24af06b02f
* deps: update Go dependencies * bazel: force Gazelle generation for xDS xDS has an upstream set of build files that makes Gazelle consider their project a whole new Bazel project, which makes Gazelle not generate any build files, even though the upstream ones aren't valid. See https://github.com/cncf/xds/issues/104. * go: update cel.dev/expr for Bazel fixes cel.dev/expr had some upstream Bazel fixes in v0.16.2 without which Gazelle doesn't work. * chore: generate * e2e: remove references to kubeProxyVersion kubeProxyVersion is deprecated as of KEP-4004. It was never being set to an accurate value before, and we only used it in the e2e test, so removing the additional check should not hurt here. See https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/4004-deprecate-kube-proxy-version * constellation-node-operator: use typed rate-limiter The untyped rate-limiter was deprecated in favor of a generic one that can just be instantiated to `any` to achieve the previous behaviour. * Advertise ALPN settings in NextProtos required by gRPC Signed-off-by: Daniel Weiße <dw@edgeless.systems> * atls: add nextProtos nextProtos (for ALPN) is now required by gRPC, so add it. * go: add cri-client replace * deps: tidy all modules --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: edgelessci <edgelessci@users.noreply.github.com> |
||
---|---|---|
.. | ||
cmd/bootstrapper | ||
initproto | ||
internal | ||
bootstrapping_arch.svg | ||
README.md |
Bootstrapper
The bootstrapper integrates the instance it is running on as node into the Kubernetes cluster. It is running on every new instance that is created.
The bootstrapper has two active components:
Init Flow
The InitServer is a gRPC server that is listening for initialization requests. The first instance needs to be initialized by the user, see the initproto for a description of the initialization protocol. The client that talks to this server is part of Constellation's CLI.
On an initialization request, the InitServer initializes a new Kubernetes cluster, essentially
calling the InitCluster function of our Kubernetes library, which does a kubeadm init
.
Join Flow
The JoinClient is a gRPC client that tries to connect to a JoinService of an already existing cluster. The JoinService validates the instance using aTLS. For details on the used protocol, see the joinservice package.
If the JoinService successfully verifies the instance, it issues a join ticket. The JoinClient then
joins the cluster by calling the kubeadm join
command, using the token and other needed information
from the join ticket.
Synchronization, state machine, lifetime
The bootstrapper is automatically started on every new instance. Both InitServer and JoinClient are started and running in parallel. At some point during either the initialization or the join, a shared lock between the two components is acquired. This lock is used as point of no return. It is a state machine with two states (unlocked, locked) and a single transition from unlocked to locked. There is no way to unlock the node afterward (see nodelock package).
After the bootstrapping, the bootstrapper is stopped.