docs: misc fixes

This commit is contained in:
Thomas Tendyck 2023-07-07 15:38:13 +02:00 committed by Thomas Tendyck
parent 1ff40533f1
commit 0aaf58b710
8 changed files with 24 additions and 14 deletions

View File

@ -144,7 +144,7 @@ The latter means that the value can be generated offline and compared to the one
| 7 | Secure Boot State | Azure, Constellation Bootloader | No | | 7 | Secure Boot State | Azure, Constellation Bootloader | No |
| 8 | - | - | - | | 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes | | 9 | initramfs | Linux Kernel | Yes |
| 10 | Userspace[^1] | Linux IMA[^1] | No[^1] | | 10 | User space | Linux IMA | No[^1] |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes | | 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes | | 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes | | 13 | Reserved | (Constellation Bootloader) | Yes |
@ -177,7 +177,7 @@ The latter means that the value can be generated offline and compared to the one
| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | | 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No |
| 8 | - | - | - | | 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes | | 9 | initramfs | Linux Kernel | Yes |
| 10 | Userspace[^1] | Linux IMA[^1] | No[^1] | | 10 | User space | Linux IMA | No[^1] |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes | | 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes | | 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes | | 13 | Reserved | (Constellation Bootloader) | Yes |
@ -311,6 +311,6 @@ flowchart LR
## References ## References
[^1]: Linux IMA produces runtime measurements of user space binaries. [^1]: Linux IMA produces runtime measurements of user-space binaries.
However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value. However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value.
Instead, a policy engine must be used to verify the TPM event log against a policy. Instead, a policy engine must be used to verify the TPM event log against a policy.
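Review bot: the footnote still leaves open what Constellation itself does with PCR[10]: it says the value "can't be compared to a constant" and that "a policy engine must be used", but not whether Constellation's attestation verifies the IMA event log against such a policy or simply excludes PCR[10] from the expected measurements. Since both PCR tables now point readers here for the "No" cell, one sentence stating which of the two it is (and a link to the relevant attestation section) would close that gap. The hyphenation fix ("user-space binaries") is correct and consistent with the new "User space" cell wording.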

View File

@ -7,7 +7,7 @@ Additional `PATCH` releases may be created on demand, to fix security issues or
New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases). New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases).
### Kubernetes support policy ## Kubernetes support policy
Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions. Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions.
When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions. When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions.
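Review bot: promoting "Kubernetes support policy" from `###` to `##` changes its place in the page outline and its sidebar nesting, so please confirm the headings above it in this file are also `##` (otherwise the level jump that prompted this fix just moves). Any existing deep links to the old anchor are unaffected, since the slug is derived from the text, not the level.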

View File

@ -126,6 +126,7 @@ attaching persistent storage, or autoscaling aren't available.
```shell-session ```shell-session
$ constellation init $ constellation init
Your Constellation master secret was successfully written to ./constellation-mastersecret.json Your Constellation master secret was successfully written to ./constellation-mastersecret.json
Note: If you just created the cluster, it can take a few minutes to connect.
Initializing cluster ... Initializing cluster ...
Your Constellation cluster was successfully initialized. Your Constellation cluster was successfully initialized.
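Review bot: the added "Note: If you just created the cluster, it can take a few minutes to connect." sits inside the `shell-session` fence, so readers will take it as verbatim `constellation init` output; please confirm that is exactly what the CLI prints (including the "Note:" prefix), otherwise it belongs as a sentence outside the fence. The same output block is also updated in the other getting-started file in this commit; keep the two in sync when the CLI output changes again.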

View File

@ -60,6 +60,7 @@ If you encounter any problem with the following steps, make sure to use the [lat
* `eastus` * `eastus`
* `northeurope` * `northeurope`
* `westeurope` * `westeurope`
* `southeastasia`
</tabItem> </tabItem>
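Review bot: this is one of three copies of the supported Azure CVM region list touched in this commit (the same `southeastasia` line is added in two places in the configuration doc as well), and the adjacent text already warns that region support changes over time; consider keeping the list in a single shared snippet so the next region addition cannot leave one copy stale. Also confirm `southeastasia` offers the CVM sizes Constellation actually uses before shipping this, since the list is what users will act on.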
@ -148,6 +149,7 @@ If you encounter any problem with the following steps, make sure to use the [lat
```shell-session ```shell-session
$ constellation init $ constellation init
Your Constellation master secret was successfully written to ./constellation-mastersecret.json Your Constellation master secret was successfully written to ./constellation-mastersecret.json
Note: If you just created the cluster, it can take a few minutes to connect.
Initializing cluster ... Initializing cluster ...
Your Constellation cluster was successfully initialized. Your Constellation cluster was successfully initialized.

View File

@ -6,9 +6,9 @@ Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to a
## Migrating from Azure's service principal authentication to managed identity authentication ## Migrating from Azure's service principal authentication to managed identity authentication
- The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed. - The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed.
- To keep using an existing UAMI add the `Owner` permission with the scope of your `resourceGroup`. - To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`.
- Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-iam-credentials) and use the created UAMI. - Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI.
- To migrate the authentication for an existing Constellation on Azure to an UAMI with the necessary permissions: - To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions:
1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret. 1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret.
2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`. 2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`.
3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods. 3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods.
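Review bot: "to an UAMI" on the "To migrate the authentication for an existing cluster" line should read "to a UAMI" (the acronym starts with a consonant sound); the same phrasing appears in both the old and new text. Two further points on this hunk: the updated link target `#creating-an-iam-configuration` needs to exist as a heading slug in `../workflows/config.md`, please verify it renders rather than silently pointing at the top of the page; and since step 1 removes `aadClientId`/`aadClientSecret` from the `azureconfig` secret, it would be worth telling readers to delete or rotate the now-unused service principal credential afterwards, as the secret value otherwise lingers in the cluster and in the old config.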

View File

@ -107,6 +107,7 @@ Note that CVMs are currently only supported in a few regions, check [Azure's pro
* `eastus` * `eastus`
* `northeurope` * `northeurope`
* `westeurope` * `westeurope`
* `southeastasia`
Paste the output into the corresponding fields of the `constellation-conf.yaml` file. Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
@ -175,12 +176,13 @@ The following describes the configuration fields and how you obtain the required
* `eastus` * `eastus`
* `northeurope` * `northeurope`
* `westeurope` * `westeurope`
* `southeastasia`
* **resourceGroup**: [Create a new resource group in Azure](https://portal.azure.com/#create/Microsoft.ResourceGroup) for your Constellation cluster. Set this configuration field to the name of the created resource group. * **resourceGroup**: [Create a new resource group in Azure](https://portal.azure.com/#create/Microsoft.ResourceGroup) for your Constellation cluster. Set this configuration field to the name of the created resource group.
* **userAssignedIdentity**: [Create a new managed identity in Azure](https://portal.azure.com/#create/Microsoft.ManagedIdentity). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination. * **userAssignedIdentity**: [Create a new managed identity in Azure](https://portal.azure.com/#create/Microsoft.ManagedIdentity). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination.
Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor` and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group. Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor`, and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group.
Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity. Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity.
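Review bot: the `Owner` role at resource-group scope already includes every action granted by `Virtual Machine Contributor` and `Application Insights Component Contributor`, so as written the two additional assignments are redundant; either drop them or state why they are still required (for example, if `Owner` is only needed temporarily and the narrower roles are what remains afterwards). The Oxford-comma fix on that line is fine. Separately, the example identity ID uses a realistic-looking subscription GUID; an obvious placeholder such as all zeros would avoid readers copying it verbatim.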

View File

@ -12,6 +12,7 @@ If something doesn't work, check out the [known issues](https://github.com/edgel
### Azure: Resource Providers can't be registered ### Azure: Resource Providers can't be registered
On Azure, you may receive the following error when running `create` or `terminate` with limited IAM permissions: On Azure, you may receive the following error when running `create` or `terminate` with limited IAM permissions:
```shell-session ```shell-session
Error: Error ensuring Resource Providers are registered. Error: Error ensuring Resource Providers are registered.
@ -28,11 +29,13 @@ To continue, please ensure that the [required resource providers](../getting-sta
Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `create` or `terminate` again. Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `create` or `terminate` again.
For example: For example:
```bash ```bash
ARM_SKIP_PROVIDER_REGISTRATION=true constellation create --control-plane-nodes 1 --worker-nodes 2 -y ARM_SKIP_PROVIDER_REGISTRATION=true constellation create --control-plane-nodes 1 --worker-nodes 2 -y
``` ```
Or alternatively, for `terminate`: Or alternatively, for `terminate`:
```bash ```bash
ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate
``` ```
@ -59,6 +62,7 @@ You can use the `upgrade apply` command to change measurements of a running clus
Keep in mind that running `upgrade apply` also applies any version changes from your config to the cluster. Keep in mind that running `upgrade apply` also applies any version changes from your config to the cluster.
You can run these commands to learn about the versions currently configured in the cluster: You can run these commands to learn about the versions currently configured in the cluster:
- Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion` - Kubernetes API server version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.kubernetesClusterVersion`
- image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion` - image version: `kubectl get nodeversion constellation-version -o json -n kube-system | jq .spec.imageVersion`
- microservices versions: `helm list --filter 'constellation-services' -n kube-system` - microservices versions: `helm list --filter 'constellation-services' -n kube-system`
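Review bot: the two `kubectl get nodeversion ... -o json | jq .spec.<field>` commands add a `jq` dependency for a single field lookup; `-o jsonpath='{.spec.kubernetesClusterVersion}'` (and likewise for `imageVersion`) does the same with `kubectl` alone, which matters for readers following this page from a minimal jump host. The added blank line before "You can run these commands" is a sensible paragraph break.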
@ -77,7 +81,7 @@ You can view this information in the following places:
1. In your Azure subscription find the Constellation resource group. 1. In your Azure subscription find the Constellation resource group.
2. Inside the resource group find the Application Insights resource called `constellation-insights-*`. 2. Inside the resource group find the Application Insights resource called `constellation-insights-*`.
3. On the left-hand side go to `Logs`, which is located in the section `Monitoring`. 3. On the left-hand side go to `Logs`, which is located in the section `Monitoring`.
+ Close the Queries page if it pops up. - Close the Queries page if it pops up.
5. In the query text field type in `traces`, and click `Run`. 5. In the query text field type in `traces`, and click `Run`.
To **find the disk UUIDs** use the following query: `traces | where message contains "Disk UUID"` To **find the disk UUIDs** use the following query: `traces | where message contains "Disk UUID"`
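Review bot: switching the marker from `+` to `-` does not fix the real problem in this list: the bullet is at column 0 between items `3.` and `5.`, so in CommonMark it terminates the ordered list and `5.` starts a new one numbered from 5, rendering as 1, 2, 3, bullet, 5. Indent the "Close the Queries page if it pops up." bullet under step 3 (at least three spaces) so the ordered list continues, and renumber `5.` to `4.`.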
@ -88,7 +92,7 @@ To **find the disk UUIDs** use the following query: `traces | where message cont
1. Select the project that hosts Constellation. 1. Select the project that hosts Constellation.
2. Go to the `Compute Engine` service. 2. Go to the `Compute Engine` service.
3. On the right-hand side of a VM entry select `More Actions` (a stacked ellipsis) 3. On the right-hand side of a VM entry select `More Actions` (a stacked ellipsis)
+ Select `View logs` - Select `View logs`
To **find the disk UUIDs** use the following query: `resource.type="gce_instance" text_payload=~"Disk UUID:.*\n" logName=~".*/constellation-boot-log"` To **find the disk UUIDs** use the following query: `resource.type="gce_instance" text_payload=~"Disk UUID:.*\n" logName=~".*/constellation-boot-log"`
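Review bot: same list problem as in the Azure steps above: the `- Select \`View logs\`` bullet at column 0 breaks the numbered list after step 3. Indent it under step 3 (or make it step 4) so the GCP procedure renders as a single ordered list. The missing period after "(a stacked ellipsis)" could be fixed in the same pass.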
@ -115,7 +119,7 @@ Debugging via a shell on a node is [directly supported by Kubernetes](https://ku
1. Figure out which node to connect to: 1. Figure out which node to connect to:
```sh ```bash
kubectl get nodes kubectl get nodes
# or to see more information, such as IPs: # or to see more information, such as IPs:
kubectl get nodes -o wide kubectl get nodes -o wide
@ -123,7 +127,7 @@ Debugging via a shell on a node is [directly supported by Kubernetes](https://ku
2. Connect to the node: 2. Connect to the node:
```sh ```bash
kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox
``` ```
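Review bot: `--image=busybox` pulls an unpinned tag from Docker Hub into a privileged debug pod with the node filesystem mounted; for a confidential-computing cluster the docs should at least recommend pinning a tag or digest (`busybox:<version>@sha256:...`) and, if the project has an image policy, a registry it trusts. The `sh` to `bash` fence change itself is fine and consistent with the other blocks in this hunk.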
@ -133,6 +137,6 @@ Debugging via a shell on a node is [directly supported by Kubernetes](https://ku
3. Once finished, clean up the debug pod: 3. Once finished, clean up the debug pod:
```sh ```bash
kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj
``` ```
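Review bot: the pod name in `kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj` contains a random suffix (`bjthj`) that will differ for every reader; add a line telling them to look up the actual name (for example with `kubectl get pods | grep node-debugger`) or pass `--namespace` if the debug pod was created outside `default`, otherwise the command fails verbatim.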

View File

@ -13,6 +13,7 @@ Most importantly, a given CLI version can only upgrade a cluster of the previous
This means that you have to upgrade your CLI and cluster one minor version at a time. This means that you have to upgrade your CLI and cluster one minor version at a time.
For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should For example, if you are currently on CLI version v2.6 and the latest version is v2.8, you should
* upgrade the CLI to v2.7, * upgrade the CLI to v2.7,
* upgrade the cluster to v2.7, * upgrade the cluster to v2.7,
* and only then continue upgrading the CLI (and the cluster) to v2.8 after. * and only then continue upgrading the CLI (and the cluster) to v2.8 after.
@ -40,7 +41,7 @@ constellation upgrade check --update-config
``` ```
You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag. You can either enter the reported target versions into your config manually or run the above command with the `--update-config` flag.
When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion` and `attestation` fields are overwritten with the smallest available upgrade. When using this flag, the `kubernetesVersion`, `image`, `microserviceVersion`, and `attestation` fields are overwritten with the smallest available upgrade.
## Apply the upgrade ## Apply the upgrade