cluster ovh nodes ... now work over the public API with a token-authenticated CLI session.

Watch operations and machine-readable output

  • ankra cluster operations list --watch polls until every execution reaches a terminal state (--interval, default 5s); operations list and operations steps support -o json|yaml.
  • Shared -o json|yaml output across commands for scripting and CI.
  • Unexpected platform errors now print a ready-made ankra support create command, so you can file a bug without leaving the terminal.

Self-update and beta channel

  • ankra upgrade (alias ankra self-update) downloads and installs a release in place, verifying its SHA-256 checksum first. --version pins an exact release (and doubles as a rollback), --check reports availability, and --force/--yes control prompts.
  • ankra config beta enable|disable|status opts into pre-release (release candidate) versions for ankra upgrade.

Fixes

  • ankra credentials get resolves a name to an ID (v2 platform-credential lookup before the legacy table).
  • ankra org members / ankra org current honour --org and validate the saved selection instead of sending a stale value.
  • An unknown --cluster name fails clearly instead of forwarding a non-UUID value and producing an opaque server-side error.
  • ankra cluster apply understands the prometheus_metrics spec field.

v0.2.5

Variables, Live-Cluster SOPS, Dependency Parents, and Multi-Org

Rounds out stack CRUD from the CLI: template variables at every scope, SOPS encryption against live clusters, dependency-parent editing, read/delete commands, a global organisation override, and offline-installable Agent Skills.

Variables (org / cluster / stack scopes)

Full CRUD for the template variables substituted into stack manifests and addon values at deploy time, at three scopes:
  • ankra org variables list|get|set|delete — organisation-wide, available to every cluster.
  • ankra cluster variables list|get|set|delete [--cluster <name|id>] — per cluster; shadows org variables on that cluster.
  • ankra cluster stacks variables list|get|set|delete <stack> — per stack; the most specific scope.
set is an upsert (create or update). Values can be read from stdin with - for piping secrets, list / get support -o json|yaml, and delete prompts for confirmation (--yes to skip). Resolution at deploy time is stack > cluster > organisation — a more specific scope shadows less specific ones for the same name.

SOPS encrypt/decrypt against live clusters

ankra cluster encrypt and ankra cluster decrypt now operate directly on a live cluster, with no local cluster.yaml required.
  • ankra cluster encrypt manifest <name> --key <key> [--cluster <name|id>]
  • ankra cluster encrypt addon --name <addon> --key <key> [--cluster <name|id>] [--stack <stack>]
  • ankra cluster decrypt manifest <name> [--cluster <name|id>]
  • ankra cluster decrypt addon --name <addon> [--cluster <name|id>] [--stack <stack>]
Cluster mode fetches the current content, runs it through the SOPS API, and (for encrypt) pushes the result back via the partial-stack PATCH with encrypted_paths updated. The -f cluster.yaml file mode is unchanged for GitOps workflows; the two modes are mutually exclusive and cluster mode is the default. decrypt addon is new, bringing the addon variant to parity with manifests.

Dependency parents on upgrade

ankra cluster addons upgrade and ankra cluster manifests upgrade now edit the dependency parents that control deployment ordering inside a stack, without re-applying the whole cluster.yaml:
  • --add-parent name=<n>,kind=<manifest|addon> — repeatable; kind defaults to manifest.
  • --remove-parent name=<n>,kind=<manifest|addon> — repeatable; removing the last parent clears the link.
  • --set-parent name=<n>,kind=<manifest|addon> — replaces ALL parents; mutually exclusive with --add-parent / --remove-parent.

Read and delete

  • ankra cluster addons values <name> — print an addon’s current Helm values (decoded; -o raw for the base64 form).
  • ankra cluster manifests get <name> — print a manifest’s current YAML (decoded; -o raw for the base64 form).
  • ankra cluster manifests delete <name> — disconnect a manifest from its stack and remove its resources; the owning stack is resolved automatically and a confirmation prompt protects the operation (--yes to skip, --dry-run to preview).

Run a command against another organisation

A global --org <name|id> flag (or the ANKRA_ORG environment variable) runs a single command against any organisation you belong to, without changing your selected organisation:
ankra --org "Acme Corp" cluster list
export ANKRA_ORG="Acme Corp"   # scope a whole shell session
The override is per request and never changes the ankra org switch selection. You must be an active member of the target organisation.

