docs: update Tab tags

Thomas Tendyck 2024-08-23 13:04:15 +02:00 committed by Thomas Tendyck
parent e90b0e5109
commit e2ee775483
197 changed files with 3640 additions and 3581 deletions

View file

@ -121,8 +121,8 @@ Constellation allows to specify in the config which measurements should be enfor
Enforcing non-reproducible measurements controlled by the cloud provider means that changes in these values require manual updates to the cluster's config.
By default, Constellation only enforces measurements that are stable values produced by the infrastructure or by Constellation directly.
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
Constellation uses the [vTPM](https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm) feature of Azure CVMs for runtime measurements.
This vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification.
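Review bot: the rename from `<tabs>`/`<tabItem>` to `<Tabs>`/`<TabItem>` in this hunk only takes effect if the file actually imports those components; none of the hunks in this commit show a matching import line, so confirm that each touched page already imports `Tabs` and `TabItem` (or that the docs build registers them globally). In MDX a lowercase tag is emitted as a plain HTML element, which is why the old spelling rendered the content without the tab switcher, and a capitalized tag that resolves to no component fails the build rather than falling back silently.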
@ -152,8 +152,8 @@ The latter means that the value can be generated offline and compared to the one
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16&ndash;23 | Unused | - | - |
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
Constellation uses the [vTPM](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) feature of CVMs on GCP for runtime measurements.
Note that this vTPM doesn't run inside the hardware-protected CVM context, but is emulated by the hypervisor.
@ -185,8 +185,8 @@ The latter means that the value can be generated offline and compared to the one
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16&ndash;23 | Unused | - | - |
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
Constellation uses the [vTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) (NitroTPM) feature of the [AWS Nitro System](http://aws.amazon.com/ec2/nitro/) on AWS for runtime measurements.
@ -217,8 +217,8 @@ The latter means that the value can be generated offline and compared to the one
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16&ndash;23 | Unused | - | - |
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Cluster attestation

View file

@ -11,36 +11,36 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
1. Create the configuration file for your selected cloud provider.
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
```bash
constellation config generate azure
```
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
```bash
constellation config generate gcp
```
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
```bash
constellation config generate aws
```
</tabItem>
</tabs>
</TabItem>
</Tabs>
This creates the file `constellation-conf.yaml` in your current working directory.
2. Fill in your cloud provider specific information.
<tabs groupId="csp">
<tabItem value="azure" label="Azure (CLI)">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure (CLI)">
You need several resources for the cluster. You can use the following `az` script to create them:
@ -71,8 +71,8 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
Run `constellation config instance-types` to get the list of all supported options.
</tabItem>
<tabItem value="azure-portal" label="Azure (Portal)">
</TabItem>
<TabItem value="azure-portal" label="Azure (Portal)">
* **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`.
@ -118,8 +118,8 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
Run `constellation config instance-types` to get the list of all supported options.
</tabItem>
<tabItem value="gcp" label="GCP (CLI)">
</TabItem>
<TabItem value="gcp" label="GCP (CLI)">
You need a service account for the cluster. You can use the following `gcloud` script to create it:
@ -142,8 +142,8 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
By default, Constellation uses `n2d-standard-4` VMs (4 vCPUs, 16 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying **instanceType** in the configuration file. Supported are all machines from the N2D family with a minimum of 4 vCPUs. Refer to [N2D machine series](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) or run `constellation config instance-types` to get the list of all supported options.
</tabItem>
<tabItem value="gcp-console" label="GCP (Console)">
</TabItem>
<TabItem value="gcp-console" label="GCP (Console)">
* **project**: The ID of your GCP project, e.g., `constellation-129857`.
@ -171,8 +171,8 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
Supported are all machines from the N2D family with a minimum of 4 vCPUs. It defaults to `n2d-standard-4` (4 vCPUs, 16 GB RAM), but you can use any other VMs from the same family. Refer to [N2D machine series](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) or run `constellation config instance-types` to get the list of all supported options.
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`.
@ -211,8 +211,8 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`.
</tabItem>
</tabs>
</TabItem>
</Tabs>
:::info

View file

@ -18,8 +18,8 @@ Make sure the following requirements are met:
The CLI executable is available at [GitHub](https://github.com/edgelesssys/constellation/releases).
Install it with the following commands:
<tabs>
<tabItem value="linux-amd64" label="Linux (amd64)">
<Tabs>
<TabItem value="linux-amd64" label="Linux (amd64)">
1. Download the CLI:
@ -35,8 +35,8 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-linux-amd64 /usr/local/bin/constellation
```
</tabItem>
<tabItem value="linux-arm64" label="Linux (arm64)">
</TabItem>
<TabItem value="linux-arm64" label="Linux (arm64)">
1. Download the CLI:
@ -52,9 +52,9 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-linux-arm64 /usr/local/bin/constellation
```
</tabItem>
</TabItem>
<tabItem value="darwin-arm64" label="macOS (Apple Silicon)">
<TabItem value="darwin-arm64" label="macOS (Apple Silicon)">
1. Download the CLI:
@ -70,9 +70,9 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-darwin-arm64 /usr/local/bin/constellation
```
</tabItem>
</TabItem>
<tabItem value="darwin-amd64" label="macOS (Intel)">
<TabItem value="darwin-amd64" label="macOS (Intel)">
1. Download the CLI:
@ -88,8 +88,8 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c
sudo install constellation-darwin-amd64 /usr/local/bin/constellation
```
</tabItem>
</tabs>
</TabItem>
</Tabs>
:::tip
The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps.
@ -105,14 +105,15 @@ If you don't have a cloud subscription, you can try [MiniConstellation](first-st
### Required permissions
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
The following [resource providers need to be need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Compute`
* `Microsoft.ManagedIdentity`
* `Microsoft.Network`
* `microsoft.insights`
- `Microsoft.Compute`
- `Microsoft.ManagedIdentity`
- `Microsoft.Network`
- `microsoft.insights`
By default, Constellation tries to register these automatically if they haven't been registered before.
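Review bot: the unchanged context line in this hunk still reads "resource providers need to be need to be registered"; since the lines directly below it are being rewritten anyway, drop the duplicated "need to be" here. Also, switching the list markers from `*` to `-` in the same hunk is a formatting change unrelated to the Tab tag rename the commit message describes; either mention it in the commit message or move it to its own commit so the diff stays reviewable.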
@ -124,8 +125,8 @@ You need the following permissions for your user account:
If you don't have these permissions with scope *subscription*, ask your administrator to [create the service account and a resource group for your Constellation cluster](first-steps.md).
Your user account needs the `Contributor` permission scoped to this resource group.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
Create a new project for Constellation or use an existing one.
Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it.
@ -137,8 +138,8 @@ You need the following permissions on this project:
Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access).
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure.
@ -269,8 +270,8 @@ such as `PowerUserAccess`, or use the following minimal set of permissions:
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
</tabItem>
</tabs>
</TabItem>
</Tabs>
### Authentication
@ -280,8 +281,8 @@ You need to authenticate with your CSP. The following lists the required steps f
The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps.
:::
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
**Testing**
@ -297,8 +298,8 @@ az login
Other options are described in Azure's [authentication guide](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli).
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
**Testing**
@ -321,8 +322,8 @@ Use one of the following options on a trusted machine:
Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials.
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
**Testing**
@ -338,9 +339,9 @@ aws configure
Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
</tabItem>
</TabItem>
</tabs>
</Tabs>
## Next steps

View file

@ -19,29 +19,29 @@ This step creates the necessary resources for your cluster in your cloud environ
Generate a configuration file for your cloud service provider (CSP):
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
```bash
constellation config generate azure
```
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
```bash
constellation config generate gcp
```
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
```bash
constellation config generate aws
```
</tabItem>
</tabs>
</TabItem>
</Tabs>
This creates the file `constellation-conf.yaml` in the current directory. [Fill in your CSP-specific information](../getting-started/first-steps.md#create-a-cluster) before you continue.

View file

@ -16,8 +16,8 @@ You can check the health status of the nodes via the cloud service provider (CSP
Constellation provides logging information on the boot process and status via [cloud logging](troubleshooting.md#cloud-logging).
In the following, you'll find detailed descriptions for identifying clusters stuck in recovery for each CSP.
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
In the Azure portal, find the cluster's resource group.
Inside the resource group, open the control plane *Virtual machine scale set* `constellation-scale-set-controlplanes-<suffix>`.
@ -51,8 +51,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
This means that you have to recover the node manually.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
First, check that the control plane *Instance Group* has enough members in a *Ready* state.
In the GCP Console, go to **Instance Groups** and check the group for the cluster's control plane `<cluster-name>-control-plane-<suffix>`.
@ -87,8 +87,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
This means that you have to recover the node manually.
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state.
@ -118,8 +118,8 @@ If this fails due to an unhealthy control plane, you will see log messages simil
This means that you have to recover the node manually.
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Recover a cluster

View file

@ -48,23 +48,23 @@ kubectl -n kube-system get nodes
Alternatively, you can manually scale your cluster up or down:
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
1. Find your Constellation resource group.
2. Select the `scale-set-workers`.
3. Go to **settings** and **scaling**.
4. Set the new **instance count** and **save**.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/).
2. **Edit** the **worker** instance group.
3. Set the new **number of instances** and **save**.
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
:::caution
@ -72,8 +72,8 @@ Scaling isn't yet implemented for AWS. If you require this feature, [let us know
:::
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Control-plane node scaling
@ -81,24 +81,24 @@ Control-plane nodes can **only be scaled manually and only scaled up**!
To increase the number of control-plane nodes, follow these steps:
<tabs groupId="csp">
<Tabs groupId="csp">
<tabItem value="azure" label="Azure">
<TabItem value="azure" label="Azure">
1. Find your Constellation resource group.
2. Select the `scale-set-controlplanes`.
3. Go to **settings** and **scaling**.
4. Set the new (increased) **instance count** and **save**.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
1. In Compute Engine go to [Instance Groups](https://console.cloud.google.com/compute/instanceGroups/).
2. **Edit** the **control-plane** instance group.
3. Set the new (increased) **number of instances** and **save**.
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
:::caution
@ -106,7 +106,7 @@ Scaling isn't yet implemented for AWS. If you require this feature, [let us know
:::
</tabItem>
</tabs>
</TabItem>
</Tabs>
If you scale down the number of control-planes nodes, the removed nodes won't be able to exit the `etcd` cluster correctly. This will endanger the quorum that's required to run a stable Kubernetes control plane.

View file

@ -21,14 +21,14 @@ For more details see [encrypted persistent storage](../architecture/encrypted-st
Constellation supports the following drivers, which offer node-level encryption and optional integrity protection.
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
**Constellation CSI driver for Azure Disk**:
Mount Azure [Disk Storage](https://azure.microsoft.com/en-us/services/storage/disks/#overview) into your Constellation cluster. See the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-azuredisk-csi-driver) for more information. Since Azure Disks are mounted as ReadWriteOnce, they're only available to a single pod.
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
**Constellation CSI driver for GCP Persistent Disk**:
Mount [Persistent Disk](https://cloud.google.com/persistent-disk) block storage into your Constellation cluster.
@ -36,8 +36,8 @@ This includes support for [volume snapshots](https://cloud.google.com/kubernetes
You can use them to bring a volume back to a prior state or provision new volumes.
Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for information about the configuration.
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
:::caution
@ -47,8 +47,8 @@ You may use other (non-confidential) CSI drivers that are compatible with Kubern
:::
</tabItem>
</tabs>
</TabItem>
</Tabs>
Note that in case the options above aren't a suitable solution for you, Constellation is compatible with all other CSI-based storage options. For example, you can use [Azure Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction) or [GCP Filestore](https://cloud.google.com/filestore) with Constellation out of the box. Constellation is just not providing transparent encryption on the node level for these storage types yet.
@ -56,8 +56,8 @@ Note that in case the options above aren't a suitable solution for you, Constell
The following installation guide gives an overview of how to securely use CSI-based cloud storage for persistent volumes in Constellation.
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
1. Install the driver:
@ -67,8 +67,8 @@ The following installation guide gives an overview of how to securely use CSI-ba
helm install azuredisk-csi-driver charts/edgeless --namespace kube-system
```
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
1. Install the driver:
@ -77,8 +77,8 @@ The following installation guide gives an overview of how to securely use CSI-ba
helm install gcp-compute-persistent-disk-csi-driver charts/ --namespace kube-system
```
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
:::caution
@ -88,8 +88,8 @@ You may use other (non-confidential) CSI drivers that are compatible with Kubern
:::
</tabItem>
</tabs>
</TabItem>
</Tabs>
:::info
@ -160,8 +160,8 @@ The default storage class is responsible for all persistent volume claims that d
The previous instructions create a storage class with encryption enabled and sets this as the default class.
In case you wish to change it, follow the steps below:
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
1. List the storage classes in your cluster:
@ -207,8 +207,8 @@ In case you wish to change it, follow the steps below:
integrity-encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate false 1d
```
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
1. List the storage classes in your cluster:
@ -254,8 +254,8 @@ In case you wish to change it, follow the steps below:
integrity-encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate false 1d
```
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
:::caution
@ -265,5 +265,5 @@ You may use other (non-confidential) CSI drivers that are compatible with Kubern
:::
</tabItem>
</tabs>
</TabItem>
</Tabs>

View file

@ -5,6 +5,7 @@ This section aids you in finding problems when working with Constellation.
## Azure: Resource Providers can't be registered
On Azure, you may receive the following error when running `create` or `terminate` with limited IAM permissions:
```shell-session
Error: Error ensuring Resource Providers are registered.
@ -21,11 +22,13 @@ To continue, please ensure that the [required resource providers](../getting-sta
Afterward, set `ARM_SKIP_PROVIDER_REGISTRATION=true` as an environment variable and either run `create` or `terminate` again.
For example:
```bash
ARM_SKIP_PROVIDER_REGISTRATION=true constellation create --control-plane-nodes 1 --worker-nodes 2 -y
```
Or alternatively, for `terminate`:
```bash
ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate
```
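Review bot: this hunk (`-21,11 +22,13`) and the preceding one (`-5,6 +5,7`) grow the file by three lines without any visible token change, so they appear to add blank lines only; that is fine for readability around the fenced blocks, but it is not a Tab tag update, so call it out in the commit message or split it off so that "docs: update Tab tags" describes the whole change.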
@ -36,8 +39,8 @@ To provide information during early stages of the node's boot process, Constella
You can view these information in the follow places:
<tabs groupId="csp">
<tabItem value="azure" label="Azure">
<Tabs groupId="csp">
<TabItem value="azure" label="Azure">
1. In your Azure subscription find the Constellation resource group.
2. Inside the resource group find the Application Insights resource called `constellation-insights-*`.
@ -47,8 +50,8 @@ You can view these information in the follow places:
To **find the disk UUIDs** use the following query: `traces | where message contains "Disk UUID"`
</tabItem>
<tabItem value="gcp" label="GCP">
</TabItem>
<TabItem value="gcp" label="GCP">
1. Select the project that hosts Constellation.
2. Go to the `Compute Engine` service.
@ -63,16 +66,16 @@ Constellation uses the default bucket to store logs. Its [default retention peri
:::
</tabItem>
<tabItem value="aws" label="AWS">
</TabItem>
<TabItem value="aws" label="AWS">
1. Open [AWS CloudWatch](https://console.aws.amazon.com/cloudwatch/home)
2. Select [Log Groups](https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups)
3. Select the log group that matches the name of your cluster.
4. Select the log stream for control or worker type nodes.
</tabItem>
</tabs>
</TabItem>
</Tabs>
## Connect to nodes via SSH