mirror of https://github.com/edgelesssys/constellation.git
synced 2025-01-23 13:51:06 -05:00

docs: add STACKIT

This commit is contained in:
parent b2ab5869b3
commit 4b3d9e15a5
@ -41,6 +41,14 @@ If you encounter any problem with the following steps, make sure to use the [lat

</tabItem>

<tabItem value="stackit" label="STACKIT">

```bash
constellation config generate stackit
```

</tabItem>

</tabs>

2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration).
@ -109,6 +117,19 @@ If you encounter any problem with the following steps, make sure to use the [lat

You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).

</tabItem>

<tabItem value="stackit" label="STACKIT">

To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md).
After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`:

- `projectID`: OpenStack project id (can be found in `clouds.yaml` or `openrc` file of UAT)
- `projectName`: OpenStack project name (can be found in `clouds.yaml` or `openrc` file of UAT)
- `stackitProjectID`: STACKIT project id (can be found after login on <https://portal.stackit.cloud>)
- `username`: username of the UAT
- `password`: password of the UAT

</tabItem>
</tabs>

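Review bot: the `username` and `password` bullets put the UAT's plaintext credentials into `constellation-conf.yaml`, which none of the other CSP tabs require; add a sentence that the config file now holds a long-lived OpenStack credential and must be kept out of version control and readable only by the operator. Two smaller points in the same lines: "After creating the accounts" follows a sentence that mentions only the UAT, so say which accounts are meant (the UAT and the STACKIT service account from the install page); and `projectID` and `stackitProjectID` are different identifiers, so state explicitly that the OpenStack project id from `clouds.yaml` is not the project id shown in the portal.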
@ -9,7 +9,7 @@ Make sure the following requirements are met:
* Your machine is running Linux or macOS
* You have admin rights on your machine
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or STACKIT

## Install the Constellation CLI

@ -291,6 +291,14 @@ The built-in `PowerUserAccess` policy is a superset of these permissions.

Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).

</tabItem>
<tabItem value="stackit" label="STACKIT">

Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account.
The UAT already has all required permissions by default.
The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers.
Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role.

</tabItem>
</tabs>

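Review bot: "The UAT already has all required permissions by default." describes sufficiency, not scope; the UAT is a username/password credential for the whole OpenStack project, and the same secret is later written into `constellation-conf.yaml`, so say that it should be a UAT created specifically for Constellation rather than a personal one. Likewise, `editor` is justified only by creating load balancers; if STACKIT offers no narrower role for that, say so, otherwise name the narrower role. Minor: "Look at the STACKIT documentation" reads better as "See the STACKIT documentation".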
@ -360,6 +368,34 @@ aws configure

Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).

</tabItem>
<tabItem value="stackit" label="STACKIT">

You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API).

1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API
2. Create a configuration file under `~/.config/openstack/clouds.yaml` with the credentials from the User Access Token
```yaml
clouds:
stackit:
auth:
auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3
username: REPLACE_WITH_UAT_USERNAME
password: REPLACE_WITH_UAT_PASSWORD
project_id: REPLACE_WITH_STACKIT_PROJECT_ID
project_name: REPLACE_WITH_STACKIT_PROJECT_NAME
user_domain_name: portal_mvp
project_domain_name: portal_mvp
region_name: RegionOne
identity_api_version: 3
```
3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token
4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html)
5. Create a configuration file under `~/.stackit/credentials.json`
```json
{"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
```

</tabItem>

</tabs>
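Review bot: the placeholders `REPLACE_WITH_STACKIT_PROJECT_ID` and `REPLACE_WITH_STACKIT_PROJECT_NAME` in the `clouds.yaml` block contradict the first-steps page, which defines `projectID`/`projectName` as the OpenStack project id and name taken from the UAT's `clouds.yaml` and keeps `stackitProjectID` (from the portal) as a separate field; rename them to `REPLACE_WITH_OPENSTACK_PROJECT_ID` and `REPLACE_WITH_OPENSTACK_PROJECT_NAME` so readers do not paste the portal id into the OpenStack auth block. Step 5 writes a long-lived bearer token to `~/.stackit/credentials.json`; add a sentence restricting the file to its owner, for example `chmod 600 ~/.stackit/credentials.json`. Step 4 links the same page as step 3; if the role assignment is documented elsewhere, link that page instead.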
@ -1,6 +1,6 @@
# Using Constellation via Cloud Marketplaces

Constellation is available through the Marketplaces of AWS, Azure, and GCP. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).

This document explains how to run Constellation with the dynamically billed cloud marketplace images.

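Review bot: the sentence now asserts that STACKIT clusters are "billed on a pay-per-use basis (hourly, per vCPU)", but nothing else in this commit supports that for STACKIT; the STACKIT tab added later in this file says only that the image is always a marketplace image. Either confirm the billing model for STACKIT or qualify the sentence so the hourly, per-vCPU claim applies to the three providers it was written for.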
@ -43,6 +43,11 @@ Then, enable the use of marketplace images in your Constellation `constellation-
yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
```

</tabItem>
<tabItem value="stackit" label="STACKIT">

On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal.

</tabItem>
</tabs>

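Review bot: "You can find more information on the STACKIT portal." is the only tab with neither a link nor a command; link the portal (the first-steps page uses <https://portal.stackit.cloud>) and state whether the `useMarketplaceImage` flag shown in the GCP tab above is accepted, ignored or rejected under `provider.openstack`, otherwise readers will look for a STACKIT equivalent of the `yq` line.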
@ -30,4 +30,4 @@ Once you have received your Enterprise License file, place it in your [Constella

## CSP Marketplaces

Constellation is available through the Marketplaces of AWS, Azure, and GCP. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet

From an operational perspective, Constellation provides the following key features:

* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
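Review bot: the new bullet says Constellation works on STACKIT and then, unchanged, that "Support for OpenStack-based environments is coming with a future release"; elsewhere in this commit STACKIT is configured under `provider.openstack` and uses the OpenStack Cinder CSI driver, so the two clauses now contradict each other. Reword to "Support for other OpenStack-based environments is coming with a future release" or drop the clause.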
@ -35,6 +35,13 @@ constellation config generate gcp
constellation config generate aws
```

</tabItem>
<tabItem value="stackit" label="STACKIT">

```bash
constellation config generate stackit
```

</tabItem>
</tabs>

@ -67,6 +74,16 @@ If you are using the attestation variant `awsNitroTPM`, you can choose any of th

The Constellation CLI can also print the supported instance types with: `constellation config instance-types`.

</tabItem>
<tabItem value="stackit" label="STACKIT">

By default, Constellation uses `m1a.8d-sev` VMs (8 vCPUs, 64 GB RAM) to create your cluster.
Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file.

You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html).

The Constellation CLI can also print the supported instance types with: `constellation config instance-types`.

</tabItem>
</tabs>

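Review bot: "You can choose any of the SEV-enabled instance types" leaves open which SEV generation the `-sev` flavors provide, and that determines what the attestation actually proves; the AWS tab above ties the instance choice to its attestation variant (`awsNitroTPM`), so do the same here: name the attestation variant that `constellation config generate stackit` sets and state which SEV feature set the listed flavors must offer.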
@ -109,11 +126,13 @@ This configuration creates an additional node group `high_cpu` with a larger ins

You can use the field `zone` to specify what availability zone nodes of the group are placed in.
On Azure, this field is empty by default and nodes are automatically spread across availability zones.
STACKIT currently only offers SEV-enabled CPUs in the `eu01-1` zone.
Consult the documentation of your cloud provider for more information:

* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/)
* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones)
* [GCP](https://cloud.google.com/compute/docs/regions-zones)
* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html)

## Choosing a Kubernetes version

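Review bot: "STACKIT currently only offers SEV-enabled CPUs in the `eu01-1` zone." states the constraint but not what the reader has to do about it: say whether `constellation config generate stackit` already sets `zone: eu01-1` on the node groups or whether the reader must set it, since the preceding line documents an empty default for Azure and readers will assume the same applies here.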
@ -191,6 +210,11 @@ You can find a list of all [regions in AWS's documentation](https://docs.aws.ama

Paste the output into the corresponding fields of the `constellation-conf.yaml` file.

</tabItem>
<tabItem value="stackit" label="STACKIT">

STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information.

</tabItem>
</tabs>

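Review bot: this tab sends readers to the first-steps page, whose STACKIT tab (first hunk of this commit) sends them back to `config.md#creating-an-iam-configuration`; the steps that actually create the UAT and the service account are in the install page's STACKIT tab, so link there (`../getting-started/install.md`) instead. The identical sentence in the next hunk of this file has the same circular reference.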
@ -297,6 +321,11 @@ The following describes the configuration fields and how you obtain the required

</tabItem>

<tabItem value="stackit" label="STACKIT">

STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information.

</tabItem>
</tabs>
</details>

@ -9,11 +9,11 @@ Cloud service providers (CSPs) offer their own CSI-based solutions for cloud sto
## Confidential storage

Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek).
Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, and GCP.
Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT.
However, their encryption takes place in the storage backend and is managed by the CSP.
Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data.

To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, and GCE PD, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage.
To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage.

For more details see [encrypted persistent storage](../architecture/encrypted-storage.md).

@ -43,6 +43,13 @@ Follow the instructions on how to [install the Constellation CSI driver](#instal
Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster.
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information.

</tabItem>
<tabItem value="stackit" label="STACKIT">

**Constellation CSI driver for STACKIT / OpenStack Cinder**
Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster.
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information.

</tabItem>
</tabs>

@ -140,6 +147,35 @@ Note that volume expansion isn't supported for integrity-protected disks.

:::

</tabItem>
<tabItem value="stackit" label="STACKIT">

STACKIT comes with two storage classes by default.

* `encrypted-rwo`
* Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html)
* ext-4 filesystem
* Encryption of all data written to disk
* `integrity-encrypted-rwo`
* Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html)
* ext-4 filesystem
* Encryption of all data written to disk
* Integrity protection of data written to disk

For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms).

:::info

The default storage class is set to `encrypted-rwo` for performance reasons.
If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`.

Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`.

Note that volume expansion isn't supported for integrity-protected disks.

:::

</tabItem>
</tabs>

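Review bot: "ext-4 filesystem" in both storage-class bullet lists should be `ext4`, the spelling the same hunk uses in `csi.storage.k8s.io/fstype: ext4-integrity`; the hyphenated form is not a filesystem name and obscures the link to the `fstype` parameter. The two lists are otherwise identical, so consider stating the shared properties once and listing only the added integrity protection under `integrity-encrypted-rwo`.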