mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-08-02 20:16:15 -04:00
docs: update Tab tags
This commit is contained in:
parent
e90b0e5109
commit
e2ee775483
197 changed files with 3640 additions and 3581 deletions
|
@ -121,8 +121,8 @@ Constellation allows to specify in the config which measurements should be enfor
|
|||
Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config.
|
||||
By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements.
|
||||
This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification.
|
||||
|
@ -152,8 +152,8 @@ The latter means that the value can be generated offline and compared to the one
|
|||
| 15 | ClusterID | Constellation Bootstrapper | Yes |
|
||||
| 16–23 | Unused | - | - |
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements.
|
||||
Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor.
|
||||
|
@ -185,8 +185,8 @@ The latter means that the value can be generated offline and compared to the one
|
|||
| 15 | ClusterID | Constellation Bootstrapper | Yes |
|
||||
| 16–23 | Unused | - | - |
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements.
|
||||
|
||||
|
@ -217,16 +217,16 @@ The latter means that the value can be generated offline and compared to the one
|
|||
| 15 | ClusterID | Constellation Bootstrapper | Yes |
|
||||
| 16–23 | Unused | - | - |
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
### CVM verification
|
||||
|
||||
To verify the integrity of the received attestation statement, a chain of trust from the CVM technology to the interface providing the statement has to be established.
|
||||
For verification of the CVM technology, Constellation may expose additional options in its config file.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure SEV-SNP">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure SEV-SNP">
|
||||
|
||||
On Azure, AMD SEV-SNP is used to provide runtime encryption to the VMs.
|
||||
An SEV-SNP attestation report is used to establish trust in the vTPM running inside the VM.
|
||||
|
@ -248,18 +248,18 @@ You may customize certain parameters for verification of the attestation stateme
|
|||
More explicitly, it controls the verification of the `IDKeyDigest` value in the SEV-SNP attestation report.
|
||||
You can provide a list of accepted key digests and specify a policy on how this list is compared against the reported `IDKeyDigest`.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
There is no additional configuration available for GCP.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
There is no additional configuration available for AWS.
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
## Cluster attestation
|
||||
|
||||
|
|
|
@ -45,8 +45,8 @@ sudo iptables -P FORWARD ACCEPT
|
|||
|
||||
## Create a cluster
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="mini" label="MiniConstellation">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="mini" label="MiniConstellation">
|
||||
|
||||
<!-- vale off -->
|
||||
With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/).
|
||||
|
@ -74,8 +74,8 @@ constellation mini up
|
|||
This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster.
|
||||
All `constellation` commands concerning this cluster need to be issued from this directory.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="qemu" label="QEMU">
|
||||
</TabItem>
|
||||
<TabItem value="qemu" label="QEMU">
|
||||
|
||||
With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other.
|
||||
|
||||
|
@ -151,8 +151,8 @@ attaching persistent storage, or autoscaling aren't available.
|
|||
export KUBECONFIG="$PWD/constellation-admin.conf"
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
## Connect to the cluster
|
||||
|
||||
|
@ -205,8 +205,8 @@ worker-0 Ready <none> 32s v1.24.6
|
|||
|
||||
## Terminate your cluster
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="mini" label="MiniConstellation">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="mini" label="MiniConstellation">
|
||||
|
||||
Once you are done, you can clean up the created resources using the following command:
|
||||
|
||||
|
@ -217,8 +217,8 @@ constellation mini down
|
|||
This will destroy your cluster and clean up your workspace.
|
||||
The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="qemu" label="QEMU">
|
||||
</TabItem>
|
||||
<TabItem value="qemu" label="QEMU">
|
||||
|
||||
Once you are done, you can clean up the created resources using the following command:
|
||||
|
||||
|
@ -246,8 +246,8 @@ Your Constellation cluster was terminated successfully.
|
|||
This will destroy your cluster and clean up your workspace.
|
||||
The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters.
