Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-05-02 14:26:23 -04:00
Code Issues Projects Releases Packages Wiki Activity

docs: add release v2.14.0 (#2734)

Browse source 
Co-authored-by: burgerdev <burgerdev@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
This commit is contained in:
edgelessci 2023-12-19 17:05:40 +01:00 committed by GitHub
parent ae6b22a143
commit 6b2c00693c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
73 changed files with 8573 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

842
docs/versioned_docs/version-2.14/reference/cli.md Normal file
View file

@ -0,0 +1,842 @@
# CLI reference
<!-- This file is generated by constellation/hack/clidocgen via update-cli-reference.yml workflow. Don't edit manually. -->
Use the Constellation CLI to create and manage your clusters.
Usage:
```
constellation [command]
```
Commands:
* [config](#constellation-config): Work with the Constellation configuration file
* [generate](#constellation-config-generate): Generate a default configuration and state file
* [fetch-measurements](#constellation-config-fetch-measurements): Fetch measurements for configured cloud provider and image
* [instance-types](#constellation-config-instance-types): Print the supported instance types for all cloud providers
* [kubernetes-versions](#constellation-config-kubernetes-versions): Print the Kubernetes versions supported by this CLI
* [migrate](#constellation-config-migrate): Migrate a configuration file to a new version
* [create](#constellation-create): Create instances on a cloud platform for your Constellation cluster
* [apply](#constellation-apply): Apply a configuration to a Constellation cluster
* [mini](#constellation-mini): Manage MiniConstellation clusters
* [up](#constellation-mini-up): Create and initialize a new MiniConstellation cluster
* [down](#constellation-mini-down): Destroy a MiniConstellation cluster
* [status](#constellation-status): Show status of a Constellation cluster
* [verify](#constellation-verify): Verify the confidential properties of a Constellation cluster
* [upgrade](#constellation-upgrade): Find and apply upgrades to your Constellation cluster
* [check](#constellation-upgrade-check): Check for possible upgrades
* [apply](#constellation-upgrade-apply): Apply an upgrade to a Constellation cluster
* [recover](#constellation-recover): Recover a completely stopped Constellation cluster
* [terminate](#constellation-terminate): Terminate a Constellation cluster
* [iam](#constellation-iam): Work with the IAM configuration on your cloud provider
* [create](#constellation-iam-create): Create IAM configuration on a cloud platform for your Constellation cluster
* [aws](#constellation-iam-create-aws): Create IAM configuration on AWS for your Constellation cluster
* [azure](#constellation-iam-create-azure): Create IAM configuration on Microsoft Azure for your Constellation cluster
* [gcp](#constellation-iam-create-gcp): Create IAM configuration on GCP for your Constellation cluster
* [destroy](#constellation-iam-destroy): Destroy an IAM configuration and delete local Terraform files
* [upgrade](#constellation-iam-upgrade): Find and apply upgrades to your IAM profile
* [apply](#constellation-iam-upgrade-apply): Apply an upgrade to an IAM profile
* [version](#constellation-version): Display version of this CLI
* [init](#constellation-init): Initialize the Constellation cluster
## constellation config
Work with the Constellation configuration file
### Synopsis
Work with the Constellation configuration file.
### Options
```
-h, --help help for config
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation config generate
Generate a default configuration and state file
### Synopsis
Generate a default configuration and state file for your selected cloud provider.
```
constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags]
```
### Options
```
-a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-trustedlaunch|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used
-h, --help help for generate
-k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.27")
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation config fetch-measurements
Fetch measurements for configured cloud provider and image
### Synopsis
Fetch measurements for configured cloud provider and image.
A config needs to be generated first.
```
constellation config fetch-measurements [flags]
```
### Options
```
-h, --help help for fetch-measurements
-s, --signature-url string alternative URL to fetch measurements' signature from
-u, --url string alternative URL to fetch measurements from
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation config instance-types
Print the supported instance types for all cloud providers
### Synopsis
Print the supported instance types for all cloud providers.
```
constellation config instance-types [flags]
```
### Options
```
-h, --help help for instance-types
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation config kubernetes-versions
Print the Kubernetes versions supported by this CLI
### Synopsis
Print the Kubernetes versions supported by this CLI.
```
constellation config kubernetes-versions [flags]
```
### Options
```
-h, --help help for kubernetes-versions
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation config migrate
