constellation/activation/README.md

# Activation

Implementation for Constellation's node activation flow.

The activation service runs on each control-plane node of the Kubernetes cluster.
New nodes (at cluster start, or later through autoscaling) send an activation request to the service over [aTLS](../coordinator/atls/).
The activation service verifies the new nodes certificate and attestation statement.
If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.

The activation service uses klog v2 for logging.
Use the `-v` flag to set the log verbosity level.
Use different verbosity levels during development depending on the information:

* 2 for information that should always be logged. Examples: server starting, new gRPC request.

* 4 for general logging. If you are unsure what log level to use, use 4.

* 6 for low level information logging. Example: values of new expected measurements

* Potentially sensitive information, such as return values of functions should never be logged.

## Packages

### [activationproto](./activationproto/)

Proto definitions for the activation service.

### [server](./server/)

The `server` implements gRPC endpoints for joining the cluster and holds the main application logic.

Connections between the activation service and joining nodes are secured using [aTLS](../internal/atls/README.md)

Worker nodes call the `ActivateNode` endpoint.

```mermaid
sequenceDiagram
    participant New Node
    participant Activation Service
    New Node-->>Activation Service: aTLS Handshake (server side verification)
    Activation Service-->>New Node: 
    New Node->>+Activation Service: grpc::ActivateNode(DiskUUID)
    Activation Service->>+KMS: grpc::GetDataKey(DiskUUID)
    KMS->>-Activation Service: DiskEncryptionKey
    Activation Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken]
```

Control-plane nodes call the `ActivateCoordinator` endpoint.

### [kms](./kms/)

Implements interaction with Constellation's key management service.
This is needed for fetching data encryption keys for joining nodes.

### [kubeadm](./kubeadm/)

Implements interaction with the Kubernetes API to create join tokens for new nodes.

### [validator](./validator/)

A wrapper for the more generic `atls.Validator`, allowing for updates to the underlying validator without having to restart the service.

### [watcher](./watcher/)

Uses fsnotify to wait for expected measurement updates, and updates the validator if any occur.

## [Dockerfile](./Dockerfile)

```shell
export VERSION=1.0.0
DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/activation-service:v${VERSION} -f activation/Dockerfile .
```
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00			`# Activation`

			`Implementation for Constellation's node activation flow.`

			`The activation service runs on each control-plane node of the Kubernetes cluster.`
			`New nodes (at cluster start, or later through autoscaling) send an activation request to the service over [aTLS](../coordinator/atls/).`
			`The activation service verifies the new nodes certificate and attestation statement.`
			`If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.`

			`The activation service uses klog v2 for logging.`
			Use the `-v` flag to set the log verbosity level.
			`Use different verbosity levels during development depending on the information:`

			`* 2 for information that should always be logged. Examples: server starting, new gRPC request.`

			`* 4 for general logging. If you are unsure what log level to use, use 4.`

			`* 6 for low level information logging. Example: values of new expected measurements`

			`* Potentially sensitive information, such as return values of functions should never be logged.`

			`## Packages`

			`### [activationproto](./activationproto/)`

			`Proto definitions for the activation service.`

			`### [server](./server/)`

			The `server` implements gRPC endpoints for joining the cluster and holds the main application logic.

			`Connections between the activation service and joining nodes are secured using [aTLS](../internal/atls/README.md)`

			Worker nodes call the `ActivateNode` endpoint.

			```mermaid
			`sequenceDiagram`
			`participant New Node`
			`participant Activation Service`
			`New Node-->>Activation Service: aTLS Handshake (server side verification)`
			`Activation Service-->>New Node:`
			`New Node->>+Activation Service: grpc::ActivateNode(DiskUUID)`
			`Activation Service->>+KMS: grpc::GetDataKey(DiskUUID)`
			`KMS->>-Activation Service: DiskEncryptionKey`
			`Activation Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken]`
			```

			Control-plane nodes call the `ActivateCoordinator` endpoint.

			`### [kms](./kms/)`

			`Implements interaction with Constellation's key management service.`
			`This is needed for fetching data encryption keys for joining nodes.`

			`### [kubeadm](./kubeadm/)`

			`Implements interaction with the Kubernetes API to create join tokens for new nodes.`

			`### [validator](./validator/)`

			A wrapper for the more generic `atls.Validator`, allowing for updates to the underlying validator without having to restart the service.

			`### [watcher](./watcher/)`

			`Uses fsnotify to wait for expected measurement updates, and updates the validator if any occur.`

			`## [Dockerfile](./Dockerfile)`

			```shell
AB#2169 Implement control-plane activation in activation service (#217) * Implement Control Plane activation flow * Rename Activation RPCs Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-21 05:10:32 -04:00			`export VERSION=1.0.0`
			`DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/activation-service:v${VERSION} -f activation/Dockerfile .`
Implement activation service Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-05-23 05:36:54 -04:00			```