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
|
|
|
@ -15,39 +15,39 @@ If you encounter any problem with the following steps, make sure to use the [lat
|
|||
|
||||
1. Create the [configuration file](../workflows/config.md) for your cloud provider.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<Tabs groupId="csp">
|
||||
|
||||
<tabItem value="azure" label="Azure">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
```bash
|
||||
constellation config generate azure
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
<tabItem value="gcp" label="GCP">
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
```bash
|
||||
constellation config generate gcp
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
<tabItem value="aws" label="AWS">
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
```bash
|
||||
constellation config generate aws
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
</tabs>
|
||||
</Tabs>
|
||||
|
||||
2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration).
|
||||
|
||||
<tabs groupId="csp">
|
||||
<Tabs groupId="csp">
|
||||
|
||||
<tabItem value="azure" label="Azure">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
```bash
|
||||
constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
|
||||
|
@ -62,9 +62,9 @@ If you encounter any problem with the following steps, make sure to use the [lat
|
|||
* `westeurope`
|
||||
* `southeastasia`
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
<tabItem value="gcp" label="GCP">
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
```bash
|
||||
constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
|
||||
|
@ -74,9 +74,9 @@ If you encounter any problem with the following steps, make sure to use the [lat
|
|||
|
||||
Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
<tabItem value="aws" label="AWS">
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
```bash
|
||||
constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config
|
||||
|
@ -103,8 +103,8 @@ If you encounter any problem with the following steps, make sure to use the [lat
|
|||
|
||||
You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
:::tip
|
||||
To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md).
|
||||
|
|
|
@ -18,8 +18,8 @@ Make sure the following requirements are met:
|
|||
The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases).
|
||||
Install it with the following commands:
|
||||
|
||||
<tabs>
|
||||
<tabItem value="linux-amd64" label="Linux (amd64)">
|
||||
<Tabs>
|
||||
<TabItem value="linux-amd64" label="Linux (amd64)">
|
||||
|
||||
1. Download the CLI:
|
||||
|
||||
|
@ -35,8 +35,8 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||
sudo install constellation-linux-amd64 /usr/local/bin/constellation
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="linux-arm64" label="Linux (arm64)">
|
||||
</TabItem>
|
||||
<TabItem value="linux-arm64" label="Linux (arm64)">
|
||||
|
||||
1. Download the CLI:
|
||||
|
||||
|
@ -52,9 +52,9 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||
sudo install constellation-linux-arm64 /usr/local/bin/constellation
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||
<TabItem value="darwin-arm64" label="macOS (Apple Silicon)">
|
||||
|
||||
1. Download the CLI:
|
||||
|
||||
|
@ -70,9 +70,9 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
<tabItem value="darwin-amd64" label="macOS (Intel)">
|
||||
<TabItem value="darwin-amd64" label="macOS (Intel)">
|
||||
|
||||
1. Download the CLI:
|
||||
|
||||
|
@ -88,8 +88,8 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
|
|||
sudo install constellation-darwin-amd64 /usr/local/bin/constellation
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
:::tip
|
||||
The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps.
|
||||
|
@ -105,39 +105,42 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
|
|||
|
||||
### Required permissions
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
* `Microsoft.Network`
|
||||
|
||||
- `Microsoft.Attestation`
|
||||
- `Microsoft.Compute`
|
||||
- `Microsoft.Insights`
|
||||
- `Microsoft.ManagedIdentity`
|
||||
- `Microsoft.Network`
|
||||
|
||||
By default, Constellation tries to register these automatically if they haven't been registered before.
|
||||
|
||||
To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
|
||||
* `*/register/action` \[1]
|
||||
* `Microsoft.Authorization/roleAssignments/*`
|
||||
* `Microsoft.Authorization/roleDefinitions/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
* `Microsoft.Resources/subscriptions/resourcegroups/*`
|
||||
|
||||
- `*/register/action` \[1]
|
||||
- `Microsoft.Authorization/roleAssignments/*`
|
||||
- `Microsoft.Authorization/roleDefinitions/*`
|
||||
- `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
- `Microsoft.Resources/subscriptions/resourcegroups/*`
|
||||
|
||||
The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
* `Microsoft.Network/loadBalancers/*`
|
||||
* `Microsoft.Network/loadBalancers/backendAddressPools/*`
|
||||
* `Microsoft.Network/networkSecurityGroups/*`
|
||||
* `Microsoft.Network/publicIPAddresses/*`
|
||||
* `Microsoft.Network/virtualNetworks/*`
|
||||
* `Microsoft.Network/virtualNetworks/subnets/*`
|
||||
* `Microsoft.Network/natGateways/*`
|
||||
|
||||
- `Microsoft.Attestation/attestationProviders/*`
|
||||
- `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
- `Microsoft.Insights/components/*`
|
||||
- `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
- `Microsoft.Network/loadBalancers/*`
|
||||
- `Microsoft.Network/loadBalancers/backendAddressPools/*`
|
||||
- `Microsoft.Network/networkSecurityGroups/*`
|
||||
- `Microsoft.Network/publicIPAddresses/*`
|
||||
- `Microsoft.Network/virtualNetworks/*`
|
||||
- `Microsoft.Network/virtualNetworks/subnets/*`
|
||||
- `Microsoft.Network/natGateways/*`
|
||||
|
||||
The built-in `Contributor` role is a superset of these permissions.
|
||||
|
||||
|
@ -145,89 +148,91 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
|||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
Create a new project for Constellation or use an existing one.
|
||||
Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it.
|
||||
|
||||
To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
|
||||
* `iam.serviceAccountKeys.create`
|
||||
* `iam.serviceAccountKeys.delete`
|
||||
* `iam.serviceAccountKeys.get`
|
||||
* `iam.serviceAccounts.create`
|
||||
* `iam.serviceAccounts.delete`
|
||||
* `iam.serviceAccounts.get`
|
||||
* `resourcemanager.projects.getIamPolicy`
|
||||
* `resourcemanager.projects.setIamPolicy`
|
||||
|
||||
- `iam.serviceAccountKeys.create`
|
||||
- `iam.serviceAccountKeys.delete`
|
||||
- `iam.serviceAccountKeys.get`
|
||||
- `iam.serviceAccounts.create`
|
||||
- `iam.serviceAccounts.delete`
|
||||
- `iam.serviceAccounts.get`
|
||||
- `resourcemanager.projects.getIamPolicy`
|
||||
- `resourcemanager.projects.setIamPolicy`
|
||||
|
||||
Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
|
||||
* `compute.addresses.createInternal`
|
||||
* `compute.addresses.deleteInternal`
|
||||
* `compute.addresses.get`
|
||||
* `compute.addresses.useInternal`
|
||||
* `compute.backendServices.create`
|
||||
* `compute.backendServices.delete`
|
||||
* `compute.backendServices.get`
|
||||
* `compute.backendServices.use`
|
||||
* `compute.disks.create`
|
||||
* `compute.firewalls.create`
|
||||
* `compute.firewalls.delete`
|
||||
* `compute.firewalls.get`
|
||||
* `compute.globalAddresses.create`
|
||||
* `compute.globalAddresses.delete`
|
||||
* `compute.globalAddresses.get`
|
||||
* `compute.globalAddresses.use`
|
||||
* `compute.globalForwardingRules.create`
|
||||
* `compute.globalForwardingRules.delete`
|
||||
* `compute.globalForwardingRules.get`
|
||||
* `compute.globalForwardingRules.setLabels`
|
||||
* `compute.globalOperations.get`
|
||||
* `compute.healthChecks.create`
|
||||
* `compute.healthChecks.delete`
|
||||
* `compute.healthChecks.get`
|
||||
* `compute.healthChecks.useReadOnly`
|
||||
* `compute.instanceGroupManagers.create`
|
||||
* `compute.instanceGroupManagers.delete`
|
||||
* `compute.instanceGroupManagers.get`
|
||||
* `compute.instanceGroups.create`
|
||||
* `compute.instanceGroups.delete`
|
||||
* `compute.instanceGroups.get`
|
||||
* `compute.instanceGroups.use`
|
||||
* `compute.instances.create`
|
||||
* `compute.instances.setLabels`
|
||||
* `compute.instances.setMetadata`
|
||||
* `compute.instances.setTags`
|
||||
* `compute.instanceTemplates.create`
|
||||
* `compute.instanceTemplates.delete`
|
||||
* `compute.instanceTemplates.get`
|
||||
* `compute.instanceTemplates.useReadOnly`
|
||||
* `compute.networks.create`
|
||||
* `compute.networks.delete`
|
||||
* `compute.networks.get`
|
||||
* `compute.networks.updatePolicy`
|
||||
* `compute.routers.create`
|
||||
* `compute.routers.delete`
|
||||
* `compute.routers.get`
|
||||
* `compute.routers.update`
|
||||
* `compute.subnetworks.create`
|
||||
* `compute.subnetworks.delete`
|
||||
* `compute.subnetworks.get`
|
||||
* `compute.subnetworks.use`
|
||||
* `compute.targetTcpProxies.create`
|
||||
* `compute.targetTcpProxies.delete`
|
||||
* `compute.targetTcpProxies.get`
|
||||
* `compute.targetTcpProxies.use`
|
||||
* `iam.serviceAccounts.actAs`
|
||||
|
||||
- `compute.addresses.createInternal`
|
||||
- `compute.addresses.deleteInternal`
|
||||
- `compute.addresses.get`
|
||||
- `compute.addresses.useInternal`
|
||||
- `compute.backendServices.create`
|
||||
- `compute.backendServices.delete`
|
||||
- `compute.backendServices.get`
|
||||
- `compute.backendServices.use`
