Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-07-30 10:38:46 -04:00
Code Issues Projects Releases Packages Wiki Activity

docs: update Tab tags

Browse source
This commit is contained in:
Thomas Tendyck 2024-08-23 13:04:15 +02:00 committed by Thomas Tendyck
parent e90b0e5109
commit e2ee775483
197 changed files with 3640 additions and 3581 deletions
Download patch file Download diff file Expand all files Collapse all files

40
docs/docs/architecture/attestation.md
View file

@ -121,8 +121,8 @@ Constellation allows to specify in the config which measurements should be enfor
Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config.
By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements.
@ -153,8 +153,8 @@ The latter means that the value can be generated offline and compared to the one
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16&ndash;23 | Unused | - | - |
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements.
This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification.
@ -184,8 +184,8 @@ The latter means that the value can be generated offline and compared to the one
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16&ndash;23 | Unused | - | - |
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements.
Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor.
@ -217,8 +217,8 @@ The latter means that the value can be generated offline and compared to the one
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16&ndash;23 | Unused | - | - |
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
Constellation uses a hypervisor-based vTPM for runtime measurements.
@ -249,16 +249,16 @@ The latter means that the value can be generated offline and compared to the one
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16&ndash;23 | Unused | - | - |
</tabItem>
</tabs>
</TabItem>
</Tabs>
### CVM verification
To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established.
For verification of the CVM technology, Constellation may expose additional options in its config file.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs.
An SEV-SNP attestation report is used to establish trust in the VM.
@ -279,8 +279,8 @@ You may customize certain parameters for verification of the attestation stateme
This is the intermediate certificate for verifying the SEV-SNP report's signature.
If it's not specified, the CLI fetches it from the AMD key distribution server.
</tabItem>
<tabItem value="azure" label="Azure SEV-SNP">
</TabItem>
<TabItem value="azure" label="Azure SEV-SNP">
On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs.
An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM.
@ -302,8 +302,8 @@ You may customize certain parameters for verification of the attestation stateme
More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report.
You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
On GCP, AMD SEV-SNP is used to provide runtime encryption to the VMs.
An SEV-SNP attestation report is used to establish trust in the VM.
@ -324,15 +324,15 @@ You may customize certain parameters for verification of the attestation stateme
This is the intermediate certificate for verifying the SEV-SNP report's signature.
If it's not specified, the CLI fetches it from the AMD key distribution server.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs.
The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements).
There is no additional configuration available for STACKIT.
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Cluster attestation

24
docs/docs/getting-started/first-steps-local.md
View file

@ -45,8 +45,8 @@ sudo iptables -P FORWARD ACCEPT
## Create a cluster
<tabs groupId="csp">
<tabItem value="mini" label="MiniConstellation">
<Tabs groupId="csp">
<TabItem value="mini" label="MiniConstellation">
<!-- vale off -->
With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/).
@ -74,8 +74,8 @@ constellation mini up
This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster.
All `constellation` commands concerning this cluster need to be issued from this directory.
</tabItem>
<tabItem value="qemu" label="QEMU">
</TabItem>
<TabItem value="qemu" label="QEMU">
With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other.
@ -145,8 +145,8 @@ attaching persistent storage, or autoscaling aren't available.
export KUBECONFIG="$PWD/constellation-admin.conf"
```
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Connect to the cluster
@ -199,8 +199,8 @@ worker-0 Ready <none> 32s v1.24.6
## Terminate your cluster
<tabs groupId="csp">
<tabItem value="mini" label="MiniConstellation">
<Tabs groupId="csp">
<TabItem value="mini" label="MiniConstellation">
Once you are done, you can clean up the created resources using the following command:
@ -211,8 +211,8 @@ constellation mini down
This will destroy your cluster and clean up your workspace.
The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters.
</tabItem>
<tabItem value="qemu" label="QEMU">
</TabItem>
<TabItem value="qemu" label="QEMU">
Once you are done, you can clean up the created resources using the following command:
@ -240,8 +240,8 @@ Your Constellation cluster was terminated successfully.
This will destroy your cluster and clean up your workspace.
The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters.
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Troubleshooting

40
docs/docs/getting-started/first-steps.md
View file

@ -15,41 +15,41 @@ If you encounter any problem with the following steps, make sure to use the [lat
1. Create the [configuration file](../workflows/config.md) and state file for your cloud provider. If you are following the steps of this guide, there is no need to edit the file.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
```bash
constellation config generate aws
```
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
```bash
constellation config generate azure
```
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
```bash
constellation config generate gcp
```
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
```bash
constellation config generate stackit
```
</tabItem>
</tabs>
</TabItem>
</Tabs>
2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration).
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
```bash
constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config
@ -76,8 +76,8 @@ If you encounter any problem with the following steps, make sure to use the [lat
You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
```bash
constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
@ -98,8 +98,8 @@ If you encounter any problem with the following steps, make sure to use the [lat
You can find a list of all [regions in Azure's documentation](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines&regions=all).
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
```bash
constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
@ -109,16 +109,16 @@ If you encounter any problem with the following steps, make sure to use the [lat
Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
To use Constellation on STACKIT, the cluster will use the User Access Token (UAT) that's generated [during the install step](./install.md).
After creating the accounts, fill in the STACKIT details in `constellation-conf.yaml` under `provider.openstack`:
* `stackitProjectID`: STACKIT project id (can be found after login on the [STACKIT portal](https://portal.stackit.cloud))
</tabItem>
</tabs>
</TabItem>
</Tabs>
:::tip
To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md).

