constellation/internal/config/config.go

//go:generate docgen ./config.go ./config_doc.go Configuration
// This binary can be build from siderolabs/talos projects. Located at:
// https://github.com/siderolabs/talos/tree/master/hack/docgen
package config

import (
	"errors"
	"fmt"
	"io/fs"

	"github.com/edgelesssys/constellation/internal/constants"
	"github.com/edgelesssys/constellation/internal/file"
)

// Config defines configuration used by CLI.
type Config struct {
	// description: |
	//   Minimum number of nodes in autoscaling group.
	//   worker nodes.
	AutoscalingNodeGroupsMin int `yaml:"autoscalingNodeGroupsMin"`
	// description: |
	//   Maximum number of nodes in autoscaling group.
	//   worker nodes.
	AutoscalingNodeGroupsMax int `yaml:"autoscalingNodeGroupsMax"`
	// description: |
	//   Size (in GB) of data disk used for nodes.
	StateDiskSizeGB int `yaml:"stateDisksizeGB"`
	// description: |
	//   Ingress firewall rules for node network.
	IngressFirewall Firewall `yaml:"ingressFirewall,omitempty"`
	// description: |
	//   Egress firewall rules for node network.
	// examples:
	//   - value: 'Firewall{
	//     {
	//       Name: "rule#1",
	//       Description: "the first rule",
	//       Protocol: "tcp",
	//       IPRange: "0.0.0.0/0",
	//       FromPort: 443,
	//       ToPort: 443,
	//     },
	//   }'
	EgressFirewall Firewall `yaml:"egressFirewall,omitempty"`
	// description: |
	//   Supported cloud providers & their specific configurations.
	Provider ProviderConfig `yaml:"provider"`
	// description: |
	//   Create SSH users on Constellation nodes.
	// examples:
	//   - value: '[]UserKey{ { Username:  "Alice", PublicKey: "ssh-rsa AAAAB3NzaC...5QXHKW1rufgtJeSeJ8= alice@domain.com" } }'
	SSHUsers []UserKey `yaml:"sshUsers,omitempty"`
}

// UserKey describes a user that should be created with corresponding public SSH key.
type UserKey struct {
	// description: |
	//   Username of new SSH user.
	Username string `yaml:"username"`
	// description: |
	//   Public key of new SSH user.
	PublicKey string `yaml:"publicKey"`
}

type FirewallRule struct {
	// description: |
	//   Name of rule.
	Name string `yaml:"name"`
	// description: |
	//   Description for rule.
	Description string `yaml:"description"`
	// description: |
	//   Protocol, such as 'udp' or 'tcp'.
	Protocol string `yaml:"protocol"`
	// description: |
	//   CIDR range for which this rule is applied.
	IPRange string `yaml:"iprange"`
	// description: |
	//   Port of start port of a range.
	FromPort int `yaml:"fromport"`
	// description: |
	//   End port of a range, or 0 if a single port is given by FromPort.
	ToPort int `yaml:"toport"`
}

type Firewall []FirewallRule

// ProviderConfig are cloud-provider specific configuration values used by the CLI.
// Fields should remain pointer-types so custom specific configs can nil them
// if not required.
type ProviderConfig struct {
	// description: |
	//   Configuration for Azure as provider.
	Azure *AzureConfig `yaml:"azureConfig,omitempty"`
	// description: |
	//   Configuration for Google Cloud as provider.
	GCP *GCPConfig `yaml:"gcpConfig,omitempty"`
	// description: |
	//   Configuration for QEMU as provider.
	QEMU *QEMUConfig `yaml:"qemuConfig,omitempty"`
}

// AzureConfig are Azure specific configuration values used by the CLI.
type AzureConfig struct {
	// description: |
	//   Subscription ID of the used Azure account. See: https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription
	SubscriptionID string `yaml:"subscription"`
	// description: |
	//   Tenant ID of the used Azure account. See: https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant
	TenantID string `yaml:"tenant"`
	// description: |
	//   Azure datacenter region to be used. See: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#azure-regions-with-availability-zones
	Location string `yaml:"location"`
	// description: |
	//   Machine image used to create Constellation nodes.
	Image string `yaml:"image"`
	// description: |
	//   Expected confidential VM measurements.
	Measurements Measurements `yaml:"measurements"`
	// description: |
	//   Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure
	UserAssignedIdentity string `yaml:"userassignedIdentity"`
}

