c020f7ac20
* ci: improve constellation_create error message When we hit a timeout due to nodes not coming up, the actual error message is hard to make out because it's buried in a group. With the right formatting, the error message will be highlighted in the UI. Another improvement is to output the state of nodes, which helps debugging the cause of nodes not joining or not becoming ready. * cleanup: use NodeVersionResourceName constant ... instead of literal strings. * ci: correctly notify on e2e upgrade error * atls: report cert extension OIDs on mismatch If the certificate contains an attestation document for SEV-SNP, but the given validator is for Nitro, verifyEmbeddedReport should not claim that there is no attestation document, but that there is no _compatible_ one and what the incompatible ones were. |
||
---|---|---|
.. | ||
cmd | ||
internal | ||
joinproto | ||
README.md |
Join Service
Implementation for Constellation's node flow to join an existing cluster.
The join service runs on each control-plane node of the Kubernetes cluster. New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over aTLS. The join service verifies the new nodes certificate and attestation statement. If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.
Packages
joinproto
Proto definitions for the join service.
internal/server
The server
implements gRPC endpoints for joining the cluster and holds the main application logic.
Connections between the join service and joining nodes are secured using aTLS
sequenceDiagram
participant New Node
participant Join Service
New Node-->>Join Service: aTLS Handshake (server side verification)
Join Service-->>New Node: #
New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
Join Service->>+KMS: grpc::GetDataKey(DiskUUID)
KMS->>-Join Service: DiskEncryptionKey
Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]
internal/kms
Implements interaction with Constellation's keyservice. This is needed for fetching data encryption keys for joining nodes.
internal/kubeadm
Implements interaction with the Kubernetes API to create join tokens for new nodes.
Docker image
Build the image:
bazel build //joinservice/cmd:joinservice
bazel build //bazel/release:joinservice_sum
bazel build //bazel/release:joinservice_tar
bazel run //bazel/release:joinservice_push