From 3ccde255847f5a585feedb4181be6f7859c0d879 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com> Date: Mon, 24 Oct 2022 09:12:01 +0200 Subject: [PATCH] Implement minimal feature support for bootstrapper on AWS (#333) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel Weiße --- bootstrapper/cmd/bootstrapper/main.go | 33 +++++++++++++++- internal/attestation/vtpm/attestation.go | 6 +++ internal/cloud/aws/metadata.go | 48 ++++++++++++++++++++++++ 3 files changed, 86 insertions(+), 1 deletion(-) diff --git a/bootstrapper/cmd/bootstrapper/main.go b/bootstrapper/cmd/bootstrapper/main.go index 1d3316f9e..ebc2d4ba4 100644 --- a/bootstrapper/cmd/bootstrapper/main.go +++ b/bootstrapper/cmd/bootstrapper/main.go @@ -21,12 +21,14 @@ import ( "github.com/edgelesssys/constellation/v2/bootstrapper/internal/kubernetes/k8sapi/kubectl" "github.com/edgelesssys/constellation/v2/bootstrapper/internal/logging" "github.com/edgelesssys/constellation/v2/internal/atls" + "github.com/edgelesssys/constellation/v2/internal/attestation/aws" "github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp" "github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch" "github.com/edgelesssys/constellation/v2/internal/attestation/gcp" "github.com/edgelesssys/constellation/v2/internal/attestation/qemu" "github.com/edgelesssys/constellation/v2/internal/attestation/simulator" "github.com/edgelesssys/constellation/v2/internal/attestation/vtpm" + awscloud "github.com/edgelesssys/constellation/v2/internal/cloud/aws" azurecloud "github.com/edgelesssys/constellation/v2/internal/cloud/azure" "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider" gcpcloud "github.com/edgelesssys/constellation/v2/internal/cloud/gcp" @@ -77,7 +79,36 @@ func main() { switch cloudprovider.FromString(os.Getenv(constellationCSP)) { case cloudprovider.AWS: - panic("AWS cloud provider currently unsupported") + pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.AWSPCRSelection) + if err != nil { + log.With(zap.Error(err)).Fatalf("Failed to get selected PCRs") + } + pcrsJSON, err := json.Marshal(pcrs) + if err != nil { + log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs") + } + + issuer = initserver.NewIssuerWrapper(&aws.Issuer{}, vmtype.Unknown, nil) + + metadata, err := awscloud.New(ctx) + if err != nil { + log.With(zap.Error(err)).Fatalf("Failed to set up AWS metadata API") + } + metadataAPI = metadata + + cloudLogger, err = awscloud.NewLogger(ctx) + if err != nil { + log.With(zap.Error(err)).Fatalf("Failed to set up cloud logger") + } + + nodeManager := &awscloud.CloudNodeManager{} + cloudControllerManager := &awscloud.CloudControllerManager{} + clusterInitJoiner = kubernetes.New( + "aws", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), cloudControllerManager, + nodeManager, &gcpcloud.Autoscaler{}, metadata, pcrsJSON, helmClient, + ) + openTPM = vtpm.OpenVTPM + fs = afero.NewOsFs() case cloudprovider.GCP: pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.GCPPCRSelection) if err != nil { diff --git a/internal/attestation/vtpm/attestation.go b/internal/attestation/vtpm/attestation.go index c16c0e4e9..a4b54b75f 100644 --- a/internal/attestation/vtpm/attestation.go +++ b/internal/attestation/vtpm/attestation.go @@ -24,6 +24,12 @@ import ( ) var ( + // AWSPCRSelection are the PCR values verified for AWS Nitro TPM based Constellations. + // TODO: determine which PCRs are required. + AWSPCRSelection = tpm2.PCRSelection{ + Hash: tpm2.AlgSHA256, + PCRs: []int{}, + } // AzurePCRSelection are the PCR values verified for Azure Constellations. // PCR[0] is excluded due to changing rarely, but unpredictably. // PCR[6] is excluded due to being different for any 2 VMs. See: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#%5B%7B%22num%22%3A157%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C33%2C400%2C0%5D diff --git a/internal/cloud/aws/metadata.go b/internal/cloud/aws/metadata.go index fe639367d..d7fe2433f 100644 --- a/internal/cloud/aws/metadata.go +++ b/internal/cloud/aws/metadata.go @@ -98,6 +98,54 @@ func (m *Metadata) Self(ctx context.Context) (metadata.InstanceMetadata, error) }, nil } +// GetInstance retrieves the instance with the given providerID. +func (m *Metadata) GetInstance(ctx context.Context, providerID string) (metadata.InstanceMetadata, error) { + instances, err := m.ec2.DescribeInstances(ctx, &ec2.DescribeInstancesInput{ + InstanceIds: []string{providerID}, + }) + if err != nil { + return metadata.InstanceMetadata{}, fmt.Errorf("retrieving instance: %w", err) + } + if len(instances.Reservations) == 0 { + return metadata.InstanceMetadata{}, errors.New("instance not found") + } + if len(instances.Reservations) > 1 { + return metadata.InstanceMetadata{}, errors.New("providerID matches multiple instances") + } + if len(instances.Reservations[0].Instances) == 0 { + return metadata.InstanceMetadata{}, errors.New("instance not found") + } + if len(instances.Reservations[0].Instances) > 1 { + return metadata.InstanceMetadata{}, errors.New("providerID matches multiple instances") + } + instance, err := m.convertToMetadataInstance(instances.Reservations[0].Instances) + if err != nil { + return metadata.InstanceMetadata{}, fmt.Errorf("converting instance: %w", err) + } + + return instance[0], nil +} + +// UID returns the UID of the Constellation. +func (m *Metadata) UID(ctx context.Context) (string, error) { + return readInstanceTag(ctx, m.imds, tagUID) +} + +// SupportsLoadBalancer returns true if the cloud provider supports load balancers. +func (m *Metadata) SupportsLoadBalancer() bool { + return false +} + +// GetLoadBalancerEndpoint returns the endpoint of the load balancer. +func (m *Metadata) GetLoadBalancerEndpoint(ctx context.Context) (string, error) { + panic("function *Metadata.GetLoadBalancerEndpoint not implemented") +} + +// GetSubnetworkCIDR retrieves the subnetwork CIDR from cloud provider metadata. +func (m *Metadata) GetSubnetworkCIDR(ctx context.Context) (string, error) { + panic("function *Metadata.GetSubnetworkCIDR not implemented") +} + func (m *Metadata) getAllInstancesInGroup(ctx context.Context, uid string) ([]types.Instance, error) { var instances []types.Instance instanceReq := &ec2.DescribeInstancesInput{