config: only allow confidential instances on stackit (#3463)
* cli: only allow confidential instances on stackit * review changes
This commit is contained in:
parent
7dc38d9ff0
commit
9124691743
2 changed files with 75 additions and 3 deletions
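--- a/config_test.go
+++ b/config_test.go
@@ -688,67 +688,80 @@ func TestValidInstanceTypeForProvider(t *testing.T) {
 testCases := map[string]struct {
 variant variant.Variant
 instanceTypes []string
+providerConfig ProviderConfig
 expectedResult bool
 }{
 "empty all": {
 variant: variant.Dummy{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "empty aws": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "empty azure only CVMs": {
 variant: variant.AzureSEVSNP{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "empty azure with non-CVMs": {
 variant: variant.AzureTrustedLaunch{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "empty gcp": {
 variant: variant.GCPSEVES{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "azure only CVMs (SNP)": {
 variant: variant.AzureSEVSNP{},
 instanceTypes: instancetypes.AzureSNPInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "azure only CVMs (TDX)": {
 variant: variant.AzureTDX{},
 instanceTypes: instancetypes.AzureTDXInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "azure trusted launch VMs": {
 variant: variant.AzureTrustedLaunch{},
 instanceTypes: instancetypes.AzureTrustedLaunchInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "gcp": {
 variant: variant.GCPSEVES{},
 instanceTypes: instancetypes.GCPInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "gcp sev-snp": {
 variant: variant.GCPSEVSNP{},
 instanceTypes: instancetypes.GCPInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "put gcp when azure is set": {
 variant: variant.AzureSEVSNP{},
 instanceTypes: instancetypes.GCPInstanceTypes,
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "put azure when gcp is set": {
 variant: variant.GCPSEVES{},
 instanceTypes: instancetypes.AzureSNPInstanceTypes,
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 // Testing every possible instance type for AWS is not feasible, so we just test a few based on known supported / unsupported families
 // Also serves as a test for checkIfInstanceInValidAWSFamilys
@@ -756,31 +769,79 @@ func TestValidInstanceTypeForProvider(t *testing.T) {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"c5.xlarge", "c5a.2xlarge", "c5a.16xlarge", "u-12tb1.112xlarge"},
 expectedResult: false, // False because 2 two of the instances are not valid
+providerConfig: ProviderConfig{},
 },
 "aws one valid instance one with too little vCPUs": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"c5.medium"},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "aws graviton sub-family unsupported": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"m6g.xlarge", "r6g.2xlarge", "x2gd.xlarge", "g5g.8xlarge"},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "aws combined two valid instances as one string": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"c5.xlarge, c5a.2xlarge"},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "aws only CVMs": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"c6a.xlarge", "m6a.xlarge", "r6a.xlarge"},
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "aws nitroTPM VMs": {
 variant: variant.AWSNitroTPM{},
 instanceTypes: []string{"c5.xlarge", "c5a.2xlarge", "c5a.16xlarge", "u-12tb1.112xlarge"},
 expectedResult: true,
+providerConfig: ProviderConfig{},
+},
+"stackit valid flavors": {
+variant: variant.QEMUVTPM{},
+instanceTypes: []string{
+"m1a.2cd",
+"m1a.4cd",
+"m1a.8cd",
+"m1a.16cd",
+"m1a.30cd",
+},
+expectedResult: true,
+providerConfig: ProviderConfig{OpenStack: &OpenStackConfig{Cloud: "stackit"}},
+},
+"stackit not valid flavors": {
+variant: variant.QEMUVTPM{},
+instanceTypes: []string{
+// removed the c which indicates a confidential flavor
+"m1a.2d",
+"m1a.4d",
+"m1a.8d",
+"m1a.16d",
+"m1a.30d",
+},
+expectedResult: false,
+providerConfig: ProviderConfig{OpenStack: &OpenStackConfig{Cloud: "stackit"}},
+},
+"openstack cloud named test": {
+variant: variant.QEMUVTPM{},
+instanceTypes: []string{
+"foo.bar",
+"foo.bar1",
+},
+expectedResult: true,
+providerConfig: ProviderConfig{OpenStack: &OpenStackConfig{Cloud: "test"}},
+},
+"Qemutdx valid instance type": {
+variant: variant.QEMUTDX{},
+instanceTypes: []string{
+"foo.bar",
+},
+expectedResult: true,
+providerConfig: ProviderConfig{QEMU: &QEMUConfig{}},
 },
 }
 for name, tc := range testCases {
@@ -788,7 +849,7 @@ func TestValidInstanceTypeForProvider(t *testing.T) {
 assert := assert.New(t)
 for _, instanceType := range tc.instanceTypes {
 assert.Equal(
-tc.expectedResult, validInstanceTypeForProvider(instanceType, tc.variant),
+tc.expectedResult, validInstanceTypeForProvider(instanceType, tc.variant, tc.providerConfig),
 instanceType,
 )
 }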
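Review bot: The new STACKIT cases only exercise the exact lower-case cloud name "stackit" and a non-stackit name, so the case-insensitive comparison the implementation performs (strings.ToLower on the cloud name) and the QEMUTDX variant with an OpenStack stackit config are both untested, even though the production switch groups QEMUVTPM and QEMUTDX in one case. Suggest adding `"stackit mixed-case cloud name": {variant: variant.QEMUVTPM{}, instanceTypes: []string{"m1a.2cd"}, expectedResult: true, providerConfig: ProviderConfig{OpenStack: &OpenStackConfig{Cloud: "STACKIT"}}},` plus a sibling case with `variant: variant.QEMUTDX{}`, a non-confidential flavor such as `"m1a.2d"` and `expectedResult: false`, so the intended TDX-on-STACKIT behavior is pinned rather than implied. As a point of style, the explicit `providerConfig: ProviderConfig{},` added to every pre-existing case is the struct's zero value and can be omitted, which keeps the diff focused on the cases that actually set a provider. The test function continues outside the hunks.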
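--- a/config.go
+++ b/config.go
@@ -520,7 +520,7 @@ func (c *Config) translateMoreThanOneProviderError(ut ut.Translator, fe validato
 return t
 }
 
-func validInstanceTypeForProvider(insType string, attestation variant.Variant) bool {
+func validInstanceTypeForProvider(insType string, attestation variant.Variant, provider ProviderConfig) bool {
 switch attestation {
 case variant.AWSSEVSNP{}, variant.AWSNitroTPM{}:
 return isSupportedAWSInstanceType(insType, attestation.Equal(variant.AWSNitroTPM{}))
@@ -549,6 +549,17 @@ func validInstanceTypeForProvider(insType string, attestation variant.Variant) b
 }
 }
 case variant.QEMUVTPM{}, variant.QEMUTDX{}:
+// only allow confidential instances on stackit cloud using QEMU vTPM
+if provider.OpenStack != nil {
+if cloud := provider.OpenStack.Cloud; strings.ToLower(cloud) == "stackit" {
+for _, instanceType := range instancetypes.STACKITInstanceTypes {
+if insType == instanceType {
+return true
+}
+}
+return false
+}
+}
 return true
 }
 return false
@@ -789,7 +800,7 @@ func (c *Config) validateNodeGroupZoneField(fl validator.FieldLevel) bool {
 }
 
 func (c *Config) validateInstanceType(fl validator.FieldLevel) bool {
-return validInstanceTypeForProvider(fl.Field().String(), c.GetAttestationConfig().GetVariant())
+return validInstanceTypeForProvider(fl.Field().String(), c.GetAttestationConfig().GetVariant(), c.Provider)
 }
 
 func (c *Config) validateStateDiskTypeField(fl validator.FieldLevel) bool {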
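Review bot: The STACKIT flavor allowlist in the QEMUVTPM/QEMUTDX case is keyed solely on provider.OpenStack.Cloud lower-casing to "stackit"; an OpenStack config that reaches STACKIT through a clouds.yaml entry with any other name, or a nil OpenStack config, falls through to the existing `return true` and accepts any flavor, so this is a guard against accidentally selecting a non-confidential flavor rather than an enforcement boundary, and the comment should say so. The added comment also says "using QEMU vTPM" while the case label covers variant.QEMUTDX{} as well, so a TDX config naming its cloud "stackit" is restricted to the same list; either state that or narrow the check to QEMUVTPM if that was the intent. Suggested replacement comment: `// Best-effort guard: when the OpenStack cloud entry is named "stackit" (any case), only accept flavors from the STACKIT confidential allowlist. Applies to both QEMUVTPM and QEMUTDX; a differently named cloud entry is not restricted, and this check does not replace attestation.` The membership loop can be collapsed to `return slices.Contains(instancetypes.STACKITInstanceTypes, insType)` if the file already imports slices. The remaining cases of the switch lie outside the hunk.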