AB#2386: TrustedLaunch support for azure attestation

* There are now two attestation packages on azure. The issuer on the server side is created base on successfully querying the idkeydigest from the TPM. Fallback on err: Trusted Launch. * The bootstrapper's issuer choice is validated by the CLI's validator, which is created based on the local config. * Add "azureCVM" field to new "internal-config" cm. This field is populated by the bootstrapper. * Group attestation OIDs by CSP (#42) * Bootstrapper now uses IssuerWrapper type to pass the issuer (and some context info) to the initserver. * Introduce VMType package akin to cloudprovider. Used by IssuerWrapper. * Extend unittests. * Remove CSP specific attestation integration tests Co-authored-by: <dw@edgeless.systems> Signed-off-by: Otto Bittner <cobittner@posteo.net>
2025-08-06 05:54:28 -04:00 · 2022-08-31 20:10:49 +02:00 · 2022-08-31 20:10:49 +02:00 · 405db3286e
commit 405db3286e
parent 4bfb98d35a
33 changed files with 749 additions and 431 deletions
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -84,6 +84,8 @@ const (
 	IdKeyDigestFilename = "idkeydigest"
 	// EnforceIdKeyDigestFilename is the name of the file configuring whether idkeydigest is enforced or not.
 	EnforceIdKeyDigestFilename = "enforceIdKeyDigest"
+	// AzureCVM is the name of the file indicating whether the cluster is expected to run on CVMs or not.
+	AzureCVM = "azureCVM"
 	// K8sVersion is the filename of the mapped "k8s-version" configMap file.
 	K8sVersion = "k8s-version"

@ -101,6 +103,7 @@ const (
 	KubernetesJoinTokenTTL = 15 * time.Minute
 	ConstellationNamespace = "kube-system"
 	JoinConfigMap          = "join-config"
+	InternalConfigMap      = "internal-config"

 	//
 	// Helm.