Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-02-22 16:00:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

Create internal package for joinservice

Browse Source
This commit is contained in:
katexochen 2022-07-05 13:42:07 +02:00 committed by Paul Meyer
parent 43eb94b6dc
commit 2083d37b11
10 changed files with 25 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
joinservice/README.md
View File

@ -1,13 +1,13 @@
# Activation
# Join Service
Implementation for Constellation's node activation flow.
Implementation for Constellation's node flow to join an existing cluster.
The activation service runs on each control-plane node of the Kubernetes cluster.
New nodes (at cluster start, or later through autoscaling) send an activation request to the service over [aTLS](../coordinator/atls/).
The activation service verifies the new nodes certificate and attestation statement.
The join service runs on each control-plane node of the Kubernetes cluster.
New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over [aTLS](../coordinator/atls/).
The join service verifies the new nodes certificate and attestation statement.
If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.
The activation service uses klog v2 for logging.
The join service uses klog v2 for logging.
Use the `-v` flag to set the log verbosity level.
Use different verbosity levels during development depending on the information:
@ -21,52 +21,44 @@ Use different verbosity levels during development depending on the information:
## Packages
### [activationproto](./activationproto/)
### [joinproto](./joinproto/)
Proto definitions for the activation service.
Proto definitions for the join service.
### [server](./server/)
### [internal/server](./internal/server/)
The `server` implements gRPC endpoints for joining the cluster and holds the main application logic.
Connections between the activation service and joining nodes are secured using [aTLS](../internal/atls/README.md)
Worker nodes call the `ActivateNode` endpoint.
Connections between the join service and joining nodes are secured using [aTLS](../internal/atls/README.md)
```mermaid
sequenceDiagram
participant New Node
participant Activation Service
New Node-->>Activation Service: aTLS Handshake (server side verification)
Activation Service-->>New Node:
New Node->>+Activation Service: grpc::ActivateNode(DiskUUID)
Activation Service->>+KMS: grpc::GetDataKey(DiskUUID)
KMS->>-Activation Service: DiskEncryptionKey
Activation Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken]
participant Join Service
New Node-->>Join Service: aTLS Handshake (server side verification)
Join Service-->>New Node:
New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
Join Service->>+KMS: grpc::GetDataKey(DiskUUID)
KMS->>-Join Service: DiskEncryptionKey
Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]
```
Control-plane nodes call the `ActivateCoordinator` endpoint.
### [kms](./kms/)
### [internal/kms](./internal/kms/)
Implements interaction with Constellation's key management service.
This is needed for fetching data encryption keys for joining nodes.
### [kubeadm](./kubeadm/)
### [internal/kubeadm](./internal/kubeadm/)
Implements interaction with the Kubernetes API to create join tokens for new nodes.
### [validator](./validator/)
### [internal/validator](./internal/validator/)
A wrapper for the more generic `atls.Validator`, allowing for updates to the underlying validator without having to restart the service.
### [watcher](./watcher/)
Uses fsnotify to wait for expected measurement updates, and updates the validator if any occur.
## [Dockerfile](./Dockerfile)
```shell
export VERSION=1.0.0
DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/activation-service:v${VERSION} -f activation/Dockerfile .
DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/join-service:v${VERSION} -f joinservice/Dockerfile .
```

8
joinservice/cmd/main.go
View File

@ -11,10 +11,10 @@ import (
"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
"github.com/edgelesssys/constellation/internal/logger"
"github.com/edgelesssys/constellation/internal/watcher"
"github.com/edgelesssys/constellation/joinservice/kms"
"github.com/edgelesssys/constellation/joinservice/kubeadm"
"github.com/edgelesssys/constellation/joinservice/kubernetesca"
"github.com/edgelesssys/constellation/joinservice/server"
"github.com/edgelesssys/constellation/joinservice/internal/kms"
"github.com/edgelesssys/constellation/joinservice/internal/kubeadm"
"github.com/edgelesssys/constellation/joinservice/internal/kubernetesca"
"github.com/edgelesssys/constellation/joinservice/internal/server"
"github.com/spf13/afero"
"go.uber.org/zap"
)

0
joinservice/kms/kms.go → joinservice/internal/kms/kms.go
View File

0
joinservice/kms/kms_test.go → joinservice/internal/kms/kms_test.go
View File

0
joinservice/kubeadm/kubeadm.go → joinservice/internal/kubeadm/kubeadm.go
View File

0
joinservice/kubeadm/kubeadm_test.go → joinservice/internal/kubeadm/kubeadm_test.go
View File

0
joinservice/kubernetesca/kubernetesca.go → joinservice/internal/kubernetesca/kubernetesca.go
View File

0
joinservice/kubernetesca/kubernetesca_test.go → joinservice/internal/kubernetesca/kubernetesca_test.go
View File

0
joinservice/server/server.go → joinservice/internal/server/server.go
View File

0
joinservice/server/server_test.go → joinservice/internal/server/server_test.go
View File