Unkey
DocsDesignGitHub
CLIRun

Ctrl

Run the Unkey control plane service for managing infrastructure and services

Command Syntax

unkey run ctrl [flags]

Some flags are required for this command to work properly.

Flags

--http-port

HTTP port for the control plane server to listen on. Default: 8080

  • Type: integer
  • Default: 8080
  • Environment: UNKEY_HTTP_PORT

--color

Enable colored log output. Default: true

  • Type: boolean
  • Default: true
  • Environment: UNKEY_LOGS_COLOR

--platform

Cloud platform identifier for this node. Used for logging and metrics.

  • Type: string
  • Environment: UNKEY_PLATFORM

--image

Container image identifier. Used for logging and metrics.

  • Type: string
  • Environment: UNKEY_IMAGE

--region

Geographic region identifier. Used for logging and routing. Default: unknown

  • Type: string
  • Default: "unknown"
  • Environment: AWS_REGION

--instance-id

Unique identifier for this instance. Auto-generated if not provided.

  • Type: string
  • Default: "ins_26qK8q"
  • Environment: UNKEY_INSTANCE_ID

--database-primary (required)

MySQL connection string for primary database. Required for all deployments. Example: user:pass@host:3306/unkey?parseTime=true

  • Type: string
  • Environment: UNKEY_DATABASE_PRIMARY

--database-hydra (required)

MySQL connection string for hydra database. Required for all deployments. Example: user:pass@host:3306/hydra?parseTime=true

  • Type: string
  • Environment: UNKEY_DATABASE_HYDRA

--otel

Enable OpenTelemetry tracing and metrics

  • Type: boolean
  • Default: false
  • Environment: UNKEY_OTEL

--otel-trace-sampling-rate

Sampling rate for OpenTelemetry traces (0.0-1.0). Only used when --otel is provided. Default: 0.25

  • Type: float
  • Default: 0.25
  • Environment: UNKEY_OTEL_TRACE_SAMPLING_RATE

--tls-cert-file

Path to TLS certificate file for HTTPS. Both cert and key must be provided to enable HTTPS.

  • Type: string
  • Environment: UNKEY_TLS_CERT_FILE

--tls-key-file

Path to TLS key file for HTTPS. Both cert and key must be provided to enable HTTPS.

  • Type: string
  • Environment: UNKEY_TLS_KEY_FILE

--auth-token

Authentication token for control plane API access. Required for secure deployments.

  • Type: string
  • Environment: UNKEY_AUTH_TOKEN

--metald-address (required)

Full URL of the metald service for VM operations. Required for deployments. Example: https://metald.example.com:8080

  • Type: string
  • Environment: UNKEY_METALD_ADDRESS

--spiffe-socket-path

Path to SPIFFE agent socket for mTLS authentication. Default: /var/lib/spire/agent/agent.sock

  • Type: string
  • Default: "/var/lib/spire/agent/agent.sock"
  • Environment: UNKEY_SPIFFE_SOCKET_PATH

Previous

Api

Next

Version

On this page