Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-09-20 00:06:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
00e72db5d8
constellation/joinservice
History
Otto Bittner 7c5556864b AB#2333: Add AMD SNP-based attestation 
Currently only available on Azure CVMs.

* Get the public attestation key from the TPM.
* Get the snp report from the TPM.
* Get the VCEK and ASK certificate from the metadata api.
* Verify VCEK using hardcoded root key (ARK)
* Verify SNP report using VCEK
* Verify HCLAkPub using SNP report by comparing
AK with runtimeData
* Extend unittest

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-29 16:29:33 +02:00
..
cmd Move cloud metadata packages and kubernetes resources marshaling to internal 2022-08-29 16:07:55 +02:00
internal AB#2333: Add AMD SNP-based attestation 2022-08-29 16:29:33 +02:00
joinproto AB#2200 Merge Owner and Cluster ID (#282) 2022-07-26 10:58:39 +02:00
Dockerfile Simplify joinproto 2022-07-14 17:25:18 +02:00
README.md Simplify node lock and various small changes 2022-07-14 17:25:18 +02:00

README.md

Join Service

Implementation for Constellation's node flow to join an existing cluster.

The join service runs on each control-plane node of the Kubernetes cluster. New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over aTLS. The join service verifies the new nodes certificate and attestation statement. If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.

Packages

joinproto

Proto definitions for the join service.

internal/server

The server implements gRPC endpoints for joining the cluster and holds the main application logic.

Connections between the join service and joining nodes are secured using aTLS

sequenceDiagram
    participant New Node
    participant Join Service
    New Node-->>Join Service: aTLS Handshake (server side verification)
    Join Service-->>New Node: #
    New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
    Join Service->>+KMS: grpc::GetDataKey(DiskUUID)
    KMS->>-Join Service: DiskEncryptionKey
    Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]

internal/kms

Implements interaction with Constellation's key management service. This is needed for fetching data encryption keys for joining nodes.

internal/kubeadm

Implements interaction with the Kubernetes API to create join tokens for new nodes.

internal/validator

A wrapper for the more generic atls.Validator, allowing for updates to the underlying validator without having to restart the service.

Dockerfile

export VERSION=1.0.0
DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/join-service:v${VERSION} -f joinservice/Dockerfile .