README
ΒΆ
Always Encrypted Kubernetes
Constellation is a Kubernetes engine that aims to provide the best possible data security. It wraps your K8s cluster into a single confidential context that is shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory. For this, Constellation leverages confidential computing (see the whitepaper) and more specifically Confidential VMs.
Goals
From a security perspective, Constellation is designed to keep all data always encrypted and to prevent access from the infrastructure layer (i.e., remove the infrastructure from the TCB). This includes access from datacenter employees, privileged cloud admins, and attackers coming through the infrastructure (e.g., malicious co-tenants escalating their privileges).
From a DevOps perspective, Constellation is designed to work just like what you would expect from a modern K8s engine.
Use cases
Encrypting your K8s is good for:
- Increasing the overall security of your clusters
- Increasing the trustworthiness of your SaaS offerings
- Moving sensitive workloads from on-prem to the cloud
- Meeting regulatory requirements
Features
π Everything always encrypted
- Runtime encryption: All nodes run inside AMD SEV-based Confidential VMs (CVMs). Support for Intel TDX will be added in the future.
- Transparent encryption of network: All pod-to-pod traffic is automatically encrypted
- Transparent encryption of storage: All writes to persistent storage are automatically encrypted. This includes nodes' state disks, persistent volumes via CSI, and S3 object storage.
- Transparent key management: All cryptographic keys are managed within the confidential context
π Everything verifiable
- "Whole cluster" attestation based on the remote-attestation feature of CVMs
- Confidential computing-optimized node images; fully measured and integrity-protected
- Supply chain protection with sigstore and SLSA Level 3.
π Performance and scale
- High availability with multi-master architecture and stacked etcd topology
- Dynamic cluster autoscaling with verification and secure bootstrapping of new nodes
- Competitive performance (see K-Bench comparison with AKS and GKE)
𧩠Easy to use and integrate
- Constellation is a CNCF-certified Kubernetes. It's aligned to Kubernetes' version support policy and will likely work with your existing workloads and tools.
- Support for Azure, GCP, and AWS.
- Support for local installations with MiniConstellation.
- Support for Terraform
Getting started
If you're already familiar with Kubernetes, it's easy to get started with Constellation:
- π¦ Install the CLI or use the Terraform provider
- β¨οΈ Create a Constellation cluster in the cloud or locally
- ποΈ Run your app
Learn more: "Getting started with Constellation" videos series.
Live demos
We're running public instances of popular software on Constellation:
- Rocket.Chat: https://rocket.edgeless.systems/ (blog post)
- GitLab: https://gitlab.edgeless.systems/ (blog post)
These instances run on CVMs in Azure and Constellation keeps them end-to-end confidential.
Documentation
To learn more, see the documentation. You may want to start with one of the following sections.
- Confidential Kubernetes (Constellation vs. AKS/GKE + CVMs)
- Security benefits
- Architecture
Support
- If something doesn't work, make sure to use the latest release and check out the known issues.
- Please file an issue to get help or report a bug.
- Join the Discord to have a chat on confidential computing and Constellation.
- Visit our blog for technical deep-dives and tutorials and follow us on LinkedIn for news.
- Edgeless Systems also offers Enterprise Support.
Contributing
Refer to CONTRIBUTING.md on how to contribute. The most important points:
- Pull requests are welcome! You need to agree to our Contributor License Agreement.
- Please follow the Code of Conduct.
Warning Please report any security issue via a private GitHub vulnerability report or write to security@edgeless.systems.
License
The Constellation source code is licensed under the GNU Affero General Public License v3.0. Edgeless Systems provides pre-built and signed binaries and images for Constellation. You may use these free of charge to create and run services for internal consumption, evaluation purposes, or non-commercial use. You can find more information in the license section of the docs.
