Switch to Azure CVMs
This commit is contained in:
parent
29a1b5de42
commit
0892525915
@ -2,46 +2,8 @@ package azure
|
|||||||
|
|
||||||
// InstanceTypes are valid Azure instance types.
|
// InstanceTypes are valid Azure instance types.
|
||||||
var InstanceTypes = []string{
|
var InstanceTypes = []string{
|
||||||
// Trusted Launch (2nd Generation AMD EPYC 7452 or 3rd Generation EPYC 7763v processors)
|
// CVMs (3rd Generation EPYC 7763v processors)
|
||||||
// Dav4-series
|
// DCasv5-series
|
||||||
"Standard_D2a_v4",
|
|
||||||
"Standard_D4a_v4",
|
|
||||||
"Standard_D8a_v4",
|
|
||||||
"Standard_D16a_v4",
|
|
||||||
"Standard_D32a_v4",
|
|
||||||
"Standard_D48a_v4",
|
|
||||||
"Standard_D64a_v4",
|
|
||||||
"Standard_D96a_v4",
|
|
||||||
// Dasv4-series
|
|
||||||
"Standard_D2as_v4",
|
|
||||||
"Standard_D4as_v4",
|
|
||||||
"Standard_D8as_v4",
|
|
||||||
"Standard_D16as_v4",
|
|
||||||
"Standard_D32as_v4",
|
|
||||||
"Standard_D48as_v4",
|
|
||||||
"Standard_D64as_v4",
|
|
||||||
"Standard_D96as_v4",
|
|
||||||
// Eav4-series
|
|
||||||
"Standard_E2a_v4",
|
|
||||||
"Standard_E4a_v4",
|
|
||||||
"Standard_E8a_v4",
|
|
||||||
"Standard_E16a_v4",
|
|
||||||
"Standard_E32a_v4",
|
|
||||||
"Standard_E48a_v4",
|
|
||||||
"Standard_E64a_v4",
|
|
||||||
"Standard_E96a_v4",
|
|
||||||
// Easv4-series
|
|
||||||
"Standard_E2as_v4",
|
|
||||||
"Standard_E4as_v4",
|
|
||||||
"Standard_E8as_v4",
|
|
||||||
"Standard_E16as_v4",
|
|
||||||
"Standard_E20as_v4",
|
|
||||||
"Standard_E32as_v4",
|
|
||||||
"Standard_E48as_v4",
|
|
||||||
"Standard_E64as_v4",
|
|
||||||
"Standard_E96as_v4",
|
|
||||||
// CVMs (not supported yet, 3rd Generation EPYC 7763v processors)
|
|
||||||
/* // DCasv5-series
|
|
||||||
"Standard_DC2as_v5",
|
"Standard_DC2as_v5",
|
||||||
"Standard_DC4as_v5",
|
"Standard_DC4as_v5",
|
||||||
"Standard_DC8as_v5",
|
"Standard_DC8as_v5",
|
||||||
@ -78,5 +40,5 @@ var InstanceTypes = []string{
|
|||||||
"Standard_EC32ads_v5",
|
"Standard_EC32ads_v5",
|
||||||
"Standard_EC48ads_v5",
|
"Standard_EC48ads_v5",
|
||||||
"Standard_EC64ads_v5",
|
"Standard_EC64ads_v5",
|
||||||
"Standard_EC96ads_v5", */
|
"Standard_EC96ads_v5",
|
||||||
}
|
}
|
||||||
|
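Review bot: The doc comment on `InstanceTypes` is left as-is although the list now holds only DCasv5 and EC…ads_v5 confidential VM SKUs and every Dav4/Dasv4/Eav4/Easv4 entry was dropped, so a configuration that still names one of the old Trusted Launch types will presumably fail validation without the comment explaining the new constraint. I would extend it to `// InstanceTypes are valid Azure instance types. Only confidential VM SKUs are accepted; the former Trusted Launch SKUs are no longer supported.`. The second hunk of this file only closes the previously commented-out block and needs nothing further. The file path of this section is not visible in this view.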
@ -68,6 +68,14 @@ func (s ScaleSet) Azure() armcomputev2.VirtualMachineScaleSet {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
OSDisk: &armcomputev2.VirtualMachineScaleSetOSDisk{
|
||||||
|
ManagedDisk: &armcomputev2.VirtualMachineScaleSetManagedDiskParameters{
|
||||||
|
SecurityProfile: &armcomputev2.VMDiskSecurityProfile{
|
||||||
|
SecurityEncryptionType: to.Ptr(armcomputev2.SecurityEncryptionTypesVMGuestStateOnly),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
CreateOption: to.Ptr(armcomputev2.DiskCreateOptionTypesFromImage),
|
||||||
|
},
|
||||||
},
|
},
|
||||||
NetworkProfile: &armcomputev2.VirtualMachineScaleSetNetworkProfile{
|
NetworkProfile: &armcomputev2.VirtualMachineScaleSetNetworkProfile{
|
||||||
NetworkInterfaceConfigurations: []*armcomputev2.VirtualMachineScaleSetNetworkConfiguration{
|
NetworkInterfaceConfigurations: []*armcomputev2.VirtualMachineScaleSetNetworkConfiguration{
|
||||||
@ -103,8 +111,8 @@ func (s ScaleSet) Azure() armcomputev2.VirtualMachineScaleSet {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
SecurityProfile: &armcomputev2.SecurityProfile{
|
SecurityProfile: &armcomputev2.SecurityProfile{
|
||||||
SecurityType: to.Ptr(armcomputev2.SecurityTypesTrustedLaunch),
|
SecurityType: to.Ptr(armcomputev2.SecurityTypesConfidentialVM),
|
||||||
UefiSettings: &armcomputev2.UefiSettings{VTpmEnabled: to.Ptr(true)},
|
UefiSettings: &armcomputev2.UefiSettings{VTpmEnabled: to.Ptr(true), SecureBootEnabled: to.Ptr(false)},
|
||||||
},
|
},
|
||||||
DiagnosticsProfile: &armcomputev2.DiagnosticsProfile{
|
DiagnosticsProfile: &armcomputev2.DiagnosticsProfile{
|
||||||
BootDiagnostics: &armcomputev2.BootDiagnostics{
|
BootDiagnostics: &armcomputev2.BootDiagnostics{
|
||||||
|
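Review bot: `UefiSettings: &armcomputev2.UefiSettings{VTpmEnabled: to.Ptr(true), SecureBootEnabled: to.Ptr(false)}` switches Secure Boot off explicitly on the new confidential scale set and nothing in the hunk records why; with `SecurityTypesConfidentialVM` the vTPM measurements then become the only boot-integrity evidence a verifier can rely on. Add a why-comment on that line, e.g. `// Secure Boot is disabled: the custom image is not signed for it; boot integrity is verified through the vTPM measurements instead — TODO confirm`, so a later reader does not take the `false` for an oversight. The first hunk's `SecurityEncryptionType: to.Ptr(armcomputev2.SecurityEncryptionTypesVMGuestStateOnly)` deserves a similar one-liner noting that, as the enum name indicates, only the VM guest state is encrypted with the CVM key and not the OS disk contents. ScaleSet.Azure() begins and ends outside both hunks.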
@ -88,7 +88,7 @@ func TestFirewallPermissions(t *testing.T) {
|
|||||||
// Verify vTPM
|
// Verify vTPM
|
||||||
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile)
|
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile)
|
||||||
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.SecurityType)
|
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.SecurityType)
|
||||||
assert.Equal(armcomputev2.SecurityTypesTrustedLaunch, *scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.SecurityType)
|
assert.Equal(armcomputev2.SecurityTypesConfidentialVM, *scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.SecurityType)
|
||||||
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings)
|
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings)
|
||||||
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled)
|
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled)
|
||||||
assert.True(*scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled)
|
assert.True(*scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled)
|
||||||
|
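Review bot: The test now pins `SecurityTypesConfidentialVM` but does not cover the two other settings this commit adds to ScaleSet.Azure(): `SecureBootEnabled` is set to false and the OS disk gets `SecurityEncryptionTypesVMGuestStateOnly`, so a regression in either would go unnoticed. After the `VTpmEnabled` assertion I would add `require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.SecureBootEnabled)` and `assert.False(*scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.SecureBootEnabled)`, plus a matching NotNil/Equal pair on the OSDisk ManagedDisk SecurityProfile's SecurityEncryptionType. The enclosing test function starts and ends outside the hunk.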
@ -101,7 +101,7 @@ az image create -g ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} -n ${AZURE_IM
|
|||||||
echo "Creating Azure Shared Image Gallery."
|
echo "Creating Azure Shared Image Gallery."
|
||||||
az sig create -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --resource-group ${AZURE_RESOURCE_GROUP_NAME}
|
az sig create -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --resource-group ${AZURE_RESOURCE_GROUP_NAME}
|
||||||
echo "Creating Image Definition."
|
echo "Creating Image Definition."
|
||||||
az sig image-definition create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --publisher ${AZURE_PUBLISHER} --offer ${AZURE_IMAGE_OFFER} --sku ${AZURE_SKU} --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=TrustedLaunch
|
az sig image-definition create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --publisher ${AZURE_PUBLISHER} --offer ${AZURE_IMAGE_OFFER} --sku ${AZURE_SKU} --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=ConfidentialVmSupported
|
||||||
echo "Retrieving image ID."
|
echo "Retrieving image ID."
|
||||||
AZURE_IMAGE_ID=$(az image list --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output json | jq -r)
|
AZURE_IMAGE_ID=$(az image list --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output json | jq -r)
|
||||||
echo "Image ID is ${AZURE_IMAGE_ID}"
|
echo "Image ID is ${AZURE_IMAGE_ID}"
|
||||||
|
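Review bot: `--features SecurityType=ConfidentialVmSupported` is chosen over the stricter `SecurityType=ConfidentialVM` feature value without a comment, and the identical change is repeated in the Makefile hunk under `upload-azure`, so the two copies can silently drift. A one-line comment above the command, e.g. `# ConfidentialVmSupported lets the image boot as a CVM with VMGuestStateOnly encryption, matching the scale set's OS disk security profile — TODO confirm`, would record the rationale, and the Makefile line should carry the same note. Longer term the `az sig` invocations could live in one script called from the Makefile so the feature flag is set in a single place.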
@ -150,7 +150,7 @@ upload-azure: $(AZURE_IMAGE_PATH)
|
|||||||
@echo "Create shared image gallery (if it does not exist yet)"
|
@echo "Create shared image gallery (if it does not exist yet)"
|
||||||
-az sig create -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --resource-group $(AZURE_RESOURCE_GROUP_NAME)
|
-az sig create -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --resource-group $(AZURE_RESOURCE_GROUP_NAME)
|
||||||
@echo "Create image definition (if it does not exist yet)"
|
@echo "Create image definition (if it does not exist yet)"
|
||||||
-az sig image-definition create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --publisher $(AZURE_PUBLISHER) --offer $(AZURE_IMAGE_OFFER) --sku $(AZURE_SKU) --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=TrustedLaunch
|
-az sig image-definition create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --publisher $(AZURE_PUBLISHER) --offer $(AZURE_IMAGE_OFFER) --sku $(AZURE_SKU) --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=ConfidentialVmSupported
|
||||||
az sig image-version create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --gallery-image-version $(AZURE_IMAGE_VERSION) --target-regions $(AZURE_REGION) --replica-count 1 --tags bootstrapper-sha512=$$(sha512sum $(BOOTSTRAPPER_OVERRIDE_PATH) | cut -d " " -f 1) --managed-image "$$(az image list --query "[?name == '$(AZURE_IMAGE_NAME)' && resourceGroup == '$(AZURE_RESOURCE_GROUP_NAME)'] | [0].id" --output json | jq -r)"
|
az sig image-version create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --gallery-image-version $(AZURE_IMAGE_VERSION) --target-regions $(AZURE_REGION) --replica-count 1 --tags bootstrapper-sha512=$$(sha512sum $(BOOTSTRAPPER_OVERRIDE_PATH) | cut -d " " -f 1) --managed-image "$$(az image list --query "[?name == '$(AZURE_IMAGE_NAME)' && resourceGroup == '$(AZURE_RESOURCE_GROUP_NAME)'] | [0].id" --output json | jq -r)"
|
||||||
@echo "Cleaning up resources"
|
@echo "Cleaning up resources"
|
||||||
az image delete --resource-group $(AZURE_RESOURCE_GROUP_NAME) -n $(AZURE_IMAGE_NAME)
|
az image delete --resource-group $(AZURE_RESOURCE_GROUP_NAME) -n $(AZURE_IMAGE_NAME)
|
||||||
|
@ -170,7 +170,7 @@ func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejo
|
|||||||
|
|
||||||
// getK8sVersion reads the k8s version from a VolumeMount that is backed by the k8s-version ConfigMap.
|
// getK8sVersion reads the k8s version from a VolumeMount that is backed by the k8s-version ConfigMap.
|
||||||
func (s *Server) getK8sVersion() (string, error) {
|
func (s *Server) getK8sVersion() (string, error) {
|
||||||
fileContent, err := s.file.Read(filepath.Join(constants.ServiceBasePath, "k8s-version"))
|
fileContent, err := s.file.Read(filepath.Join(constants.ServiceBasePath, constants.K8sVersion))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf("could not read k8s version file: %v", err)
|
return "", fmt.Errorf("could not read k8s version file: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -114,3 +114,8 @@ Ubuntu currently ships swtpm 0.6.3 so you need to install swtpm [from launchpad]
|
|||||||
```shell-session
|
```shell-session
|
||||||
sudo chown -R swtpm:root /var/lib/swtpm-localca
|
sudo chown -R swtpm:root /var/lib/swtpm-localca
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Misc
|
||||||
|
|
||||||
|
- List all domains: `virsh list --all`
|
||||||
|
- Destroy domain with nvram: `virsh undefine --nvram <name>`
|
||||||
|