Document exported funcs,types,interfaces and enable check. (#475)
* Include EXC0014 and fix issues. * Include EXC0012 and fix issues. Signed-off-by: Fabian Kammel <fk@edgeless.systems> Co-authored-by: Otto Bittner <cobittner@posteo.net>
This commit is contained in:
parent
c9873f2bfb
commit
0d12e37c96
@ -35,6 +35,9 @@ linters:
|
||||
issues:
|
||||
max-issues-per-linter: 0
|
||||
max-same-issues: 20
|
||||
include:
|
||||
- EXC0012
|
||||
- EXC0014
|
||||
|
||||
linters-settings:
|
||||
errcheck:
|
||||
|
@ -10,6 +10,10 @@ import (
|
||||
"sync"
|
||||
)
|
||||
|
||||
// Cleaner can be used to stop a list of services gracefully.
|
||||
// To register an arbitrary amount of stoppers either use New or With.
|
||||
// Start needs to be called to ready the Cleaner, then Clean will activate it.
|
||||
// Done can be used to wait for Cleaner to run all registered stoppers.
|
||||
type Cleaner struct {
|
||||
stoppers []stopper
|
||||
stopC chan struct{}
|
||||
|
@ -172,12 +172,15 @@ func (s *Server) setupDisk(masterSecret, salt []byte) error {
|
||||
return s.disk.UpdatePassphrase(string(diskKey))
|
||||
}
|
||||
|
||||
// IssuerWrapper adds VM type context to an issuer to distinguish between
|
||||
// confidential and trusted launch VMs.
|
||||
type IssuerWrapper struct {
|
||||
atls.Issuer
|
||||
vmType vmtype.VMType
|
||||
idkeydigest []byte
|
||||
}
|
||||
|
||||
// NewIssuerWrapper creates a new issuer with VM type context.
|
||||
func NewIssuerWrapper(issuer atls.Issuer, vmType vmtype.VMType, idkeydigest []byte) IssuerWrapper {
|
||||
return IssuerWrapper{
|
||||
Issuer: issuer,
|
||||
@ -186,10 +189,12 @@ func NewIssuerWrapper(issuer atls.Issuer, vmType vmtype.VMType, idkeydigest []by
|
||||
}
|
||||
}
|
||||
|
||||
// VMType returns the VM type.
|
||||
func (i *IssuerWrapper) VMType() vmtype.VMType {
|
||||
return i.vmType
|
||||
}
|
||||
|
||||
// IDKeyDigest returns the ID key digest.
|
||||
func (i *IssuerWrapper) IDKeyDigest() []byte {
|
||||
return i.idkeydigest
|
||||
}
|
||||
|
@ -14,10 +14,13 @@ import (
|
||||
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||
)
|
||||
|
||||
// ParseJoinCommand parses API server endpoint, token and CA cert hash from
|
||||
// provided kubeadm join shell command, and returns it as a BootstrapTokenDiscovery.
|
||||
//
|
||||
// Expected format:
|
||||
// kubeadm join [API_SERVER_ENDPOINT] --token [TOKEN] --discovery-token-ca-cert-hash [DISCOVERY_TOKEN_CA_CERT_HASH] --control-plane
|
||||
// .
|
||||
func ParseJoinCommand(joinCommand string) (*kubeadm.BootstrapTokenDiscovery, error) {
|
||||
// Format:
|
||||
// kubeadm join [API_SERVER_ENDPOINT] --token [TOKEN] --discovery-token-ca-cert-hash [DISCOVERY_TOKEN_CA_CERT_HASH] --control-plane
|
||||
|
||||
// split and verify that this is a kubeadm join command
|
||||
argv, err := shlex.Split(joinCommand)
|
||||
if err != nil {
|
||||
|
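Review bot: The doc comment added above ParseJoinCommand ends in a line holding only `// .`, which godoc renders as a stray period after the format example. Drop that line; if a closing full stop is wanted, it belongs on the `// Expected format:` sentence rather than on a line of its own. The function body continues past the end of the hunk.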
@ -112,6 +112,7 @@ func (k *KubernetesUtil) InstallComponents(ctx context.Context, version versions
|
||||
return enableSystemdUnit(ctx, kubeletServicePath)
|
||||
}
|
||||
|
||||
// InitCluster instruments kubeadm to initialize the K8s cluster.
|
||||
func (k *KubernetesUtil) InitCluster(
|
||||
ctx context.Context, initConfig []byte, nodeName string, ips []net.IP, controlPlaneEndpoint string, conformanceMode bool, log *logger.Logger,
|
||||
) error {
|
||||
@ -242,10 +243,12 @@ func (k *KubernetesUtil) prepareControlPlaneForKonnectivity(ctx context.Context,
|
||||
return nil
|
||||
}
|
||||
|
||||
// SetupKonnectivity uses kubectl client to apply the provided konnectivity daemon set.
|
||||
func (k *KubernetesUtil) SetupKonnectivity(kubectl Client, konnectivityAgentsDaemonSet kubernetes.Marshaler) error {
|
||||
return kubectl.Apply(konnectivityAgentsDaemonSet, true)
|
||||
}
|
||||
|
||||
// SetupPodNetworkInput holds all configuration options to setup the pod network.
|
||||
type SetupPodNetworkInput struct {
|
||||
CloudProvider string
|
||||
NodeName string
|
||||
@ -339,6 +342,7 @@ func (k *KubernetesUtil) SetupVerificationService(kubectl Client, verificationSe
|
||||
return kubectl.Apply(verificationServiceConfiguration, true)
|
||||
}
|
||||
|
||||
// SetupOperatorLifecycleManager deploys operator lifecycle manager.
|
||||
func (k *KubernetesUtil) SetupOperatorLifecycleManager(ctx context.Context, kubectl Client, olmCRDs, olmConfiguration kubernetes.Marshaler, crdNames []string) error {
|
||||
if err := kubectl.Apply(olmCRDs, true); err != nil {
|
||||
return fmt.Errorf("applying OLM CRDs: %w", err)
|
||||
@ -351,10 +355,12 @@ func (k *KubernetesUtil) SetupOperatorLifecycleManager(ctx context.Context, kube
|
||||
return kubectl.Apply(olmConfiguration, true)
|
||||
}
|
||||
|
||||
// SetupNodeMaintenanceOperator deploys node maintenance operator.
|
||||
func (k *KubernetesUtil) SetupNodeMaintenanceOperator(kubectl Client, nodeMaintenanceOperatorConfiguration kubernetes.Marshaler) error {
|
||||
return kubectl.Apply(nodeMaintenanceOperatorConfiguration, true)
|
||||
}
|
||||
|
||||
// SetupNodeOperator deploys node operator.
|
||||
func (k *KubernetesUtil) SetupNodeOperator(ctx context.Context, kubectl Client, nodeOperatorConfiguration kubernetes.Marshaler) error {
|
||||
return kubectl.Apply(nodeOperatorConfiguration, true)
|
||||
}
|
||||
|
@ -29,8 +29,10 @@ const (
|
||||
auditPolicyPath = "/etc/kubernetes/audit-policy.yaml"
|
||||
)
|
||||
|
||||
// KubdeadmConfiguration is used to generate kubeadm configurations.
|
||||
type KubdeadmConfiguration struct{}
|
||||
|
||||
// InitConfiguration returns a new init configuration.
|
||||
func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, k8sVersion versions.ValidK8sVersion) KubeadmInitYAML {
|
||||
var cloudProvider string
|
||||
if externalCloudProvider {
|
||||
@ -171,6 +173,7 @@ func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, k8
|
||||
}
|
||||
}
|
||||
|
||||
// JoinConfiguration returns a new kubeadm join configuration.
|
||||
func (c *KubdeadmConfiguration) JoinConfiguration(externalCloudProvider bool) KubeadmJoinYAML {
|
||||
var cloudProvider string
|
||||
if externalCloudProvider {
|
||||
@ -201,27 +204,33 @@ func (c *KubdeadmConfiguration) JoinConfiguration(externalCloudProvider bool) Ku
|
||||
}
|
||||
}
|
||||
|
||||
// KubeadmJoinYAML holds configuration for kubeadm join workflow.
|
||||
type KubeadmJoinYAML struct {
|
||||
JoinConfiguration kubeadm.JoinConfiguration
|
||||
KubeletConfiguration kubeletconf.KubeletConfiguration
|
||||
}
|
||||
|
||||
// SetNodeName sets the node name.
|
||||
func (k *KubeadmJoinYAML) SetNodeName(nodeName string) {
|
||||
k.JoinConfiguration.NodeRegistration.Name = nodeName
|
||||
}
|
||||
|
||||
// SetAPIServerEndpoint sets the api server endpoint.
|
||||
func (k *KubeadmJoinYAML) SetAPIServerEndpoint(apiServerEndpoint string) {
|
||||
k.JoinConfiguration.Discovery.BootstrapToken.APIServerEndpoint = apiServerEndpoint
|
||||
}
|
||||
|
||||
// SetToken sets the boostrap token.
|
||||
func (k *KubeadmJoinYAML) SetToken(token string) {
|
||||
k.JoinConfiguration.Discovery.BootstrapToken.Token = token
|
||||
}
|
||||
|
||||
// AppendDiscoveryTokenCaCertHash appends another trusted discovery token CA hash.
|
||||
func (k *KubeadmJoinYAML) AppendDiscoveryTokenCaCertHash(discoveryTokenCaCertHash string) {
|
||||
k.JoinConfiguration.Discovery.BootstrapToken.CACertHashes = append(k.JoinConfiguration.Discovery.BootstrapToken.CACertHashes, discoveryTokenCaCertHash)
|
||||
}
|
||||
|
||||
// SetNodeIP sets the node IP.
|
||||
func (k *KubeadmJoinYAML) SetNodeIP(nodeIP string) {
|
||||
if k.JoinConfiguration.NodeRegistration.KubeletExtraArgs == nil {
|
||||
k.JoinConfiguration.NodeRegistration.KubeletExtraArgs = map[string]string{"node-ip": nodeIP}
|
||||
@ -230,10 +239,12 @@ func (k *KubeadmJoinYAML) SetNodeIP(nodeIP string) {
|
||||
}
|
||||
}
|
||||
|
||||
// SetProviderID sets the provider ID.
|
||||
func (k *KubeadmJoinYAML) SetProviderID(providerID string) {
|
||||
k.KubeletConfiguration.ProviderID = providerID
|
||||
}
|
||||
|
||||
// SetControlPlane sets the control plane with the advertised address.
|
||||
func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string) {
|
||||
k.JoinConfiguration.ControlPlane = &kubeadm.JoinControlPlane{
|
||||
LocalAPIEndpoint: kubeadm.APIEndpoint{
|
||||
@ -244,21 +255,25 @@ func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string) {
|
||||
k.JoinConfiguration.SkipPhases = []string{"control-plane-prepare/download-certs"}
|
||||
}
|
||||
|
||||
// Marshal into a k8s resource YAML.
|
||||
func (k *KubeadmJoinYAML) Marshal() ([]byte, error) {
|
||||
return kubernetes.MarshalK8SResources(k)
|
||||
}
|
||||
|
||||
// Unmarshal from a k8s resource YAML.
|
||||
func (k *KubeadmJoinYAML) Unmarshal(yamlData []byte) (KubeadmJoinYAML, error) {
|
||||
var tmp KubeadmJoinYAML
|
||||
return tmp, kubernetes.UnmarshalK8SResources(yamlData, &tmp)
|
||||
}
|
||||
|
||||
// KubeadmInitYAML holds configuration for kubeadm init workflow.
|
||||
type KubeadmInitYAML struct {
|
||||
InitConfiguration kubeadm.InitConfiguration
|
||||
ClusterConfiguration kubeadm.ClusterConfiguration
|
||||
KubeletConfiguration kubeletconf.KubeletConfiguration
|
||||
}
|
||||
|
||||
// SetNodeName sets name of node.
|
||||
func (k *KubeadmInitYAML) SetNodeName(nodeName string) {
|
||||
k.InitConfiguration.NodeRegistration.Name = nodeName
|
||||
}
|
||||
@ -273,6 +288,7 @@ func (k *KubeadmInitYAML) SetCertSANs(certSANs []string) {
|
||||
}
|
||||
}
|
||||
|
||||
// SetAPIServerAdvertiseAddress sets the advertised API server address.
|
||||
func (k *KubeadmInitYAML) SetAPIServerAdvertiseAddress(apiServerAdvertiseAddress string) {
|
||||
k.InitConfiguration.LocalAPIEndpoint.AdvertiseAddress = apiServerAdvertiseAddress
|
||||
}
|
||||
@ -284,18 +300,22 @@ func (k *KubeadmInitYAML) SetControlPlaneEndpoint(controlPlaneEndpoint string) {
|
||||
}
|
||||
}
|
||||
|
||||
// SetServiceCIDR sets the CIDR of service subnet.
|
||||
func (k *KubeadmInitYAML) SetServiceCIDR(serviceCIDR string) {
|
||||
k.ClusterConfiguration.Networking.ServiceSubnet = serviceCIDR
|
||||
}
|
||||
|
||||
// SetPodNetworkCIDR sets the CIDR of pod subnet.
|
||||
func (k *KubeadmInitYAML) SetPodNetworkCIDR(podNetworkCIDR string) {
|
||||
k.ClusterConfiguration.Networking.PodSubnet = podNetworkCIDR
|
||||
}
|
||||
|
||||
// SetServiceDNSDomain sets the dns domain.
|
||||
func (k *KubeadmInitYAML) SetServiceDNSDomain(serviceDNSDomain string) {
|
||||
k.ClusterConfiguration.Networking.DNSDomain = serviceDNSDomain
|
||||
}
|
||||
|
||||
// SetNodeIP sets the node IP.
|
||||
func (k *KubeadmInitYAML) SetNodeIP(nodeIP string) {
|
||||
if k.InitConfiguration.NodeRegistration.KubeletExtraArgs == nil {
|
||||
k.InitConfiguration.NodeRegistration.KubeletExtraArgs = map[string]string{"node-ip": nodeIP}
|
||||
@ -304,6 +324,7 @@ func (k *KubeadmInitYAML) SetNodeIP(nodeIP string) {
|
||||
}
|
||||
}
|
||||
|
||||
// SetProviderID sets the provider ID.
|
||||
func (k *KubeadmInitYAML) SetProviderID(providerID string) {
|
||||
if k.InitConfiguration.NodeRegistration.KubeletExtraArgs == nil {
|
||||
k.InitConfiguration.NodeRegistration.KubeletExtraArgs = map[string]string{"provider-id": providerID}
|
||||
@ -312,10 +333,12 @@ func (k *KubeadmInitYAML) SetProviderID(providerID string) {
|
||||
}
|
||||
}
|
||||
|
||||
// Marshal into a k8s resource YAML.
|
||||
func (k *KubeadmInitYAML) Marshal() ([]byte, error) {
|
||||
return kubernetes.MarshalK8SResources(k)
|
||||
}
|
||||
|
||||
// Unmarshal from a k8s resource YAML.
|
||||
func (k *KubeadmInitYAML) Unmarshal(yamlData []byte) (KubeadmInitYAML, error) {
|
||||
var tmp KubeadmInitYAML
|
||||
return tmp, kubernetes.UnmarshalK8SResources(yamlData, &tmp)
|
||||
|
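Review bot: The doc comment added for KubeadmJoinYAML.SetToken misspells the term: `// SetToken sets the boostrap token.` should read `// SetToken sets the bootstrap token.` Two smaller consistency points in the same file: the two new SetNodeName comments differ in wording (`sets the node name` vs `sets name of node`) although both assign NodeRegistration.Name, and `// KubdeadmConfiguration is used to generate kubeadm configurations.` repeats the typo carried by the exported type name. Renaming the type is outside this commit, but it is worth a follow-up so the new doc line does not cement it.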
@ -121,6 +121,10 @@ func (c *Client) ListAllNamespaces(ctx context.Context) (*corev1.NamespaceList,
|
||||
return c.clientset.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
|
||||
}
|
||||
|
||||
// AddTolerationsToDeployment adds [K8s tolerations] to the deployment, identified
|
||||
// by name and namespace.
|
||||
//
|
||||
// [K8s tolerations]: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
|
||||
func (c *Client) AddTolerationsToDeployment(ctx context.Context, tolerations []corev1.Toleration, name string, namespace string) error {
|
||||
deployments := c.clientset.AppsV1().Deployments(namespace)
|
||||
|
||||
@ -143,6 +147,10 @@ func (c *Client) AddTolerationsToDeployment(ctx context.Context, tolerations []c
|
||||
return nil
|
||||
}
|
||||
|
||||
// AddNodeSelectorsToDeployment adds [K8s selectors] to the deployment, identified
|
||||
// by name and namespace.
|
||||
//
|
||||
// [K8s selectors]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
||||
func (c *Client) AddNodeSelectorsToDeployment(ctx context.Context, selectors map[string]string, name string, namespace string) error {
|
||||
deployments := c.clientset.AppsV1().Deployments(namespace)
|
||||
|
||||
|
@ -81,6 +81,7 @@ func (k *Kubectl) SetKubeconfig(kubeconfig []byte) {
|
||||
k.kubeconfig = kubeconfig
|
||||
}
|
||||
|
||||
// CreateConfigMap creates the provided configmap.
|
||||
func (k *Kubectl) CreateConfigMap(ctx context.Context, configMap corev1.ConfigMap) error {
|
||||
client, err := k.clientGenerator.NewClient(k.kubeconfig)
|
||||
if err != nil {
|
||||
@ -100,6 +101,10 @@ func (k *Kubectl) ListAllNamespaces(ctx context.Context) (*corev1.NamespaceList,
|
||||
return client.ListAllNamespaces(ctx)
|
||||
}
|
||||
|
||||
// AddTolerationsToDeployment adds [K8s tolerations] to the deployment, identified
|
||||
// by name and namespace.
|
||||
//
|
||||
// [K8s tolerations]: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
|
||||
func (k *Kubectl) AddTolerationsToDeployment(ctx context.Context, tolerations []corev1.Toleration, name string, namespace string) error {
|
||||
client, err := k.clientGenerator.NewClient(k.kubeconfig)
|
||||
if err != nil {
|
||||
@ -113,6 +118,10 @@ func (k *Kubectl) AddTolerationsToDeployment(ctx context.Context, tolerations []
|
||||
return nil
|
||||
}
|
||||
|
||||
// AddNodeSelectorsToDeployment adds [K8s selectors] to the deployment, identified
|
||||
// by name and namespace.
|
||||
//
|
||||
// [K8s selectors]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
||||
func (k *Kubectl) AddNodeSelectorsToDeployment(ctx context.Context, selectors map[string]string, name string, namespace string) error {
|
||||
client, err := k.clientGenerator.NewClient(k.kubeconfig)
|
||||
if err != nil {
|
||||
@ -126,7 +135,7 @@ func (k *Kubectl) AddNodeSelectorsToDeployment(ctx context.Context, selectors ma
|
||||
return nil
|
||||
}
|
||||
|
||||
// WaitForCRD waits for a list of CRDs to be established.
|
||||
// WaitForCRDs waits for a list of CRDs to be established.
|
||||
func (k *Kubectl) WaitForCRDs(ctx context.Context, crds []string) error {
|
||||
client, err := k.clientGenerator.NewClient(k.kubeconfig)
|
||||
if err != nil {
|
||||
|
@ -18,6 +18,7 @@ type AuditPolicy struct {
|
||||
Policy auditv1.Policy
|
||||
}
|
||||
|
||||
// NewDefaultAuditPolicy create a new default Constellation audit policty.
|
||||
func NewDefaultAuditPolicy() *AuditPolicy {
|
||||
return &AuditPolicy{
|
||||
Policy: auditv1.Policy{
|
||||
|
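Review bot: The new doc comment on NewDefaultAuditPolicy has two slips: the verb does not agree with the subject and "policty" is misspelled. Suggest `// NewDefaultAuditPolicy creates a new default Constellation audit policy.` The constructor body continues outside the hunk.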
@ -14,6 +14,7 @@ import (
|
||||
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// GCPGuestAgentDaemonset is a GCP Guest Agent Daemonset.
|
||||
type GCPGuestAgentDaemonset struct {
|
||||
DaemonSet apps.DaemonSet
|
||||
}
|
||||
|
@ -28,20 +28,24 @@ const (
|
||||
KonnectivityKeyFilename = "/etc/kubernetes/konnectivity.key"
|
||||
)
|
||||
|
||||
// KonnectivityAgents bundles all necessary agent deployments.
|
||||
type KonnectivityAgents struct {
|
||||
DaemonSet appsv1.DaemonSet
|
||||
ClusterRoleBinding rbacv1.ClusterRoleBinding
|
||||
ServiceAccount corev1.ServiceAccount
|
||||
}
|
||||
|
||||
// KonnectivityServerStaticPod deployment.
|
||||
type KonnectivityServerStaticPod struct {
|
||||
StaticPod corev1.Pod
|
||||
}
|
||||
|
||||
// EgressSelectorConfiguration deployment.
|
||||
type EgressSelectorConfiguration struct {
|
||||
EgressSelectorConfiguration apiserver.EgressSelectorConfiguration
|
||||
}
|
||||
|
||||
// NewKonnectivityAgents create new KonnectivityAgents.
|
||||
func NewKonnectivityAgents(konnectivityServerAddress string) *KonnectivityAgents {
|
||||
return &KonnectivityAgents{
|
||||
DaemonSet: appsv1.DaemonSet{
|
||||
@ -213,6 +217,7 @@ func NewKonnectivityAgents(konnectivityServerAddress string) *KonnectivityAgents
|
||||
}
|
||||
}
|
||||
|
||||
// NewKonnectivityServerStaticPod create a new KonnectivityServerStaticPod.
|
||||
func NewKonnectivityServerStaticPod() *KonnectivityServerStaticPod {
|
||||
udsHostPathType := corev1.HostPathDirectoryOrCreate
|
||||
return &KonnectivityServerStaticPod{
|
||||
@ -333,6 +338,7 @@ func NewKonnectivityServerStaticPod() *KonnectivityServerStaticPod {
|
||||
}
|
||||
}
|
||||
|
||||
// NewEgressSelectorConfiguration creates a new EgressSelectorConfiguration.
|
||||
func NewEgressSelectorConfiguration() *EgressSelectorConfiguration {
|
||||
return &EgressSelectorConfiguration{
|
||||
EgressSelectorConfiguration: apiserver.EgressSelectorConfiguration{
|
||||
@ -357,19 +363,22 @@ func NewEgressSelectorConfiguration() *EgressSelectorConfiguration {
|
||||
}
|
||||
}
|
||||
|
||||
// Marshal to Kubernetes YAML.
|
||||
func (v *KonnectivityAgents) Marshal() ([]byte, error) {
|
||||
return kubernetes.MarshalK8SResources(v)
|
||||
}
|
||||
|
||||
// Marshal to Kubernetes YAML.
|
||||
func (v *KonnectivityServerStaticPod) Marshal() ([]byte, error) {
|
||||
return kubernetes.MarshalK8SResources(v)
|
||||
}
|
||||
|
||||
// Marshal to Kubernetes YAML.
|
||||
func (v *EgressSelectorConfiguration) Marshal() ([]byte, error) {
|
||||
return kubernetes.MarshalK8SResources(v)
|
||||
}
|
||||
|
||||
// GetCertificateRequest returns a certificate request and matching private key for the konnectivity server.
|
||||
// GetKonnectivityCertificateRequest returns a certificate request and matching private key for the konnectivity server.
|
||||
func GetKonnectivityCertificateRequest() (certificateRequest []byte, privateKey []byte, err error) {
|
||||
csrTemplate := &x509.CertificateRequest{
|
||||
Subject: pkix.Name{
|
||||
|
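Review bot: Several of the doc comments added in this file are sentence fragments or disagree in number with their subject. `// KonnectivityServerStaticPod deployment.` and `// EgressSelectorConfiguration deployment.` name the type without saying what it holds; given the struct fields shown, `// KonnectivityServerStaticPod holds the static pod spec of the konnectivity server.` and `// EgressSelectorConfiguration holds the API server egress selector configuration.` would read as complete doc sentences. `// NewKonnectivityAgents create new KonnectivityAgents.` and `// NewKonnectivityServerStaticPod create a new KonnectivityServerStaticPod.` should use `creates`. The renamed GetKonnectivityCertificateRequest's body continues outside the hunk.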
@ -21,6 +21,7 @@ const (
|
||||
nodeMaintenanceOperatorCatalogNamespace = "olm"
|
||||
)
|
||||
|
||||
// NodeMaintenanceOperatorDeployment groups all deployments for node maintenance operator.
|
||||
type NodeMaintenanceOperatorDeployment struct {
|
||||
CatalogSource operatorsv1alpha1.CatalogSource
|
||||
OperatorGroup operatorsv1.OperatorGroup
|
||||
@ -80,6 +81,7 @@ func NewNodeMaintenanceOperatorDeployment() *NodeMaintenanceOperatorDeployment {
|
||||
}
|
||||
}
|
||||
|
||||
// Marshal to Kubernetes YAML.
|
||||
func (c *NodeMaintenanceOperatorDeployment) Marshal() ([]byte, error) {
|
||||
return kubernetes.MarshalK8SResources(c)
|
||||
}
|
||||
|
@ -30,6 +30,7 @@ var NodeOperatorCRDNames = []string{
|
||||
"scalinggroups.update.edgeless.systems",
|
||||
}
|
||||
|
||||
// NodeOperatorDeployment groups all deployments for node operator.
|
||||
type NodeOperatorDeployment struct {
|
||||
CatalogSource operatorsv1alpha1.CatalogSource
|
||||
OperatorGroup operatorsv1.OperatorGroup
|
||||
@ -93,6 +94,7 @@ func NewNodeOperatorDeployment(cloudProvider string, uid string) *NodeOperatorDe
|
||||
}
|
||||
}
|
||||
|
||||
// Marshal to Kubernetes YAML.
|
||||
func (c *NodeOperatorDeployment) Marshal() ([]byte, error) {
|
||||
return kubernetes.MarshalK8SResources(c)
|
||||
}
|
||||
|
@ -21,12 +21,14 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
)
|
||||
|
||||
// VerificationDaemonset groups all k8s resources for the verification service deployment.
|
||||
type VerificationDaemonset struct {
|
||||
DaemonSet apps.DaemonSet
|
||||
Service k8s.Service
|
||||
LoadBalancer k8s.Service
|
||||
}
|
||||
|
||||
// NewVerificationDaemonSet creates a new VerificationDaemonset.
|
||||
func NewVerificationDaemonSet(csp, loadBalancerIP string) *VerificationDaemonset {
|
||||
var err error
|
||||
if strings.Contains(loadBalancerIP, ":") {
|
||||
@ -188,6 +190,7 @@ func NewVerificationDaemonSet(csp, loadBalancerIP string) *VerificationDaemonset
|
||||
}
|
||||
}
|
||||
|
||||
// Marshal to Kubernetes YAML.
|
||||
func (v *VerificationDaemonset) Marshal() ([]byte, error) {
|
||||
return kubernetes.MarshalK8SResources(v)
|
||||
}
|
||||
|
@ -19,10 +19,13 @@ type CloudLogger interface {
|
||||
io.Closer
|
||||
}
|
||||
|
||||
// NopLogger implements CloudLogger interface, but does nothing.
|
||||
type NopLogger struct{}
|
||||
|
||||
// Disclose does nothing.
|
||||
func (l *NopLogger) Disclose(msg string) {}
|
||||
|
||||
// Close does nothing.
|
||||
func (l *NopLogger) Close() error {
|
||||
return nil
|
||||
}
|
||||
|
@ -25,6 +25,7 @@ import (
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
// Validator validates Platform Configuration Registers (PCRs).
|
||||
type Validator struct {
|
||||
provider cloudprovider.Provider
|
||||
pcrs map[uint32][]byte
|
||||
@ -35,6 +36,7 @@ type Validator struct {
|
||||
validator atls.Validator
|
||||
}
|
||||
|
||||
// NewValidator creates a new Validator.
|
||||
func NewValidator(provider cloudprovider.Provider, conf *config.Config) (*Validator, error) {
|
||||
v := Validator{}
|
||||
if provider == cloudprovider.Unknown {
|
||||
@ -60,6 +62,7 @@ func NewValidator(provider cloudprovider.Provider, conf *config.Config) (*Valida
|
||||
return &v, nil
|
||||
}
|
||||
|
||||
// UpdateInitPCRs sets the owner and cluster PCR values.
|
||||
func (v *Validator) UpdateInitPCRs(ownerID, clusterID string) error {
|
||||
if err := v.updatePCR(uint32(vtpm.PCRIndexOwnerID), ownerID); err != nil {
|
||||
return err
|
||||
|
@ -10,6 +10,8 @@ import (
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
// NewConfigCmd creates a new config parent command. Config needs another
|
||||
// verb, and does nothing on its own.
|
||||
func NewConfigCmd() *cobra.Command {
|
||||
cmd := &cobra.Command{
|
||||
Use: "config",
|
||||
|
@ -32,8 +32,9 @@ import (
|
||||
//go:generate ./generateCilium.sh
|
||||
|
||||
//go:embed all:charts/*
|
||||
var HelmFS embed.FS
|
||||
var helmFS embed.FS
|
||||
|
||||
// ChartLoader loads embedded helm charts.
|
||||
type ChartLoader struct {
|
||||
joinServiceImage string
|
||||
kmsImage string
|
||||
@ -42,6 +43,7 @@ type ChartLoader struct {
|
||||
autoscalerImage string
|
||||
}
|
||||
|
||||
// New creates a new ChartLoader.
|
||||
func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *ChartLoader {
|
||||
var ccmImage, cnmImage string
|
||||
switch csp {
|
||||
@ -63,6 +65,7 @@ func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *Chart
|
||||
}
|
||||
}
|
||||
|
||||
// Load the embedded helm charts.
|
||||
func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool) ([]byte, error) {
|
||||
ciliumRelease, err := i.loadCilium(csp, conformanceMode)
|
||||
if err != nil {
|
||||
@ -83,7 +86,7 @@ func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, mas
|
||||
}
|
||||
|
||||
func (i *ChartLoader) loadCilium(csp cloudprovider.Provider, conformanceMode bool) (helm.Release, error) {
|
||||
chart, err := loadChartsDir(HelmFS, "charts/cilium")
|
||||
chart, err := loadChartsDir(helmFS, "charts/cilium")
|
||||
if err != nil {
|
||||
return helm.Release{}, fmt.Errorf("loading cilium chart: %w", err)
|
||||
}
|
||||
@ -124,7 +127,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
||||
masterSecret []byte, salt []byte, enforcedPCRs []uint32,
|
||||
enforceIDKeyDigest bool,
|
||||
) (helm.Release, error) {
|
||||
chart, err := loadChartsDir(HelmFS, "charts/edgeless/constellation-services")
|
||||
chart, err := loadChartsDir(helmFS, "charts/edgeless/constellation-services")
|
||||
if err != nil {
|
||||
return helm.Release{}, fmt.Errorf("loading constellation-services chart: %w", err)
|
||||
}
|
||||
|
@ -89,7 +89,7 @@ func (c *Client) CreateCluster(
|
||||
return ip, nil
|
||||
}
|
||||
|
||||
// DestroyInstances destroys a Constellation cluster using Terraform.
|
||||
// DestroyCluster destroys a Constellation cluster using Terraform.
|
||||
func (c *Client) DestroyCluster(ctx context.Context) error {
|
||||
return c.tf.Destroy(ctx)
|
||||
}
|
||||
|
@ -39,7 +39,7 @@ func (v *CommonVariables) String() string {
|
||||
return b.String()
|
||||
}
|
||||
|
||||
// GCPVariables is user configuration for creating a cluster with Terraform on GCP.
|
||||
// AWSVariables is user configuration for creating a cluster with Terraform on GCP.
|
||||
type AWSVariables struct {
|
||||
// CommonVariables contains common variables.
|
||||
CommonVariables
|
||||
|
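Review bot: The replacement comment on AWSVariables still says the type is for GCP: `// AWSVariables is user configuration for creating a cluster with Terraform on GCP.` Only the type name was corrected in the new line; the provider at the end of the sentence should change as well, to `// AWSVariables is user configuration for creating a cluster with Terraform on AWS.` The struct definition continues outside the hunk.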
@ -8,6 +8,7 @@ package debugd
|
||||
|
||||
import "time"
|
||||
|
||||
// Debugd internal constants.
|
||||
const (
|
||||
DebugdMetadataFlag = "constellation-debugd"
|
||||
GRPCTimeout = 5 * time.Minute
|
||||
|
@ -21,14 +21,21 @@ const (
|
||||
systemdUnitFolder = "/run/systemd/system"
|
||||
)
|
||||
|
||||
// SystemdAction encodes the available actions.
|
||||
//
|
||||
//go:generate stringer -type=SystemdAction
|
||||
type SystemdAction uint32
|
||||
|
||||
const (
|
||||
// Unknown is the default SystemdAction and does nothing.
|
||||
Unknown SystemdAction = iota
|
||||
// Start a systemd service.
|
||||
Start
|
||||
// Stop a systemd service.
|
||||
Stop
|
||||
// Restart a systemd service.
|
||||
Restart
|
||||
// Reload a systemd service.
|
||||
Reload
|
||||
)
|
||||
|
||||
|
@ -30,12 +30,14 @@ type Fetcher struct {
|
||||
metaAPI providerMetadata
|
||||
}
|
||||
|
||||
// New creates a new Fetcher.
|
||||
func New(cloud providerMetadata) *Fetcher {
|
||||
return &Fetcher{
|
||||
metaAPI: cloud,
|
||||
}
|
||||
}
|
||||
|
||||
// Role returns node role via meta data API.
|
||||
func (f *Fetcher) Role(ctx context.Context) (role.Role, error) {
|
||||
self, err := f.metaAPI.Self(ctx)
|
||||
if err != nil {
|
||||
@ -71,6 +73,7 @@ func (f *Fetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) {
|
||||
return ips, nil
|
||||
}
|
||||
|
||||
// DiscoverLoadbalancerIP gets load balancer IP from metadata API.
|
||||
func (f *Fetcher) DiscoverLoadbalancerIP(ctx context.Context) (string, error) {
|
||||
lbEndpoint, err := f.metaAPI.GetLoadBalancerEndpoint(ctx)
|
||||
if err != nil {
|
||||
|
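Review bot: The new doc comment on Fetcher.Role uses "meta data" as two words and drops the articles: `// Role returns node role via meta data API.` Suggest `// Role returns the node role via the metadata API.`, which also matches the `metaAPI` field name the method reads. The method body continues outside the hunk.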
@ -16,22 +16,22 @@ import (
|
||||
// Fetcher implements metadata.Fetcher interface but does not actually fetch cloud provider metadata.
|
||||
type Fetcher struct{}
|
||||
|
||||
// Role for fallback fetcher does not try to fetch role.
|
||||
func (f Fetcher) Role(_ context.Context) (role.Role, error) {
|
||||
// Fallback fetcher does not try to fetch role
|
||||
return role.Unknown, nil
|
||||
}
|
||||
|
||||
// DiscoverDebugdIPs for fallback fetcher does not try to discover debugd IPs.
|
||||
func (f Fetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) {
|
||||
// Fallback fetcher does not try to discover debugd IPs
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// DiscoverLoadbalancerIP for fallback fetcher does not try to discover loadbalancer IP.
|
||||
func (f Fetcher) DiscoverLoadbalancerIP(ctx context.Context) (string, error) {
|
||||
// Fallback fetcher does not try to discover loadbalancer IP
|
||||
return "", nil
|
||||
}
|
||||
|
||||
// FetchSSHKeys for fallback fetcher does not try to fetch ssh keys.
|
||||
func (f Fetcher) FetchSSHKeys(ctx context.Context) ([]ssh.UserKey, error) {
|
||||
// Fallback fetcher does not try to fetch ssh keys
|
||||
return nil, nil
|
||||
}
|
||||
|
@ -160,14 +160,17 @@ func (s *Manager) saveConfiguration(passphrase []byte) error {
|
||||
return s.config.Generate(stateDiskMappedName, s.diskPath, filepath.Join(keyPath, keyFile), cryptsetupOptions)
|
||||
}
|
||||
|
||||
// RecoveryServer interface serves a recovery server.
|
||||
type RecoveryServer interface {
|
||||
Serve(context.Context, net.Listener, string) (key, secret []byte, err error)
|
||||
}
|
||||
|
||||
// RejoinClient interface starts a rejoin client.
|
||||
type RejoinClient interface {
|
||||
Start(context.Context, string) (key, secret []byte)
|
||||
}
|
||||
|
||||
// NodeRecoverer bundles a RecoveryServer and RejoinClient.
|
||||
type NodeRecoverer struct {
|
||||
recoveryServer RecoveryServer
|
||||
rejoinClient RejoinClient
|
||||
|
@ -23,6 +23,7 @@ import (
|
||||
"gopkg.in/square/go-jose.v2/jwt"
|
||||
)
|
||||
|
||||
// IsolationTEE describes an Azure SNP TEE.
|
||||
type IsolationTEE struct {
|
||||
IDKeyDigest string `json:"x-ms-sevsnpvm-idkeydigest"`
|
||||
TEESvn int `json:"x-ms-sevsnpvm-tee-svn"`
|
||||
@ -32,6 +33,7 @@ type IsolationTEE struct {
|
||||
GuestSvn int `json:"x-ms-sevsnpvm-guestsvn"`
|
||||
}
|
||||
|
||||
// PrintSVNs prints the relevant Security Version Numbers (SVNs).
|
||||
func (i *IsolationTEE) PrintSVNs() {
|
||||
fmt.Println("\tTEE SVN:", i.TEESvn)
|
||||
fmt.Println("\tSNP FW SVN:", i.SNPFwSvn)
|
||||
|
@ -17,12 +17,14 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
)
|
||||
|
||||
// Client for Azure Gallery API.
|
||||
type Client struct {
|
||||
log *logger.Logger
|
||||
opts Options
|
||||
versionClient *armcompute.GalleryImageVersionsClient
|
||||
}
|
||||
|
||||
// NewClient creates a new Client.
|
||||
func NewClient(log *logger.Logger, opts Options) *Client {
|
||||
log = log.Named("azure-client")
|
||||
|
||||
@ -43,6 +45,7 @@ func NewClient(log *logger.Logger, opts Options) *Client {
|
||||
}
|
||||
}
|
||||
|
||||
// FetchImages for the given client options.
|
||||
func (c *Client) FetchImages(ctx context.Context) (map[string]string, error) {
|
||||
ctx, cancel := context.WithTimeout(ctx, time.Second*5)
|
||||
defer cancel()
|
||||
|
@ -13,11 +13,15 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
// DefaultResourceGroupName to find Constellation images in.
|
||||
DefaultResourceGroupName = "CONSTELLATION-IMAGES"
|
||||
DefaultGalleryName = "Constellation_CVM"
|
||||
DefaultImageDefinition = "constellation"
|
||||
// DefaultGalleryName to find Constellation images in.
|
||||
DefaultGalleryName = "Constellation_CVM"
|
||||
// DefaultImageDefinition to find Constellation images in.
|
||||
DefaultImageDefinition = "constellation"
|
||||
)
|
||||
|
||||
// Options for Azure Client to download image references.
|
||||
type Options struct {
|
||||
SubscriptionID string
|
||||
ResourceGroupName string
|
||||
@ -25,6 +29,7 @@ type Options struct {
|
||||
ImageDefinition string
|
||||
}
|
||||
|
||||
// DefaultOptions creates an Options object with good defaults.
|
||||
func DefaultOptions() Options {
|
||||
return Options{
|
||||
SubscriptionID: "",
|
||||
@ -34,6 +39,7 @@ func DefaultOptions() Options {
|
||||
}
|
||||
}
|
||||
|
||||
// SetSubscription sets subscription from string. It expects a UUID conform value.
|
||||
func (o *Options) SetSubscription(sub string) error {
|
||||
if _, err := uuid.Parse(sub); err != nil {
|
||||
return fmt.Errorf("unable to set subscription: %w", err)
|
||||
|
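Review bot: The new doc comment on Options.SetSubscription reads awkwardly: `It expects a UUID conform value.` Suggest `// SetSubscription sets the subscription from a string, which must be a valid UUID.`, which matches the uuid.Parse check on the following line. The method body continues outside the hunk.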
@ -16,12 +16,14 @@ import (
|
||||
computepb "google.golang.org/genproto/googleapis/cloud/compute/v1"
|
||||
)
|
||||
|
||||
// Client for GCP Image API.
|
||||
type Client struct {
|
||||
client *compute.ImagesClient
|
||||
log *logger.Logger
|
||||
opts Options
|
||||
}
|
||||
|
||||
// NewClient creates a new Client.
|
||||
func NewClient(ctx context.Context, log *logger.Logger, opts Options) *Client {
|
||||
client, err := compute.NewImagesRESTClient(ctx)
|
||||
if err != nil {
|
||||
@ -35,10 +37,12 @@ func NewClient(ctx context.Context, log *logger.Logger, opts Options) *Client {
|
||||
}
|
||||
}
|
||||
|
||||
// Close the GCP client.
|
||||
func (c *Client) Close() error {
|
||||
return c.client.Close()
|
||||
}
|
||||
|
||||
// FetchImages for the given client options.
|
||||
func (c *Client) FetchImages(ctx context.Context) (map[string]string, error) {
|
||||
imgIterator := c.client.List(ctx, &computepb.ListImagesRequest{
|
||||
Project: c.opts.ProjectID,
|
||||
|
@ -13,16 +13,20 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
DefaultProjectID = "constellation-images"
|
||||
// DefaultProjectID for Constellation images.
|
||||
DefaultProjectID = "constellation-images"
|
||||
// DefaultImageFamily for Constellation images.
|
||||
DefaultImageFamily = "constellation"
|
||||
)
|
||||
|
||||
// Options for GCP image API client.
|
||||
type Options struct {
|
||||
ProjectID string
|
||||
ImageFamily string
|
||||
Filter func(image string) (version string, err error)
|
||||
}
|
||||
|
||||
// DefaultOptions creates an Options object with good defaults.
|
||||
func DefaultOptions() Options {
|
||||
return Options{
|
||||
ProjectID: DefaultProjectID,
|
||||
|
@ -18,6 +18,7 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
// AzureSubscriptionIDEnv environment variable to provide Azure Subscription ID with.
|
||||
AzureSubscriptionIDEnv = "AZURE_SUBSCRIPTION_ID"
|
||||
)
|
||||
|
||||
|
@ -8,10 +8,12 @@ package main
|
||||
|
||||
import "encoding/json"
|
||||
|
||||
// Manifest contains all Constellation releases.
|
||||
type Manifest struct {
|
||||
releases map[string]Images
|
||||
}
|
||||
|
||||
// Images for all supported cloud providers.
|
||||
type Images struct {
|
||||
AzureOSImage string `json:"AzureOSImage"`
|
||||
GCPOSImage string `json:"GCPOSImage"`
|
||||
@ -50,10 +52,12 @@ func OldManifests() Manifest {
|
||||
}
|
||||
}
|
||||
|
||||
// MarshalJSON marshals releases to JSON.
|
||||
func (m *Manifest) MarshalJSON() ([]byte, error) {
|
||||
return json.Marshal(m.releases)
|
||||
}
|
||||
|
||||
// SetAzureImage for a given version.
|
||||
func (m *Manifest) SetAzureImage(version string, image string) {
|
||||
if release, ok := m.releases[version]; !ok {
|
||||
images := Images{AzureOSImage: image}
|
||||
@ -64,6 +68,7 @@ func (m *Manifest) SetAzureImage(version string, image string) {
|
||||
}
|
||||
}
|
||||
|
||||
// SetGCPImage for a given version.
|
||||
func (m *Manifest) SetGCPImage(version string, image string) {
|
||||
if release, ok := m.releases[version]; !ok {
|
||||
images := Images{GCPOSImage: image}
|
||||
|
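Review bot: MarshalJSON is declared on the pointer receiver *Manifest, so encoding/json only invokes it for a *Manifest or an addressable Manifest; a plain Manifest value passed to json.Marshal is encoded as `{}` because releases is unexported. The new one-line comment should make that visible, e.g. `// MarshalJSON marshals releases to JSON. It has a pointer receiver, so marshal a *Manifest to use it.` SetAzureImage and SetGCPImage both write into m.releases, so the map must be initialised before either is called; the constructor that does so is outside the hunk.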
@ -16,6 +16,7 @@ import (
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
// Server provides measurements.
|
||||
type Server struct {
|
||||
log *logger.Logger
|
||||
server http.Server
|
||||
@ -23,6 +24,7 @@ type Server struct {
|
||||
done chan<- struct{}
|
||||
}
|
||||
|
||||
// New creates a new Server.
|
||||
func New(log *logger.Logger, done chan<- struct{}) *Server {
|
||||
return &Server{
|
||||
log: log,
|
||||
@ -30,6 +32,7 @@ func New(log *logger.Logger, done chan<- struct{}) *Server {
|
||||
}
|
||||
}
|
||||
|
||||
// ListenAndServe on given port.
|
||||
func (s *Server) ListenAndServe(port string) error {
|
||||
mux := http.NewServeMux()
|
||||
mux.Handle("/pcrs", http.HandlerFunc(s.logPCRs))
|
||||
@ -46,6 +49,7 @@ func (s *Server) ListenAndServe(port string) error {
|
||||
return s.server.Serve(lis)
|
||||
}
|
||||
|
||||
// Shutdown server.
|
||||
func (s *Server) Shutdown() error {
|
||||
return s.server.Shutdown(context.Background())
|
||||
}
|
||||
@ -84,6 +88,7 @@ func (s *Server) logPCRs(w http.ResponseWriter, r *http.Request) {
|
||||
s.done <- struct{}{}
|
||||
}
|
||||
|
||||
// GetMeasurements returns the static measurements for QEMU environment.
|
||||
func (s *Server) GetMeasurements() map[uint32][]byte {
|
||||
return s.measurements
|
||||
}
|
||||
|
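Review bot: Shutdown hands context.Background() to http.Server.Shutdown, so a client that keeps a connection open can block the call indefinitely, and the new comment "Shutdown server." does not mention it. Either bound the wait, for example `ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)` / `defer cancel()` / `return s.server.Shutdown(ctx)` (the 5 s is a constructed example, and the file would need the time import), or document that Shutdown waits for all connections. In the last hunk GetMeasurements returns the internal map itself, so callers can mutate what the server serves; if that is intended, its comment should say the map is shared rather than copied. ListenAndServe's body is cut by the hunk.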
@ -68,6 +68,7 @@ func main() {
|
||||
}
|
||||
}
|
||||
|
||||
// Measurements contains all PCR values.
|
||||
type Measurements map[uint32][]byte
|
||||
|
||||
var _ yaml.Marshaler = Measurements{}
|
||||
|
@ -23,10 +23,12 @@ var (
|
||||
tagReference = regexp.MustCompile(`^refs/tags/([^/]+)$`)
|
||||
)
|
||||
|
||||
// Git represents a git repository.
|
||||
type Git struct {
|
||||
repo *git.Repository
|
||||
}
|
||||
|
||||
// New opens the git repository in current directory.
|
||||
func New() (*Git, error) {
|
||||
repo, err := git.PlainOpenWithOptions("", &git.PlainOpenOptions{DetectDotGit: true})
|
||||
return &Git{repo: repo}, err
|
||||
@ -106,6 +108,7 @@ func (g *Git) ParsedBranchName() (string, error) {
|
||||
return strings.TrimSuffix(branch, "-"), nil
|
||||
}
|
||||
|
||||
// BranchName of current HEAD.
|
||||
func (g *Git) BranchName() (string, error) {
|
||||
commitRef, err := g.repo.Head()
|
||||
if err != nil {
|
||||
|
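Review bot: New returns `&Git{repo: repo}, err`, so on failure the caller gets a non-nil *Git wrapping a nil repository together with the error; by convention the result is meaningless when err is non-nil and should be nil. Change the tail to `if err != nil { return nil, err }` followed by `return &Git{repo: repo}, nil`; the new comment can stay as written. New is fully visible in the hunk; BranchName in the later hunk is cut.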
@ -21,12 +21,14 @@ import (
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
// Server that provides QEMU metadata.
|
||||
type Server struct {
|
||||
log *logger.Logger
|
||||
virt virConnect
|
||||
network string
|
||||
}
|
||||
|
||||
// New creates a new Server.
|
||||
func New(log *logger.Logger, network string, conn virConnect) *Server {
|
||||
return &Server{
|
||||
log: log,
|
||||
@ -35,6 +37,7 @@ func New(log *logger.Logger, network string, conn virConnect) *Server {
|
||||
}
|
||||
}
|
||||
|
||||
// ListenAndServe on a given port.
|
||||
func (s *Server) ListenAndServe(port string) error {
|
||||
mux := http.NewServeMux()
|
||||
mux.Handle("/self", http.HandlerFunc(s.listSelf))
|
||||
|
@ -8,10 +8,12 @@ package virtwrapper
|
||||
|
||||
import "libvirt.org/go/libvirt"
|
||||
|
||||
// Connect wraps a libvirt connection.
|
||||
type Connect struct {
|
||||
Conn *libvirt.Connect
|
||||
}
|
||||
|
||||
// LookupNetworkByName looks up a network by name.
|
||||
func (c *Connect) LookupNetworkByName(name string) (*Network, error) {
|
||||
net, err := c.Conn.LookupNetworkByName(name)
|
||||
if err != nil {
|
||||
@ -20,14 +22,17 @@ func (c *Connect) LookupNetworkByName(name string) (*Network, error) {
|
||||
return &Network{Net: net}, nil
|
||||
}
|
||||
|
||||
// Network wraps a libvirt network.
|
||||
type Network struct {
|
||||
Net virNetwork
|
||||
}
|
||||
|
||||
// GetDHCPLeases returns the underlying DHCP leases.
|
||||
func (n *Network) GetDHCPLeases() ([]libvirt.NetworkDHCPLease, error) {
|
||||
return n.Net.GetDHCPLeases()
|
||||
}
|
||||
|
||||
// Free the network resource.
|
||||
func (n *Network) Free() {
|
||||
_ = n.Net.Free()
|
||||
}
|
||||
|
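Review bot: Free discards the error from n.Net.Free() with a blank assignment, and the new comment "Free the network resource." gives no reason for ignoring it. An ignored error should carry its justification, e.g. `// Free releases the libvirt network handle. The error from libvirt is dropped because a failed release leaves the caller with nothing to do.` — or, if callers could act on it, return the error instead; the hunk does not show which is intended. The same goes for any other wrapper in this package that swallows libvirt errors.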
@ -69,11 +69,13 @@ func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*t
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Issuer issues an attestation document.
|
||||
type Issuer interface {
|
||||
oid.Getter
|
||||
Issue(userData []byte, nonce []byte) (quote []byte, err error)
|
||||
}
|
||||
|
||||
// Validator is able to validate an attestation document.
|
||||
type Validator interface {
|
||||
oid.Getter
|
||||
Validate(attDoc []byte, nonce []byte) ([]byte, error)
|
||||
|
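Review bot: The Issuer and Validator comments say what the types are but not the contract that makes attested TLS sound: the nonce given to Validate has to be the one the peer bound into the quote through Issue, and the []byte that Validate returns is not described at all (presumably the userData bound into the document — confirm). Suggest `// Validate verifies attDoc against nonce and, on success, returns the user data bound into the document.` above Validate, and on Issuer a sentence that the quote binds both userData and nonce so that a replayed document fails validation. The Validator declaration continues outside the hunk.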
@ -27,6 +27,7 @@ type Issuer struct {
|
||||
*vtpm.Issuer
|
||||
}
|
||||
|
||||
// NewIssuer creates a new OpenVTPM based issuer for AWS.
|
||||
func NewIssuer() *Issuer {
|
||||
return &Issuer{
|
||||
Issuer: vtpm.NewIssuer(
|
||||
|
19
internal/attestation/azure/snp/README.md
@ -0,0 +1,19 @@
|
||||
# SNP
|
||||
|
||||
## Glosssary
|
||||
|
||||
This section explains abbreviations used in SNP implementation.
|
||||
|
||||
### Attestation Key (AK)
|
||||
|
||||
### AMD Root Key (ARK)
|
||||
|
||||
### AMD Signing Key (ASK)
|
||||
|
||||
### Versioned Chip Endorsement Key (VCEK)
|
||||
|
||||
For more information see [SNP WhitePaper](https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf)
|
||||
|
||||
### Host (Hardware?) Compatibility Layer (HCL)
|
||||
|
||||
No public information. Azure compute API has a field `isHostCompatibilityLayerVm`, with only a [single sentence of documentation](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows).
|
@ -311,6 +311,9 @@ func (a *azureInstanceInfo) validateAk(runtimeDataRaw []byte, reportData []byte,
|
||||
return nil
|
||||
}
|
||||
|
||||
// HCLAkValidator validates an attestation key issued by the Host Compatibility Layer (HCL).
|
||||
// The HCL is written by Azure, and sits between the Hypervisor and CVM OS.
|
||||
// The HCL runs in the protected context of the CVM.
|
||||
type HCLAkValidator interface {
|
||||
validateAk(runtimeDataRaw []byte, reportData []byte, rsaParameters *tpm2.RSAParams) error
|
||||
}
|
||||
|
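Review bot: HCLAkValidator is an exported interface whose only method, validateAk, is unexported, so only types inside this package can implement it and external callers cannot supply their own validator. If that is deliberate, the new doc comment should say so, e.g. append `// Only types in this package can implement it, since validateAk is unexported.`; otherwise export the method or keep the interface unexported. The validateAk method that ends at the top of the hunk starts outside it.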
@ -14,6 +14,8 @@ import (
|
||||
"github.com/microsoft/ApplicationInsights-Go/appinsights"
|
||||
)
|
||||
|
||||
// Logger implements CloudLogger interface for Azure to Disclose early boot
|
||||
// logs into Azure's App Insights service.
|
||||
type Logger struct {
|
||||
client appinsights.TelemetryClient
|
||||
}
|
||||
|
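Review bot: The new Azure Logger comment lacks the warning its GCP counterpart in this commit carries ("Do not use to log sensitive information."), although both ship early-boot logs to a cloud logging service. For consistency: `// Logger implements the CloudLogger interface for Azure to disclose early boot logs into Azure's App Insights service. Do not use to log sensitive information.` This also fixes "Disclose" being capitalised mid-sentence.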
@ -17,10 +17,15 @@ import (
|
||||
type Provider uint32
|
||||
|
||||
const (
|
||||
// Unknown is default value for Provider.
|
||||
Unknown Provider = iota
|
||||
// AWS is Amazon Web Services.
|
||||
AWS
|
||||
// Azure cloud.
|
||||
Azure
|
||||
// GCP is Google Compute Platform.
|
||||
GCP
|
||||
// QEMU for a local emulated installation.
|
||||
QEMU
|
||||
)
|
||||
|
||||
|
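Review bot: The comment on GCP expands the abbreviation wrongly; the product is Google Cloud Platform, not "Google Compute Platform". Change it to `// GCP is Google Cloud Platform.`. The Azure entry is also terser than its siblings; `// Azure is Microsoft Azure.` would follow the same pattern.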
@ -15,6 +15,7 @@ import (
|
||||
"cloud.google.com/go/logging"
|
||||
)
|
||||
|
||||
// Logger logs to GCP cloud logging. Do not use to log sensitive information.
|
||||
type Logger struct {
|
||||
client *logging.Client
|
||||
logger *log.Logger
|
||||
|
@ -25,6 +25,7 @@ type ServiceAccountKey struct {
|
||||
ClientX509CertURL string `json:"client_x509_cert_url"`
|
||||
}
|
||||
|
||||
// ServiceAccountKeyFromURI parses ServiceAccountKey from URI.
|
||||
func ServiceAccountKeyFromURI(serviceAccountURI string) (ServiceAccountKey, error) {
|
||||
uri, err := url.Parse(serviceAccountURI)
|
||||
if err != nil {
|
||||
|
@ -35,11 +35,13 @@ type InstanceMetadata struct {
|
||||
AliasIPRanges []string
|
||||
}
|
||||
|
||||
// InstanceSelfer provide instance metadata about themselves.
|
||||
type InstanceSelfer interface {
|
||||
// Self retrieves the current instance.
|
||||
Self(ctx context.Context) (InstanceMetadata, error)
|
||||
}
|
||||
|
||||
// InstanceLister list information about instance metadata.
|
||||
type InstanceLister interface {
|
||||
// List retrieves all instances belonging to the current constellation.
|
||||
List(ctx context.Context) ([]InstanceMetadata, error)
|
||||
|
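Review bot: Both new interface comments have a subject–verb mismatch: "InstanceSelfer provide instance metadata about themselves" and "InstanceLister list information about instance metadata". Suggest `// InstanceSelfer provides metadata about the instance it runs on.` and `// InstanceLister lists metadata of the instances in the current constellation.`, which also line up with the method comments beneath them. The InstanceLister declaration continues outside the hunk.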
@ -14,8 +14,11 @@ import "strings"
|
||||
type VMType uint32
|
||||
|
||||
const (
|
||||
// Unknown is the default value for VMType and should not be used.
|
||||
Unknown VMType = iota
|
||||
// AzureCVM is an Azure Confidential Virtual Machine (CVM).
|
||||
AzureCVM
|
||||
// AzureTrustedLaunch is an Azure Trusted Launch VM.
|
||||
AzureTrustedLaunch
|
||||
)
|
||||
|
||||
|
@ -28,6 +28,7 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
// Version1 is the first version number for Constellation config file.
|
||||
Version1 = "v1"
|
||||
)
|
||||
|
||||
@ -217,6 +218,7 @@ type GCPConfig struct {
|
||||
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||
}
|
||||
|
||||
// QEMUConfig holds config information for QEMU based Constellation deployments.
|
||||
type QEMUConfig struct {
|
||||
// description: |
|
||||
// Path to the image to use for the VMs.
|
||||
@ -538,6 +540,7 @@ func (c *Config) Image() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
// UpdateMeasurements overwrites measurements in config with the provided ones.
|
||||
func (c *Config) UpdateMeasurements(newMeasurements Measurements) {
|
||||
if c.Provider.AWS != nil {
|
||||
c.Provider.AWS.Measurements.CopyFrom(newMeasurements)
|
||||
@ -612,6 +615,7 @@ func (c *Config) IsAzureNonCVM() bool {
|
||||
return c.Provider.Azure != nil && c.Provider.Azure.ConfidentialVM != nil && !*c.Provider.Azure.ConfidentialVM
|
||||
}
|
||||
|
||||
// EnforcesIDKeyDigest checks whether ID Key Digest should be enforced for respective cloud provider.
|
||||
func (c *Config) EnforcesIDKeyDigest() bool {
|
||||
return c.Provider.Azure != nil && c.Provider.Azure.EnforceIDKeyDigest != nil && *c.Provider.Azure.EnforceIDKeyDigest
|
||||
}
|
||||
|
@ -9,6 +9,8 @@ SPDX-License-Identifier: AGPL-3.0-only
|
||||
package config
|
||||
|
||||
const (
|
||||
// DefaultImageAzure is not set for OSS build.
|
||||
DefaultImageAzure = ""
|
||||
DefaultImageGCP = ""
|
||||
// DefaultImageGCP is not set for OSS build.
|
||||
DefaultImageGCP = ""
|
||||
)
|
||||
|
@ -6,7 +6,8 @@ SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
package instancetypes
|
||||
|
||||
// Derived from: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html (Last updated: October 20th, 2022).
|
||||
// AWSSupportedInstanceFamilies is derived from:
|
||||
// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html (Last updated: October 20th, 2022).
|
||||
var AWSSupportedInstanceFamilies = []string{
|
||||
"C5",
|
||||
"C5a",
|
||||
|
@ -22,6 +22,7 @@ import (
|
||||
"gopkg.in/yaml.v2"
|
||||
)
|
||||
|
||||
// Measurements are Platform Configuration Register (PCR) values.
|
||||
type Measurements map[uint32][]byte
|
||||
|
||||
var (
|
||||
|
@ -35,38 +35,54 @@ const (
|
||||
// JoinServicePort is the port for reaching the join service within Kubernetes.
|
||||
JoinServicePort = 9090
|
||||
// JoinServiceNodePort is the port for reaching the join service outside of Kubernetes.
|
||||
JoinServiceNodePort = 30090
|
||||
VerifyServicePortHTTP = 8080
|
||||
VerifyServicePortGRPC = 9090
|
||||
JoinServiceNodePort = 30090
|
||||
// VerifyServicePortHTTP HTTP port for verification service.
|
||||
VerifyServicePortHTTP = 8080
|
||||
// VerifyServicePortGRPC GRPC port for verification service.
|
||||
VerifyServicePortGRPC = 9090
|
||||
// VerifyServiceNodePortHTTP HTTP node port for verification service.
|
||||
VerifyServiceNodePortHTTP = 30080
|
||||
// VerifyServiceNodePortGRPC GRPC node port for verification service.
|
||||
VerifyServiceNodePortGRPC = 30081
|
||||
// KMSPort is the port the KMS server listens on.
|
||||
KMSPort = 9000
|
||||
KMSPort = 9000
|
||||
// BootstrapperPort port of bootstrapper.
|
||||
BootstrapperPort = 9000
|
||||
KubernetesPort = 6443
|
||||
RecoveryPort = 9999
|
||||
EnclaveSSHPort = 2222
|
||||
SSHPort = 22
|
||||
NVMEOverTCPPort = 8009
|
||||
DebugdPort = 4000
|
||||
// KubernetesPort port for Kubernetes API.
|
||||
KubernetesPort = 6443
|
||||
// RecoveryPort port for Constellation recovery server.
|
||||
RecoveryPort = 9999
|
||||
// SSHPort port for SSH access.
|
||||
SSHPort = 22
|
||||
// DebugdPort port for debugd process.
|
||||
DebugdPort = 4000
|
||||
// KonnectivityPort port for konnectivity k8s service.
|
||||
KonnectivityPort = 8132
|
||||
// Default NodePort Range
|
||||
// NodePortFrom start of range to use for K8s node port
|
||||
// https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
|
||||
NodePortFrom = 30000
|
||||
NodePortTo = 32767
|
||||
// NodePortTo end of range to use for K8s node port
|
||||
// https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
|
||||
NodePortTo = 32767
|
||||
|
||||
//
|
||||
// Filenames.
|
||||
//
|
||||
ClusterIDsFileName = "constellation-id.json"
|
||||
ConfigFilename = "constellation-conf.yaml"
|
||||
LicenseFilename = "constellation.license"
|
||||
DebugdConfigFilename = "cdbg-conf.yaml"
|
||||
AdminConfFilename = "constellation-admin.conf"
|
||||
MasterSecretFilename = "constellation-mastersecret.json"
|
||||
|
||||
// ClusterIDsFileName filename that contains Constellation clusterID and IP.
|
||||
ClusterIDsFileName = "constellation-id.json"
|
||||
// ConfigFilename filename of Constellation config file.
|
||||
ConfigFilename = "constellation-conf.yaml"
|
||||
// LicenseFilename filename of Constellation license file.
|
||||
LicenseFilename = "constellation.license"
|
||||
// AdminConfFilename filename of KubeConfig for admin access to Constellation.
|
||||
AdminConfFilename = "constellation-admin.conf"
|
||||
// MasterSecretFilename filename of Constellation mastersecret.
|
||||
MasterSecretFilename = "constellation-mastersecret.json"
|
||||
// ControlPlaneAdminConfFilename filepath to control plane kubernetes admin config.
|
||||
ControlPlaneAdminConfFilename = "/etc/kubernetes/admin.conf"
|
||||
KubeadmCertificateDir = "/etc/kubernetes/pki"
|
||||
KubectlPath = "/run/state/bin/kubectl"
|
||||
// KubectlPath path to kubectl binary.
|
||||
KubectlPath = "/run/state/bin/kubectl"
|
||||
|
||||
//
|
||||
// Filenames for Constellation's micro services.
|
||||
@ -95,22 +111,29 @@ const (
|
||||
// CLI.
|
||||
//
|
||||
|
||||
// MinControllerCount is the minimum number of control nodes.
|
||||
MinControllerCount = 1
|
||||
MinWorkerCount = 1
|
||||
// MinWorkerCount is the minimum number of worker nodes.
|
||||
MinWorkerCount = 1
|
||||
|
||||
//
|
||||
// Kubernetes.
|
||||
//
|
||||
|
||||
// KubernetesJoinTokenTTL time to live for Kubernetes join token.
|
||||
KubernetesJoinTokenTTL = 15 * time.Minute
|
||||
// ConstellationNamespace namespace to deploy Constellation components into.
|
||||
ConstellationNamespace = "kube-system"
|
||||
JoinConfigMap = "join-config"
|
||||
InternalConfigMap = "internal-config"
|
||||
// JoinConfigMap k8s config map with node join config.
|
||||
JoinConfigMap = "join-config"
|
||||
// InternalConfigMap k8s config map with internal Constellation config.
|
||||
InternalConfigMap = "internal-config"
|
||||
|
||||
//
|
||||
// Helm.
|
||||
//
|
||||
|
||||
// HelmNamespace namespace for helm charts.
|
||||
HelmNamespace = "kube-system"
|
||||
|
||||
//
|
||||
|
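Review bot: KubeadmCertificateDir, between ControlPlaneAdminConfFilename and KubectlPath, is left without a doc comment while every neighbour gained one; add `// KubeadmCertificateDir directory holding the kubeadm generated PKI material.` The pre-existing `// Default NodePort Range` line now sits directly above the `// NodePortFrom ...` comment, so NodePortFrom's doc text begins with words other than its name and may still be flagged by the newly enabled check; fold it into the NodePortFrom line. EnclaveSSHPort and NVMEOverTCPPort appear only on the old side of the first hunk, which would be an API removal the commit message does not mention. The const block starts and ends outside the hunks.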
@ -9,8 +9,16 @@ package crds
|
||||
import _ "embed"
|
||||
|
||||
var (
|
||||
// OLMCRDs contains olmCRDs.yaml from [OLM Release].
|
||||
//
|
||||
// [OLM Release]: https://github.com/operator-framework/operator-lifecycle-manager/releases
|
||||
//
|
||||
//go:embed olmCRDs.yaml
|
||||
OLMCRDs []byte
|
||||
// OLM contains olm.yaml from [OLM Release].
|
||||
//
|
||||
// [OLM Release]: https://github.com/operator-framework/operator-lifecycle-manager/releases
|
||||
//
|
||||
//go:embed olmDeployment.yaml
|
||||
OLM []byte
|
||||
)
|
||||
|
@ -20,6 +20,7 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
// StateDiskKeyLength is key length in bytes for node state disk.
|
||||
StateDiskKeyLength = 32
|
||||
// DerivedKeyLengthDefault is the default length in bytes for KMS derived keys.
|
||||
DerivedKeyLengthDefault = 32
|
||||
|
@ -14,6 +14,7 @@ type Release struct {
|
||||
Wait bool
|
||||
}
|
||||
|
||||
// Releases bundles all helm releases to be deployed to Constellation.
|
||||
type Releases struct {
|
||||
Cilium Release
|
||||
ConstellationServices Release
|
||||
|
@ -49,9 +49,12 @@ const (
|
||||
)
|
||||
|
||||
var (
|
||||
OptNone = Option{optNone}
|
||||
// OptNone is a no-op.
|
||||
OptNone = Option{optNone}
|
||||
// OptOverwrite overwrites an existing file.
|
||||
OptOverwrite = Option{optOverwrite}
|
||||
OptMkdirAll = Option{optMkdirAll}
|
||||
// OptMkdirAll creates the path to the file.
|
||||
OptMkdirAll = Option{optMkdirAll}
|
||||
)
|
||||
|
||||
// Handler handles file interaction.
|
||||
|
@ -15,11 +15,13 @@ import (
|
||||
"google.golang.org/grpc/credentials"
|
||||
)
|
||||
|
||||
// Credentials for attested TLS (ATLS).
|
||||
type Credentials struct {
|
||||
issuer atls.Issuer
|
||||
validators []atls.Validator
|
||||
}
|
||||
|
||||
// New creates new ATLS Credentials.
|
||||
func New(issuer atls.Issuer, validators []atls.Validator) *Credentials {
|
||||
return &Credentials{
|
||||
issuer: issuer,
|
||||
@ -27,6 +29,7 @@ func New(issuer atls.Issuer, validators []atls.Validator) *Credentials {
|
||||
}
|
||||
}
|
||||
|
||||
// ClientHandshake performs the client handshake.
|
||||
func (c *Credentials) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
|
||||
clientCfg, err := atls.CreateAttestationClientTLSConfig(c.issuer, c.validators)
|
||||
if err != nil {
|
||||
@ -36,6 +39,7 @@ func (c *Credentials) ClientHandshake(ctx context.Context, authority string, raw
|
||||
return credentials.NewTLS(clientCfg).ClientHandshake(ctx, authority, rawConn)
|
||||
}
|
||||
|
||||
// ServerHandshake performs the server handshake.
|
||||
func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
|
||||
serverCfg, err := atls.CreateAttestationServerTLSConfig(c.issuer, c.validators)
|
||||
if err != nil {
|
||||
@ -45,15 +49,18 @@ func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.A
|
||||
return credentials.NewTLS(serverCfg).ServerHandshake(rawConn)
|
||||
}
|
||||
|
||||
// Info provides information about the protocol.
|
||||
func (c *Credentials) Info() credentials.ProtocolInfo {
|
||||
return credentials.NewTLS(nil).Info()
|
||||
}
|
||||
|
||||
// Clone the credentials object.
|
||||
func (c *Credentials) Clone() credentials.TransportCredentials {
|
||||
cloned := *c
|
||||
return &cloned
|
||||
}
|
||||
|
||||
// OverrideServerName is not supported and will fail.
|
||||
func (c *Credentials) OverrideServerName(s string) error {
|
||||
return errors.New("cannot override server name")
|
||||
}
|
||||
|
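Review bot: Clone's new comment "Clone the credentials object." hides that `cloned := *c` is a shallow copy: the clone shares the issuer and the backing array of the validators slice with the receiver, so a change to one is visible through the other. Say so: `// Clone returns a shallow copy; the issuer and the validators slice are shared with the receiver.` OverrideServerName could also state why the override is refused — presumably because attested TLS does not authenticate by server name, which I infer only from the error string.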
@ -16,8 +16,10 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
)
|
||||
|
||||
// Checker checks the Constellation license.
|
||||
type Checker struct{}
|
||||
|
||||
// NewChecker creates a new Checker.
|
||||
func NewChecker(quotaChecker QuotaChecker, fileHandler file.Handler) *Checker {
|
||||
return &Checker{}
|
||||
}
|
||||
|
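Review bot: NewChecker ignores both parameters and returns an empty Checker, which the new comment "NewChecker creates a new Checker." does not convey. Presumably the parameters exist for API compatibility with another build (the config defaults in this commit mention an "OSS build"); document that: `// NewChecker creates a new Checker. quotaChecker and fileHandler are accepted for API compatibility and are unused.`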
@ -13,6 +13,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
)
|
||||
|
||||
// FromFile reads the license from fileHandler at path and returns it as a string.
|
||||
func FromFile(fileHandler file.Handler, path string) (string, error) {
|
||||
readBytes, err := fileHandler.Read(path)
|
||||
if err != nil {
|
||||
|
@ -23,11 +23,14 @@ const (
|
||||
)
|
||||
|
||||
type (
|
||||
// Action performed by Constellation.
|
||||
Action string
|
||||
)
|
||||
|
||||
const (
|
||||
// Init action denotes the initialization of a Constellation cluster.
|
||||
Init Action = "init"
|
||||
// test action is only to be used in testing.
|
||||
test Action = "test"
|
||||
)
|
||||
|
||||
@ -97,6 +100,7 @@ func licenseURL() *url.URL {
|
||||
}
|
||||
}
|
||||
|
||||
// QuotaChecker checks the vCPU quota for a given license.
|
||||
type QuotaChecker interface {
|
||||
QuotaCheck(ctx context.Context, checkRequest QuotaCheckRequest) (QuotaCheckResponse, error)
|
||||
}
|
||||
|
@ -11,6 +11,7 @@ import (
|
||||
"go.uber.org/zap/zapcore"
|
||||
)
|
||||
|
||||
// CmdLineVerbosityDescription explains numeric log levels.
|
||||
const CmdLineVerbosityDescription = "log verbosity in zap logging levels. Use -1 for debug information, 0 for info, 1 for warn, 2 for error"
|
||||
|
||||
// VerbosityFromInt converts a verbosity level from an integer to a zapcore.Level.
|
||||
|
@ -62,7 +62,7 @@ func (AzureSNP) OID() asn1.ObjectIdentifier {
|
||||
return asn1.ObjectIdentifier{1, 3, 9900, 4, 1}
|
||||
}
|
||||
|
||||
// Azure holds the OID for Azure TrustedLaunch VMs.
|
||||
// AzureTrustedLaunch holds the OID for Azure TrustedLaunch VMs.
|
||||
type AzureTrustedLaunch struct{}
|
||||
|
||||
// OID returns the struct's object identifier.
|
||||
|
@ -59,6 +59,7 @@ func (r *IntervalRetrier) Do(ctx context.Context) error {
|
||||
}
|
||||
}
|
||||
|
||||
// Doer does something and returns an error.
|
||||
type Doer interface {
|
||||
// Do performs an operation.
|
||||
//
|
||||
|
@ -17,10 +17,12 @@ import (
|
||||
type Role uint
|
||||
|
||||
const (
|
||||
// Unknown is the default value for Role and should have no meaning.
|
||||
Unknown Role = iota
|
||||
// ControlPlane declares this node as a Kubernetes control plane node.
|
||||
ControlPlane
|
||||
// Worker declares this node as a Kubernetes worker node.
|
||||
Worker
|
||||
Admin
|
||||
)
|
||||
|
||||
// MarshalJSON marshals the Role to JSON string.
|
||||
@ -45,8 +47,6 @@ func FromString(s string) Role {
|
||||
return ControlPlane
|
||||
case "worker":
|
||||
return Worker
|
||||
case "admin":
|
||||
return Admin
|
||||
default:
|
||||
return Unknown
|
||||
}
|
||||
|
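Review bot: This section removes the Admin role and the `case "admin"` branch of FromString, so "admin" now maps to Unknown and any stored JSON carrying "Admin" unmarshals to Unknown; that is a behavioural change in a commit described as adding documentation, and the description should mention it and whether persisted state can contain that value. The generated stringer and the tests in the following sections drop Admin consistently. MarshalJSON and FromString both extend outside the hunks.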
@ -11,12 +11,11 @@ func _() {
|
||||
_ = x[Unknown-0]
|
||||
_ = x[ControlPlane-1]
|
||||
_ = x[Worker-2]
|
||||
_ = x[Admin-3]
|
||||
}
|
||||
|
||||
const _Role_name = "UnknownControlPlaneWorkerAdmin"
|
||||
const _Role_name = "UnknownControlPlaneWorker"
|
||||
|
||||
var _Role_index = [...]uint8{0, 7, 19, 25, 30}
|
||||
var _Role_index = [...]uint8{0, 7, 19, 25}
|
||||
|
||||
func (i Role) String() string {
|
||||
if i >= Role(len(_Role_index)-1) {
|
||||
|
@ -32,10 +32,6 @@ func TestMarshal(t *testing.T) {
|
||||
role: Worker,
|
||||
wantJSON: `"Worker"`,
|
||||
},
|
||||
"admin role": {
|
||||
role: Admin,
|
||||
wantJSON: `"Admin"`,
|
||||
},
|
||||
"unknown role": {
|
||||
role: Unknown,
|
||||
wantJSON: `"Unknown"`,
|
||||
@ -85,14 +81,6 @@ func TestUnmarshal(t *testing.T) {
|
||||
json: `"worker"`,
|
||||
wantRole: Worker,
|
||||
},
|
||||
"Admin can be unmarshaled": {
|
||||
json: `"Admin"`,
|
||||
wantRole: Admin,
|
||||
},
|
||||
"lowercase admin can be unmarshaled": {
|
||||
json: `"admin"`,
|
||||
wantRole: Admin,
|
||||
},
|
||||
"other strings unmarshal to the unknown role": {
|
||||
json: `"anything"`,
|
||||
wantRole: Unknown,
|
||||
|
@ -42,23 +42,37 @@ func IsPreviewK8sVersion(version ValidK8sVersion) bool {
|
||||
}
|
||||
|
||||
const (
|
||||
//
|
||||
// Constellation images.
|
||||
// These images are built in a way that they support all versions currently listed in VersionConfigs.
|
||||
KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da" // renovate:container
|
||||
KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.33@sha256:2c111f004bec24888d8cfa2a812a38fb8341350abac67dcd0ac64e709dfe389c" // renovate:container
|
||||
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.2.0@sha256:8d2c4483e4bee8b2ed1eb32ad35298f51ad167e0aa074c9bc45c2a75ec0d1a22" // renovate:container
|
||||
AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.0@sha256:e6aa2ef3a65e7d4be25569ad9cbf6cee1dafa2c00734fa85aeb4e56a5943f88e" // renovate:container
|
||||
KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.0@sha256:df72c9a8e75a848023a4b86faf3399efb8693b980e324eaa41823bc6d0a15006" // renovate:container
|
||||
VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.0@sha256:c928077e535507af7148c083bb1bde4d187eab8aee0e82be06f9b794aa2442e7" // renovate:container
|
||||
//
|
||||
|
||||
// KonnectivityAgentImage agent image for konnectivity service.
|
||||
KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da" // renovate:container
|
||||
// KonnectivityServerImage server image for konnectivity service.
|
||||
KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.33@sha256:2c111f004bec24888d8cfa2a812a38fb8341350abac67dcd0ac64e709dfe389c" // renovate:container
|
||||
// JoinImage image of Constellation join service.
|
||||
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.2.0@sha256:8d2c4483e4bee8b2ed1eb32ad35298f51ad167e0aa074c9bc45c2a75ec0d1a22" // renovate:container
|
||||
// AccessManagerImage image of Constellation access manager.
|
||||
AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.0@sha256:e6aa2ef3a65e7d4be25569ad9cbf6cee1dafa2c00734fa85aeb4e56a5943f88e" // renovate:container
|
||||
// KmsImage image of Constellation KMS server.
|
||||
KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.0@sha256:df72c9a8e75a848023a4b86faf3399efb8693b980e324eaa41823bc6d0a15006" // renovate:container
|
||||
// VerificationImage image of Constellation verification service.
|
||||
VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.0@sha256:c928077e535507af7148c083bb1bde4d187eab8aee0e82be06f9b794aa2442e7" // renovate:container
|
||||
// GcpGuestImage image for GCP guest agent.
|
||||
// Check for new versions at https://github.com/GoogleCloudPlatform/guest-agent/releases and update in /.github/workflows/build-gcp-guest-agent.yml.
|
||||
GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:20220927.00@sha256:3dea1ae3f162d2353e6584b325f0e325a39cda5f380f41e5a0ee43c6641d3905" // renovate:container
|
||||
GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:20220927.00@sha256:3dea1ae3f162d2353e6584b325f0e325a39cda5f380f41e5a0ee43c6641d3905" // renovate:container
|
||||
// NodeOperatorCatalogImage image of node operator catalog image.
|
||||
NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.0@sha256:543ebc67183b580cfeda9e14ff3a0c5056813847ad3605719b54d72b22427a69" // renovate:container
|
||||
// NodeMaintenanceOperatorCatalogImage image of node maintenance operator catalog.
|
||||
// TODO: switch node maintenance operator catalog back to upstream quay.io/medik8s/node-maintenance-operator-catalog
|
||||
// once https://github.com/medik8s/node-maintenance-operator/issues/49 is resolved.
|
||||
NodeMaintenanceOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-maintenance-operator-catalog:v0.13.1-alpha1@sha256:d382c3aaf9bc470cde6f6c05c2c6ff5c9dcfd90540d5b11f9cf69c4e1dd1ca9d" // renovate:container
|
||||
|
||||
// QEMUMetadataImage image of QEMU metadata api service.
|
||||
QEMUMetadataImage = "ghcr.io/edgelesssys/constellation/qemu-metadata-api:v2.2.0@sha256:3c173639bbd258f56c7f4e97fa5dc7b7c63d7d45f96f7d7af5c43ed9eb2258ac" // renovate:container
|
||||
LibvirtImage = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0@sha256:81ddc30cd679a95379e94e2f154861d9112bcabfffa96330c09a4917693f7cce" // renovate:container
|
||||
// LibvirtImage image that provides libvirt.
|
||||
LibvirtImage = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0@sha256:81ddc30cd679a95379e94e2f154861d9112bcabfffa96330c09a4917693f7cce" // renovate:container
|
||||
|
||||
// ConstellationQEMUImageURL is the artifact URL for QEMU qcow2 images.
|
||||
ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.0/constellation.raw"
|
||||
@ -71,15 +85,18 @@ const (
|
||||
//nolint:revive
|
||||
V1_25 ValidK8sVersion = "1.25"
|
||||
|
||||
// Default k8s version deployed by Constellation.
|
||||
Default ValidK8sVersion = V1_24
|
||||
)
|
||||
|
||||
var (
|
||||
NodeOperatorVersion = versionFromDockerImage(NodeOperatorCatalogImage)
|
||||
// NodeOperatorVersion version of node operator.
|
||||
NodeOperatorVersion = versionFromDockerImage(NodeOperatorCatalogImage)
|
||||
// NodeMaintenanceOperatorVersion version of node maintenance operator.
|
||||
NodeMaintenanceOperatorVersion = versionFromDockerImage(NodeMaintenanceOperatorCatalogImage)
|
||||
)
|
||||
|
||||
// versionConfigs holds download URLs for all required kubernetes components for every supported version.
|
||||
// VersionConfigs holds download URLs for all required kubernetes components for every supported version.
|
||||
var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
|
||||
V1_23: {
|
||||
PatchVersion: "v1.23.13", // renovate:kubernetes-release
|
||||
|
@ -149,6 +149,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
|
||||
}, nil
|
||||
}
|
||||
|
||||
// IssueRejoinTicket issues a ticket for nodes to rejoin cluster.
|
||||
func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejoinTicketRequest) (*joinproto.IssueRejoinTicketResponse, error) {
|
||||
log := s.log.With(zap.String("peerAddress", grpclog.PeerAddrFromContext(ctx)))
|
||||
log.Infof("IssueRejoinTicket called")
|
||||
|
@ -22,6 +22,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/gcp"
|
||||
)
|
||||
|
||||
// Well known endpoints for KMS services.
|
||||
const (
|
||||
AWSKMSURI = "kms://aws?keyPolicy=%s"
|
||||
AzureKMSURI = "kms://azure-kms?name=%s&type=%s"
|
||||
@ -34,6 +35,7 @@ const (
|
||||
NoStoreURI = "storage://no-store"
|
||||
)
|
||||
|
||||
// KMSInformation about an existing KMS.
|
||||
type KMSInformation struct {
|
||||
KMSURI string
|
||||
StorageURI string
|
||||
|
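Review bot: `// Well known endpoints for KMS services.` describes the constants as endpoints, but the values are format templates (`kms://aws?keyPolicy=%s`, `kms://azure-kms?name=%s&type=%s`) whose placeholders still have to be filled, and the substituted values end up in a URI query string. A comment that says so would help callers: `// URI templates for the supported KMS and storage backends; fill the %s placeholders with fmt.Sprintf and url.QueryEscape any value that may contain '&', '=' or '?'.` Whether the callers escape today is not visible from this hunk and is worth confirming. In the second hunk, `// KMSInformation about an existing KMS.` is likewise missing its verb; `// KMSInformation describes an existing KMS by its KMS and storage URIs.` matches the struct's two fields.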
@ -73,7 +73,7 @@ func (c *Client) GetScalingGroupName(scalingGroupID string) (string, error) {
|
||||
return scaleSet, nil
|
||||
}
|
||||
|
||||
// GetScalingGroupName retrieves the name of a scaling group as needed by the cluster-autoscaler.
|
||||
// GetAutoscalingGroupName retrieves the name of a scaling group as needed by the cluster-autoscaler.
|
||||
func (c *Client) GetAutoscalingGroupName(scalingGroupID string) (string, error) {
|
||||
return c.GetScalingGroupName(scalingGroupID)
|
||||
}
|
||||
|
@ -7,8 +7,12 @@ SPDX-License-Identifier: AGPL-3.0-only
|
||||
package constants
|
||||
|
||||
const (
|
||||
AutoscalingStrategyResourceName = "autoscalingstrategy"
|
||||
NodeImageResourceName = "constellation-os"
|
||||
// AutoscalingStrategyResourceName resource name used for AutoscalingStrategy.
|
||||
AutoscalingStrategyResourceName = "autoscalingstrategy"
|
||||
// NodeImageResourceName resource name used for NodeImage.
|
||||
NodeImageResourceName = "constellation-os"
|
||||
// ControlPlaneScalingGroupResourceName resource name used for ControlPlaneScalingGroup.
|
||||
ControlPlaneScalingGroupResourceName = "scalinggroup-controlplane"
|
||||
WorkerScalingGroupResourceName = "scalinggroup-worker"
|
||||
// WorkerScalingGroupResourceName resource name used for WorkerScaling.
|
||||
WorkerScalingGroupResourceName = "scalinggroup-worker"
|
||||
)
|
||||
|
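Review bot: The new comment on WorkerScalingGroupResourceName ends with `used for WorkerScaling.` while its sibling on ControlPlaneScalingGroupResourceName ends with `used for ControlPlaneScalingGroup.`; the resource is a scaling group, so it should read `// WorkerScalingGroupResourceName resource name used for WorkerScalingGroup.` All four comments in this block also omit the verb; `// WorkerScalingGroupResourceName is the resource name used for the worker ScalingGroup.` is the conventional form, and the other three can follow the same pattern.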
@ -56,12 +56,14 @@ type diskAPI interface {
|
||||
opts ...gax.CallOption) (*computepb.Disk, error)
|
||||
}
|
||||
|
||||
// Operation describes a generic protobuf operation that can be waited for.
|
||||
type Operation interface {
|
||||
Proto() *computepb.Operation
|
||||
Done() bool
|
||||
Wait(ctx context.Context, opts ...gax.CallOption) error
|
||||
}
|
||||
|
||||
// InstanceGroupManagerScopedListIterator can list the Next InstanceGroupManagersScopedListPair.
|
||||
type InstanceGroupManagerScopedListIterator interface {
|
||||
Next() (compute.InstanceGroupManagersScopedListPair, error)
|
||||
}
|
||||
|
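Review bot: `// InstanceGroupManagerScopedListIterator can list the Next InstanceGroupManagersScopedListPair.` is hard to parse because it folds the method name into the sentence. Suggested: `// InstanceGroupManagerScopedListIterator iterates over InstanceGroupManagersScopedListPair values; Next returns the next pair or an error.` The interface gives no hint which error value marks the end of iteration; if the concrete type behind it is the google-api iterator, stating that (iterator.Done in that library) would spare implementers and mocks a guess, but the implementation is outside this hunk. The Operation comment reads fine; if the wrapped type guarantees that Wait returns only once Done reports true, saying so would make the contract explicit.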
@ -96,7 +96,7 @@ func (c *Client) GetScalingGroupName(scalingGroupID string) (string, error) {
|
||||
return instanceGroupName, nil
|
||||
}
|
||||
|
||||
// GetScalingGroupName retrieves the name of a scaling group as needed by the cluster-autoscaler.
|
||||
// GetAutoscalingGroupName retrieves the name of a scaling group as needed by the cluster-autoscaler.
|
||||
func (c *Client) GetAutoscalingGroupName(scalingGroupID string) (string, error) {
|
||||
project, zone, instanceGroupName, err := splitInstanceGroupID(scalingGroupID)
|
||||
if err != nil {
|
||||
|
@ -166,6 +166,7 @@ func (s *Server) getAttestationHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
// AttestationIssuer issues an attestation document for the provided userData and nonce.
|
||||
type AttestationIssuer interface {
|
||||
Issue(userData []byte, nonce []byte) (quote []byte, err error)
|
||||
}
|
||||
|
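Review bot: `// AttestationIssuer issues an attestation document for the provided userData and nonce.` names the inputs but not the contract around them, which is what an implementer or mock needs: whether both values are bound into the returned quote so a verifier can check them, and that the nonce is expected to come from the remote verifier so the quote is fresh. If that is what the implementations do (they are outside this hunk), a comment on the Issue line such as `// Issue returns a quote that binds userData and nonce; nonce should be chosen by the verifier to guarantee freshness.` would make the expectation explicit.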