Directories
ΒΆ
| Path | Synopsis |
|---|---|
|
3rdparty
|
|
|
node-maintenance-operator/api/v1beta1
Package v1beta1 contains API Schema definitions for the nodemaintenance v1beta1 API group +kubebuilder:object:generate=true +groupName=nodemaintenance.medik8s.io
|
Package v1beta1 contains API Schema definitions for the nodemaintenance v1beta1 API group +kubebuilder:object:generate=true +groupName=nodemaintenance.medik8s.io |
|
bootstrapper
|
|
|
internal/certificate
Package certificate provides functions to create a certificate request and matching private key.
|
Package certificate provides functions to create a certificate request and matching private key. |
|
internal/clean
Package clean provides functionality to stop a list of services gracefully and synchronously.
|
Package clean provides functionality to stop a list of services gracefully and synchronously. |
|
internal/diskencryption
Package diskencryption handles interaction with a node's state disk.
|
Package diskencryption handles interaction with a node's state disk. |
|
internal/journald
Package journald provides functions to read and collect journald logs.
|
Package journald provides functions to read and collect journald logs. |
|
internal/kubernetes
Package kubernetes provides functionality to bootstrap a Kubernetes cluster, or join an exiting one.
|
Package kubernetes provides functionality to bootstrap a Kubernetes cluster, or join an exiting one. |
|
internal/kubernetes/k8sapi
Package k8sapi is used to interact with the Kubernetes API to create or update required resources.
|
Package k8sapi is used to interact with the Kubernetes API to create or update required resources. |
|
internal/kubernetes/k8sapi/resources
Package resources contains Kubernetes configs and policies for Constellation.
|
Package resources contains Kubernetes configs and policies for Constellation. |
|
internal/kubernetes/kubewaiter
Package kubewaiter is used to wait for the Kubernetes API to be available.
|
Package kubewaiter is used to wait for the Kubernetes API to be available. |
|
internal/logging
Package logging provides an interface for logging information to a non-confidential destination
|
Package logging provides an interface for logging information to a non-confidential destination |
|
internal/nodelock
Package nodelock handles locking operations on the node.
|
Package nodelock handles locking operations on the node. |
|
cmd
Package cmd is the entrypoint of the Constellation CLI.
|
Package cmd is the entrypoint of the Constellation CLI. |
|
internal/cloudcmd
Package cloudcmd provides executable commands for the CLI.
|
Package cloudcmd provides executable commands for the CLI. |
|
internal/cmd
Package cmd provides the Constellation CLI.
|
Package cmd provides the Constellation CLI. |
|
internal/cmd/pathprefix
Package pathprefix is used to print correct filepaths for a configured workspace.
|
Package pathprefix is used to print correct filepaths for a configured workspace. |
|
internal/libvirt
Package libvirt is used to start and stop containerized libvirt instances.
|
Package libvirt is used to start and stop containerized libvirt instances. |
|
internal/terraform
Package terraform handles creation/destruction of cloud and IAM resources required by Constellation using Terraform.
|
Package terraform handles creation/destruction of cloud and IAM resources required by Constellation using Terraform. |
|
csi
|
|
|
cryptmapper
Package cryptmapper provides a wrapper around libcryptsetup to manage dm-crypt volumes for CSI drivers.
|
Package cryptmapper provides a wrapper around libcryptsetup to manage dm-crypt volumes for CSI drivers. |
|
debugd
|
|
|
internal/cdbg/cmd
Package cmd contains the cdbg CLI.
|
Package cmd contains the cdbg CLI. |
|
internal/debugd
Package debugd contains internal packages for the debugd.
|
Package debugd contains internal packages for the debugd. |
|
internal/debugd/deploy
Package deploy implements deployment of binaries and services to a Constellation instance.
|
Package deploy implements deployment of binaries and services to a Constellation instance. |
|
internal/debugd/info
Package info implements the info map that is used to distribute keyβvalue pair between debugd instances.
|
Package info implements the info map that is used to distribute keyβvalue pair between debugd instances. |
|
internal/debugd/metadata
Package metadata schedules the discovery of other debugd instances to exchange settings and binaries.
|
Package metadata schedules the discovery of other debugd instances to exchange settings and binaries. |
|
internal/debugd/metadata/cloudprovider
Package cloudprovider implements a metadata service for cloud providers.
|
Package cloudprovider implements a metadata service for cloud providers. |
|
internal/debugd/metadata/fallback
Package fallback implements a fake metadata backend.
|
Package fallback implements a fake metadata backend. |
|
internal/debugd/server
Package server implements the gRPC endpoint of Constellation's debugd.
|
Package server implements the gRPC endpoint of Constellation's debugd. |
|
internal/filetransfer
Package filetransfer implements the exchange of files between cdgb <-> debugd and between debugd <-> debugd pairs.
|
Package filetransfer implements the exchange of files between cdgb <-> debugd and between debugd <-> debugd pairs. |
|
internal/filetransfer/streamer
Package streamer implements streaming of files over gRPC.
|
Package streamer implements streaming of files over gRPC. |
|
disk-mapper
|
|
|
internal/diskencryption
Package diskencryption uses libcryptsetup to format and map crypt devices.
|
Package diskencryption uses libcryptsetup to format and map crypt devices. |
|
internal/recoveryserver
Package recoveryserver implements the gRPC endpoints for recovering a restarting node.
|
Package recoveryserver implements the gRPC endpoints for recovering a restarting node. |
|
internal/rejoinclient
Package rejoinclient handles the automatic rejoining of a restarting node.
|
Package rejoinclient handles the automatic rejoining of a restarting node. |
|
internal/systemd
Package systemd configures systemd units for encrypted volumes.
|
Package systemd configures systemd units for encrypted volumes. |
|
End-to-end tests which are executed from our GitHub action pipelines.
|
End-to-end tests which are executed from our GitHub action pipelines. |
|
internal/kubectl
Provides functionality to easily interact with the K8s API, which can be used from any e2e test.
|
Provides functionality to easily interact with the K8s API, which can be used from any e2e test. |
|
internal/lb
Package lb tests that the cloud load balancer works as expected.
|
Package lb tests that the cloud load balancer works as expected. |
|
malicious-join
End-to-end test that issues various types of malicious join requests to a cluster.
|
End-to-end test that issues various types of malicious join requests to a cluster. |
|
hack
|
|
|
bazel-deps-mirror
bazel-deps-mirror adds external dependencies to edgeless systems' mirror.
|
bazel-deps-mirror adds external dependencies to edgeless systems' mirror. |
|
bazel-deps-mirror/internal/bazelfiles
package bazelfiles is used to find and handle Bazel WORKSPACE and bzl files.
|
package bazelfiles is used to find and handle Bazel WORKSPACE and bzl files. |
|
bazel-deps-mirror/internal/issues
package issues can store and report issues found during the bazel-deps-mirror process.
|
package issues can store and report issues found during the bazel-deps-mirror process. |
|
bazel-deps-mirror/internal/mirror
package mirror is used upload and download Bazel dependencies to and from a mirror.
|
package mirror is used upload and download Bazel dependencies to and from a mirror. |
|
bazel-deps-mirror/internal/rules
package rules is used find and modify Bazel rules in WORKSPACE and bzl files.
|
package rules is used find and modify Bazel rules in WORKSPACE and bzl files. |
|
cli-k8s-compatibility
cli-k8s-compatibility generates JSON output for a CLI version and its supported Kubernetes versions.
|
cli-k8s-compatibility generates JSON output for a CLI version and its supported Kubernetes versions. |
|
clidocgen
Clidocgen generates a Markdown page describing all CLI commands.
|
Clidocgen generates a Markdown page describing all CLI commands. |
|
gocoverage
gocoverage parses 'go test -cover' output and generates a simple coverage report in JSON format.
|
gocoverage parses 'go test -cover' output and generates a simple coverage report in JSON format. |
|
image-fetch
imagefetch retrieves a CSP image reference from a Constellation config in the CWD.
|
imagefetch retrieves a CSP image reference from a Constellation config in the CWD. |
|
oci-pin
oci-pin generates Go code and shasum files for OCI images.
|
oci-pin generates Go code and shasum files for OCI images. |
|
oci-pin/internal/inject
inject renders Go source files with injected pinning values.
|
inject renders Go source files with injected pinning values. |
|
oci-pin/internal/sums
sums creates and combines sha256sums files.
|
sums creates and combines sha256sums files. |
|
image
|
|
|
upload
upload uploads os images.
|
upload uploads os images. |
|
internal
|
|
|
api/client
Package client provides a client for the versions API.
|
Package client provides a client for the versions API. |
|
api/fetcher
Package fetcher implements a client for the Constellation Resource API.
