mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-10-30 19:28:59 -04:00
11679cf1f7
* deps: update Kubernetes versions * deps: tidy all modules --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
9.3 KiB
9.3 KiB
| page_title | subcategory | description |
|---|---|---|
| constellation_cluster Resource - constellation | Resource for a Constellation cluster. |
constellation_cluster (Resource)
Resource for a Constellation cluster.
Example Usage
data "constellation_attestation" "foo" {} # Fill accordingly for the CSP and attestation variant
data "constellation_image" "bar" {} # Fill accordingly for the CSP
resource "random_bytes" "master_secret" {
length = 32
}
resource "random_bytes" "master_secret_salt" {
length = 32
}
resource "random_bytes" "measurement_salt" {
length = 32
}
resource "constellation_cluster" "azure_example" {
csp = "azure"
name = "constell"
uid = "..."
image = data.constellation_image.bar.image
attestation = data.constellation_attestation.foo.attestation
init_secret = "..."
master_secret = random_bytes.master_secret.hex
master_secret_salt = random_bytes.master_secret_salt.hex
measurement_salt = random_bytes.measurement_salt.hex
out_of_cluster_endpoint = "123.123.123.123"
kubernetes_version = "v1.2.3"
azure = {
tenant_id = "..."
subscription_id = "..."
uami_client_id = "..."
uami_resource_id = "..."
location = "..."
resource_group = "..."
load_balancer_name = "..."
network_security_group_name = "..."
}
network_config = {
ip_cidr_node = "192.168.176.0/20"
ip_cidr_service = "10.96.0.0/12"
}
}
Schema
Required
attestation(Attributes) Attestation comprises the measurements and CVM specific parameters. The output of the constellation_attestation data source provides sensible defaults. (see below for nested schema)constellation_microservice_version(String) The version of Constellation's microservices used within the cluster.csp(String) CSP (Cloud Service Provider) to use. (e.g.azure) See the full list of CSPs that Constellation supports.image(Attributes) Constellation OS Image to use on the nodes. (see below for nested schema)init_secret(String) Secret used for initialization of the cluster.kubernetes_version(String) The Kubernetes version to use for the cluster. The supported versions are [v1.30.14 v1.31.13 v1.32.9].master_secret(String) Hex-encoded 32-byte master secret for the cluster.master_secret_salt(String) Hex-encoded 32-byte master secret salt for the cluster.measurement_salt(String) Hex-encoded 32-byte measurement salt for the cluster.name(String) Name used in the cluster's named resources / cluster name.network_config(Attributes) Configuration for the cluster's network. (see below for nested schema)out_of_cluster_endpoint(String) The endpoint of the cluster. Typically, this is the public IP of a loadbalancer.uid(String) The UID of the cluster.
Optional
api_server_cert_sans(List of String) List of Subject Alternative Names (SANs) for the API server certificate. Usually, this will be the out-of-cluster endpoint and the in-cluster endpoint, if existing.azure(Attributes) Azure-specific configuration. (see below for nested schema)extra_microservices(Attributes) Extra microservice settings. (see below for nested schema)gcp(Attributes) GCP-specific configuration. (see below for nested schema)in_cluster_endpoint(String) The endpoint of the cluster. When not set, the out-of-cluster endpoint is used.license_id(String) Constellation license ID. When not set, the community license is used.openstack(Attributes) OpenStack-specific configuration. (see below for nested schema)
Read-Only
client_certificate(String) The client certificate of the cluster.client_key(String, Sensitive) The client key of the cluster.cluster_ca_certificate(String) The cluster CA certificate of the cluster.cluster_id(String) The cluster ID of the cluster.host(String) The host of the cluster.kubeconfig(String, Sensitive) The kubeconfig (file) of the cluster.owner_id(String) The owner ID of the cluster.
Nested Schema for attestation
Required:
amd_root_key(String)bootloader_version(Number)measurements(Attributes Map) (see below for nested schema)microcode_version(Number)snp_version(Number)tee_version(Number)variant(String) Attestation variant the image should work with. Can be one of:aws-sev-snpaws-nitro-tpmazure-sev-snpazure-tdxgcp-sev-snpgcp-sev-esqemu-vtpm
Optional:
azure_firmware_signer_config(Attributes) (see below for nested schema)tdx(Attributes) (see below for nested schema)
Nested Schema for attestation.measurements
Required:
expected(String)warn_only(Boolean)
Nested Schema for attestation.azure_firmware_signer_config
Optional:
accepted_key_digests(List of String)enforcement_policy(String)maa_url(String)
Nested Schema for attestation.tdx
Optional:
intel_root_key(String)mr_seam(String)pce_svn(Number)qe_svn(Number)qe_vendor_id(String)tee_tcb_svn(String)xfam(String)
Nested Schema for image
Required:
reference(String) CSP-specific unique reference to the image. The format differs per CSP.short_path(String) CSP-agnostic short path to the image. The format isvX.Y.Zfor release images andref/$GIT_REF/stream/$STREAM/$SEMANTIC_VERSIONfor pre-release images.$GIT_REFis the git reference (i.e. branch name) the image was built on, e.g.main.$STREAMis the stream the image was built on, e.g.nightly.$SEMANTIC_VERSIONis the semantic version of the image, e.g.vX.Y.ZorvX.Y.Z-pre....version(String) Semantic version of the image.
Optional:
marketplace_image(Boolean) Whether a marketplace image should be used.
Nested Schema for network_config
Required:
ip_cidr_node(String) CIDR range of the cluster's node network.ip_cidr_service(String) CIDR range of the cluster's service network.
Optional:
ip_cidr_pod(String) CIDR range of the cluster's pod network. Only required for clusters running on GCP.
Nested Schema for azure
Required:
load_balancer_name(String) Name of the Azure load balancer used by the cluster.location(String) Azure Location of the cluster.network_security_group_name(String) Name of the Azure network security group used for the cluster.resource_group(String) Name of the Azure resource group the cluster resides in.subscription_id(String) ID of the Azure subscription the cluster resides in.tenant_id(String) Tenant ID of the Azure account.uami_client_id(String) Client ID of the User assigned managed identity (UAMI) used within the cluster.uami_resource_id(String) Resource ID of the User assigned managed identity (UAMI) used within the cluster.
Nested Schema for extra_microservices
Required:
csi_driver(Boolean) Enable Constellation's encrypted CSI driver.
Nested Schema for gcp
Required:
project_id(String) ID of the GCP project the cluster resides in.service_account_key(String) Base64-encoded private key JSON object of the service account used within the cluster.
Nested Schema for openstack
Required:
cloud(String) Name of the cloud in the clouds.yaml file.floating_ip_pool_id(String) Floating IP pool to use for the VMs.network_id(String) OpenStack network ID to use for the VMs.subnet_id(String) OpenStack subnet ID to use for the VMs.
Optional:
clouds_yaml_path(String) Path to the clouds.yaml file.deploy_yawol_load_balancer(Boolean) Whether to deploy a YAWOL load balancer.yawol_flavor_id(String) OpenStack flavor used by the yawollet.yawol_image_id(String) OpenStack OS image used by the yawollet.
Import
Import is supported using the following syntax:
terraform import constellation_cluster.constellation_cluster constellation-cluster://?kubeConfig=<base64-encoded-kubeconfig>&clusterEndpoint=<cluster-endpoint>&masterSecret=<hex-encoded-mastersecret>&masterSecretSalt=<hex-encoded-mastersecret-salt>