Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
7b00005ed6
constellation/joinservice
History
Otto Bittner 405db3286e AB#2386: TrustedLaunch support for azure attestation 
* There are now two attestation packages on azure.
The issuer on the server side is created base on successfully
querying the idkeydigest from the TPM. Fallback on err: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42)
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests

Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-05 12:03:48 +02:00
..
cmd AB#2386: TrustedLaunch support for azure attestation 2022-09-05 12:03:48 +02:00
internal add license headers 2022-09-05 09:17:25 +02:00
joinproto AB#2200 Merge Owner and Cluster ID (#282) 2022-07-26 10:58:39 +02:00
Dockerfile Silence wget output 2022-09-02 15:20:25 +02:00
README.md Add docs to repo (#38) 2022-09-02 11:52:42 +02:00

README.md

Join Service

Implementation for Constellation's node flow to join an existing cluster.

The join service runs on each control-plane node of the Kubernetes cluster. New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over aTLS. The join service verifies the new nodes certificate and attestation statement. If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.

Packages

joinproto

Proto definitions for the join service.

internal/server

The server implements gRPC endpoints for joining the cluster and holds the main application logic.

Connections between the join service and joining nodes are secured using aTLS

sequenceDiagram
    participant New Node
    participant Join Service
    New Node-->>Join Service: aTLS Handshake (server side verification)
    Join Service-->>New Node: #
    New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
    Join Service->>+KMS: grpc::GetDataKey(DiskUUID)
    KMS->>-Join Service: DiskEncryptionKey
    Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]

internal/kms

Implements interaction with Constellation's key management service. This is needed for fetching data encryption keys for joining nodes.

internal/kubeadm

Implements interaction with the Kubernetes API to create join tokens for new nodes.

Dockerfile

export VERSION=1.0.0
DOCKER_BUILDKIT=1 docker build --build-arg PROJECT_VERSION=${VERSION} -t ghcr.io/edgelesssys/constellation/join-service:v${VERSION} -f joinservice/Dockerfile .