|
Package fetcher implements a client for the Constellation Resource API. |
|
api/versionsapi/cli
This package provides a CLI tool to interact with the Constellation versions API.
|
This package provides a CLI tool to interact with the Constellation versions API. |
|
atls
aTLS provides config generation functions to bootstrap attested TLS connections.
|
aTLS provides config generation functions to bootstrap attested TLS connections. |
|
attestation
This package deals with the low level attestation and verification logic of Constellation nodes.
|
This package deals with the low level attestation and verification logic of Constellation nodes. |
|
attestation/aws/snp
--------- WARNING! ---------
|
--------- WARNING! --------- |
|
attestation/azure/tdx
package tdx implements attestation for TDX on Azure.
|
package tdx implements attestation for TDX on Azure. |
|
attestation/idkeydigest
Package idkeydigest provides type definitions for the `idkeydigest` value of SEV-SNP attestation.
|
Package idkeydigest provides type definitions for the `idkeydigest` value of SEV-SNP attestation. |
|
attestation/initialize
Package initialize implements functions to mark a node as initialized in the context of cluster attestation.
|
Package initialize implements functions to mark a node as initialized in the context of cluster attestation. |
|
attestation/simulator
TPM2 simulator used for unit tests.
|
TPM2 simulator used for unit tests. |
|
attestation/snp
Package SNP provides types shared by SNP-based attestation implementations.
|
Package SNP provides types shared by SNP-based attestation implementations. |
|
attestation/tdx
Package TDX implements attestation for Intel TDX.
|
Package TDX implements attestation for Intel TDX. |
|
attestation/variant
Package variant defines Attestation variants for different CSPs.
|
Package variant defines Attestation variants for different CSPs. |
|
cloud/aws
Implements interaction with the AWS API.
|
Implements interaction with the AWS API. |
|
cloud/azure
Implements interaction with the Azure API.
|
Implements interaction with the Azure API. |
|
cloud/azureshared
Package gcpshared contains code to parse and define data types relevant for Microsoft Azure.
|
Package gcpshared contains code to parse and define data types relevant for Microsoft Azure. |
|
cloud/gcp
Implements interaction with the GCP API.
|
Implements interaction with the GCP API. |
|
cloud/gcpshared
Package gcpshared contains code to parse and define data types relevant for Google Cloud Platform.
|
Package gcpshared contains code to parse and define data types relevant for Google Cloud Platform. |
|
cloud/qemu
This package provides an interface to fake a CSP API for QEMU instances.
|
This package provides an interface to fake a CSP API for QEMU instances. |
|
compatibility
Package compatibility offers helper functions for comparing and filtering versions.
|
Package compatibility offers helper functions for comparing and filtering versions. |
|
config/imageversion
Package imageversion contains the pinned container images for the config.
|
Package imageversion contains the pinned container images for the config. |
|
config/migration
Package migration contains outdated configuration formats and their migration functions.
|
Package migration contains outdated configuration formats and their migration functions. |
|
constants
Package constants contains the constants used by Constellation.
|
Package constants contains the constants used by Constellation. |
|
constellation
This package capsulates the Constellation API, which is used to manage and interact with Constellation clusters.
|
This package capsulates the Constellation API, which is used to manage and interact with Constellation clusters. |
|
constellation/featureset
package featureset provides a way to check whether a feature is enabled in the current build.
|
package featureset provides a way to check whether a feature is enabled in the current build. |
|
constellation/helm
Package helm provides a higher level interface to the Helm Go SDK.
|
Package helm provides a higher level interface to the Helm Go SDK. |
|
constellation/helm/imageversion
Package imageversion contains the pinned container images for the helm charts.
|
Package imageversion contains the pinned container images for the helm charts. |
|
constellation/kubecmd
Package kubecmd provides functions to interact with a Kubernetes cluster to the CLI.
|
Package kubecmd provides functions to interact with a Kubernetes cluster to the CLI. |
|
constellation/state
package state defines the structure of the Constellation state file.
|
package state defines the structure of the Constellation state file. |
|
containerimage
This package provides container image names, registry info and digests.
|
This package provides container image names, registry info and digests. |
|
crypto
Package crypto provides functions to for cryptography and random numbers.
