diff --git a/rfc/key-derivation.md b/rfc/001-key-derivation.md similarity index 98% rename from rfc/key-derivation.md rename to rfc/001-key-derivation.md index 1dcc10694..08fe6ea9d 100644 --- a/rfc/key-derivation.md +++ b/rfc/001-key-derivation.md @@ -1,4 +1,4 @@ -# Key derivation +# RFC 001: Key derivation To derive disk-encryption keys and other secret material in a Constellation Kubernetes cluster, we use [HKDF](https://datatracker.ietf.org/doc/html/rfc5869). diff --git a/rfc/proof-of-ownership.md b/rfc/002-proof-of-ownership.md similarity index 98% rename from rfc/proof-of-ownership.md rename to rfc/002-proof-of-ownership.md index bc941ab8e..75bf2e967 100644 --- a/rfc/proof-of-ownership.md +++ b/rfc/002-proof-of-ownership.md @@ -1,4 +1,4 @@ -# Proof of Ownership +# RFC 002: Proof of Ownership A cluster owner needs a way to prove a cluster belongs to them, while a third-party needs to be able to verify the owner's claims. For that, the owner generates a private/public key pair. diff --git a/rfc/secure-software-distribution.md b/rfc/003-secure-software-distribution.md similarity index 98% rename from rfc/secure-software-distribution.md rename to rfc/003-secure-software-distribution.md index a1b11dcb9..8199e3820 100644 --- a/rfc/secure-software-distribution.md +++ b/rfc/003-secure-software-distribution.md @@ -1,4 +1,4 @@ -# Secure Distribution of CLI & Measurements +# RFC 003: Secure Distribution of CLI & Measurements ## Goal / Motivation @@ -104,7 +104,7 @@ measurements and keep them in a file (`measurements.yaml`) compatible with our c Comments should be omitted in final file. They show why certain values might be missing. -Those measurements are signed and uploaded to AWS S3. Stored at a path matching the configured image (see [image API](image-api.md)). +Those measurements are signed and uploaded to AWS S3. Stored at a path matching the configured image (see [image API](009-image-api.md)). ```yaml csp: azure 
diff --git a/rfc/updates.md b/rfc/004-updates.md similarity index 99% rename from rfc/updates.md rename to rfc/004-updates.md index 7bc5e6668..e420bc9d7 100644 --- a/rfc/updates.md +++ b/rfc/004-updates.md @@ -1,4 +1,4 @@ -# Constellation updates +# RFC 004: Constellation updates Things we manage for the user: @@ -292,5 +292,5 @@ If users decide to change specific versions by changing the Kubernetes resources The compatibility information should be separated from the enforcement code. This way a minimal implementation can be created where the compatibility information is embedded into the CLI. -As a next step the information can be served through the [Constellation API](./apis.md). +As a next step the information can be served through the [Constellation API](./008-apis.md). By serving the compatibility information dynamically, faulty versions can be excluded from upgrade paths even after they have been released. diff --git a/rfc/external-kms.md b/rfc/005-external-kms.md similarity index 99% rename from rfc/external-kms.md rename to rfc/005-external-kms.md index ffb57a967..6266ab8af 100644 --- a/rfc/external-kms.md +++ b/rfc/005-external-kms.md @@ -1,4 +1,4 @@ -# External KMS +# RFC 005: External KMS Currently, Constellation only supports [Constellation-managed key management](https://docs.edgeless.systems/constellation/2.0/architecture/keys#constellation-managed-key-management). The owner provides a master secret to the cluster on initialization. diff --git a/rfc/reproducible-builds.md b/rfc/006-reproducible-builds.md similarity index 99% rename from rfc/reproducible-builds.md rename to rfc/006-reproducible-builds.md index b49416b34..fd1849c20 100644 --- a/rfc/reproducible-builds.md +++ b/rfc/006-reproducible-builds.md 
@@ -1,4 +1,4 @@ -# Reproducible Builds +# RFC 006: Reproducible Builds To ensure the security of constellation's supply chain, we need to make our software builds reproducible. This is the only way to ensure a verifiable path from source code to binary. diff --git a/rfc/version-api.md b/rfc/007-version-api.md similarity index 99% rename from rfc/version-api.md rename to rfc/007-version-api.md index 9c3f583db..4c3b9f656 100644 --- a/rfc/version-api.md +++ b/rfc/007-version-api.md @@ -1,4 +1,4 @@ -# Version API +# RFC 007: Version API The version API should expose easy, straightforward, extensible and forward compatible version information to the Constellation CLI (and possibly more consumers). diff --git a/rfc/apis.md b/rfc/008-apis.md similarity index 89% rename from rfc/apis.md rename to rfc/008-apis.md index 1ea71f3ab..fdcd67ee2 100644 --- a/rfc/apis.md +++ b/rfc/008-apis.md @@ -1,4 +1,4 @@ -# Constellation APIs (v1) +# RFC 008: Constellation APIs (v1) ## Base @@ -13,8 +13,8 @@ At this moment, the only valid API version is `v1`: The API version is followed by the API group. Possible values are: -- [`versions`: version information for Constellation components](version-api.md) -- [`image`: metadata for individual Constellation OS images](image-api.md) +- [`versions`: version information for Constellation components](007-version-api.md) +- [`image`: metadata for individual Constellation OS images](009-image-api.md) - `info`: image reference lookup for each cloud provider and additional metadata - `measurements`: TPM measurements for Constellation OS images - `raw`: raw OS images 
@@ -24,15 +24,15 @@ There may be more API groups in the future (e.g. `cli`) ## API paths overview -- [`/constellation/v1/ref//stream//versions/latest/.json`](version-api.md#latest) -- [`/constellation/v1/ref//stream//versions/major//.json`](version-api.md#major-to-minor-version-list) -- [`/constellation/v1/ref//stream//versions/minor//.json`](version-api.md#minor-to-patch-version-list) -- [`/constellation/v1/ref//stream///image/info.json`](image-api.md#image-lookup-table) -- [`/constellation/v1/ref//stream///image/sbom..json`](image-api.md) -- [`/constellation/v1/ref//stream///image/csp//measurements.json`](image-api.md) -- [`/constellation/v1/ref//stream///image/csp//measurements.json.sig`](image-api.md) -- [`/constellation/v1/ref//stream///image/csp//image.raw`](image-api.md) -- [`/constellation/v1/ref//stream///cli/info.json`](cli-api.md#cli-lookup-table) +- [`/constellation/v1/ref//stream//versions/latest/.json`](007-version-api.md#latest) +- [`/constellation/v1/ref//stream//versions/major//.json`](007-version-api.md#major-to-minor-version-list) +- [`/constellation/v1/ref//stream//versions/minor//.json`](007-version-api.md#minor-to-patch-version-list) +- [`/constellation/v1/ref//stream///image/info.json`](009-image-api.md#image-lookup-table) +- [`/constellation/v1/ref//stream///image/sbom..json`](009-image-api.md) +- [`/constellation/v1/ref//stream///image/csp//measurements.json`](009-image-api.md) +- [`/constellation/v1/ref//stream///image/csp//measurements.json.sig`](009-image-api.md) +- [`/constellation/v1/ref//stream///image/csp//image.raw`](009-image-api.md) +- [`/constellation/v1/ref//stream///cli/info.json`](010-cli-api.md#cli-lookup-table) ## API path identifiers `ref`, `stream` and `version` diff --git a/rfc/image-api.md b/rfc/009-image-api.md similarity index 99% rename from rfc/image-api.md rename to rfc/009-image-api.md index b45d713e7..b26684102 100644 --- a/rfc/image-api.md +++ b/rfc/009-image-api.md 
@@ -1,4 +1,4 @@ -# OS image & measurement discovery +# RFC 009: OS image & measurement discovery The Constellation OS image build pipeline generates a set of images using a chosen commit of the Constellation monorepo and a desired release version number. diff --git a/rfc/cli-api.md b/rfc/010-cli-api.md similarity index 96% rename from rfc/cli-api.md rename to rfc/010-cli-api.md index b5e503b79..8735375d3 100644 --- a/rfc/cli-api.md +++ b/rfc/010-cli-api.md @@ -1,4 +1,4 @@ -# CLI compatibility information +# RFC 010: CLI compatibility information The CLI API provides information about the compatibility of the Constellation CLI and other components of the Constellation ecosystem such as Kubernetes versions. diff --git a/rfc/attestation-config.md b/rfc/011-attestation-config.md similarity index 99% rename from rfc/attestation-config.md rename to rfc/011-attestation-config.md index a38bcee05..299d5b2df 100644 --- a/rfc/attestation-config.md +++ b/rfc/011-attestation-config.md @@ -1,4 +1,4 @@ -# Attestation configuration options +# RFC 011: Attestation configuration options To allow users more in-depth control over validating attestation statements, a separate, attestation-specific entry in the user's Constellation config file needs to be added. @@ -116,7 +116,7 @@ The value substitution is part of the unmarshalling logic. Config values are uploaded to S3 and can be accessed via HTTP. -The attestation config API uses the same CSP names as [the image API](./image-api.md#image-api-endpoints). +The attestation config API uses the same CSP names as [the image API](./009-image-api.md#image-api-endpoints). The following HTTP endpoint is available: diff --git a/rfc/canonical-endpoint-dns.md b/rfc/012-canonical-endpoint-dns.md similarity index 98% rename from rfc/canonical-endpoint-dns.md rename to rfc/012-canonical-endpoint-dns.md index 360d0cf30..cc14057fa 100644 --- a/rfc/canonical-endpoint-dns.md +++ b/rfc/012-canonical-endpoint-dns.md 
@@ -1,4 +1,4 @@ -# Canonical endpoint / Constellation with custom DNS name +# RFC 012: Canonical endpoint / Constellation with custom DNS name Customers may want to use a DNS name for the cluster endpoint instead of the public ip address. The public ip may be bound to a zonal loadbalancer (AWS), limiting the availability of the cluster to a single zone. diff --git a/rfc/state-file.md b/rfc/013-state-file.md similarity index 99% rename from rfc/state-file.md rename to rfc/013-state-file.md index 60b0eb4a5..0ba49b367 100644 --- a/rfc/state-file.md +++ b/rfc/013-state-file.md @@ -1,4 +1,4 @@ -# Constellation state file +# RFC 013: Constellation state file During a cluster's lifecycle, Constellation needs to keep track of multiple different values and state information of the cluster, like loadbalancer IPs or UID of the cluster. diff --git a/rfc/terraform-provider.md b/rfc/014-terraform-provider.md similarity index 99% rename from rfc/terraform-provider.md rename to rfc/014-terraform-provider.md index e176517ec..b4b7074aa 100644 --- a/rfc/terraform-provider.md +++ b/rfc/014-terraform-provider.md @@ -1,4 +1,4 @@ -# Constellation Terraform Provider +# RFC 014: Constellation Terraform Provider The Constellation Terraform Provider allows its user to manage the full lifecycle of a Constellation cluster -- namely initialization and updates (`constellation apply`) -- via Terraform.
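Review bot: In the `008-apis.md` hunk that updates the API group list, only the `versions` and `image` entries carry links, while `info`, `measurements` and `raw` remain bare bullets even though the same file's "API paths overview" hunk links every one of their endpoints to `009-image-api.md`. Since this change already touches those lines, consider linking the three sub-groups to the image API section as well (the `011-attestation-config.md` hunk shows the existing anchor `009-image-api.md#image-api-endpoints`), so a reader of the group list can reach the endpoint definitions without scrolling to the path table.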
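Review bot: The renames update only cross-references inside `rfc/` (the `003-secure-software-distribution.md`, `004-updates.md`, `008-apis.md` and `011-attestation-config.md` hunks); nothing in the patch shows a check for references to the old paths elsewhere in the repository, and any inbound links from docs or issues to `rfc/apis.md`, `rfc/image-api.md` and the other old names will now 404. Before merging, grep the tree for the old filenames (e.g. `rfc/key-derivation.md`, `rfc/version-api.md`, `rfc/cli-api.md`) and fix any hits; and since the numbers now encode ordering, an index listing `001` through `014` with their titles (for example in a `rfc/README.md`) would make the new scheme discoverable and give future RFCs a place to claim the next number.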