Install Ankra Agent Skills

ankra skills installs the curated Ankra Agent Skills into a Cursor/Claude skills directory. The skills are embedded in the binary, so installation works offline and is versioned with the release.
ankra skills list                  # list available skills (marks installed ones)
ankra skills install               # install all into ~/.cursor/skills (personal)
ankra skills install --project .   # install into ./.cursor/skills (project)
ankra skills install ankra-gitops  # install only named skills
ankra skills uninstall             # remove all Ankra skills
Use --force to overwrite existing skills and --source <dir> to install from a local directory instead of the embedded copy. This is separate from ankra openclaw skill, which generates a per-cluster SKILL.md.

v0.2.4

Surgical Addon and Manifest Upgrades

Two new subcommands for in-place updates that go through the same partial-stack endpoint as the UI. Atomic, locked, single git commit per invocation.

Addon Upgrade

  • ankra cluster addons upgrade <addon> --chart-version <version> — bump the chart version.
  • ankra cluster addons upgrade <addon> --set <key>=<value> — mutate a single Helm values field (helm-style; supports dotted paths, [idx] indexing, and [key=value] list selectors such as env[name=LOG_LEVEL].value).
  • ankra cluster addons upgrade <addon> --values-from-file <path> — replace the entire values document.
  • ankra cluster addons upgrade <addon> --registry-name, --registry-url, --registry-credential-name — atomically retag the addon’s registry.
  • ankra cluster addons upgrade <addon> --namespace <new> — destructive Helm reinstall in a new namespace; requires --yes or an interactive confirmation.
--set and --values-from-file are mutually exclusive: --set* MUTATES the existing values document, --values-from-file REPLACES it. Use --set-string to force a value to remain a string, and --set-file key=path to load a value from a file.

Manifest Upgrade

  • ankra cluster manifests upgrade <manifest> --from-file <path> — replace the manifest content.
  • ankra cluster manifests upgrade <manifest> --manifest - — read manifest YAML from stdin.
  • ankra cluster manifests upgrade <manifest> --set <key>=<value> — mutate a single path in the manifest YAML (helm-style; supports dotted paths, [idx] indexing, and [key=value] list selectors such as containers[name=app].image).
  • ankra cluster manifests upgrade <manifest> --target-kind <kind> --target-name <name> — with --set, pick which document to edit when the manifest holds multiple Kubernetes resources.
  • ankra cluster manifests upgrade <manifest> --namespace <new> — change the manifest’s namespace.
--set* MUTATE the existing manifest and are mutually exclusive with --from-file / --manifest -, which REPLACE it. Use --set-string to force a value to remain a string, and --set-file key=path to load a value from a file.

Addon and manifest field selectors

Both addons upgrade and manifests upgrade --set paths can address a list item by a stable field instead of a numeric index — for example env[name=LOG_LEVEL].value=debug or spec.template.spec.containers[name=app].image=nginx:1.27. A selector that matches nothing fails with a clear error rather than guessing.

Common Options

  • --cluster <name|id> — defaults to the active selection.
  • --stack <name> — addons only, required when the same addon name exists in multiple stacks. Manifest names are globally unique on a cluster, so manifests upgrade has no --stack flag.
  • --dry-run — print before/after without writing.
  • -o json|yaml — machine-readable output (the --dry-run envelope is {before, after, notices}).

Example: bump image.tag for the website addon

ankra cluster addons upgrade website \
  --set image.tag=1.0.146 \
  --cluster website-demo

Example: bump a Deployment image tag in a manifest

ankra cluster manifests upgrade web \
  --set 'spec.template.spec.containers[name=app].image=nginx:1.27' \
  --cluster website-demo

v0.2.0

Helm, Kubernetes Resources & Security Hardening

Helm management, Kubernetes resource access, direct cluster selection, and client hardening.

Helm Release Commands

Commands for managing Helm releases in the active cluster:
  • ankra cluster helm releases — List Helm releases (--namespace, --all-namespaces, --output json)
  • ankra cluster helm uninstall <release> --namespace <ns> — Uninstall a Helm release

Helm Registry Commands

  • ankra helm registries list — List Helm registries
  • ankra helm registries get <name> — Get registry details
  • ankra helm registries create --name <name> --url <url> — Create a registry
  • ankra helm registries delete <name> — Delete a registry

Helm Credential Commands

  • ankra helm credentials list — List registry credentials
  • ankra helm credentials create --name <name> — Create a credential with secure prompts
  • ankra helm credentials delete <name> — Delete a credential

Kubernetes Resource Commands

Commands for accessing Kubernetes resources in the active cluster:
  • ankra cluster pods — List pods (--namespace, --all-namespaces, --output json)
  • ankra cluster resources <kind> — Get resources by kind (--namespace, --name, --output json)
  • ankra cluster logs <pod> — Stream pod logs (--namespace, --container, --follow, --tail, --previous)

