Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-05-02 22:34:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

Document trusted launch on Azure (#48)

Browse source 
* Document trusted launch usage for Azure

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

* there is no valid link because there is no valid release yet

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

* fix link

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

* fix linter issues

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

* improve

* importAzure.sh: print final image ID

Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
This commit is contained in:
Fabian Kammel 2022-09-07 15:05:24 +02:00 committed by GitHub
parent 611ec25f22
commit e3ede64ae6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 59 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.github/docs/release.md vendored
View file

@ -46,4 +46,5 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
gh workflow run release-cli.yml --ref v1.3.0 gh workflow run release-cli.yml --ref v1.3.0
``` ```
* The previous step will create a draft release. Check build output for link to draft release. Review & approve. * The previous step will create a draft release. Check build output for link to draft release. Review & approve.
5. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main 5. Folow [export flow](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted lanuch users.
6. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main

2
.lycheeignore
View file

@ -1,3 +1,5 @@
http://localhost: http://localhost:
https://github.com/edgelesssys/constellation- https://github.com/edgelesssys/constellation-
https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md
https://github.com/edgelesssys/wiki/blob/master/documentation/rebasing_forks.md https://github.com/edgelesssys/wiki/blob/master/documentation/rebasing_forks.md
https://public-edgeless-constellation.s3.us-east-2.amazonaws.com

2
cli/internal/cmd/create.go
View file

@ -69,7 +69,7 @@ func create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler,
var printedAWarning bool var printedAWarning bool
if config.IsDebugImage() { if config.IsDebugImage() {
cmd.Println("Configured image does not look like a released production image. Double check image before deploying to production.") cmd.Println("Configured image doesn't look like a released production image. Double check image before deploying to production.")
printedAWarning = true printedAWarning = true
} }

45
docs/docs/workflows/trusted-launch.md Normal file
View file

@ -0,0 +1,45 @@
# Azure trusted launch VMs
Constellation supports Azure trusted launch VMs. These are VMs with instance type `Standard_D*_v4` and `Standard_E*_v4`.
:::caution
Trusted launch VMs don't provide [runtime encryption](../overview/confidential-kubernetes.md).
For highest security, use Confidential VMs.
:::
Run `constellation config instance-types` to show all supported instance types.
## VM images
Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). So you need to import the VM image into your cloud subscription.
The latest image is available at [https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0](https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0). Simply adjust the last three numbers if you want to download an image for a different version.
After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image.
You can use a script to do this:
```bash
wget https://github.com/edgelesssys/constellation/blob/main/hack/importAzure.sh
chmod +x importAzure.sh
AZURE_IMAGE_VERSION=2.0.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./2.0.0 ./importAzure.sh
```
The script creates the following resources:
1. A new image gallery with the default name `constellation-import`
2. A new image definition with the default name `constellation`
3. The actual image with the provided version. In this case `2.0.0`
Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`.
:::info
The [constellation create](create.md) command will issue a warning because manually imported images aren't recognized as production grade images:
```shell-session
Configured image doesn't look like a released production image. Double check image before deploying to production.
```
Please ignore this warning.
:::

5
docs/sidebars.js
View file

@ -138,6 +138,11 @@ const sidebars = {
label: 'Use persistent storage', label: 'Use persistent storage',
id: 'workflows/storage', id: 'workflows/storage',
}, },
{
type: 'doc',
label: 'Azure trusted launch VMs',
id: 'workflows/trusted-launch',
},
{ {
type: 'doc', type: 'doc',
label: 'Managing SSH keys', label: 'Managing SSH keys',

6
hack/importAzure.sh
View file

@ -102,9 +102,8 @@ echo "Creating Azure Shared Image Gallery."
az sig create -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --resource-group ${AZURE_RESOURCE_GROUP_NAME} az sig create -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --resource-group ${AZURE_RESOURCE_GROUP_NAME}
echo "Creating Image Definition." echo "Creating Image Definition."
az sig image-definition create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --publisher ${AZURE_PUBLISHER} --offer ${AZURE_IMAGE_OFFER} --sku ${AZURE_SKU} --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=ConfidentialVmSupported az sig image-definition create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --publisher ${AZURE_PUBLISHER} --offer ${AZURE_IMAGE_OFFER} --sku ${AZURE_SKU} --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=ConfidentialVmSupported
echo "Retrieving image ID." echo "Retrieving temporary image ID."
AZURE_IMAGE_ID=$(az image list --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output json | jq -r) AZURE_IMAGE_ID=$(az image list --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output json | jq -r)
echo "Image ID is ${AZURE_IMAGE_ID}"
echo "Creating final image version." echo "Creating final image version."
az sig image-version create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} --target-regions ${AZURE_REGION} --replica-count 1 --managed-image ${AZURE_IMAGE_ID} az sig image-version create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} --target-regions ${AZURE_REGION} --replica-count 1 --managed-image ${AZURE_IMAGE_ID}
@ -113,6 +112,9 @@ echo "Cleaning up ephemeral resources."
az image delete --ids ${AZURE_IMAGE_ID} az image delete --ids ${AZURE_IMAGE_ID}
az disk delete -y --ids ${AZURE_DISK_ID} az disk delete -y --ids ${AZURE_DISK_ID}
IMAGE_VERSION=$(az sig image-version show --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} -o tsv --query id)
echo "Image ID is ${IMAGE_VERSION}"
# # Cleanup all # # Cleanup all
# az sig image-version delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} --gallery-name ${AZURE_GALLERY_NAME} # az sig image-version delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} --gallery-name ${AZURE_GALLERY_NAME}
# az sig image-definition delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} # az sig image-definition delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION}