joinservice/ (directory), v2.16.0
Published: Feb 29, 2024 License: AGPL-3.0

README

Join Service

Implementation for Constellation's node flow to join an existing cluster.

The join service runs on each control-plane node of the Kubernetes cluster. New nodes (at cluster start, or later through autoscaling) send an IssueJoinTicket request to the service over aTLS. The join service verifies the new node's certificate and attestation statement. Only if attestation succeeds is the new node supplied with the disk encryption key for its state disk and a Kubernetes bootstrap token, so that it may join the cluster.

Packages

joinproto

Proto definitions for the join service.

internal/server

The server implements gRPC endpoints for joining the cluster and holds the main application logic.

Connections between the join service and joining nodes are secured using aTLS. The attestation statement is verified during the handshake, before the IssueJoinTicket RPC below is served.

sequenceDiagram
    participant New Node
    participant Join Service
    New Node-->>Join Service: aTLS Handshake (server side verification)
    Join Service-->>New Node: #
    New Node->>+Join Service: grpc::IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
    Join Service->>+KMS: grpc::GetDataKey(DiskUUID)
    KMS->>-Join Service: DiskEncryptionKey
    Join Service->>-New Node: [DiskEncryptionKey, KubernetesJoinToken, ...]
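The flow in the diagram, written out as an added Go example. This is not code from the Constellation repository: the request and response types carry the field names shown in the diagram, while the KeyService and TokenIssuer interfaces, their method signatures, and the HMAC-based stand-in for the keyservice are assumptions made for the example. The handler models only what happens after the aTLS handshake has already verified the peer; the point it demonstrates is that the data key is looked up by DiskUUID (so a rejoining node gets the same key back for its state disk) while the bootstrap token is freshly minted and short-lived on every call.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// IssueJoinTicketRequest carries the three fields named in the sequence diagram.
// This example does not branch on IsControlPlane.
type IssueJoinTicketRequest struct {
	DiskUUID       string
	NodeName       string
	IsControlPlane bool
}

// IssueJoinTicketResponse models the reply; the diagram's trailing "..." stands
// for further fields that this example leaves out.
type IssueJoinTicketResponse struct {
	DiskEncryptionKey []byte
	KubeadmToken      string
	TokenExpiry       time.Time
}

// KeyService stands in for the keyservice's GetDataKey RPC (assumed signature).
type KeyService interface {
	GetDataKey(ctx context.Context, keyID string, length int) ([]byte, error)
}

// TokenIssuer stands in for kubeadm bootstrap-token creation (assumed signature).
type TokenIssuer interface {
	CreateJoinToken(ctx context.Context, ttl time.Duration) (string, time.Time, error)
}

// JoinService holds the two backends the handler needs.
type JoinService struct {
	kms    KeyService
	tokens TokenIssuer
}

var (
	uuidRE = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
	nodeRE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`) // DNS-1123 label
)

// IssueJoinTicket is reached only after the aTLS handshake verified the peer's
// attestation; it validates the request fields, fetches the state-disk DEK
// keyed by DiskUUID and mints a short-lived bootstrap token.
func (s *JoinService) IssueJoinTicket(ctx context.Context, req IssueJoinTicketRequest) (*IssueJoinTicketResponse, error) {
	if !uuidRE.MatchString(req.DiskUUID) {
		return nil, fmt.Errorf("invalid disk UUID %q", req.DiskUUID)
	}
	if !nodeRE.MatchString(req.NodeName) {
		return nil, fmt.Errorf("invalid node name %q", req.NodeName)
	}
	dek, err := s.kms.GetDataKey(ctx, req.DiskUUID, 32)
	if err != nil {
		return nil, fmt.Errorf("fetching data key: %w", err)
	}
	tok, exp, err := s.tokens.CreateJoinToken(ctx, 15*time.Minute)
	if err != nil {
		return nil, fmt.Errorf("creating join token: %w", err)
	}
	return &IssueJoinTicketResponse{DiskEncryptionKey: dek, KubeadmToken: tok, TokenExpiry: exp}, nil
}

// hmacKMS is a constructed stand-in for the keyservice: it derives each data key
// from a master secret and the key ID, so the same DiskUUID always yields the same DEK.
type hmacKMS struct{ master []byte }

func (k hmacKMS) GetDataKey(_ context.Context, keyID string, length int) ([]byte, error) {
	if length <= 0 || length > sha256.Size {
		return nil, errors.New("unsupported key length")
	}
	mac := hmac.New(sha256.New, k.master)
	mac.Write([]byte(keyID))
	mac.Write([]byte{byte(length)}) // bind the requested length into the derivation
	return mac.Sum(nil)[:length], nil
}

// randomTokens mints tokens in kubeadm's [a-z0-9]{6}.[a-z0-9]{16} format from crypto/rand.
type randomTokens struct{}

func (randomTokens) CreateJoinToken(_ context.Context, ttl time.Duration) (string, time.Time, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	buf := make([]byte, 23)
	for i := range buf {
		if i == 6 {
			buf[i] = '.'
			continue
		}
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", time.Time{}, err
		}
		buf[i] = alphabet[idx.Int64()]
	}
	return string(buf), time.Now().Add(ttl), nil
}

// NewDemoJoinService wires the handler to the constructed backends.
func NewDemoJoinService(master []byte) *JoinService {
	return &JoinService{kms: hmacKMS{master: master}, tokens: randomTokens{}}
}

func main() {
	svc := NewDemoJoinService([]byte("constructed-master-secret"))
	resp, err := svc.IssueJoinTicket(context.Background(), IssueJoinTicketRequest{
		DiskUUID: "6b5b5d9e-1c3f-4f0a-9a7e-0b1c2d3e4f50", NodeName: "worker-0"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("DEK=%x token=%s expires=%s\n", resp.DiskEncryptionKey, resp.KubeadmToken, resp.TokenExpiry.UTC().Format(time.RFC3339))
}
```

Calling IssueJoinTicket twice with the same DiskUUID returns the same 32-byte key and two different tokens; a malformed UUID or node name is rejected before any backend is contacted, which is the check a practitioner wants in front of a key-releasing endpoint.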
internal/kms

Implements interaction with Constellation's keyservice. This is needed for fetching data encryption keys for joining nodes.

internal/kubeadm

Implements interaction with the Kubernetes API to create join tokens for new nodes.

Docker image

Build the image:

bazel build //joinservice/cmd:joinservice
bazel build //bazel/release:joinservice_sum
bazel build //bazel/release:joinservice_tar
bazel run //bazel/release:joinservice_push

Directories

Path                        Synopsis
internal/certcache          Package certcache implements an in-cluster SEV-SNP certificate cache.
internal/certcache/amdkds   Package amdkds implements interaction with the AMD KDS (Key Distribution Service).
internal/kms                Package kms handles communication with Constellation's key service to request data encryption keys for new or rejoining nodes.
internal/kubeadm            Package kubeadm handles joining of new nodes by creating Kubernetes join tokens.
internal/kubernetes         Package kubernetes interacts with the Kubernetes API to update and fetch objects related to joining nodes.
internal/kubernetesca       Package kubernetesca implements a certificate authority that uses the Kubernetes root CA to sign certificates.
internal/server             Package server implements the gRPC endpoint of Constellation's node join service.
internal/watcher            Package watcher implements a file watcher to update an object on file changes.
