mirror of https://github.com/edgelesssys/constellation.git synced 2025-02-03 02:50:03 -05:00

Go to file

ci: add e2e test for self-managed infrastructure (#2472 )

* add self-managed infra e2e test

* self-managed terminatio

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix upgrade test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix indentation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use -r when copying dir

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add terraform variable parsing

* copy constellation conf

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary line breaks

* add missing value

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add image fetching for CSP

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix quoting

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing input to internal lb test

* normalize Azure URLs.. Of course

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix expressions

* initsecret to hex

* update hexdump cmd

* add build test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add node / pod cidr outputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* explicitly delete the state file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing license header

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* always write all outputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix list output

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove state-file and admin-conf on destroy

* dont use test payload

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] use self managed infra in manual e2e for testing

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* init: always skip infrastructure phase

* patch maa in workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* default to Constellation-created infra in e2e test

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

2023-10-27 09:37:26 +02:00

.github

ci: add e2e test for self-managed infrastructure (#2472 )

2023-10-27 09:37:26 +02:00

3rdparty

deps: update ubuntu:22.04 Docker digest to 2b7412e (#2496 )

2023-10-20 18:22:34 +02:00

bazel

deps: update module google.golang.org/grpc to v1.59.0 (#2520 )

2023-10-26 16:59:11 +02:00

bootstrapper

fix joining over lb (#2478 )

2023-10-19 16:28:07 +02:00

cli

ci: add e2e test for self-managed infrastructure (#2472 )

2023-10-27 09:37:26 +02:00

csi

csi: fix concurrent use of cryptmapper package (#2408 )

2023-10-05 11:20:22 +02:00

debugd

docs: refer to apply command instead of init or upgrade apply (#2487 )

2023-10-27 08:30:59 +02:00

dev-docs

docs: refer to apply command instead of init or upgrade apply (#2487 )

2023-10-27 08:30:59 +02:00

disk-mapper

disk-mapper: package as tar

2023-09-27 17:58:19 +02:00

docs

docs: refer to apply command instead of init or upgrade apply (#2487 )

2023-10-27 08:30:59 +02:00

e2e

docs: refer to apply command instead of init or upgrade apply (#2487 )

2023-10-27 08:30:59 +02:00

hack

ci: add e2e test for self-managed infrastructure (#2472 )

2023-10-27 09:37:26 +02:00

image

image: update locked rpms (#2498 )

2023-10-22 10:10:48 +02:00

internal

ci: add e2e test for self-managed infrastructure (#2472 )

2023-10-27 09:37:26 +02:00

joinservice

joinservice: cache certificates for Azure SEV-SNP attestation (#2336 )

2023-09-29 14:29:50 +02:00

keyservice

cli: use Semver type to represent microservice versions (#2125 )

2023-07-25 14:20:25 +02:00

measurement-reader

measurement-reader: package as tar

2023-09-27 17:58:19 +02:00

nix/shells

nix: init flake

2023-09-27 17:58:19 +02:00

operators/constellation-node-operator

docs: refer to apply command instead of init or upgrade apply (#2487 )

2023-10-27 08:30:59 +02:00

rfc

cli: use state file on init and upgrade (#2395 )

2023-10-09 13:04:29 +02:00

rpm

deps: downgrade libvirt to 8.10.0 (#1971 )

2023-06-27 11:34:07 +02:00

s3proxy

docs: extend filestash example with more regions (#2445 )

2023-10-12 14:34:51 +02:00

tools

bazel: rewrite pseudo-version stamping in bash (#2020 )

2023-07-05 14:42:18 +02:00

upgrade-agent

upgrade-agent: package as tar

2023-09-27 17:58:19 +02:00

verify

cli: use Semver type to represent microservice versions (#2125 )

2023-07-25 14:20:25 +02:00

.bazelrc

bazel: always use nix

2023-10-12 14:42:24 +02:00

.bazelversion

deps: update bazel, rules_go and gazelle (#2203 )

2023-08-10 10:52:15 +02:00

.dockerignore

ci: run versionsapi as docker action

2023-01-13 10:23:43 +01:00

.gitignore

bazel: mkosi_image rule

2023-09-27 17:58:19 +02:00

.golangci.yml

ci: add e2e-upgrade test

2023-03-23 14:57:38 +01:00

.grype.yaml

ci: ignore replaced ghsa (#1392 )

2023-03-10 11:13:05 +01:00

.lycheeignore

ci: remove Azure portal internal links from docs (#2122 )

2023-07-20 15:04:34 +02:00

.shellcheckrc

Fix shellcheck warnings

2022-11-11 13:40:13 +01:00

.vale.ini

Add docs to repo (#38 )

2022-09-02 11:52:42 +02:00

BUILD.bazel

bazel: allow custom container_prefix (#1693 )

2023-04-27 11:52:02 +02:00

CMakeLists.txt

operators: use bazel to run operator envtests

2023-08-17 10:46:45 +02:00

CODE_OF_CONDUCT.md

Ref/readme (#375 )

2022-08-19 14:54:11 +02:00

CODEOWNERS

cli: remove old migration steps and id-file references (#2440 )