|
Package crypto provides functions to for cryptography and random numbers. |
|
crypto/testvector
Package testvector provides test vectors for key derivation and crypto functions.
|
Package testvector provides test vectors for key derivation and crypto functions. |
|
cryptsetup
Package cryptsetup provides a wrapper around libcryptsetup.
|
Package cryptsetup provides a wrapper around libcryptsetup. |
|
encoding
Package encoding provides data types and functions for JSON or YAML encoding/decoding.
|
Package encoding provides data types and functions for JSON or YAML encoding/decoding. |
|
file
Package file provides functions that combine file handling, JSON marshaling and file system abstraction.
|
Package file provides functions that combine file handling, JSON marshaling and file system abstraction. |
|
grpc/atlscredentials
Package atlscredentials handles creation of TLS credentials for attested TLS (ATLS).
|
Package atlscredentials handles creation of TLS credentials for attested TLS (ATLS). |
|
grpc/dialer
Package dialer provides a grpc dialer that can be used to create grpc client connections with different levels of ATLS encryption / verification.
|
Package dialer provides a grpc dialer that can be used to create grpc client connections with different levels of ATLS encryption / verification. |
|
grpc/grpclog
grpclog provides a logging utilities for gRPC.
|
grpclog provides a logging utilities for gRPC. |
|
grpc/retry
Package retry provides functions to check if a gRPC error is retryable.
|
Package retry provides functions to check if a gRPC error is retryable. |
|
grpc/testdialer
Package testdialer provides a fake dialer for testing.
|
Package testdialer provides a fake dialer for testing. |
|
imagefetcher
Package imagefetcher provides helping wrappers around a versionsapi fetcher.
|
Package imagefetcher provides helping wrappers around a versionsapi fetcher. |
|
installer
Package installer provides functionality to install binary components of supported kubernetes versions.
|
Package installer provides functionality to install binary components of supported kubernetes versions. |
|
kms/config
Package config provides configuration constants for the KeyService.
|
Package config provides configuration constants for the KeyService. |
|
kms/kms
Package kms provides an abstract interface for Key Management Services.
|
Package kms provides an abstract interface for Key Management Services. |
|
kms/kms/aws
Package aws implements a KMS backend for AWS KMS.
|
Package aws implements a KMS backend for AWS KMS. |
|
kms/kms/azure
Package azure implements KMS backends for Azure Key Vault and Azure managed HSM.
|
Package azure implements KMS backends for Azure Key Vault and Azure managed HSM. |
|
kms/kms/cluster
Package cluster implements a KMS backend for in cluster key management.
|
Package cluster implements a KMS backend for in cluster key management. |
|
kms/kms/gcp
Package gcp implements a KMS backend for Google Cloud KMS.
|
Package gcp implements a KMS backend for Google Cloud KMS. |
|
kms/kms/internal
Package internal implements the CloudKMS interface using go-kms-wrapping.
|
Package internal implements the CloudKMS interface using go-kms-wrapping. |
|
kms/setup
Package setup provides functions to create a KMS and key store from a given URI.
|
Package setup provides functions to create a KMS and key store from a given URI. |
|
kms/storage
Package storage implements storage backends for DEKs.
|
Package storage implements storage backends for DEKs. |
|
kms/storage/awss3
Package awss3 implements a storage backend for the KMS using AWS S3: https://aws.amazon.com/s3/
|
Package awss3 implements a storage backend for the KMS using AWS S3: https://aws.amazon.com/s3/ |
|
kms/storage/azureblob
Package azureblob implements a storage backend for the KMS using Azure Blob Storage.
|
Package azureblob implements a storage backend for the KMS using Azure Blob Storage. |
|
kms/storage/gcs
Package gcs implements a storage backend for the KMS using Google Cloud Storage (GCS).
|
Package gcs implements a storage backend for the KMS using Google Cloud Storage (GCS). |
|
kms/storage/memfs
Package memfs implements a storage backend for the KMS that stores keys in memory only.
|
Package memfs implements a storage backend for the KMS that stores keys in memory only. |
|
kms/uri
Package uri provides URIs and parsing logic for KMS and storage URIs.
