mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-03 11:50:57 -05:00
53 lines
1.8 KiB
Markdown
53 lines
1.8 KiB
Markdown
# Join Service
|
|
|
|
Implementation for Constellation's node flow to join an existing cluster.
|
|
|
|
The join service runs on each control-plane node of the Kubernetes cluster.
|
|
New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over [aTLS](../internal/atls/).
|
|
The join service verifies the new nodes certificate and attestation statement.
|
|
If attestation is successful, the new node is supplied with a disk encryption key for its state disk, and a Kubernetes bootstrap token, so it may join the cluster.
|
|
|
|
## Packages
|
|
|
|
### [joinproto](./joinproto/)
|
|
|
|
Proto definitions for the join service.
|
|
|
|
### [internal/server](./internal/server/)
|
|
|
|
The `server` implements gRPC endpoints for joining the cluster and holds the main application logic.
|
|
|
|
Connections between the join service and joining nodes are secured using [aTLS](../internal/atls/README.md)
|
|
|
|
```mermaid
|
|
sequenceDiagram
|
|
participant New Node
|
|
participant Join Service
|
|
New Node-->>Join Service: aTLS Handshake (server side verification)
|
|
Join Service-->>New Node: #
|
|
New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
|
|
Join Service->>+KMS: grpc::GetDataKey(DiskUUID)
|
|
KMS->>-Join Service: DiskEncryptionKey
|
|
Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]
|
|
```
|
|
|
|
### [internal/kms](./internal/kms/)
|
|
|
|
Implements interaction with Constellation's keyservice.
|
|
This is needed for fetching data encryption keys for joining nodes.
|
|
|
|
### [internal/kubeadm](./internal/kubeadm/)
|
|
|
|
Implements interaction with the Kubernetes API to create join tokens for new nodes.
|
|
|
|
## Docker image
|
|
|
|
Build the image:
|
|
|
|
```shell
|
|
bazel build //joinservice/cmd:joinservice
|
|
bazel build //bazel/release:joinservice_sum
|
|
bazel build //bazel/release:joinservice_tar
|
|
bazel run //bazel/release:joinservice_push
|
|
```
|