From e3ede64ae65dece95905b9c5bed16bef42d80040 Mon Sep 17 00:00:00 2001
From: Fabian Kammel
Date: Wed, 7 Sep 2022 15:05:24 +0200
Subject: [PATCH] Document trusted launch on Azure (#48)

* Document trusted launch usage for Azure

Signed-off-by: Fabian Kammel

* there is no valid link because there is no valid release yet

Signed-off-by: Fabian Kammel

* fix link

Signed-off-by: Fabian Kammel

* fix linter issues

Signed-off-by: Fabian Kammel

* improve

* importAzure.sh: print final image ID

Signed-off-by: Fabian Kammel
Co-authored-by: Thomas Tendyck
---
 .github/docs/release.md | 3 +-
 .lycheeignore | 2 ++
 cli/internal/cmd/create.go | 2 +-
 docs/docs/workflows/trusted-launch.md | 45 +++++++++++++++++++++++++++
 docs/sidebars.js | 5 +++
 hack/importAzure.sh | 6 ++--
 6 files changed, 59 insertions(+), 4 deletions(-)
 create mode 100644 docs/docs/workflows/trusted-launch.md

diff --git a/.github/docs/release.md b/.github/docs/release.md
index bc7e86b2f..c3c3a15b1 100644
--- a/.github/docs/release.md
+++ b/.github/docs/release.md
@@ -46,4 +46,5 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
 gh workflow run release-cli.yml --ref v1.3.0
 ```
 * The previous step will create a draft release. Check build output for link to draft release. Review & approve.
-5. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
+5. Folow [export flow](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted lanuch users.
+6. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
diff --git a/.lycheeignore b/.lycheeignore
index 0ae3fccf2..4471ff876 100644
--- a/.lycheeignore
+++ b/.lycheeignore
@@ -1,3 +1,5 @@
 http://localhost:
 https://github.com/edgelesssys/constellation-
+https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md
 https://github.com/edgelesssys/wiki/blob/master/documentation/rebasing_forks.md
+https://public-edgeless-constellation.s3.us-east-2.amazonaws.com
diff --git a/cli/internal/cmd/create.go b/cli/internal/cmd/create.go
index d6e5a2d21..f80681619 100644
--- a/cli/internal/cmd/create.go
+++ b/cli/internal/cmd/create.go
@@ -69,7 +69,7 @@ func create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler,
 	var printedAWarning bool
 	if config.IsDebugImage() {
-		cmd.Println("Configured image does not look like a released production image. Double check image before deploying to production.")
+		cmd.Println("Configured image doesn't look like a released production image. Double check image before deploying to production.")
 		printedAWarning = true
 	}
diff --git a/docs/docs/workflows/trusted-launch.md b/docs/docs/workflows/trusted-launch.md
new file mode 100644
index 000000000..538db9fa3
--- /dev/null
+++ b/docs/docs/workflows/trusted-launch.md
@@ -0,0 +1,45 @@
+# Azure trusted launch VMs
+
+Constellation supports Azure trusted launch VMs. These are VMs with instance type `Standard_D*_v4` and `Standard_E*_v4`.
+
+:::caution
+
+Trusted launch VMs don't provide [runtime encryption](../overview/confidential-kubernetes.md).
+For highest security, use Confidential VMs.
+
+:::
+
+Run `constellation config instance-types` to show all supported instance types.
+
+## VM images
+
+Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). So you need to import the VM image into your cloud subscription.
+
+The latest image is available at [https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0](https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0). Simply adjust the last three numbers if you want to download an image for a different version.
+
+After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image.
+You can use a script to do this:
+```bash
+wget https://github.com/edgelesssys/constellation/blob/main/hack/importAzure.sh
+chmod +x importAzure.sh
+AZURE_IMAGE_VERSION=2.0.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./2.0.0 ./importAzure.sh
+```
+
+The script creates the following resources:
+1. A new image gallery with the default name `constellation-import`
+2. A new image definition with the default name `constellation`
+3. The actual image with the provided version. In this case `2.0.0`
+
+Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`.
+
+:::info
+
+The [constellation create](create.md) command will issue a warning because manually imported images aren't recognized as production grade images:
+
+```shell-session
+Configured image doesn't look like a released production image. Double check image before deploying to production.
+```
+
+Please ignore this warning.
+
+:::
diff --git a/docs/sidebars.js b/docs/sidebars.js
index 4b48ba3d7..efd9e8294 100644
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -138,6 +138,11 @@ const sidebars = {
         label: 'Use persistent storage',
         id: 'workflows/storage',
       },
+      {
+        type: 'doc',
+        label: 'Azure trusted launch VMs',
+        id: 'workflows/trusted-launch',
+      },
       {
         type: 'doc',
         label: 'Managing SSH keys',
diff --git a/hack/importAzure.sh b/hack/importAzure.sh
index 6fb9a4235..a5c658f98 100755
--- a/hack/importAzure.sh
+++ b/hack/importAzure.sh
@@ -102,9 +102,8 @@ echo "Creating Azure Shared Image Gallery."
 az sig create -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --resource-group ${AZURE_RESOURCE_GROUP_NAME}
 echo "Creating Image Definition."
 az sig image-definition create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --publisher ${AZURE_PUBLISHER} --offer ${AZURE_IMAGE_OFFER} --sku ${AZURE_SKU} --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=ConfidentialVmSupported
-echo "Retrieving image ID."
+echo "Retrieving temporary image ID."
 AZURE_IMAGE_ID=$(az image list --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output json | jq -r)
-echo "Image ID is ${AZURE_IMAGE_ID}"
 echo "Creating final image version."
 az sig image-version create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} --target-regions ${AZURE_REGION} --replica-count 1 --managed-image ${AZURE_IMAGE_ID}
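Review bot: `AZURE_IMAGE_ID` is consumed without checking that the lookup succeeded: if no managed image matches `${AZURE_IMAGE_NAME}` in `${AZURE_RESOURCE_GROUP_NAME^^}`, the JMESPath `[0].id` evaluates to null, the variable ends up empty or the literal string `null`, and the following `az sig image-version create --managed-image` (and later `az image delete --ids`) run against that bogus value. A guard right after the assignment makes the failure explicit: `[[ -n "${AZURE_IMAGE_ID}" && "${AZURE_IMAGE_ID}" != "null" ]] || { echo "Managed image ${AZURE_IMAGE_NAME} not found" >&2; exit 1; }`. Whether the script runs under `set -euo pipefail` is outside this hunk; even if it does, a null query result is not a non-zero exit, so the guard is still needed.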
@@ -113,6 +112,9 @@ echo "Cleaning up ephemeral resources."
 az image delete --ids ${AZURE_IMAGE_ID}
 az disk delete -y --ids ${AZURE_DISK_ID}
 
+IMAGE_VERSION=$(az sig image-version show --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} -o tsv --query id)
+echo "Image ID is ${IMAGE_VERSION}"
+
 # # Cleanup all
 # az sig image-version delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} --gallery-name ${AZURE_GALLERY_NAME}
 # az sig image-definition delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION}
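Review bot: The new `IMAGE_VERSION` variable holds the image-version resource ID (`--query id`) while `AZURE_IMAGE_VERSION` on the same line holds the version string, so `AZURE_IMAGE_VERSION_ID` would be a less confusing name. If `az sig image-version show` fails, the echo prints `Image ID is ` with an empty value, and the docs added in this same patch tell users to paste exactly this printed ID into `constellation-conf.yaml`; the script prologue (and any `set -e`) is outside the hunk, so guard it explicitly: `[[ -n "${AZURE_IMAGE_VERSION_ID}" ]] || { echo "Could not retrieve image version ID" >&2; exit 1; }`. Because an imported image bypasses the CLI's production-image check (the docs say to ignore that warning), printing the `sha256sum` of the source VHD next to the ID would let users tie the ID back to the artifact they verified, assuming the input file path is still in scope at this point. Relatedly, the docs fetch this script from a `github.com/.../blob/main/hack/importAzure.sh` URL, which returns an HTML page rather than the script; the raw URL (`raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh`) is what the subsequent `chmod +x` and execution need.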