|
||||
- `compute.disks.create`
|
||||
- `compute.firewalls.create`
|
||||
- `compute.firewalls.delete`
|
||||
- `compute.firewalls.get`
|
||||
- `compute.globalAddresses.create`
|
||||
- `compute.globalAddresses.delete`
|
||||
- `compute.globalAddresses.get`
|
||||
- `compute.globalAddresses.use`
|
||||
- `compute.globalForwardingRules.create`
|
||||
- `compute.globalForwardingRules.delete`
|
||||
- `compute.globalForwardingRules.get`
|
||||
- `compute.globalForwardingRules.setLabels`
|
||||
- `compute.globalOperations.get`
|
||||
- `compute.healthChecks.create`
|
||||
- `compute.healthChecks.delete`
|
||||
- `compute.healthChecks.get`
|
||||
- `compute.healthChecks.useReadOnly`
|
||||
- `compute.instanceGroupManagers.create`
|
||||
- `compute.instanceGroupManagers.delete`
|
||||
- `compute.instanceGroupManagers.get`
|
||||
- `compute.instanceGroups.create`
|
||||
- `compute.instanceGroups.delete`
|
||||
- `compute.instanceGroups.get`
|
||||
- `compute.instanceGroups.use`
|
||||
- `compute.instances.create`
|
||||
- `compute.instances.setLabels`
|
||||
- `compute.instances.setMetadata`
|
||||
- `compute.instances.setTags`
|
||||
- `compute.instanceTemplates.create`
|
||||
- `compute.instanceTemplates.delete`
|
||||
- `compute.instanceTemplates.get`
|
||||
- `compute.instanceTemplates.useReadOnly`
|
||||
- `compute.networks.create`
|
||||
- `compute.networks.delete`
|
||||
- `compute.networks.get`
|
||||
- `compute.networks.updatePolicy`
|
||||
- `compute.routers.create`
|
||||
- `compute.routers.delete`
|
||||
- `compute.routers.get`
|
||||
- `compute.routers.update`
|
||||
- `compute.subnetworks.create`
|
||||
- `compute.subnetworks.delete`
|
||||
- `compute.subnetworks.get`
|
||||
- `compute.subnetworks.use`
|
||||
- `compute.targetTcpProxies.create`
|
||||
- `compute.targetTcpProxies.delete`
|
||||
- `compute.targetTcpProxies.get`
|
||||
- `compute.targetTcpProxies.use`
|
||||
- `iam.serviceAccounts.actAs`
|
||||
|
||||
Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions.
|
||||
|
||||
Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure.
|
||||
|
||||
|
@ -277,8 +282,8 @@ The built-in `PowerUserAccess` policy is a superset of these permissions.
|
|||
|
||||
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
### Authentication
|
||||
|
||||
|
@ -288,8 +293,8 @@ You need to authenticate with your CSP. The following lists the required steps f
|
|||
The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps.
|
||||
:::
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
**Testing**
|
||||
|
||||
|
@ -305,8 +310,8 @@ az login
|
|||
|
||||
Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
**Testing**
|
||||
|
||||
|
@ -329,8 +334,8 @@ Use one of the following options on a trusted machine:
|
|||
|
||||
Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
**Testing**
|
||||
|
||||
|
@ -346,9 +351,9 @@ aws configure
|
|||
|
||||
Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
</tabs>
|
||||
</Tabs>
|
||||
|
||||
## Next steps
|
||||
|
||||
|
|
|
@ -14,49 +14,49 @@ Before you can create your cluster, you need to configure the identity and acces
|
|||
|
||||
You can generate a configuration file for your CSP by using the following CLI command:
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
```bash
|
||||
constellation config generate azure
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
```bash
|
||||
constellation config generate gcp
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
```bash
|
||||
constellation config generate aws
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
This creates the file `constellation-conf.yaml` in the current directory.
