mirror of https://github.com/edgelesssys/constellation.git, synced 2024-12-28 00:49:26 -05:00
commit 106635a9ee: more guided UX when generating and filling in config
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Configuration file
The Constellation CLI reads all configuration options from constellation-conf.yaml.
The Constellation CLI can generate a default configuration file. This is the preferred way to create one, because the generated file matches the schema expected by the CLI version in use.
A sample configuration for a Constellation cluster on Azure looks like this:

```yaml
version: v1 # Schema version of this configuration file.
autoscalingNodeGroupMin: 1 # Minimum number of worker nodes in autoscaling group.
autoscalingNodeGroupMax: 10 # Maximum number of worker nodes in autoscaling group.
stateDiskSizeGB: 30 # Size (in GB) of a node's disk to store the non-volatile state.
# Ingress firewall rules for node network.
ingressFirewall:
  - name: bootstrapper # Name of rule.
    description: bootstrapper default port # Description for rule.
    protocol: tcp # Protocol, such as 'udp' or 'tcp'.
    iprange: 0.0.0.0/0 # CIDR range for which this rule is applied.
    fromport: 9000 # Start port of a range.
    toport: 0 # End port of a range, or 0 if a single port is given by fromport.
  - name: ssh # Name of rule.
    description: SSH # Description for rule.
    protocol: tcp # Protocol, such as 'udp' or 'tcp'.
    iprange: 0.0.0.0/0 # CIDR range for which this rule is applied.
    fromport: 22 # Start port of a range.
    toport: 0 # End port of a range, or 0 if a single port is given by fromport.
  - name: nodeport # Name of rule.
    description: NodePort # Description for rule.
    protocol: tcp # Protocol, such as 'udp' or 'tcp'.
    iprange: 0.0.0.0/0 # CIDR range for which this rule is applied.
    fromport: 30000 # Start port of a range.
    toport: 32767 # End port of a range, or 0 if a single port is given by fromport.
  - name: kubernetes # Name of rule.
    description: Kubernetes # Description for rule.
    protocol: tcp # Protocol, such as 'udp' or 'tcp'.
    iprange: 0.0.0.0/0 # CIDR range for which this rule is applied.
    fromport: 6443 # Start port of a range.
    toport: 0 # End port of a range, or 0 if a single port is given by fromport.
# Supported cloud providers and their specific configurations.
provider:
  # Configuration for Azure as provider.
  azure:
    subscription: "" # Subscription ID of the used Azure account. See: https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription
    tenant: "" # Tenant ID of the used Azure account. See: https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant
    location: "" # Azure datacenter region to be used. See: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#azure-regions-with-availability-zones
    image: /subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699 # Machine image used to create Constellation nodes.
    stateDiskType: StandardSSD_LRS # Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison
    # Expected confidential VM measurements.
    measurements:
      11: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
      12: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
    userAssignedIdentity: "" # Authorize spawned VMs to access Azure API.
kubernetesVersion: "1.24" # Kubernetes version installed in the cluster.
# # Egress firewall rules for node network.
# egressFirewall:
#   - name: rule#1 # Name of rule.
#     description: the first rule # Description for rule.
#     protocol: tcp # Protocol, such as 'udp' or 'tcp'.
#     iprange: 0.0.0.0/0 # CIDR range for which this rule is applied.
#     fromport: 443 # Start port of a range.
#     toport: 443 # End port of a range, or 0 if a single port is given by fromport.
# # Create SSH users on Constellation nodes.
# sshUsers:
#   - username: Alice # Username of new SSH user.
#     publicKey: ssh-rsa AAAAB3NzaC...5QXHKW1rufgtJeSeJ8= alice@domain.com # Public key of new SSH user.
```
Required customizations
Most options of a generated configuration can be kept at their default values. However, you must edit some cloud provider options.
Azure
Set the subscription and tenant IDs of the Azure account you use.
Set the userAssignedIdentity that you created for Constellation.
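As an added example (not part of the Constellation docs or code base), the following stdlib-only Python checker validates a loaded constellation-conf.yaml dict against the rules stated above: toport 0 means the single port given by fromport, iprange must be a CIDR, and the Azure subscription, tenant and userAssignedIdentity must be filled in before use; it also warns when the ssh rule is left open to 0.0.0.0/0 as in the sample. The sample dict, the `rule` helper and the 32-byte measurement check are assumptions made for this example.

```python
import base64, ipaddress

def rule(name, fromport, toport=0, iprange="0.0.0.0/0", protocol="tcp"):
    return {"name": name, "protocol": protocol, "iprange": iprange,
            "fromport": fromport, "toport": toport}

# Constructed sample mirroring the page's Azure config, as yaml.safe_load would return it.
SAMPLE_CONF = {
    "version": "v1", "autoscalingNodeGroupMin": 1, "autoscalingNodeGroupMax": 10,
    "ingressFirewall": [rule("bootstrapper", 9000), rule("ssh", 22),
                        rule("nodeport", 30000, 32767), rule("kubernetes", 6443)],
    "provider": {"azure": {"subscription": "", "tenant": "", "userAssignedIdentity": "",
                           "measurements": {11: "A" * 43 + "=", 12: "A" * 43 + "="}}},
    "kubernetesVersion": "1.24",
}

def check_rule(r):
    """Problems with one firewall rule; toport 0 means the single port fromport."""
    errs, name = [], r.get("name")
    if r.get("protocol") not in ("tcp", "udp"):
        errs.append(f"{name}: protocol must be tcp or udp")
    try:
        ipaddress.ip_network(r.get("iprange", ""))  # strict: rejects host bits set
    except ValueError:
        errs.append(f"{name}: iprange is not a valid CIDR")
    lo = r.get("fromport", 0)
    hi = r.get("toport", 0) or lo
    if not 1 <= lo <= hi <= 65535:
        errs.append(f"{name}: bad port range {lo}-{hi}")
    return errs

def check_conf(conf):
    """Return (errors, warnings) for a loaded constellation-conf.yaml dict."""
    errs, warns = [], []
    for r in conf.get("ingressFirewall", []):
        errs += check_rule(r)
        if r.get("name") == "ssh" and r.get("iprange") == "0.0.0.0/0":
            warns.append("ssh: open to every IPv4 address; narrow iprange")
    az = conf.get("provider", {}).get("azure", {})
    for key in ("subscription", "tenant", "userAssignedIdentity"):  # required by the docs
        if not az.get(key):
            errs.append(f"provider.azure.{key} must be set")
    for pcr, val in az.get("measurements", {}).items():
        try:
            raw = base64.b64decode(val, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            raw = b""
        if len(raw) != 32:  # assumption: 32-byte (SHA-256) PCR digests, as in the sample
            errs.append(f"measurement {pcr}: expected 32 base64-encoded bytes")
    return errs, warns
```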
GCP
Set the project that you want to use for your Constellation cluster.