Ctrl
Run the Unkey control plane service for managing infrastructure and services
Command Syntax
Some flags are required for this command to work properly.
Flags
--http-port
HTTP port for the control plane server to listen on. Default: 8080
- Type: integer
- Default: 8080
- Environment: UNKEY_HTTP_PORT
--color
Enable colored log output. Default: true
- Type: boolean
- Default: true
- Environment: UNKEY_LOGS_COLOR
--platform
Cloud platform identifier for this node. Used for logging and metrics.
- Type: string
- Environment: UNKEY_PLATFORM
--image
Container image identifier. Used for logging and metrics.
- Type: string
- Environment: UNKEY_IMAGE
--region
Geographic region identifier. Used for logging and routing. Default: unknown
- Type: string
- Default: "unknown"
- Environment: AWS_REGION
--instance-id
Unique identifier for this instance. Auto-generated if not provided.
- Type: string
- Default: "ins_5PkxT8"
- Environment: UNKEY_INSTANCE_ID
--database-primary (required)
MySQL connection string for primary database. Required for all deployments. Example: user:pass@host:3306/unkey?parseTime=true
- Type: string
- Environment: UNKEY_DATABASE_PRIMARY
--database-partition (required)
MySQL connection string for partition database. Required for all deployments. Example: user:pass@host:3306/partition_002?parseTime=true
- Type: string
- Environment: UNKEY_DATABASE_PARTITION
--otel
Enable OpenTelemetry tracing and metrics
- Type: boolean
- Default: false
- Environment: UNKEY_OTEL
--otel-trace-sampling-rate
Sampling rate for OpenTelemetry traces (0.0-1.0). Only used when --otel is provided. Default: 0.25
- Type: float
- Default: 0.25
- Environment: UNKEY_OTEL_TRACE_SAMPLING_RATE
--tls-cert-file
Path to TLS certificate file for HTTPS. Both cert and key must be provided to enable HTTPS.
- Type: string
- Environment: UNKEY_TLS_CERT_FILE
--tls-key-file
Path to TLS key file for HTTPS. Both cert and key must be provided to enable HTTPS.
- Type: string
- Environment: UNKEY_TLS_KEY_FILE
--auth-token
Authentication token for control plane API access. Required for secure deployments.
- Type: string
- Environment: UNKEY_AUTH_TOKEN
--krane-address (required)
Full URL of the krane service for VM operations. Required for deployments. Example: https://krane.example.com:8080
- Type: string
- Environment: UNKEY_KRANE_ADDRESS
--api-key (required)
API key for simple authentication (demo purposes only). Will be replaced with JWT authentication.
- Type: string
- Environment: UNKEY_API_KEY
--spiffe-socket-path
Path to SPIFFE agent socket for mTLS authentication. Default: /var/lib/spire/agent/agent.sock
- Type: string
- Default: "/var/lib/spire/agent/agent.sock"
- Environment: UNKEY_SPIFFE_SOCKET_PATH
--vault-master-keys (required)
Vault master keys for encryption
- Type: string[]
- Environment: UNKEY_VAULT_MASTER_KEYS
--vault-s3-url (required)
S3-compatible endpoint URL
- Type: string
- Environment: UNKEY_VAULT_S3_URL
--vault-s3-bucket (required)
S3 bucket name
- Type: string
- Environment: UNKEY_VAULT_S3_BUCKET
--vault-s3-access-key-id (required)
S3 access key ID
- Type: string
- Environment: UNKEY_VAULT_S3_ACCESS_KEY_ID
--vault-s3-access-key-secret (required)
S3 secret access key
- Type: string
- Environment: UNKEY_VAULT_S3_ACCESS_KEY_SECRET
--acme-enabled
Enable Let's Encrypt for ACME challenges
- Type: boolean
- Default: false
- Environment: UNKEY_ACME_ENABLED
--acme-cloudflare-enabled
Enable Cloudflare for wildcard certificates
- Type: boolean
- Default: false
- Environment: UNKEY_ACME_CLOUDFLARE_ENABLED
--acme-cloudflare-api-token
Cloudflare API token for Let's Encrypt
- Type: string
- Environment: UNKEY_ACME_CLOUDFLARE_API_TOKEN
--default-domain
Default domain for auto-generated hostnames
- Type: string
- Default: "unkey.app"
- Environment: UNKEY_DEFAULT_DOMAIN
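
The script below is an added example, not part of the Unkey documentation or code base: a POSIX shell pre-flight check that reads the environment variables listed above and reports missing required settings, a half-configured TLS pair, an out-of-range sampling rate and an empty auth token. The function name unkey_ctrl_preflight and the key-file permission warning are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Unkey code): pre-flight check over the documented env vars.
# Problems are printed to stderr; returns 0 only when no ERROR was found.
unkey_ctrl_preflight() (
  errors=0
  fail() { echo "ERROR: $1" >&2; errors=$((errors + 1)); }
  warn() { echo "WARN: $1" >&2; }

  # Every flag marked (required) on this page, by its environment variable.
  for var in UNKEY_DATABASE_PRIMARY UNKEY_DATABASE_PARTITION UNKEY_KRANE_ADDRESS \
      UNKEY_API_KEY UNKEY_VAULT_MASTER_KEYS UNKEY_VAULT_S3_URL UNKEY_VAULT_S3_BUCKET \
      UNKEY_VAULT_S3_ACCESS_KEY_ID UNKEY_VAULT_S3_ACCESS_KEY_SECRET; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || fail "$var is required but not set"
  done

  # --krane-address is documented as a full URL, so it needs a scheme.
  case "${UNKEY_KRANE_ADDRESS:-}" in
    ""|http://*|https://*) ;;
    *) fail "UNKEY_KRANE_ADDRESS must be a full URL" ;;
  esac

  # HTTPS is enabled only when both the certificate and the key are provided.
  cert=${UNKEY_TLS_CERT_FILE:-}
  key=${UNKEY_TLS_KEY_FILE:-}
  case "${cert:+c}${key:+k}" in
    c|k) fail "set both UNKEY_TLS_CERT_FILE and UNKEY_TLS_KEY_FILE, or neither" ;;
    ck) [ -r "$cert" ] && [ -r "$key" ] || fail "TLS cert or key file is not readable"
        # Hygiene check added for this example (an assumption, not an Unkey rule).
        [ -z "$(find "$key" -perm -004 2>/dev/null)" ] || warn "TLS key is world-readable" ;;
    *) warn "no TLS cert/key set: HTTPS is not enabled" ;;
  esac

  # The trace sampling rate is documented as 0.0-1.0 (default 0.25).
  rate=${UNKEY_OTEL_TRACE_SAMPLING_RATE:-0.25}
  awk -v r="$rate" 'BEGIN { exit !(r ~ /^[0-9]*\.?[0-9]+$/ && r + 0 <= 1) }' ||
    fail "UNKEY_OTEL_TRACE_SAMPLING_RATE must be between 0.0 and 1.0"

  # --auth-token is not marked required, but the page asks for it in secure deployments.
  [ -n "${UNKEY_AUTH_TOKEN:-}" ] || warn "UNKEY_AUTH_TOKEN is empty"

  [ "$errors" -eq 0 ]
)
```

Source the file and call unkey_ctrl_preflight in the service's start script, launching the control plane only when it returns 0.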