Rewrite "chain of trust" section #3066
✅ Deploy Preview for constellation-docs ready!
Reads much clearer now, thanks!
Not sure why vale is unhappy with "CLI's" and was happy with "CLI" before.
Maybe we need to add "CLI" to https://github.com/edgelesssys/constellation/blob/main/docs/styles/config/vocabularies/edgeless/accept.txt#L14
When a cluster is [created](../workflows/create.md), the CLI automatically verifies the runtime measurements of the *first node* using remote attestation. Based on this, the CLI and the first node set up a temporary TLS connection. This [aTLS](#attested-tls-atls) connection is used for three things: | ||
1. The CLI sends the runtime measurements for the applicable node image to the first node. | ||
2. The first node sends the [master secret](../architecture/keys.md#master-secret) of the to-be-created cluster to the CLI. The master secret is generated by the first node. |
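Review bot: item 2 states both who generates the master secret and which way it crosses the aTLS connection, and this is the line readers will use to reason about which party holds the key material, so check it against the init RPC before merging. In the intro sentence, "Based on this" is also vague: say explicitly that the connection is only set up after the first node's measurements were verified successfully.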
I think this works the other way around CC @daniel-weisse.
MasterSecret uri.MasterSecret
In the init gRPC proto, this field is called kms_uri.
constellation/bootstrapper/initproto/init.proto
Lines 17 to 18 in edc0c70

```proto
// KmsUri is an URI encoding access to the KMS service or master secret.
string kms_uri = 1;
```

The CLI generates the master secret and sends it to the first node.
Originally we generated the master secret on node, we no longer do this, so it should be
"The CLI sends the master secret to the first node"
Technically, we also send the runtime measurements to the first node later on once the Kubernetes is actually set up.
Though at this point only a single node cluster exists, so the statement is still correct.
It's called kms_uri in the proto definition since we encode the secret in a URI to make it compatible with a yet-to-be-implemented KMS backend to keep and manage the secret.
When Malte's comment is addressed: LGTM
Looks good otherwise
Co-authored-by: 3u13r <lc@edgeless.systems>
I rewrote the "Chain of trust" section to explain E2E how trust is established into a cluster. This is the first step of rewriting the entire attestation.md and potentially other parts of the docs.