Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
Go to file
Daniel Weiße 0e2025b67c Add state disk volume mounter
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-04-11 15:41:51 +02:00
.github/workflows use manual workflow input 2022-03-24 17:23:45 +01:00
3rdparty/aws-nitro-enclaves-ffi monorepo 2022-03-22 16:09:39 +01:00
cli AB#1898 cli: fix create aws node count 2022-04-07 14:14:26 +02:00
coordinator coordinator: send additional status log messages to cli in ActivateAsCoordinator 2022-04-05 16:23:48 +02:00
debugd debugd: stop discovery loop once coordinator was downloaded successfully or coordinator binary exists 2022-04-01 16:47:18 +02:00
images/fcos update CoreOS builder pipeline to allow parallel runs 2022-04-04 14:06:23 +02:00
internal Add state disk volume mounter 2022-04-11 15:41:51 +02:00
kms Move READMEs to their own packages 2022-04-01 16:47:27 +02:00
mount Move READMEs to their own packages 2022-04-01 16:47:27 +02:00
state Add state disk volume mounter 2022-04-11 15:41:51 +02:00
test Move and fix GCP storage integration test 2022-04-01 09:41:15 +02:00
util/pcr-reader Allow waiting for multiple states (#11) 2022-03-29 09:10:22 +02:00
.dockerignore monorepo 2022-03-22 16:09:39 +01:00
.gitignore AB#1770 (semi)automatic PCR updates (#7) 2022-03-23 14:10:58 +01:00
.golangci.yml monorepo 2022-03-22 16:09:39 +01:00
CMakeLists.txt Add state disk volume mounter 2022-04-11 15:41:51 +02:00
CONTRIBUTING.md monorepo 2022-03-22 16:09:39 +01:00
Dockerfile.build monorepo 2022-03-22 16:09:39 +01:00
Dockerfile.e2e monorepo 2022-03-22 16:09:39 +01:00
go.mod cli: add output before long-running actions 2022-04-05 16:23:48 +02:00
go.sum Add Azure storage tests 2022-04-01 09:41:15 +02:00
README.md Move READMEs to their own packages 2022-04-01 16:47:27 +02:00

constellation-coordinator

Prerequisites

  • Go 1.18

Ubuntu 20.04

sudo apt install build-essential cmake libssl-dev pkg-config libcryptsetup12 libcryptsetup-dev
curl https://sh.rustup.rs -sSf | sh

Amazon Linux

sudo yum install cmake3 gcc make
curl https://sh.rustup.rs -sSf | sh

Build

mkdir build
cd build
cmake ..
make -j`nproc`

CMake build options:

Release build

This options leaves out debug symbols and turns on more compiler optimizations.

cmake -DCMAKE_BUILD_TYPE=Release ..

Static build (coordinator as static binary, no dependencies on libc or other libraries)

Install the musl-toolchain

Ubuntu / Debian:

sudo apt install -y musl-tools
rustup target add x86_64-unknown-linux-musl

From source (Amazon-Linux):

wget https://musl.libc.org/releases/musl-1.2.2.tar.gz
tar xfz musl-1.2.2.tar.gz
cd musl-1.2.2
./configure
make -j `nproc`
sudo make install
rustup target add x86_64-unknown-linux-musl

Add musl-gcc to your PATH:

export PATH=$PATH:/usr/loca/musl/bin/

Compile the coordinator

cmake -DCOORDINATOR_STATIC_MUSL=ON ..

Cloud credentials

Using the CLI or debug-CLI requires the user to make authorized API calls to the AWS or GCP API.

Google Cloud Platform (GCP)

If you are running from within a Google VM, and the VM is allowed to access the necessary APIs, no further configuration is needed.

Otherwise you have a couple options:

  1. Use the gcloud CLI tool

    gcloud auth application-default login
    

    This will ask you to log into your Google account, and then create your credentials. The Constellation CLI will automatically load these credentials when needed.

  2. Set up a service account and pass the credentials manually

    Follow Google's guide for setting up your credentials.