Cluster Selection & Info

  • ankra cluster select <name> — Select a cluster directly by name without the interactive picker
  • ankra cluster info [name] — Show cluster details (defaults to selected cluster; replaces cluster get)

Security & Reliability

  • HTTP client timeouts and response body size limits
  • URL encoding for all API path and query parameters
  • Config file permissions restricted to owner-only (0600)
  • Machine ID hashed with SHA-256
  • Browser URL validation before opening

v0.1.129

Node Groups, UpCloud & OVH

Node group management commands and new UpCloud/OVH commands for cluster and credential management.

Node Group Commands

Available for all three providers (hetzner, ovh, upcloud):
  • ankra cluster <provider> node-group list <cluster_id> — List node groups
  • ankra cluster <provider> node-group add <cluster_id> --name <name> --instance-type <type> --count <n> — Add a group
  • ankra cluster <provider> node-group scale <cluster_id> <group_name> <count> — Scale a group
  • ankra cluster <provider> node-group upgrade <cluster_id> <group_name> <instance_type> — Upgrade instance type
  • ankra cluster <provider> node-group delete <cluster_id> <group_name> — Delete a group

UpCloud Commands

Credentials:
  • ankra credentials upcloud list — List UpCloud API credentials
  • ankra credentials upcloud create --name <name> — Create credential with secure token prompt
  • ankra credentials upcloud ssh-key list — List SSH key credentials
  • ankra credentials upcloud ssh-key create --name <name> --generate — Create SSH key
Clusters:
  • ankra cluster upcloud create — Create an UpCloud cluster
  • ankra cluster upcloud deprovision <cluster_id> — Deprovision a cluster
  • ankra cluster upcloud workers <cluster_id> — Get worker count
  • ankra cluster upcloud scale <cluster_id> <count> — Scale workers
  • ankra cluster upcloud k8s-version <cluster_id> — Get Kubernetes version
  • ankra cluster upcloud upgrade <cluster_id> <version> — Upgrade Kubernetes version

OVH Commands

Credentials:
  • ankra credentials ovh list — List OVH API credentials
  • ankra credentials ovh create --name <name> --project-id <id> — Create credential with secure prompts
  • ankra credentials ovh ssh-key list — List SSH key credentials
  • ankra credentials ovh ssh-key create --name <name> --generate — Create SSH key
Clusters:
  • ankra cluster ovh create — Create an OVH cluster
  • ankra cluster ovh deprovision <cluster_id> — Deprovision a cluster
  • ankra cluster ovh workers <cluster_id> — Get worker count
  • ankra cluster ovh scale <cluster_id> <count> — Scale workers
  • ankra cluster ovh k8s-version <cluster_id> — Get Kubernetes version
  • ankra cluster ovh upgrade <cluster_id> <version> — Upgrade Kubernetes version

v0.1.127

OVH Cloud Support

OVH Cloud commands for cluster and credential management.

OVH Credential Commands

  • ankra credentials ovh list — List OVH API credentials
  • ankra credentials ovh create --name <name> --project-id <id> — Create credential with secure prompts
  • ankra credentials ovh ssh-key list — List SSH key credentials
  • ankra credentials ovh ssh-key create --name <name> --generate — Create SSH key

OVH Cluster Commands

  • ankra cluster ovh create — Create an OVH cluster with configurable control planes, workers, networking, and gateway
  • ankra cluster ovh deprovision <cluster_id> — Deprovision a cluster
  • ankra cluster ovh workers <cluster_id> — Get worker count
  • ankra cluster ovh scale <cluster_id> <count> — Scale workers
  • ankra cluster ovh k8s-version <cluster_id> — Get Kubernetes version
  • ankra cluster ovh upgrade <cluster_id> <version> — Upgrade Kubernetes version

v0.1.125

SOPS Encryption & API Tokens

New SOPS encryption commands and API token management.

SOPS Encryption

  • ankra cluster sops-config — Display the SOPS encryption configuration
  • ankra cluster encrypt manifest <name> --key <key> -f <file> — Encrypt a manifest key
  • ankra cluster encrypt addon --name <addon> --key <key> -f <file> — Encrypt an addon key
  • ankra cluster decrypt manifest <name> -f <file> — Decrypt a manifest

API Tokens

  • ankra tokens list — List API tokens
  • ankra tokens create <name> — Create a token
  • ankra tokens revoke <id> — Revoke a token
  • ankra tokens delete <id> — Delete a revoked token