|
||||
|
||||
## Choosing a VM type
|
||||
|
||||
Constellation supports the following VM types:
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
By default, Constellation uses `Standard_DC4as_v5` CVMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying **instanceType** in the configuration file. For CVMs, any VM type with a minimum of 4 vCPUs from the [DCasv5 & DCadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/dcasv5-dcadsv5-series) or [ECasv5 & ECadsv5](https://docs.microsoft.com/en-us/azure/virtual-machines/ecasv5-ecadsv5-series) families is supported.
|
||||
|
||||
You can also run `constellation config instance-types` to get the list of all supported options.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying **instanceType** in the configuration file. Supported are all machines with a minimum of 4 vCPUs from the [C2D](https://cloud.google.com/compute/docs/compute-optimized-machines#c2d_machine_types) or [N2D](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) family. You can run `constellation config instance-types` to get the list of all supported options.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
By default, Constellation uses `m6a.xlarge` VMs (4 vCPUs, 16 GB RAM) to create your cluster.
|
||||
Optionally, you can switch to a different VM type by modifying **instanceType** in the configuration file.
|
||||
|
@ -75,8 +75,8 @@ AWS is currently investigating the issue.
|
|||
SNP-based attestation will be enabled as soon as a fix is verified.
|
||||
:::
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
Fill the desired VM type into the **instanceType** fields in the `constellation-conf.yml` file.
|
||||
|
||||
|
@ -133,8 +133,8 @@ See also Constellation's [Kubernetes support policy](../architecture/versions.md
|
|||
You can create an IAM configuration for your cluster automatically using the `constellation iam create` command.
|
||||
If you already have a Constellation configuration file, you can add the `--update-config` flag to the command. This writes the needed IAM fields into your configuration. Furthermore, the flag updates the zone/region of the configuration if it hasn't been set yet.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
|
||||
|
||||
|
@ -154,8 +154,8 @@ Note that CVMs are currently only supported in a few regions, check [Azure's pro
|
|||
|
||||
Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
|
||||
|
||||
|
@ -169,8 +169,8 @@ Note that only regions offering CVMs of the `C2D` or `N2D` series are supported.
|
|||
|
||||
Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
|
||||
|
||||
|
@ -194,16 +194,16 @@ You can find a list of all [regions in AWS's documentation](https://docs.aws.ama
|
|||
|
||||
Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
<details>
|
||||
<summary>Alternatively, you can manually create the IAM configuration on your CSP.</summary>
|
||||
|
||||
The following describes the configuration fields and how you obtain the required information or create the required resources.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`.
|
||||
|
||||
|
@ -232,9 +232,9 @@ The following describes the configuration fields and how you obtain the required
|
|||
The user-assigned identity is used by instances of the cluster to access other cloud resources.
|
||||
For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
<tabItem value="gcp" label="GCP">
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
* **project**: The ID of your GCP project, e.g., `constellation-129857`.
|
||||
|
||||
|
@ -258,9 +258,9 @@ The following describes the configuration fields and how you obtain the required
|
|||
|
||||
Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`.
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
<tabItem value="aws" label="AWS">
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`.
|
||||
|
||||
|
@ -291,9 +291,9 @@ The following describes the configuration fields and how you obtain the required
|
|||
|
||||
Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`.
|
||||
|
||||
</tabItem>
|
||||
</TabItem>
|
||||
|
||||
</tabs>
|
||||
</Tabs>
|
||||
</details>
|
||||
|
||||
Now that you've configured your CSP, you can [create your cluster](./create.md).
|
||||
|
|
|
@ -26,8 +26,8 @@ Before you create the cluster, make sure to have a [valid configuration file](./
|
|||
|
||||
### Create
|
||||
|
||||
<tabs groupId="provider">
|
||||
<tabItem value="cli" label="CLI">
|
||||
<Tabs groupId="provider">
|
||||
<TabItem value="cli" label="CLI">
|
||||
|
||||
```bash
|
||||
constellation create
|
||||
|
@ -35,8 +35,8 @@ constellation create
|
|||
|
||||
*create* stores your cluster's state in a [`constellation-terraform`](../architecture/orchestration.md#cluster-creation-process) directory in your workspace.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="terraform" label="Terraform">
|
||||
</TabItem>
|
||||
<TabItem value="terraform" label="Terraform">
|
||||
|
||||
Terraform allows for an easier GitOps integration as well as meeting regulatory requirements.