2023-10-13 10:21:21 +02:00

CONTRIBUTING.md

dev-docs: refactor and add information for newbies (#1912 )

2023-06-19 17:39:43 +02:00

flake.lock

nix: flake update (#2488 )

2023-10-20 17:17:59 +02:00

flake.nix

nix: flake update (#2488 )

2023-10-20 17:17:59 +02:00

go.mod

deps: update module google.golang.org/grpc to v1.59.0 (#2520 )

2023-10-26 16:59:11 +02:00

go.sum

deps: update module google.golang.org/grpc to v1.59.0 (#2520 )

2023-10-26 16:59:11 +02:00

go.work

Deps: bump Go to 1.21.3 (#2450 )

2023-10-12 16:11:02 +02:00

LICENSE

add license

2022-09-05 09:17:25 +02:00

netlify.toml

Add docs to repo (#38 )

2022-09-02 11:52:42 +02:00

README.md

Update README.md

2023-10-24 10:20:16 +02:00

renovate.json5

renovate: relax rules to allow updates to minor versions (#2423 )

2023-10-11 09:53:52 +00:00

SECURITY.md

promote new github security reporting feature

2022-11-10 16:31:13 +01:00

version.txt

ci: start v2.13-pre window (#2426 )

2023-10-10 18:33:04 +02:00

WORKSPACE.bazel

image: install rpms from lockfile

2023-10-17 09:23:56 +02:00

README.md

Always Encrypted Kubernetes

Constellation is a Kubernetes engine that aims to provide the best possible data security. It wraps your K8s cluster into a single confidential context that is shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages confidential computing (see the whitepaper) and more specifically Confidential VMs.

Goals

From a security perspective, Constellation is designed to keep all data always encrypted and to prevent access from the infrastructure layer (i.e., remove the infrastructure from the TCB). This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure (e.g., malicious co-tenants escalating their privileges).

From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern K8s engine.

Use cases

Encrypting your K8s is good for:

Increasing the overall security of your clusters
Increasing the trustworthiness of your SaaS offerings
Moving sensitive workloads from on-prem to the cloud
Meeting regulatory requirements

Features

🔒 Everything always encrypted

Runtime encryption: All nodes run inside AMD SEV-based Confidential VMs (CVMs). Support for Intel TDX will be added in the future.
Transparent encryption of network: All pod-to-pod traffic is automatically encrypted
Transparent encryption of storage: All writes to persistent storage are automatically encrypted. This includes nodes' state disks, persistent volumes via CSI, and S3 object storage.
Transparent key management: All cryptographic keys are managed within the confidential context

🔍 Everything verifiable

"Whole cluster" attestation based on the remote-attestation feature of CVMs
Confidential computing-optimized node images; fully measured and integrity-protected
Supply chain protection with sigstore and SLSA Level 3.

🚀 Performance and scale

High availability with multi-master architecture and stacked etcd topology
Dynamic cluster autoscaling with verification and secure bootstrapping of new nodes
Competitive performance (see K-Bench comparison with AKS and GKE)

🧩 Easy to use and integrate

Constellation is a CNCF-certified Kubernetes. It's aligned to Kubernetes' version support policy and will likely work with your existing workloads and tools.
Support for Azure, GCP, and AWS.
Support for local installations with MiniConstellation.

Getting started

If you're already familiar with Kubernetes, it's easy to get started with Constellation:

📦 Install the CLI
⌨️ Create a Constellation cluster in the cloud or locally
🏎️ Run your app

Learn more: "Getting started with Constellation" videos series.

Live demos

We're running public instances of popular software on Constellation:

Rocket.Chat: https://rocket.edgeless.systems/ (blog post)
GitLab: https://gitlab.edgeless.systems/ (blog post)

These instances run on CVMs in Azure and Constellation keeps them end-to-end confidential.

Documentation

To learn more, see the documentation. You may want to start with one of the following sections.

Confidential Kubernetes (Constellation vs. AKS/GKE + CVMs)
Security benefits
Architecture

Support

If something doesn't work, make sure to use the latest release and check out the known issues.
Please file an issue to get help or report a bug.
Join the Discord to have a chat on confidential computing and Constellation.
Visit our blog for technical deep-dives and tutorials and follow us on LinkedIn for news.
Edgeless Systems also offers Enterprise Support.

Contributing

Refer to CONTRIBUTING.md on how to contribute. The most important points:

Pull requests are welcome! You need to agree to our Contributor License Agreement.
Please follow the Code of Conduct.

Warning

Please report any security issue via a private GitHub vulnerability report or write to security@edgeless.systems.

License

The Constellation source code is licensed under the GNU Affero General Public License v3.0. Edgeless Systems provides pre-built and signed binaries and images for Constellation. You may use these free of charge to create and run services for internal consumption, evaluation purposes, or non-commercial use. You can find more information in the license section of the docs.

Description

Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.

cloud-security confidential-computing data-encryption kubernetes kubernetes-security

Readme AGPL-3.0 96 MiB

Languages

Go 83%

Starlark 8.4%

HCL 4.3%

Shell 2.4%

Smarty 1.2%

Other 0.6%