diff --git a/CODEOWNERS b/CODEOWNERS
index a38778d43..66aec4566 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,41 +1,67 @@
+.golangci.yml @katexochen
 /3rdparty/gcp-guest-agent @malt3
 /bazel @malt3
 /bazel/ci @katexochen
-/bazel/sh @katexochen
 /bazel/container @katexochen
+/bazel/sh @katexochen
 /bootstrapper @3u13r
+/cli/internal/cloudcmd @daniel-weisse
+/cli/internal/clusterid @malt3
+/cli/internal/cmd/upgrade* @derpsteb
+/cli/internal/featureset @malt3
 /cli/internal/helm @derpsteb
+/cli/internal/kubernetes @daniel-weisse
 /cli/internal/libvirt @daniel-weisse
-/cli/internal/terraform @daniel-weisse
-/cli/internal/terraform/terraform @katexochen
+/cli/internal/terraform @elchead
+/cli/internal/upgrade @elchead
 /csi @daniel-weisse
 /debugd @malt3
 /disk-mapper @daniel-weisse
 /docs @thomasten
-/hack/azure-jump-host @malt3
+/e2e @3u13r
 /hack/azure-snp-report-verify @derpsteb
-/hack/configapi @elchead
 /hack/bazel-deps-mirror @malt3
-/hack/check-licenses.sh @thomasten
+/hack/cli-k8s-compatibility @derpsteb
 /hack/clidocgen @thomasten
+/hack/configapi @elchead
 /hack/fetch-broken-e2e @katexochen
+/hack/oci-pin @malt3
 /hack/pseudo-version @malt3
 /hack/qemu-metadata-api @daniel-weisse
 /hack/remove-tf-providers @katexochen
 /hack/terraform @3u13r
+/hack/tools @katexochen
 /image @malt3
+/internal/api @derpsteb
 /internal/atls @thomasten
 /internal/attestation @daniel-weisse
+/internal/cloud @3u13r
+/internal/compatibility @derpsteb
 /internal/config @derpsteb
+/internal/containerimage @malt3
 /internal/crypto @thomasten
+/internal/cryptsetup @daniel-weisse
+/internal/file @daniel-weisse
+/internal/grpc @thomasten
+/internal/imagefetcher @malt3
+/internal/installer @3u13r
+/internal/kms @daniel-weisse
+/internal/kubernetes @malt3
 /internal/license @thomasten
 /internal/logger @daniel-weisse
-/internal/oid @thomasten
-/internal/sigstore @malt3
-/internal/api/versionsapi @katexochen
+/internal/nodestate @daniel-weisse
+/internal/osimage @malt3
+/internal/retry @katexochen
+/internal/semver @derpsteb
+/internal/sigstore @elchead
+/internal/staticupload @malt3
+/internal/versions @3u13r
+/internal/watcher @daniel-weisse
 /joinservice @daniel-weisse
 /keyservice @daniel-weisse
+/measurement-reader @daniel-weisse
 /operators @malt3
+/rpm @malt3
+/tools @malt3
 /upgrade-agent @3u13r
 /verify @daniel-weisse
-.golangci.yml @katexochen
diff --git a/hack/azure-jump-host/README.md b/hack/azure-jump-host/README.md
deleted file mode 100644
index 051313805..000000000
--- a/hack/azure-jump-host/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Creating a Jump Host for Azure
-
-Constellation on Azure does not allow direct access to every node.
-For debugging purposes, you can create a jump host that can be used to access the nodes in your cluster.
-
-```shell-session
-# execute the following command in your constellation workspace AFTER constellation create
-"$(git rev-parse --show-toplevel)/hack/azure-jump-host/jump-host-create"
-```
diff --git a/hack/azure-jump-host/jump-host-create b/hack/azure-jump-host/jump-host-create
deleted file mode 100755
index 0fa13d1bd..000000000
--- a/hack/azure-jump-host/jump-host-create
+++ /dev/null
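Review bot: The rewritten owner list in this hunk (it covers the whole file, lines 1-67 on the new side) still carries no catch-all rule, so any path that is not listed here has no designated reviewer and, where branch protection requires code-owner approval, a change to it can be merged without one. A first line of the form `* @<default-owner-team>` (placeholder, to be replaced by the team that should review unowned paths) would close that gap; because the last matching pattern wins in CODEOWNERS, putting it first leaves every specific entry below it authoritative. The list is otherwise consistent with the deletions in this commit: the `/hack/azure-jump-host` entry goes away together with that directory, while the other two deleted scripts never had an entry.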
@@ -1,40 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-SCRIPTDIR="$(dirname -- "$(realpath "${BASH_SOURCE[0]}")")"
-RG=$(jq -r .azureresourcegroup constellation-state.json)
-SUBNET=$(jq -r .azuresubnet constellation-state.json)
-VNET=${SUBNET%"/subnets/nodeNetwork"}
-PUBKEY=$(cat ~/.ssh/id_rsa.pub)
-DEPLOYMENT_NAME=jump-host
-VM_NAME=jump-host
-
-az deployment group create \
- -o none \
- --name "${DEPLOYMENT_NAME}" \
- --resource-group "${RG}" \
- --template-file "${SCRIPTDIR}/template.json" \
- --parameters "@${SCRIPTDIR}/parameters.json" \
- --parameters "{ \"virtualNetworkId\": { \"value\": \"${VNET}\" } }" \
- --parameters "{ \"subnetRef\": { \"value\": \"${SUBNET}\" } }" \
- --parameters "{ \"adminPublicKey\": { \"value\": \"${PUBKEY}\" } }"
-az deployment group wait --created --name "${DEPLOYMENT_NAME}" --resource-group "${RG}"
-PUBIP=$(
- az vm list-ip-addresses \
- --resource-group "${RG}" \
- --name "${VM_NAME}" \
- --query "[].virtualMachine.network.publicIpAddresses[0].ipAddress" \
- --output tsv
-)
-echo "Jump host created. Cleanup by deleteing the resource group."
-echo "Connect to the jump host with the following command:"
-echo -e "ssh azureuser@${PUBIP}\n"
-echo "Expose any nodes's debugd port locally:"
-echo -e "NODEIP= && \n\
- ssh -M -S debugd -fNT -L \"4000:\${NODEIP}:4000\" azureuser@${PUBIP} && \n\
- ./cdbg deploy --ips localhost && \n\
- ssh -S debugd -O exit azureuser@${PUBIP}\n"
-echo "Connect to any constellation node using the following command:"
-echo "ssh -J azureuser@${PUBIP} @"
diff --git a/hack/azure-jump-host/parameters.json b/hack/azure-jump-host/parameters.json
deleted file mode 100644
index 60ff13b23..000000000
--- a/hack/azure-jump-host/parameters.json
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "value": "westus"
- },
- "networkInterfaceName": {
- "value": "jump-host814"
- },
- "networkSecurityGroupName": {
- "value": "jump-host-nsg"
- },
- "networkSecurityGroupRules": {
- "value": [
- {
- "name": "SSH",
- "properties": {
- "priority": 300,
- "protocol": "TCP",
- "access": "Allow",
- "direction": "Inbound",
- "sourceAddressPrefix": "*",
- "sourcePortRange": "*",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "22"
- }
- }
- ]
- },
- "virtualNetworkId": {
- "value": null
- },
- "subnetRef": {
- "value": null
- },
- "publicIpAddressName": {
- "value": "jump-host-ip"
- },
- "publicIpAddressType": {
- "value": "Dynamic"
- },
- "publicIpAddressSku": {
- "value": "Basic"
- },
- "pipDeleteOption": {
- "value": "Detach"
- },
- "virtualMachineName": {
- "value": "jump-host"
- },
- "virtualMachineComputerName": {
- "value": "jump-host"
- },
- "osDiskType": {
- "value": "Premium_LRS"
- },
- "osDiskDeleteOption": {
- "value": "Delete"
- },
- "virtualMachineSize": {
- "value": "Standard_DC2ads_v5"
- },
- "nicDeleteOption": {
- "value": "Detach"
- },
- "adminUsername": {
- "value": "azureuser"
- },
- "adminPublicKey": {
- "value": null
- },
- "securityType": {
- "value": "ConfidentialVM"
- },
- "secureBoot": {
- "value": true
- },
- "vTPM": {
- "value": true
- }
- }
-}
diff --git a/hack/azure-jump-host/template.json b/hack/azure-jump-host/template.json
deleted file mode 100644
index 793aca8f0..000000000
--- a/hack/azure-jump-host/template.json
+++ /dev/null
@@ -1,204 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string"
- },
- "networkInterfaceName": {
- "type": "string"
- },
- "networkSecurityGroupName": {
- "type": "string"
- },
- "networkSecurityGroupRules": {
- "type": "array"
- },
- "virtualNetworkId": {
- "type": "string"
- },
- "subnetRef": {
- "type": "string"
- },
- "publicIpAddressName": {
- "type": "string"
- },
- "publicIpAddressType": {
- "type": "string"
- },
- "publicIpAddressSku": {
- "type": "string"
- },
- "pipDeleteOption": {
- "type": "string"
- },
- "virtualMachineName": {
- "type": "string"
- },
- "virtualMachineComputerName": {
- "type": "string"
- },
- "osDiskType": {
- "type": "string"
- },
- "osDiskDeleteOption": {
- "type": "string"
- },
- "virtualMachineSize": {
- "type": "string"
- },
- "nicDeleteOption": {
- "type": "string"
- },
- "adminUsername": {
- "type": "string"
- },
- "adminPublicKey": {
- "type": "secureString"
- },
- "securityType": {
- "type": "string"
- },
- "secureBoot": {
- "type": "bool"
- },
- "vTPM": {
- "type": "bool"
- }
- },
- "variables": {
- "nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
- "vnetId": "[parameters('virtualNetworkId')]",
- "vnetName": "[last(split(variables('vnetId'), '/'))]"
- },
- "resources": [
- {
- "name": "[parameters('networkInterfaceName')]",
- "type": "Microsoft.Network/networkInterfaces",
- "apiVersion": "2021-03-01",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]",
- "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName'))]"
- ],
- "properties": {
- "ipConfigurations": [
- {
- "name": "ipconfig1",
- "properties": {
- "subnet": {
- "id": "[parameters('subnetRef')]"
- },
- "privateIPAllocationMethod": "Dynamic",
- "publicIpAddress": {
- "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]",
- "properties": {
- "deleteOption": "[parameters('pipDeleteOption')]"
- }
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('nsgId')]"
- }
- }
- },
- {
- "name": "[parameters('networkSecurityGroupName')]",
- "type": "Microsoft.Network/networkSecurityGroups",
- "apiVersion": "2019-02-01",
- "location": "[parameters('location')]",
- "properties": {
- "securityRules": "[parameters('networkSecurityGroupRules')]"
- }
- },
- {
- "name": "[parameters('publicIpAddressName')]",
- "type": "Microsoft.Network/publicIpAddresses",
- "apiVersion": "2020-08-01",
- "location": "[parameters('location')]",
- "properties": {
- "publicIpAllocationMethod": "[parameters('publicIpAddressType')]"
- },
- "sku": {
- "name": "[parameters('publicIpAddressSku')]"
- }
- },
- {
- "name": "[parameters('virtualMachineName')]",
- "type": "Microsoft.Compute/virtualMachines",
- "apiVersion": "2022-03-01",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName'))]"
- ],
- "properties": {
- "hardwareProfile": {
- "vmSize": "[parameters('virtualMachineSize')]"
- },
- "storageProfile": {
- "osDisk": {
- "createOption": "fromImage",
- "managedDisk": {
- "storageAccountType": "[parameters('osDiskType')]",
- "securityProfile": {
- "securityEncryptionType": "DiskWithVMGuestState"
- }
- },
- "deleteOption": "[parameters('osDiskDeleteOption')]"
- },
- "imageReference": {
- "publisher": "canonical",
- "offer": "0001-com-ubuntu-confidential-vm-focal",
- "sku": "20_04-lts-cvm",
- "version": "latest"
- }
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]",
- "properties": {
- "deleteOption": "[parameters('nicDeleteOption')]"
- }
- }
- ]
- },
- "osProfile": {
- "computerName": "[parameters('virtualMachineComputerName')]",
- "adminUsername": "[parameters('adminUsername')]",
- "linuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
- "keyData": "[parameters('adminPublicKey')]"
- }
- ]
- }
- }
- },
- "securityProfile": {
- "securityType": "[parameters('securityType')]",
- "uefiSettings": {
- "secureBootEnabled": "[parameters('secureBoot')]",
- "vTpmEnabled": "[parameters('vTPM')]"
- }
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true
- }
- }
- }
- }
- ],
- "outputs": {
- "adminUsername": {
- "type": "string",
- "value": "[parameters('adminUsername')]"
- }
- }
-}
diff --git a/hack/docgen-builder/build-and-upload.sh b/hack/docgen-builder/build-and-upload.sh
deleted file mode 100755
index a087d86d7..000000000
--- a/hack/docgen-builder/build-and-upload.sh
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/env bash
-
-# Usage: ./build-and-upload.sh [dryrun]
-
-set -euo pipefail
-set -o errtrace
-shopt -s inherit_errexit
-
-talosRepo="https://github.com/siderolabs/talos"
-talosHash="94c24ca64e70f227da29cd02bd367d3c2701b96c"
-s3CASPath="s3://cdn-constellation-backend/constellation/cas/sha256"
-publicCASPath="https://cdn.confidential.cloud/constellation/cas/sha256"
-
-function cleanup {
- echo "Cleaning up"
- rm -rf "${tmpDir}"
-}
-
-trap cleanup EXIT
-
-# Set flags to --dryrun if arg 1 is "dryrun"
-awsFlags=()
-if [[ ${1-} == "dryrun" ]]; then
- awsFlags+=("--dryrun")
-fi
-
-# Create a temp dir to work in
-tmpDir=$(mktemp -d)
-pushd "${tmpDir}"
-
-# Get the talos source code
-wget -qO- "${talosRepo}/archive/${talosHash}.tar.gz" | tar -xz
-cp -r "talos-${talosHash}/hack/docgen" .
-pushd "docgen"
-
-# Build and upload the talos-docgen binary
-echo
-for arch in "amd64" "arm64"; do
- for os in "linux" "darwin"; do
- echo "Building and uploading talos-docgen-${os}-${arch}"
- CGO_ENABLED="0" GOWORK="" GOOS="${os}" GOARCH="${arch}" go build -trimpath -ldflags="-buildid=" -o "talos-docgen-${os}-${arch}" .
- sum=$(sha256sum "talos-docgen-${os}-${arch}" | cut -d ' ' -f1) && echo "Binary sha256sum: ${sum}"
- file "talos-docgen-${os}-${arch}"
- aws s3 "${awsFlags[@]}" cp "./talos-docgen-${os}-${arch}" "${s3CASPath}/${sum}"
- echo
- cat << EOF >> "bazelout.txt"
- http_file(
- name = "com_github_siderolabs_talos_hack_docgen_${os}_${arch}",
- urls = [
- "${publicCASPath}/${sum}",
- ],
- executable = True,
- sha256 = "${sum}",
- )
-EOF
- done
-done
-
-# Print the bazel output
-cat bazelout.txt
-echo
diff --git a/hack/importAzure.sh b/hack/importAzure.sh
deleted file mode 100755
index f89e383bf..000000000
--- a/hack/importAzure.sh
+++ /dev/null
@@ -1,185 +0,0 @@
-#!/usr/bin/env bash
-
-# importAzure imports a downloaded Azure VM image into Azure cloud.
-# Parameters are provided via environment variables.
-#
-# Usage:
-# $ AZURE_IMAGE_VERSION=0.1.0 AZURE_RESOURCE_GROUP_NAME=constellation-images ./importAzure.sh
-# Required values.
-# * AZURE_RESOURCE_GROUP_NAME: (required) resource group in Azure to use. Needs to exist!
-# * AZURE_IMAGE_VERSION: (required) version number used for uploaded image. ..
-# Optional values.
-# * AZURE_IMAGE_FILE: (optional, default: ./abcd) Path to image file to be uploaded.
-# * AZURE_REGION: (optional, default: westus) Region used in Azure.
-# * AZURE_GALLERY_NAME: (optional, default: constellation_import) Name for Azure shared image gallery. Will be created as part of this script.
-# * AZURE_IMAGE_NAME: (optional, default: upload-target) Temporary image used for upload, must not exist.
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-# Required tools
-if ! command -v az &> /dev/null; then
- echo "az CLI could not be found"
- echo "Please instal it from: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli"
- exit
-fi
-if ! command -v azcopy &> /dev/null; then
- echo "azcopy could not be found"
- echo "Please instal it from: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10"
- exit
-fi
-if ! command -v jq &> /dev/null; then
- echo "jq could not be found"
- echo "Please instal it from: https://github.com/stedolan/jq"
- exit
-fi
-
-AZURE_IMAGE_FILE="${AZURE_IMAGE_FILE:-$(pwd)/abcd}"
-AZURE_REGION="${AZURE_REGION:-westus}"
-AZURE_GALLERY_NAME="${AZURE_GALLERY_NAME:-constellation_import}"
-AZURE_PUBLISHER="${AZURE_PUBLISHER:-edgelesssys}"
-AZURE_IMAGE_NAME="${AZURE_IMAGE_NAME:-upload-target}"
-AZURE_IMAGE_OFFER="${AZURE_IMAGE_OFFER:-constellation}"
-AZURE_IMAGE_DEFINITION="${AZURE_IMAGE_DEFINITION:-constellation}"
-AZURE_SKU="${AZURE_SKU:-constellation}"
-AZURE_SECURITY_TYPE="${AZURE_SECURITY_TYPE:-TrustedLaunch}"
-
-if [[ -z ${AZURE_RESOURCE_GROUP_NAME} ]]; then
- echo "Please provide a value for AZURE_RESOURCE_GROUP_NAME."
- exit 1
-fi
-
-if [[ -z ${AZURE_IMAGE_VERSION} ]]; then
- echo "Please provide a value for AZURE_IMAGE_VERSION of pattern .."
- exit 1
-fi
-
-echo "Using following settings:"
-echo "AZURE_REGION=${AZURE_REGION}"
-echo "AZURE_RESOURCE_GROUP_NAME=${AZURE_RESOURCE_GROUP_NAME}"
-echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}"
-echo "AZURE_IMAGE_FILE=${AZURE_IMAGE_FILE}"
-echo "AZURE_IMAGE_NAME=${AZURE_IMAGE_NAME}"
-echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_OFFER}"
-echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}"
-echo "AZURE_IMAGE_VERSION=${AZURE_IMAGE_VERSION}"
-echo "AZURE_PUBLISHER=${AZURE_PUBLISHER}"
-echo "AZURE_SKU=${AZURE_SKU}"
-echo "AZURE_SECURITY_TYPE=${AZURE_SECURITY_TYPE}"
-echo ""
-
-read -r -p "Continue (y/n)?" choice
-case "${choice}" in
-y | Y) echo "Starting import..." ;;
-n | N)
- echo "Abort!"
- exit 1
- ;;
-*)
- echo "invalid"
- exit 1
- ;;
-esac
-
-echo "Preparing to upload '${AZURE_IMAGE_FILE} to Azure."
-
-SIZE=$(wc -c "${AZURE_IMAGE_FILE}" | cut -d " " -f1)
-echo "Size is ${SIZE} bytes."
-
-echo "Creating disk (${AZURE_IMAGE_NAME}) as import target."
-az disk create \
- -n "${AZURE_IMAGE_NAME}" \
- -g "${AZURE_RESOURCE_GROUP_NAME}" \
- -l "${AZURE_REGION}" \
- --hyper-v-generation V2 \
- --os-type Linux \
- --for-upload \
- -upload-size-bytes "${SIZE}" \
- --sku standard_lrs
-echo "Waiting for disk to be created."
-az disk wait --created -n "${AZURE_IMAGE_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
-echo "Retrieving disk ID."
-AZURE_DISK_ID=$(
- az disk list \
- --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" \
- --output json |
- jq -r
-)
-echo "Disk ID is ${AZURE_DISK_ID}"
-
-echo "Generating SAS URL for authorized upload."
-AZURE_SAS_URL=$(
- az disk grant-access \
- -n "${AZURE_IMAGE_NAME}" \
- -g "${AZURE_RESOURCE_GROUP_NAME}" \
- --access-level Write \
- --duration-in-seconds 86400 |
- jq -r .accessSas
-)
-echo "Uploading image file to Azure disk."
-azcopy copy "${AZURE_IMAGE_FILE}" "${AZURE_SAS_URL}" --blob-type PageBlob
-echo "Finalizing upload."
-az disk revoke-access -n "${AZURE_IMAGE_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
-
-echo "Creating Azure image."
-az image create \
- -g "${AZURE_RESOURCE_GROUP_NAME}" \
- -l "${AZURE_REGION}" \
- -n "${AZURE_IMAGE_NAME}" \
- --hyper-v-generation V2 \
- --os-type Linux \
- --source "${AZURE_DISK_ID}"
-echo "Creating Azure Shared Image Gallery."
-az sig create \
- -l "${AZURE_REGION}" \
- --gallery-name "${AZURE_GALLERY_NAME}" \
- --resource-group "${AZURE_RESOURCE_GROUP_NAME}"
-echo "Creating Image Definition."
-az sig image-definition create \
- --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
- -l "${AZURE_REGION}" \
- --gallery-name "${AZURE_GALLERY_NAME}" \
- --gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
- --publisher "${AZURE_PUBLISHER}" \
- --offer "${AZURE_IMAGE_OFFER}" --sku "${AZURE_SKU}" \
- --os-type Linux \
- --os-state generalized \
- --hyper-v-generation V2 \
- --features SecurityType="${AZURE_SECURITY_TYPE}"
-echo "Retrieving temporary image ID."
-AZURE_IMAGE_ID=$(
- az image list \
- --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" \
- --output json | jq -r
-)
-
-echo "Creating final image version."
-az sig image-version create \
- --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
- -l "${AZURE_REGION}" \
- --gallery-name "${AZURE_GALLERY_NAME}" \
- --gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
- --gallery-image-version "${AZURE_IMAGE_VERSION}" \
- --target-regions "${AZURE_REGION}" \
- --replica-count 1 \
- --managed-image "${AZURE_IMAGE_ID}"
-
-echo "Cleaning up ephemeral resources."
-az image delete --ids "${AZURE_IMAGE_ID}"
-az disk delete -y --ids "${AZURE_DISK_ID}"
-
-IMAGE_VERSION=$(
- az sig image-version show \
- --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
- --gallery-name "${AZURE_GALLERY_NAME}" \
- --gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
- --gallery-image-version "${AZURE_IMAGE_VERSION}" \
- -o tsv \
- --query id
-)
-echo "Image ID is ${IMAGE_VERSION}"
-
-# # Cleanup all
-# az sig image-version delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --gallery-image-version ${AZURE_IMAGE_VERSION} --gallery-name ${AZURE_GALLERY_NAME}
-# az sig image-definition delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION}
-# az sig delete --resource-group ${AZURE_RESOURCE_GROUP_NAME} --gallery-name ${AZURE_GALLERY_NAME}