64
docs/docs/getting-started/install.md
View file

@ -22,8 +22,8 @@ If you prefer to use Terraform, you can alternatively use the [Terraform provide
The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases).
Install it with the following commands:
<tabs>
<tabItem value="linux-amd64" label="Linux (amd64)">
<Tabs>
<TabItem value="linux-amd64" label="Linux (amd64)">
1. Download the CLI:
@ -39,8 +39,8 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-linux-amd64 /usr/local/bin/constellation
```
</tabItem>
<tabItem value="linux-arm64" label="Linux (arm64)">
</TabItem>
<TabItem value="linux-arm64" label="Linux (arm64)">
1. Download the CLI:
@ -56,9 +56,9 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-linux-arm64 /usr/local/bin/constellation
```
</tabItem>
</TabItem>
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
<TabItem value="darwin-arm64" label="macOS (Apple Silicon)">
1. Download the CLI:
@ -74,9 +74,9 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
```
</tabItem>
</TabItem>
<tabItem value="darwin-amd64" label="macOS (Intel)">
<TabItem value="darwin-amd64" label="macOS (Intel)">
1. Download the CLI:
@ -92,9 +92,9 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-darwin-amd64 /usr/local/bin/constellation
```
</tabItem>
</TabItem>
<tabItem value="windows-amd64" label="Windows (amd64)">
<TabItem value="windows-amd64" label="Windows (amd64)">
1. Download the CLI:
@ -115,8 +115,8 @@ Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgeless
5. Click `New`
6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin`
</tabItem>
</tabs>
</TabItem>
</Tabs>
:::tip
The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps.
@ -132,8 +132,8 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
### Required permissions
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure.
@ -183,8 +183,8 @@ The built-in `PowerUserAccess` policy is a superset of these permissions.
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
@ -226,8 +226,8 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
Create a new project for Constellation or use an existing one.
Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it.
@ -312,16 +312,16 @@ Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `
Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access).
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
Constellation on STACKIT requires a User Access Token (UAT) for the OpenStack API and a STACKIT service account.
The UAT already has all required permissions by default.
The STACKIT service account needs the `editor` role to create STACKIT LoadBalancers.
Look at the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) on how to create the service account and assign the role.
</tabItem>
</tabs>
</TabItem>
</Tabs>
### Authentication
@ -331,8 +331,8 @@ You need to authenticate with your CSP. The following lists the required steps f
The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps.
:::
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
**Testing**
@ -348,8 +348,8 @@ aws configure
Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
**Testing**
@ -365,8 +365,8 @@ az login
Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli).
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
**Testing**
@ -389,8 +389,8 @@ Use one of the following options on a trusted machine:
Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API).
@ -420,9 +420,9 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se
{"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
```
</tabItem>
</TabItem>
</tabs>
</Tabs>
## Next steps

20
docs/docs/getting-started/marketplaces.md
View file

@ -4,8 +4,8 @@ Constellation is available through the Marketplaces of AWS, Azure, GCP, and STAC
This document explains how to run Constellation with the dynamically billed cloud marketplace images.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
To use Constellation's marketplace images, ensure that you are subscribed to the [marketplace offering](https://aws.amazon.com/marketplace/pp/prodview-2mbn65nv57oys) through the web portal.
@ -15,8 +15,8 @@ Then, enable the use of marketplace images in your Constellation `constellation-
yq eval -i ".provider.aws.useMarketplaceImage = true" constellation-conf.yaml
```
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
Constellation has a private marketplace plan. Please [contact us](https://www.edgeless.systems/enterprise-support/) to gain access.
@ -32,8 +32,8 @@ Then, enable the use of marketplace images in your Constellation `constellation-
yq eval -i ".provider.azure.useMarketplaceImage = true" constellation-conf.yaml
```
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
To use a marketplace image, ensure that the account is entitled to use marketplace images by Edgeless Systems by accepting the terms through the [web portal](https://console.cloud.google.com/marketplace/vm/config/edgeless-systems-public/constellation).
@ -43,13 +43,13 @@ Then, enable the use of marketplace images in your Constellation `constellation-
yq eval -i ".provider.gcp.useMarketplaceImage = true" constellation-conf.yaml
```
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
On STACKIT, the selected Constellation image is always a marketplace image. You can find more information on the STACKIT portal.
</tabItem>
</tabs>
</TabItem>
</Tabs>
Ensure that the cluster uses an official release image version (i.e., `.image=vX.Y.Z` in the `constellation-conf.yaml` file).

