# ankra cluster

> Cluster operations

## ankra cluster

Commands for managing and operating on clusters.

**Flags**

| Flag        | Default | Description                                                                   |
| ----------- | ------- | ----------------------------------------------------------------------------- |
| `--cluster` |         | Target cluster name or ID for this command, overriding `ankra cluster select` |

## ankra cluster access

List, grant, and revoke per-user access to a cluster's Kubernetes API
through the Ankra gateway (the access used by 'ankra cluster kubeconfig' and
'ankra cluster kube-token').

Managing access requires organisation admin rights. Grants apply to one
cluster and one organisation member, identified by email.

Examples:

```bash
ankra cluster access list --cluster my-cluster
ankra cluster access grant user@example.com --cluster my-cluster --role view
ankra cluster access grant user@example.com --cluster my-cluster --role edit --namespace staging
ankra cluster access revoke user@example.com --cluster my-cluster
ankra cluster access revoke 6f1f9aca-2c3d-4e5f-8a9b-0c1d2e3f4a5b --cluster my-cluster
```

## ankra cluster access grant

Grant an organisation member access to a cluster's Kubernetes API through
the Ankra gateway.

The grant is cluster-wide by default; pass --namespace to limit it to one
namespace. Roles map to the standard Kubernetes ClusterRoles: view, edit,
admin, cluster-admin.

```bash theme={null}
ankra cluster access grant <email> [flags]
```

**Flags**

| Flag             | Default | Description                                                        |
| ---------------- | ------- | ------------------------------------------------------------------ |
| `--cluster`      |         | Cluster name or ID (defaults to the selected cluster)              |
| `--namespace`    |         | Limit the grant to one namespace (default: cluster-wide)           |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)              |
| `--role`         | `view`  | Kubernetes role for the grant: view, edit, admin, or cluster-admin |

## ankra cluster access list

List access grants for a cluster

```bash theme={null}
ankra cluster access list [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `--cluster`      |         | Cluster name or ID (defaults to the selected cluster) |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster access revoke

Revoke gateway access from a cluster.

Pass a grant ID (from 'ankra cluster access list') to revoke a single grant,
or an email address to revoke every grant that member has on the cluster.

```bash theme={null}
ankra cluster access revoke <grant-id|email> [flags]
```

**Flags**

| Flag        | Default | Description                                           |
| ----------- | ------- | ----------------------------------------------------- |
| `--cluster` |         | Cluster name or ID (defaults to the selected cluster) |

## ankra cluster addons

Commands to list, manage settings, and uninstall addons.

## ankra cluster addons available

List addons available for installation

```bash theme={null}
ankra cluster addons available [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster addons list

List addons for the active cluster, or show details for a single addon

```bash theme={null}
ankra cluster addons list [addon name] [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster addons settings

Get settings for an addon

```bash theme={null}
ankra cluster addons settings <addon_name> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster addons uninstall

Uninstall an addon from the cluster

```bash theme={null}
ankra cluster addons uninstall <addon_name> [flags]
```

**Flags**

| Flag       | Default | Description                       |
| ---------- | ------- | --------------------------------- |
| `--delete` | `false` | Also delete the addon permanently |
| `--yes`    | `false` | Skip the confirmation prompt      |

## ankra cluster addons update

Update addon settings by providing a JSON file that conforms to the settings schema.

Example JSON file:

```json
{
  "retry_policy": { "limit": 3, "backoff": { "duration": "5s", "factor": 2, "max_duration": "3m" } },
  "sync_policy": { "automated": true, "self_heal": true, "auto_prune": false },
  "revision_history_limit": 10
}
```

Usage:

```bash
ankra cluster addons update my-addon -f settings.json
```

```bash theme={null}
ankra cluster addons update <addon_name> [flags]
```

**Flags**

| Flag           | Default | Description                           |
| -------------- | ------- | ------------------------------------- |
| `-f`, `--file` |         | Path to JSON settings file (required) |

## ankra cluster addons upgrade

Upgrade an addon by patching just the fields you supply.

At least one mutating flag is required. Examples:

```bash
# Bump chart version
ankra cluster addons upgrade ankra-website --chart-version 1.0.146 \
  --cluster website-demo

# Tweak a single Helm values field with --set (mutates the existing values)
ankra cluster addons upgrade website --set image.tag=1.0.146 \
  --cluster website-demo

# Address a list item by a field instead of an index
ankra cluster addons upgrade website --set 'env[name=LOG_LEVEL].value=debug' \
  --cluster website-demo

# Replace the whole values document
ankra cluster addons upgrade website \
  --values-from-file ./values.yaml --cluster website-demo
```

`--set*` and `--values-from-file` are mutually exclusive: `--set*` mutates the
existing values document while `--values-from-file` replaces it.

Changing `--namespace` is destructive: Helm reinstalls the addon in the new
namespace and leaves the old release orphaned. Pass `--yes` to skip the
confirmation prompt, or confirm interactively.

```bash theme={null}
ankra cluster addons upgrade <addon_name> [flags]
```

**Flags**

| Flag                         | Default | Description                                                                                                        |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------ |
| `--add-parent`               | `[]`    | Add a dependency parent, e.g. --add-parent name=infisical-ns,kind=manifest (kind defaults to manifest; repeatable) |
| `--chart-version`            |         | New chart version to install                                                                                       |
| `--cluster`                  |         | Target cluster (name or ID); defaults to the active selection                                                      |
| `--dry-run`                  | `false` | Print the proposed before/after spec without applying changes                                                      |
| `--namespace`                |         | Change the addon's namespace (destructive: Helm reinstall)                                                         |
| `-o`, `--output`             |         | Output format: json or yaml (default: human-readable)                                                              |
| `--registry-credential-name` |         | New helm registry credential name                                                                                  |
| `--registry-name`            |         | New helm registry name                                                                                             |
| `--registry-url`             |         | New helm registry URL                                                                                              |
| `--remove-parent`            | `[]`    | Remove a dependency parent, e.g. --remove-parent name=infisical-ns,kind=manifest (repeatable)                      |
| `--set`                      | `[]`    | Helm-style values mutation, e.g. --set image.tag=1.0.0 (MUTATES existing values; repeatable, comma-separated)      |
| `--set-file`                 | `[]`    | Like --set but reads the value from a file: key=path or key=@path                                                  |
| `--set-parent`               | `[]`    | Replace ALL dependency parents with the given set (repeatable); pass none with the others to clear                 |
| `--set-string`               | `[]`    | Like --set but always treats the value as a string                                                                 |
| `--stack`                    |         | Stack name (required when the addon exists in multiple stacks)                                                     |
| `--values`                   |         | Use `-` to read values YAML from stdin (REPLACES the entire values document)                                       |
| `--values-from-file`         |         | Path to YAML values file (REPLACES the entire values document)                                                     |
| `--yes`                      | `false` | Skip the confirmation prompt for destructive changes (--namespace)                                                 |

## ankra cluster addons values

Print the current Helm values document for an addon.

By default the decoded YAML is written to stdout, making it easy to pipe into
a file or edit and re-apply with --values-from-file:

```bash
ankra cluster addons values my-addon > values.yaml
ankra cluster addons values my-addon -o raw   # base64-encoded form
```

```bash theme={null}
ankra cluster addons values <addon_name> [flags]
```

**Flags**

| Flag             | Default | Description                                                   |
| ---------------- | ------- | ------------------------------------------------------------- |
| `--cluster`      |         | Target cluster (name or ID); defaults to the active selection |
| `-o`, `--output` |         | Output format: yaml (decoded, default) or raw (base64)        |

## ankra cluster agent

Commands to view agent status, get tokens, and upgrade agents.

## ankra cluster agent status

Get agent status for the selected cluster

```bash theme={null}
ankra cluster agent status [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster agent token

Get or generate agent token for the selected cluster

```bash theme={null}
ankra cluster agent token [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `--generate`     | `false` | Generate a new agent token                            |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster agent upgrade

Upgrade the agent on the selected cluster

```bash theme={null}
ankra cluster agent upgrade
```

## ankra cluster apply

Apply an ImportCluster YAML to the Ankra API

```bash theme={null}
ankra cluster apply [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `--dry-run`      | `false` | Validate the ImportCluster YAML locally without calling the API                                         |
| `-f`, `--file`   |         | Path to the ImportCluster YAML file to apply                                                            |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster clear

Clear the active cluster selection

```bash theme={null}
ankra cluster clear
```

## ankra cluster clone

Clone stacks from an existing cluster ImportCluster YAML to a new cluster.

The source can be either a local file path or a URL (http/https).

Examples:

```bash
ankra cluster clone cluster.yaml new-cluster.yaml
ankra cluster clone https://github.com/user/repo/raw/main/cluster.yaml new-cluster.yaml
ankra cluster clone cluster.yaml new-cluster.yaml --stack "monitoring" --stack "networking"
```

Flags:

- `--clean`: Replace all stacks in the new cluster with those from the existing cluster
- `--force`: Force merge even when stack/addon/manifest names conflict
- `--copy-missing`: Copy missing files even for skipped stacks
- `--stack`: Clone only specific stacks by name (can be used multiple times)

Without flags: Merge stacks, skipping any with conflicting names

```bash theme={null}
ankra cluster clone <existing_cluster_file_or_url> <new_cluster_path> [flags]
```

**Flags**

| Flag             | Default | Description                                                     |
| ---------------- | ------- | --------------------------------------------------------------- |
| `--clean`        | `false` | Replace all stacks in the new cluster                           |
| `--copy-missing` | `false` | Copy missing files even for skipped stacks                      |
| `--force`        | `false` | Force merge even when names conflict                            |
| `--stack`        | `[]`    | Clone only specific stacks by name (can be used multiple times) |

## ankra cluster decrypt

Decrypt SOPS-encrypted values stored on a cluster or in a local cluster.yaml.

## ankra cluster decrypt addon

Decrypt a SOPS-encrypted addon's Helm values and print the result to stdout.

Two modes:

- Cluster mode (default): fetch the addon values from a live cluster, decrypt,
  and print to stdout.
- File mode (`-f cluster.yaml`): read the addon values file referenced from a
  local cluster.yaml, decrypt, and print to stdout.

Examples:

```bash
ankra cluster decrypt addon --name grafana
ankra cluster decrypt addon --name grafana --cluster prod --stack monitoring
ankra cluster decrypt addon --name grafana -f cluster.yaml
```

```bash theme={null}
ankra cluster decrypt addon [flags]
```

**Flags**

| Flag           | Default | Description                                                                  |
| -------------- | ------- | ---------------------------------------------------------------------------- |
| `--cluster`    |         | Target cluster (name or ID); defaults to the active selection (cluster mode) |
| `-f`, `--file` |         | Path to a local cluster YAML (enables file mode)                             |
| `--name`       |         | Name of the addon (required)                                                 |
| `--stack`      |         | Stack name (cluster mode; required when the addon exists in multiple stacks) |

## ankra cluster decrypt manifest

Decrypt a SOPS-encrypted manifest and print the result to stdout.

Two modes:

- Cluster mode (default): fetch the manifest from a live cluster, decrypt it,
  and print to stdout.
- File mode (`-f cluster.yaml`): read the manifest file referenced from a local
  cluster.yaml, decrypt it, and print to stdout.

Examples:

```bash
# Cluster mode against the selected cluster
ankra cluster decrypt manifest db-secret

# Cluster mode against a specific cluster
ankra cluster decrypt manifest db-secret --cluster prod

# File mode
ankra cluster decrypt manifest db-secret -f cluster.yaml
```

```bash theme={null}
ankra cluster decrypt manifest <manifest_name> [flags]
```

**Flags**

| Flag           | Default | Description                                                                  |
| -------------- | ------- | ---------------------------------------------------------------------------- |
| `--cluster`    |         | Target cluster (name or ID); defaults to the active selection (cluster mode) |
| `-f`, `--file` |         | Path to a local cluster YAML (enables file mode)                             |

## ankra cluster deprovision

Stop a running managed cluster. This will shut down the cluster but not delete it.

If no cluster name is provided, uses the currently selected cluster.

For cloud clusters (hetzner, ovh, upcloud) this command routes to the provider-specific
deprovision endpoint so cloud resources are released.

```bash theme={null}
ankra cluster deprovision [cluster_name] [flags]
```

**Flags**

| Flag             | Default | Description                                                 |
| ---------------- | ------- | ----------------------------------------------------------- |
| `--auto-delete`  | `false` | Automatically delete the cluster after deprovisioning       |
| `--force`        | `false` | Force deprovision even if cluster is in an unexpected state |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)       |
| `--yes`          | `false` | Skip the confirmation prompt                                |

## ankra cluster draft

Stage all changes in an ImportCluster YAML as drafts on the cluster
without deploying anything. The local checks run first (the same ones as
'ankra cluster apply --dry-run'), then each stack in the file is saved as a
resource draft you can review, edit, and deploy from the Ankra stack builder.

If the cluster does not exist yet it is imported first without its stacks,
since drafts can only be attached to an existing cluster; every stack in the
file is then staged as a draft. Stacks that already match the cluster's
desired state are reported as "no changes" rather than creating an empty
draft.

```bash theme={null}
ankra cluster draft [flags]
```

**Flags**

| Flag             | Default | Description                                            |
| ---------------- | ------- | ------------------------------------------------------ |
| `-f`, `--file`   |         | Path to the ImportCluster YAML file to stage as drafts |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)  |

## ankra cluster encrypt

Encrypt sensitive values in manifest or addon configuration files using SOPS.

## ankra cluster encrypt addon

Encrypt a specific key in an addon's Helm values using SOPS.

`--key` takes the YAML key name whose values should be encrypted. SOPS matches
key names anywhere in the document, not dotted paths; a dotted `--key` is
normalised to its last segment. A key whose own name starts with a dot (such
as ".dockerconfigjson") is kept literally. After encrypting, the CLI verifies
the value is actually `ENC[...]` ciphertext and fails if it is not.

Two modes:

- Cluster mode (default): fetch the addon's values from a live cluster,
  encrypt the key, and push the result back via the partial-stack PATCH
  endpoint. The owning stack is resolved automatically.
- File mode (`-f cluster.yaml`): rewrite the local addon values file referenced
  by the cluster.yaml in place, adding the key to `encrypted_paths`.

Examples:

```bash
# Cluster mode against the selected cluster
ankra cluster encrypt addon --name grafana --key adminPassword

# Cluster mode against a specific cluster, disambiguating stack
ankra cluster encrypt addon --name grafana --key adminPassword --cluster prod --stack monitoring

# File mode
ankra cluster encrypt addon --name grafana --key adminPassword -f cluster.yaml
```

```bash theme={null}
ankra cluster encrypt addon [flags]
```

**Flags**

| Flag           | Default | Description                                                                                                                                      |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--cluster`    |         | Target cluster (name or ID); defaults to the active selection (cluster mode)                                                                     |
| `-f`, `--file` |         | Path to a local cluster YAML (enables file mode)                                                                                                 |
| `--key`        |         | YAML key name to encrypt (required); dotted paths are normalised to the last segment, a leading-dot key like .dockerconfigjson is kept literally |
| `--name`       |         | Name of the addon (required)                                                                                                                     |
| `--stack`      |         | Stack name (cluster mode; required when the addon exists in multiple stacks)                                                                     |

## ankra cluster encrypt manifest

Encrypt a specific key in a manifest using SOPS.

`--key` takes the YAML key name whose values should be encrypted (for a Secret's
data.password, that is "password"). SOPS matches key names anywhere in the
document, not dotted paths; a dotted `--key` is normalised to its last segment.
A key whose own name starts with a dot (such as ".dockerconfigjson" in a
kubernetes.io/dockerconfigjson Secret) is kept literally. After encrypting, the
CLI verifies the value is actually `ENC[...]` ciphertext and fails if it is not.

Two modes:

- Cluster mode (default): fetch the manifest from a live cluster, encrypt the
  key, and push the result back via the partial-stack PATCH endpoint. The
  owning stack is resolved automatically.
- File mode (`-f cluster.yaml`): rewrite a local cluster.yaml's referenced
  `from_file` in place, adding the key to `encrypted_paths` in the file. Used by
  GitOps workflows where the source of truth is on disk.

Examples:

```bash
# Cluster mode against the selected cluster
ankra cluster encrypt manifest db-secret --key password

# Cluster mode against a specific cluster
ankra cluster encrypt manifest db-secret --key password --cluster prod

# File mode
ankra cluster encrypt manifest db-secret --key password -f cluster.yaml
```

```bash theme={null}
ankra cluster encrypt manifest <manifest_name> [flags]
```

**Flags**

| Flag           | Default | Description                                                                                                                                      |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--cluster`    |         | Target cluster (name or ID); defaults to the active selection (cluster mode)                                                                     |
| `-f`, `--file` |         | Path to a local cluster YAML (enables file mode)                                                                                                 |
| `--key`        |         | YAML key name to encrypt (required); dotted paths are normalised to the last segment, a leading-dot key like .dockerconfigjson is kept literally |
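
The key-name rule and the `ENC[...]` check described for `encrypt addon` and `encrypt manifest`, as an added example that is not Ankra's code: a repository-side audit for file mode that normalises a `--key` value the way the text describes, finds every key of that name at any depth, and reports leaves that are still plaintext. `normalise_key`, `audit` and the sample Secrets are constructed for illustration; the value pattern is the standard SOPS scalar layout, and rejecting a key that ends in a dot is an assumption.

```python
import re

# Standard SOPS scalar layout; stricter than the bare "ENC[...]" wording on the page.
SOPS_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$"
)


def normalise_key(key: str) -> str:
    """Apply the documented rule: a dotted path becomes its last segment,
    a name that itself starts with a dot is kept literally."""
    if not key:
        raise ValueError("empty key")
    if key.startswith("."):
        return key
    name = key.rsplit(".", 1)[-1]
    if not name:
        # Assumption: a trailing dot leaves nothing to match, so reject it.
        raise ValueError(f"key {key!r} has no final segment")
    return name


def find_key(node, name, path=""):
    """Yield (path, value) for every mapping key called `name`, at any depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}/{k}"
            if k == name:
                yield here, v
            else:
                yield from find_key(v, name, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_key(item, name, f"{path}/{i}")


def leaves(node, path):
    """Yield (path, scalar) for every leaf below a matched key."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, f"{path}/{i}")
    else:
        yield path, node


def audit(doc, key):
    """Report which leaves under the normalised key name are not SOPS ciphertext."""
    name = normalise_key(key)
    hits = [leaf for p, v in find_key(doc, name) for leaf in leaves(v, p)]
    plaintext = [
        p for p, v in hits if not (isinstance(v, str) and SOPS_VALUE.match(v))
    ]
    return {"key": name, "matched": [p for p, _ in hits], "plaintext": plaintext}


# Constructed placeholder in SOPS layout, not real ciphertext.
ENC = "ENC[AES256_GCM,data:c2FtcGxl,iv:c2FtcGxlaXY=,tag:c2FtcGxldGFn,type:str]"

# Constructed manifests, already parsed from YAML into Python objects.
SECRET_OK = {
    "kind": "Secret",
    "metadata": {"name": "db-secret"},
    "data": {"username": "YXBw", "password": ENC},
}
SECRET_DRIFTED = {
    "kind": "Secret",
    "metadata": {"name": "db-secret"},
    "data": {"username": "YXBw", "password": ENC},
    # A same-named key added by hand after encryption: name matching covers
    # it too, so the audit flags it even though --key said "data.password".
    "stringData": {"password": "example-plaintext"},
}
REGISTRY_SECRET = {
    "kind": "Secret",
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": ENC},
}

if __name__ == "__main__":
    for label, doc, key in [
        ("ok", SECRET_OK, "data.password"),
        ("drifted", SECRET_DRIFTED, "data.password"),
        ("registry", REGISTRY_SECRET, ".dockerconfigjson"),
    ]:
        print(label, audit(doc, key))
```

Run as a pre-commit or CI step over the files a cluster.yaml references, a non-empty `plaintext` list is the condition to fail on.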

## ankra cluster get

Get Kubernetes resources from the active cluster.

Examples:

```bash
ankra cluster get pods
ankra cluster get deployments -n kube-system
ankra cluster get nodes
ankra cluster get services --all-namespaces
```

## ankra cluster get configmaps

List configmaps in the cluster

```bash theme={null}
ankra cluster get configmaps [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster get cronjobs

List cronjobs in the cluster

```bash theme={null}
ankra cluster get cronjobs [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster get daemonsets

List daemonsets in the cluster

```bash theme={null}
ankra cluster get daemonsets [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster get deployments

List deployments in the cluster

```bash theme={null}
ankra cluster get deployments [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster get events

List events in the cluster

```bash theme={null}
ankra cluster get events [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster get ingresses

List ingresses in the cluster

```bash theme={null}
ankra cluster get ingresses [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster get k8s-jobs

List Kubernetes jobs in the cluster

```bash theme={null}
ankra cluster get k8s-jobs [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster get namespaces

List namespaces in the cluster

```bash theme={null}
ankra cluster get namespaces [name] [flags]
```

**Flags**

| Flag               | Default | Description                      |
| ------------------ | ------- | -------------------------------- |
| `--name`           |         | Filter by resource name          |
| `-o`, `--output`   | `table` | Output format: table, json, yaml |
| `-l`, `--selector` |         | Label selector                   |

## ankra cluster get nodes

List nodes in the cluster

```bash theme={null}
ankra cluster get nodes [name] [flags]
```

**Flags**

| Flag               | Default | Description                      |
| ------------------ | ------- | -------------------------------- |
| `--name`           |         | Filter by resource name          |
| `-o`, `--output`   | `table` | Output format: table, json, yaml |
| `-l`, `--selector` |         | Label selector                   |

## ankra cluster get pods

List pods or get a specific pod's manifest

```bash theme={null}
ankra cluster get pods [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by pod name (contains)    |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `--node`                 |         | Filter by node name              |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |

## ankra cluster get resources

Fetch any Kubernetes resource type. Use for kinds not covered by dedicated commands.

Example:

```bash
ankra cluster resources PersistentVolumeClaim -n default
ankra cluster resources NetworkPolicy --all-namespaces
```

```bash theme={null}
ankra cluster get resources <kind> [flags]
```

**Flags**

| Flag                     | Default | Description                              |
| ------------------------ | ------- | ---------------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces               |
| `--api-version`          | `v1`    | API version (e.g. v1, v1beta1)           |
| `--group`                |         | API group (e.g. apps, networking.k8s.io) |
| `--name`                 |         | Filter by resource name                  |
| `-n`, `--namespace`      |         | Kubernetes namespace                     |
| `-o`, `--output`         | `table` | Output format: table, json, yaml         |
| `-l`, `--selector`       |         | Label selector                           |

## ankra cluster get secrets

List secrets in the cluster

```bash theme={null}
ankra cluster get secrets [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster get services

List services in the cluster

```bash theme={null}
ankra cluster get services [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster get statefulsets

List statefulsets in the cluster

```bash theme={null}
ankra cluster get statefulsets [name] [flags]
```

**Flags**

| Flag                     | Default | Description                      |
| ------------------------ | ------- | -------------------------------- |
| `-A`, `--all-namespaces` | `false` | List across all namespaces       |
| `--name`                 |         | Filter by resource name          |
| `-n`, `--namespace`      |         | Kubernetes namespace             |
| `-o`, `--output`         | `table` | Output format: table, json, yaml |
| `-l`, `--selector`       |         | Label selector                   |

## ankra cluster helm

Commands to list and uninstall Helm releases running in the cluster.

## ankra cluster helm releases

List Helm releases in the cluster

```bash theme={null}
ankra cluster helm releases [flags]
```

**Flags**

| Flag                     | Default | Description                          |
| ------------------------ | ------- | ------------------------------------ |
| `-A`, `--all-namespaces` | `false` | List across all namespaces (default) |
| `-n`, `--namespace`      |         | Kubernetes namespace                 |
| `-o`, `--output`         | `table` | Output format: table, json           |

## ankra cluster helm uninstall

Uninstall a Helm release from the cluster

```bash theme={null}
ankra cluster helm uninstall <release_name> [flags]
```

**Flags**

| Flag                | Default | Description                     |
| ------------------- | ------- | ------------------------------- |
| `-n`, `--namespace` |         | Kubernetes namespace (required) |
| `--yes`             | `false` | Skip the confirmation prompt    |

## ankra cluster hetzner

Commands to create, deprovision, and scale Hetzner clusters.

## ankra cluster hetzner control-plane

Inspect and change the control plane configuration. The cluster must be stopped
to change the controller count or instance type. Only 1 or 3 controllers are
allowed (etcd needs an odd number of voting members for quorum). Changes apply
the next time the cluster is started.

## ankra cluster hetzner control-plane get

Show the current control plane configuration

```bash theme={null}
ankra cluster hetzner control-plane get <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster hetzner control-plane set-count

Change the controller count (1 or 3)

```bash theme={null}
ankra cluster hetzner control-plane set-count <cluster_id> <count> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster hetzner control-plane set-instance-type

Change the controller instance type

```bash theme={null}
ankra cluster hetzner control-plane set-instance-type <cluster_id> <instance_type> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster hetzner create

Create a new Hetzner cluster

```bash theme={null}
ankra cluster hetzner create [flags]
```

**Flags**

| Flag                          | Default       | Description                                                                                                                                                                                                    |
| ----------------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--bastion-server-type`       | `cx23`        | Bastion server type                                                                                                                                                                                            |
| `--control-plane-count`       | `1`           | Number of control plane nodes                                                                                                                                                                                  |
| `--control-plane-server-type` | `cx33`        | Control plane server type                                                                                                                                                                                      |
| `--credential-id`             |               | Hetzner API credential ID (required)                                                                                                                                                                           |
| `--distribution`              | `k3s`         | Kubernetes distribution                                                                                                                                                                                        |
| `--external-cloud-provider`   | `true`        | Install the Hetzner CCM and CSI (cloud-provider=external) for LoadBalancers and persistent volumes (default on; pass --external-cloud-provider=false to skip, which also disables --include-networking)        |
| `--gitops-branch`             | `master`      | GitOps branch to commit to                                                                                                                                                                                     |
| `--gitops-credential-name`    |               | GitOps GitHub credential name; when set with --gitops-repository, the generated hcloud stack is committed to Git (optional)                                                                                    |
| `--gitops-repository`         |               | GitOps repository (e.g. org/repo) to commit the generated stack to (optional)                                                                                                                                  |
| `--include-networking`        | `true`        | Install Traefik + cert-manager for ingress (default on; pass --include-networking=false to skip). Requires --external-cloud-provider (the ingress LoadBalancer is provisioned by the cloud controller manager) |
| `--kubernetes-version`        |               | Kubernetes version (optional)                                                                                                                                                                                  |
| `--location`                  |               | Hetzner location (required)                                                                                                                                                                                    |
| `--name`                      |               | Cluster name (required)                                                                                                                                                                                        |
| `--network-ip-range`          | `10.0.0.0/16` | Network IP range                                                                                                                                                                                               |
| `-o`, `--output`              |               | Output format: json or yaml (default: human-readable)                                                                                                                                                          |
| `--ssh-key-credential-id`     |               | SSH key credential ID (single key, use --ssh-key-credential-ids for multiple)                                                                                                                                  |
| `--ssh-key-credential-ids`    | `[]`          | SSH key credential IDs (comma-separated or repeated)                                                                                                                                                           |
| `--subnet-range`              | `10.0.1.0/24` | Subnet range                                                                                                                                                                                                   |
| `--worker-count`              | `1`           | Number of worker nodes                                                                                                                                                                                         |
| `--worker-server-type`        | `cx33`        | Worker server type                                                                                                                                                                                             |

## ankra cluster hetzner deprovision

Initiate asynchronous deprovision of a Hetzner cluster. The platform schedules teardown jobs that delete cloud resources (servers, networks, SSH keys). Cloud resources are not deleted by the time this command returns; track progress via operations or the UI.

```bash theme={null}
ankra cluster hetzner deprovision <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                                                                |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| `--force`        | `false` | Force deprovision without waiting for the cluster agent (use only when the cluster agent is permanently offline; cloud resources may leak) |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                                                      |
| `--yes`          | `false` | Skip the confirmation prompt                                                                                                               |

## ankra cluster hetzner k8s-version

Get current Kubernetes version for a Hetzner cluster

```bash theme={null}
ankra cluster hetzner k8s-version <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster hetzner locations

List the Hetzner Cloud locations the supplied credential can deploy in. Only these locations are valid for cluster creation.

```bash theme={null}
ankra cluster hetzner locations [flags]
```

**Flags**

| Flag              | Default | Description                          |
| ----------------- | ------- | ------------------------------------ |
| `--credential-id` |         | Hetzner API credential ID (required) |

## ankra cluster hetzner node-group

List, add, scale, upgrade, and delete node groups.

## ankra cluster hetzner node-group add

Add a node group

```bash theme={null}
ankra cluster hetzner node-group add <cluster_id> [flags]
```

**Flags**

| Flag              | Default | Description                                                                                             |
| ----------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `--count`         | `1`     | Number of nodes (0-100)                                                                                 |
| `--instance-type` | `cx33`  | Server type for nodes                                                                                   |
| `--name`          |         | Node group name (required)                                                                              |
| `-o`, `--output`  |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`       | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`          | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster hetzner node-group delete

Delete a node group and all its nodes

```bash theme={null}
ankra cluster hetzner node-group delete <cluster_id> <group_name> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |
| `--yes`          | `false` | Skip the confirmation prompt                                                                            |

## ankra cluster hetzner node-group list

List node groups

```bash theme={null}
ankra cluster hetzner node-group list <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster hetzner node-group scale

Scale a node group

```bash theme={null}
ankra cluster hetzner node-group scale <cluster_id> <group_name> <count> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster hetzner node-group upgrade

Upgrade instance type for a node group (cannot be reversed)

```bash theme={null}
ankra cluster hetzner node-group upgrade <cluster_id> <group_name> <instance_type> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster hetzner nodes

Inspect every server Ankra manages for the cluster (control plane, workers,
and bastion or gateway). Soft-deleted entries from a stopped cluster are
included so the saved topology is visible before re-provisioning.

## ankra cluster hetzner nodes get

Show full spec and metadata for a single node

```bash theme={null}
ankra cluster hetzner nodes get <cluster_id> <node_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster hetzner nodes list

List all nodes for the cluster

```bash theme={null}
ankra cluster hetzner nodes list <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster hetzner scale

Scale the number of worker nodes up or down for a Hetzner cluster.

```bash theme={null}
ankra cluster hetzner scale <cluster_id> <worker_count> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster hetzner server-types

List Hetzner Cloud server types. Pass --location to see which types are currently available for provisioning there, and --available-only to hide the rest.

```bash theme={null}
ankra cluster hetzner server-types [flags]
```

**Flags**

| Flag               | Default | Description                                                             |
| ------------------ | ------- | ----------------------------------------------------------------------- |
| `--available-only` | `false` | Only show server types available for provisioning (use with --location) |
| `--credential-id`  |         | Hetzner API credential ID (required)                                    |
| `--location`       |         | Filter availability by location                                         |

## ankra cluster hetzner upgrade

Upgrade the Kubernetes (k3s) version on all nodes in a Hetzner cluster.

```bash theme={null}
ankra cluster hetzner upgrade <cluster_id> <target_version> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster hetzner workers

Get current worker count for a Hetzner cluster

```bash theme={null}
ankra cluster hetzner workers <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster info

Show details of a specific cluster.

If no name is provided, shows details for the currently selected cluster.

```bash theme={null}
ankra cluster info [name] [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster k3s-versions

List the k3s versions the platform can provision or upgrade to. Use one of these values with `ankra cluster upgrade <cluster_id> <target_version>` (the provider is detected automatically).

```bash theme={null}
ankra cluster k3s-versions
```

## ankra cluster kube-token

Print a short-lived Kubernetes ExecCredential so kubectl can authenticate to the
Ankra cluster gateway.

This command is intended to be invoked by kubectl as a client-go credential plugin,
for example in a kubeconfig:

```yaml theme={null}
users:
- name: ankra
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      command: ankra
      args: ["cluster", "kube-token", "--cluster", "<cluster-name-or-id>", "--org", "<organisation-id>"]
```

Pinning --org to the cluster's organisation ID keeps the entry working when
your selected organisation differs from the cluster's ('ankra cluster
kubeconfig add' writes it automatically).

It prints JSON to stdout and never prompts; run 'ankra login' first.

```bash theme={null}
ankra cluster kube-token [flags]
```

**Flags**

| Flag        | Default | Description                                           |
| ----------- | ------- | ----------------------------------------------------- |
| `--cluster` |         | Cluster name or ID (defaults to the selected cluster) |

## ankra cluster kubeconfig

Add, remove, and list the Ankra cluster contexts in your kubeconfig.

By default 'add' writes an exec-based context that fetches a short-lived token
on demand via 'ankra cluster kube-token', so credentials stay ephemeral and
SSO-backed (run 'ankra login' once). Other clusters/users/contexts already in
your kubeconfig are left untouched.

These commands read and write a single file: --kubeconfig if given, otherwise
the first entry of \$KUBECONFIG, otherwise \~/.kube/config.

Examples:

```bash theme={null}
ankra cluster kubeconfig add --cluster my-cluster --use
ankra cluster kubeconfig add --all
ankra cluster kubeconfig add --cluster my-cluster --print > my-cluster.yaml
ankra cluster kubeconfig list
ankra cluster kubeconfig remove --cluster my-cluster
ankra cluster kubeconfig remove --all
```

## ankra cluster kubeconfig add

Add or update an Ankra context in your kubeconfig

```bash theme={null}
ankra cluster kubeconfig add [flags]
```

**Flags**

| Flag                         | Default | Description                                                                                              |
| ---------------------------- | ------- | -------------------------------------------------------------------------------------------------------- |
| `--all`                      | `false` | Add every cluster you can access                                                                         |
| `--cluster`                  |         | Cluster name or ID (defaults to the selected cluster)                                                    |
| `--embed-token`              | `false` | Embed a short-lived token instead of the exec credential plugin                                          |
| `--exec-command`             | `ankra` | Executable kubectl invokes for credentials in exec mode (use an absolute path if 'ankra' is not on PATH) |
| `--insecure-skip-tls-verify` | `false` | Skip TLS verification for the cluster server (dev only)                                                  |
| `--kubeconfig`               |         | Path to the kubeconfig file (default: \$KUBECONFIG or \~/.kube/config)                                   |
| `--namespace`                |         | Default namespace for the context                                                                        |
| `--print`                    | `false` | Print a standalone kubeconfig to stdout instead of writing the file                                      |
| `--use`                      | `false` | Set the added context as the active current-context                                                      |
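
A kubeconfig audit for the settings described above, as an added example that is not part of the Ankra CLI or its documentation. It assumes the kubeconfig is supplied as JSON from `kubectl config view --raw -o json` and that `--embed-token` writes a static `token` on the user entry; the sample config, names and finding codes are constructed.

```python
import json
import os.path
import sys

# Constructed sample in the shape of `kubectl config view --raw -o json`.
# Server URLs, names, the organisation ID and the token are placeholders.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "prod", "cluster": {"server": "https://gateway.example.invalid/prod"}},
        {"name": "dev", "cluster": {"server": "https://gateway.example.invalid/dev",
                                    "insecure-skip-tls-verify": True}},
    ],
    "users": [
        {"name": "prod-exec", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1",
            "command": "/usr/local/bin/ankra",
            "args": ["cluster", "kube-token", "--cluster", "prod",
                     "--org", "org-placeholder"]}}},
        {"name": "dev-exec", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1",
            "command": "ankra",
            "args": ["cluster", "kube-token", "--cluster", "dev"]}}},
        {"name": "dev-embedded", "user": {"token": "constructed-placeholder-token"}},
    ],
    "contexts": [
        {"name": "prod", "context": {"cluster": "prod", "user": "prod-exec"}},
        {"name": "dev", "context": {"cluster": "dev", "user": "dev-exec"}},
        {"name": "dev-static", "context": {"cluster": "dev", "user": "dev-embedded"}},
    ],
}


def _by_name(entries, key):
    """Index a kubeconfig list ([{name, <key>: {...}}, ...]) by entry name."""
    return {e.get("name"): (e.get(key) or {}) for e in entries or []}


def _has_flag(args, flag):
    """True if `flag` appears as '--flag value' or '--flag=value'."""
    return any(a == flag or a.startswith(flag + "=") for a in args)


def audit_kubeconfig(cfg):
    """Return (context_name, finding_code) tuples, in context order."""
    clusters = _by_name(cfg.get("clusters"), "cluster")
    users = _by_name(cfg.get("users"), "user")
    findings = []
    for entry in cfg.get("contexts") or []:
        name = entry.get("name")
        ctx = entry.get("context") or {}
        cluster = clusters.get(ctx.get("cluster"), {})
        user = users.get(ctx.get("user"), {})

        # --insecure-skip-tls-verify: the server certificate is not checked.
        if cluster.get("insecure-skip-tls-verify") is True:
            findings.append((name, "tls-verify-disabled"))

        # A bearer token stored in the file is readable by anyone who can
        # read the kubeconfig, for as long as the token remains valid.
        if user.get("token"):
            findings.append((name, "static-token"))

        exec_cfg = user.get("exec") or {}
        args = exec_cfg.get("args") or []
        if "kube-token" in args:
            # kubectl resolves a bare command name through PATH, so which
            # binary runs depends on the caller's environment.
            if not os.path.isabs(exec_cfg.get("command", "")):
                findings.append((name, "exec-command-not-absolute"))
            # Informational: without --org the entry depends on the
            # currently selected organisation.
            if not _has_flag(args, "--org"):
                findings.append((name, "org-not-pinned"))
    return findings


if __name__ == "__main__":
    # Usage: kubectl config view --raw -o json > cfg.json; python audit.py cfg.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            config = json.load(fh)
    else:
        config = SAMPLE
    for context_name, code in audit_kubeconfig(config):
        print(f"{context_name}: {code}")
```
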

## ankra cluster kubeconfig list

List Ankra-managed contexts in your kubeconfig

```bash theme={null}
ankra cluster kubeconfig list [flags]
```

**Flags**

| Flag           | Default | Description                                                            |
| -------------- | ------- | ---------------------------------------------------------------------- |
| `--kubeconfig` |         | Path to the kubeconfig file (default: \$KUBECONFIG or \~/.kube/config) |

## ankra cluster kubeconfig remove

Remove Ankra contexts from your kubeconfig

```bash theme={null}
ankra cluster kubeconfig remove [flags]
```

**Flags**

| Flag           | Default | Description                                                            |
| -------------- | ------- | ---------------------------------------------------------------------- |
| `--all`        | `false` | Remove all Ankra-managed contexts                                      |
| `--cluster`    |         | Cluster name or ID                                                     |
| `--kubeconfig` |         | Path to the kubeconfig file (default: \$KUBECONFIG or \~/.kube/config) |

## ankra cluster list

List all clusters

```bash theme={null}
ankra cluster list [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster logs

Stream log output from a pod in the active cluster.

Example:

```bash theme={null}
ankra cluster logs my-pod -n default -c my-container --tail 100
```

```bash theme={null}
ankra cluster logs <pod_name> [flags]
```

**Flags**

| Flag                | Default | Description                              |
| ------------------- | ------- | ---------------------------------------- |
| `-c`, `--container` |         | Container name (defaults to pod name)    |
| `-n`, `--namespace` |         | Kubernetes namespace (required)          |
| `--since`           | `0`     | Seconds of logs to retrieve              |
| `--tail`            | `0`     | Number of lines from the end of the logs |

## ankra cluster manifests

Commands to list, view, upgrade, and delete manifests.

## ankra cluster manifests delete

Disconnect a manifest from its stack. The manifest's resources are
removed from the cluster and dependent resources are reconnected to the
manifest's own parents.

The owning stack is discovered automatically (manifest names are unique per
cluster). Use --dry-run to preview the target without making changes.

```bash theme={null}
ankra cluster manifests delete <manifest_name> [flags]
```

**Flags**

| Flag        | Default | Description                                                          |
| ----------- | ------- | -------------------------------------------------------------------- |
| `--cluster` |         | Target cluster (name or ID); defaults to the active selection        |
| `--dry-run` | `false` | Print the manifest that would be disconnected without making changes |
| `--yes`     | `false` | Skip the confirmation prompt                                         |

## ankra cluster manifests get

Print the current YAML content of a manifest.

By default the decoded YAML is written to stdout, making it easy to pipe into
a file or edit and re-apply with --from-file:

```bash theme={null}
ankra cluster manifests get web > web.yaml
ankra cluster manifests get web -o raw   # base64-encoded form
```

```bash theme={null}
ankra cluster manifests get <manifest_name> [flags]
```

**Flags**

| Flag             | Default | Description                                                   |
| ---------------- | ------- | ------------------------------------------------------------- |
| `--cluster`      |         | Target cluster (name or ID); defaults to the active selection |
| `-o`, `--output` |         | Output format: yaml (decoded, default) or raw (base64)        |

## ankra cluster manifests list

List manifests for the active cluster, or show details for a single manifest

```bash theme={null}
ankra cluster manifests list [manifest name] [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster manifests upgrade

Upgrade a manifest by patching just the fields you supply.

At least one mutating flag is required. Examples:

```bash theme={null}
# Patch a single path in-place, e.g. bump a Deployment image tag
ankra cluster manifests upgrade web \
  --set 'spec.template.spec.containers[name=app].image=nginx:1.27' \
  --cluster website-demo

# When the manifest holds multiple documents, select which one to edit
ankra cluster manifests upgrade web --target-kind Deployment --target-name web \
  --set 'spec.replicas=3' --cluster website-demo

# Replace the manifest content from a file
ankra cluster manifests upgrade demo-namespace \
  --from-file manifests/demo-namespace.yaml --cluster website-demo

# Read the manifest from stdin
cat manifest.yaml | ankra cluster manifests upgrade demo-namespace \
  --manifest - --cluster website-demo
```

\--set/--set-string/--set-file MUTATE the existing manifest YAML and address
list items by a stable field (e.g. containers\[name=app]) as well as by numeric
index (containers\[0]). --from-file / --manifest - REPLACE the whole manifest
and are mutually exclusive with --set\*.

When no content or --set flag is supplied, the existing content is re-sent
unchanged (only namespace is updated). This is required because the backend's
manifest validation rejects empty manifest\_base64.

```bash theme={null}
ankra cluster manifests upgrade <manifest_name> [flags]
```

**Flags**

| Flag              | Default | Description                                                                                                                                                        |
| ----------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--add-parent`    | `[]`    | Add a dependency parent, e.g. --add-parent name=infisical-ns,kind=manifest (kind defaults to manifest; repeatable)                                                 |
| `--cluster`       |         | Target cluster (name or ID); defaults to the active selection                                                                                                      |
| `--dry-run`       | `false` | Print the proposed before/after spec without applying changes                                                                                                      |
| `--from-file`     |         | Path to manifest YAML file (REPLACES the entire manifest)                                                                                                          |
| `--manifest`      |         | Use `-` to read manifest YAML from stdin (REPLACES the entire manifest)                                                                                            |
| `--namespace`     |         | Change the manifest's namespace                                                                                                                                    |
| `-o`, `--output`  |         | Output format: json or yaml (default: human-readable)                                                                                                              |
| `--remove-parent` | `[]`    | Remove a dependency parent, e.g. --remove-parent name=infisical-ns,kind=manifest (repeatable)                                                                      |
| `--set`           | `[]`    | In-place edit of the manifest YAML, e.g. --set 'spec.template.spec.containers[name=app].image=nginx:1.27' (MUTATES existing content; repeatable, comma-separated)  |
| `--set-file`      | `[]`    | Like --set but reads the value from a file: key=path or key=@path                                                                                                  |
| `--set-parent`    | `[]`    | Replace ALL dependency parents with the given set (repeatable)                                                                                                     |
| `--set-string`    | `[]`    | Like --set but always treats the value as a string                                                                                                                 |
| `--target-kind`   |         | With --set: select the document to edit by Kubernetes kind (e.g. Deployment) when the manifest holds multiple documents                                            |
| `--target-name`   |         | With --set: select the document to edit by metadata.name when the manifest holds multiple documents                                                                |
| `--yes`           | `false` | Skip confirmation prompts                                                                                                                                          |
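The two list-addressing forms accepted by --set behave differently once the order of a list changes. The model below is an added example, not the Ankra CLI's own code: `set_path` and its helpers are hypothetical, the parsing rules are an assumption based only on the syntax shown on this page, and the Deployment documents are constructed sample input.

```python
import copy
import re

# A path segment is a key with an optional [N] or [field=value] selector.
_SEGMENT = re.compile(r"([^.\[\]]+)(?:\[([^\]]*)\])?")


def split_assignment(assignment):
    """Split 'path=value' at the first '=' that is outside a [...] selector."""
    depth = 0
    for pos, char in enumerate(assignment):
        if char == "[":
            depth += 1
        elif char == "]":
            depth -= 1
        elif char == "=" and depth == 0:
            return assignment[:pos], assignment[pos + 1:]
    raise ValueError(f"{assignment!r}: expected path=value")


def parse_path(path):
    """Return [(key, selector), ...]; selector is '' when the segment has none."""
    segments = _SEGMENT.findall(path)
    rebuilt = ".".join(k + (f"[{s}]" if s else "") for k, s in segments)
    if not segments or rebuilt != path:
        raise ValueError(f"{path!r}: malformed path")
    return segments


def select_item(items, selector, where):
    """Resolve [N] or [field=value]; a field selector must match exactly one item."""
    if not isinstance(items, list):
        raise TypeError(f"{where}: selector applied to a non-list value")
    if "=" in selector:
        field, _, wanted = selector.partition("=")
        hits = [i for i in items if isinstance(i, dict) and str(i.get(field)) == wanted]
        if len(hits) != 1:
            raise LookupError(f"{where}: [{selector}] matched {len(hits)} items")
        return hits[0]
    index = int(selector)
    if not 0 <= index < len(items):
        raise LookupError(f"{where}: index {index} out of range")
    return items[index]


def set_path(doc, assignment):
    """Return a copy of doc with one assignment applied (value kept as a string)."""
    path, value = split_assignment(assignment)
    segments = parse_path(path)
    last_key, last_selector = segments[-1]
    if last_selector:
        raise ValueError(f"{path!r}: the final segment must name a field")
    result = copy.deepcopy(doc)
    node = result
    for key, selector in segments[:-1]:
        node = node[key]
        if selector:
            node = select_item(node, selector, key)
    node[last_key] = value
    return result


def deployment(containers):
    """Build a constructed Deployment document from (name, image) pairs."""
    return {
        "kind": "Deployment",
        "spec": {"template": {"spec": {
            "containers": [{"name": n, "image": i} for n, i in containers]
        }}},
    }


def images(doc):
    """Map container name to image, to make the effect of an edit visible."""
    containers = doc["spec"]["template"]["spec"]["containers"]
    return {c["name"]: c["image"] for c in containers}


# Constructed sample input: the same workload before and after a sidecar was
# placed ahead of the application container.
ORIGINAL = deployment([("app", "nginx:1.25"), ("metrics", "exporter:0.9")])
REORDERED = deployment(
    [("proxy", "envoy:1.30"), ("app", "nginx:1.25"), ("metrics", "exporter:0.9")]
)

BY_INDEX = "spec.template.spec.containers[0].image=nginx:1.27"
BY_NAME = "spec.template.spec.containers[name=app].image=nginx:1.27"

if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label, "by index:", images(set_path(doc, BY_INDEX)))
        print(label, "by name: ", images(set_path(doc, BY_NAME)))
```

On the reordered document the numeric index rewrites the sidecar's image while the name selector still reaches `app`, which is the kind of difference `--dry-run` makes visible before a change is applied.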

## ankra cluster metrics

Query the Prometheus metrics source configured for a cluster.

The query is proxied through the Ankra agent to the in-cluster Prometheus
endpoint configured in Cluster Settings > Metrics.

**Flags**

| Flag        | Default | Description                                     |
| ----------- | ------- | ----------------------------------------------- |
| `--cluster` |         | Cluster name (defaults to the selected cluster) |

## ankra cluster metrics query

Run an instant PromQL query against the cluster's Prometheus source.

Examples:
ankra cluster metrics query 'up'
ankra cluster metrics query 'sum(rate(container_cpu_usage_seconds_total[5m])) by (pod)'

```bash theme={null}
ankra cluster metrics query [promql] [flags]
```

**Flags**

| Flag             | Default | Description                                    |
| ---------------- | ------- | ---------------------------------------------- |
| `-o`, `--output` | `table` | Output format: table, json, yaml               |
| `--timeout`      | `0`     | Query timeout in seconds (default server-side) |

## ankra cluster metrics query-range

Run a range PromQL query against the cluster's Prometheus source.

Provide either --range (a duration relative to now) or both --start and --end
(Unix seconds). When --step is omitted a sensible step is chosen automatically.

Examples:
ankra cluster metrics query-range 'up' --range 1h
ankra cluster metrics query-range 'rate(node_cpu_seconds_total[5m])' --range 6h --step 5m
ankra cluster metrics query-range 'up' --start 1717000000 --end 1717003600 --step 1m

```bash theme={null}
ankra cluster metrics query-range [promql] [flags]
```

**Flags**

| Flag             | Default | Description                                          |
| ---------------- | ------- | ---------------------------------------------------- |
| `--end`          |         | Range end as Unix seconds (use with --start)         |
| `-o`, `--output` | `table` | Output format: table, json, yaml                     |
| `--range`        |         | Duration relative to now (e.g. 15m, 1h, 6h, 24h, 7d) |
| `--start`        |         | Range start as Unix seconds (use with --end)         |
| `--step`         |         | Resolution step (e.g. 30s, 1m, 5m)                   |
| `--timeout`      | `0`     | Query timeout in seconds (default server-side)       |

## ankra cluster node-group

List, add, scale, upgrade, and delete node groups on a cloud cluster.

The cloud provider (Hetzner, OVH, or UpCloud) is detected automatically from
the cluster.

## ankra cluster node-group add

Add a node group

```bash theme={null}
ankra cluster node-group add <cluster_id> [flags]
```

**Flags**

| Flag              | Default | Description                                                                                             |
| ----------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `--count`         | `1`     | Number of nodes                                                                                         |
| `--instance-type` |         | Server type / flavor / plan for nodes (required)                                                        |
| `--name`          |         | Node group name (required)                                                                              |
| `-o`, `--output`  |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`       | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`          | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster node-group delete

Delete a node group and all its nodes

```bash theme={null}
ankra cluster node-group delete <cluster_id> <group_name> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |
| `--yes`          | `false` | Skip the confirmation prompt                                                                            |

## ankra cluster node-group list

List node groups

```bash theme={null}
ankra cluster node-group list <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster node-group scale

Scale a node group

```bash theme={null}
ankra cluster node-group scale <cluster_id> <group_name> <count> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster node-group upgrade

Upgrade instance type for a node group (cannot be reversed)

```bash theme={null}
ankra cluster node-group upgrade <cluster_id> <group_name> <instance_type> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster operations

Commands to list, inspect, retry, and cancel executions and their steps.

## ankra cluster operations cancel

Cancel one or more running executions

```bash theme={null}
ankra cluster operations cancel <execution_id> [<execution_id>...] [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster operations cancel-step

Cancel a specific step within an execution

```bash theme={null}
ankra cluster operations cancel-step <execution_id> <step_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster operations list

List executions for the active cluster; optionally, provide an ID for details

```bash theme={null}
ankra cluster operations list [execution ID] [flags]
```

**Flags**

| Flag             | Default | Description                                                                  |
| ---------------- | ------- | ---------------------------------------------------------------------------- |
| `--failed`       | `false` | Shortcut for --status failed --status critical                               |
| `--interval`     | `5s`    | Polling interval used when --watch is set                                    |
| `--limit`        | `50`    | Maximum number of executions to return (max 100)                             |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                        |
| `--status`       | `[]`    | Filter by execution status (repeatable). Examples: failed, critical, running |
| `-w`, `--watch`  | `false` | Continuously poll and refresh until all executions reach a terminal state    |

## ankra cluster operations retry

Retry a terminal execution (failed/cancelled/timeout)

```bash theme={null}
ankra cluster operations retry <execution_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster operations steps

List steps for a specific execution

```bash theme={null}
ankra cluster operations steps <execution_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh

Commands to create, deprovision, and scale OVH Cloud clusters.

## ankra cluster ovh access-info

Show the gateway (bastion) and control plane IPs plus ready-to-use SSH jump and Kubernetes API port-forward commands.

```bash theme={null}
ankra cluster ovh access-info <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh control-plane

Inspect and change the control plane configuration. The cluster must be stopped
to change the controller count or instance type. Only 1 or 3 controllers are
allowed (etcd needs an odd number of voting members for quorum). Changes apply
the next time the cluster is started.

## ankra cluster ovh control-plane get

Show the current control plane configuration

```bash theme={null}
ankra cluster ovh control-plane get <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh control-plane set-count

Change the controller count (1 or 3)

```bash theme={null}
ankra cluster ovh control-plane set-count <cluster_id> <count> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh control-plane set-instance-type

Change the controller instance type

```bash theme={null}
ankra cluster ovh control-plane set-instance-type <cluster_id> <instance_type> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh create

Create a new OVH cluster

```bash theme={null}
ankra cluster ovh create [flags]
```

**Flags**

| Flag                        | Default       | Description                                                                                                                                                                                                      |
| --------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--control-plane-count`     | `1`           | Number of control plane nodes                                                                                                                                                                                    |
| `--control-plane-flavor-id` | `b2-15`       | Control plane instance flavor                                                                                                                                                                                    |
| `--credential-id`           |               | OVH API credential ID (required)                                                                                                                                                                                 |
| `--dhcp-end`                | `10.0.1.200`  | DHCP range end                                                                                                                                                                                                   |
| `--dhcp-start`              | `10.0.1.100`  | DHCP range start                                                                                                                                                                                                 |
| `--distribution`            | `k3s`         | Kubernetes distribution                                                                                                                                                                                          |
| `--external-cloud-provider` | `true`        | Install the OpenStack CCM and Cinder CSI (cloud-provider=external) for LoadBalancers and persistent volumes (default on; pass --external-cloud-provider=false to skip, which also disables --include-networking) |
| `--gateway-flavor-id`       | `b2-7`        | Gateway instance flavor                                                                                                                                                                                          |
| `--gitops-branch`           | `master`      | GitOps branch to commit to                                                                                                                                                                                       |
| `--gitops-credential-name`  |               | GitOps GitHub credential name; when set with --gitops-repository, the generated ovh-cloud stack is committed to Git (optional)                                                                                   |
| `--gitops-repository`       |               | GitOps repository (e.g. org/repo) to commit the generated stack to (optional)                                                                                                                                    |
| `--include-networking`      | `true`        | Install Traefik + cert-manager for ingress (default on; pass --include-networking=false to skip). Requires --external-cloud-provider (the ingress LoadBalancer is provisioned by the cloud controller manager)   |
| `--kubernetes-version`      |               | Kubernetes version (optional)                                                                                                                                                                                    |
| `--name`                    |               | Cluster name (required)                                                                                                                                                                                          |
| `--network-vlan-id`         | `0`           | Network VLAN ID                                                                                                                                                                                                  |
| `-o`, `--output`            |               | Output format: json or yaml (default: human-readable)                                                                                                                                                            |
| `--region`                  |               | OVH Cloud region (required)                                                                                                                                                                                      |
| `--ssh-key-credential-id`   |               | SSH key credential ID (required)                                                                                                                                                                                 |
| `--subnet-cidr`             | `10.0.1.0/24` | Subnet CIDR                                                                                                                                                                                                      |
| `--worker-count`            | `1`           | Number of worker nodes                                                                                                                                                                                           |
| `--worker-flavor-id`        | `b2-15`       | Worker instance flavor                                                                                                                                                                                           |

## ankra cluster ovh deprovision

Deprovision an OVH cluster

```bash theme={null}
ankra cluster ovh deprovision <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |
| `--yes`          | `false` | Skip the confirmation prompt                          |

## ankra cluster ovh k8s-version

Get current Kubernetes version for an OVH cluster

```bash theme={null}
ankra cluster ovh k8s-version <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh node-group

List, add, scale, upgrade, label, taint, and delete node groups.

## ankra cluster ovh node-group add

Add a node group

```bash theme={null}
ankra cluster ovh node-group add <cluster_id> [flags]
```

**Flags**

| Flag              | Default | Description                                                                                             |
| ----------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `--count`         | `1`     | Number of nodes (0-100)                                                                                 |
| `--instance-type` | `b2-15` | Instance flavor for nodes                                                                               |
| `--labels`        |         | Comma-separated key=value labels to apply to the node group                                             |
| `--name`          |         | Node group name (required)                                                                              |
| `-o`, `--output`  |         | Output format: json or yaml (default: human-readable)                                                   |
| `--taints`        |         | Comma-separated key=value:Effect taints to apply to the node group                                      |
| `--timeout`       | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`          | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster ovh node-group delete

Delete a node group and all its nodes

```bash theme={null}
ankra cluster ovh node-group delete <cluster_id> <group_name> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |
| `--yes`          | `false` | Skip the confirmation prompt                                                                            |

## ankra cluster ovh node-group labels

Replace the labels on every node in the group. Pass --labels as a comma-separated list of key=value pairs, or --clear to remove all labels.

```bash theme={null}
ankra cluster ovh node-group labels <cluster_id> <group_name> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `--clear`        | `false` | Remove all labels from the node group                                                                   |
| `--labels`       |         | Comma-separated key=value pairs to set on the group                                                     |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster ovh node-group list

List node groups

```bash theme={null}
ankra cluster ovh node-group list <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh node-group scale

Scale a node group

```bash theme={null}
ankra cluster ovh node-group scale <cluster_id> <group_name> <count> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster ovh node-group taints

Replace the taints on every node in the group. Pass --taints as a comma-separated list of key=value:Effect (value optional, effect defaults to NoSchedule), or --clear to remove all taints.

```bash theme={null}
ankra cluster ovh node-group taints <cluster_id> <group_name> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `--clear`        | `false` | Remove all taints from the node group                                                                   |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--taints`       |         | Comma-separated key=value:Effect taints to set on the group                                             |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |
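Because this command replaces the whole taint set, any taint left out of --taints is removed from every node in the group. A pre-flight review of that difference, as an added example rather than Ankra's code: the parser follows the format stated above, `review_replacement` is a hypothetical helper, and the group's current taints are assumed to be supplied by the operator in the same format.

```python
# The three taint effects defined by Kubernetes.
EFFECTS = ("NoSchedule", "PreferNoSchedule", "NoExecute")
DEFAULT_EFFECT = "NoSchedule"  # default stated on this page


def parse_taints(spec):
    """Parse 'key=value:Effect,...' into a set of (key, value, effect) tuples."""
    taints = set()
    for item in filter(None, (part.strip() for part in spec.split(","))):
        body, sep, effect = item.rpartition(":")
        if not sep:  # no ':Effect' suffix, so the documented default applies
            body, effect = item, DEFAULT_EFFECT
        if effect not in EFFECTS:
            raise ValueError(f"{item!r}: unknown effect {effect!r}")
        key, _, value = body.partition("=")  # the value is optional
        if not key:
            raise ValueError(f"{item!r}: missing taint key")
        taints.add((key, value, effect))
    return taints


def review_replacement(current_spec, requested_spec):
    """Describe what replacing the current taints with the requested set changes."""
    current = parse_taints(current_spec)
    requested = parse_taints(requested_spec)
    added = requested - current
    return {
        # Taints that silently disappear because they were not repeated.
        "removed": sorted(current - requested),
        "added": sorted(added),
        # New NoExecute taints evict running pods that do not tolerate them.
        "evicting": sorted(t for t in added if t[2] == "NoExecute"),
    }


# Constructed sample values, not taken from a real cluster.
CURRENT = "dedicated=gpu:NoSchedule,team=ml"
REQUESTED = "team=ml:NoSchedule,maintenance:NoExecute"

if __name__ == "__main__":
    for section, taints in review_replacement(CURRENT, REQUESTED).items():
        print(section, taints)
```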

## ankra cluster ovh node-group upgrade

Upgrade instance type for a node group (cannot be reversed)

```bash theme={null}
ankra cluster ovh node-group upgrade <cluster_id> <group_name> <instance_type> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster ovh nodes

Inspect every server Ankra manages for the cluster (control plane, workers,
and bastion or gateway). Soft-deleted entries from a stopped cluster are
included so the saved topology is visible before re-provisioning.

## ankra cluster ovh nodes get

Show full spec and metadata for a single node

```bash theme={null}
ankra cluster ovh nodes get <cluster_id> <node_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh nodes list

List all nodes for the cluster

```bash theme={null}
ankra cluster ovh nodes list <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh regions

List the OVH Cloud regions the supplied credential's project can deploy in. Only these regions are valid for cluster creation.

```bash theme={null}
ankra cluster ovh regions [flags]
```

**Flags**

| Flag              | Default | Description                                           |
| ----------------- | ------- | ----------------------------------------------------- |
| `--credential-id` |         | OVH API credential ID (required)                      |
| `-o`, `--output`  |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh scale

Scale the number of worker nodes up or down for an OVH cluster.

```bash theme={null}
ankra cluster ovh scale <cluster_id> <worker_count> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh ssh-keys

Get and set the SSH key credentials authorised to access an OVH cluster's nodes.

## ankra cluster ovh ssh-keys get

Show SSH keys attached to an OVH cluster

```bash theme={null}
ankra cluster ovh ssh-keys get <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh ssh-keys set

Replace the SSH key credentials attached to an OVH cluster. Changes take effect on the next reconciliation.

```bash theme={null}
ankra cluster ovh ssh-keys set <cluster_id> [flags]
```

**Flags**

| Flag                       | Default | Description                                                    |
| -------------------------- | ------- | -------------------------------------------------------------- |
| `-o`, `--output`           |         | Output format: json or yaml (default: human-readable)          |
| `--ssh-key-credential-ids` | `[]`    | SSH key credential IDs to attach (comma-separated or repeated) |

## ankra cluster ovh start

Start (re-provision) a stopped OVH cluster. Use --scope control_plane to bring up only the control plane.

```bash theme={null}
ankra cluster ovh start <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |
| `--scope`        | `all`   | Provisioning scope: 'all' or 'control\_plane'         |

## ankra cluster ovh stop

Stop an OVH cluster's compute while keeping its configuration so it can be started again later.

```bash theme={null}
ankra cluster ovh stop <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh upgrade

Upgrade the Kubernetes (k3s) version on all nodes in an OVH cluster.

```bash theme={null}
ankra cluster ovh upgrade <cluster_id> <target_version> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ovh workers

Get current worker count for an OVH cluster

```bash theme={null}
ankra cluster ovh workers <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster provision

Start a managed cluster that was previously created but is not yet running.

If no cluster name is provided, uses the currently selected cluster.

```bash theme={null}
ankra cluster provision [cluster_name] [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster reconcile

Trigger a reconciliation for a cluster to sync desired state with actual state.

If no cluster name is provided, uses the currently selected cluster.
If a cluster name is provided, reconciles that specific cluster.

```bash theme={null}
ankra cluster reconcile [cluster_name] [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster roll-to

Roll a cluster to a specific resource version.

Uses the currently selected cluster unless --cluster is provided.

Example:

```bash theme={null}
ankra cluster roll-to --version abc123
```

```bash theme={null}
ankra cluster roll-to [flags]
```

**Flags**

| Flag        | Default | Description                               |
| ----------- | ------- | ----------------------------------------- |
| `--version` |         | Resource version ID to roll to (required) |

## ankra cluster scale

Scale the number of default-pool worker nodes up or down for a cloud cluster.

The cloud provider (Hetzner, OVH, or UpCloud) is detected automatically from
the cluster, so you do not need to remember which provider it runs on. To scale
a named node group instead, use 'ankra cluster node-group scale'.

Example:

```bash theme={null}
ankra cluster scale 62f4559a-a44d-46d7-aab3-a57c9dd6b4c6 3
```

```bash theme={null}
ankra cluster scale <cluster_id> <worker_count> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster select

Select a cluster and save it as the active cluster for subsequent commands.

If a cluster name is provided, it will be selected directly without prompting.
If no name is provided, an interactive picker is shown.

Examples:

```bash theme={null}
ankra cluster select
ankra cluster select my-cluster
```

```bash theme={null}
ankra cluster select [cluster_name]
```

## ankra cluster sops-config

Show the SOPS encryption configuration including the public key used for encrypting secrets.

```bash theme={null}
ankra cluster sops-config
```

## ankra cluster ssh-keys

Get, set, and re-sync the SSH key credentials authorised to access a cloud
cluster's nodes.

The cloud provider (Hetzner, OVH, or UpCloud) is detected automatically from
the cluster.

## ankra cluster ssh-keys get

Show SSH keys attached to a cluster

```bash theme={null}
ankra cluster ssh-keys get <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ssh-keys resync

Re-sync the cluster's SSH key with the cloud provider. Use this to repair a
stale provider-side SSH key reference (for example when the key was deleted and
re-created in the provider console) that blocks new node creation, and to
re-apply the authorised keys to running nodes.

```bash theme={null}
ankra cluster ssh-keys resync <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster ssh-keys set

Replace the SSH key credentials attached to a cluster. Changes take effect on
the next reconciliation and are applied to running nodes.

Pass --clear to remove all user SSH keys (the Ankra-managed key always remains).

```bash theme={null}
ankra cluster ssh-keys set <cluster_id> [flags]
```

**Flags**

| Flag                       | Default | Description                                                  |
| -------------------------- | ------- | ------------------------------------------------------------ |
| `--clear`                  | `false` | Remove all user SSH keys (the Ankra-managed key is retained) |
| `-o`, `--output`           |         | Output format: json or yaml (default: human-readable)        |
| `--ssh-key-credential-ids` | `[]`    | SSH key credential IDs (comma-separated or repeated)         |

## ankra cluster stacks

Commands to list, create, delete, rename, and view history of stacks.

## ankra cluster stacks clone

Clone a stack from the current cluster to a target cluster.
The cloned stack will be created as a draft in the target cluster,
allowing you to review and modify it before deployment.

Encrypted values will be stripped during cloning for security reasons
and will need to be reconfigured in the target cluster.

```bash theme={null}
ankra cluster stacks clone <stack_name> --to <target_cluster> [flags]
```

**Flags**

| Flag               | Default | Description                                           |
| ------------------ | ------- | ----------------------------------------------------- |
| `--include-config` | `true`  | Include addon configurations                          |
| `-n`, `--name`     |         | New stack name (optional, defaults to original)       |
| `-o`, `--output`   |         | Output format: json or yaml (default: human-readable) |
| `-t`, `--to`       |         | Target cluster name or ID (required)                  |

## ankra cluster stacks delete

Delete a stack

```bash theme={null}
ankra cluster stacks delete <name> [flags]
```

**Flags**

| Flag    | Default | Description                  |
| ------- | ------- | ---------------------------- |
| `--yes` | `false` | Skip the confirmation prompt |

## ankra cluster stacks history

Show history of changes for a stack

```bash theme={null}
ankra cluster stacks history <name> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster stacks list

List stacks for the active cluster, or show details for a single stack

```bash theme={null}
ankra cluster stacks list [stack name] [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster stacks rename

Rename a stack

```bash theme={null}
ankra cluster stacks rename <old_name> <new_name>
```

## ankra cluster stacks variables

Manage variables on a specific stack. Stack variables are the most
specific scope and shadow cluster and organisation variables of the same name
when this stack's manifests/addons are rendered.

```bash theme={null}
ankra cluster stacks variables list <stack>
ankra cluster stacks variables get <stack> DB_HOST
ankra cluster stacks variables set <stack> DB_HOST db.prod.example.com
ankra cluster stacks variables delete <stack> DB_HOST
```

Stack variables are stored on the stack spec itself; edits use the same
partial-stack PATCH endpoint as manifests/addons upgrade.

## ankra cluster stacks variables delete

Delete a variable from a stack

```bash theme={null}
ankra cluster stacks variables delete <stack> <name> [flags]
```

**Flags**

| Flag        | Default | Description                                                   |
| ----------- | ------- | ------------------------------------------------------------- |
| `--cluster` |         | Target cluster (name or ID); defaults to the active selection |
| `--yes`     | `false` | Skip the confirmation prompt                                  |

## ankra cluster stacks variables get

Get a single stack variable

```bash theme={null}
ankra cluster stacks variables get <stack> <name> [flags]
```

**Flags**

| Flag        | Default | Description                                                   |
| ----------- | ------- | ------------------------------------------------------------- |
| `--cluster` |         | Target cluster (name or ID); defaults to the active selection |

## ankra cluster stacks variables list

List variables on a stack

```bash theme={null}
ankra cluster stacks variables list <stack> [flags]
```

**Flags**

| Flag             | Default | Description                                                   |
| ---------------- | ------- | ------------------------------------------------------------- |
| `--cluster`      |         | Target cluster (name or ID); defaults to the active selection |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)         |

## ankra cluster stacks variables set

Create or update a stack variable. The value can be read from stdin by
passing "-".

```bash theme={null}
ankra cluster stacks variables set <stack> <name> <value> [flags]
```

**Flags**

| Flag        | Default | Description                                                   |
| ----------- | ------- | ------------------------------------------------------------- |
| `--cluster` |         | Target cluster (name or ID); defaults to the active selection |
| `--dry-run` | `false` | Print the proposed change without writing                     |

## ankra cluster upcloud

Commands to create, deprovision, and scale UpCloud clusters.

## ankra cluster upcloud control-plane

Inspect and change the control plane configuration. The cluster must be stopped
to change the controller count or instance type. Only 1 or 3 controllers are
allowed (etcd needs an odd number of voting members for quorum). Changes apply
the next time the cluster is started.

## ankra cluster upcloud control-plane get

Show the current control plane configuration

```bash theme={null}
ankra cluster upcloud control-plane get <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upcloud control-plane set-count

Change the controller count (1 or 3)

```bash theme={null}
ankra cluster upcloud control-plane set-count <cluster_id> <count> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upcloud control-plane set-instance-type

Change the controller instance type

```bash theme={null}
ankra cluster upcloud control-plane set-instance-type <cluster_id> <instance_type> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upcloud create

Create a new UpCloud cluster

```bash theme={null}
ankra cluster upcloud create [flags]
```

**Flags**

| Flag                        | Default       | Description                                                                                                                                                                                                    |
| --------------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--bastion-plan`            | `1xCPU-2GB`   | Bastion plan                                                                                                                                                                                                   |
| `--control-plane-count`     | `1`           | Number of control plane nodes                                                                                                                                                                                  |
| `--control-plane-plan`      | `2xCPU-4GB`   | Control plane plan                                                                                                                                                                                             |
| `--credential-id`           |               | UpCloud API credential ID (required)                                                                                                                                                                           |
| `--distribution`            | `k3s`         | Kubernetes distribution                                                                                                                                                                                        |
| `--external-cloud-provider` | `true`        | Install the UpCloud CCM and CSI (cloud-provider=external) for LoadBalancers and persistent volumes (default on; pass --external-cloud-provider=false to skip, which also disables --include-networking)        |
| `--gitops-branch`           | `master`      | GitOps branch to commit to                                                                                                                                                                                     |
| `--gitops-credential-name`  |               | GitOps GitHub credential name; when set with --gitops-repository, the generated upcloud-cloud-provider stack is committed to Git (optional)                                                                    |
| `--gitops-repository`       |               | GitOps repository (e.g. org/repo) to commit the generated stack to (optional)                                                                                                                                  |
| `--include-networking`      | `true`        | Install Traefik + cert-manager for ingress (default on; pass --include-networking=false to skip). Requires --external-cloud-provider (the ingress LoadBalancer is provisioned by the cloud controller manager) |
| `--kubernetes-version`      |               | Kubernetes version (optional)                                                                                                                                                                                  |
| `--name`                    |               | Cluster name (required)                                                                                                                                                                                        |
| `--network-ip-range`        | `10.0.0.0/16` | Network IP range                                                                                                                                                                                               |
| `-o`, `--output`            |               | Output format: json or yaml (default: human-readable)                                                                                                                                                          |
| `--ssh-key-credential-id`   |               | SSH key credential ID (required)                                                                                                                                                                               |
| `--worker-count`            | `1`           | Number of worker nodes                                                                                                                                                                                         |
| `--worker-plan`             | `2xCPU-4GB`   | Worker plan                                                                                                                                                                                                    |
| `--zone`                    |               | UpCloud zone (required)                                                                                                                                                                                        |

## ankra cluster upcloud deprovision

Deprovision an UpCloud cluster

```bash theme={null}
ankra cluster upcloud deprovision <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |
| `--yes`          | `false` | Skip the confirmation prompt                          |

## ankra cluster upcloud k8s-version

Get current Kubernetes version for an UpCloud cluster

```bash theme={null}
ankra cluster upcloud k8s-version <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upcloud node-group

List, add, scale, upgrade, and delete node groups.

## ankra cluster upcloud node-group add

Add a node group

```bash theme={null}
ankra cluster upcloud node-group add <cluster_id> [flags]
```

**Flags**

| Flag              | Default     | Description                                                                                             |
| ----------------- | ----------- | ------------------------------------------------------------------------------------------------------- |
| `--count`         | `1`         | Number of nodes (0-100)                                                                                 |
| `--instance-type` | `2xCPU-4GB` | Server plan for nodes                                                                                   |
| `--name`          |             | Node group name (required)                                                                              |
| `-o`, `--output`  |             | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`       | `10m0s`     | Maximum time to wait when --wait is set                                                                 |
| `--wait`          | `false`     | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster upcloud node-group delete

Delete a node group and all its nodes

```bash theme={null}
ankra cluster upcloud node-group delete <cluster_id> <group_name> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |
| `--yes`          | `false` | Skip the confirmation prompt                                                                            |

## ankra cluster upcloud node-group list

List node groups

```bash theme={null}
ankra cluster upcloud node-group list <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upcloud node-group scale

Scale a node group

```bash theme={null}
ankra cluster upcloud node-group scale <cluster_id> <group_name> <count> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster upcloud node-group upgrade

Upgrade server plan for a node group

```bash theme={null}
ankra cluster upcloud node-group upgrade <cluster_id> <group_name> <plan> [flags]
```

**Flags**

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)                                                   |
| `--timeout`      | `10m0s` | Maximum time to wait when --wait is set                                                                 |
| `--wait`         | `false` | Wait for the operation to finish and report success or failure (default: submit and return immediately) |

## ankra cluster upcloud nodes

Inspect every server Ankra manages for the cluster (control plane, workers,
and bastion or gateway). Soft-deleted entries from a stopped cluster are
included so the saved topology is visible before re-provisioning.

## ankra cluster upcloud nodes get

Show full spec and metadata for a single node

```bash theme={null}
ankra cluster upcloud nodes get <cluster_id> <node_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upcloud nodes list

List all nodes for the cluster

```bash theme={null}
ankra cluster upcloud nodes list <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upcloud scale

Scale the number of worker nodes up or down for an UpCloud cluster.

```bash theme={null}
ankra cluster upcloud scale <cluster_id> <worker_count> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upcloud start

Start (re-provision) a stopped UpCloud cluster. Use --scope control\_plane to bring up only the control plane.

```bash theme={null}
ankra cluster upcloud start <cluster_id> [flags]
```

**Flags**

| Flag      | Default | Description                                   |
| --------- | ------- | --------------------------------------------- |
| `--scope` | `all`   | Provisioning scope: 'all' or 'control\_plane' |

## ankra cluster upcloud stop

Stop an UpCloud cluster's compute while keeping its configuration so it can be started again later.

```bash theme={null}
ankra cluster upcloud stop <cluster_id>
```

## ankra cluster upcloud upgrade

Upgrade the Kubernetes (k3s) version on all nodes in an UpCloud cluster.

```bash theme={null}
ankra cluster upcloud upgrade <cluster_id> <target_version> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upcloud workers

Get current worker count for an UpCloud cluster

```bash theme={null}
ankra cluster upcloud workers <cluster_id> [flags]
```

**Flags**

| Flag             | Default | Description                                           |
| ---------------- | ------- | ----------------------------------------------------- |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable) |

## ankra cluster upgrade

Upgrade the Kubernetes (k3s) version on all nodes in a cloud cluster.

The cloud provider (Hetzner, OVH, or UpCloud) is detected automatically from
the cluster, so you do not need to remember which provider it runs on. List
the available target versions with 'ankra cluster k3s-versions'.

Example:

```bash theme={null}
ankra cluster upgrade 62f4559a-a44d-46d7-aab3-a57c9dd6b4c6 v1.36.1+k3s1
```

```bash theme={null}
ankra cluster upgrade <cluster_id> <target_version>
```

## ankra cluster validate

Validate an ImportCluster YAML file. The local structural, dependency,
and YAML checks run first (the same ones as 'ankra cluster apply --dry-run'),
then the file is sent to the Ankra API for server-side validation that the
offline checks cannot perform:

* chart existence in the Helm registries connected to your organisation
* plaintext Kubernetes Secret / unencrypted addon value detection
* parent references resolved against a cluster's existing resources

Nothing is applied. Use --cluster \<id> to validate the spec against an
existing cluster's deployed resources, and --strict-secrets to treat
plaintext secrets as errors instead of warnings.

```bash theme={null}
ankra cluster validate [flags]
```

**Flags**

| Flag               | Default | Description                                                   |
| ------------------ | ------- | ------------------------------------------------------------- |
| `--cluster`        |         | Validate against an existing cluster's resources (cluster ID) |
| `-f`, `--file`     |         | Path to the ImportCluster YAML file to validate               |
| `-o`, `--output`   |         | Output format: json or yaml (default: human-readable)         |
| `--strict-secrets` | `false` | Treat plaintext secrets as errors instead of warnings         |

## ankra cluster variables

Manage cluster-scoped variables that are available to every stack on the
cluster as template substitutions in manifests and addon values. Cluster
variables shadow organisation variables of the same name on this cluster.

```bash theme={null}
ankra cluster variables list
ankra cluster variables get DB_HOST --cluster prod
ankra cluster variables set DB_HOST db.prod.example.com
ankra cluster variables delete DB_HOST
```

When --cluster is omitted, the active selection is used.

## ankra cluster variables delete

Delete a cluster variable

```bash theme={null}
ankra cluster variables delete <name> [flags]
```

**Flags**

| Flag        | Default | Description                                                   |
| ----------- | ------- | ------------------------------------------------------------- |
| `--cluster` |         | Target cluster (name or ID); defaults to the active selection |
| `--yes`     | `false` | Skip the confirmation prompt                                  |

## ankra cluster variables get

Get a single cluster variable

```bash theme={null}
ankra cluster variables get <name> [flags]
```

**Flags**

| Flag             | Default | Description                                                   |
| ---------------- | ------- | ------------------------------------------------------------- |
| `--cluster`      |         | Target cluster (name or ID); defaults to the active selection |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)         |

## ankra cluster variables list

List variables for a cluster

```bash theme={null}
ankra cluster variables list [flags]
```

**Flags**

| Flag             | Default | Description                                                   |
| ---------------- | ------- | ------------------------------------------------------------- |
| `--cluster`      |         | Target cluster (name or ID); defaults to the active selection |
| `-o`, `--output` |         | Output format: json or yaml (default: human-readable)         |

## ankra cluster variables set

Create or update a cluster variable (upsert). The value can be read from
stdin by passing "-".

```bash theme={null}
ankra cluster variables set <name> <value> [flags]
```

**Flags**

| Flag            | Default | Description                                                   |
| --------------- | ------- | ------------------------------------------------------------- |
| `--cluster`     |         | Target cluster (name or ID); defaults to the active selection |
| `--description` |         | Optional human-readable description                           |
