Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
Go to file
2022-05-18 18:10:57 +02:00
.github AB#2094 cloud provider specific configs (#151) 2022-05-18 11:39:14 +02:00
cli AB#2094 cloud provider specific configs (#151) 2022-05-18 11:39:14 +02:00
conformance conformance pipeline required yaml as file extension, instead of yml. (#96) 2022-04-29 12:22:19 +02:00
coordinator Add unit test for SSH user creation on nodes 2022-05-17 18:00:21 +02:00
debugd Use "new" config for YAML parsing directives 2022-05-18 10:48:52 +02:00
docs Document k8s upgrade procedure 2022-05-11 10:02:41 +02:00
hack Create hack folder with independent modules (#131) 2022-05-17 11:14:23 +02:00
image CoreOS build pipeline: Cleanup azure disk and image after converting to SIG (#137) 2022-05-12 17:16:57 +02:00
internal AB#2098 versioned & strict yaml reading (#157) 2022-05-18 18:10:57 +02:00
kms Fix proto file generation (#155) 2022-05-17 15:02:14 +02:00
mount Add LUKS2 header size constant (#140) 2022-05-13 09:24:54 +02:00
proto Fix proto file generation (#155) 2022-05-17 15:02:14 +02:00
state AB#2046 : Add option to create SSH users for the first coordinator upon initialization (#133) 2022-05-16 17:32:00 +02:00
test AB#1943 Extract KMS package (#56) 2022-05-10 12:35:17 +02:00
.dockerignore AB#2064 Feat/config/dev config to config (#139) 2022-05-13 11:56:43 +02:00
.gitignore AB#2064 Feat/config/dev config to config (#139) 2022-05-13 11:56:43 +02:00
.golangci.yml monorepo 2022-03-22 16:09:39 +01:00
CMakeLists.txt disable tpm simulator in coordinator release binary 2022-04-29 13:44:09 +02:00
CONTRIBUTING.md monorepo 2022-03-22 16:09:39 +01:00
Dockerfile.build migrate coordinator build dockerfile to fedora 2022-04-29 16:35:41 +02:00
Dockerfile.e2e AB#2064 Feat/config/dev config to config (#139) 2022-05-13 11:56:43 +02:00
go.mod Create hack folder with independent modules (#131) 2022-05-17 11:14:23 +02:00
go.sum Create hack folder with independent modules (#131) 2022-05-17 11:14:23 +02:00
go.work Create hack folder with independent modules (#131) 2022-05-17 11:14:23 +02:00
go.work.sum Create hack folder with independent modules (#131) 2022-05-17 11:14:23 +02:00
README.md Update authorizedKeys field names for cdbg in README 2022-05-18 10:48:52 +02:00

constellation-coordinator

Prerequisites

  • Go 1.18

Ubuntu 20.04

sudo apt install build-essential cmake libssl-dev pkg-config libcryptsetup12 libcryptsetup-dev

Build

mkdir build
cd build
cmake ..
make -j`nproc`

Cloud credentials

Using the CLI or debug-CLI requires the user to make authorized API calls to the AWS or GCP API.

Google Cloud Platform (GCP)

If you are running from within a Google VM, and the VM is allowed to access the necessary APIs, no further configuration is needed.

Otherwise you have a couple options:

  1. Use the gcloud CLI tool

    gcloud auth application-default login
    

    This will ask you to log into your Google account, and then create your credentials. The Constellation CLI will automatically load these credentials when needed.

  2. Set up a service account and pass the credentials manually

    Follow Google's guide for setting up your credentials.

Amazon Web Services (AWS)

To use the CLI with an Constellation cluster on AWS configure the following files:

$ cat ~/.aws/credentials
[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
$ cat ~/.aws/config
[default]
region = us-east-2

Azure

To use the CLI with an Constellation cluster on Azure execute:

az login

Deploying a locally compiled coordinator binary

By default, constellation create ... will spawn cloud provider instances with a pre-baked coordinator binary. For testing, you can use the constellation debug daemon (debugd) to upload your local coordinator binary to running instances and to obtain SSH access. Follow this introduction on how to install and setup cdbg

debug daemon (debugd)

debugd Prerequisites

  • Go 1.18

Build debugd

mkdir -p build
go build -o build/debugd debugd/debugd/cmd/debugd/debugd.go

Build & install cdbg

The go install command for cdbg only works inside the checked out repository due to replace directives in the go.mod file.

git clone https://github.com/edgelesssys/constellation && cd constellation
go install github.com/edgelesssys/constellation/debugd/cdbg

debugd & cdbg usage

With cdbg and yq installed in your path:

