From 2ee5224033c30baa8fb88a0cd84ce4c8e51774cc Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Tue, 20 Feb 2024 11:09:37 +0100 Subject: [PATCH] docs: add STACKIT --- docs/docs/getting-started/first-steps.md | 21 ++++++++++++ docs/docs/getting-started/install.md | 38 ++++++++++++++++++++- docs/docs/getting-started/marketplaces.md | 7 +++- docs/docs/overview/license.md | 2 +- docs/docs/overview/product.md | 2 +- docs/docs/workflows/config.md | 29 ++++++++++++++++ docs/docs/workflows/storage.md | 40 +++++++++++++++++++++-- 7 files changed, 133 insertions(+), 6 deletions(-) diff --git a/docs/docs/getting-started/first-steps.md b/docs/docs/getting-started/first-steps.md index dc867bf77..716c24c03 100644 --- a/docs/docs/getting-started/first-steps.md +++ b/docs/docs/getting-started/first-steps.md @@ -41,6 +41,14 @@ If you encounter any problem with the following steps, make sure to use the [lat + + + ```bash + constellation config generate stackit + ``` + + + 2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration). @@ -109,6 +117,19 @@ If you encounter any problem with the following steps, make sure to use the [lat You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions). + + + + + To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md). + After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`: + + - `projectID`: OpenStack project id (can be found in `clouds.yaml` or `openrc` file of UAT) + - `projectName`: OpenStack project name (can be found in `clouds.yaml` or `openrc` file of UAT) + - `stackitProjectID`: STACKIT project id (can be found after login on ) + - `username`: username of the UAT + - `password`: password of the UAT + 
diff --git a/docs/docs/getting-started/install.md b/docs/docs/getting-started/install.md index f2cad8b02..8d41e3c8e 100644 --- a/docs/docs/getting-started/install.md +++ b/docs/docs/getting-started/install.md @@ -9,7 +9,7 @@ Make sure the following requirements are met: * Your machine is running Linux or macOS * You have admin rights on your machine * [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed -* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS) +* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or STACKIT ## Install the Constellation CLI @@ -291,6 +291,14 @@ The built-in `PowerUserAccess` policy is a superset of these permissions. Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). + + + +Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account. +The UAT already has all required permissions by default. +The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers. +Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role. + 
@@ -360,6 +368,34 @@ aws configure Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html). + + + +You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API). + +1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API +2. Create a configuration file under `~/.config/openstack/clouds.yaml` with the credentials from the User Access Token + ```yaml + clouds: + stackit: + auth: + auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3 + username: REPLACE_WITH_UAT_USERNAME + password: REPLACE_WITH_UAT_PASSWORD + project_id: REPLACE_WITH_STACKIT_PROJECT_ID + project_name: REPLACE_WITH_STACKIT_PROJECT_NAME + user_domain_name: portal_mvp + project_domain_name: portal_mvp + region_name: RegionOne + identity_api_version: 3 + ``` +3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token +4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) +5. Create a configuration file under `~/.stackit/credentials.json` + ```json + {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"} + ``` + diff --git a/docs/docs/getting-started/marketplaces.md b/docs/docs/getting-started/marketplaces.md index fa4896f2a..b16d796d2 100644 --- a/docs/docs/getting-started/marketplaces.md +++ b/docs/docs/getting-started/marketplaces.md 
@@ -1,6 +1,6 @@ # Using Constellation via Cloud Marketplaces -Constellation is available through the Marketplaces of AWS, Azure, and GCP. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). +Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). This document explains how to run Constellation with the dynamically billed cloud marketplace images. @@ -43,6 +43,11 @@ Then, enable the use of marketplace images in your Constellation `constellation- yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml ``` + + + +On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal. + diff --git a/docs/docs/overview/license.md b/docs/docs/overview/license.md index a5aa6b236..34122c025 100644 --- a/docs/docs/overview/license.md +++ b/docs/docs/overview/license.md 
@@ -30,4 +30,4 @@ Once you have received your Enterprise License file, place it in your [Constella ## CSP Marketplaces -Constellation is available through the Marketplaces of AWS, Azure, and GCP. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). +Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/). diff --git a/docs/docs/overview/product.md b/docs/docs/overview/product.md index e31a4658f..8e8ee6950 100644 --- a/docs/docs/overview/product.md +++ b/docs/docs/overview/product.md 
@@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet From an operational perspective, Constellation provides the following key features: -* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). +* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer). * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability. * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command. 
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform. diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md index a5216510d..24b9c80ff 100644 --- a/docs/docs/workflows/config.md +++ b/docs/docs/workflows/config.md @@ -35,6 +35,13 @@ constellation config generate gcp constellation config generate aws ``` + + + +```bash +constellation config generate stackit +``` + @@ -67,6 +74,16 @@ If you are using the attestation variant `awsNitroTPM`, you can choose any of th The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. + + + +By default, Constellation uses `m1a.8d-sev` VMs (8 vCPUs, 64 GB RAM) to create your cluster. +Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. + +You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). + +The Constellation CLI can also print the supported instance types with: `constellation config instance-types`. + 
@@ -109,11 +126,13 @@ This configuration creates an additional node group `high_cpu` with a larger ins You can use the field `zone` to specify what availability zone nodes of the group are placed in. On Azure, this field is empty by default and nodes are automatically spread across availability zones. +STACKIT currently only offers SEV-enabled CPUs in the `eu01-1` zone. Consult the documentation of your cloud provider for more information: * [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) * [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones) * [GCP](https://cloud.google.com/compute/docs/regions-zones) +* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html) ## Choosing a Kubernetes version @@ -191,6 +210,11 @@ You can find a list of all [regions in AWS's documentation](https://docs.aws.ama Paste the output into the corresponding fields of the `constellation-conf.yaml` file. + + + +STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. + @@ -297,6 +321,11 @@ The following describes the configuration fields and how you obtain the required + + +STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information. + + diff --git a/docs/docs/workflows/storage.md b/docs/docs/workflows/storage.md index 9e3d96346..1cae8dacc 100644 --- a/docs/docs/workflows/storage.md +++ b/docs/docs/workflows/storage.md 
@@ -9,11 +9,11 @@ Cloud service providers (CSPs) offer their own CSI-based solutions for cloud sto ## Confidential storage Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek). -Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, and GCP. +Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT. However, their encryption takes place in the storage backend and is managed by the CSP. Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data. -To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, and GCE PD, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. +To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage. For more details see [encrypted persistent storage](../architecture/encrypted-storage.md). 
@@ -43,6 +43,13 @@ Follow the instructions on how to [install the Constellation CSI driver](#instal Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster. Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information. + + + +**Constellation CSI driver for STACKIT / OpenStack Cinder** +Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster. +Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information. + 
@@ -140,6 +147,35 @@ Note that volume expansion isn't supported for integrity-protected disks. ::: + + + +STACKIT comes with two storage classes by default. + +* `encrypted-rwo` + * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) + * ext-4 filesystem + * Encryption of all data written to disk +* `integrity-encrypted-rwo` + * Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html) + * ext-4 filesystem + * Encryption of all data written to disk + * Integrity protection of data written to disk + +For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms). + +:::info + +The default storage class is set to `encrypted-rwo` for performance reasons. +If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. + +Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. +Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. + +Note that volume expansion isn't supported for integrity-protected disks. + +::: +
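Review bot: The `stackitProjectID` bullet in the first-steps.md hunk at `@@ -109,6 +117,19 @@` ends in an empty link ("can be found after login on )"), so the reader is never told where to look up the STACKIT project id; fill in the portal URL or drop the parenthesis. In the same hunk, the list has the user copy the UAT `username` and `password` into `constellation-conf.yaml` without any caveat; that file is routinely shared or checked into version control, so add a sentence that it now holds long-lived credentials for the whole project and must be treated as a secret. The lead sentence "To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated during the install step" and the following "After creating the accounts" also read awkwardly, since no accounts were created in this section; say plainly that the UAT and service account from the install step are referenced here.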
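Review bot: The install.md hunk at `@@ -291,6 +291,14 @@` only says the STACKIT service account "needs the `editor` role to create STACKIT LoadBalancers" without listing the permissions that are actually used, unlike the AWS text directly above it, which enumerates the required actions and then notes that `PowerUserAccess` is a superset. If `editor` is broader than what Constellation needs, say so and name a narrower role or the concrete permissions, so readers can apply least privilege to a token that ends up in `~/.stackit/credentials.json`. "The UAT already has all required permissions by default" should likewise say what those permissions are, or at least that the UAT is scoped to the single OpenStack project.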
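Review bot: In the install.md hunk at `@@ -360,6 +368,34 @@`, the `clouds.yaml` example uses `project_id: REPLACE_WITH_STACKIT_PROJECT_ID`, but first-steps.md in this same patch distinguishes the OpenStack `projectID` (read from `clouds.yaml`) from the separate `stackitProjectID` (read from the portal); the placeholder therefore steers readers to the wrong id. Rename it to something like `REPLACE_WITH_OPENSTACK_PROJECT_ID` and do the same for `project_name`. Both `~/.config/openstack/clouds.yaml` (UAT password) and `~/.stackit/credentials.json` (service account token) are bearer credentials and may be created with permissive file modes; add a line telling users to restrict them (for example `chmod 600`) and to keep them out of any repository. Steps 3 and 4 link the identical URL; either merge them or link the page that covers role assignment.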
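Review bot: "You can find more information on the STACKIT portal" in the marketplaces.md hunk at `@@ -43,6 +43,11 @@` has no link, and unlike the AWS/Azure/GCP tabs above it, which show the `yq` command that sets `useMarketplaceImage`, it does not say whether anything has to be set in `constellation-conf.yaml`. Link the relevant portal or docs page and state explicitly that no `useMarketplaceImage` setting applies under `provider.openstack`, if that is the case.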
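Review bot: The product.md hunk at `@@ -6,7 +6,7 @@` adds STACKIT to the supported clouds but leaves the next sentence, "Support for OpenStack-based environments is coming with a future release", untouched; since STACKIT is configured under `provider.openstack` and uses the OpenStack Cinder CSI driver elsewhere in this patch, the sentence now contradicts the line it follows. Either remove it or reword it to say that generic (non-STACKIT) OpenStack deployments are not yet supported.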
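Review bot: The added line "STACKIT currently only offers SEV-enabled CPUs in the `eu01-1` zone" in the config.md hunk at `@@ -109,11 +126,13 @@` sits right after the Azure sentence about `zone` being empty by default, but does not say what the field holds for STACKIT: whether `constellation config generate stackit` prefills `zone: eu01-1` or the user must set it by hand. State the expected value and whether an empty field is accepted. The instance-type hunk above it at `@@ -67,6 +74,16 @@` should also say how the SEV-enabled flavors can be recognized in the linked list (the default `m1a.8d-sev` suggests a naming convention), since "any of the SEV-enabled instance types" is otherwise not actionable.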
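Review bot: Both config.md hunks at `@@ -191,6 +210,11 @@` and `@@ -297,6 +321,11 @@` say "STACKIT requires manual creation and configuration of service accounts. Look at the first steps", but the actual creation steps (UAT, `clouds.yaml`, service account, `editor` role, `credentials.json`) live in install.md; first-steps.md itself only forwards to the install step. Link install.md's credentials section directly, and say in the second hunk, which documents the configuration fields, which `provider.openstack` fields the UAT and service account map to rather than repeating the first hunk verbatim.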
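Review bot: "ext-4 filesystem" in both storage-class bullets of the storage.md hunk at `@@ -140,6 +147,35 @@` should be `ext4`, matching the `csi.storage.k8s.io/fstype: ext4-integrity` parameter named in the info box below. Both classes also list the same `storage_premium_perf1` disk type while the text says `encrypted-rwo` is the default "for performance reasons"; make explicit that the difference is the overhead of integrity protection, not a different disk tier, so readers do not go looking for a faster plan.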