Leonard Cohnen 2d8fcd9bf4 monorepo
Co-authored-by: Malte Poll <mp@edgeless.systems>
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
Co-authored-by: Benedict Schlueter <bs@edgeless.systems>
Co-authored-by: leongross <leon.gross@rub.de>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 16:09:39 +01:00
..
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00
2022-03-22 16:09:39 +01:00

CLI to spawn a confidential kubernetes cluster

Usage

  1. (optional) replace the responsible in cli/cmd/defaults.go with yourself.
  2. Build the CLI and authenticate with <AWS/Azure/GCP> according to the README.md.
  3. Execute constellation create <aws/azure/gcp> 2 <4xlarge|n2d-standard-2>.
  4. Execute wg genkey | tee privatekey | wg pubkey > publickey to generate a WireGuard keypair.
  5. Execute constellation init --publickey publickey. Since the CLI waits for all nodes to be ready, this step can take up to 5 minutes.
  6. Use the output from constellation init and the wireguard template below to create /etc/wireguard/wg0.conf, then execute wg-quick up wg0.
  7. Execute export KUBECONFIG=<path/to/admin.conf>.
  8. Use kubectl get nodes to inspect your cluster.
  9. Execute constellation terminate to terminate your Constellation.
[Interface]
Address = <address from the init output>
PrivateKey = <your base64 encoded private key>
ListenPort = 51820

[Peer]
PublicKey = <public key from the init output>
AllowedIPs = 10.118.0.1/32 # IP set on the peer's wg interface
Endpoint = <public IPv4 address from the activated coordinator>:51820  # address where the peer listens on
PersistentKeepalive = 10

Note: Skip the manual configuration of WireGuard by executing Step 2 as root. Then, replace steps 4 and 5 with sudo constellation init --privatekey <path/to/your/privatekey>. This will automatically configure a new WireGuard interface named wg0 with the coordinator as peer.