|
Package uri provides URIs and parsing logic for KMS and storage URIs. |
|
kubernetes
Package kubernetes provides data types and custom marshalers for Kubernetes API objects.
|
Package kubernetes provides data types and custom marshalers for Kubernetes API objects. |
|
kubernetes/kubectl
Package kubectl provides a kubectl-like interface for Kubernetes.
|
Package kubectl provides a kubectl-like interface for Kubernetes. |
|
license
Package license provides functions to check a user's Constellation license.
|
Package license provides functions to check a user's Constellation license. |
|
logger
Package logger provides helper functions that can be used in combination with slog to increase functionality or make working with slog easier.
|
Package logger provides helper functions that can be used in combination with slog to increase functionality or make working with slog easier. |
|
maa
Package maa provides an interface for interacting with an MAA service on an infrastructure level.
|
Package maa provides an interface for interacting with an MAA service on an infrastructure level. |
|
mpimage
The mpimage package provides utilities for handling CSP marketplace OS images.
|
The mpimage package provides utilities for handling CSP marketplace OS images. |
|
nodestate
Package nodestate is used to persist the state of a Constellation node to disk.
|
Package nodestate is used to persist the state of a Constellation node to disk. |
|
osimage
package osimage is used to handle osimages in the CI (uploading and maintenance).
|
package osimage is used to handle osimages in the CI (uploading and maintenance). |
|
osimage/archive
package archive is used to archive OS images in S3.
|
package archive is used to archive OS images in S3. |
|
osimage/imageinfo
package imageinfo is used to upload image info JSON files to S3.
|
package imageinfo is used to upload image info JSON files to S3. |
|
osimage/measurementsuploader
package measurementsuploader is used to upload measurements (v2) JSON files (and signatures) to S3.
|
package measurementsuploader is used to upload measurements (v2) JSON files (and signatures) to S3. |
|
osimage/nop
package nop implements a no-op for CSPs that don't require custom image upload functionality.
|
package nop implements a no-op for CSPs that don't require custom image upload functionality. |
|
osimage/secureboot
package secureboot holds secure boot configuration for image uploads.
|
package secureboot holds secure boot configuration for image uploads. |
|
osimage/uplosi
package uplosi implements uploading os images using uplosi.
|
package uplosi implements uploading os images using uplosi. |
|
retry
Package retry provides a simple interface for retrying operations.
|
Package retry provides a simple interface for retrying operations. |
|
semver
Package semver provides functionality to parse and process semantic versions, as they are used in multiple components of Constellation.
|
Package semver provides functionality to parse and process semantic versions, as they are used in multiple components of Constellation. |
|
sigstore/keyselect
Package keyselect is used to select the correct public key for signature verification.
|
Package keyselect is used to select the correct public key for signature verification. |
|
staticupload
Package staticupload provides a static file uploader/updater/remover for the CDN / static API.
|
Package staticupload provides a static file uploader/updater/remover for the CDN / static API. |
|
validation
Package validation provides a unified document validation interface for use within the Constellation CLI.
|
Package validation provides a unified document validation interface for use within the Constellation CLI. |
|
verify
Package verify provides the types for the verify report in JSON format.
|
Package verify provides the types for the verify report in JSON format. |
|
versions
Package versions defines the supported versions of Constellation components.
|
Package versions defines the supported versions of Constellation components. |
|
versions/hash-generator
hash-generator updates the binary hashes and kubeadm patches in versions.go in place.
|
hash-generator updates the binary hashes and kubeadm patches in versions.go in place. |
|
joinservice
|
|
|
internal/certcache
Package certcache implements an in-cluster SEV-SNP certificate cache.
|
Package certcache implements an in-cluster SEV-SNP certificate cache. |
|
internal/certcache/amdkds
The AMDKDS package implements interaction with the AMD KDS (Key Distribution Service).
|
The AMDKDS package implements interaction with the AMD KDS (Key Distribution Service). |
|
internal/kms
Package kms handles communication with Constellation's key service to request data encryption keys for new or rejoining nodes.
|
Package kms handles communication with Constellation's key service to request data encryption keys for new or rejoining nodes. |
|
internal/kubeadm
Package kubeadm handles joining of new nodes by creating Kubernetes Join Tokens.