Migrate a configuration file to a new version
### Synopsis
Migrate a configuration file to a new version.
```
constellation config migrate [flags]
```
### Options
```
-h, --help help for migrate
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation create
Create instances on a cloud platform for your Constellation cluster
### Synopsis
Create instances on a cloud platform for your Constellation cluster.
```
constellation create [flags]
```
### Options
```
-h, --help help for create
-y, --yes create the cluster without further confirmation
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation apply
Apply a configuration to a Constellation cluster
### Synopsis
Apply a configuration to a Constellation cluster to initialize or upgrade the cluster.
```
constellation apply [flags]
```
### Options
```
--conformance enable conformance mode
-h, --help help for apply
--merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config
--skip-helm-wait install helm charts without waiting for deployments to be ready
--skip-phases strings comma-separated list of upgrade phases to skip
one or multiple of { infrastructure | init | attestationconfig | certsans | helm | image | k8s }
-y, --yes run command without further confirmation
WARNING: the command might delete or update existing resources without additional checks. Please read the docs.
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation mini
Manage MiniConstellation clusters
### Synopsis
Manage MiniConstellation clusters.
### Options
```
-h, --help help for mini
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation mini up
Create and initialize a new MiniConstellation cluster
### Synopsis
Create and initialize a new MiniConstellation cluster.
A mini cluster consists of a single control-plane and worker node, hosted using QEMU/KVM.
```
constellation mini up [flags]
```
### Options
```
-h, --help help for up
--merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config (default true)
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation mini down
Destroy a MiniConstellation cluster
### Synopsis
Destroy a MiniConstellation cluster.
```
constellation mini down [flags]
```
### Options
```
-h, --help help for down
-y, --yes terminate the cluster without further confirmation
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation status
Show status of a Constellation cluster
### Synopsis
Show the status of a constellation cluster.
Shows microservice, image, and Kubernetes versions installed in the cluster. Also shows status of current version upgrades.
```
constellation status [flags]
```
### Options
```
-h, --help help for status
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation verify
Verify the confidential properties of a Constellation cluster
### Synopsis
Verify the confidential properties of a Constellation cluster.
If arguments aren't specified, values are read from `constellation-state.yaml`.
```
constellation verify [flags]
```
### Options
```
--cluster-id string expected cluster identifier
-h, --help help for verify
-e, --node-endpoint string endpoint of the node to verify, passed as HOST[:PORT]
-o, --output string print the attestation document in the output format {json|raw}
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation upgrade
Find and apply upgrades to your Constellation cluster
### Synopsis
Find and apply upgrades to your Constellation cluster.
### Options
```
-h, --help help for upgrade
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation upgrade check
Check for possible upgrades
### Synopsis
Check which upgrades can be applied to your Constellation Cluster.
```
constellation upgrade check [flags]
```
### Options
```
-h, --help help for check
--ref string the reference to use for querying new versions (default "-")
--stream string the stream to use for querying new versions (default "stable")
-u, --update-config update the specified config file with the suggested versions
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation upgrade apply
Apply an upgrade to a Constellation cluster
### Synopsis
Apply an upgrade to a Constellation cluster by applying the chosen configuration.
```
constellation upgrade apply [flags]
```
### Options
```
--conformance enable conformance mode
-h, --help help for apply
--skip-helm-wait install helm charts without waiting for deployments to be ready
--skip-phases strings comma-separated list of upgrade phases to skip
one or multiple of { infrastructure | helm | image | k8s }
-y, --yes run upgrades without further confirmation
WARNING: might delete your resources in case you are using cert-manager in your cluster. Please read the docs.
WARNING: might unintentionally overwrite measurements in the running cluster.
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation recover
Recover a completely stopped Constellation cluster
### Synopsis
Recover a Constellation cluster by sending a recovery key to an instance in the boot stage.
This is only required if instances restart without other instances available for bootstrapping.
```
constellation recover [flags]
```
### Options
```
-e, --endpoint string endpoint of the instance, passed as HOST[:PORT]
-h, --help help for recover
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation terminate
