# Installation and setup
Constellation runs entirely in your cloud environment and can be controlled via a dedicated command-line interface (CLI).
The following guides you through the steps of installing the CLI on your machine, verifying it, and connecting it to your cloud service provider (CSP).
## Prerequisites
Make sure the following requirements are met:
- Your machine is running Linux or macOS
- You have admin rights on your machine
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
- Your CSP is Microsoft Azure or Google Cloud Platform (GCP)
## Install the Constellation CLI
The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases).
Install it with the following commands:
<tabs>
<tabItem value="linux-amd64" label="Linux (amd64)">

1. Download the CLI:

   ```bash
   curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-amd64
   ```

2. [Verify the signature](../workflows/verify-cli.md) (optional)

3. Install the CLI to your PATH:

   ```bash
   sudo install constellation-linux-amd64 /usr/local/bin/constellation
   ```

</tabItem>
<tabItem value="linux-arm64" label="Linux (arm64)">

1. Download the CLI:

   ```bash
   curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-linux-arm64
   ```

2. [Verify the signature](../workflows/verify-cli.md) (optional)

3. Install the CLI to your PATH:

   ```bash
   sudo install constellation-linux-arm64 /usr/local/bin/constellation
   ```

</tabItem>
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">

1. Download the CLI:

   ```bash
   curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-arm64
   ```

2. [Verify the signature](../workflows/verify-cli.md) (optional)

3. Install the CLI to your PATH:

   ```bash
   sudo install constellation-darwin-arm64 /usr/local/bin/constellation
   ```

</tabItem>
<tabItem value="darwin-amd64" label="macOS (Intel)">

1. Download the CLI:

   ```bash
   curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/constellation-darwin-amd64
   ```

2. [Verify the signature](../workflows/verify-cli.md) (optional)

3. Install the CLI to your PATH:

   ```bash
   sudo install constellation-darwin-amd64 /usr/local/bin/constellation
   ```

</tabItem>
</tabs>
:::tip
The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps.
:::
## Set up cloud credentials
The CLI makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP.
### Required permissions
<tabs groupId="csp">
<tabItem value="azure" label="Azure">

You need the following permissions for your user account:

- `Contributor` (to create cloud resources)
- `User Access Administrator` (to create a service account)

If you don't have these permissions with scope *subscription*, ask your administrator to [create the service account and a resource group for your Constellation cluster](first-steps.md).
Your user account needs the `Contributor` permission scoped to this resource group.

</tabItem>
<tabItem value="gcp" label="GCP">

Create a new project for Constellation or use an existing one.
Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it.

You need the following permissions on this project:

- `compute.*` (or the subset defined by `roles/compute.instanceAdmin.v1`)
- `iam.serviceAccountUser`

Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access).

</tabItem>
</tabs>
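
A preflight check for the role requirements listed above, written as an added example and not part of the Constellation documentation or CLI. The function names are hypothetical, and treating `Owner`, `roles/owner` and `roles/compute.admin` as acceptable supersets is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example: report which of the roles required above an account lacks.
# Input is a newline-separated list of role names, for instance from
#   az role assignment list --assignee "$ASSIGNEE" --scope "/subscriptions/$SUB_ID" \
#     --include-inherited --include-groups --query "[].roleDefinitionName" -o tsv
#   gcloud projects get-iam-policy "$PROJECT" --flatten="bindings[].members" \
#     --filter="bindings.members:user:$EMAIL" --format="value(bindings.role)"
# ASSIGNEE, SUB_ID, PROJECT and EMAIL are placeholders you set yourself.
# The gcloud query only sees roles bound directly to the user, not via groups.

# has_any ROLES NAME...: succeed if any NAME equals a whole line of ROLES.
# Whole-line matching keeps "Storage Blob Data Contributor" from passing as
# "Contributor".
has_any() {
  local roles="$1" name
  shift
  for name in "$@"; do
    printf '%s\n' "$roles" | grep -Fxq -- "$name" && return 0
  done
  return 1
}

# missing_roles CSP ROLES: print each unmet requirement, one per line.
# Assumption: Owner (Azure), roles/owner and roles/compute.admin (GCP) are
# accepted as supersets of the roles the page names.
missing_roles() {
  local csp="$1" roles="$2"
  case "$csp" in
    azure)
      has_any "$roles" "Contributor" "Owner" || echo "Contributor"
      has_any "$roles" "User Access Administrator" "Owner" \
        || echo "User Access Administrator"
      ;;
    gcp)
      has_any "$roles" "roles/compute.instanceAdmin.v1" "roles/compute.admin" \
        "roles/owner" || echo "compute.*"
      has_any "$roles" "roles/iam.serviceAccountUser" "roles/owner" \
        || echo "iam.serviceAccountUser"
      ;;
    *)
      echo "unsupported CSP: $csp" >&2
      return 2
      ;;
  esac
}

# Constructed sample: an Azure account that holds Contributor but cannot
# create the service account.
missing_roles azure "Contributor
Reader"
```

Empty output means every requirement is met; any printed line names a requirement to raise with your administrator before creating a cluster.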
### Authentication
You need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments.
:::note
The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps.
:::
<tabs groupId="csp">
<tabItem value="azure" label="Azure">

**Testing**

Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview).

**Production**

Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine:

```bash
az login
```

Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli).

</tabItem>
<tabItem value="gcp" label="GCP">

**Testing**

You can use the [Google Cloud Shell](https://cloud.google.com/shell). Make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt.

**Production**

Use one of the following options on a trusted machine:

- Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud)

  ```bash
  gcloud auth application-default login
  ```

  This will ask you to log in to your Google account and create your credentials.
  The Constellation CLI will automatically load these credentials when needed.

- Set up a service account and pass the credentials manually

  Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials.

</tabItem>
</tabs>
## Next steps
You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md).