// GCPConfig are GCP specific configuration values used by the CLI.
type GCPConfig struct {
	// description: |
	//   GCP project. See: https://support.google.com/googleapi/answer/7014113?hl=en
	Project string `yaml:"project"`
	// description: |
	//   GCP datacenter region. See: https://cloud.google.com/compute/docs/regions-zones#available
	Region string `yaml:"region"`
	// description: |
	//   GCP datacenter zone. See: https://cloud.google.com/compute/docs/regions-zones#available
	Zone string `yaml:"zone"`
	// description: |
	//   Machine image used to create Constellation nodes.
	Image string `yaml:"image"`
	// description: |
	//   Roles added to service account.
	ServiceAccountRoles []string `yaml:"serviceAccountRoles"`
	// description: |
	//   Measurement used to enable measured boot.
	Measurements Measurements `yaml:"measurements"`
}

type QEMUConfig struct {
	// description: |
	//   Measurement used to enable measured boot.
	Measurements Measurements `yaml:"measurements"`
}

// Default returns a struct with the default config.
func Default() *Config {
	return &Config{
		AutoscalingNodeGroupsMin: 1,
		AutoscalingNodeGroupsMax: 10,
		StateDiskSizeGB:          30,
		IngressFirewall: Firewall{
			{
				Name:        "coordinator",
				Description: "Coordinator default port",
				Protocol:    "tcp",
				IPRange:     "0.0.0.0/0",
				FromPort:    constants.CoordinatorPort,
			},
			{
				Name:        "wireguard",
				Description: "WireGuard default port",
				Protocol:    "udp",
				IPRange:     "0.0.0.0/0",
				FromPort:    constants.WireguardPort,
			},
			{
				Name:        "ssh",
				Description: "SSH",
				Protocol:    "tcp",
				IPRange:     "0.0.0.0/0",
				FromPort:    constants.SSHPort,
			},
			{
				Name:        "nodeport",
				Description: "NodePort",
				Protocol:    "tcp",
				IPRange:     "0.0.0.0/0",
				FromPort:    constants.NodePortFrom,
				ToPort:      constants.NodePortTo,
			},
		},
		Provider: ProviderConfig{
			Azure: &AzureConfig{
				SubscriptionID:       "0d202bbb-4fa7-4af8-8125-58c269a05435",
				TenantID:             "adb650a8-5da3-4b15-b4b0-3daf65ff7626",
				Location:             "North Europe",
				Image:                "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1651150807",
				Measurements:         azurePCRs,
				UserAssignedIdentity: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/constellation-images/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-dev-identity",
			},
			GCP: &GCPConfig{
				Project: "constellation-331613",
				Region:  "europe-west3",
				Zone:    "europe-west3-b",
				Image:   "projects/constellation-images/global/images/constellation-coreos-1651150807",
				ServiceAccountRoles: []string{
					"roles/compute.instanceAdmin.v1",
					"roles/compute.networkAdmin",
					"roles/compute.securityAdmin",
					"roles/storage.admin",
					"roles/iam.serviceAccountUser",
				},
				Measurements: gcpPCRs,
			},
			QEMU: &QEMUConfig{
				Measurements: qemuPCRs,
			},
		},
	}
}

// FromFile returns config file with `name` read from `fileHandler` by parsing
// it as YAML.
// If name is empty, the default configuration is returned.
func FromFile(fileHandler file.Handler, name string) (*Config, error) {
	if name == "" {
		return Default(), nil
	}

	var emptyConf Config
	if err := fileHandler.ReadYAML(name, &emptyConf); err != nil {
		if errors.Is(err, fs.ErrNotExist) {
			return nil, fmt.Errorf("unable to find %s - use `constellation config generate` to generate it first", name)
		}
		return nil, fmt.Errorf("could not load config from file %s: %w", name, err)
	}
	return &emptyConf, nil
}