mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-25 07:29:38 -05:00
docs: add STACKIT
This commit is contained in:
parent
b2ab5869b3
commit
4b3d9e15a5
@ -41,6 +41,14 @@ If you encounter any problem with the following steps, make sure to use the [lat
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
```bash
|
||||||
|
constellation config generate stackit
|
||||||
|
```
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration).
|
2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration).
|
||||||
@ -109,6 +117,19 @@ If you encounter any problem with the following steps, make sure to use the [lat
|
|||||||
|
|
||||||
You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
|
You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md).
|
||||||
|
After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`:
|
||||||
|
|
||||||
|
- `projectID`: OpenStack project id (can be found in `clouds.yaml` or `openrc` file of UAT)
|
||||||
|
- `projectName`: OpenStack project name (can be found in `clouds.yaml` or `openrc` file of UAT)
|
||||||
|
- `stackitProjectID`: STACKIT project id (can be found after login on <https://portal.stackit.cloud>)
|
||||||
|
- `username`: username of the UAT
|
||||||
|
- `password`: password of the UAT
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
|
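Review bot: The sentence "the cluster will use the User Access Token (UAT) that's generated [during the install step]" reads awkwardly and does not say what the reader has to do; consider "Constellation on STACKIT authenticates to the OpenStack API with the User Access Token (UAT) you created during the install step." More importantly, `username` and `password` of the UAT now land in plaintext in `constellation-conf.yaml`, which the other provider tabs treat as a shareable config file; add a sentence that the file contains a live credential and must be kept out of version control and restricted in permissions, or point to wherever the docs describe handling of secrets in the config.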
@ -9,7 +9,7 @@ Make sure the following requirements are met:
|
|||||||
* Your machine is running Linux or macOS
|
* Your machine is running Linux or macOS
|
||||||
* You have admin rights on your machine
|
* You have admin rights on your machine
|
||||||
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
* [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||||
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
|
* Your CSP is Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or STACKIT
|
||||||
|
|
||||||
## Install the Constellation CLI
|
## Install the Constellation CLI
|
||||||
|
|
||||||
@ -291,6 +291,14 @@ The built-in `PowerUserAccess` policy is a superset of these permissions.
|
|||||||
|
|
||||||
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account.
|
||||||
|
The UAT already has all required permissions by default.
|
||||||
|
The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers.
|
||||||
|
Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role.
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
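Review bot: "The UAT already has all required permissions by default" and "needs the `editor` role to create STACKIT LoadBalancers" leave the least-privilege question open that the AWS tab directly above answers (it lists the required permissions and notes that `PowerUserAccess` is a superset). State which permissions the service account actually needs and whether `editor` is the narrowest STACKIT role that covers LoadBalancer creation, or say explicitly that `editor` is broader than required and why it is used.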
@ -360,6 +368,34 @@ aws configure
|
|||||||
|
|
||||||
Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
|
Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API).
|
||||||
|
|
||||||
|
1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API
|
||||||
|
2. Create a configuration file under `~/.config/openstack/clouds.yaml` with the credentials from the User Access Token
|
||||||
|
```yaml
|
||||||
|
clouds:
|
||||||
|
stackit:
|
||||||
|
auth:
|
||||||
|
auth_url: https://keystone.api.iaas.eu01.stackit.cloud/v3
|
||||||
|
username: REPLACE_WITH_UAT_USERNAME
|
||||||
|
password: REPLACE_WITH_UAT_PASSWORD
|
||||||
|
project_id: REPLACE_WITH_STACKIT_PROJECT_ID
|
||||||
|
project_name: REPLACE_WITH_STACKIT_PROJECT_NAME
|
||||||
|
user_domain_name: portal_mvp
|
||||||
|
project_domain_name: portal_mvp
|
||||||
|
region_name: RegionOne
|
||||||
|
identity_api_version: 3
|
||||||
|
```
|
||||||
|
3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token
|
||||||
|
4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html)
|
||||||
|
5. Create a configuration file under `~/.stackit/credentials.json`
|
||||||
|
```json
|
||||||
|
{"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
|
||||||
|
```
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
</tabs>
|
</tabs>
|
||||||
|
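Review bot: The placeholder `project_id: REPLACE_WITH_STACKIT_PROJECT_ID` in the `clouds.yaml` example contradicts the configuration hunk earlier in this commit, which distinguishes `projectID` (OpenStack project id, found in `clouds.yaml`) from `stackitProjectID` (STACKIT project id, found in the portal); the Keystone `project_id` is the OpenStack one, so rename the placeholder to `REPLACE_WITH_OPENSTACK_PROJECT_ID` and do the same for `project_name`. Since both `~/.config/openstack/clouds.yaml` and `~/.stackit/credentials.json` hold long-lived secrets, steps 2 and 5 should also tell the reader to restrict the files to the owner (e.g. `chmod 600`). Steps 3 and 4 link to the same page; fold them into one step or link step 4 to the role-assignment section.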
@ -1,6 +1,6 @@
|
|||||||
# Using Constellation via Cloud Marketplaces
|
# Using Constellation via Cloud Marketplaces
|
||||||
|
|
||||||
Constellation is available through the Marketplaces of AWS, Azure, and GCP. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
|
Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
|
||||||
|
|
||||||
This document explains how to run Constellation with the dynamically billed cloud marketplace images.
|
This document explains how to run Constellation with the dynamically billed cloud marketplace images.
|
||||||
|
|
||||||
@ -43,6 +43,11 @@ Then, enable the use of marketplace images in your Constellation `constellation-
|
|||||||
yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
|
yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal.
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
|
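Review bot: "You can find more information on the STACKIT portal" is vague compared with the other tabs, which give a concrete `yq` command; link to the relevant portal or documentation page, and state whether `provider.openstack` has a `useMarketplaceImage` field at all (and that it is ignored or unnecessary on STACKIT), so readers following the Azure/GCP pattern know there is nothing to set.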
@ -30,4 +30,4 @@ Once you have received your Enterprise License file, place it in your [Constella
|
|||||||
|
|
||||||
## CSP Marketplaces
|
## CSP Marketplaces
|
||||||
|
|
||||||
Constellation is available through the Marketplaces of AWS, Azure, and GCP. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
|
Constellation is available through the Marketplaces of AWS, Azure, GCP, and STACKIT. This allows you to create self-managed Constellation clusters that are billed on a pay-per-use basis (hourly, per vCPU) with your CSP account. You can still get direct support by Edgeless Systems. For more information, please [contact us](https://www.edgeless.systems/enterprise-support/).
|
||||||
|
@ -6,7 +6,7 @@ From a security perspective, Constellation implements the [Confidential Kubernet
|
|||||||
|
|
||||||
From an operational perspective, Constellation provides the following key features:
|
From an operational perspective, Constellation provides the following key features:
|
||||||
|
|
||||||
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), and STACKIT. Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
|
||||||
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
* **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
|
||||||
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
* **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
|
||||||
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
* **Support for Terraform**: Constellation includes a [Terraform provider](../workflows/terraform-provider.md) that lets you manage the full lifecycle of your cluster via Terraform.
|
||||||
|
@ -35,6 +35,13 @@ constellation config generate gcp
|
|||||||
constellation config generate aws
|
constellation config generate aws
|
||||||
```
|
```
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
```bash
|
||||||
|
constellation config generate stackit
|
||||||
|
```
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
@ -67,6 +74,16 @@ If you are using the attestation variant `awsNitroTPM`, you can choose any of th
|
|||||||
|
|
||||||
The Constellation CLI can also print the supported instance types with: `constellation config instance-types`.
|
The Constellation CLI can also print the supported instance types with: `constellation config instance-types`.
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
By default, Constellation uses `m1a.8d-sev` VMs (8 vCPUs, 64 GB RAM) to create your cluster.
|
||||||
|
Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file.
|
||||||
|
|
||||||
|
You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html).
|
||||||
|
|
||||||
|
The Constellation CLI can also print the supported instance types with: `constellation config instance-types`.
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
@ -109,11 +126,13 @@ This configuration creates an additional node group `high_cpu` with a larger ins
|
|||||||
|
|
||||||
You can use the field `zone` to specify what availability zone nodes of the group are placed in.
|
You can use the field `zone` to specify what availability zone nodes of the group are placed in.
|
||||||
On Azure, this field is empty by default and nodes are automatically spread across availability zones.
|
On Azure, this field is empty by default and nodes are automatically spread across availability zones.
|
||||||
|
STACKIT currently only offers SEV-enabled CPUs in the `eu01-1` zone.
|
||||||
Consult the documentation of your cloud provider for more information:
|
Consult the documentation of your cloud provider for more information:
|
||||||
|
|
||||||
* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/)
|
* [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/)
|
||||||
* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones)
|
* [Azure](https://azure.microsoft.com/en-us/explore/global-infrastructure/availability-zones)
|
||||||
* [GCP](https://cloud.google.com/compute/docs/regions-zones)
|
* [GCP](https://cloud.google.com/compute/docs/regions-zones)
|
||||||
|
* [STACKIT](https://docs.stackit.cloud/stackit/en/regions-and-availability-zones-75137212.html)
|
||||||
|
|
||||||
## Choosing a Kubernetes version
|
## Choosing a Kubernetes version
|
||||||
|
|
||||||
@ -191,6 +210,11 @@ You can find a list of all [regions in AWS's documentation](https://docs.aws.ama
|
|||||||
|
|
||||||
Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
|
Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information.
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
@ -297,6 +321,11 @@ The following describes the configuration fields and how you obtain the required
|
|||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
|
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information.
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
</tabs>
|
</tabs>
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
@ -9,11 +9,11 @@ Cloud service providers (CSPs) offer their own CSI-based solutions for cloud sto
|
|||||||
## Confidential storage
|
## Confidential storage
|
||||||
|
|
||||||
Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek).
|
Most cloud storage solutions support encryption, such as [GCE Persistent Disks (PD)](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek).
|
||||||
Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, and GCP.
|
Constellation supports the available CSI-based storage options for Kubernetes engines in AWS, Azure, GCP, and STACKIT.
|
||||||
However, their encryption takes place in the storage backend and is managed by the CSP.
|
However, their encryption takes place in the storage backend and is managed by the CSP.
|
||||||
Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data.
|
Thus, using the default CSI drivers for these storage types means trusting the CSP with your persistent data.
|
||||||
|
|
||||||
To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, and GCE PD, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage.
|
To address this, Constellation provides CSI drivers for AWS EBS, Azure Disk, GCE PD, and OpenStack Cinder, offering [encryption on the node level](../architecture/keys.md#storage-encryption). They enable transparent encryption for persistent volumes without needing to trust the cloud backend. Plaintext data never leaves the confidential VM context, offering you confidential storage.
|
||||||
|
|
||||||
For more details see [encrypted persistent storage](../architecture/encrypted-storage.md).
|
For more details see [encrypted persistent storage](../architecture/encrypted-storage.md).
|
||||||
|
|
||||||
@ -43,6 +43,13 @@ Follow the instructions on how to [install the Constellation CSI driver](#instal
|
|||||||
Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster.
|
Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster.
|
||||||
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information.
|
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information.
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
**Constellation CSI driver for STACKIT / OpenStack Cinder**
|
||||||
|
Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster.
|
||||||
|
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information.
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
@ -140,6 +147,35 @@ Note that volume expansion isn't supported for integrity-protected disks.
|
|||||||
|
|
||||||
:::
|
:::
|
||||||
|
|
||||||
|
</tabItem>
|
||||||
|
<tabItem value="stackit" label="STACKIT">
|
||||||
|
|
||||||
|
STACKIT comes with two storage classes by default.
|
||||||
|
|
||||||
|
* `encrypted-rwo`
|
||||||
|
* Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html)
|
||||||
|
* ext-4 filesystem
|
||||||
|
* Encryption of all data written to disk
|
||||||
|
* `integrity-encrypted-rwo`
|
||||||
|
* Uses [disks of `storage_premium_perf1` type](https://docs.stackit.cloud/stackit/en/service-plans-blockstorage-75137974.html)
|
||||||
|
* ext-4 filesystem
|
||||||
|
* Encryption of all data written to disk
|
||||||
|
* Integrity protection of data written to disk
|
||||||
|
|
||||||
|
For more information on encryption algorithms and key sizes, refer to [cryptographic algorithms](../architecture/encrypted-storage.md#cryptographic-algorithms).
|
||||||
|
|
||||||
|
:::info
|
||||||
|
|
||||||
|
The default storage class is set to `encrypted-rwo` for performance reasons.
|
||||||
|
If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`.
|
||||||
|
|
||||||
|
Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`.
|
||||||
|
Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`.
|
||||||
|
|
||||||
|
Note that volume expansion isn't supported for integrity-protected disks.
|
||||||
|
|
||||||
|
:::
|
||||||
|
|
||||||
</tabItem>
|
</tabItem>
|
||||||
</tabs>
|
</tabs>
|
||||||
|
|
||||||
|
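Review bot: The storage class bullets spell the filesystem `ext-4`, while the `:::info` block in the same tab uses `csi.storage.k8s.io/fstype: ext4-integrity`; use `ext4` consistently so the bullet matches the parameter value users will type. The duplicated sub-bullets under `encrypted-rwo` and `integrity-encrypted-rwo` could also be collapsed into "same as `encrypted-rwo`, plus integrity protection" to make the one difference stand out.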