docs: update Tab tags

This commit is contained in:
Thomas Tendyck 2024-08-23 13:04:15 +02:00 committed by Thomas Tendyck
parent e90b0e5109
commit e2ee775483
197 changed files with 3640 additions and 3581 deletions

View file

@ -45,8 +45,8 @@ sudo iptables -P FORWARD ACCEPT
## Create a cluster
<tabs groupId="csp">
<tabItem value="mini" label="MiniConstellation">
<Tabs groupId="csp">
<TabItem value="mini" label="MiniConstellation">
<!-- vale off -->
With the `constellation mini` command, you can deploy and test Constellation locally. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/).
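Review bot: the rename to `<Tabs>`/`<TabItem>` only takes effect if those components are in scope, either imported in this file (`import Tabs from '@theme/Tabs';` and `import TabItem from '@theme/TabItem';`) or registered globally through the theme's MDXComponents; neither is visible in this hunk, so please confirm. In MDX a capitalized tag resolves to a component, while lowercase `<tabs>`/`<tabItem>` is emitted as an unknown HTML element, which is why the old markup never produced a tab widget. While here, check the `<!-- vale off -->` context line: MDX 2/3 rejects HTML comments unless Docusaurus's `mdx1Compat.comments` shim is on, whereas `{/* vale off */}` compiles in either mode.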
@ -74,8 +74,8 @@ constellation mini up
This will configure your current directory as the [workspace](../architecture/orchestration.md#workspaces) for this cluster.
All `constellation` commands concerning this cluster need to be issued from this directory.
</tabItem>
<tabItem value="qemu" label="QEMU">
</TabItem>
<TabItem value="qemu" label="QEMU">
With the QEMU provider, you can create a local Constellation cluster as if it were in the cloud. The provider uses [QEMU](https://www.qemu.org/) to create multiple VMs for the cluster nodes, which interact with each other.
@ -151,8 +151,8 @@ attaching persistent storage, or autoscaling aren't available.
export KUBECONFIG="$PWD/constellation-admin.conf"
```
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Connect to the cluster
@ -205,8 +205,8 @@ worker-0 Ready <none> 32s v1.24.6
## Terminate your cluster
<tabs groupId="csp">
<tabItem value="mini" label="MiniConstellation">
<Tabs groupId="csp">
<TabItem value="mini" label="MiniConstellation">
Once you are done, you can clean up the created resources using the following command:
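Review bot: these local-setup tabs reuse `groupId="csp"` with values `mini`/`qemu`, while the cloud pages in this same commit use that group with `azure`/`gcp`/`aws`. Docusaurus syncs the selected tab per group id, so choosing QEMU here stores a value no cloud page can match, and those pages fall back to their default tab. A separate group id for the local providers (e.g. `groupId="local"`) keeps the two choices independent.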
@ -217,8 +217,8 @@ constellation mini down
This will destroy your cluster and clean up your workspace.
The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters.
</tabItem>
<tabItem value="qemu" label="QEMU">
</TabItem>
<TabItem value="qemu" label="QEMU">
Once you are done, you can clean up the created resources using the following command:
@ -246,8 +246,8 @@ Your Constellation cluster was terminated successfully.
This will destroy your cluster and clean up your workspace.
The VM image and cluster configuration file (`constellation-conf.yaml`) will be kept and may be reused to create new clusters.
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Troubleshooting

View file

@ -15,39 +15,39 @@ If you encounter any problem with the following steps, make sure to use the [lat
1. Create the [configuration file](../workflows/config.md) for your cloud provider.
<tabs groupId="csp">
<Tabs groupId="csp">
<tabItem value="azure" label="Azure">
<TabItem value="azure" label="Azure">
```bash
constellation config generate azure
```
</tabItem>
</TabItem>
<tabItem value="gcp" label="GCP">
<TabItem value="gcp" label="GCP">
```bash
constellation config generate gcp
```
</tabItem>
</TabItem>
<tabItem value="aws" label="AWS">
<TabItem value="aws" label="AWS">
```bash
constellation config generate aws
```
</tabItem>
</TabItem>
</tabs>
</Tabs>
2. Create your [IAM configuration](../workflows/config.md#creating-an-iam-configuration).
<tabs groupId="csp">
<Tabs groupId="csp">
<tabItem value="azure" label="Azure">
<TabItem value="azure" label="Azure">
```bash
constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
@ -62,9 +62,9 @@ If you encounter any problem with the following steps, make sure to use the [lat
* `westeurope`
* `southeastasia`
</tabItem>
</TabItem>
<tabItem value="gcp" label="GCP">
<TabItem value="gcp" label="GCP">
```bash
constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
@ -74,9 +74,9 @@ If you encounter any problem with the following steps, make sure to use the [lat
Note that only regions offering CVMs of the `C2D` or `N2D` series are supported. You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available), which you can filter by machine type `C2D` or `N2D`.
</tabItem>
</TabItem>
<tabItem value="aws" label="AWS">
<TabItem value="aws" label="AWS">
```bash
constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config
@ -103,8 +103,8 @@ If you encounter any problem with the following steps, make sure to use the [lat
You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
</tabItem>
</tabs>
</TabItem>
</Tabs>
:::tip
To learn about all options you have for managing IAM resources and Constellation configuration, see the [Configuration workflow](../workflows/config.md).

View file

@ -18,8 +18,8 @@ Make sure the following requirements are met:
The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases).
Install it with the following commands:
<tabs>
<tabItem value="linux-amd64" label="Linux (amd64)">
<Tabs>
<TabItem value="linux-amd64" label="Linux (amd64)">
1. Download the CLI:
@ -35,8 +35,8 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-linux-amd64 /usr/local/bin/constellation
```
</tabItem>
<tabItem value="linux-arm64" label="Linux (arm64)">
</TabItem>
<TabItem value="linux-arm64" label="Linux (arm64)">
1. Download the CLI:
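Review bot: the visible context goes from `curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/…` straight to `sudo install constellation-linux-amd64 /usr/local/bin/constellation`; the lines in between are elided by the hunk, so if they do not already verify the downloaded binary against the release signature, that check belongs before the `sudo install` step, since `latest/download` resolves to whatever the newest release is at fetch time. The same applies to the arm64 and macOS tabs below, which follow the identical pattern.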
@ -52,9 +52,9 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-linux-arm64 /usr/local/bin/constellation
```
</tabItem>
</TabItem>
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
<TabItem value="darwin-arm64" label="macOS (Apple Silicon)">
1. Download the CLI:
@ -70,9 +70,9 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
```
</tabItem>
</TabItem>
<tabItem value="darwin-amd64" label="macOS (Intel)">
<TabItem value="darwin-amd64" label="macOS (Intel)">
1. Download the CLI:
@ -88,8 +88,8 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-darwin-amd64 /usr/local/bin/constellation
```
</tabItem>
</tabs>
</TabItem>
</Tabs>
:::tip
The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps.
@ -105,39 +105,42 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
### Required permissions
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation`
* `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity`
* `Microsoft.Network`
- `Microsoft.Attestation`
- `Microsoft.Compute`
- `Microsoft.Insights`
- `Microsoft.ManagedIdentity`
- `Microsoft.Network`
By default, Constellation tries to register these automatically if they haven't been registered before.
To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
* `*/register/action` \[1]
* `Microsoft.Authorization/roleAssignments/*`
* `Microsoft.Authorization/roleDefinitions/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
* `Microsoft.Resources/subscriptions/resourcegroups/*`
- `*/register/action` \[1]
- `Microsoft.Authorization/roleAssignments/*`
- `Microsoft.Authorization/roleDefinitions/*`
- `Microsoft.ManagedIdentity/userAssignedIdentities/*`
- `Microsoft.Resources/subscriptions/resourcegroups/*`
The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
* `Microsoft.Network/loadBalancers/*`
* `Microsoft.Network/loadBalancers/backendAddressPools/*`
* `Microsoft.Network/networkSecurityGroups/*`
* `Microsoft.Network/publicIPAddresses/*`
* `Microsoft.Network/virtualNetworks/*`
* `Microsoft.Network/virtualNetworks/subnets/*`
* `Microsoft.Network/natGateways/*`
- `Microsoft.Attestation/attestationProviders/*`
- `Microsoft.Compute/virtualMachineScaleSets/*`
- `Microsoft.Insights/components/*`
- `Microsoft.ManagedIdentity/userAssignedIdentities/*`
- `Microsoft.Network/loadBalancers/*`
- `Microsoft.Network/loadBalancers/backendAddressPools/*`
- `Microsoft.Network/networkSecurityGroups/*`
- `Microsoft.Network/publicIPAddresses/*`
- `Microsoft.Network/virtualNetworks/*`
- `Microsoft.Network/virtualNetworks/subnets/*`
- `Microsoft.Network/natGateways/*`
The built-in `Contributor` role is a superset of these permissions.
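Review bot: the hunk header counts (39 → 42) show three lines added in this region that the rendered view does not display, on top of the `*` → `-` bullet change. If those are blank lines separating each permission list from the paragraph that follows it (`- Microsoft.Network` / `By default, Constellation tries to register these automatically …`), that is the right fix, because without a blank line CommonMark parses the paragraph as a lazy continuation of the last list item; please confirm that is what was added.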
@ -145,89 +148,91 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
Create a new project for Constellation or use an existing one.
Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it.
To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
* `iam.serviceAccountKeys.create`
* `iam.serviceAccountKeys.delete`
* `iam.serviceAccountKeys.get`
* `iam.serviceAccounts.create`
* `iam.serviceAccounts.delete`
* `iam.serviceAccounts.get`
* `resourcemanager.projects.getIamPolicy`
* `resourcemanager.projects.setIamPolicy`
- `iam.serviceAccountKeys.create`
- `iam.serviceAccountKeys.delete`
- `iam.serviceAccountKeys.get`
- `iam.serviceAccounts.create`
- `iam.serviceAccounts.delete`
- `iam.serviceAccounts.get`
- `resourcemanager.projects.getIamPolicy`
- `resourcemanager.projects.setIamPolicy`
Together, the built-in roles `roles/editor` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `compute.addresses.createInternal`
* `compute.addresses.deleteInternal`
* `compute.addresses.get`
* `compute.addresses.useInternal`
* `compute.backendServices.create`
* `compute.backendServices.delete`
* `compute.backendServices.get`
* `compute.backendServices.use`
* `compute.disks.create`
* `compute.firewalls.create`
* `compute.firewalls.delete`
* `compute.firewalls.get`
* `compute.globalAddresses.create`
* `compute.globalAddresses.delete`
* `compute.globalAddresses.get`
* `compute.globalAddresses.use`
* `compute.globalForwardingRules.create`
* `compute.globalForwardingRules.delete`
* `compute.globalForwardingRules.get`
* `compute.globalForwardingRules.setLabels`
* `compute.globalOperations.get`
* `compute.healthChecks.create`
* `compute.healthChecks.delete`
* `compute.healthChecks.get`
* `compute.healthChecks.useReadOnly`
* `compute.instanceGroupManagers.create`
* `compute.instanceGroupManagers.delete`
* `compute.instanceGroupManagers.get`
* `compute.instanceGroups.create`
* `compute.instanceGroups.delete`
* `compute.instanceGroups.get`
* `compute.instanceGroups.use`
* `compute.instances.create`
* `compute.instances.setLabels`
* `compute.instances.setMetadata`
* `compute.instances.setTags`
* `compute.instanceTemplates.create`
* `compute.instanceTemplates.delete`
* `compute.instanceTemplates.get`
* `compute.instanceTemplates.useReadOnly`
* `compute.networks.create`
* `compute.networks.delete`
* `compute.networks.get`
* `compute.networks.updatePolicy`
* `compute.routers.create`
* `compute.routers.delete`
* `compute.routers.get`
* `compute.routers.update`
* `compute.subnetworks.create`
* `compute.subnetworks.delete`
* `compute.subnetworks.get`
* `compute.subnetworks.use`
* `compute.targetTcpProxies.create`
* `compute.targetTcpProxies.delete`
* `compute.targetTcpProxies.get`
* `compute.targetTcpProxies.use`
* `iam.serviceAccounts.actAs`
- `compute.addresses.createInternal`
- `compute.addresses.deleteInternal`
- `compute.addresses.get`
- `compute.addresses.useInternal`
- `compute.backendServices.create`
- `compute.backendServices.delete`
- `compute.backendServices.get`
- `compute.backendServices.use`
- `compute.disks.create`
- `compute.firewalls.create`
- `compute.firewalls.delete`
- `compute.firewalls.get`
- `compute.globalAddresses.create`
- `compute.globalAddresses.delete`
- `compute.globalAddresses.get`
- `compute.globalAddresses.use`
- `compute.globalForwardingRules.create`
- `compute.globalForwardingRules.delete`
- `compute.globalForwardingRules.get`
- `compute.globalForwardingRules.setLabels`
- `compute.globalOperations.get`
- `compute.healthChecks.create`
- `compute.healthChecks.delete`
- `compute.healthChecks.get`
- `compute.healthChecks.useReadOnly`
- `compute.instanceGroupManagers.create`
- `compute.instanceGroupManagers.delete`
- `compute.instanceGroupManagers.get`
- `compute.instanceGroups.create`
- `compute.instanceGroups.delete`
- `compute.instanceGroups.get`
- `compute.instanceGroups.use`
- `compute.instances.create`
- `compute.instances.setLabels`
- `compute.instances.setMetadata`
- `compute.instances.setTags`
- `compute.instanceTemplates.create`
- `compute.instanceTemplates.delete`
- `compute.instanceTemplates.get`
- `compute.instanceTemplates.useReadOnly`
- `compute.networks.create`
- `compute.networks.delete`
- `compute.networks.get`
- `compute.networks.updatePolicy`
- `compute.routers.create`
- `compute.routers.delete`
- `compute.routers.get`
- `compute.routers.update`
- `compute.subnetworks.create`
- `compute.subnetworks.delete`
- `compute.subnetworks.get`
- `compute.subnetworks.use`
- `compute.targetTcpProxies.create`
- `compute.targetTcpProxies.delete`
- `compute.targetTcpProxies.get`
- `compute.targetTcpProxies.use`
- `iam.serviceAccounts.actAs`
Together, the built-in roles `roles/editor`, `roles/compute.instanceAdmin` and `roles/resourcemanager.projectIamAdmin` form a superset of these permissions.
Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access).
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure.
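Review bot: footnote 1 spells the permission `*/register/Action`, while the list entry it annotates in the previous hunk reads `*/register/action`; Azure matches action strings case-insensitively, but the page should use one spelling, and the lowercase form is how the provider-registration operation is written in Azure's own permission lists. It would also help readers to say that `ARM_SKIP_PROVIDER_REGISTRATION` is read by the Terraform azurerm provider that `constellation iam create` drives, since the docs otherwise give no hint of where that variable is consumed.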
@ -277,8 +282,8 @@ The built-in `PowerUserAccess` policy is a superset of these permissions.
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
</tabItem>
</tabs>
</TabItem>
</Tabs>
### Authentication
@ -288,8 +293,8 @@ You need to authenticate with your CSP. The following lists the required steps f
The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps.
:::
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
**Testing**
@ -305,8 +310,8 @@ az login
Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli).
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
**Testing**
@ -329,8 +334,8 @@ Use one of the following options on a trusted machine:
Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials.
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
**Testing**
@ -346,9 +351,9 @@ aws configure
Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
</tabItem>
</TabItem>
</tabs>
</Tabs>
## Next steps