|
||||
Since the Constellation CLI also uses Terraform under the hood, you can reuse the same Terraform files.
|
||||
|
@ -75,8 +75,8 @@ CONSTELL_CSP=$(cat constellation-conf.yaml | yq ".provider | keys | .[0]")
|
|||
jq --null-input --arg cloudprovider "$CONSTELL_CSP" --arg ip "$CONSTELL_IP" --arg initsecret "$CONSTELL_INIT_SECRET" '{"cloudprovider":$cloudprovider,"ip":$ip,"initsecret":$initsecret}' > constellation-id.json
|
||||
```
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
## The *init* step
|
||||
|
||||
|
|
|
@ -16,8 +16,8 @@ You can check the health status of the nodes via the cloud service provider (CSP
|
|||
Constellation provides logging information on the boot process and status via [cloud logging](troubleshooting.md#cloud-logging).
|
||||
In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
In the Azure portal, find the cluster's resource group.
|
||||
Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-<suffix>`.
|
||||
|
@ -51,8 +51,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
|
|||
|
||||
This means that you have to recover the node manually.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
First, check that the control plane *Instance Group* has enough members in a *Ready* state.
|
||||
In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `<cluster-name>-control-plane-<suffix>`.
|
||||
|
@ -87,8 +87,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
|
|||
|
||||
This means that you have to recover the node manually.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state.
|
||||
|
||||
|
@ -118,8 +118,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
|
|||
|
||||
This means that you have to recover the node manually.
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
## Recover a cluster
|
||||
|
||||
|
|
|
@ -51,30 +51,30 @@ kubectl -n kube-system get nodes
|
|||
|
||||
Alternatively, you can manually scale your cluster up or down:
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
1. Find your Constellation resource group.
|
||||
2. Select the `scale-set-workers`.
|
||||
3. Go to **settings** and **scaling**.
|
||||
4. Set the new **instance count** and **save**.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/).
|
||||
2. **Edit** the **worker** instance group.
|
||||
3. Set the new **number of instances** and **save**.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
1. Go to Auto Scaling Groups and select the worker ASG to scale up.
|
||||
2. Click **Edit**
|
||||
3. Set the new (increased) **Desired capacity** and **Update**.
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
## Control-plane node scaling
|
||||
|
||||
|
@ -82,30 +82,30 @@ Control-plane nodes can **only be scaled manually and only scaled up**!
|
|||
|
||||
To increase the number of control-plane nodes, follow these steps:
|
||||
|
||||
<tabs groupId="csp">
|
||||
<Tabs groupId="csp">
|
||||
|
||||
<tabItem value="azure" label="Azure">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
1. Find your Constellation resource group.
|
||||
2. Select the `scale-set-controlplanes`.
|
||||
3. Go to **settings** and **scaling**.
|
||||
4. Set the new (increased) **instance count** and **save**.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/).
|
||||
2. **Edit** the **control-plane** instance group.
|
||||
3. Set the new (increased) **number of instances** and **save**.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
1. Go to Auto Scaling Groups and select the control-plane ASG to scale up.
|
||||
2. Click **Edit**
|
||||
3. Set the new (increased) **Desired capacity** and **Update**.
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane.
|
||||
|
|
|
@ -21,30 +21,30 @@ For more details see [encrypted persistent storage](../architecture/encrypted-st
|
|||
|
||||
Constellation supports the following drivers, which offer node-level encryption and optional integrity protection.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
**Constellation CSI driver for Azure Disk**:
|
||||
Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster.
|
||||
See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information.
|
||||
Since Azure Disks are mounted as `ReadWriteOnce`, they're only available to a single pod.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
**Constellation CSI driver for GCP Persistent Disk**:
|
||||
Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster.
|
||||
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for more information.
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
**Constellation CSI driver for AWS Elastic Block Store**
|
||||
Mount [Elastic Block Store](https://aws.amazon.com/ebs/) storage volumes into your Constellation cluster.
|
||||
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-aws-ebs-csi-driver) for more information.
