constellation/docs/versioned_docs/version-2.7/architecture/microservices.md
edgelessci 06bbdda9dc
docs: add release v2.7.0 (#1592)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-04-05 10:33:16 +02:00

3.8 KiB

Microservices

Constellation takes care of bootstrapping and initializing a Confidential Kubernetes cluster. During the lifetime of the cluster, it handles day 2 operations such as key management, remote attestation, and updates. These features are provided by several microservices:

The relations between microservices are shown in the following diagram:

flowchart LR
    subgraph admin [Admin's machine]
        A[Constellation CLI]
    end
    subgraph img [Constellation OS image]
        B[Constellation OS]
        C[Bootstrapper]
    end
    subgraph Kubernetes
        D[JoinService]
        E[KeyService]
        F[VerificationService]
    end
    A -- deploys -->
    B -- starts --> C
    C -- deploys --> D
    C -- deploys --> E
    C -- deploys --> F

Bootstrapper

The Bootstrapper is the first microservice launched after booting a Constellation node image. It sets up that machine as a Kubernetes node and integrates that node into the Kubernetes cluster. To this end, the Bootstrapper first downloads and verifies the Kubernetes components at the configured versions. The Bootstrapper tries to find an existing cluster and if successful, communicates with the JoinService to join the node. Otherwise, it waits for an initialization request to create a new Kubernetes cluster.

JoinService

The JoinService runs as DaemonSet on each control-plane node. New nodes (at cluster start, or later through autoscaling) send a request to the service over attested TLS (aTLS). The JoinService verifies the new node's certificate and attestation statement. If attestation is successful, the new node is supplied with an encryption key from the KeyService for its state disk, and a Kubernetes bootstrap token.

sequenceDiagram
    participant New node
    participant JoinService
    New node->>JoinService: aTLS handshake (server side verification)
    JoinService-->>New node: #
    New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
    JoinService->>+KeyService: GetDataKey(DiskUUID)
    KeyService-->>-JoinService: DiskEncryptionKey
    JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ...

VerificationService

The VerificationService runs as DaemonSet on each node. It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for verifying the cluster. Read more about the hardware-based attestation feature of Constellation and how to verify a cluster on the client side.

KeyService

The KeyService runs as DaemonSet on each control-plane node. It implements the key management for the storage encryption keys in Constellation. These keys are used for the state disk of each node and the transparently encrypted storage for Kubernetes. Depending on wether the constellation-managed or user-managed mode is used, the KeyService holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.