Amazon Web Services (AWS)

To use the CLI with an Constellation cluster on AWS configure the following files:

$ cat ~/.aws/credentials
[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
$ cat ~/.aws/config
[default]
region = us-east-2

Azure

To use the CLI with an Constellation cluster on Azure execute:

az login

Deploying a locally compiled coordinator binary

By default, constellation create ... will spawn cloud provider instances with a pre-baked coordinator binary. For testing, you can use the constellation debug daemon (debugd) to upload your local coordinator binary to running instances and to obtain SSH access. Follow this introduction on how to install and setup cdbg

debug daemon (debugd)

debugd Prerequisites

  • Go 1.18

Build debugd

mkdir -p build
go build -o build/debugd debugd/debugd/cmd/debugd/debugd.go

Build & install cdbg

The go install command for cdbg only works inside the checked out repository due to replace directives in the go.mod file.

git clone https://github.com/edgelesssys/constellation && cd constellation
go install github.com/edgelesssys/constellation/debugd/cdbg

debugd & cdbg usage

With cdbg installed in your path:

  1. Run constellation --dev-config /path/to/dev-config create […] while specifying a cloud-provider image with the debugd already included. See Configuration for a dev-config with a custom image and firewall rules to allow incoming connection on the debugd default port 4000.
  2. Run cdbg deploy --dev-config /path/to/dev-config
  3. Run constellation init […] as usual

debugd GCP image

For GCP, run the following command to get a list of all constellation images, sorted by their creation date:

gcloud compute images list --filter="name~'constellation-.+'" --sort-by=~creationTimestamp

Choose the newest debugd image with the naming scheme constellation-coreos-debugd-<timestamp>.

debugd Azure Image

For Azure, run the following command to get a list of all constellation debugd images, sorted by their creation date:

az sig image-version list --resource-group constellation-images --gallery-name Constellation --gallery-image-definition constellation-coreos-debugd --query "sort_by([], &publishingProfile.publishedDate)[].id" -o table

Choose the newest debugd image and copy the full URI.

debugd Configuration

You should first locate the newest debugd image for your cloud provider (GCP, Azure).

This tool uses the dev-config file from constellation-coordinator and extends it with more fields. See this example on what the possible settings are and how to setup the constellation cli to use a cloud-provider image and firewall rules with support for debugd:

{
   "cdbg":{
      "authorized_keys":[
         {
            "user":"my-username",
            "pubkey":"ssh-rsa AAAAB…LJuM="
         }
      ],
      "coordinator_path":"/path/to/coordinator",
      "systemd_units":[
         {
            "name":"some-custom.service",
            "contents":"[Unit]\nDescription=…"
         }
      ]
   },
   "provider": {
    "gcpconfig": {
      "image": "constellation-coreos-debugd-TIMESTAMP",
      "firewallinput": {
        "Ingress": [
          {
            "Name": "coordinator",
            "Description": "Coordinator default port",
            "Protocol": "tcp",
            "Port": 9000
          },
          {
            "Name": "wireguard",
            "Description": "WireGuard default port",
            "Protocol": "udp",
            "Port": 51820
          },
          {
            "Name": "ssh",
            "Description": "SSH",
            "Protocol": "tcp",
            "Port": 22
          },
          {
            "Name": "debugd",
            "Description": "debugd default port",
            "Protocol": "tcp",
            "Port": 4000
          }
        ]
      }
    },
    "azureconfig": {
      "image": "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos-debugd/versions/0.0.TIMESTAMP",
      "networksecuritygroupinput": {
        "Ingress": [
          {
            "Name": "coordinator",
            "Description": "Coordinator default port",
            "Protocol": "tcp",
            "IPRange": "0.0.0.0/0",
            "Port": 9000
          },
          {
            "Name": "wireguard",
            "Description": "WireGuard default port",
            "Protocol": "udp",
            "IPRange": "0.0.0.0/0",
            "Port": 51820
          },
          {
            "Name": "ssh",
            "Description": "SSH",
            "Protocol": "tcp",
            "IPRange": "0.0.0.0/0",
            "Port": 22
          },
          {
            "Name": "debugd",
            "Description": "debugd default port",
            "Protocol": "tcp",
            "IPRange": "0.0.0.0/0",
            "Port": 4000
          }
        ]
      }
    }
  }
}