2022-07-05 13:42:07 +02:00
# Join Service
2022-05-23 11:36:54 +02:00
2022-07-05 13:42:07 +02:00
Implementation for Constellation's node flow to join an existing cluster.
2022-05-23 11:36:54 +02:00
2022-07-05 13:42:07 +02:00
The join service runs on each control-plane node of the Kubernetes cluster.
2022-09-02 11:52:42 +02:00
New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over [aTLS ](../internal/atls/ ).
2022-07-05 13:42:07 +02:00
The join service verifies the new nodes certificate and attestation statement.
2022-05-23 11:36:54 +02:00
If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.
## Packages
2022-07-05 13:42:07 +02:00
### [joinproto](./joinproto/)
2022-05-23 11:36:54 +02:00
2022-07-05 13:42:07 +02:00
Proto definitions for the join service.
2022-05-23 11:36:54 +02:00
2022-07-05 13:42:07 +02:00
### [internal/server](./internal/server/)
2022-05-23 11:36:54 +02:00
The `server` implements gRPC endpoints for joining the cluster and holds the main application logic.
2022-07-05 13:42:07 +02:00
Connections between the join service and joining nodes are secured using [aTLS ](../internal/atls/README.md )
2022-05-23 11:36:54 +02:00
```mermaid
sequenceDiagram
participant New Node
2022-07-05 13:42:07 +02:00
participant Join Service
New Node-->>Join Service: aTLS Handshake (server side verification)
2022-07-14 15:45:04 +02:00
Join Service-->>New Node: #
2022-07-05 13:42:07 +02:00
New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
Join Service->>+KMS: grpc::GetDataKey(DiskUUID)
KMS->>-Join Service: DiskEncryptionKey
Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]
2022-05-23 11:36:54 +02:00
```
2022-07-05 13:42:07 +02:00
### [internal/kms](./internal/kms/)
2022-05-23 11:36:54 +02:00
2023-01-11 10:08:57 +01:00
Implements interaction with Constellation's keyservice.
2022-05-23 11:36:54 +02:00
This is needed for fetching data encryption keys for joining nodes.
2022-07-05 13:42:07 +02:00
### [internal/kubeadm](./internal/kubeadm/)
2022-05-23 11:36:54 +02:00
Implements interaction with the Kubernetes API to create join tokens for new nodes.
2023-04-04 15:24:43 +02:00
## Docker image
Build the image:
2022-05-23 11:36:54 +02:00
```shell
2023-04-04 15:24:43 +02:00
bazel build //joinservice/cmd:joinservice
bazel build //bazel/release:joinservice_sum
bazel build //bazel/release:joinservice_tar
bazel run //bazel/release:joinservice_push
2022-05-23 11:36:54 +02:00
```