8.2 KiB
First steps with Constellation
The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully installed and set up Constellation, and have access to a cloud subscription.
:::tip If you don't have a cloud subscription, you can also set up a local Constellation cluster using virtualization for testing. :::
:::note If you encounter any problem with the following steps, make sure to use the latest release and check out the known issues. :::
Create a cluster
-
Create the configuration file for your cloud provider.
constellation config generate azure
constellation config generate gcp
constellation config generate aws
-
Create your IAM configuration.
constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
This command creates IAM configuration on the Azure region
westus
creating a new resource groupconstellTest
and a new service principalspTest
. It also updates the configuration fileconstellation-conf.yaml
in your current directory with the IAM values filled in.Note that CVMs are currently only supported in a few regions, check Azure's products available by region. These are:
westus
eastus
northeurope
westeurope
southeastasia
constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
This command creates IAM configuration in the GCP project
yourproject-12345
on the GCP zoneeurope-west2-a
creating a new service accountconstell-test
. It also updates the configuration fileconstellation-conf.yaml
in your current directory with the IAM values filled in.Note that only regions offering CVMs of the
C2D
orN2D
series are supported. You can find a list of all regions in Google's documentation, which you can filter by machine typeC2D
orN2D
.constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config
This command creates IAM configuration for the AWS zone
us-east-2a
using the prefixconstellTest
for all named resources being created. It also updates the configuration fileconstellation-conf.yaml
in your current directory with the IAM values filled in.Depending on the attestation variant selected on config generation, different regions are available. AMD SEV-SNP machines (requires the default attestation variant
awsSEVSNP
) are currently available in the following regions:eu-west-1
us-east-2
You can find a list of regions that support AMD SEV-SNP in AWS's documentation.
NitroTPM machines (requires the attestation variant
awsNitroTPM
) are available in all regions. Constellation OS images are currently replicated to the following regions:eu-central-1
eu-west-1
eu-west-3
us-east-2
ap-south-1
If you require the OS image to be available in another region, let us know.
You can find a list of all regions in AWS's documentation.
:::tip To learn about all options you have for managing IAM resources and Constellation configuration, see the Configuration workflow. :::
-
Create the cluster.
constellation create
uses options set inconstellation-conf.yaml
. If you want to manually use Terraform for managing the cloud resources instead, follow the corresponding instructions in the Create workflow.:::tip
On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate.
:::
constellation create -y
This should give the following output:
$ constellation create -y Your Constellation cluster was created successfully.
-
Initialize the cluster.
constellation init
This should give the following output:
$ constellation init Your Constellation master secret was successfully written to ./constellation-mastersecret.json Note: If you just created the cluster, it can take a few minutes to connect. Initializing cluster ... Your Constellation cluster was successfully initialized. Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY= Kubernetes configuration constellation-admin.conf You can now connect to your cluster by executing: export KUBECONFIG="$PWD/constellation-admin.conf"
The cluster's identifier will be different in your output. Keep
constellation-mastersecret.json
somewhere safe. This will allow you to recover your cluster in case of a disaster.:::info
Depending on your CSP and region,
constellation init
may take 10+ minutes to complete.:::
:::note
AWS: Currently, confidential VMs may temporarily fail to boot. AWS is actively working on a solution. If creating or initializing a cluster fails, terminate the cluster and try again later. Alternatively, you can use non-confidential Nitro VMs for evaluation purposes. To do so, generate a new configuration with the
aws-nitro-tpm
attestation variant:constellation config generate aws --attestation aws-nitro-tpm
:::
-
Configure kubectl.
export KUBECONFIG="$PWD/constellation-admin.conf"
Deploy a sample application
-
Deploy the emojivoto app
kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment
-
Expose the frontend service locally
kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments kubectl -n emojivoto port-forward svc/web-svc 8080:80 & curl http://localhost:8080 kill %1
Terminate your cluster
Use the CLI to terminate your cluster. If you manually used Terraform to manage your cloud resources, follow the corresponding instructions in the Terminate workflow.
constellation terminate
This should give the following output:
$ constellation terminate
You are about to terminate a Constellation cluster.
All of its associated resources will be DESTROYED.
This action is irreversible and ALL DATA WILL BE LOST.
Do you want to continue? [y/n]:
Confirm with y
to terminate the cluster:
Terminating ...
Your Constellation cluster was terminated successfully.
Optionally, you can also delete your IAM resources.