Manual client secrets on azure
This commit is contained in:
parent
1861dc2744
commit
10e5249631
@ -113,8 +113,8 @@ func (c *fakeAzureClient) CreateInstances(ctx context.Context, input azurecl.Cre
|
|||||||
func (c *fakeAzureClient) CreateServicePrincipal(ctx context.Context) (string, error) {
|
func (c *fakeAzureClient) CreateServicePrincipal(ctx context.Context) (string, error) {
|
||||||
c.adAppObjectID = "00000000-0000-0000-0000-000000000001"
|
c.adAppObjectID = "00000000-0000-0000-0000-000000000001"
|
||||||
return azureshared.ApplicationCredentials{
|
return azureshared.ApplicationCredentials{
|
||||||
ClientID: "client-id",
|
AppClientID: "client-id",
|
||||||
ClientSecret: "client-secret",
|
ClientSecretValue: "client-secret",
|
||||||
}.ToCloudServiceAccountURI(), nil
|
}.ToCloudServiceAccountURI(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -174,8 +174,8 @@ func (c *stubAzureClient) CreateInstances(ctx context.Context, input azurecl.Cre
|
|||||||
|
|
||||||
func (c *stubAzureClient) CreateServicePrincipal(ctx context.Context) (string, error) {
|
func (c *stubAzureClient) CreateServicePrincipal(ctx context.Context) (string, error) {
|
||||||
return azureshared.ApplicationCredentials{
|
return azureshared.ApplicationCredentials{
|
||||||
ClientID: "00000000-0000-0000-0000-000000000000",
|
AppClientID: "00000000-0000-0000-0000-000000000000",
|
||||||
ClientSecret: "secret",
|
ClientSecretValue: "secret",
|
||||||
}.ToCloudServiceAccountURI(), c.createServicePrincipalErr
|
}.ToCloudServiceAccountURI(), c.createServicePrincipalErr
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -17,6 +17,7 @@ import (
|
|||||||
"github.com/edgelesssys/constellation/cli/internal/cloudcmd"
|
"github.com/edgelesssys/constellation/cli/internal/cloudcmd"
|
||||||
"github.com/edgelesssys/constellation/cli/internal/gcp"
|
"github.com/edgelesssys/constellation/cli/internal/gcp"
|
||||||
"github.com/edgelesssys/constellation/cli/internal/helm"
|
"github.com/edgelesssys/constellation/cli/internal/helm"
|
||||||
|
"github.com/edgelesssys/constellation/internal/azureshared"
|
||||||
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||||
"github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
|
"github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
|
||||||
"github.com/edgelesssys/constellation/internal/config"
|
"github.com/edgelesssys/constellation/internal/config"
|
||||||
@ -349,7 +350,13 @@ func getMarschaledServiceAccountURI(provider cloudprovider.Provider, config *con
|
|||||||
return key.ToCloudServiceAccountURI(), nil
|
return key.ToCloudServiceAccountURI(), nil
|
||||||
|
|
||||||
case cloudprovider.Azure:
|
case cloudprovider.Azure:
|
||||||
return "", fmt.Errorf("TODO")
|
creds := azureshared.ApplicationCredentials{
|
||||||
|
TenantID: config.Provider.Azure.TenantID,
|
||||||
|
AppClientID: config.Provider.Azure.AppClientID,
|
||||||
|
ClientSecretValue: config.Provider.Azure.ClientSecretValue,
|
||||||
|
Location: config.Provider.Azure.Location,
|
||||||
|
}
|
||||||
|
return creds.ToCloudServiceAccountURI(), nil
|
||||||
|
|
||||||
case cloudprovider.QEMU:
|
case cloudprovider.QEMU:
|
||||||
return "", nil // QEMU does not use service account keys
|
return "", nil // QEMU does not use service account keys
|
||||||
|
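Review bot: The `creds` value built in the `cloudprovider.Azure` case carries `config.Provider.Azure.ClientSecretValue`, and `ToCloudServiceAccountURI` (changed elsewhere in this commit) writes that field into the `client_secret` query parameter, so the string returned here is itself a credential and nothing in the hunk signals that to callers. A comment above the return, `// The returned URI embeds the client secret; never log it.`, would make the contract explicit. The removed `fmt.Errorf("TODO")` may have been the only use of `fmt` in this function's file; if so the import now needs dropping, which cannot be confirmed from this hunk. The enclosing `getMarschaledServiceAccountURI` starts and ends outside the hunk.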
@ -89,10 +89,6 @@ func TestInitialize(t *testing.T) {
|
|||||||
"initialize some azure instances": {
|
"initialize some azure instances": {
|
||||||
state: testAzureState,
|
state: testAzureState,
|
||||||
idFile: &clusterIDsFile{IP: "192.0.2.1"},
|
idFile: &clusterIDsFile{IP: "192.0.2.1"},
|
||||||
configMutator: func(c *config.Config) {
|
|
||||||
c.Provider.Azure.ResourceGroup = "resourceGroup"
|
|
||||||
c.Provider.Azure.UserAssignedIdentity = "userAssignedIdentity"
|
|
||||||
},
|
|
||||||
initServerAPI: &stubInitServer{initResp: testInitResp},
|
initServerAPI: &stubInitServer{initResp: testInitResp},
|
||||||
},
|
},
|
||||||
"initialize some qemu instances": {
|
"initialize some qemu instances": {
|
||||||
@ -111,10 +107,6 @@ func TestInitialize(t *testing.T) {
|
|||||||
"initialize azure with autoscaling": {
|
"initialize azure with autoscaling": {
|
||||||
state: testAzureState,
|
state: testAzureState,
|
||||||
idFile: &clusterIDsFile{IP: "192.0.2.1"},
|
idFile: &clusterIDsFile{IP: "192.0.2.1"},
|
||||||
configMutator: func(c *config.Config) {
|
|
||||||
c.Provider.Azure.ResourceGroup = "resourceGroup"
|
|
||||||
c.Provider.Azure.UserAssignedIdentity = "userAssignedIdentity"
|
|
||||||
},
|
|
||||||
initServerAPI: &stubInitServer{initResp: testInitResp},
|
initServerAPI: &stubInitServer{initResp: testInitResp},
|
||||||
setAutoscaleFlag: true,
|
setAutoscaleFlag: true,
|
||||||
},
|
},
|
||||||
@ -557,6 +549,8 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
|
|||||||
conf.Provider.Azure.UserAssignedIdentity = "test-identity"
|
conf.Provider.Azure.UserAssignedIdentity = "test-identity"
|
||||||
conf.Provider.Azure.Image = "some/image/location"
|
conf.Provider.Azure.Image = "some/image/location"
|
||||||
conf.Provider.Azure.ResourceGroup = "test-resource-group"
|
conf.Provider.Azure.ResourceGroup = "test-resource-group"
|
||||||
|
conf.Provider.Azure.AppClientID = "test-client-secret-id"
|
||||||
|
conf.Provider.Azure.ClientSecretValue = "test-client-secret"
|
||||||
conf.Provider.Azure.Measurements[8] = []byte("00000000000000000000000000000000")
|
conf.Provider.Azure.Measurements[8] = []byte("00000000000000000000000000000000")
|
||||||
conf.Provider.Azure.Measurements[9] = []byte("11111111111111111111111111111111")
|
conf.Provider.Azure.Measurements[9] = []byte("11111111111111111111111111111111")
|
||||||
case cloudprovider.GCP:
|
case cloudprovider.GCP:
|
||||||
|
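Review bot: The fixture value `"test-client-secret-id"` assigned to `AppClientID` reads as the identifier of a secret, while the field holds the application (client) ID; `conf.Provider.Azure.AppClientID = "test-client-id"` would name it for what it is and keep the two new lines from being confused with each other. The enclosing `defaultConfigWithExpectedMeasurements` starts and ends outside the hunk.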
@ -60,7 +60,6 @@ func TestVerify(t *testing.T) {
|
|||||||
someErr := errors.New("failed")
|
someErr := errors.New("failed")
|
||||||
|
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
setupFs func(*require.Assertions) afero.Fs
|
|
||||||
provider cloudprovider.Provider
|
provider cloudprovider.Provider
|
||||||
protoClient *stubVerifyClient
|
protoClient *stubVerifyClient
|
||||||
nodeEndpointFlag string
|
nodeEndpointFlag string
|
||||||
@ -72,7 +71,6 @@ func TestVerify(t *testing.T) {
|
|||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
"gcp": {
|
"gcp": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
nodeEndpointFlag: "192.0.2.1:1234",
|
nodeEndpointFlag: "192.0.2.1:1234",
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
@ -80,7 +78,6 @@ func TestVerify(t *testing.T) {
|
|||||||
wantEndpoint: "192.0.2.1:1234",
|
wantEndpoint: "192.0.2.1:1234",
|
||||||
},
|
},
|
||||||
"azure": {
|
"azure": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.Azure,
|
provider: cloudprovider.Azure,
|
||||||
nodeEndpointFlag: "192.0.2.1:1234",
|
nodeEndpointFlag: "192.0.2.1:1234",
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
@ -88,7 +85,6 @@ func TestVerify(t *testing.T) {
|
|||||||
wantEndpoint: "192.0.2.1:1234",
|
wantEndpoint: "192.0.2.1:1234",
|
||||||
},
|
},
|
||||||
"default port": {
|
"default port": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
nodeEndpointFlag: "192.0.2.1",
|
nodeEndpointFlag: "192.0.2.1",
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
@ -96,14 +92,12 @@ func TestVerify(t *testing.T) {
|
|||||||
wantEndpoint: "192.0.2.1:" + strconv.Itoa(constants.VerifyServiceNodePortGRPC),
|
wantEndpoint: "192.0.2.1:" + strconv.Itoa(constants.VerifyServiceNodePortGRPC),
|
||||||
},
|
},
|
||||||
"endpoint not set": {
|
"endpoint not set": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
protoClient: &stubVerifyClient{},
|
protoClient: &stubVerifyClient{},
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"endpoint from id file": {
|
"endpoint from id file": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
protoClient: &stubVerifyClient{},
|
protoClient: &stubVerifyClient{},
|
||||||
@ -111,7 +105,6 @@ func TestVerify(t *testing.T) {
|
|||||||
wantEndpoint: "192.0.2.1:" + strconv.Itoa(constants.VerifyServiceNodePortGRPC),
|
wantEndpoint: "192.0.2.1:" + strconv.Itoa(constants.VerifyServiceNodePortGRPC),
|
||||||
},
|
},
|
||||||
"override endpoint from details file": {
|
"override endpoint from details file": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
nodeEndpointFlag: "192.0.2.2:1234",
|
nodeEndpointFlag: "192.0.2.2:1234",
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
@ -120,7 +113,6 @@ func TestVerify(t *testing.T) {
|
|||||||
wantEndpoint: "192.0.2.2:1234",
|
wantEndpoint: "192.0.2.2:1234",
|
||||||
},
|
},
|
||||||
"invalid endpoint": {
|
"invalid endpoint": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
nodeEndpointFlag: ":::::",
|
nodeEndpointFlag: ":::::",
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
@ -128,13 +120,11 @@ func TestVerify(t *testing.T) {
|
|||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"neither owner id nor cluster id set": {
|
"neither owner id nor cluster id set": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
nodeEndpointFlag: "192.0.2.1:1234",
|
nodeEndpointFlag: "192.0.2.1:1234",
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"use owner id from id file": {
|
"use owner id from id file": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
nodeEndpointFlag: "192.0.2.1:1234",
|
nodeEndpointFlag: "192.0.2.1:1234",
|
||||||
protoClient: &stubVerifyClient{},
|
protoClient: &stubVerifyClient{},
|
||||||
@ -142,7 +132,6 @@ func TestVerify(t *testing.T) {
|
|||||||
wantEndpoint: "192.0.2.1:1234",
|
wantEndpoint: "192.0.2.1:1234",
|
||||||
},
|
},
|
||||||
"config file not existing": {
|
"config file not existing": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
nodeEndpointFlag: "192.0.2.1:1234",
|
nodeEndpointFlag: "192.0.2.1:1234",
|
||||||
@ -150,7 +139,6 @@ func TestVerify(t *testing.T) {
|
|||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"error protoClient GetState": {
|
"error protoClient GetState": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.Azure,
|
provider: cloudprovider.Azure,
|
||||||
nodeEndpointFlag: "192.0.2.1:1234",
|
nodeEndpointFlag: "192.0.2.1:1234",
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
@ -158,7 +146,6 @@ func TestVerify(t *testing.T) {
|
|||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"error protoClient GetState not rpc": {
|
"error protoClient GetState not rpc": {
|
||||||
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
|
|
||||||
provider: cloudprovider.Azure,
|
provider: cloudprovider.Azure,
|
||||||
nodeEndpointFlag: "192.0.2.1:1234",
|
nodeEndpointFlag: "192.0.2.1:1234",
|
||||||
ownerIDFlag: zeroBase64,
|
ownerIDFlag: zeroBase64,
|
||||||
@ -189,7 +176,7 @@ func TestVerify(t *testing.T) {
|
|||||||
if tc.nodeEndpointFlag != "" {
|
if tc.nodeEndpointFlag != "" {
|
||||||
require.NoError(cmd.Flags().Set("node-endpoint", tc.nodeEndpointFlag))
|
require.NoError(cmd.Flags().Set("node-endpoint", tc.nodeEndpointFlag))
|
||||||
}
|
}
|
||||||
fileHandler := file.NewHandler(tc.setupFs(require))
|
fileHandler := file.NewHandler(afero.NewMemMapFs())
|
||||||
|
|
||||||
config := defaultConfigWithExpectedMeasurements(t, config.Default(), tc.provider)
|
config := defaultConfigWithExpectedMeasurements(t, config.Default(), tc.provider)
|
||||||
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
|
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
|
||||||
|
@ -9,8 +9,8 @@ import (
|
|||||||
// It is the equivalent of a service account key in other cloud providers.
|
// It is the equivalent of a service account key in other cloud providers.
|
||||||
type ApplicationCredentials struct {
|
type ApplicationCredentials struct {
|
||||||
TenantID string
|
TenantID string
|
||||||
ClientID string
|
AppClientID string
|
||||||
ClientSecret string
|
ClientSecretValue string
|
||||||
Location string
|
Location string
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -29,8 +29,8 @@ func ApplicationCredentialsFromURI(cloudServiceAccountURI string) (ApplicationCr
|
|||||||
query := uri.Query()
|
query := uri.Query()
|
||||||
return ApplicationCredentials{
|
return ApplicationCredentials{
|
||||||
TenantID: query.Get("tenant_id"),
|
TenantID: query.Get("tenant_id"),
|
||||||
ClientID: query.Get("client_id"),
|
AppClientID: query.Get("client_id"),
|
||||||
ClientSecret: query.Get("client_secret"),
|
ClientSecretValue: query.Get("client_secret"),
|
||||||
Location: query.Get("location"),
|
Location: query.Get("location"),
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
@ -39,8 +39,8 @@ func ApplicationCredentialsFromURI(cloudServiceAccountURI string) (ApplicationCr
|
|||||||
func (c ApplicationCredentials) ToCloudServiceAccountURI() string {
|
func (c ApplicationCredentials) ToCloudServiceAccountURI() string {
|
||||||
query := url.Values{}
|
query := url.Values{}
|
||||||
query.Add("tenant_id", c.TenantID)
|
query.Add("tenant_id", c.TenantID)
|
||||||
query.Add("client_id", c.ClientID)
|
query.Add("client_id", c.AppClientID)
|
||||||
query.Add("client_secret", c.ClientSecret)
|
query.Add("client_secret", c.ClientSecretValue)
|
||||||
query.Add("location", c.Location)
|
query.Add("location", c.Location)
|
||||||
uri := url.URL{
|
uri := url.URL{
|
||||||
Scheme: "serviceaccount",
|
Scheme: "serviceaccount",
|
||||||
|
@ -16,8 +16,8 @@ func TestMain(m *testing.M) {
|
|||||||
func TestApplicationCredentialsFromURI(t *testing.T) {
|
func TestApplicationCredentialsFromURI(t *testing.T) {
|
||||||
creds := ApplicationCredentials{
|
creds := ApplicationCredentials{
|
||||||
TenantID: "tenant-id",
|
TenantID: "tenant-id",
|
||||||
ClientID: "client-id",
|
AppClientID: "client-id",
|
||||||
ClientSecret: "client-secret",
|
ClientSecretValue: "client-secret",
|
||||||
Location: "location",
|
Location: "location",
|
||||||
}
|
}
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
@ -64,8 +64,8 @@ func TestToCloudServiceAccountURI(t *testing.T) {
|
|||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
key := ApplicationCredentials{
|
key := ApplicationCredentials{
|
||||||
TenantID: "tenant-id",
|
TenantID: "tenant-id",
|
||||||
ClientID: "client-id",
|
AppClientID: "client-id",
|
||||||
ClientSecret: "client-secret",
|
ClientSecretValue: "client-secret",
|
||||||
Location: "location",
|
Location: "location",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -36,8 +36,8 @@ func (a *Autoscaler) Secrets(providerID string, cloudServiceAccountURI string) (
|
|||||||
Namespace: "kube-system",
|
Namespace: "kube-system",
|
||||||
},
|
},
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
"ClientID": []byte(creds.ClientID),
|
"ClientID": []byte(creds.AppClientID),
|
||||||
"ClientSecret": []byte(creds.ClientSecret),
|
"ClientSecret": []byte(creds.ClientSecretValue),
|
||||||
"ResourceGroup": []byte(resourceGroup),
|
"ResourceGroup": []byte(resourceGroup),
|
||||||
"SubscriptionID": []byte(subscriptionID),
|
"SubscriptionID": []byte(subscriptionID),
|
||||||
"TenantID": []byte(creds.TenantID),
|
"TenantID": []byte(creds.TenantID),
|
||||||
|
@ -100,8 +100,8 @@ func (c *CloudControllerManager) Secrets(ctx context.Context, providerID string,
|
|||||||
UseInstanceMetadata: true,
|
UseInstanceMetadata: true,
|
||||||
VMType: vmType,
|
VMType: vmType,
|
||||||
Location: creds.Location,
|
Location: creds.Location,
|
||||||
AADClientID: creds.ClientID,
|
AADClientID: creds.AppClientID,
|
||||||
AADClientSecret: creds.ClientSecret,
|
AADClientSecret: creds.ClientSecretValue,
|
||||||
}
|
}
|
||||||
|
|
||||||
rawConfig, err := json.Marshal(config)
|
rawConfig, err := json.Marshal(config)
|
||||||
|
@ -149,18 +149,24 @@ type AzureConfig struct {
|
|||||||
// Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison
|
// Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison
|
||||||
StateDiskType string `yaml:"stateDiskType" validate:"oneof=Premium_LRS Premium_ZRS Standard_LRS StandardSSD_LRS StandardSSD_ZRS"`
|
StateDiskType string `yaml:"stateDiskType" validate:"oneof=Premium_LRS Premium_ZRS Standard_LRS StandardSSD_LRS StandardSSD_ZRS"`
|
||||||
// description: |
|
// description: |
|
||||||
// Expected confidential VM measurements.
|
|
||||||
Measurements Measurements `yaml:"measurements"`
|
|
||||||
// description: |
|
|
||||||
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
|
||||||
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
|
||||||
// description: |
|
|
||||||
// Authorize spawned VMs to access Azure API. See: https://docs.edgeless.systems/constellation/latest/#/getting-started/install?id=azure
|
// Authorize spawned VMs to access Azure API. See: https://docs.edgeless.systems/constellation/latest/#/getting-started/install?id=azure
|
||||||
UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
|
UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
|
||||||
// description: |
|
// description: |
|
||||||
// Resource group to use.
|
// Resource group to use.
|
||||||
ResourceGroup string `yaml:"resourceGroup" validate:"required"`
|
ResourceGroup string `yaml:"resourceGroup" validate:"required"`
|
||||||
// description: |
|
// description: |
|
||||||
|
// Application client ID of the Active Directory app registration.
|
||||||
|
AppClientID string `yaml:"appClientID" validate:"required"`
|
||||||
|
// description: |
|
||||||
|
// Client secret value of the Active Directory app registration credentials.
|
||||||
|
ClientSecretValue string `yaml:"clientSecretValue" validate:"required"`
|
||||||
|
// description: |
|
||||||
|
// Expected confidential VM measurements.
|
||||||
|
Measurements Measurements `yaml:"measurements"`
|
||||||
|
// description: |
|
||||||
|
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
||||||
|
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||||
|
// description: |
|
||||||
// Use VMs with security type Confidential VM. If set to false, Trusted Launch VMs will be used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview
|
// Use VMs with security type Confidential VM. If set to false, Trusted Launch VMs will be used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview
|
||||||
ConfidentialVM *bool `yaml:"confidentialVM" validate:"required"`
|
ConfidentialVM *bool `yaml:"confidentialVM" validate:"required"`
|
||||||
}
|
}
|
||||||
|
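Review bot: `ClientSecretValue` places a long-lived Active Directory client secret into the YAML config, which is written to disk in plain text elsewhere in this commit (`fileHandler.WriteYAML(constants.ConfigFilename, config)`), yet the field's description says nothing about that. The description comment should tell operators, e.g. `// Client secret value of the Active Directory app registration credentials. This is a secret and is stored in the config file in plain text.` (the generated `AzureConfigDoc` entries in this commit copy the comment verbatim, so they would need regenerating). `validate:"required"` on `AppClientID` only rejects an empty value; if the validator is go-playground/validator, as the existing `oneof=` tag suggests, `validate:"required,uuid"` would also catch a mis-pasted ID, though the test fixtures would then need a well-formed value. `AzureConfig` starts outside the hunk.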
@ -199,7 +199,7 @@ func init() {
|
|||||||
FieldName: "azure",
|
FieldName: "azure",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
AzureConfigDoc.Fields = make([]encoder.Doc, 10)
|
AzureConfigDoc.Fields = make([]encoder.Doc, 12)
|
||||||
AzureConfigDoc.Fields[0].Name = "subscription"
|
AzureConfigDoc.Fields[0].Name = "subscription"
|
||||||
AzureConfigDoc.Fields[0].Type = "string"
|
AzureConfigDoc.Fields[0].Type = "string"
|
||||||
AzureConfigDoc.Fields[0].Note = ""
|
AzureConfigDoc.Fields[0].Note = ""
|
||||||
@ -225,31 +225,41 @@ func init() {
|
|||||||
AzureConfigDoc.Fields[4].Note = ""
|
AzureConfigDoc.Fields[4].Note = ""
|
||||||
AzureConfigDoc.Fields[4].Description = "Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison"
|
AzureConfigDoc.Fields[4].Description = "Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison"
|
||||||
AzureConfigDoc.Fields[4].Comments[encoder.LineComment] = "Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison"
|
AzureConfigDoc.Fields[4].Comments[encoder.LineComment] = "Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison"
|
||||||
AzureConfigDoc.Fields[5].Name = "measurements"
|
AzureConfigDoc.Fields[5].Name = "userAssignedIdentity"
|
||||||
AzureConfigDoc.Fields[5].Type = "Measurements"
|
AzureConfigDoc.Fields[5].Type = "string"
|
||||||
AzureConfigDoc.Fields[5].Note = ""
|
AzureConfigDoc.Fields[5].Note = ""
|
||||||
AzureConfigDoc.Fields[5].Description = "Expected confidential VM measurements."
|
AzureConfigDoc.Fields[5].Description = "Authorize spawned VMs to access Azure API. See: https://docs.edgeless.systems/constellation/latest/#/getting-started/install?id=azure"
|
||||||
AzureConfigDoc.Fields[5].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
AzureConfigDoc.Fields[5].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://docs.edgeless.systems/constellation/latest/#/getting-started/install?id=azure"
|
||||||
AzureConfigDoc.Fields[6].Name = "enforcedMeasurements"
|
AzureConfigDoc.Fields[6].Name = "resourceGroup"
|
||||||
AzureConfigDoc.Fields[6].Type = "[]uint32"
|
AzureConfigDoc.Fields[6].Type = "string"
|
||||||
AzureConfigDoc.Fields[6].Note = ""
|
AzureConfigDoc.Fields[6].Note = ""
|
||||||
AzureConfigDoc.Fields[6].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
AzureConfigDoc.Fields[6].Description = "Resource group to use."
|
||||||
AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "Resource group to use."
|
||||||
AzureConfigDoc.Fields[7].Name = "userAssignedIdentity"
|
AzureConfigDoc.Fields[7].Name = "appClientID"
|
||||||
AzureConfigDoc.Fields[7].Type = "string"
|
AzureConfigDoc.Fields[7].Type = "string"
|
||||||
AzureConfigDoc.Fields[7].Note = ""
|
AzureConfigDoc.Fields[7].Note = ""
|
||||||
AzureConfigDoc.Fields[7].Description = "Authorize spawned VMs to access Azure API. See: https://docs.edgeless.systems/constellation/latest/#/getting-started/install?id=azure"
|
AzureConfigDoc.Fields[7].Description = "Application client ID of the Active Directory app registration."
|
||||||
AzureConfigDoc.Fields[7].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://docs.edgeless.systems/constellation/latest/#/getting-started/install?id=azure"
|
AzureConfigDoc.Fields[7].Comments[encoder.LineComment] = "Application client ID of the Active Directory app registration."
|
||||||
AzureConfigDoc.Fields[8].Name = "resourceGroup"
|
AzureConfigDoc.Fields[8].Name = "clientSecretValue"
|
||||||
AzureConfigDoc.Fields[8].Type = "string"
|
AzureConfigDoc.Fields[8].Type = "string"
|
||||||
AzureConfigDoc.Fields[8].Note = ""
|
AzureConfigDoc.Fields[8].Note = ""
|
||||||
AzureConfigDoc.Fields[8].Description = "Resource group to use."
|
AzureConfigDoc.Fields[8].Description = "Client secret value of the Active Directory app registration credentials."
|
||||||
AzureConfigDoc.Fields[8].Comments[encoder.LineComment] = "Resource group to use."
|
AzureConfigDoc.Fields[8].Comments[encoder.LineComment] = "Client secret value of the Active Directory app registration credentials."
|
||||||
AzureConfigDoc.Fields[8].Name = "confidentialVM"
|
AzureConfigDoc.Fields[9].Name = "measurements"
|
||||||
AzureConfigDoc.Fields[8].Type = "bool"
|
AzureConfigDoc.Fields[9].Type = "Measurements"
|
||||||
AzureConfigDoc.Fields[8].Note = ""
|
AzureConfigDoc.Fields[9].Note = ""
|
||||||
AzureConfigDoc.Fields[8].Description = "Use VMs with security type Confidential VM. If set to false, Trusted Launch VMs will be used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview"
|
AzureConfigDoc.Fields[9].Description = "Expected confidential VM measurements."
|
||||||
AzureConfigDoc.Fields[8].Comments[encoder.LineComment] = "Use VMs with security type Confidential VM. If set to false, Trusted Launch VMs will be used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview"
|
AzureConfigDoc.Fields[9].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
||||||
|
AzureConfigDoc.Fields[10].Name = "enforcedMeasurements"
|
||||||
|
AzureConfigDoc.Fields[10].Type = "[]uint32"
|
||||||
|
AzureConfigDoc.Fields[10].Note = ""
|
||||||
|
AzureConfigDoc.Fields[10].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||||
|
AzureConfigDoc.Fields[10].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||||
|
AzureConfigDoc.Fields[11].Name = "confidentialVM"
|
||||||
|
AzureConfigDoc.Fields[11].Type = "bool"
|
||||||
|
AzureConfigDoc.Fields[11].Note = ""
|
||||||
|
AzureConfigDoc.Fields[11].Description = "Use VMs with security type Confidential VM. If set to false, Trusted Launch VMs will be used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview"
|
||||||
|
AzureConfigDoc.Fields[11].Comments[encoder.LineComment] = "Use VMs with security type Confidential VM. If set to false, Trusted Launch VMs will be used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview"
|
||||||
|
|
||||||
GCPConfigDoc.Type = "GCPConfig"
|
GCPConfigDoc.Type = "GCPConfig"
|
||||||
GCPConfigDoc.Comments[encoder.LineComment] = "GCPConfig are GCP specific configuration values used by the CLI."
|
GCPConfigDoc.Comments[encoder.LineComment] = "GCPConfig are GCP specific configuration values used by the CLI."
|
||||||
|
@ -13,7 +13,7 @@ import (
|
|||||||
"go.uber.org/goleak"
|
"go.uber.org/goleak"
|
||||||
)
|
)
|
||||||
|
|
||||||
const defaultMsgCount = 9 // expect this number of error messages by default because user-specific values are not set
|
const defaultMsgCount = 12 // expect this number of error messages by default because user-specific values are not set
|
||||||
|
|
||||||
func TestMain(m *testing.M) {
|
func TestMain(m *testing.M) {
|
||||||
goleak.VerifyTestMain(m)
|
goleak.VerifyTestMain(m)
|
||||||
|
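Review bot: `defaultMsgCount` grows from 9 to 12, but the Azure config struct in this commit gains only two new `validate:"required"` fields (`AppClientID`, `ClientSecretValue`); the third new expected message is not traceable from this page and is presumably a required field added outside it, which is worth confirming so the count does not quietly absorb a validation that was not intended. A note next to the constant naming which fields contribute, e.g. `// bump this when adding a validate:"required" field without a default`, would keep future changes to the number honest.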