
Create a Confidential Kubernetes cluster


In order to follow the steps described on this page, the following conditions need to be met:

Ensure that the CLI version is the same as the image version.

  1. Create the configuration file and state file for STACKIT by running the following command:

    constellation config generate stackit

    A file constellation-conf.yaml like this will be created:

    version: v4 # Schema version of this configuration file.
    image: v2.16.1 # Machine image version used to create Constellation nodes.
    name: constell # Name of the cluster.
    kubernetesVersion: v1.28.5 # Kubernetes version to be installed into the cluster.
    microserviceVersion: v2.16.1 # Microservice version to be installed into the cluster. Defaults to the version of the CLI.
    debugCluster: false # DON'T USE IN PRODUCTION: enable debug mode and use debug images.
    customEndpoint: "" # Optional custom endpoint (DNS name) for the Constellation API server.
    internalLoadBalancer: false # Flag to enable/disable the internal load balancer. If enabled, the Constellation is only accessible from within the VPC.
    serviceCIDR: 10.96.0.0/12 # The Kubernetes Service CIDR to be used for the cluster. This value will only be used during the first initialization of the Constellation.
    # Supported cloud providers and their specific configurations.
    provider:
      # Configuration for OpenStack as provider.
      openstack:
        cloud: stackit # OpenStack cloud name to select from "clouds.yaml". Only required if config file for OpenStack is used. Fallback authentication uses environment variables. For details see: https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html.
        cloudsYAMLPath: "" # Path to OpenStack "clouds.yaml" file. Only required if automatic detection fails.
        availabilityZone: "eu01-1" # Availability zone to place the VMs in. For details see: https://docs.openstack.org/nova/latest/admin/availability-zones.html
        floatingIPPoolID: 970ace5c-458f-484a-a660-0903bcfd91ad # Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html
        stackitProjectID: "your_stackit_project_id" # STACKITProjectID is the ID of the STACKIT project where a user resides.
        regionName: RegionOne # description: |
        deployYawolLoadBalancer: true # Deploy Yawol loadbalancer. For details see: https://github.com/stackitcloud/yawol
        yawolImageID: bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be # OpenStack OS image used by the yawollet. For details see: https://github.com/stackitcloud/yawol
        yawolFlavorID: 3b11b27e-6c73-470d-b595-1d85b95a8cdf # OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol
        deployCSIDriver: true # Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
    # Node groups to be created in the cluster.
    nodeGroups:
      control_plane_default:
        role: control-plane # Role of the nodes in this group. Valid values are "control-plane" and "worker".
        zone: "eu01-1" # Availability zone to place the VMs in.
        instanceType: m1a.4cd # VM instance type to use for the nodes.
        stateDiskSizeGB: 30 # Size (in GB) of a node's disk to store the non-volatile state.
        stateDiskType: storage_premium_perf6 # Type of a node's state disk. The type influences boot time and I/O performance.
        initialCount: 1 # Number of nodes to be initially created.
      worker_default:
        role: worker # Role of the nodes in this group. Valid values are "control-plane" and "worker".
        zone: "eu01-1" # Availability zone to place the VMs in.
        instanceType: m1a.4cd # VM instance type to use for the nodes.
        stateDiskSizeGB: 30 # Size (in GB) of a node's disk to store the non-volatile state.
        stateDiskType: storage_premium_perf6 # Type of a node's state disk. The type influences boot time and I/O performance.
        initialCount: 1 # Number of nodes to be initially created.
    # Configuration for attestation validation. This configuration provides sensible defaults for the Constellation version it was created for.
    # See the docs for an overview on attestation: https://docs.edgeless.systems/constellation/architecture/attestation
    attestation:
      # QEMU vTPM attestation.
      qemuVTPM:
        # Expected TPM measurements.
        measurements:
          # ...
  2. Check if the image version used in the config file is available in the list of supported images.

  3. Edit the file constellation-conf.yaml and fill in the following details in the section provider.openstack:

    • provider.openstack.stackitProjectID: STACKIT project ID (can be found after login on https://portal.stackit.cloud)
    • provider.openstack.availabilityZone: select the desired availability zone (eu01-1, eu01-2 or eu01-3)
    • nodeGroups.control_plane_default.zone: select the desired availability zone (eu01-1, eu01-2 or eu01-3)
    • nodeGroups.worker_default.zone: select the desired availability zone (eu01-1, eu01-2 or eu01-3)
  4. Create the cluster.

    1. If you want to manually manage your cloud resources, for example by using Terraform, follow the corresponding instructions in the Create workflow.

    2. Otherwise run the command: constellation apply -y

      The command may take 10+ minutes to complete.
      The result will look similar to the following. The cluster identifier will be different.

      $ constellation apply -y
      Checking for infrastructure changes
      The following Constellation cluster will be created:
      3 control-plane node of type m1a.4cd will be created.
      1 worker node of type m1a.4cd will be created.
      Creating
      Cloud infrastructure created successfully.
      Your Constellation master secret was successfully written to "constellation-mastersecret.json"
      Connecting
      Initializing cluster
      Installing Kubernetes components
      Your Constellation cluster was successfully initialized.
      Constellation cluster identifier fccb84b96ea919c926c86757595252d669300de4345f02647d47679b56842ff7
      Kubernetes configuration constellation-admin.conf
      You can now connect to your cluster by executing:
      export KUBECONFIG="$PWD/constellation-admin.conf"
  5. Store constellation-mastersecret.json in a safe place. This will allow you to recover your cluster in case of a disaster.
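The edits from steps 1 to 3 can be checked mechanically before constellation apply is run in step 4. The script below is an added example written for this page; it is not part of the Constellation CLI or of the STACKIT tooling. It uses a minimal parser for the key/value subset of YAML that the generated file consists of (written here, not a YAML library), and checks that the image version equals the CLI version passed as a parameter, that debugCluster is off, that stackitProjectID no longer holds the generator's placeholder, and that every zone is one of eu01-1, eu01-2 or eu01-3. The sample configuration text, the project ID values and the CLI version strings are constructed for the example.

```python
"""Pre-flight checks for a generated constellation-conf.yaml (added example).

Not part of the Constellation or STACKIT tooling. Parses only the subset of
YAML the generated file uses: nested mappings, scalar values and trailing
'# comments'. Lists and block scalars are not supported.
"""
import re

# Constructed sample: the relevant part of a generated config after step 3,
# with the project ID deliberately still at the generator's placeholder.
SAMPLE_CONF = """\
version: v4 # Schema version of this configuration file.
image: v2.16.1 # Machine image version used to create Constellation nodes.
name: constell # Name of the cluster.
debugCluster: false # DON'T USE IN PRODUCTION: enable debug mode and use debug images.
provider:
  openstack:
    cloud: stackit # OpenStack cloud name to select from "clouds.yaml".
    availabilityZone: "eu01-1"
    stackitProjectID: "your_stackit_project_id"
nodeGroups:
  control_plane_default:
    role: control-plane
    zone: "eu01-1"
    initialCount: 1
  worker_default:
    role: worker
    zone: "eu01-2"
    initialCount: 1
"""

ALLOWED_ZONES = {"eu01-1", "eu01-2", "eu01-3"}  # zones named in the walkthrough
PLACEHOLDER_PROJECT_ID = "your_stackit_project_id"  # value the generator emits


def _strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside quotes."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == "#":
            return line[:i].rstrip()
    return line.rstrip()


def _scalar(text):
    """Unquote strings and convert booleans and integers; keep the rest as str."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in ('"', "'"):
        return text[1:-1]
    if text in ("true", "false"):
        return text == "true"
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return text


def parse_simple_yaml(text):
    """Parse mapping-only YAML into nested dicts, using indentation for nesting."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping); the innermost open mapping is last
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"not a key/value line: {raw!r}")
        while indent <= stack[-1][0]:  # close mappings this line is not inside
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # 'key:' with nothing after it opens a mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = _scalar(value)
    return root


def preflight(conf, cli_version):
    """Return the list of findings; an empty list means the config passes."""
    findings = []
    if conf.get("image") != cli_version:
        findings.append(f"image {conf.get('image')!r} does not match CLI version {cli_version!r}")
    if conf.get("debugCluster") is True:
        findings.append("debugCluster is true; debug images are not for production")
    openstack = conf.get("provider", {}).get("openstack", {})
    project = openstack.get("stackitProjectID", "")
    if not project or project == PLACEHOLDER_PROJECT_ID:
        findings.append("provider.openstack.stackitProjectID is empty or still the placeholder")
    zone = openstack.get("availabilityZone")
    if zone not in ALLOWED_ZONES:
        findings.append(f"provider.openstack.availabilityZone {zone!r} is not one of {sorted(ALLOWED_ZONES)}")
    for group, spec in conf.get("nodeGroups", {}).items():
        if spec.get("zone") not in ALLOWED_ZONES:
            findings.append(f"nodeGroups.{group}.zone {spec.get('zone')!r} is not one of {sorted(ALLOWED_ZONES)}")
    return findings


def check_file(path, cli_version):
    """Run the pre-flight checks against a config file on disk."""
    with open(path, encoding="utf-8") as fh:
        return preflight(parse_simple_yaml(fh.read()), cli_version)


if __name__ == "__main__":
    # The CLI version is constructed here; take the real one from `constellation version`.
    for finding in preflight(parse_simple_yaml(SAMPLE_CONF), "v2.16.1"):
        print("FAIL:", finding)
```

On the sample the only finding is the placeholder project ID; after replacing it the list is empty. To check a real file, call check_file("constellation-conf.yaml", version) with the version string reported by constellation version.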

The Confidential Kubernetes cluster is now up and running.

You can now interact with the cluster using kubectl. To do that:

  1. Download and install kubectl
  2. export KUBECONFIG="$PWD/constellation-admin.conf"
  3. Now execute kubectl get nodes
    You should be able to see the nodes running in your cluster.

If you encounter any problem with the previous steps, check the Troubleshooting guide.

To dive deeper, see also the Advanced cluster configuration guide.