Implement minimal feature support for bootstrapper on AWS (#333)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

bootstrapper/cmd/bootstrapper/main.go

@@ -21,12 +21,14 @@ import (
 	"github.com/edgelesssys/constellation/v2/bootstrapper/internal/kubernetes/k8sapi/kubectl"
 	"github.com/edgelesssys/constellation/v2/bootstrapper/internal/logging"
 	"github.com/edgelesssys/constellation/v2/internal/atls"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/aws"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/gcp"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/qemu"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/simulator"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
+	awscloud "github.com/edgelesssys/constellation/v2/internal/cloud/aws"
 	azurecloud "github.com/edgelesssys/constellation/v2/internal/cloud/azure"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	gcpcloud "github.com/edgelesssys/constellation/v2/internal/cloud/gcp"
@@ -77,7 +79,36 @@ func main() {
 
 	switch cloudprovider.FromString(os.Getenv(constellationCSP)) {
 	case cloudprovider.AWS:
-		panic("AWS cloud provider currently unsupported")
+		pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.AWSPCRSelection)
+		if err != nil {
+			log.With(zap.Error(err)).Fatalf("Failed to get selected PCRs")
+		}
+		pcrsJSON, err := json.Marshal(pcrs)
+		if err != nil {
+			log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
+		}
+
+		issuer = initserver.NewIssuerWrapper(&aws.Issuer{}, vmtype.Unknown, nil)
+
+		metadata, err := awscloud.New(ctx)
+		if err != nil {
+			log.With(zap.Error(err)).Fatalf("Failed to set up AWS metadata API")
+		}
+		metadataAPI = metadata
+
+		cloudLogger, err = awscloud.NewLogger(ctx)
+		if err != nil {
+			log.With(zap.Error(err)).Fatalf("Failed to set up cloud logger")
+		}
+
+		nodeManager := &awscloud.CloudNodeManager{}
+		cloudControllerManager := &awscloud.CloudControllerManager{}
+		clusterInitJoiner = kubernetes.New(
+			"aws", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), cloudControllerManager,
+			nodeManager, &gcpcloud.Autoscaler{}, metadata, pcrsJSON, helmClient,
+		)
+		openTPM = vtpm.OpenVTPM
+		fs = afero.NewOsFs()
 	case cloudprovider.GCP:
 		pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.GCPPCRSelection)
 		if err != nil {

internal/attestation/vtpm/attestation.go

@@ -24,6 +24,12 @@ import (
 )
 
 var (
+	// AWSPCRSelection are the PCR values verified for AWS Nitro TPM based Constellations.
+	// TODO: determine which PCRs are required.
+	AWSPCRSelection = tpm2.PCRSelection{
+		Hash: tpm2.AlgSHA256,
+		PCRs: []int{},
+	}
 	// AzurePCRSelection are the PCR values verified for Azure Constellations.
 	// PCR[0] is excluded due to changing rarely, but unpredictably.
 	// PCR[6] is excluded due to being different for any 2 VMs. See: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#%5B%7B%22num%22%3A157%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C33%2C400%2C0%5D

internal/cloud/aws/metadata.go

@@ -98,6 +98,54 @@ func (m *Metadata) Self(ctx context.Context) (metadata.InstanceMetadata, error)
 	}, nil
 }
 
+// GetInstance retrieves the instance with the given providerID.
+func (m *Metadata) GetInstance(ctx context.Context, providerID string) (metadata.InstanceMetadata, error) {
+	instances, err := m.ec2.DescribeInstances(ctx, &ec2.DescribeInstancesInput{
+		InstanceIds: []string{providerID},
+	})
+	if err != nil {
+		return metadata.InstanceMetadata{}, fmt.Errorf("retrieving instance: %w", err)
+	}
+	if len(instances.Reservations) == 0 {
+		return metadata.InstanceMetadata{}, errors.New("instance not found")
+	}
+	if len(instances.Reservations) > 1 {
+		return metadata.InstanceMetadata{}, errors.New("providerID matches multiple instances")
+	}
+	if len(instances.Reservations[0].Instances) == 0 {
+		return metadata.InstanceMetadata{}, errors.New("instance not found")
+	}
+	if len(instances.Reservations[0].Instances) > 1 {
+		return metadata.InstanceMetadata{}, errors.New("providerID matches multiple instances")
+	}
+	instance, err := m.convertToMetadataInstance(instances.Reservations[0].Instances)
+	if err != nil {
+		return metadata.InstanceMetadata{}, fmt.Errorf("converting instance: %w", err)
+	}
+
+	return instance[0], nil
+}
+
+// UID returns the UID of the Constellation.
+func (m *Metadata) UID(ctx context.Context) (string, error) {
+	return readInstanceTag(ctx, m.imds, tagUID)
+}
+
+// SupportsLoadBalancer returns true if the cloud provider supports load balancers.
+func (m *Metadata) SupportsLoadBalancer() bool {
+	return false
+}
+
+// GetLoadBalancerEndpoint returns the endpoint of the load balancer.
+func (m *Metadata) GetLoadBalancerEndpoint(ctx context.Context) (string, error) {
+	panic("function *Metadata.GetLoadBalancerEndpoint not implemented")
+}
+
+// GetSubnetworkCIDR retrieves the subnetwork CIDR from cloud provider metadata.
+func (m *Metadata) GetSubnetworkCIDR(ctx context.Context) (string, error) {
+	panic("function *Metadata.GetSubnetworkCIDR not implemented")
+}
+
 func (m *Metadata) getAllInstancesInGroup(ctx context.Context, uid string) ([]types.Instance, error) {
 	var instances []types.Instance
 	instanceReq := &ec2.DescribeInstancesInput{