Terminate a Constellation cluster
### Synopsis
Terminate a Constellation cluster.
The cluster can't be started again, and all persistent storage will be lost.
```
constellation terminate [flags]
```
### Options
```
-h, --help help for terminate
-y, --yes terminate the cluster without further confirmation
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation iam
Work with the IAM configuration on your cloud provider
### Synopsis
Work with the IAM configuration on your cloud provider.
### Options
```
-h, --help help for iam
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation iam create
Create IAM configuration on a cloud platform for your Constellation cluster
### Synopsis
Create IAM configuration on a cloud platform for your Constellation cluster.
### Options
```
-h, --help help for create
--update-config update the config file with the specific IAM information
-y, --yes create the IAM configuration without further confirmation
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation iam create aws
Create IAM configuration on AWS for your Constellation cluster
### Synopsis
Create IAM configuration on AWS for your Constellation cluster.
```
constellation iam create aws [flags]
```
### Options
```
-h, --help help for aws
--prefix string name prefix for all resources (required)
--zone string AWS availability zone the resources will be created in, e.g., us-east-2a (required)
See the Constellation docs for a list of currently supported regions.
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
--update-config update the config file with the specific IAM information
-C, --workspace string path to the Constellation workspace
-y, --yes create the IAM configuration without further confirmation
```
## constellation iam create azure
Create IAM configuration on Microsoft Azure for your Constellation cluster
### Synopsis
Create IAM configuration on Microsoft Azure for your Constellation cluster.
```
constellation iam create azure [flags]
```
### Options
```
-h, --help help for azure
--region string region the resources will be created in, e.g., westus (required)
--resourceGroup string name prefix of the two resource groups your cluster / IAM resources will be created in (required)
--servicePrincipal string name of the service principal that will be created (required)
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
--update-config update the config file with the specific IAM information
-C, --workspace string path to the Constellation workspace
-y, --yes create the IAM configuration without further confirmation
```
## constellation iam create gcp
Create IAM configuration on GCP for your Constellation cluster
### Synopsis
Create IAM configuration on GCP for your Constellation cluster.
```
constellation iam create gcp [flags]
```
### Options
```
-h, --help help for gcp
--projectID string ID of the GCP project the configuration will be created in (required)
Find it on the welcome screen of your project: https://console.cloud.google.com/welcome
--serviceAccountID string ID for the service account that will be created (required)
Must be 6 to 30 lowercase letters, digits, or hyphens.
--zone string GCP zone the cluster will be deployed in (required)
Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
--update-config update the config file with the specific IAM information
-C, --workspace string path to the Constellation workspace
-y, --yes create the IAM configuration without further confirmation
```
## constellation iam destroy
Destroy an IAM configuration and delete local Terraform files
### Synopsis
Destroy an IAM configuration and delete local Terraform files.
```
constellation iam destroy [flags]
```
### Options
```
-h, --help help for destroy
-y, --yes destroy the IAM configuration without asking for confirmation
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation iam upgrade
Find and apply upgrades to your IAM profile
### Synopsis
Find and apply upgrades to your IAM profile.
### Options
```
-h, --help help for upgrade
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation iam upgrade apply
Apply an upgrade to an IAM profile
### Synopsis
Apply an upgrade to an IAM profile.
```
constellation iam upgrade apply [flags]
```
### Options
```
-h, --help help for apply
-y, --yes run upgrades without further confirmation
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation version
Display version of this CLI
### Synopsis
Display version of this CLI.
```
constellation version [flags]
```
### Options
```
-h, --help help for version
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```
## constellation init
Initialize the Constellation cluster
### Synopsis
Initialize the Constellation cluster.
Start your confidential Kubernetes.
```
constellation init [flags]
```
### Options
```
--conformance enable conformance mode
-h, --help help for init
--merge-kubeconfig merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config
--skip-helm-wait install helm charts without waiting for deployments to be ready
```
### Options inherited from parent commands
```
--debug enable debug logging
--force disable version compatibility checks - might result in corrupted clusters
--tf-log string Terraform log level (default "NONE")
-C, --workspace string path to the Constellation workspace
```

