config: add attestation variant (#1413)

* Add attestation type to config (optional for now) * Get attestation variant from config in CLI * Set attestation variant for Constellation services in helm deployments * Remove AzureCVM variable from helm deployments --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-05-02 14:26:23 -04:00 · 2023-03-14 11:46:27 +01:00 · 2023-03-14 11:46:27 +01:00 · 6ea5588bdc
commit 6ea5588bdc
parent 8679988b6c
44 changed files with 379 additions and 383 deletions
--- a/internal/config/validation.go
+++ b/internal/config/validation.go
@ -20,6 +20,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/compatibility"
 	"github.com/edgelesssys/constellation/v2/internal/config/instancetypes"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
+	"github.com/edgelesssys/constellation/v2/internal/oid"
 	"github.com/edgelesssys/constellation/v2/internal/versions"
 	"github.com/edgelesssys/constellation/v2/internal/versionsapi"
 	ut "github.com/go-playground/universal-translator"
@ -466,3 +467,55 @@ func (c *Config) validateName(fl validator.FieldLevel) bool {
 	}
 	return len(fl.Field().String()) <= constants.ConstellationNameLength
 }
+
+func registerValidAttestVariantError(ut ut.Translator) error {
+	return ut.Add("valid_attestation_variant", `"{0}" is not a valid attestation variant for CSP {1}`, true)
+}
+
+func (c *Config) translateValidAttestVariantError(ut ut.Translator, fe validator.FieldError) string {
+	csp := c.GetProvider()
+	t, _ := ut.T("valid_attestation_variant", c.AttestationVariant, csp.String())
+	return t
+}
+
+func (c *Config) validAttestVariant(fl validator.FieldLevel) bool {
+	// TODO: v2.8: remove variant fallback and make variant a required field
+	c.addMissingVariant()
+
+	variant, err := oid.FromString(c.AttestationVariant)
+	if err != nil {
+		return false
+	}
+
+	// make sure the variant is valid for the chosen CSP
+	switch variant {
+	case oid.AWSNitroTPM{}:
+		return c.Provider.AWS != nil
+	case oid.AzureSEVSNP{}, oid.AzureTrustedLaunch{}:
+		return c.Provider.Azure != nil
+	case oid.GCPSEVES{}:
+		return c.Provider.GCP != nil
+	case oid.QEMUVTPM{}:
+		return c.Provider.QEMU != nil
+	default:
+		return false
+	}
+}
+
+func (c *Config) addMissingVariant() {
+	if c.AttestationVariant != "" {
+		return
+	}
+	fmt.Fprintln(os.Stderr, "WARNING: the config key `attestationVariant` is not set. This key will be required in the next version.")
+
+	switch c.GetProvider() {
+	case cloudprovider.AWS:
+		c.AttestationVariant = oid.AWSNitroTPM{}.String()
+	case cloudprovider.Azure:
+		c.AttestationVariant = oid.AzureTrustedLaunch{}.String()
+	case cloudprovider.GCP:
+		c.AttestationVariant = oid.GCPSEVES{}.String()
+	case cloudprovider.QEMU:
+		c.AttestationVariant = oid.QEMUVTPM{}.String()
+	}
+}