docs: add STACKIT

This commit is contained in:
Malte Poll 2024-02-20 11:09:37 +01:00
parent b2ab5869b3
commit 4b3d9e15a5
7 changed files with 133 additions and 6 deletions

View File

@ -41,6 +41,14 @@ If you encounter any problem with the following steps, make sure to use the [lat
</tabItem>
<tabItem value="stackit" label="STACKIT">
```bash
constellation config generate stackit
```
</tabItem>
</tabs>
2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration).
@ -109,6 +117,19 @@ If you encounter any problem with the following steps, make sure to use the [lat
You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
</tabItem>
<tabItem value="stackit" label="STACKIT">
To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md).
After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`:
- `projectID`: OpenStack project id (can be found in `clouds.yaml` or `openrc` file of UAT)
- `projectName`: OpenStack project name (can be found in `clouds.yaml` or `openrc` file of UAT)
- `stackitProjectID`: STACKIT project id (can be found after login on <https://portal.stackit.cloud>)
- `username`: username of the UAT
- `password`: password of the UAT
</tabItem>
</tabs>

View File

@ -9,7 +9,7 @@ Make sure the following requirements are met:
* Your machine is running Linux or macOS
* You have admin rights on your machine
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or STACKIT
## Install the Constellation CLI
@ -291,6 +291,14 @@ The built-in `PowerUserAccess` policy is a superset of these permissions.
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
</tabItem>
<tabItem value="stackit" label="STACKIT">
Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account.
The UAT already has all required permissions by default.
The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers.
Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role.
</tabItem>
</tabs>
@ -360,6 +368,34 @@ aws configure
Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
</tabItem>
<tabItem value="stackit" label="STACKIT">
You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API).
1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API
2. Create a configuration file under `~/.config/openstack/clouds.yaml` with the credentials from the User Access Token
```yaml
clouds:
stackit:
auth:
auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3
username: REPLACE_WITH_UAT_USERNAME
password: REPLACE_WITH_UAT_PASSWORD
project_id: REPLACE_WITH_STACKIT_PROJECT_ID
project_name: REPLACE_WITH_STACKIT_PROJECT_NAME
user_domain_name: portal_mvp
project_domain_name: portal_mvp
region_name: RegionOne
identity_api_version: 3
```
3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token
4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html)
5. Create a configuration file under `~/.stackit/credentials.json`
```json
{"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
```
</tabItem>
</tabs>

View File

@ -1,6 +1,6 @@
# Using Constellation via Cloud Marketplaces
Constellation is available through the Marketplaces of AWS, Azure, and GCP. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
This document explains how to run Constellation with the dynamically billed cloud marketplace images.
@ -43,6 +43,11 @@ Then, enable the use of marketplace images in your Constellation `constellation-
yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
```
</tabItem>
<tabItem value="stackit" label="STACKIT">
On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal.
</tabItem>
</tabs>

View File

@ -30,4 +30,4 @@ Once you have received your Enterprise License file, place it in your [Constella
## CSP Marketplaces
Constellation is available through the Marketplaces of AWS, Azure, and GCP. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).

View File

@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet
From an operational perspective, Constellation provides the following key features:
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.

View File

@ -35,6 +35,13 @@ constellation config generate gcp
constellation config generate aws
```
</tabItem>
<tabItem value="stackit" label="STACKIT">
```bash
constellation config generate stackit
```
</tabItem>
</tabs>
@ -67,6 +74,16 @@ If you are using the attestation variant `awsNitroTPM`, you can choose any of th
The Constellation CLI can also print the supported instance types with: `constellation config instance-types`.
</tabItem>
<tabItem value="stackit" label="STACKIT">
By default, Constellation uses `m1a.8d-sev` VMs (8 vCPUs, 64 GB RAM) to create your cluster.
Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file.
You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html).
The Constellation CLI can also print the supported instance types with: `constellation config instance-types`.
</tabItem>
</tabs>
@ -109,11 +126,13 @@ This configuration creates an additional node group `high_cpu` with a larger ins
You can use the field `zone` to specify what availability zone nodes of the group are placed in.
On Azure, this field is empty by default and nodes are automatically spread across availability zones.
STACKIT currently only offers SEV-enabled CPUs in the `eu01-1` zone.
Consult the documentation of your cloud provider for more information:
* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/)
* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones)
* [GCP](https://cloud.google.com/compute/docs/regions-zones)
* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html)
## Choosing a Kubernetes version
@ -191,6 +210,11 @@ You can find a list of all [regions in AWS's documentation](https://docs.aws.ama
Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
</tabItem>
<tabItem value="stackit" label="STACKIT">
STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information.
</tabItem>
</tabs>
@ -297,6 +321,11 @@ The following describes the configuration fields and how you obtain the required
</tabItem>
<tabItem value="stackit" label="STACKIT">
STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information.
</tabItem>
</tabs>
</details>

View File

@ -9,11 +9,11 @@ Cloud service providers (CSPs) offer their own CSI-based solutions for cloud sto
## Confidential storage
Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek).
Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, and GCP.
Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT.
However, their encryption takes place in the storage backend and is managed by the CSP.
Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data.
To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, and GCE PD, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage.
To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage.
For more details see [encrypted persistent storage](../architecture/encrypted-storage.md).
@ -43,6 +43,13 @@ Follow the instructions on how to [install the Constellation CSI driver](#instal
Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster.
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information.
</tabItem>
<tabItem value="stackit" label="STACKIT">
**Constellation CSI driver for STACKIT / OpenStack Cinder**
Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster.
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information.
</tabItem>
</tabs>
@ -140,6 +147,35 @@ Note that volume expansion isn't supported for integrity-protected disks.
:::
</tabItem>
<tabItem value="stackit" label="STACKIT">
STACKIT comes with two storage classes by default.
* `encrypted-rwo`
* Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html)
* ext-4 filesystem
* Encryption of all data written to disk
* `integrity-encrypted-rwo`
* Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html)
* ext-4 filesystem
* Encryption of all data written to disk
* Integrity protection of data written to disk
For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms).
:::info
The default storage class is set to `encrypted-rwo` for performance reasons.
If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`.
Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`.
Note that volume expansion isn't supported for integrity-protected disks.
:::
</tabItem>
</tabs>