Document trusted launch on Azure (#48)

* Document trusted launch usage for Azure Signed-off-by: Fabian Kammel <fk@edgeless.systems> * there is no valid link because there is no valid release yet Signed-off-by: Fabian Kammel <fk@edgeless.systems> * fix link Signed-off-by: Fabian Kammel <fk@edgeless.systems> * fix linter issues Signed-off-by: Fabian Kammel <fk@edgeless.systems> * improve * importAzure.sh: print final image ID Signed-off-by: Fabian Kammel <fk@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2025-01-26 07:16:08 -05:00 · 2022-09-07 15:05:24 +02:00 · 2022-09-07 15:05:24 +02:00 · e3ede64ae6
commit e3ede64ae6
parent 611ec25f22
6 changed files with 59 additions and 4 deletions
--- a/.github/docs/release.md
+++ b/.github/docs/release.md
@ -46,4 +46,5 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
        gh workflow run release-cli.yml --ref v1.3.0
        ```
        * The previous step will create a draft release. Check build output for link to draft release. Review & approve.
-5. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
+5. Folow [export flow](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted lanuch users.
+6. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
--- a/.lycheeignore
+++ b/.lycheeignore
@ -1,3 +1,5 @@
 http://localhost:
 https://github.com/edgelesssys/constellation-
+https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md
 https://github.com/edgelesssys/wiki/blob/master/documentation/rebasing_forks.md
+https://public-edgeless-constellation.s3.us-east-2.amazonaws.com
--- a/cli/internal/cmd/create.go
+++ b/cli/internal/cmd/create.go
@ -69,7 +69,7 @@ func create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler,

 	var printedAWarning bool
 	if config.IsDebugImage() {
-		cmd.Println("Configured image does not look like a released production image. Double check image before deploying to production.")
+		cmd.Println("Configured image doesn't look like a released production image. Double check image before deploying to production.")
 		printedAWarning = true
 	}

--- a/docs/docs/workflows/trusted-launch.md
+++ b/docs/docs/workflows/trusted-launch.md
@ -0,0 +1,45 @@
+# Azure trusted launch VMs
+
+Constellation supports Azure trusted launch VMs. These are VMs with instance type `Standard_D*_v4` and `Standard_E*_v4`.
+
+:::caution
+
+Trusted launch VMs don't provide [runtime encryption](../overview/confidential-kubernetes.md).
+For highest security, use Confidential VMs.
+
+:::
+
+Run `constellation config instance-types` to show all supported instance types.
+
+## VM images
+
+Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). So you need to import the VM image into your cloud subscription.
+
+The latest image is available at [https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0](https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0). Simply adjust the last three numbers if you want to download an image for a different version.
+
+After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image.
+You can use a script to do this:
+```bash
+wget https://github.com/edgelesssys/constellation/blob/main/hack/importAzure.sh
+chmod +x importAzure.sh
+AZURE_IMAGE_VERSION=2.0.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./2.0.0 ./importAzure.sh
+```
+
+The script creates the following resources:
+1. A new image gallery with the default name `constellation-import`
+2. A new image definition with the default name `constellation`
+3. The actual image with the provided version. In this case `2.0.0`
+
+Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`.
+
+:::info
+
+The [constellation create](create.md) command will issue a warning because manually imported images aren't recognized as production grade images:
+
+```shell-session
+Configured image doesn't look like a released production image. Double check image before deploying to production.
+```
+
+Please ignore this warning.
+
+:::
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@ -138,6 +138,11 @@ const sidebars = {
          label: 'Use persistent storage',
          id: 'workflows/storage',
        },
+        {
+          type: 'doc',
+          label: 'Azure trusted launch VMs',
+          id: 'workflows/trusted-launch',
+        },
        {
          type: 'doc',
          label: 'Managing SSH keys',
--- a/hack/importAzure.sh
+++ b/hack/importAzure.sh
@ -102,9 +102,8 @@ echo "Creating Azure Shared Image Gallery."
 az sig create -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --resource-group ${AZURE_RESOURCE_GROUP_NAME}
 echo "Creating Image Definition."
 az sig image-definition create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --publisher ${AZURE_PUBLISHER} --offer ${AZURE_IMAGE_OFFER} --sku ${AZURE_SKU} --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=ConfidentialVmSupported
-echo "Retrieving image ID."
+echo "Retrieving temporary image ID."
 AZURE_IMAGE_ID=$(az image list --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output json | jq -r)
-echo "Image ID is ${AZURE_IMAGE_ID}"

 echo "Creating final image version."
 az sig image-version create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} --target-regions ${AZURE_REGION} --replica-count 1 --managed-image ${AZURE_IMAGE_ID}
@ -113,6 +112,9 @@ echo "Cleaning up ephemeral resources."
 az image delete --ids ${AZURE_IMAGE_ID}
 az disk delete -y --ids ${AZURE_DISK_ID}

+IMAGE_VERSION=$(az sig image-version show --resource-group ${AZURE_RESOURCE_GROUP_NAME}  --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} -o tsv --query id)
+echo "Image ID is ${IMAGE_VERSION}"
+
 # # Cleanup all
 # az sig image-version delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} --gallery-name ${AZURE_GALLERY_NAME}
 # az sig image-definition delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION}