From 0d12e37c96993d5a4975042af95000e8dcba8f89 Mon Sep 17 00:00:00 2001 From: Fabian Kammel Date: Wed, 9 Nov 2022 15:57:54 +0100 Subject: [PATCH] Document exported funcs,types,interfaces and enable check. (#475) * Include EXC0014 and fix issues. * Include EXC0012 and fix issues. 
Signed-off-by: Fabian Kammel Co-authored-by: Otto Bittner --- .golangci.yml | 3 + bootstrapper/internal/clean/clean.go | 4 ++ .../internal/initserver/initserver.go | 5 ++ .../internal/kubernetes/k8sapi/joinargs.go | 9 ++- .../internal/kubernetes/k8sapi/k8sutil.go | 6 ++ .../kubernetes/k8sapi/kubeadm_config.go | 23 +++++++ .../k8sapi/kubectl/client/client.go | 8 +++ .../kubernetes/k8sapi/kubectl/kubectl.go | 11 ++- .../k8sapi/resources/auditpolicy.go | 1 + .../k8sapi/resources/gcp_guest_agent.go | 1 + .../k8sapi/resources/konnectivity.go | 11 ++- .../resources/node_maintenance_operator.go | 2 + .../k8sapi/resources/node_operator.go | 2 + .../k8sapi/resources/verification.go | 3 + bootstrapper/internal/logging/logger.go | 3 + cli/internal/cloudcmd/validators.go | 3 + cli/internal/cmd/config.go | 2 + cli/internal/helm/loader.go | 9 ++- cli/internal/terraform/terraform.go | 2 +- cli/internal/terraform/variables.go | 2 +- debugd/internal/debugd/constants.go | 1 + debugd/internal/debugd/deploy/service.go | 7 ++ .../metadata/cloudprovider/cloudprovider.go | 3 + .../debugd/metadata/fallback/fallback.go | 8 +-- disk-mapper/internal/setup/setup.go | 3 + hack/azure-snp-report-verify/verify.go | 2 + hack/build-manifest/azure/client.go | 3 + hack/build-manifest/azure/options.go | 10 ++- hack/build-manifest/gcp/client.go | 4 ++ hack/build-manifest/gcp/options.go | 6 +- hack/build-manifest/main.go | 1 + hack/build-manifest/manifest.go | 5 ++ hack/image-measurement/server/server.go | 5 ++ hack/pcr-reader/main.go | 1 + hack/pseudo-version/internal/git/git.go | 3 + hack/qemu-metadata-api/server/server.go | 3 + .../virtwrapper/virtwrapper.go | 5 ++ internal/atls/atls.go | 2 + internal/attestation/aws/issuer.go | 1 + internal/attestation/azure/snp/README.md | 19 +++++ internal/attestation/azure/snp/validator.go | 3 + internal/cloud/azure/logger.go | 2 + internal/cloud/cloudprovider/cloudprovider.go | 5 ++ internal/cloud/gcp/logger.go | 1 + internal/cloud/gcpshared/serviceaccountkey.go 
| 1 + internal/cloud/metadata/metadata.go | 2 + internal/cloud/vmtype/vmtype.go | 3 + internal/config/config.go | 4 ++ internal/config/images_oss.go | 4 +- internal/config/instancetypes/aws.go | 3 +- internal/config/measurements.go | 1 + internal/constants/constants.go | 69 ++++++++++++------- internal/crds/crds.go | 8 +++ internal/crypto/crypto.go | 1 + internal/deploy/helm/helm.go | 1 + internal/file/file.go | 7 +- .../grpc/atlscredentials/atlscredentials.go | 7 ++ internal/license/checker_oss.go | 2 + internal/license/file.go | 1 + internal/license/license.go | 4 ++ internal/logger/cmdline.go | 1 + internal/oid/oid.go | 2 +- internal/retry/retry.go | 1 + internal/role/role.go | 6 +- internal/role/role_string.go | 5 +- internal/role/role_test.go | 12 ---- internal/versions/versions.go | 37 +++++++--- joinservice/internal/server/server.go | 1 + kms/setup/setup.go | 2 + .../internal/azure/client/scalinggroup.go | 2 +- .../internal/constants/constants.go | 10 ++- .../internal/gcp/client/api.go | 2 + .../internal/gcp/client/scalinggroup.go | 2 +- verify/server/server.go | 1 + 74 files changed, 337 insertions(+), 78 deletions(-) create mode 100644 internal/attestation/azure/snp/README.md diff --git a/.golangci.yml b/.golangci.yml index 6a6b1f5a2..6bb45a11d 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -35,6 +35,9 @@ linters: issues: max-issues-per-linter: 0 max-same-issues: 20 + include: + - EXC0012 + - EXC0014 linters-settings: errcheck: diff --git a/bootstrapper/internal/clean/clean.go b/bootstrapper/internal/clean/clean.go index 795300ee7..a82dbca4d 100644 --- a/bootstrapper/internal/clean/clean.go +++ b/bootstrapper/internal/clean/clean.go 
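Review bot: The two new `include` entries under `issues:` are bare exclusion IDs, so a later reader has to look up what the commit re-enables. An inline YAML comment on each line, `- EXC0012 # revive: exported identifiers need a doc comment` and `- EXC0014 # revive: the doc comment must start with the identifier's name`, records the intent next to the setting. Whether these rules fire at all also depends on revive being listed under `linters:`, which is outside the hunk.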
@@ -10,6 +10,10 @@ import ( "sync" ) +// Cleaner can be used to stop a list of services gracefully. +// To register an arbitrary amount of stoppers either use New or With. +// Start needs to be called to ready the Cleaner, then Clean will activate it. +// Done can be used to wait for Cleaner to run all registered stoppers. type Cleaner struct { stoppers []stopper stopC chan struct{} diff --git a/bootstrapper/internal/initserver/initserver.go b/bootstrapper/internal/initserver/initserver.go index 741ea6c91..7b3f78fa7 100644 --- a/bootstrapper/internal/initserver/initserver.go +++ b/bootstrapper/internal/initserver/initserver.go @@ -172,12 +172,15 @@ func (s *Server) setupDisk(masterSecret, salt []byte) error { return s.disk.UpdatePassphrase(string(diskKey)) } +// IssuerWrapper adds VM type context to an issuer to distinguish between +// confidential and trusted launch VMs. type IssuerWrapper struct { atls.Issuer vmType vmtype.VMType idkeydigest []byte } +// NewIssuerWrapper creates a new issuer with VM type context. func NewIssuerWrapper(issuer atls.Issuer, vmType vmtype.VMType, idkeydigest []byte) IssuerWrapper { return IssuerWrapper{ Issuer: issuer, @@ -186,10 +189,12 @@ func NewIssuerWrapper(issuer atls.Issuer, vmType vmtype.VMType, idkeydigest []by } } +// VMType returns the VM type. func (i *IssuerWrapper) VMType() vmtype.VMType { return i.vmType } +// IDKeyDigest returns the ID key digest. func (i *IssuerWrapper) IDKeyDigest() []byte { return i.idkeydigest } diff --git a/bootstrapper/internal/kubernetes/k8sapi/joinargs.go b/bootstrapper/internal/kubernetes/k8sapi/joinargs.go index e96a241f6..2d7203d6e 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/joinargs.go +++ b/bootstrapper/internal/kubernetes/k8sapi/joinargs.go 
@@ -14,10 +14,13 @@ import ( kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" ) +// ParseJoinCommand parses API server endpoint, token and CA cert hash from +// provided kubeadm join shell command, and returns it as a BootstrapTokenDiscovery. +// +// Expected format: +// kubeadm join [API_SERVER_ENDPOINT] --token [TOKEN] --discovery-token-ca-cert-hash [DISCOVERY_TOKEN_CA_CERT_HASH] --control-plane +// . func ParseJoinCommand(joinCommand string) (*kubeadm.BootstrapTokenDiscovery, error) { - // Format: - // kubeadm join [API_SERVER_ENDPOINT] --token [TOKEN] --discovery-token-ca-cert-hash [DISCOVERY_TOKEN_CA_CERT_HASH] --control-plane - // split and verify that this is a kubeadm join command argv, err := shlex.Split(joinCommand) if err != nil { diff --git a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go index 854a4948f..448c134ad 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go +++ b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go @@ -112,6 +112,7 @@ func (k *KubernetesUtil) InstallComponents(ctx context.Context, version versions return enableSystemdUnit(ctx, kubeletServicePath) } +// InitCluster instruments kubeadm to initialize the K8s cluster. func (k *KubernetesUtil) InitCluster( ctx context.Context, initConfig []byte, nodeName string, ips []net.IP, controlPlaneEndpoint string, conformanceMode bool, log *logger.Logger, ) error { @@ -242,10 +243,12 @@ func (k *KubernetesUtil) prepareControlPlaneForKonnectivity(ctx context.Context, return nil } +// SetupKonnectivity uses kubectl client to apply the provided konnectivity daemon set. func (k *KubernetesUtil) SetupKonnectivity(kubectl Client, konnectivityAgentsDaemonSet kubernetes.Marshaler) error { return kubectl.Apply(konnectivityAgentsDaemonSet, true) } +// SetupPodNetworkInput holds all configuration options to setup the pod network. type SetupPodNetworkInput struct { CloudProvider string NodeName string 
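Review bot: The lone `// .` line closing the new ParseJoinCommand doc comment renders in godoc as a paragraph containing a single period, because the indented `kubeadm join …` line before it is treated as a code block and the stray line starts a new paragraph. If the period is there only to satisfy a comment-must-end-with-period check, put the terminating sentence before the block instead, e.g. `// Expected format of joinCommand is shown below.` followed by the indented line, and drop `// .`. The function's body continues outside the hunk.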
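Review bot: `instruments` in the new InitCluster comment reads as "adds instrumentation to kubeadm", which is not what the name suggests the method does; the body is cut off by the hunk, so the exact mechanism cannot be confirmed here. A neutral wording avoids the misreading: `// InitCluster uses kubeadm to initialize the K8s cluster.`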
@@ -339,6 +342,7 @@ func (k *KubernetesUtil) SetupVerificationService(kubectl Client, verificationSe return kubectl.Apply(verificationServiceConfiguration, true) } +// SetupOperatorLifecycleManager deploys operator lifecycle manager. func (k *KubernetesUtil) SetupOperatorLifecycleManager(ctx context.Context, kubectl Client, olmCRDs, olmConfiguration kubernetes.Marshaler, crdNames []string) error { if err := kubectl.Apply(olmCRDs, true); err != nil { return fmt.Errorf("applying OLM CRDs: %w", err) @@ -351,10 +355,12 @@ func (k *KubernetesUtil) SetupOperatorLifecycleManager(ctx context.Context, kube return kubectl.Apply(olmConfiguration, true) } +// SetupNodeMaintenanceOperator deploys node maintenance operator. func (k *KubernetesUtil) SetupNodeMaintenanceOperator(kubectl Client, nodeMaintenanceOperatorConfiguration kubernetes.Marshaler) error { return kubectl.Apply(nodeMaintenanceOperatorConfiguration, true) } +// SetupNodeOperator deploys node operator. func (k *KubernetesUtil) SetupNodeOperator(ctx context.Context, kubectl Client, nodeOperatorConfiguration kubernetes.Marshaler) error { return kubectl.Apply(nodeOperatorConfiguration, true) } diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go index 1d872cca5..07c3ba47e 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go +++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go @@ -29,8 +29,10 @@ const ( auditPolicyPath = "/etc/kubernetes/audit-policy.yaml" ) +// KubdeadmConfiguration is used to generate kubeadm configurations. type KubdeadmConfiguration struct{} +// InitConfiguration returns a new init configuration. func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, k8sVersion versions.ValidK8sVersion) KubeadmInitYAML { var cloudProvider string if externalCloudProvider { 
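Review bot: SetupNodeOperator takes `ctx` but its one-line body passes only the configuration and a boolean to `kubectl.Apply`, so the context is never consulted; the signature plus the new comment promise a cancellable operation that is not one. Either rename the parameter to `_` to make that visible at the call site, or document in the comment that the context is currently unused. The sibling SetupNodeMaintenanceOperator in the same hunk takes no context at all, so the two wrappers are also inconsistent with each other.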
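Review bot: The type name `KubdeadmConfiguration` carries a typo, and because the new doc comment has to begin with the identifier, the typo is now repeated in prose as well. A rename to `KubeadmConfiguration` together with its callers is a small follow-up; until then the comment could at least say what is generated, which the two methods visible in this and the next hunk establish: `// KubdeadmConfiguration generates kubeadm init and join configurations.`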
@@ -171,6 +173,7 @@ func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, k8 } } +// JoinConfiguration returns a new kubeadm join configuration. func (c *KubdeadmConfiguration) JoinConfiguration(externalCloudProvider bool) KubeadmJoinYAML { var cloudProvider string if externalCloudProvider { @@ -201,27 +204,33 @@ func (c *KubdeadmConfiguration) JoinConfiguration(externalCloudProvider bool) Ku } } +// KubeadmJoinYAML holds configuration for kubeadm join workflow. type KubeadmJoinYAML struct { JoinConfiguration kubeadm.JoinConfiguration KubeletConfiguration kubeletconf.KubeletConfiguration } +// SetNodeName sets the node name. func (k *KubeadmJoinYAML) SetNodeName(nodeName string) { k.JoinConfiguration.NodeRegistration.Name = nodeName } +// SetAPIServerEndpoint sets the api server endpoint. func (k *KubeadmJoinYAML) SetAPIServerEndpoint(apiServerEndpoint string) { k.JoinConfiguration.Discovery.BootstrapToken.APIServerEndpoint = apiServerEndpoint } +// SetToken sets the boostrap token. func (k *KubeadmJoinYAML) SetToken(token string) { k.JoinConfiguration.Discovery.BootstrapToken.Token = token } +// AppendDiscoveryTokenCaCertHash appends another trusted discovery token CA hash. func (k *KubeadmJoinYAML) AppendDiscoveryTokenCaCertHash(discoveryTokenCaCertHash string) { k.JoinConfiguration.Discovery.BootstrapToken.CACertHashes = append(k.JoinConfiguration.Discovery.BootstrapToken.CACertHashes, discoveryTokenCaCertHash) } +// SetNodeIP sets the node IP. func (k *KubeadmJoinYAML) SetNodeIP(nodeIP string) { if k.JoinConfiguration.NodeRegistration.KubeletExtraArgs == nil { k.JoinConfiguration.NodeRegistration.KubeletExtraArgs = map[string]string{"node-ip": nodeIP} 
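Review bot: `boostrap` in the new SetToken comment is a typo: `// SetToken sets the bootstrap token.` Since the value written to `Discovery.BootstrapToken.Token` is a join credential, the comment is also the natural place to say so, e.g. `// SetToken sets the bootstrap token used for discovery; the value is a credential.`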
@@ -230,10 +239,12 @@ func (k *KubeadmJoinYAML) SetNodeIP(nodeIP string) { } } +// SetProviderID sets the provider ID. func (k *KubeadmJoinYAML) SetProviderID(providerID string) { k.KubeletConfiguration.ProviderID = providerID } +// SetControlPlane sets the control plane with the advertised address. func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string) { k.JoinConfiguration.ControlPlane = &kubeadm.JoinControlPlane{ LocalAPIEndpoint: kubeadm.APIEndpoint{ @@ -244,21 +255,25 @@ func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string) { k.JoinConfiguration.SkipPhases = []string{"control-plane-prepare/download-certs"} } +// Marshal into a k8s resource YAML. func (k *KubeadmJoinYAML) Marshal() ([]byte, error) { return kubernetes.MarshalK8SResources(k) } +// Unmarshal from a k8s resource YAML. func (k *KubeadmJoinYAML) Unmarshal(yamlData []byte) (KubeadmJoinYAML, error) { var tmp KubeadmJoinYAML return tmp, kubernetes.UnmarshalK8SResources(yamlData, &tmp) } +// KubeadmInitYAML holds configuration for kubeadm init workflow. type KubeadmInitYAML struct { InitConfiguration kubeadm.InitConfiguration ClusterConfiguration kubeadm.ClusterConfiguration KubeletConfiguration kubeletconf.KubeletConfiguration } +// SetNodeName sets name of node. func (k *KubeadmInitYAML) SetNodeName(nodeName string) { k.InitConfiguration.NodeRegistration.Name = nodeName } @@ -273,6 +288,7 @@ func (k *KubeadmInitYAML) SetCertSANs(certSANs []string) { } } +// SetAPIServerAdvertiseAddress sets the advertised API server address. func (k *KubeadmInitYAML) SetAPIServerAdvertiseAddress(apiServerAdvertiseAddress string) { k.InitConfiguration.LocalAPIEndpoint.AdvertiseAddress = apiServerAdvertiseAddress } 
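Review bot: `Marshal into a k8s resource YAML.` on KubeadmJoinYAML.Marshal does not say that the serialized document contains everything previously set on the struct, including the bootstrap token from SetToken, so a caller may treat the returned bytes as plain configuration and log or persist them freely. A doc line such as `// Marshal serializes the join configuration, including the bootstrap token, into Kubernetes resource YAML; handle the output as sensitive.` makes this explicit, and the Unmarshal comment should mirror it. The KubeadmInitYAML.Marshal comment in a later hunk on this page uses the same wording and would benefit from stating what the init document carries.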
@@ -284,18 +300,22 @@ func (k *KubeadmInitYAML) SetControlPlaneEndpoint(controlPlaneEndpoint string) { } } +// SetServiceCIDR sets the CIDR of service subnet. func (k *KubeadmInitYAML) SetServiceCIDR(serviceCIDR string) { k.ClusterConfiguration.Networking.ServiceSubnet = serviceCIDR } +// SetPodNetworkCIDR sets the CIDR of pod subnet. func (k *KubeadmInitYAML) SetPodNetworkCIDR(podNetworkCIDR string) { k.ClusterConfiguration.Networking.PodSubnet = podNetworkCIDR } +// SetServiceDNSDomain sets the dns domain. func (k *KubeadmInitYAML) SetServiceDNSDomain(serviceDNSDomain string) { k.ClusterConfiguration.Networking.DNSDomain = serviceDNSDomain } +// SetNodeIP sets the node IP. func (k *KubeadmInitYAML) SetNodeIP(nodeIP string) { if k.InitConfiguration.NodeRegistration.KubeletExtraArgs == nil { k.InitConfiguration.NodeRegistration.KubeletExtraArgs = map[string]string{"node-ip": nodeIP} @@ -304,6 +324,7 @@ func (k *KubeadmInitYAML) SetNodeIP(nodeIP string) { } } +// SetProviderID sets the provider ID. func (k *KubeadmInitYAML) SetProviderID(providerID string) { if k.InitConfiguration.NodeRegistration.KubeletExtraArgs == nil { k.InitConfiguration.NodeRegistration.KubeletExtraArgs = map[string]string{"provider-id": providerID} @@ -312,10 +333,12 @@ func (k *KubeadmInitYAML) SetProviderID(providerID string) { } } +// Marshal into a k8s resource YAML. func (k *KubeadmInitYAML) Marshal() ([]byte, error) { return kubernetes.MarshalK8SResources(k) } +// Unmarshal from a k8s resource YAML. func (k *KubeadmInitYAML) Unmarshal(yamlData []byte) (KubeadmInitYAML, error) { var tmp KubeadmInitYAML return tmp, kubernetes.UnmarshalK8SResources(yamlData, &tmp) diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubectl/client/client.go b/bootstrapper/internal/kubernetes/k8sapi/kubectl/client/client.go index 18436077f..942821896 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/kubectl/client/client.go +++ b/bootstrapper/internal/kubernetes/k8sapi/kubectl/client/client.go 
@@ -121,6 +121,10 @@ func (c *Client) ListAllNamespaces(ctx context.Context) (*corev1.NamespaceList, return c.clientset.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) } +// AddTolerationsToDeployment adds [K8s tolerations] to the deployment, identified +// by name and namespace. +// +// [K8s tolerations]: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ func (c *Client) AddTolerationsToDeployment(ctx context.Context, tolerations []corev1.Toleration, name string, namespace string) error { deployments := c.clientset.AppsV1().Deployments(namespace) @@ -143,6 +147,10 @@ func (c *Client) AddTolerationsToDeployment(ctx context.Context, tolerations []c return nil } +// AddNodeSelectorsToDeployment adds [K8s selectors] to the deployment, identified +// by name and namespace. +// +// [K8s selectors]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ func (c *Client) AddNodeSelectorsToDeployment(ctx context.Context, selectors map[string]string, name string, namespace string) error { deployments := c.clientset.AppsV1().Deployments(namespace) diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubectl/kubectl.go b/bootstrapper/internal/kubernetes/k8sapi/kubectl/kubectl.go index dbd58881a..a508c750f 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/kubectl/kubectl.go +++ b/bootstrapper/internal/kubernetes/k8sapi/kubectl/kubectl.go @@ -81,6 +81,7 @@ func (k *Kubectl) SetKubeconfig(kubeconfig []byte) { k.kubeconfig = kubeconfig } +// CreateConfigMap creates the provided configmap. func (k *Kubectl) CreateConfigMap(ctx context.Context, configMap corev1.ConfigMap) error { client, err := k.clientGenerator.NewClient(k.kubeconfig) if err != nil { 
@@ -100,6 +101,10 @@ func (k *Kubectl) ListAllNamespaces(ctx context.Context) (*corev1.NamespaceList, return client.ListAllNamespaces(ctx) } +// AddTolerationsToDeployment adds [K8s tolerations] to the deployment, identified +// by name and namespace. +// +// [K8s tolerations]: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ func (k *Kubectl) AddTolerationsToDeployment(ctx context.Context, tolerations []corev1.Toleration, name string, namespace string) error { client, err := k.clientGenerator.NewClient(k.kubeconfig) if err != nil { @@ -113,6 +118,10 @@ func (k *Kubectl) AddTolerationsToDeployment(ctx context.Context, tolerations [] return nil } +// AddNodeSelectorsToDeployment adds [K8s selectors] to the deployment, identified +// by name and namespace. +// +// [K8s selectors]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ func (k *Kubectl) AddNodeSelectorsToDeployment(ctx context.Context, selectors map[string]string, name string, namespace string) error { client, err := k.clientGenerator.NewClient(k.kubeconfig) if err != nil { @@ -126,7 +135,7 @@ func (k *Kubectl) AddNodeSelectorsToDeployment(ctx context.Context, selectors ma return nil } -// WaitForCRD waits for a list of CRDs to be established. +// WaitForCRDs waits for a list of CRDs to be established. func (k *Kubectl) WaitForCRDs(ctx context.Context, crds []string) error { client, err := k.clientGenerator.NewClient(k.kubeconfig) if err != nil { diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy.go b/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy.go index a8e96ce29..8d3679d0a 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/auditpolicy.go 
@@ -18,6 +18,7 @@ type AuditPolicy struct { Policy auditv1.Policy } +// NewDefaultAuditPolicy create a new default Constellation audit policty. func NewDefaultAuditPolicy() *AuditPolicy { return &AuditPolicy{ Policy: auditv1.Policy{ diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go b/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go index 5dc66a82a..bc43a1129 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go @@ -14,6 +14,7 @@ import ( meta "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// GCPGuestAgentDaemonset is a GCP Guest Agent Daemonset. type GCPGuestAgentDaemonset struct { DaemonSet apps.DaemonSet } diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go b/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go index 3198ee29a..3820ac8a9 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go @@ -28,20 +28,24 @@ const ( KonnectivityKeyFilename = "/etc/kubernetes/konnectivity.key" ) +// KonnectivityAgents bundles all necessary agent deployments. type KonnectivityAgents struct { DaemonSet appsv1.DaemonSet ClusterRoleBinding rbacv1.ClusterRoleBinding ServiceAccount corev1.ServiceAccount } +// KonnectivityServerStaticPod deployment. type KonnectivityServerStaticPod struct { StaticPod corev1.Pod } +// EgressSelectorConfiguration deployment. type EgressSelectorConfiguration struct { EgressSelectorConfiguration apiserver.EgressSelectorConfiguration } +// NewKonnectivityAgents create new KonnectivityAgents. func NewKonnectivityAgents(konnectivityServerAddress string) *KonnectivityAgents { return &KonnectivityAgents{ DaemonSet: appsv1.DaemonSet{ 
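Review bot: The new NewDefaultAuditPolicy comment has two typos, `create` → `creates` and `policty` → `policy`: `// NewDefaultAuditPolicy creates a new default Constellation audit policy.` The konnectivity.go hunk on this line has the same subject–verb slip in `NewKonnectivityAgents create new KonnectivityAgents` (→ `creates a new`), as does `NewKonnectivityServerStaticPod create a new` in the following hunk. Its `KonnectivityServerStaticPod deployment.` and `EgressSelectorConfiguration deployment.` comments are fragments that add nothing to the type name; the visible fields support `// KonnectivityServerStaticPod holds the static pod manifest of the konnectivity server.` and `// EgressSelectorConfiguration holds the API server egress selector configuration.`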
@@ -213,6 +217,7 @@ func NewKonnectivityAgents(konnectivityServerAddress string) *KonnectivityAgents } } +// NewKonnectivityServerStaticPod create a new KonnectivityServerStaticPod. func NewKonnectivityServerStaticPod() *KonnectivityServerStaticPod { udsHostPathType := corev1.HostPathDirectoryOrCreate return &KonnectivityServerStaticPod{ @@ -333,6 +338,7 @@ func NewKonnectivityServerStaticPod() *KonnectivityServerStaticPod { } } +// NewEgressSelectorConfiguration creates a new EgressSelectorConfiguration. func NewEgressSelectorConfiguration() *EgressSelectorConfiguration { return &EgressSelectorConfiguration{ EgressSelectorConfiguration: apiserver.EgressSelectorConfiguration{ @@ -357,19 +363,22 @@ func NewEgressSelectorConfiguration() *EgressSelectorConfiguration { } } +// Marshal to Kubernetes YAML. func (v *KonnectivityAgents) Marshal() ([]byte, error) { return kubernetes.MarshalK8SResources(v) } +// Marshal to Kubernetes YAML. func (v *KonnectivityServerStaticPod) Marshal() ([]byte, error) { return kubernetes.MarshalK8SResources(v) } +// Marshal to Kubernetes YAML. func (v *EgressSelectorConfiguration) Marshal() ([]byte, error) { return kubernetes.MarshalK8SResources(v) } -// GetCertificateRequest returns a certificate request and matching private key for the konnectivity server. +// GetKonnectivityCertificateRequest returns a certificate request and matching private key for the konnectivity server. func GetKonnectivityCertificateRequest() (certificateRequest []byte, privateKey []byte, err error) { csrTemplate := &x509.CertificateRequest{ Subject: pkix.Name{ diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/node_maintenance_operator.go b/bootstrapper/internal/kubernetes/k8sapi/resources/node_maintenance_operator.go index f2b575f2a..2bed0f358 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/node_maintenance_operator.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/node_maintenance_operator.go 
@@ -21,6 +21,7 @@ const ( nodeMaintenanceOperatorCatalogNamespace = "olm" ) +// NodeMaintenanceOperatorDeployment groups all deployments for node maintenance operator. type NodeMaintenanceOperatorDeployment struct { CatalogSource operatorsv1alpha1.CatalogSource OperatorGroup operatorsv1.OperatorGroup @@ -80,6 +81,7 @@ func NewNodeMaintenanceOperatorDeployment() *NodeMaintenanceOperatorDeployment { } } +// Marshal to Kubernetes YAML. func (c *NodeMaintenanceOperatorDeployment) Marshal() ([]byte, error) { return kubernetes.MarshalK8SResources(c) } diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go b/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go index 13b54b7bd..18c3cc9ea 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/node_operator.go @@ -30,6 +30,7 @@ var NodeOperatorCRDNames = []string{ "scalinggroups.update.edgeless.systems", } +// NodeOperatorDeployment groups all deployments for node operator. type NodeOperatorDeployment struct { CatalogSource operatorsv1alpha1.CatalogSource OperatorGroup operatorsv1.OperatorGroup @@ -93,6 +94,7 @@ func NewNodeOperatorDeployment(cloudProvider string, uid string) *NodeOperatorDe } } +// Marshal to Kubernetes YAML. func (c *NodeOperatorDeployment) Marshal() ([]byte, error) { return kubernetes.MarshalK8SResources(c) } diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go b/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go index c39924911..59bcafb2f 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go +++ b/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go 
@@ -21,12 +21,14 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" ) +// VerificationDaemonset groups all k8s resources for the verification service deployment. type VerificationDaemonset struct { DaemonSet apps.DaemonSet Service k8s.Service LoadBalancer k8s.Service } +// NewVerificationDaemonSet creates a new VerificationDaemonset. func NewVerificationDaemonSet(csp, loadBalancerIP string) *VerificationDaemonset { var err error if strings.Contains(loadBalancerIP, ":") { @@ -188,6 +190,7 @@ func NewVerificationDaemonSet(csp, loadBalancerIP string) *VerificationDaemonset } } +// Marshal to Kubernetes YAML. func (v *VerificationDaemonset) Marshal() ([]byte, error) { return kubernetes.MarshalK8SResources(v) } diff --git a/bootstrapper/internal/logging/logger.go b/bootstrapper/internal/logging/logger.go index ae7de6e79..626976918 100644 --- a/bootstrapper/internal/logging/logger.go +++ b/bootstrapper/internal/logging/logger.go @@ -19,10 +19,13 @@ type CloudLogger interface { io.Closer } +// NopLogger implements CloudLogger interface, but does nothing. type NopLogger struct{} +// Disclose does nothing. func (l *NopLogger) Disclose(msg string) {} +// Close does nothing. func (l *NopLogger) Close() error { return nil } diff --git a/cli/internal/cloudcmd/validators.go b/cli/internal/cloudcmd/validators.go index 86785393e..072d1a275 100644 --- a/cli/internal/cloudcmd/validators.go +++ b/cli/internal/cloudcmd/validators.go @@ -25,6 +25,7 @@ import ( "github.com/spf13/cobra" ) +// Validator validates Platform Configuration Registers (PCRs). type Validator struct { provider cloudprovider.Provider pcrs map[uint32][]byte @@ -35,6 +36,7 @@ type Validator struct { validator atls.Validator } +// NewValidator creates a new Validator. func NewValidator(provider cloudprovider.Provider, conf *config.Config) (*Validator, error) { v := Validator{} if provider == cloudprovider.Unknown { 
@@ -60,6 +62,7 @@ func NewValidator(provider cloudprovider.Provider, conf *config.Config) (*Valida return &v, nil } +// UpdateInitPCRs sets the owner and cluster PCR values. func (v *Validator) UpdateInitPCRs(ownerID, clusterID string) error { if err := v.updatePCR(uint32(vtpm.PCRIndexOwnerID), ownerID); err != nil { return err diff --git a/cli/internal/cmd/config.go b/cli/internal/cmd/config.go index af0118f22..b68cb9e67 100644 --- a/cli/internal/cmd/config.go +++ b/cli/internal/cmd/config.go @@ -10,6 +10,8 @@ import ( "github.com/spf13/cobra" ) +// NewConfigCmd creates a new config parent command. Config needs another +// verb, and does nothing on its own. func NewConfigCmd() *cobra.Command { cmd := &cobra.Command{ Use: "config", diff --git a/cli/internal/helm/loader.go b/cli/internal/helm/loader.go index 2be39c7f6..84723976c 100644 --- a/cli/internal/helm/loader.go +++ b/cli/internal/helm/loader.go @@ -32,8 +32,9 @@ import ( //go:generate ./generateCilium.sh //go:embed all:charts/* -var HelmFS embed.FS +var helmFS embed.FS +// ChartLoader loads embedded helm charts. type ChartLoader struct { joinServiceImage string kmsImage string @@ -42,6 +43,7 @@ type ChartLoader struct { autoscalerImage string } +// New creates a new ChartLoader. func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *ChartLoader { var ccmImage, cnmImage string switch csp { @@ -63,6 +65,7 @@ func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *Chart } } +// Load the embedded helm charts. func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool) ([]byte, error) { ciliumRelease, err := i.loadCilium(csp, conformanceMode) if err != nil { 
@@ -83,7 +86,7 @@ func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, mas } func (i *ChartLoader) loadCilium(csp cloudprovider.Provider, conformanceMode bool) (helm.Release, error) { - chart, err := loadChartsDir(HelmFS, "charts/cilium") + chart, err := loadChartsDir(helmFS, "charts/cilium") if err != nil { return helm.Release{}, fmt.Errorf("loading cilium chart: %w", err) } @@ -124,7 +127,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, ) (helm.Release, error) { - chart, err := loadChartsDir(HelmFS, "charts/edgeless/constellation-services") + chart, err := loadChartsDir(helmFS, "charts/edgeless/constellation-services") if err != nil { return helm.Release{}, fmt.Errorf("loading constellation-services chart: %w", err) } diff --git a/cli/internal/terraform/terraform.go b/cli/internal/terraform/terraform.go index f666b268f..93f801649 100644 --- a/cli/internal/terraform/terraform.go +++ b/cli/internal/terraform/terraform.go @@ -89,7 +89,7 @@ func (c *Client) CreateCluster( return ip, nil } -// DestroyInstances destroys a Constellation cluster using Terraform. +// DestroyCluster destroys a Constellation cluster using Terraform. func (c *Client) DestroyCluster(ctx context.Context) error { return c.tf.Destroy(ctx) } diff --git a/cli/internal/terraform/variables.go b/cli/internal/terraform/variables.go index b8cbc0e39..099124f4b 100644 --- a/cli/internal/terraform/variables.go +++ b/cli/internal/terraform/variables.go @@ -39,7 +39,7 @@ func (v *CommonVariables) String() string { return b.String() } -// GCPVariables is user configuration for creating a cluster with Terraform on GCP. +// AWSVariables is user configuration for creating a cluster with Terraform on GCP. type AWSVariables struct { // CommonVariables contains common variables. CommonVariables 
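Review bot: The renamed AWSVariables comment still ends with `on GCP`, so correcting the identifier left the description pointing at the wrong provider; it should read `// AWSVariables is user configuration for creating a cluster with Terraform on AWS.` The struct body continues outside the hunk.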
diff --git a/debugd/internal/debugd/constants.go b/debugd/internal/debugd/constants.go index 3aa036e82..d475ee862 100644 --- a/debugd/internal/debugd/constants.go +++ b/debugd/internal/debugd/constants.go @@ -8,6 +8,7 @@ package debugd import "time" +// Debugd internal constants. const ( DebugdMetadataFlag = "constellation-debugd" GRPCTimeout = 5 * time.Minute diff --git a/debugd/internal/debugd/deploy/service.go b/debugd/internal/debugd/deploy/service.go index 4112f2c35..8c45dd568 100644 --- a/debugd/internal/debugd/deploy/service.go +++ b/debugd/internal/debugd/deploy/service.go @@ -21,14 +21,21 @@ const ( systemdUnitFolder = "/run/systemd/system" ) +// SystemdAction encodes the available actions. +// //go:generate stringer -type=SystemdAction type SystemdAction uint32 const ( + // Unknown is the default SystemdAction and does nothing. Unknown SystemdAction = iota + // Start a systemd service. Start + // Stop a systemd service. Stop + // Restart a systemd service. Restart + // Reload a systemd service. Reload ) diff --git a/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go b/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go index 1f18347fa..c791dbead 100644 --- a/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go +++ b/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go @@ -30,12 +30,14 @@ type Fetcher struct { metaAPI providerMetadata } +// New creates a new Fetcher. func New(cloud providerMetadata) *Fetcher { return &Fetcher{ metaAPI: cloud, } } +// Role returns node role via meta data API. func (f *Fetcher) Role(ctx context.Context) (role.Role, error) { self, err := f.metaAPI.Self(ctx) if err != nil { 
@@ -71,6 +73,7 @@ func (f *Fetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) { return ips, nil } +// DiscoverLoadbalancerIP gets load balancer IP from metadata API. func (f *Fetcher) DiscoverLoadbalancerIP(ctx context.Context) (string, error) { lbEndpoint, err := f.metaAPI.GetLoadBalancerEndpoint(ctx) if err != nil { diff --git a/debugd/internal/debugd/metadata/fallback/fallback.go b/debugd/internal/debugd/metadata/fallback/fallback.go index 6e2f3ea82..c37db6b20 100644 --- a/debugd/internal/debugd/metadata/fallback/fallback.go +++ b/debugd/internal/debugd/metadata/fallback/fallback.go @@ -16,22 +16,22 @@ import ( // Fetcher implements metadata.Fetcher interface but does not actually fetch cloud provider metadata. type Fetcher struct{} +// Role for fallback fetcher does not try to fetch role. func (f Fetcher) Role(_ context.Context) (role.Role, error) { - // Fallback fetcher does not try to fetch role return role.Unknown, nil } +// DiscoverDebugdIPs for fallback fetcher does not try to discover debugd IPs. func (f Fetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) { - // Fallback fetcher does not try to discover debugd IPs return nil, nil } +// DiscoverLoadbalancerIP for fallback fetcher does not try to discover loadbalancer IP. func (f Fetcher) DiscoverLoadbalancerIP(ctx context.Context) (string, error) { - // Fallback fetcher does not try to discover loadbalancer IP return "", nil } +// FetchSSHKeys for fallback fetcher does not try to fetch ssh keys. func (f Fetcher) FetchSSHKeys(ctx context.Context) ([]ssh.UserKey, error) { - // Fallback fetcher does not try to fetch ssh keys return nil, nil } diff --git a/disk-mapper/internal/setup/setup.go b/disk-mapper/internal/setup/setup.go index c01714594..a48ce75ca 100644 --- a/disk-mapper/internal/setup/setup.go +++ b/disk-mapper/internal/setup/setup.go 
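Review bot: The new fallback.go doc comments (`Role for fallback fetcher does not try to fetch role.` and the three siblings) read as fragments; stating the returned value is more useful and is fully visible in each body, e.g. `// Role always returns role.Unknown; the fallback fetcher contacts no metadata API.` and `// DiscoverDebugdIPs always returns nil without contacting any metadata API.` The hunk also leaves the unused context parameter named `_` in Role but `ctx` in DiscoverDebugdIPs, DiscoverLoadbalancerIP and FetchSSHKeys; naming all four `_` makes the no-op intent visible at the signature. The cloudprovider.go hunk on this line is unaffected.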
@@ -160,14 +160,17 @@ func (s *Manager) saveConfiguration(passphrase []byte) error {
 return s.config.Generate(stateDiskMappedName, s.diskPath, filepath.Join(keyPath, keyFile), cryptsetupOptions)
 }
+// RecoveryServer interface serves a recovery server.
 type RecoveryServer interface {
 Serve(context.Context, net.Listener, string) (key, secret []byte, err error)
 }
+// RejoinClient interface starts a rejoin client.
 type RejoinClient interface {
 Start(context.Context, string) (key, secret []byte)
 }
+// NodeRecoverer bundles a RecoveryServer and RejoinClient.
 type NodeRecoverer struct {
 recoveryServer RecoveryServer
 rejoinClient RejoinClient
diff --git a/hack/azure-snp-report-verify/verify.go b/hack/azure-snp-report-verify/verify.go
index d7ee1cbc1..e99453a9a 100644
--- a/hack/azure-snp-report-verify/verify.go
+++ b/hack/azure-snp-report-verify/verify.go
@@ -23,6 +23,7 @@ import (
 "gopkg.in/square/go-jose.v2/jwt"
 )
+// IsolationTEE describes an Azure SNP TEE.
 type IsolationTEE struct {
 IDKeyDigest string `json:"x-ms-sevsnpvm-idkeydigest"`
 TEESvn int `json:"x-ms-sevsnpvm-tee-svn"`
@@ -32,6 +33,7 @@ type IsolationTEE struct {
 GuestSvn int `json:"x-ms-sevsnpvm-guestsvn"`
 }
+// PrintSVNs prints the relevant Security Version Numbers (SVNs).
 func (i *IsolationTEE) PrintSVNs() {
 fmt.Println("\tTEE SVN:", i.TEESvn)
 fmt.Println("\tSNP FW SVN:", i.SNPFwSvn)
diff --git a/hack/build-manifest/azure/client.go b/hack/build-manifest/azure/client.go
index 2f4f9126b..c3a2351ba 100644
--- a/hack/build-manifest/azure/client.go
+++ b/hack/build-manifest/azure/client.go
@@ -17,12 +17,14 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/logger"
 )
+// Client for Azure Gallery API.
 type Client struct {
 log *logger.Logger
 opts Options
 versionClient *armcompute.GalleryImageVersionsClient
 }
+// NewClient creates a new Client.
 func NewClient(log *logger.Logger, opts Options) *Client {
 log = log.Named("azure-client")
@@ -43,6 +45,7 @@ func NewClient(log *logger.Logger, opts Options) *Client {
 }
 }
+// FetchImages for the given client options.
 func (c *Client) FetchImages(ctx context.Context) (map[string]string, error) {
 ctx, cancel := context.WithTimeout(ctx, time.Second*5)
 defer cancel()
diff --git a/hack/build-manifest/azure/options.go b/hack/build-manifest/azure/options.go
index 9ec31309a..5040b8222 100644
--- a/hack/build-manifest/azure/options.go
+++ b/hack/build-manifest/azure/options.go
@@ -13,11 +13,15 @@ import (
 )
 const (
+ // DefaultResourceGroupName to find Constellation images in.
 DefaultResourceGroupName = "CONSTELLATION-IMAGES"
- DefaultGalleryName = "Constellation_CVM"
- DefaultImageDefinition = "constellation"
+ // DefaultGalleryName to find Constellation images in.
+ DefaultGalleryName = "Constellation_CVM"
+ // DefaultImageDefinition to find Constellation images in.
+ DefaultImageDefinition = "constellation"
 )
+// Options for Azure Client to download image references.
 type Options struct {
 SubscriptionID string
 ResourceGroupName string
@@ -25,6 +29,7 @@ type Options struct {
 ImageDefinition string
 }
+// DefaultOptions creates an Options object with good defaults.
 func DefaultOptions() Options {
 return Options{
 SubscriptionID: "",
@@ -34,6 +39,7 @@ func DefaultOptions() Options {
 }
 }
+// SetSubscription sets subscription from string. It expects a UUID conform value.
 func (o *Options) SetSubscription(sub string) error {
 if _, err := uuid.Parse(sub); err != nil {
 return fmt.Errorf("unable to set subscription: %w", err)
diff --git a/hack/build-manifest/gcp/client.go b/hack/build-manifest/gcp/client.go
index 0d9bb99f1..c568f3e36 100644
--- a/hack/build-manifest/gcp/client.go
+++ b/hack/build-manifest/gcp/client.go
@@ -16,12 +16,14 @@ import (
 computepb "google.golang.org/genproto/googleapis/cloud/compute/v1"
 )
+// Client for GCP Image API.
 type Client struct {
 client *compute.ImagesClient
 log *logger.Logger
 opts Options
 }
+// NewClient creates a new Client.
 func NewClient(ctx context.Context, log *logger.Logger, opts Options) *Client {
 client, err := compute.NewImagesRESTClient(ctx)
 if err != nil {
@@ -35,10 +37,12 @@ func NewClient(ctx context.Context, log *logger.Logger, opts Options) *Client {
 }
 }
+// Close the GCP client.
 func (c *Client) Close() error {
 return c.client.Close()
 }
+// FetchImages for the given client options.
 func (c *Client) FetchImages(ctx context.Context) (map[string]string, error) {
 imgIterator := c.client.List(ctx, &computepb.ListImagesRequest{
 Project: c.opts.ProjectID,
diff --git a/hack/build-manifest/gcp/options.go b/hack/build-manifest/gcp/options.go
index 2e01c76e4..57ad738a1 100644
--- a/hack/build-manifest/gcp/options.go
+++ b/hack/build-manifest/gcp/options.go
@@ -13,16 +13,20 @@ import (
 )
 const (
- DefaultProjectID = "constellation-images"
+ // DefaultProjectID for Constellation images.
+ DefaultProjectID = "constellation-images"
+ // DefaultImageFamily for Constellation images.
 DefaultImageFamily = "constellation"
 )
+// Options for GCP image API client.
 type Options struct {
 ProjectID string
 ImageFamily string
 Filter func(image string) (version string, err error)
 }
+// DefaultOptions creates an Options object with good defaults.
 func DefaultOptions() Options {
 return Options{
 ProjectID: DefaultProjectID,
diff --git a/hack/build-manifest/main.go b/hack/build-manifest/main.go
index 566014c95..a10e85c0a 100644
--- a/hack/build-manifest/main.go
+++ b/hack/build-manifest/main.go
@@ -18,6 +18,7 @@ import (
 )
 const (
+ // AzureSubscriptionIDEnv environment variable to provide Azure Subscription ID with.
 AzureSubscriptionIDEnv = "AZURE_SUBSCRIPTION_ID"
 )
diff --git a/hack/build-manifest/manifest.go b/hack/build-manifest/manifest.go
index 9742ec951..68c9a71ba 100644
--- a/hack/build-manifest/manifest.go
+++ b/hack/build-manifest/manifest.go
@@ -8,10 +8,12 @@ package main
 import "encoding/json"
+// Manifest contains all Constellation releases.
 type Manifest struct {
 releases map[string]Images
 }
+// Images for all supported cloud providers.
 type Images struct {
 AzureOSImage string `json:"AzureOSImage"`
 GCPOSImage string `json:"GCPOSImage"`
@@ -50,10 +52,12 @@ func OldManifests() Manifest {
 }
 }
+// MarshalJSON marshals releases to JSON.
 func (m *Manifest) MarshalJSON() ([]byte, error) {
 return json.Marshal(m.releases)
 }
+// SetAzureImage for a given version.
 func (m *Manifest) SetAzureImage(version string, image string) {
 if release, ok := m.releases[version]; !ok {
 images := Images{AzureOSImage: image}
@@ -64,6 +68,7 @@ func (m *Manifest) SetAzureImage(version string, image string) {
 }
 }
+// SetGCPImage for a given version.
 func (m *Manifest) SetGCPImage(version string, image string) {
 if release, ok := m.releases[version]; !ok {
 images := Images{GCPOSImage: image}
diff --git a/hack/image-measurement/server/server.go b/hack/image-measurement/server/server.go
index 3f9351600..3783c3804 100644
--- a/hack/image-measurement/server/server.go
+++ b/hack/image-measurement/server/server.go
@@ -16,6 +16,7 @@ import (
 "go.uber.org/zap"
 )
+// Server provides measurements.
 type Server struct {
 log *logger.Logger
 server http.Server
@@ -23,6 +24,7 @@ type Server struct {
 done chan<- struct{}
 }
+// New creates a new Server.
 func New(log *logger.Logger, done chan<- struct{}) *Server {
 return &Server{
 log: log,
@@ -30,6 +32,7 @@ func New(log *logger.Logger, done chan<- struct{}) *Server {
 }
 }
+// ListenAndServe on given port.
 func (s *Server) ListenAndServe(port string) error {
 mux := http.NewServeMux()
 mux.Handle("/pcrs", http.HandlerFunc(s.logPCRs))
@@ -46,6 +49,7 @@ func (s *Server) ListenAndServe(port string) error {
 return s.server.Serve(lis)
 }
+// Shutdown server.
 func (s *Server) Shutdown() error {
 return s.server.Shutdown(context.Background())
 }
@@ -84,6 +88,7 @@ func (s *Server) logPCRs(w http.ResponseWriter, r *http.Request) {
 s.done <- struct{}{}
 }
+// GetMeasurements returns the static measurements for QEMU environment.
 func (s *Server) GetMeasurements() map[uint32][]byte {
 return s.measurements
 }
diff --git a/hack/pcr-reader/main.go b/hack/pcr-reader/main.go
index cc5ff5bd4..3bf62d0c3 100644
--- a/hack/pcr-reader/main.go
+++ b/hack/pcr-reader/main.go
@@ -68,6 +68,7 @@ func main() {
 }
 }
+// Measurements contains all PCR values.
 type Measurements map[uint32][]byte
 var _ yaml.Marshaler = Measurements{}
diff --git a/hack/pseudo-version/internal/git/git.go b/hack/pseudo-version/internal/git/git.go
index 7b53c7927..34f571363 100644
--- a/hack/pseudo-version/internal/git/git.go
+++ b/hack/pseudo-version/internal/git/git.go
@@ -23,10 +23,12 @@ var (
 tagReference = regexp.MustCompile(`^refs/tags/([^/]+)$`)
 )
+// Git represents a git repository.
 type Git struct {
 repo *git.Repository
 }
+// New opens the git repository in current directory.
 func New() (*Git, error) {
 repo, err := git.PlainOpenWithOptions("", &git.PlainOpenOptions{DetectDotGit: true})
 return &Git{repo: repo}, err
@@ -106,6 +108,7 @@ func (g *Git) ParsedBranchName() (string, error) {
 return strings.TrimSuffix(branch, "-"), nil
 }
+// BranchName of current HEAD.
 func (g *Git) BranchName() (string, error) {
 commitRef, err := g.repo.Head()
 if err != nil {
diff --git a/hack/qemu-metadata-api/server/server.go b/hack/qemu-metadata-api/server/server.go
index 8672d4a4f..90f51e98f 100644
--- a/hack/qemu-metadata-api/server/server.go
+++ b/hack/qemu-metadata-api/server/server.go
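Review bot: The doc comment added for New in git.go says it opens the repository "in current directory", but the visible call passes `DetectDotGit: true`, which also searches parent directories, and on error the function still hands back a non-nil `*Git` next to the error. I'd document what the code does, `// New opens the git repository that contains the current directory, searching parent directories for .git.`, and avoid the half-built value with `if err != nil { return nil, err }` followed by `return &Git{repo: repo}, nil`, so a caller that ignores the error cannot dereference a Git with a nil repo.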
@@ -21,12 +21,14 @@ import (
 "go.uber.org/zap"
 )
+// Server that provides QEMU metadata.
 type Server struct {
 log *logger.Logger
 virt virConnect
 network string
 }
+// New creates a new Server.
 func New(log *logger.Logger, network string, conn virConnect) *Server {
 return &Server{
 log: log,
@@ -35,6 +37,7 @@ func New(log *logger.Logger, network string, conn virConnect) *Server {
 }
 }
+// ListenAndServe on a given port.
 func (s *Server) ListenAndServe(port string) error {
 mux := http.NewServeMux()
 mux.Handle("/self", http.HandlerFunc(s.listSelf))
diff --git a/hack/qemu-metadata-api/virtwrapper/virtwrapper.go b/hack/qemu-metadata-api/virtwrapper/virtwrapper.go
index d641b0ded..7b82ffb83 100644
--- a/hack/qemu-metadata-api/virtwrapper/virtwrapper.go
+++ b/hack/qemu-metadata-api/virtwrapper/virtwrapper.go
@@ -8,10 +8,12 @@ package virtwrapper
 import "libvirt.org/go/libvirt"
+// Connect wraps a libvirt connection.
 type Connect struct {
 Conn *libvirt.Connect
 }
+// LookupNetworkByName looks up a network by name.
 func (c *Connect) LookupNetworkByName(name string) (*Network, error) {
 net, err := c.Conn.LookupNetworkByName(name)
 if err != nil {
@@ -20,14 +22,17 @@ func (c *Connect) LookupNetworkByName(name string) (*Network, error) {
 return &Network{Net: net}, nil
 }
+// Network wraps a libvirt network.
 type Network struct {
 Net virNetwork
 }
+// GetDHCPLeases returns the underlying DHCP leases.
 func (n *Network) GetDHCPLeases() ([]libvirt.NetworkDHCPLease, error) {
 return n.Net.GetDHCPLeases()
 }
+// Free the network resource.
 func (n *Network) Free() {
 _ = n.Net.Free()
 }
diff --git a/internal/atls/atls.go b/internal/atls/atls.go
index 9d3ed0857..999598ce0 100644
--- a/internal/atls/atls.go
+++ b/internal/atls/atls.go
@@ -69,11 +69,13 @@ func CreateAttestationClientTLSConfig(issuer Issuer, validators []Validator) (*t
 }, nil
 }
+// Issuer issues an attestation document.
 type Issuer interface {
 oid.Getter
 Issue(userData []byte, nonce []byte) (quote []byte, err error)
 }
+// Validator is able to validate an attestation document.
 type Validator interface {
 oid.Getter
 Validate(attDoc []byte, nonce []byte) ([]byte, error)
diff --git a/internal/attestation/aws/issuer.go b/internal/attestation/aws/issuer.go
index 56c8d2992..659886b82 100644
--- a/internal/attestation/aws/issuer.go
+++ b/internal/attestation/aws/issuer.go
@@ -27,6 +27,7 @@ type Issuer struct {
 *vtpm.Issuer
 }
+// NewIssuer creates a new OpenVTPM based issuer for AWS.
 func NewIssuer() *Issuer {
 return &Issuer{
 Issuer: vtpm.NewIssuer(
diff --git a/internal/attestation/azure/snp/README.md b/internal/attestation/azure/snp/README.md
new file mode 100644
index 000000000..61479e52b
--- /dev/null
+++ b/internal/attestation/azure/snp/README.md
@@ -0,0 +1,19 @@
+# SNP
+
+## Glosssary
+
+This section explains abbreviations used in SNP implementation.
+
+### Attestation Key (AK)
+
+### AMD Root Key (ARK)
+
+### AMD Signing Key (ASK)
+
+### Versioned Chip Endorsement Key (VCEK)
+
+For more information see [SNP WhitePaper](https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf)
+
+### Host (Hardware?) Compatibility Layer (HCL)
+
+No public information. Azure compute API has a field `isHostCompatibilityLayerVm`, with only a [single sentence of documentation](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows).
diff --git a/internal/attestation/azure/snp/validator.go b/internal/attestation/azure/snp/validator.go
index 9395ec28e..a4185d885 100644
--- a/internal/attestation/azure/snp/validator.go
+++ b/internal/attestation/azure/snp/validator.go
@@ -311,6 +311,9 @@ func (a *azureInstanceInfo) validateAk(runtimeDataRaw []byte, reportData []byte,
 return nil
 }
+// HCLAkValidator validates an attestation key issued by the Host Compatibility Layer (HCL).
+// The HCL is written by Azure, and sits between the Hypervisor and CVM OS.
+// The HCL runs in the protected context of the CVM.
 type HCLAkValidator interface {
 validateAk(runtimeDataRaw []byte, reportData []byte, rsaParameters *tpm2.RSAParams) error
 }
diff --git a/internal/cloud/azure/logger.go b/internal/cloud/azure/logger.go
index 443cb3375..f4c4c85f5 100644
--- a/internal/cloud/azure/logger.go
+++ b/internal/cloud/azure/logger.go
@@ -14,6 +14,8 @@ import (
 "github.com/microsoft/ApplicationInsights-Go/appinsights"
 )
+// Logger implements CloudLogger interface for Azure to Disclose early boot
+// logs into Azure's App Insights service.
 type Logger struct {
 client appinsights.TelemetryClient
 }
diff --git a/internal/cloud/cloudprovider/cloudprovider.go b/internal/cloud/cloudprovider/cloudprovider.go
index 0365ff546..e578e8783 100644
--- a/internal/cloud/cloudprovider/cloudprovider.go
+++ b/internal/cloud/cloudprovider/cloudprovider.go
@@ -17,10 +17,15 @@ import (
 type Provider uint32
 const (
+ // Unknown is default value for Provider.
 Unknown Provider = iota
+ // AWS is Amazon Web Services.
 AWS
+ // Azure cloud.
 Azure
+ // GCP is Google Compute Platform.
 GCP
+ // QEMU for a local emulated installation.
 QEMU
 )
diff --git a/internal/cloud/gcp/logger.go b/internal/cloud/gcp/logger.go
index 50e66cf50..c366c63dd 100644
--- a/internal/cloud/gcp/logger.go
+++ b/internal/cloud/gcp/logger.go
@@ -15,6 +15,7 @@ import (
 "cloud.google.com/go/logging"
 )
+// Logger logs to GCP cloud logging. Do not use to log sensitive information.
 type Logger struct {
 client *logging.Client
 logger *log.Logger
diff --git a/internal/cloud/gcpshared/serviceaccountkey.go b/internal/cloud/gcpshared/serviceaccountkey.go
index 14d250924..bb90cdde2 100644
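Review bot: The new HCLAkValidator comment in validator.go leaves out the one property a reader of the generated docs cannot see: its only method, validateAk, is unexported, so the exported interface can be satisfied only by types inside this package, and external callers cannot supply their own AK validator. I'd add `// Only types within this package can implement HCLAkValidator, because validateAk is unexported.` to the doc comment so the restriction is deliberate rather than surprising. The validateAk method whose tail forms the hunk's context begins outside the hunk.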
--- a/internal/cloud/gcpshared/serviceaccountkey.go
+++ b/internal/cloud/gcpshared/serviceaccountkey.go
@@ -25,6 +25,7 @@ type ServiceAccountKey struct {
 ClientX509CertURL string `json:"client_x509_cert_url"`
 }
+// ServiceAccountKeyFromURI parses ServiceAccountKey from URI.
 func ServiceAccountKeyFromURI(serviceAccountURI string) (ServiceAccountKey, error) {
 uri, err := url.Parse(serviceAccountURI)
 if err != nil {
diff --git a/internal/cloud/metadata/metadata.go b/internal/cloud/metadata/metadata.go
index dacad4836..daabd6a8f 100644
--- a/internal/cloud/metadata/metadata.go
+++ b/internal/cloud/metadata/metadata.go
@@ -35,11 +35,13 @@ type InstanceMetadata struct {
 AliasIPRanges []string
 }
+// InstanceSelfer provide instance metadata about themselves.
 type InstanceSelfer interface {
 // Self retrieves the current instance.
 Self(ctx context.Context) (InstanceMetadata, error)
 }
+// InstanceLister list information about instance metadata.
 type InstanceLister interface {
 // List retrieves all instances belonging to the current constellation.
 List(ctx context.Context) ([]InstanceMetadata, error)
diff --git a/internal/cloud/vmtype/vmtype.go b/internal/cloud/vmtype/vmtype.go
index 036d090e8..c2088e4fb 100644
--- a/internal/cloud/vmtype/vmtype.go
+++ b/internal/cloud/vmtype/vmtype.go
@@ -14,8 +14,11 @@ import "strings"
 type VMType uint32
 const (
+ // Unknown is the default value for VMType and should not be used.
 Unknown VMType = iota
+ // AzureCVM is an Azure Confidential Virtual Machine (CVM).
 AzureCVM
+ // AzureTrustedLaunch is an Azure Trusted Launch VM.
 AzureTrustedLaunch
 )
diff --git a/internal/config/config.go b/internal/config/config.go
index 4be50f6d2..c93ef5074 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -28,6 +28,7 @@ import (
 )
 const (
+ // Version1 is the first version number for Constellation config file.
 Version1 = "v1"
 )
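Review bot: The two interface comments added in metadata.go have subject/verb disagreement and do not describe what the methods return: `// InstanceSelfer provide instance metadata about themselves.` and `// InstanceLister list information about instance metadata.`. Suggest `// InstanceSelfer provides the metadata of the calling instance.` and `// InstanceLister lists the metadata of all instances of the current constellation.`, which mirrors the existing Self and List method comments in the same hunk.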
@@ -217,6 +218,7 @@ type GCPConfig struct {
 EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
 }
+// QEMUConfig holds config information for QEMU based Constellation deployments.
 type QEMUConfig struct {
 // description: |
 // Path to the image to use for the VMs.
@@ -538,6 +540,7 @@ func (c *Config) Image() string {
 return ""
 }
+// UpdateMeasurements overwrites measurements in config with the provided ones.
 func (c *Config) UpdateMeasurements(newMeasurements Measurements) {
 if c.Provider.AWS != nil {
 c.Provider.AWS.Measurements.CopyFrom(newMeasurements)
@@ -612,6 +615,7 @@ func (c *Config) IsAzureNonCVM() bool {
 return c.Provider.Azure != nil && c.Provider.Azure.ConfidentialVM != nil && !*c.Provider.Azure.ConfidentialVM
 }
+// EnforcesIDKeyDigest checks whether ID Key Digest should be enforced for respective cloud provider.
 func (c *Config) EnforcesIDKeyDigest() bool {
 return c.Provider.Azure != nil && c.Provider.Azure.EnforceIDKeyDigest != nil && *c.Provider.Azure.EnforceIDKeyDigest
 }
diff --git a/internal/config/images_oss.go b/internal/config/images_oss.go
index e681a1d88..f99c63933 100644
--- a/internal/config/images_oss.go
+++ b/internal/config/images_oss.go
@@ -9,6 +9,8 @@ SPDX-License-Identifier: AGPL-3.0-only
 package config
 const (
+ // DefaultImageAzure is not set for OSS build.
 DefaultImageAzure = ""
- DefaultImageGCP = ""
+ // DefaultImageGCP is not set for OSS build.
+ DefaultImageGCP = ""
 )
diff --git a/internal/config/instancetypes/aws.go b/internal/config/instancetypes/aws.go
index 26f528bec..483ad743d 100644
--- a/internal/config/instancetypes/aws.go
+++ b/internal/config/instancetypes/aws.go
@@ -6,7 +6,8 @@ SPDX-License-Identifier: AGPL-3.0-only
 package instancetypes
-// Derived from: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html (Last updated: October 20th, 2022).
+// AWSSupportedInstanceFamilies is derived from:
+// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-prerequisites.html (Last updated: October 20th, 2022).
 var AWSSupportedInstanceFamilies = []string{
 "C5",
 "C5a",
diff --git a/internal/config/measurements.go b/internal/config/measurements.go
index a82891e3b..5c903b20e 100644
--- a/internal/config/measurements.go
+++ b/internal/config/measurements.go
@@ -22,6 +22,7 @@ import (
 "gopkg.in/yaml.v2"
 )
+// Measurements are Platform Configuration Register (PCR) values.
 type Measurements map[uint32][]byte
 var (
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 1c2346b04..1b11cb524 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -35,38 +35,54 @@ const (
 // JoinServicePort is the port for reaching the join service within Kubernetes.
 JoinServicePort = 9090
 // JoinServiceNodePort is the port for reaching the join service outside of Kubernetes.
- JoinServiceNodePort = 30090
- VerifyServicePortHTTP = 8080
- VerifyServicePortGRPC = 9090
+ JoinServiceNodePort = 30090
+ // VerifyServicePortHTTP HTTP port for verification service.
+ VerifyServicePortHTTP = 8080
+ // VerifyServicePortGRPC GRPC port for verification service.
+ VerifyServicePortGRPC = 9090
+ // VerifyServiceNodePortHTTP HTTP node port for verification service.
 VerifyServiceNodePortHTTP = 30080
+ // VerifyServiceNodePortGRPC GRPC node port for verification service.
 VerifyServiceNodePortGRPC = 30081
 // KMSPort is the port the KMS server listens on.
- KMSPort = 9000
+ KMSPort = 9000
+ // BootstrapperPort port of bootstrapper.
 BootstrapperPort = 9000
- KubernetesPort = 6443
- RecoveryPort = 9999
- EnclaveSSHPort = 2222
- SSHPort = 22
- NVMEOverTCPPort = 8009
- DebugdPort = 4000
+ // KubernetesPort port for Kubernetes API.
+ KubernetesPort = 6443
+ // RecoveryPort port for Constellation recovery server.
+ RecoveryPort = 9999
+ // SSHPort port for SSH access.
+ SSHPort = 22
+ // DebugdPort port for debugd process.
+ DebugdPort = 4000
+ // KonnectivityPort port for konnectivity k8s service.
 KonnectivityPort = 8132
- // Default NodePort Range
+ // NodePortFrom start of range to use for K8s node port
 // https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
 NodePortFrom = 30000
- NodePortTo = 32767
+ // NodePortTo end of range to use for K8s node port
+ // https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ NodePortTo = 32767
 //
 // Filenames.
 //
- ClusterIDsFileName = "constellation-id.json"
- ConfigFilename = "constellation-conf.yaml"
- LicenseFilename = "constellation.license"
- DebugdConfigFilename = "cdbg-conf.yaml"
- AdminConfFilename = "constellation-admin.conf"
- MasterSecretFilename = "constellation-mastersecret.json"
+
+ // ClusterIDsFileName filename that contains Constellation clusterID and IP.
+ ClusterIDsFileName = "constellation-id.json"
+ // ConfigFilename filename of Constellation config file.
+ ConfigFilename = "constellation-conf.yaml"
+ // LicenseFilename filename of Constellation license file.
+ LicenseFilename = "constellation.license"
+ // AdminConfFilename filename of KubeConfig for admin access to Constellation.
+ AdminConfFilename = "constellation-admin.conf"
+ // MasterSecretFilename filename of Constellation mastersecret.
+ MasterSecretFilename = "constellation-mastersecret.json"
+ // ControlPlaneAdminConfFilename filepath to control plane kubernetes admin config.
 ControlPlaneAdminConfFilename = "/etc/kubernetes/admin.conf"
- KubeadmCertificateDir = "/etc/kubernetes/pki"
- KubectlPath = "/run/state/bin/kubectl"
+ // KubectlPath path to kubectl binary.
+ KubectlPath = "/run/state/bin/kubectl"
 //
 // Filenames for Constellation's micro services.
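Review bot: The new comments on `KMSPort = 9000` and `BootstrapperPort = 9000` in constants.go make the shared port number visible without explaining it; if the two listeners are never bound on the same node (I cannot tell from this hunk), say so where the reader will look, e.g. `// BootstrapperPort port of bootstrapper; intentionally equal to KMSPort, the two never run on the same node.`, otherwise the next reader will file it as a bug. Most of the added comments are also name-plus-fragment (`// VerifyServicePortHTTP HTTP port for verification service.`); writing them as sentences, `// VerifyServicePortHTTP is the HTTP port of the verification service.`, keeps them in line with the existing JoinServicePort and KMSPort comments in the same block. The const block starts before and ends after this hunk.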
@@ -95,22 +111,29 @@ const (
 // CLI.
 //
+ // MinControllerCount is the minimum number of control nodes.
 MinControllerCount = 1
- MinWorkerCount = 1
+ // MinWorkerCount is the minimum number of worker nodes.
+ MinWorkerCount = 1
 //
 // Kubernetes.
 //
+ // KubernetesJoinTokenTTL time to live for Kubernetes join token.
 KubernetesJoinTokenTTL = 15 * time.Minute
+ // ConstellationNamespace namespace to deploy Constellation components into.
 ConstellationNamespace = "kube-system"
- JoinConfigMap = "join-config"
- InternalConfigMap = "internal-config"
+ // JoinConfigMap k8s config map with node join config.
+ JoinConfigMap = "join-config"
+ // InternalConfigMap k8s config map with internal Constellation config.
+ InternalConfigMap = "internal-config"
 //
 // Helm.
 //
+ // HelmNamespace namespace for helm charts.
 HelmNamespace = "kube-system"
 //
diff --git a/internal/crds/crds.go b/internal/crds/crds.go
index c4831a544..1fc295412 100644
--- a/internal/crds/crds.go
+++ b/internal/crds/crds.go
@@ -9,8 +9,16 @@ package crds
 import _ "embed"
 var (
+ // OLMCRDs contains olmCRDs.yaml from [OLM Release].
+ //
+ // [OLM Release]: https://github.com/operator-framework/operator-lifecycle-manager/releases
+ //
+ //go:embed olmCRDs.yaml
 OLMCRDs []byte
+ // OLM contains olm.yaml from [OLM Release].
+ //
+ // [OLM Release]: https://github.com/operator-framework/operator-lifecycle-manager/releases
+ //
+ //go:embed olmDeployment.yaml
 OLM []byte
 )
diff --git a/internal/crypto/crypto.go b/internal/crypto/crypto.go
index 003645e67..84a7aae8a 100644
--- a/internal/crypto/crypto.go
+++ b/internal/crypto/crypto.go
@@ -20,6 +20,7 @@ import (
 )
 const (
+ // StateDiskKeyLength is key length in bytes for node state disk.
 StateDiskKeyLength = 32
 // DerivedKeyLengthDefault is the default length in bytes for KMS derived keys.
 DerivedKeyLengthDefault = 32
diff --git a/internal/deploy/helm/helm.go b/internal/deploy/helm/helm.go
index 69ffea5ec..7f7d21899 100644
--- a/internal/deploy/helm/helm.go
+++ b/internal/deploy/helm/helm.go
@@ -14,6 +14,7 @@ type Release struct {
 Wait bool
 }
+// Releases bundles all helm releases to be deployed to Constellation.
 type Releases struct {
 Cilium Release
 ConstellationServices Release
diff --git a/internal/file/file.go b/internal/file/file.go
index 6abae55ca..ab08e5079 100644
--- a/internal/file/file.go
+++ b/internal/file/file.go
@@ -49,9 +49,12 @@ const (
 )
 var (
- OptNone = Option{optNone}
+ // OptNone is a no-op.
+ OptNone = Option{optNone}
+ // OptOverwrite overwrites an existing file.
 OptOverwrite = Option{optOverwrite}
- OptMkdirAll = Option{optMkdirAll}
+ // OptMkdirAll creates the path to the file.
+ OptMkdirAll = Option{optMkdirAll}
 )
 // Handler handles file interaction.
diff --git a/internal/grpc/atlscredentials/atlscredentials.go b/internal/grpc/atlscredentials/atlscredentials.go
index 4b0a6e19e..512c026fd 100644
--- a/internal/grpc/atlscredentials/atlscredentials.go
+++ b/internal/grpc/atlscredentials/atlscredentials.go
@@ -15,11 +15,13 @@ import (
 "google.golang.org/grpc/credentials"
 )
+// Credentials for attested TLS (ATLS).
 type Credentials struct {
 issuer atls.Issuer
 validators []atls.Validator
 }
+// New creates new ATLS Credentials.
 func New(issuer atls.Issuer, validators []atls.Validator) *Credentials {
 return &Credentials{
 issuer: issuer,
@@ -27,6 +29,7 @@ func New(issuer atls.Issuer, validators []atls.Validator) *Credentials {
 }
 }
+// ClientHandshake performs the client handshake.
 func (c *Credentials) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
 clientCfg, err := atls.CreateAttestationClientTLSConfig(c.issuer, c.validators)
 if err != nil {
@@ -36,6 +39,7 @@ func (c *Credentials) ClientHandshake(ctx context.Context, authority string, raw
 return credentials.NewTLS(clientCfg).ClientHandshake(ctx, authority, rawConn)
 }
+// ServerHandshake performs the server handshake.
 func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
 serverCfg, err := atls.CreateAttestationServerTLSConfig(c.issuer, c.validators)
 if err != nil {
@@ -45,15 +49,18 @@ func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.A
 return credentials.NewTLS(serverCfg).ServerHandshake(rawConn)
 }
+// Info provides information about the protocol.
 func (c *Credentials) Info() credentials.ProtocolInfo {
 return credentials.NewTLS(nil).Info()
 }
+// Clone the credentials object.
 func (c *Credentials) Clone() credentials.TransportCredentials {
 cloned := *c
 return &cloned
 }
+// OverrideServerName is not supported and will fail.
 func (c *Credentials) OverrideServerName(s string) error {
 return errors.New("cannot override server name")
 }
diff --git a/internal/license/checker_oss.go b/internal/license/checker_oss.go
index 13160c5f8..2aff1b08b 100644
--- a/internal/license/checker_oss.go
+++ b/internal/license/checker_oss.go
@@ -16,8 +16,10 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/file"
 )
+// Checker checks the Constellation license.
 type Checker struct{}
+// NewChecker creates a new Checker.
 func NewChecker(quotaChecker QuotaChecker, fileHandler file.Handler) *Checker {
 return &Checker{}
 }
diff --git a/internal/license/file.go b/internal/license/file.go
index 53d2987de..97bd0b0c3 100644
--- a/internal/license/file.go
+++ b/internal/license/file.go
@@ -13,6 +13,7 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/file"
 )
+// FromFile reads the license from fileHandler at path and returns it as a string.
 func FromFile(fileHandler file.Handler, path string) (string, error) {
 readBytes, err := fileHandler.Read(path)
 if err != nil {
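Review bot: `// Clone the credentials object.` in atlscredentials.go understates what `cloned := *c` does: it is a shallow copy, so the clone shares the issuer and the backing array of the validators slice with the original, and an in-place change to either after cloning is visible through both. Since the gRPC library itself calls Clone on transport credentials, the doc should state the sharing, `// Clone returns a shallow copy; the issuer and the validators slice are shared with the original.`, or, if isolation of the validator set is the intent, detach it with `cloned.validators = append([]atls.Validator(nil), c.validators...)` before `return &cloned`.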
diff --git a/internal/license/license.go b/internal/license/license.go
index dc3aea7f1..64bc27052 100644
--- a/internal/license/license.go
+++ b/internal/license/license.go
@@ -23,11 +23,14 @@ const (
 )
 type (
+ // Action performed by Constellation.
 Action string
 )
 const (
+ // Init action denotes the initialization of a Constellation cluster.
 Init Action = "init"
+ // test action is only to be used in testing.
 test Action = "test"
 )
@@ -97,6 +100,7 @@ func licenseURL() *url.URL {
 }
 }
+// QuotaChecker checks the vCPU quota for a given license.
 type QuotaChecker interface {
 QuotaCheck(ctx context.Context, checkRequest QuotaCheckRequest) (QuotaCheckResponse, error)
 }
diff --git a/internal/logger/cmdline.go b/internal/logger/cmdline.go
index 6217ce3e2..4957e05ca 100644
--- a/internal/logger/cmdline.go
+++ b/internal/logger/cmdline.go
@@ -11,6 +11,7 @@ import (
 "go.uber.org/zap/zapcore"
 )
+// CmdLineVerbosityDescription explains numeric log levels.
 const CmdLineVerbosityDescription = "log verbosity in zap logging levels. Use -1 for debug information, 0 for info, 1 for warn, 2 for error"
 // VerbosityFromInt converts a verbosity level from an integer to a zapcore.Level.
diff --git a/internal/oid/oid.go b/internal/oid/oid.go
index bd84f4c78..4d1b31bca 100644
--- a/internal/oid/oid.go
+++ b/internal/oid/oid.go
@@ -62,7 +62,7 @@ func (AzureSNP) OID() asn1.ObjectIdentifier {
 return asn1.ObjectIdentifier{1, 3, 9900, 4, 1}
 }
-// Azure holds the OID for Azure TrustedLaunch VMs.
+// AzureTrustedLaunch holds the OID for Azure TrustedLaunch VMs.
 type AzureTrustedLaunch struct{}
 // OID returns the struct's object identifier.
diff --git a/internal/retry/retry.go b/internal/retry/retry.go
index 8e4bd8aa6..c0d65aa01 100644
--- a/internal/retry/retry.go
+++ b/internal/retry/retry.go
@@ -59,6 +59,7 @@ func (r *IntervalRetrier) Do(ctx context.Context) error {
 }
 }
+// Doer does something and returns an error.
 type Doer interface {
 // Do performs an operation.
 //
diff --git a/internal/role/role.go b/internal/role/role.go
index a7deeaace..fdb868cce 100644
--- a/internal/role/role.go
+++ b/internal/role/role.go
@@ -17,10 +17,12 @@ import (
 type Role uint
 const (
+ // Unknown is the default value for Role and should have no meaning.
 Unknown Role = iota
+ // ControlPlane declares this node as a Kubernetes control plane node.
 ControlPlane
+ // Worker declares this node as a Kubernetes worker node.
 Worker
- Admin
 )
 // MarshalJSON marshals the Role to JSON string.
@@ -45,8 +47,6 @@ func FromString(s string) Role {
 return ControlPlane
 case "worker":
 return Worker
- case "admin":
- return Admin
 default:
 return Unknown
 }
diff --git a/internal/role/role_string.go b/internal/role/role_string.go
index dd3c90a37..17e1e006d 100644
--- a/internal/role/role_string.go
+++ b/internal/role/role_string.go
@@ -11,12 +11,11 @@ func _() {
 _ = x[Unknown-0]
 _ = x[ControlPlane-1]
 _ = x[Worker-2]
- _ = x[Admin-3]
 }
-const _Role_name = "UnknownControlPlaneWorkerAdmin"
+const _Role_name = "UnknownControlPlaneWorker"
-var _Role_index = [...]uint8{0, 7, 19, 25, 30}
+var _Role_index = [...]uint8{0, 7, 19, 25}
 func (i Role) String() string {
 if i >= Role(len(_Role_index)-1) {
diff --git a/internal/role/role_test.go b/internal/role/role_test.go
index 210c9254c..8ca802345 100644
--- a/internal/role/role_test.go
+++ b/internal/role/role_test.go
@@ -32,10 +32,6 @@ func TestMarshal(t *testing.T) {
 role: Worker,
 wantJSON: `"Worker"`,
 },
- "admin role": {
- role: Admin,
- wantJSON: `"Admin"`,
- },
 "unknown role": {
 role: Unknown,
 wantJSON: `"Unknown"`,
@@ -85,14 +81,6 @@ func TestUnmarshal(t *testing.T) {
 json: `"worker"`,
 wantRole: Worker,
 },
- "Admin can be unmarshaled": {
- json: `"Admin"`,
- wantRole: Admin,
- },
- "lowercase admin can be unmarshaled": {
- json: `"admin"`,
- wantRole: Admin,
- },
 "other strings unmarshal to the unknown role": {
 json: `"anything"`,
 wantRole: Unknown,
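Review bot: Removing the `admin` case from FromString in role.go is a behaviour change hidden in a documentation commit: the deleted role_test.go cases show that `"Admin"` and `"admin"` used to unmarshal to Admin, and they now silently become Unknown, while a stale numeric value of 3 formats as `Role(3)` after the stringer regeneration. At minimum the const block should record the removal next to the remaining members, `// Admin (formerly value 3) was removed; FromString maps "admin" to Unknown.`, and the PR description should mention it so operators reading the changelog are not surprised. Whether a role string from an older peer should be accepted as Unknown or rejected with an error is something I cannot judge from this hunk, but it is worth deciding explicitly rather than by omission.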
diff --git a/internal/versions/versions.go b/internal/versions/versions.go
index 13a979802..5a3ba4817 100644
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@@ -42,23 +42,37 @@ func IsPreviewK8sVersion(version ValidK8sVersion) bool { } const ( + // // Constellation images. // These images are built in a way that they support all versions currently listed in VersionConfigs. - KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da" // renovate:container - KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.33@sha256:2c111f004bec24888d8cfa2a812a38fb8341350abac67dcd0ac64e709dfe389c" // renovate:container - JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.2.0@sha256:8d2c4483e4bee8b2ed1eb32ad35298f51ad167e0aa074c9bc45c2a75ec0d1a22" // renovate:container - AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.0@sha256:e6aa2ef3a65e7d4be25569ad9cbf6cee1dafa2c00734fa85aeb4e56a5943f88e" // renovate:container - KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.0@sha256:df72c9a8e75a848023a4b86faf3399efb8693b980e324eaa41823bc6d0a15006" // renovate:container - VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.0@sha256:c928077e535507af7148c083bb1bde4d187eab8aee0e82be06f9b794aa2442e7" // renovate:container + // + + // KonnectivityAgentImage agent image for konnectivity service. + KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da" // renovate:container + // KonnectivityServerImage server image for konnectivity service. + KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.33@sha256:2c111f004bec24888d8cfa2a812a38fb8341350abac67dcd0ac64e709dfe389c" // renovate:container + // JoinImage image of Constellation join service. 
+ JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.2.0@sha256:8d2c4483e4bee8b2ed1eb32ad35298f51ad167e0aa074c9bc45c2a75ec0d1a22" // renovate:container + // AccessManagerImage image of Constellation access manager. + AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.0@sha256:e6aa2ef3a65e7d4be25569ad9cbf6cee1dafa2c00734fa85aeb4e56a5943f88e" // renovate:container + // KmsImage image of Constellation KMS server. + KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.0@sha256:df72c9a8e75a848023a4b86faf3399efb8693b980e324eaa41823bc6d0a15006" // renovate:container + // VerificationImage image of Constellation verification service. + VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.0@sha256:c928077e535507af7148c083bb1bde4d187eab8aee0e82be06f9b794aa2442e7" // renovate:container + // GcpGuestImage image for GCP guest agent. // Check for new versions at https://github.com/GoogleCloudPlatform/guest-agent/releases and update in /.github/workflows/build-gcp-guest-agent.yml. - GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:20220927.00@sha256:3dea1ae3f162d2353e6584b325f0e325a39cda5f380f41e5a0ee43c6641d3905" // renovate:container + GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:20220927.00@sha256:3dea1ae3f162d2353e6584b325f0e325a39cda5f380f41e5a0ee43c6641d3905" // renovate:container + // NodeOperatorCatalogImage image of node operator catalog image. NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.0@sha256:543ebc67183b580cfeda9e14ff3a0c5056813847ad3605719b54d72b22427a69" // renovate:container + // NodeMaintenanceOperatorCatalogImage image of node maintenance operator catalog. // TODO: switch node maintenance operator catalog back to upstream quay.io/medik8s/node-maintenance-operator-catalog // once https://github.com/medik8s/node-maintenance-operator/issues/49 is resolved. 
NodeMaintenanceOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-maintenance-operator-catalog:v0.13.1-alpha1@sha256:d382c3aaf9bc470cde6f6c05c2c6ff5c9dcfd90540d5b11f9cf69c4e1dd1ca9d" // renovate:container + // QEMUMetadataImage image of QEMU metadata api service. QEMUMetadataImage = "ghcr.io/edgelesssys/constellation/qemu-metadata-api:v2.2.0@sha256:3c173639bbd258f56c7f4e97fa5dc7b7c63d7d45f96f7d7af5c43ed9eb2258ac" // renovate:container - LibvirtImage = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0@sha256:81ddc30cd679a95379e94e2f154861d9112bcabfffa96330c09a4917693f7cce" // renovate:container + // LibvirtImage image that provides libvirt. + LibvirtImage = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0@sha256:81ddc30cd679a95379e94e2f154861d9112bcabfffa96330c09a4917693f7cce" // renovate:container // ConstellationQEMUImageURL is the artifact URL for QEMU qcow2 images. ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.0/constellation.raw" @@ -71,15 +85,18 @@ const ( //nolint:revive V1_25 ValidK8sVersion = "1.25" + // Default k8s version deployed by Constellation. Default ValidK8sVersion = V1_24 ) var ( - NodeOperatorVersion = versionFromDockerImage(NodeOperatorCatalogImage) + // NodeOperatorVersion version of node operator. + NodeOperatorVersion = versionFromDockerImage(NodeOperatorCatalogImage) + // NodeMaintenanceOperatorVersion version of node maintenance operator. NodeMaintenanceOperatorVersion = versionFromDockerImage(NodeMaintenanceOperatorCatalogImage) ) -// versionConfigs holds download URLs for all required kubernetes components for every supported version. +// VersionConfigs holds download URLs for all required kubernetes components for every supported version. var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{ V1_23: { PatchVersion: "v1.23.13", // renovate:kubernetes-release 
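Review bot: The new doc comments in the `@@ -42,23 +42,37 @@` hunk are noun fragments rather than sentences, e.g. `// KonnectivityAgentImage agent image for konnectivity service.` and `// NodeOperatorCatalogImage image of node operator catalog image.`; since this commit turns on the exported-comment lint, it is worth making them read as Go doc sentences, such as `// KonnectivityAgentImage is the agent image for the konnectivity service.` and `// NodeOperatorCatalogImage is the catalog image for the node operator.` The same pattern appears in the second hunk (`// NodeOperatorVersion version of node operator.`). It would also help a reader if the group comment above the images stated once that each reference is pinned by its `@sha256:` digest, which is what fixes the image content, with the tag present for readability and the `// renovate:container` marker driving updates.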
diff --git a/joinservice/internal/server/server.go b/joinservice/internal/server/server.go
index 1aedecb0b..fef3d07c2 100644
--- a/joinservice/internal/server/server.go
+++ b/joinservice/internal/server/server.go
@@ -149,6 +149,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 }, nil
 }
 
+// IssueRejoinTicket issues a ticket for nodes to rejoin cluster.
 func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejoinTicketRequest) (*joinproto.IssueRejoinTicketResponse, error) {
 log := s.log.With(zap.String("peerAddress", grpclog.PeerAddrFromContext(ctx)))
 log.Infof("IssueRejoinTicket called")
diff --git a/kms/setup/setup.go b/kms/setup/setup.go
index e2058214f..87fa54e45 100644
--- a/kms/setup/setup.go
+++ b/kms/setup/setup.go
@@ -22,6 +22,7 @@ import (
 "github.com/edgelesssys/constellation/v2/kms/kms/gcp"
 )
 
+// Well known endpoints for KMS services.
 const (
 AWSKMSURI = "kms://aws?keyPolicy=%s"
 AzureKMSURI = "kms://azure-kms?name=%s&type=%s"
@@ -34,6 +35,7 @@ const (
 NoStoreURI = "storage://no-store"
 )
 
+// KMSInformation about an existing KMS.
 type KMSInformation struct {
 KMSURI string
 StorageURI string
diff --git a/operators/constellation-node-operator/internal/azure/client/scalinggroup.go b/operators/constellation-node-operator/internal/azure/client/scalinggroup.go
index f295046b5..cfcb4257f 100644
--- a/operators/constellation-node-operator/internal/azure/client/scalinggroup.go
+++ b/operators/constellation-node-operator/internal/azure/client/scalinggroup.go
@@ -73,7 +73,7 @@ func (c *Client) GetScalingGroupName(scalingGroupID string) (string, error) {
 return scaleSet, nil
 }
 
-// GetScalingGroupName retrieves the name of a scaling group as needed by the cluster-autoscaler.
+// GetAutoscalingGroupName retrieves the name of a scaling group as needed by the cluster-autoscaler.
 func (c *Client) GetAutoscalingGroupName(scalingGroupID string) (string, error) {
 return c.GetScalingGroupName(scalingGroupID)
 }
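Review bot: `// Well known endpoints for KMS services.` in the `@@ -22,6 +22,7 @@` hunk of kms/setup/setup.go mislabels the block: its entries are URI templates with `%s` placeholders (`kms://aws?keyPolicy=%s`), not endpoints, and the second hunk shows what appears to be the same block also holding storage URIs (`NoStoreURI = "storage://no-store"`). Suggest `// URI templates that select a KMS or storage backend; %s placeholders are filled in by the caller.` For the struct, `// KMSInformation about an existing KMS.` says little beyond the name; `// KMSInformation holds the KMS and storage URIs a deployment should use.` describes the two fields that are visible.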
diff --git a/operators/constellation-node-operator/internal/constants/constants.go b/operators/constellation-node-operator/internal/constants/constants.go
index 80d4dd3c4..833f83233 100644
--- a/operators/constellation-node-operator/internal/constants/constants.go
+++ b/operators/constellation-node-operator/internal/constants/constants.go
@@ -7,8 +7,12 @@ SPDX-License-Identifier: AGPL-3.0-only
 package constants
 
 const (
- AutoscalingStrategyResourceName = "autoscalingstrategy"
- NodeImageResourceName = "constellation-os"
+ // AutoscalingStrategyResourceName resource name used for AutoscalingStrategy.
+ AutoscalingStrategyResourceName = "autoscalingstrategy"
+ // NodeImageResourceName resource name used for NodeImage.
+ NodeImageResourceName = "constellation-os"
+ // ControlPlaneScalingGroupResourceName resource name used for ControlPlaneScalingGroup.
 ControlPlaneScalingGroupResourceName = "scalinggroup-controlplane"
- WorkerScalingGroupResourceName = "scalinggroup-worker"
+ // WorkerScalingGroupResourceName resource name used for WorkerScaling.
+ WorkerScalingGroupResourceName = "scalinggroup-worker"
 )
diff --git a/operators/constellation-node-operator/internal/gcp/client/api.go b/operators/constellation-node-operator/internal/gcp/client/api.go
index e778dfa0b..40c12a368 100644
--- a/operators/constellation-node-operator/internal/gcp/client/api.go
+++ b/operators/constellation-node-operator/internal/gcp/client/api.go
@@ -56,12 +56,14 @@ type diskAPI interface {
 opts ...gax.CallOption) (*computepb.Disk, error)
 }
 
+// Operation describes a generic protobuf operation that can be waited for.
 type Operation interface {
 Proto() *computepb.Operation
 Done() bool
 Wait(ctx context.Context, opts ...gax.CallOption) error
 }
 
+// InstanceGroupManagerScopedListIterator can list the Next InstanceGroupManagersScopedListPair.
 type InstanceGroupManagerScopedListIterator interface {
 Next() (compute.InstanceGroupManagersScopedListPair, error)
 }
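Review bot: `// WorkerScalingGroupResourceName resource name used for WorkerScaling.` in the constants.go hunk names a different thing than the sibling comment two lines above it, which says `ControlPlaneScalingGroup`; for consistency it should read `// WorkerScalingGroupResourceName resource name used for WorkerScalingGroup.` All four comments would also read better as sentences (`// NodeImageResourceName is the resource name used for the NodeImage.`), which is the form the lint this commit enables expects.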
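Review bot: `// InstanceGroupManagerScopedListIterator can list the Next InstanceGroupManagersScopedListPair.` in the api.go hunk is hard to parse because the method name is used as a verb. Suggest `// InstanceGroupManagerScopedListIterator yields InstanceGroupManagersScopedListPair values one at a time via Next.` Whether Next signals exhaustion with a sentinel error is not visible here, so the comment should not claim it unless confirmed.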
diff --git a/operators/constellation-node-operator/internal/gcp/client/scalinggroup.go b/operators/constellation-node-operator/internal/gcp/client/scalinggroup.go
index 7de817140..ff625ed32 100644
--- a/operators/constellation-node-operator/internal/gcp/client/scalinggroup.go
+++ b/operators/constellation-node-operator/internal/gcp/client/scalinggroup.go
@@ -96,7 +96,7 @@ func (c *Client) GetScalingGroupName(scalingGroupID string) (string, error) {
 return instanceGroupName, nil
 }
 
-// GetScalingGroupName retrieves the name of a scaling group as needed by the cluster-autoscaler.
+// GetAutoscalingGroupName retrieves the name of a scaling group as needed by the cluster-autoscaler.
 func (c *Client) GetAutoscalingGroupName(scalingGroupID string) (string, error) {
 project, zone, instanceGroupName, err := splitInstanceGroupID(scalingGroupID)
 if err != nil {
diff --git a/verify/server/server.go b/verify/server/server.go
index b18cfbc1b..0842be892 100644
--- a/verify/server/server.go
+++ b/verify/server/server.go
@@ -166,6 +166,7 @@ func (s *Server) getAttestationHTTP(w http.ResponseWriter, r *http.Request) {
 }
 }
 
+// AttestationIssuer issues an attestation document for the provided userData and nonce.
 type AttestationIssuer interface {
 Issue(userData []byte, nonce []byte) (quote []byte, err error)
 }
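Review bot: The new comment on `AttestationIssuer` in the verify/server/server.go hunk calls the result an "attestation document" while the method's named result is `quote`; one term for one thing avoids confusion for implementers. What a reader actually needs from this interface is the contract on its inputs: presumably `nonce` is caller-supplied freshness material and `userData` must be bound into the quote so the verifying side can tie it to this request — if so, state it, e.g. `// AttestationIssuer issues an attestation quote over userData and the caller-supplied nonce; implementations must bind both into the quote so a verifier can check freshness and the data it belongs to.` `getAttestationHTTP`, which appears to be its consumer, starts outside the hunk.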