85
docs/versioned_docs/version-2.14/reference/migration.md Normal file
View file

@ -0,0 +1,85 @@
# Migrations
This document describes breaking changes and migrations between Constellation releases.
Use [`constellation config migrate`](./cli.md#constellation-config-migrate) to automatically update an old config file to a new format.
## Migrating from Azure's service principal authentication to managed identity authentication
- The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed.
- To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`.
- Otherwise, simply [create new Constellation IAM credentials](../workflows/config.md#creating-an-iam-configuration) and use the created UAMI.
- To migrate the authentication for an existing cluster on Azure to an UAMI with the necessary permissions:
1. Remove the `aadClientId` and `aadClientSecret` from the azureconfig secret.
2. Set `useManagedIdentityExtension` to `true` and use the `userAssignedIdentity` from the Constellation config for the value of `userAssignedIdentityID`.
3. Restart the CSI driver, cloud controller manager, cluster autoscaler, and Constellation operator pods.
## Migrating from CLI versions before 2.10
- AWS cluster upgrades require additional IAM permissions for the newly introduced `aws-load-balancer-controller`. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired.
- The global `nodeGroups` field was added.
- The fields `instanceType`, `stateDiskSizeGB`, and `stateDiskType` for each cloud provider are now part of the configuration of individual node groups.
- The `constellation create` command no longer uses the flags `--control-plane-count` and `--worker-count`. Instead, the initial node count is configured per node group in the `nodeGroups` field.
## Migrating from CLI versions before 2.9
- The `provider.azure.appClientID` and `provider.azure.clientSecretValue` fields were removed to enforce migration to managed identity authentication
## Migrating from CLI versions before 2.8
- The `measurements` field for each cloud service provider was replaced with a global `attestation` field.
- The `confidentialVM`, `idKeyDigest`, and `enforceIdKeyDigest` fields for the Azure cloud service provider were removed in favor of using the global `attestation` field.
- The optional global field `attestationVariant` was replaced by the now required `attestation` field.
## Migrating from CLI versions before 2.3
- The `sshUsers` field was deprecated in v2.2 and has been removed from the configuration in v2.3.
As an alternative for SSH, check the workflow section [Connect to nodes](../workflows/troubleshooting.md#node-shell-access).
- The `image` field for each cloud service provider has been replaced with a global `image` field. Use the following mapping to migrate your configuration:
<details>
<summary>Show all</summary>
| CSP | old image | new image |
| ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
| AWS | `ami-06b8cbf4837a0a57c` | `v2.2.2` |
| AWS | `ami-02e96dc04a9e438cd` | `v2.2.2` |
| AWS | `ami-028ead928a9034b2f` | `v2.2.2` |
| AWS | `ami-032ac10dd8d8266e3` | `v2.2.1` |
| AWS | `ami-032e0d57cc4395088` | `v2.2.1` |
| AWS | `ami-053c3e49e19b96bdd` | `v2.2.1` |
| AWS | `ami-0e27ebcefc38f648b` | `v2.2.0` |
| AWS | `ami-098cd37f66523b7c3` | `v2.2.0` |
| AWS | `ami-04a87d302e2509aad` | `v2.2.0` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.2` | `v2.2.2` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.2` | `v2.2.2` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.1` | `v2.2.1` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.1` | `v2.2.1` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.2.0` | `v2.2.0` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.2.0` | `v2.2.0` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.1.0` | `v2.1.0` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.1.0` | `v2.1.0` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/2.0.0` | `v2.0.0` |
| Azure | `/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.Compute/galleries/Constellation_CVM/images/constellation/versions/2.0.0` | `v2.0.0` |
| GCP | `projects/constellation-images/global/images/constellation-v2-2-2` | `v2.2.2` |
| GCP | `projects/constellation-images/global/images/constellation-v2-2-1` | `v2.2.1` |
| GCP | `projects/constellation-images/global/images/constellation-v2-2-0` | `v2.2.0` |
| GCP | `projects/constellation-images/global/images/constellation-v2-1-0` | `v2.1.0` |
| GCP | `projects/constellation-images/global/images/constellation-v2-0-0` | `v2.0.0` |
</details>
- The `enforcedMeasurements` field has been removed and merged with the `measurements` field.
- To migrate your config containing a new image (`v2.3` or greater), remove the old `measurements` and `enforcedMeasurements` entries from your config and run `constellation fetch-measurements`
- To migrate your config containing an image older than `v2.3`, remove the `enforcedMeasurements` entry and replace the entries in `measurements` as shown in the example below:
```diff
measurements:
- 0: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8=
+ 0:
+ expected: DzXCFGCNk8em5ornNZtKi+Wg6Z7qkQfs5CfE3qTkOc8=
+ warnOnly: true
- 8: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ 8:
+ expected: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ warnOnly: false
-enforcedMeasurements:
- - 8
```