  1. Write the configuration file for cdbg cdbg-conf.yaml:
    cdbg:
      authorizedKeys:
        - username: my-username
          publicKey: ssh-rsa AAAAB…LJuM=
      coordinatorPath: "./coordinator"
      systemdUnits:
        - name: some-custom.service
          contents: |-
            [Unit]
            Description=…        
    
  2. Run constellation config generate to create a new default configuration
  3. Locate the latest debugd images for GCP and Azure
  4. Modify the constellation-conf.yaml to use an image with the debugd already included and add required firewall rules:
    # Set timestamp from cloud provider image name
    export TIMESTAMP=01234
    
    yq -i \
        ".provider.azureConfig.image = \"/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos-debugd/versions/0.0.${TIMESTAMP}\"" \
        constellation-conf.yaml
    
    yq -i \
        ".provider.gcpConfig.image = \"projects/constellation-images/global/images/constellation-coreos-debugd-${TIMESTAMP}\"" \
        constellation-conf.yaml
    
    yq -i \
        ".ingressFirewall += {
            \"name\": \"debugd\",
            \"description\": \"debugd default port\",
            \"protocol\": \"tcp\",
            \"iprange\": \"0.0.0.0/0\",
            \"fromport\": 4000,
            \"toport\": 0
        }" \
        constellation-conf.yaml
    
  5. Run constellation create […]
  6. Run cdbg deploy
  7. Run constellation init […] as usual

debugd GCP image

For GCP, run the following command to get a list of all constellation images, sorted by their creation date:

gcloud compute images list --filter="name~'constellation-.+'" --sort-by=~creationTimestamp --project constellation-images

Choose the newest debugd image with the naming scheme constellation-coreos-debugd-<timestamp>.

debugd Azure Image

For Azure, run the following command to get a list of all constellation debugd images, sorted by their creation date:

az sig image-version list --resource-group constellation-images --gallery-name Constellation --gallery-image-definition constellation-coreos-debugd --query "sort_by([], &publishingProfile.publishedDate)[].id" -o table

Choose the newest debugd image and copy the full URI.

Local image testing with QEMU

To build our images we use the CoreOS-Assembler (COSA). COSA comes with support to test images locally. After building your image with make coreos you can run the image with make run.

Our fork adds extra utility by providing scripts to run an image in QEMU with a vTPM attached, or boot multiple VMs to simulate your own local Constellation cluster.

Begin by starting a COSA docker container

docker run -it --rm \
    --entrypoint bash \
    --device /dev/kvm \
    --device /dev/net/tun \
    --privileged \
    -v </path/to/constellation-image.qcow2>:/constellation-image.qcow2 \
    ghcr.io/edgelesssys/constellation-coreos-assembler

Run a single image

Using the run-image script we can launch a single VM with an attached vTPM. The script expects an image and a name to run. Optionally one may also provide the path to an existing state disk, if none provided a new disk will be created.

Additionally one may configure QEMU CPU (qemu -smp flag, default=2) and memory (qemu -m flag, default=2G) settings, as well as the size of the created state disk in GB (default 2) using environment variables.

To customize CPU settings use CONSTELL_CPU=[[cpus=]n][,maxcpus=maxcpus][,sockets=sockets][,dies=dies][,cores=cores][,threads=threads]
To customize memory settings use CONSTELL_MEM=[size=]megs[,slots=n,maxmem=size]
To customize state disk size use CONSTELL_STATE_SIZE=n

Use the following command to boot a VM with 2 CPUs, 2G RAM, a 4GB state disk with the image in /constellation/coreos.qcow2. Logs and state files will be written to /tmp/test-vm-01.

sudo CONSTELL_CPU=2 CONSTELL_MEM=2G CONSTELL_STATE_SIZE=4 run-image /constellation/coreos.qcow2 test-vm-01

The command will create a network bridge and add the VM to the bridge, so the host may communicate with the guest VM, as well as allowing the VM to access the internet.

Press Ctrl+A X to stop the VM, this will remove the VM from the bridge but will keep the bridge alive.

Run the following to remove the bridge.

sudo delete_network_bridge br-constell-0

Create a local cluster

Using the create-constellation script we can create multiple VMs using the same image and connected in one network.

The same environment variables as for run-image can be used to configure cpu, memory, and state disk size.

Use the following command to create a cluster of 4 VMs, where each VM has 3 CPUs, 4GB RAM and a 5GB state disk. Logs and state files will be written to /tmp/constellation.

sudo CONSTELL_CPU=3 CONSTELL_MEM=4G CONSTELL_STATE_SIZE=5 create-constellation 4 /constellation/coreos.qcow2

The command will use the run-image script launch each VM in its own tmux session. View the VMs by running the following

sudo tmux attach -t constellation-vm-<i>

Development Guides

Deployment Guides