80
docs/docs/workflows/config.md
View file

@ -14,44 +14,44 @@ Before you can create your cluster, you need to configure the identity and acces
You can generate a configuration file for your CSP by using the following CLI command:
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
```bash
constellation config generate aws
```
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
```bash
constellation config generate azure
```
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
```bash
constellation config generate gcp
```
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
```bash
constellation config generate stackit
```
</tabItem>
</tabs>
</TabItem>
</Tabs>
This creates the file `constellation-conf.yaml` in the current directory.
## Choosing a VM type
Constellation supports the following VM types:
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster.
Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file.
@ -62,20 +62,20 @@ If you are using the attestation variant `awsNitroTPM`, you can choose any of th
The Constellation CLI can also print the supported instance types with: `constellation config instance-types`.
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported.
You can also run `constellation config instance-types` to get the list of all supported options.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster.
Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file.
@ -93,8 +93,8 @@ You can choose any of the SEV-enabled instance types. You can find a list of all
The Constellation CLI can also print the supported instance types with: `constellation config instance-types`.
</tabItem>
</tabs>
</TabItem>
</Tabs>
Fill the desired VM type into the `instanceType` fields in the `constellation-conf.yml` file.
@ -153,8 +153,8 @@ See also Constellation's [Kubernetes support policy](../architecture/versions.md
You can create an IAM configuration for your cluster automatically using the `constellation iam create` command.
If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
@ -178,8 +178,8 @@ You can find a list of all [regions in AWS's documentation](https://docs.aws.ama
Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
@ -204,8 +204,8 @@ You can find a list of all [regions in Azure's documentation](https://azure.micr
Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
@ -219,21 +219,21 @@ Note that only regions offering CVMs of the `C2D` or `N2D` series are supported.
Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information.
</tabItem>
</tabs>
</TabItem>
</Tabs>
<details>
<summary>Alternatively, you can manually create the IAM configuration on your CSP.</summary>
The following describes the configuration fields and how you obtain the required information or create the required resources.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`.
@ -264,8 +264,8 @@ The following describes the configuration fields and how you obtain the required
Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`.
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`.
@ -301,8 +301,8 @@ The following describes the configuration fields and how you obtain the required
The user-assigned identity is used by instances of the cluster to access other cloud resources.
For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
* **project**: The ID of your GCP project, e.g., `constellation-129857`.
@ -326,13 +326,13 @@ The following describes the configuration fields and how you obtain the required
Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
STACKIT requires manual creation and configuration of service accounts. Look at the [first steps](../getting-started/first-steps.md) for more information.
</tabItem>
</tabs>
</TabItem>
</Tabs>
</details>
Now that you've configured your CSP, you can [create your cluster](./create.md).

