First steps with Constellation
The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully installed and set up Constellation, and have access to a cloud subscription.
If you don't have a cloud subscription, you can also set up a local Constellation cluster using virtualization for testing.
If you encounter any problem with the following steps, make sure to use the latest release and check out the known issues.
Create a cluster
- Create the configuration file and state file for your cloud provider.
  Azure:
    constellation config generate azure
  GCP:
    constellation config generate gcp
  AWS:
    constellation config generate aws
- Create your IAM configuration.
  Azure:
    constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
  This command creates IAM configuration in the Azure region westus, creating a new resource group constellTest and a new service principal spTest. It also updates the configuration file constellation-conf.yaml in your current directory with the IAM values filled in.
  CVMs are available in several Azure regions. Constellation OS images are currently replicated to the following:
  - germanywestcentral
  - westus
  - eastus
  - northeurope
  - westeurope
  - southeastasia
  If you require the OS image to be available in another region, let us know.
  You can find a list of all regions in Azure's documentation.
  GCP:
    constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
  This command creates IAM configuration in the GCP project yourproject-12345 in the GCP zone europe-west2-a, creating a new service account constell-test. It also updates the configuration file constellation-conf.yaml in your current directory with the IAM values filled in.
  Note that only regions offering CVMs of the C2D or N2D series are supported. You can find a list of all regions in Google's documentation, which you can filter by machine type C2D or N2D.
  AWS:
    constellation iam create aws --zone=us-east-2a --prefix=constellTest --update-config
  This command creates IAM configuration for the AWS zone us-east-2a using the prefix constellTest for all named resources being created. It also updates the configuration file constellation-conf.yaml in your current directory with the IAM values filled in.
  Depending on the attestation variant selected on config generation, different regions are available. AMD SEV-SNP machines (requires the default attestation variant awsSEVSNP) are currently available in the following regions:
  - eu-west-1
  - us-east-2
  You can find a list of regions that support AMD SEV-SNP in AWS's documentation.
  NitroTPM machines (requires the attestation variant awsNitroTPM) are available in all regions. Constellation OS images are currently replicated to the following regions:
  - eu-central-1
  - eu-west-1
  - eu-west-3
  - us-east-2
  - ap-south-1
  If you require the OS image to be available in another region, let us know.
  You can find a list of all regions in AWS's documentation.
  Tip: To learn about all options you have for managing IAM resources and Constellation configuration, see the Configuration workflow.
- Create the cluster.
  constellation apply uses options set in constellation-conf.yaml. If you want to manually manage your cloud resources, for example by using Terraform, follow the corresponding instructions in the Create workflow.
  Tip: On Azure, you may need to wait 15+ minutes at this point for role assignments to propagate.
    constellation apply -y
  This should look similar to the following:
    $ constellation apply -y
    Checking for infrastructure changes
    The following Constellation cluster will be created:
    3 control-plane nodes of type n2d-standard-4 will be created.
    1 worker node of type n2d-standard-4 will be created.
    Creating
    Cloud infrastructure created successfully
    Your Constellation master secret was successfully written to ./constellation-mastersecret.json
    Connecting
    Initializing cluster
    Installing Kubernetes components
    Your Constellation cluster was successfully initialized.
    Constellation cluster identifier g6iMP5wRU1b7mpOz2WEISlIYSfdAhB0oNaOg6XEwKFY=
    Kubernetes configuration constellation-admin.conf
    You can now connect to your cluster by executing:
    export KUBECONFIG="$PWD/constellation-admin.conf"
  The cluster's identifier will be different in your output. Keep constellation-mastersecret.json somewhere safe. This will allow you to recover your cluster in case of a disaster.
  Info: Depending on your CSP and region, constellation apply may take 10+ minutes to complete.
- Configure kubectl.
    export KUBECONFIG="$PWD/constellation-admin.conf"
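
After constellation apply, the master secret (constellation-mastersecret.json) and the admin kubeconfig (constellation-admin.conf) both sit in the working directory. The following shell check is an added example, not part of the Constellation CLI or its documentation: it reports whether either file is accessible to group or others, or is tracked by git. The function names are hypothetical; the file names are the ones shown in the output above.

```sh
#!/bin/sh
# Added example: audit the sensitive files that `constellation apply` leaves
# in the working directory. File names come from the command output above;
# the function names are hypothetical.

SENSITIVE_FILES="constellation-mastersecret.json constellation-admin.conf"

# perms_private FILE -> 0 if FILE grants no access to group or others.
perms_private() {
    # Characters 5-10 of `ls -ld` are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# tracked_by_git DIR NAME -> 0 if NAME is staged or committed in a repo at DIR.
tracked_by_git() {
    command -v git >/dev/null 2>&1 || return 1
    git -C "$1" ls-files --error-unmatch -- "$2" >/dev/null 2>&1
}

# audit_workspace [DIR] -> prints findings, returns the number of findings.
audit_workspace() {
    dir=${1:-.}
    findings=0
    for name in $SENSITIVE_FILES; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name (not created yet, or already moved elsewhere)"
            continue
        fi
        if ! perms_private "$path"; then
            echo "EXPOSED  $name is accessible to group/others; run: chmod 600 $path"
            findings=$((findings + 1))
        fi
        if tracked_by_git "$dir" "$name"; then
            echo "TRACKED  $name is tracked by git; remove it from the repository"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Run audit_workspace in the directory where you ran constellation apply; a return status of 0 means no findings.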
Deploy a sample application
- Deploy the emojivoto app.
    kubectl apply -k github.com/BuoyantIO/emojivoto/kustomize/deployment
- Expose the frontend service locally.
    kubectl wait --for=condition=available --timeout=60s -n emojivoto --all deployments
    kubectl -n emojivoto port-forward svc/web-svc 8080:80 &
    curl http://localhost:8080
    kill %1