constellation/joinservice/README.md

# Join Service

Implementation for Constellation's node flow to join an existing cluster.

The join service runs on each control-plane node of the Kubernetes cluster.
New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over [aTLS](../coordinator/atls/).
The join service verifies the new nodes certificate and attestation statement.
If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.

The join service uses klog v2 for logging.
Use the `-v` flag to set the log verbosity level.
Use different verbosity levels during development depending on the information:

* 2 for information that should always be logged. Examples: server starting, new gRPC request.

* 4 for general logging. If you are unsure what log level to use, use 4.

* 6 for low level information logging. Example: values of new expected measurements

* Potentially sensitive information, such as return values of functions should never be logged.

## Packages

### [joinproto](./joinproto/)

Proto definitions for the join service.

### [internal/server](./internal/server/)

The `server` implements gRPC endpoints for joining the cluster and holds the main application logic.

Connections between the join service and joining nodes are secured using [aTLS](../internal/atls/README.md)

```mermaid
sequenceDiagram
    participant New Node
    participant Join Service
    New Node-->>Join Service: aTLS Handshake (server side verification)
    Join Service-->>New Node:
    New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
    Join Service->>+KMS: grpc::GetDataKey(DiskUUID)
    KMS->>-Join Service: DiskEncryptionKey
    Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]
```

### [internal/kms](./internal/kms/)

Implements interaction with Constellation's key management service.
This is needed for fetching data encryption keys for joining nodes.

### [internal/kubeadm](./internal/kubeadm/)

Implements interaction with the Kubernetes API to create join tokens for new nodes.

### [internal/validator](./internal/validator/)

A wrapper for the more generic `atls.Validator`, allowing for updates to the underlying validator without having to restart the service.

## [Dockerfile](./Dockerfile)

```shell
export VERSION=1.0.0
DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/join-service:v${VERSION} -f joinservice/Dockerfile .
```
Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`# Join Service`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00
Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`Implementation for Constellation's node flow to join an existing cluster.`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00
Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`The join service runs on each control-plane node of the Kubernetes cluster.`
			`New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over [aTLS](../coordinator/atls/).`
			`The join service verifies the new nodes certificate and attestation statement.`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00			`If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.`

Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`The join service uses klog v2 for logging.`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00			Use the `-v` flag to set the log verbosity level.
			`Use different verbosity levels during development depending on the information:`

			`* 2 for information that should always be logged. Examples: server starting, new gRPC request.`

			`* 4 for general logging. If you are unsure what log level to use, use 4.`

			`* 6 for low level information logging. Example: values of new expected measurements`

			`* Potentially sensitive information, such as return values of functions should never be logged.`

			`## Packages`

Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`### [joinproto](./joinproto/)`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00
Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`Proto definitions for the join service.`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00
Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`### [internal/server](./internal/server/)`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00
			The `server` implements gRPC endpoints for joining the cluster and holds the main application logic.

Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`Connections between the join service and joining nodes are secured using [aTLS](../internal/atls/README.md)`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00
			```mermaid
			`sequenceDiagram`
			`participant New Node`
Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`participant Join Service`
			`New Node-->>Join Service: aTLS Handshake (server side verification)`
			`Join Service-->>New Node:`
			`New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)`
			`Join Service->>+KMS: grpc::GetDataKey(DiskUUID)`
			`KMS->>-Join Service: DiskEncryptionKey`
			`Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00			```

Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`### [internal/kms](./internal/kms/)`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00
			`Implements interaction with Constellation's key management service.`
			`This is needed for fetching data encryption keys for joining nodes.`

Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`### [internal/kubeadm](./internal/kubeadm/)`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00
			`Implements interaction with the Kubernetes API to create join tokens for new nodes.`

Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`### [internal/validator](./internal/validator/)`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00
			A wrapper for the more generic `atls.Validator`, allowing for updates to the underlying validator without having to restart the service.

			`## [Dockerfile](./Dockerfile)`

			```shell
AB#2169 Implement control-plane activation in activation service (#217) * Implement Control Plane activation flow * Rename Activation RPCs Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-21 05:10:32 -04:00			`export VERSION=1.0.0`
Create internal package for joinservice 2022-07-05 07:42:07 -04:00			`DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/join-service:v${VERSION} -f joinservice/Dockerfile .`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00			```