|
Package kubeadm handles joining of new nodes by creating Kubernetes Join Tokens. |
|
internal/kubernetes
Package kubernetes interacts with the Kubernetes API to update an fetch objects related to joining nodes.
|
Package kubernetes interacts with the Kubernetes API to update an fetch objects related to joining nodes. |
|
internal/kubernetesca
kubernetesca implements a certificate authority that uses the Kubernetes root CA to sign certificates.
|
kubernetesca implements a certificate authority that uses the Kubernetes root CA to sign certificates. |
|
internal/server
Package server implements the gRPC endpoint of Constellation's node join service.
|
Package server implements the gRPC endpoint of Constellation's node join service. |
|
internal/watcher
Package watcher implements a file watcher to update an object on file changes.
|
Package watcher implements a file watcher to update an object on file changes. |
|
keyservice
|
|
|
internal/server
Package server implements an API to manage encryption keys.
|
Package server implements an API to manage encryption keys. |
|
measurement-reader
|
|
|
internal/sorted
Package sorted defines a type for print-friendly sorted measurements and allows sorting TPM and TDX measurements.
|
Package sorted defines a type for print-friendly sorted measurements and allows sorting TPM and TDX measurements. |
|
internal/tdx
Package tdx reads measurements from an Intel TDX guest.
|
Package tdx reads measurements from an Intel TDX guest. |
|
internal/tpm
Package tpm reads measurements from a TPM.
|
Package tpm reads measurements from a TPM. |
|
operators
|
|
|
constellation-node-operator/api/v1alpha1
Package v1alpha1 contains API Schema definitions for the update v1alpha1 API group +kubebuilder:object:generate=true +groupName=update.edgeless.systems
|
Package v1alpha1 contains API Schema definitions for the update v1alpha1 API group +kubebuilder:object:generate=true +groupName=update.edgeless.systems |
|
constellation-node-operator/internal/deploy
Package deploy provides functions to deploy initial resources for the node operator.
|
Package deploy provides functions to deploy initial resources for the node operator. |
|
constellation-node-operator/internal/executor
Package executor contains a task executor / scheduler for the constellation node operator.
|
Package executor contains a task executor / scheduler for the constellation node operator. |
|
constellation-node-operator/internal/poller
Package poller implements a poller that can be used to wait for a condition to be met.
|
Package poller implements a poller that can be used to wait for a condition to be met. |
|
constellation-node-operator/sgreconciler
Package sgreconciler contains a reconciler that reconciles on cloud provider infrastructure.
|
Package sgreconciler contains a reconciler that reconciles on cloud provider infrastructure. |
|
s3proxy
|
|
|
cmd
Package main parses command line flags and starts the s3proxy server.
|
Package main parses command line flags and starts the s3proxy server. |
|
internal/crypto
Package crypto provides encryption and decryption functions for the s3proxy.
|
Package crypto provides encryption and decryption functions for the s3proxy. |
|
internal/kms
Package kms is used to interact with the Constellation keyservice.
|
Package kms is used to interact with the Constellation keyservice. |
|
internal/router
Package router implements the main interception logic of s3proxy.
|
Package router implements the main interception logic of s3proxy. |
|
internal/s3
Package s3 implements a very thin wrapper around the AWS S3 client.
|
Package s3 implements a very thin wrapper around the AWS S3 client. |
|
internal/data
The data package implements the structures used to pass data between different resources.
|
The data package implements the structures used to pass data between different resources. |
|
internal/provider
The provider package implements the Constellation Terraform provider's "provider" resource, which is the main entrypoint for Terraform to interact with the provider.
|
The provider package implements the Constellation Terraform provider's "provider" resource, which is the main entrypoint for Terraform to interact with the provider. |
|
upgrade-agent
|
|
|
internal/server
Package server implements the gRPC server for the upgrade agent.
|
Package server implements the gRPC server for the upgrade agent. |
|
verify
|
|
|
server
Package server implements the gRPC and REST endpoints for retrieving attestation statements.
|
Package server implements the gRPC and REST endpoints for retrieving attestation statements. |
Click to show internal directories.
Click to hide internal directories.