constellation/docs/versioned_docs/version-2.12/getting-started/first-steps.md

8.2 KiB

First steps with Constellation

The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully installed and set up Constellation, and have access to a cloud subscription.

:::tip If you don't have a cloud subscription, you can also set up a local Constellation cluster using virtualization for testing. :::

:::note If you encounter any problem with the following steps, make sure to use the latest release and check out the known issues. :::

Create a cluster

  1. Create the configuration file for your cloud provider.

    constellation config generate azure
    
    constellation config generate gcp
    
    constellation config generate aws
    
  2. Create your IAM configuration.

    constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
    

    This command creates IAM configuration on the Azure region westus creating a new resource group constellTest and a new service principal spTest. It also updates the configuration file constellation-conf.yaml in your current directory with the IAM values filled in.

    Note that CVMs are currently only supported in a few regions, check Azure's products available by region. These are:

    • westus
    • eastus
    • northeurope
    • westeurope
    • southeastasia
    constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
    

    This command creates IAM configuration in the GCP project yourproject-12345 on the GCP zone europe-west2-a creating a new service account constell-test. It also updates the configuration file constellation-conf.yaml in your current directory with the IAM values filled in.

    Note that only regions offering CVMs of the C2D or N2D series are supported. You can find a list of all regions in Google's documentation, which you can filter by machine type C2D or N2D.

    constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config
    

    This command creates IAM configuration for the AWS zone us-east-2a using the prefix constellTest for all named resources being created. It also updates the configuration file constellation-conf.yaml in your current directory with the IAM values filled in.

    Depending on the attestation variant selected on config generation, different regions are available. AMD SEV-SNP machines (requires the default attestation variant awsSEVSNP) are currently available in the following regions:

    • eu-west-1
    • us-east-2

    You can find a list of regions that support AMD SEV-SNP in AWS's documentation.

    NitroTPM machines (requires the attestation variant awsNitroTPM) are available in all regions. Constellation OS images are currently replicated to the following regions:

    • eu-central-1
    • eu-west-1
    • eu-west-3
    • us-east-2
    • ap-south-1

    If you require the OS image to be available in another region, let us know.

    You can find a list of all regions in AWS's documentation.

    :::tip To learn about all options you have for managing IAM resources and Constellation configuration, see the Configuration workflow. :::

  1. Create the cluster. constellation create uses options set in constellation-conf.yaml. If you want to manually use Terraform for managing the cloud resources instead, follow the corresponding instructions in the Create workflow.

    :::tip

    On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate.

    :::

    constellation create -y
    

    This should give the following output:

    $ constellation create -y
    Your Constellation cluster was created successfully.
    
  2. Initialize the cluster.

    constellation init
    

    This should give the following output:

    $ constellation init
    Your Constellation master secret was successfully written to ./constellation-mastersecret.json
    Note: If you just created the cluster, it can take a few minutes to connect.
    Initializing cluster ...
    Your Constellation cluster was successfully initialized.
    
    Constellation cluster identifier  g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY=
    Kubernetes configuration          constellation-admin.conf
    
    You can now connect to your cluster by executing:
            export KUBECONFIG="$PWD/constellation-admin.conf"
    

    The cluster's identifier will be different in your output. Keep constellation-mastersecret.json somewhere safe. This will allow you to recover your cluster in case of a disaster.

    :::info

    Depending on your CSP and region, constellation init may take 10+ minutes to complete.

    :::

    :::note

    AWS: Currently, confidential VMs may temporarily fail to boot. AWS is actively working on a solution. If creating or initializing a cluster fails, terminate the cluster and try again later. Alternatively, you can use non-confidential Nitro VMs for evaluation purposes. To do so, generate a new configuration with the aws-nitro-tpm attestation variant:

    constellation config generate aws --attestation aws-nitro-tpm
    

    :::

  3. Configure kubectl.

    export KUBECONFIG="$PWD/constellation-admin.conf"
    

Deploy a sample application

  1. Deploy the emojivoto app

    kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment
    
  2. Expose the frontend service locally

    kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments
    kubectl -n emojivoto port-forward svc/web-svc 8080:80 &
    curl http://localhost:8080
    kill %1
    

Terminate your cluster

Use the CLI to terminate your cluster. If you manually used Terraform to manage your cloud resources, follow the corresponding instructions in the Terminate workflow.

constellation terminate

This should give the following output:

$ constellation terminate
You are about to terminate a Constellation cluster.
All of its associated resources will be DESTROYED.
This action is irreversible and ALL DATA WILL BE LOST.
Do you want to continue? [y/n]:

Confirm with y to terminate the cluster:

Terminating ...
Your Constellation cluster was terminated successfully.

Optionally, you can also delete your IAM resources.