12
docs/docs/workflows/create.md
View file

@ -27,8 +27,8 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
Before you create the cluster, make sure to have a [valid configuration file](./config.md).
<tabs groupId="usage">
<tabItem value="cli" label="CLI">
<Tabs groupId="usage">
<TabItem value="cli" label="CLI">
```bash
constellation apply
@ -36,8 +36,8 @@ constellation apply
`apply` stores the state of your cluster's cloud resources in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace.
</tabItem>
<tabItem value="self-managed" label="Self-managed">
</TabItem>
<TabItem value="self-managed" label="Self-managed">
Self-managed infrastructure allows for more flexibility in the setup, by separating the infrastructure setup from the Constellation cluster management.
This provides flexibility in DevOps and can meet potential regulatory requirements.
@ -77,8 +77,8 @@ With the required cloud resources set up, continue with initializing your cluste
constellation apply --skip-phases=infrastructure
```
</tabItem>
</tabs>
</TabItem>
</Tabs>
Finally, configure `kubectl` for your cluster:

20
docs/docs/workflows/recovery.md
View file

@ -16,8 +16,8 @@ You can check the health status of the nodes via the cloud service provider (CSP
Constellation provides logging information on the boot process and status via serial console output.
In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state.
@ -47,8 +47,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
This means that you have to recover the node manually.
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
In the Azure portal, find the cluster's resource group.
Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-<suffix>`.
@ -82,8 +82,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
This means that you have to recover the node manually.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
First, check that the control plane *Instance Group* has enough members in a *Ready* state.
In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `<cluster-name>-control-plane-<suffix>`.
@ -118,8 +118,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
This means that you have to recover the node manually.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `<cluster-name>-<UID>-control-plane-<UID>-<index>` and check that enough members are in a *Running* state.
@ -149,8 +149,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
This means that you have to recover the node manually.
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Recover a cluster

40
docs/docs/workflows/scale.md
View file

@ -51,36 +51,36 @@ kubectl -n kube-system get nodes
Alternatively, you can manually scale your cluster up or down:
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
1. Go to Auto Scaling Groups and select the worker ASG to scale up.
2. Click **Edit**
3. Set the new (increased) **Desired capacity** and **Update**.
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
1. Find your Constellation resource group.
2. Select the `scale-set-workers`.
3. Go to **settings** and **scaling**.
4. Set the new **instance count** and **save**.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/).
2. **Edit** the **worker** instance group.
3. Set the new **number of instances** and **save**.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
Dynamic cluster scaling isn't yet supported for STACKIT.
Support will be introduced in one of the upcoming releases.
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Control-plane node scaling
@ -88,35 +88,35 @@ Control-plane nodes can **only be scaled manually and only scaled up**!
To increase the number of control-plane nodes, follow these steps:
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
1. Go to Auto Scaling Groups and select the control-plane ASG to scale up.
2. Click **Edit**
3. Set the new (increased) **Desired capacity** and **Update**.
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
1. Find your Constellation resource group.
2. Select the `scale-set-controlplanes`.
3. Go to **settings** and **scaling**.
4. Set the new (increased) **instance count** and **save**.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/).
2. **Edit** the **control-plane** instance group.
3. Set the new (increased) **number of instances** and **save**.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
Dynamic cluster scaling isn't yet supported for STACKIT.
Support will be introduced in one of the upcoming releases.
</tabItem>
</tabs>
</TabItem>
</Tabs>
If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane.

