mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-05-30 03:31:35 -04:00
Document trusted launch on Azure (#48)
* Document trusted launch usage for Azure

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

* there is no valid link because there is no valid release yet

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

* fix link

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

* fix linter issues

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

* improve

* importAzure.sh: print final image ID

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
This commit is contained in:
parent
611ec25f22
commit
e3ede64ae6
6 changed files with 59 additions and 4 deletions
45
docs/docs/workflows/trusted-launch.md
Normal file
|
@ -0,0 +1,45 @@
|
|||
# Azure trusted launch VMs
|
||||
|
||||
Constellation supports Azure trusted launch VMs. These are VMs with instance type `Standard_D*_v4` and `Standard_E*_v4`.
|
||||
|
||||
:::caution
|
||||
|
||||
Trusted launch VMs don't provide [runtime encryption](../overview/confidential-kubernetes.md).
|
||||
For highest security, use Confidential VMs.
|
||||
|
||||
:::
|
||||
|
||||
Run `constellation config instance-types` to show all supported instance types.
|
||||
|
||||
## VM images
|
||||
|
||||
Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). So you need to import the VM image into your cloud subscription.
|
||||
|
||||
The latest image is available at [https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0](https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0). Simply adjust the last three numbers if you want to download an image for a different version.
|
||||
|
||||
After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image.
|
||||
You can use a script to do this:
|
||||
```bash
|
||||
wget https://github.com/edgelesssys/constellation/blob/main/hack/importAzure.sh
|
||||
chmod +x importAzure.sh
|
||||
AZURE_IMAGE_VERSION=2.0.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./2.0.0 ./importAzure.sh
|
||||
```
|
||||
|
||||
The script creates the following resources:
|
||||
1. A new image gallery with the default name `constellation-import`
|
||||
2. A new image definition with the default name `constellation`
|
||||
3. The actual image with the provided version. In this case `2.0.0`
|
||||
|
||||
Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`.
|
||||
|
||||
:::info
|
||||
|
||||
The [constellation create](create.md) command will issue a warning because manually imported images aren't recognized as production grade images:
|
||||
|
||||
```shell-session
|
||||
Configured image doesn't look like a released production image. Double check image before deploying to production.
|
||||
```
|
||||
|
||||
Please ignore this warning.
|
||||
|
||||
:::
|
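Review bot: the `wget https://github.com/edgelesssys/constellation/blob/main/hack/importAzure.sh` line in the `bash` block fetches the GitHub HTML page for the file, not the script itself, so `chmod +x importAzure.sh` followed by `./importAzure.sh` will fail (or execute HTML); point `wget` at the raw file URL (the `raw.githubusercontent.com` form of the same path) instead. Two smaller points in the same hunk: the `:::info` block ends with "Please ignore this warning." right after quoting `Configured image doesn't look like a released production image. Double check image before deploying to production.`, but the page gives the reader no way to actually double check the downloaded image (no checksum or signature to compare against before running the import), so either document how to verify the download from the `azure_image_exports` bucket or phrase the note as "this warning is expected for manually imported images" rather than telling users to ignore it; and "Simply adjust the last three numbers if you want to download an image for a different version" would be clearer as "replace `2.0.0` in the URL with the version you want", since "last three numbers" is ambiguous once a version has more than one digit per component.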