73
docs/versioned_docs/version-2.14/reference/slsa.md Normal file
View file

@ -0,0 +1,73 @@
# Supply chain levels for software artifacts (SLSA) adoption
[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation.
:::info
SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined.
:::
## Level 1 - Adopted
**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)**
All build steps are automated via [Bazel](https://github.com/edgelesssys/constellation/tree/main/bazel/ci) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github).
**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)**
Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator).
## Level 2 - Adopted
**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)**
Constellation is hosted on GitHub using git.
**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)**
All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github).
**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)**
Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time.
**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)**
Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions.
## Level 3 - Adopted
**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)**
The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members.
**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)**
Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required.
The same holds true for changes proposed by team members. Each change to `main` needs to be proposed via a pull request and requires at least one approval.
The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy.
**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)**
All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github).
**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)**
All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). These runners are only available during workflow.
We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners).
**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)**
As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build.
Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs.
**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)**
As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity.
## Level 4 - In Progress
We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4.

37
docs/versioned_docs/version-2.14/reference/terraform.md Normal file
View file

@ -0,0 +1,37 @@
# Terraform usage
[Terraform](https://www.terraform.io/) is an Infrastructure as Code (IaC) framework to manage cloud resources. This page explains how Constellation uses it internally and how advanced users may manually use it to have more control over the resource creation.
:::info
Information on this page is intended for users who are familiar with Terraform.
It's not required for common usage of Constellation.
See the [Terraform documentation](https://developer.hashicorp.com/terraform/docs) if you want to learn more about it.
:::
## Terraform state files
Constellation keeps Terraform state files in subdirectories of the workspace together with the corresponding Terraform configuration files and metadata.
The subdirectories are created on the first Constellation CLI action that uses Terraform internally.
Currently, these subdirectories are:
* `constellation-terraform` - Terraform state files for the resources of the Constellation cluster
* `constellation-iam-terraform` - Terraform state files for IAM configuration
As with all commands, commands that work with these files (e.g., `apply`, `terminate`, `iam`) have to be executed from the root of the cluster's [workspace directory](../architecture/orchestration.md#workspaces). You usually don't need and shouldn't manipulate or delete the subdirectories manually.
## Interacting with Terraform manually
Manual interaction with Terraform state created by Constellation (i.e., via the Terraform CLI) should only be performed by experienced users. It may lead to unrecoverable loss of cloud resources. For the majority of users and use cases, the interaction done by the [Constellation CLI](cli.md) is sufficient.
## Terraform debugging
To debug Terraform issues, the Constellation CLI offers the `tf-log` flag. You can set it to any of [Terraform's log levels](https://developer.hashicorp.com/terraform/internals/debugging):
* `JSON` (JSON-formatted logs at `TRACE` level)
* `TRACE`
* `DEBUG`
* `INFO`
* `WARN`
* `ERROR`
The log output is written to the `terraform.log` file in the workspace directory. The output is appended to the file on each run.