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [AWS EFS](https://docs.aws.amazon.com/en_en/eks/latest/userguide/efs-csi.html), [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction), or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. Constellation is just not providing transparent encryption on the node level for these storage types yet.
|
||||
|
||||
|
@ -53,8 +53,8 @@ Note that in case the options above aren't a suitable solution for you, Constell
|
|||
The Constellation CLI automatically installs Constellation's CSI driver for the selected CSP in your cluster.
|
||||
If you don't need a CSI driver or wish to deploy your own, you can disable the automatic installation by setting `deployCSIDriver` to `false` in your Constellation config file.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
Azure comes with two storage classes by default.
|
||||
|
||||
|
@ -82,8 +82,8 @@ Note that volume expansion isn't supported for integrity-protected disks.
|
|||
|
||||
:::
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
GCP comes with two storage classes by default.
|
||||
|
||||
|
@ -111,8 +111,8 @@ Note that volume expansion isn't supported for integrity-protected disks.
|
|||
|
||||
:::
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
AWS comes with two storage classes by default.
|
||||
|
||||
|
@ -140,8 +140,8 @@ Note that volume expansion isn't supported for integrity-protected disks.
|
|||
|
||||
:::
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
1. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
|
||||
|
||||
|
|
|
@ -16,8 +16,8 @@ All ephemeral storage and state of your cluster will be lost. Make sure any data
|
|||
|
||||
:::
|
||||
|
||||
<tabs groupId="provider">
|
||||
<tabItem value="cli" label="CLI">
|
||||
<Tabs groupId="provider">
|
||||
<TabItem value="cli" label="CLI">
|
||||
Terminate the cluster by running:
|
||||
|
||||
```bash
|
||||
|
@ -40,8 +40,8 @@ resources manually. Just run the `terminate` command again afterward to continue
|
|||
|
||||
:::
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="terraform" label="Terraform">
|
||||
</TabItem>
|
||||
<TabItem value="terraform" label="Terraform">
|
||||
Terminate the cluster by running:
|
||||
|
||||
```bash
|
||||
|
@ -56,5 +56,5 @@ rm constellation-id.json constellation-admin.conf
|
|||
|
||||
Only the `constellation-mastersecret.json` and the configuration file remain.
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
|
|
@ -55,14 +55,12 @@ When in doubt, check if the encountered [issue is known](https://github.com/edge
|
|||
|
||||
:::
|
||||
|
||||
|
||||
:::tip
|
||||
|
||||
During an upgrade with modified attestation config, a backup of the current configuration is stored in the `join-config-backup` config map in the `kube-system` namespace. To restore the old attestation config after a failed upgrade, you can copy the attestation config from this resource, put it in your configuration file and retry the upgrade.
|
||||
|
||||
:::
|
||||
|
||||
|
||||
You can use the `upgrade apply` command to change measurements of a running cluster:
|
||||
|
||||
1. Modify the `measurements` key in your local `constellation-conf.yaml` to the expected values.
|
||||
|
@ -84,8 +82,8 @@ To provide information during early stages of a node's boot process, Constellati
|
|||
|
||||
You can view this information in the following places:
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure">
|
||||
<Tabs groupId="csp">
|
||||
<TabItem value="azure" label="Azure">
|
||||
|
||||
1. In your Azure subscription find the Constellation resource group.
|
||||
2. Inside the resource group find the Application Insights resource called `constellation-insights-*`.
|
||||
|
@ -95,8 +93,8 @@ You can view this information in the following places:
|
|||
|
||||
To **find the disk UUIDs** use the following query: `traces | where message contains "Disk UUID"`
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
</TabItem>
|
||||
<TabItem value="gcp" label="GCP">
|
||||
|
||||
1. Select the project that hosts Constellation.
|
||||
2. Go to the `Compute Engine` service.
|
||||
|
@ -111,16 +109,16 @@ Constellation uses the default bucket to store logs. Its [default retention peri
|
|||
|
||||
:::
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="aws" label="AWS">
|
||||
</TabItem>
|
||||
<TabItem value="aws" label="AWS">
|
||||
|
||||
1. Open [AWS CloudWatch](https://console.aws.amazon.com/cloudwatch/home)
|
||||
2. Select [Log Groups](https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups)
|
||||
3. Select the log group that matches the name of your cluster.
|
||||
4. Select the log stream for control or worker type nodes.
|
||||
|
||||
</tabItem>
|
||||
</tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
### Node shell access
|
||||
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue