image: OpenStack vTPM (#1616)

* cli: allow vpc traffic between nodes on OpenStack * image: enable vTPM on OpenStack * cli: add create tests for OpenStack
2025-08-22 05:39:30 -04:00 · 2023-04-05 16:49:03 +02:00 · 2023-04-05 16:49:03 +02:00 · 69de06dd1f
commit 69de06dd1f
parent 509b3d5d58
15 changed files with 151 additions and 41 deletions
--- a/cli/internal/cloudcmd/create.go
+++ b/cli/internal/cloudcmd/create.go
@ -23,6 +23,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/profiles/latest/attestation/attestation"
 	azpolicy "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+
 	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
 	"github.com/edgelesssys/constellation/v2/cli/internal/image"
 	"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
--- a/cli/internal/cloudcmd/create_test.go
+++ b/cli/internal/cloudcmd/create_test.go
@ -13,14 +13,17 @@ import (
 	"runtime"
 	"testing"

+	"github.com/stretchr/testify/assert"
+
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/variant"
-	"github.com/stretchr/testify/assert"
 )

 func TestCreator(t *testing.T) {
+	// TODO(malt3): remove once OpenStack is fully supported.
+	t.Setenv("CONSTELLATION_OPENSTACK_DEV", "1")
 	failOnNonAMD64 := (runtime.GOARCH != "amd64") || (runtime.GOOS != "linux")
 	ip := "192.0.2.1"
 	someErr := errors.New("failed")
@ -110,6 +113,47 @@ func TestCreator(t *testing.T) {
 			wantRollback:          true,
 			wantTerraformRollback: true,
 		},
+		"openstack": {
+			tfClient: &stubTerraformClient{ip: ip},
+			libvirt:  &stubLibvirtRunner{},
+			provider: cloudprovider.OpenStack,
+			config: func() *config.Config {
+				cfg := config.Default()
+				cfg.Provider.OpenStack.Cloud = "testcloud"
+				return cfg
+			}(),
+		},
+		"openstack without clouds.yaml": {
+			tfClient: &stubTerraformClient{ip: ip},
+			libvirt:  &stubLibvirtRunner{},
+			provider: cloudprovider.OpenStack,
+			config:   config.Default(),
+			wantErr:  true,
+		},
+		"openstack newTerraformClient error": {
+			newTfClientErr: someErr,
+			libvirt:        &stubLibvirtRunner{},
+			provider:       cloudprovider.OpenStack,
+			config: func() *config.Config {
+				cfg := config.Default()
+				cfg.Provider.OpenStack.Cloud = "testcloud"
+				return cfg
+			}(),
+			wantErr: true,
+		},
+		"openstack create cluster error": {
+			tfClient: &stubTerraformClient{createClusterErr: someErr},
+			libvirt:  &stubLibvirtRunner{},
+			provider: cloudprovider.OpenStack,
+			config: func() *config.Config {
+				cfg := config.Default()
+				cfg.Provider.OpenStack.Cloud = "testcloud"
+				return cfg
+			}(),
+			wantErr:               true,
+			wantRollback:          true,
+			wantTerraformRollback: true,
+		},
 		"qemu": {
 			tfClient: &stubTerraformClient{ip: ip},
 			libvirt:  &stubLibvirtRunner{},
@ -152,7 +196,6 @@ func TestCreator(t *testing.T) {
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
 			assert := assert.New(t)
-
 			creator := &Creator{
 				out: &bytes.Buffer{},
 				image: &stubImageFetcher{
--- a/cli/internal/cloudcmd/validators_test.go
+++ b/cli/internal/cloudcmd/validators_test.go
@ -12,6 +12,10 @@ import (
 	"encoding/hex"
 	"testing"

+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
 	"github.com/edgelesssys/constellation/v2/internal/atls"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch"
@ -22,9 +26,6 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/variant"
-	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func TestNewValidator(t *testing.T) {
@ -71,6 +72,16 @@ func TestNewValidator(t *testing.T) {
 				},
 			},
 		},
+		"openstack": {
+			config: &config.Config{
+				AttestationVariant: variant.QEMUVTPM{}.String(),
+				Provider: config.ProviderConfig{
+					OpenStack: &config.OpenStackConfig{
+						Measurements: testPCRs,
+					},
+				},
+			},
+		},
 		"qemu": {
 			config: &config.Config{
 				AttestationVariant: variant.QEMUVTPM{}.String(),
--- a/cli/internal/helm/loader_test.go
+++ b/cli/internal/helm/loader_test.go
@ -18,18 +18,19 @@ import (
 	"strings"
 	"testing"

-	"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
-	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
-	"github.com/edgelesssys/constellation/v2/internal/config"
-	"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
-	"github.com/edgelesssys/constellation/v2/internal/variant"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"helm.sh/helm/v3/pkg/chart/loader"
 	"helm.sh/helm/v3/pkg/chartutil"
 	"helm.sh/helm/v3/pkg/engine"
+
+	"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+	"github.com/edgelesssys/constellation/v2/internal/config"
+	"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
+	"github.com/edgelesssys/constellation/v2/internal/variant"
 )

 // TestLoad checks if the serialized format that Load returns correctly preserves the dependencies of the loaded chart.
@ -97,7 +98,7 @@ func TestConstellationServices(t *testing.T) {
 		},
 		"OpenStack": {
 			config: &config.Config{
-				AttestationVariant: variant.Dummy{}.String(),
+				AttestationVariant: variant.QEMUVTPM{}.String(),
 				Provider:           config.ProviderConfig{OpenStack: &config.OpenStackConfig{}},
 			},
 			valuesModifier: prepareOpenStackValues,
--- a/cli/internal/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml
+++ b/cli/internal/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml
@ -39,7 +39,7 @@ spec:
          args:
            - --cloud-provider=OpenStack
            - --key-service-endpoint=key-service.testNamespace:9000
-            - --attestation-variant=dummy
+            - --attestation-variant=qemu-vtpm
          volumeMounts:
            - mountPath: /var/config
              name: config
--- a/cli/internal/helm/testdata/OpenStack/constellation-services/charts/verification-service/templates/daemonset.yaml
+++ b/cli/internal/helm/testdata/OpenStack/constellation-services/charts/verification-service/templates/daemonset.yaml
@ -17,7 +17,7 @@ spec:
    spec:
      containers:
      - args:
-        - --attestation-variant=dummy
+        - --attestation-variant=qemu-vtpm
        image: verificationImage
        name: verification-service
        ports:
--- a/cli/internal/terraform/terraform/openstack/main.tf
+++ b/cli/internal/terraform/terraform/openstack/main.tf
@ -112,6 +112,20 @@ resource "openstack_compute_secgroup_v2" "vpc_secgroup" {
    self        = true
  }

+  rule {
+    from_port   = 1
+    to_port     = 65535
+    ip_protocol = "udp"
+    cidr        = local.cidr_vpc_subnet_nodes
+  }
+
+  rule {
+    from_port   = 1
+    to_port     = 65535
+    ip_protocol = "tcp"
+    cidr        = local.cidr_vpc_subnet_nodes
+  }
+
  rule {
    from_port   = local.ports_node_range_start
    to_port     = local.ports_node_range_end
@ -119,6 +133,13 @@ resource "openstack_compute_secgroup_v2" "vpc_secgroup" {
    cidr        = "0.0.0.0/0"
  }

+  rule {
+    from_port   = local.ports_node_range_start
+    to_port     = local.ports_node_range_end
+    ip_protocol = "udp"
+    cidr        = "0.0.0.0/0"
+  }
+
  dynamic "rule" {
    for_each = flatten([
      local.ports_kubernetes,