constellation/cli
2022-04-21 09:06:35 +02:00
azure add coordinator count to cli 2022-04-06 11:24:22 +02:00
cloud Split cmd package 2022-04-21 09:06:35 +02:00
cloudprovider Split cmd package 2022-04-21 09:06:35 +02:00
cmd Fix PCR handling 2022-04-21 09:06:35 +02:00
ec2 monorepo 2022-03-22 16:09:39 +01:00
file file handler: Add "mkdirAll" flag 2022-04-13 13:07:10 +02:00
gcp add coordinator count to cli 2022-04-06 11:24:22 +02:00
proto Fix PCR handling 2022-04-21 09:06:35 +02:00
status Fix PCR handling 2022-04-21 09:06:35 +02:00
vpn refactor cli vpn config (#46) 2022-04-12 14:20:46 +02:00
main.go monorepo 2022-03-22 16:09:39 +01:00
README.md monorepo 2022-03-22 16:09:39 +01:00

CLI to spawn a confidential Kubernetes cluster

Usage

  1. (Optional) Replace the responsible in cli/cmd/defaults.go with yourself.
  2. Build the CLI and authenticate with <AWS/Azure/GCP> according to the README.md.
  3. Execute constellation create <aws/azure/gcp> 2 <4xlarge|n2d-standard-2>.
  4. Execute wg genkey | tee privatekey | wg pubkey > publickey to generate a WireGuard keypair.
  5. Execute constellation init --publickey publickey. Since the CLI waits for all nodes to be ready, this step can take up to 5 minutes.
  6. Use the output from constellation init and the WireGuard template below to create /etc/wireguard/wg0.conf, then execute wg-quick up wg0.
  7. Execute export KUBECONFIG=<path/to/admin.conf>.
  8. Use kubectl get nodes to inspect your cluster.
  9. Execute constellation terminate to terminate your Constellation.

WireGuard template for /etc/wireguard/wg0.conf:

[Interface]
Address = <address from the init output>
PrivateKey = <your base64 encoded private key>
ListenPort = 51820

[Peer]
PublicKey = <public key from the init output>
AllowedIPs = 10.118.0.1/32 # IP set on the peer's wg interface
Endpoint = <public IPv4 address from the activated coordinator>:51820  # address where the peer listens on
PersistentKeepalive = 10

Note: Skip the manual configuration of WireGuard by executing step 2 as root. Then, replace steps 4 and 5 with sudo constellation init --privatekey <path/to/your/privatekey>. This will automatically configure a new WireGuard interface named wg0 with the coordinator as peer.
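
Steps 4 and 6 as a script, added here as an example and not part of the Constellation repository: it generates the keypair under a restrictive umask, validates the values copied from the constellation init output, and writes the config with owner-only permissions. The function names and the optional /prefix on the interface address are assumptions.

```shell
#!/bin/sh
# Added example (not Constellation code). Function names are hypothetical.

# A WireGuard key is 32 bytes in base64: 43 characters plus one '=' of padding.
KEY_RE='^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
ADDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'  # /prefix optional (assumption)
HOST_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

# True only for a single-line value that matches the pattern.
matches() {
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] && printf '%s' "$1" | grep -Eq "$2"
}
die() { echo "wg0.conf: $*" >&2; exit 1; }

# Step 4 under umask 077, so tee does not create a world-readable private key.
gen_keypair() ( umask 077; wg genkey | tee privatekey | wg pubkey > publickey )

# render_wg_conf <out> <private-key-file> <address> <peer-public-key> <coordinator-ip>
# Runs in a subshell so the umask and variables do not leak into the caller.
render_wg_conf() (
    out=$1; keyfile=$2; addr=$3; peer=$4; endpoint=$5
    [ -r "$keyfile" ] || die "cannot read $keyfile"
    priv=$(cat "$keyfile")
    # Validate before writing: a pasted value must not add lines or settings.
    matches "$priv" "$KEY_RE"      || die "private key is not a WireGuard key"
    matches "$peer" "$KEY_RE"      || die "peer public key is not a WireGuard key"
    matches "$addr" "$ADDR_RE"     || die "bad interface address"
    matches "$endpoint" "$HOST_RE" || die "bad coordinator address"
    umask 077                      # the file holds the private key: owner-only
    { : > "$out" && chmod 600 "$out"; } || die "cannot create $out"
    cat > "$out" <<EOF
[Interface]
Address = $addr
PrivateKey = $priv
ListenPort = 51820

[Peer]
PublicKey = $peer
AllowedIPs = 10.118.0.1/32
Endpoint = $endpoint:51820
PersistentKeepalive = 10
EOF
)
```

Call it as render_wg_conf /etc/wireguard/wg0.conf privatekey with the address, public key and coordinator IP from the init output as the remaining arguments, then run wg-quick up wg0 as in step 6.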