40
docs/docs/workflows/storage.md
View file

@ -21,37 +21,37 @@ For more details see [encrypted persistent storage](../architecture/encrypted-st
Constellation supports the following drivers, which offer node-level encryption and optional integrity protection.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
**Constellation CSI driver for AWS Elastic Block Store**
Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster.
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information.
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
**Constellation CSI driver for Azure Disk**:
Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster.
See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information.
Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
**Constellation CSI driver for GCP Persistent Disk**:
Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster.
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
**Constellation CSI driver for STACKIT / OpenStack Cinder**
Mount [Cinder](https://docs.openstack.org/cinder/latest/) block storage volumes into your Constellation cluster.
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-cloud-provider-openstack) for more information.
</tabItem>
</tabs>
</TabItem>
</Tabs>
Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. Constellation is just not providing transparent encryption on the node level for these storage types yet.
@ -60,8 +60,8 @@ Note that in case the options above aren't a suitable solution for you, Constell
The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster.
If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
AWS comes with two storage classes by default.
@ -89,8 +89,8 @@ Note that volume expansion isn't supported for integrity-protected disks.
:::
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
Azure comes with two storage classes by default.
@ -118,8 +118,8 @@ Note that volume expansion isn't supported for integrity-protected disks.
:::
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
GCP comes with two storage classes by default.
@ -147,8 +147,8 @@ Note that volume expansion isn't supported for integrity-protected disks.
:::
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
STACKIT comes with two storage classes by default.
@ -176,8 +176,8 @@ Note that volume expansion isn't supported for integrity-protected disks.
:::
</tabItem>
</tabs>
</TabItem>
</Tabs>
1. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)

12
docs/docs/workflows/terminate.md
View file

@ -16,8 +16,8 @@ All ephemeral storage and state of your cluster will be lost. Make sure any data
:::
<tabs groupId="provider">
<tabItem value="cli" label="CLI">
<Tabs groupId="provider">
<TabItem value="cli" label="CLI">
Terminate the cluster by running:
```bash
@ -40,8 +40,8 @@ resources manually. Just run the `terminate` command again afterward to continue
:::
</tabItem>
<tabItem value="terraform" label="Terraform">
</TabItem>
<TabItem value="terraform" label="Terraform">
Terminate the cluster by running:
```bash
@ -56,5 +56,5 @@ rm constellation-state.yaml constellation-admin.conf
Only the `constellation-mastersecret.json` and the configuration file remain.
</tabItem>
</tabs>
</TabItem>
</Tabs>

21
docs/docs/workflows/terraform-provider.md
View file

@ -21,8 +21,9 @@ This example shows how to set up a Constellation cluster with the reference IAM
2. Use one of the [example configurations for using the Constellation Terraform provider](https://github.com/edgelesssys/constellation/tree/main/terraform-provider-constellation/examples/full) or create a `main.tf` file and fill it with the resources you want to create. The [Constellation Terraform provider documentation](https://registry.terraform.io/providers/edgelesssys/constellation/latest) offers thorough documentation on the resources and their attributes.
3. Initialize and apply the Terraform configuration.
<tabs groupId="csp">
<tabItem value="aws" label="AWS">
<Tabs groupId="csp">
<TabItem value="aws" label="AWS">
Initialize the providers and apply the configuration.
```bash
@ -31,8 +32,8 @@ This example shows how to set up a Constellation cluster with the reference IAM
```
Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios.
</tabItem>
<tabItem value="azure" label="Azure">
</TabItem>
<TabItem value="azure" label="Azure">
When creating a cluster on Azure, you need to manually patch the policy of the MAA provider before creating the Constellation cluster, as this feature isn't available in Azure's Terraform provider yet. The Constellation CLI provides a utility for patching, but you
can also do it manually.
@ -66,8 +67,8 @@ This example shows how to set up a Constellation cluster with the reference IAM
};
```
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
Initialize the providers and apply the configuration.
```bash
@ -76,8 +77,8 @@ This example shows how to set up a Constellation cluster with the reference IAM
```
Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios.
</tabItem>
<tabItem value="stackit" label="STACKIT">
</TabItem>
<TabItem value="stackit" label="STACKIT">
Initialize the providers and apply the configuration.
```bash
@ -86,9 +87,9 @@ This example shows how to set up a Constellation cluster with the reference IAM
```
Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios.
</tabItem>
</TabItem>
</tabs>
</Tabs>
4. Connect to the cluster.
```bash