Join Service
Implementation for Constellation's node flow to join an existing cluster.
The join service runs on each control-plane node of the Kubernetes cluster. New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over aTLS. The join service verifies the new node's certificate and attestation statement. If attestation succeeds, the new node is supplied with a disk encryption key for its state disk and a Kubernetes bootstrap token, so that it may join the cluster.
Packages
joinproto
Proto definitions for the join service.
internal/server
The server implements gRPC endpoints for joining the cluster and holds the main application logic.
Connections between the join service and joining nodes are secured using aTLS:
sequenceDiagram
participant New Node
participant Join Service
New Node-->>Join Service: aTLS Handshake (server side verification)
Join Service-->>New Node: #
New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
Join Service->>+KMS: grpc::GetDataKey(DiskUUID)
KMS->>-Join Service: DiskEncryptionKey
Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]
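The exchange in the diagram above, as an added self-contained model that is not the join service's own code: the HMAC-based per-DiskUUID key derivation standing in for the keyservice, the hex-based bootstrap token generator, and the `attested` flag standing for the result of the aTLS handshake are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// KeyService stands in for the keyservice behind grpc::GetDataKey (constructed for this example):
// keys derive per DiskUUID from a master key, so a rejoining disk gets its old key back.
type KeyService struct{ Master []byte }

// GetDataKey returns HMAC-SHA256(master, label || DiskUUID), a 32-byte key bound to one disk.
// An empty UUID is rejected: otherwise every such node would share the label-only key.
func (k KeyService) GetDataKey(diskUUID string) ([]byte, error) {
	if diskUUID == "" {
		return nil, errors.New("empty DiskUUID")
	}
	mac := hmac.New(sha256.New, k.Master)
	mac.Write([]byte("constellation-state-disk:" + diskUUID))
	return mac.Sum(nil), nil
}

// newBootstrapToken returns a kubeadm-shaped token ([a-z0-9]{6}.[a-z0-9]{16}); hex output stays
// inside that alphabet and carries 64 bits of secret entropy from crypto/rand.
func newBootstrapToken() (string, error) {
	var raw [11]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	h := hex.EncodeToString(raw[:])
	return h[:6] + "." + h[6:], nil
}

// IssueJoinTicket models the handler behind grpc::IssueJoinTicket. attested is the outcome of
// the aTLS handshake's attestation check: no key material leaves the service without it.
func IssueJoinTicket(ks KeyService, attested bool, diskUUID, nodeName string) ([]byte, string, error) {
	if !attested {
		return nil, "", errors.New("refusing join ticket for unattested node " + nodeName)
	}
	key, err := ks.GetDataKey(diskUUID)
	if err != nil {
		return nil, "", err
	}
	token, err := newBootstrapToken()
	if err != nil {
		return nil, "", err
	}
	return key, token, nil
}
```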
internal/kms
Implements interaction with Constellation's keyservice. This is needed for fetching data encryption keys for joining nodes.
internal/kubeadm
Implements interaction with the Kubernetes API to create join tokens for new nodes.
Dockerfile
export VERSION=0.0.0
DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/join-service:v${VERSION} -f joinservice/Dockerfile .