cli: add basic support for constellation create on OpenStack (#1283)

* image: support OpenStack image build / upload

* cli: add OpenStack terraform template

* config: add OpenStack as CSP

* versionsapi: add OpenStack as CSP

* cli: add OpenStack as provider for `config generate` and `create`

* disk-mapper: add basic support for boot on OpenStack

* debugd: add placeholder for OpenStack

* image: fix config file sourcing for image upload

image/Makefile

@@ -15,7 +15,7 @@ KERNEL_DEBUG_CMDLNE              := $(if $(filter true,$(DEBUG)),constellation.d
 export INSTALL_DEBUGD            ?= $(DEBUG)
 export CONSOLE_MOTD = $(AUTOLOGIN)
 -include $(CURDIR)/config.mk
-csps := aws qemu gcp azure
+csps := aws azure gcp openstack qemu
 certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer
 
 AZURE_FIXED_KERNEL_RPMS := kernel-6.1.14-200.fc37.x86_64.rpm kernel-core-6.1.14-200.fc37.x86_64.rpm kernel-modules-6.1.14-200.fc37.x86_64.rpm

image/README.md

@@ -239,6 +239,31 @@ upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
 
 </details>
 
+<details>
+<summary>OpenStack</summary>
+
+Note:
+
+> OpenStack is not one a global cloud provider, but rather a software that can be installed on-premises.
+> This means we do not upload the image to a cloud provider, but to our CDN.
+
+- Install `aws` cli (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
+- Login to AWS (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html))
+
+```sh
+# set these variables
+export REF= # e.g. feat-xyz (branch name encoded with dashes)
+export STREAM= # e.g. "nightly", "debug", "stable" (depends on the type of image and if it is a release)
+export IMAGE_VERSION= # e.g. v2.1.0" or output of pseudo-version tool
+export OPENSTACK_BUCKET=cdn-constellation-backend
+export OPENSTACK_BASE_URL="https://cdn.confidential.cloud"
+export OPENSTACK_IMAGE_PATH=${PWD}/mkosi.output.qemu/fedora~37/image.raw
+export OPENSTACK_JSON_OUTPUT=${PWD}/mkosi.output.qemu/fedora~37/image-upload.json
+upload/upload_openstack.sh
+```
+
+</details>
+
 <details>
 <summary>QEMU</summary>
 

image/mkosi.files/mkosi.openstack.conf

@@ -0,0 +1,7 @@
+[Output]
+KernelCommandLine=constel.csp=openstack mem_encrypt=on kvm_amd.sev=1 module_blacklist=qemu_fw_cfg console=tty0 console=ttyS0
+OutputDirectory=mkosi.output.openstack
+
+[Content]
+Autologin=yes
+Environment=CONSOLE_MOTD=true

image/upload/upload_aws.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 shopt -s inherit_errexit
 
-if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
+if [[ -f ${CONFIG_FILE-} ]]; then
   # shellcheck source=/dev/null
   . "${CONFIG_FILE}"
 fi

image/upload/upload_azure.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 shopt -s inherit_errexit
 
-if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
+if [[ -f ${CONFIG_FILE-} ]]; then
   # shellcheck source=/dev/null
   . "${CONFIG_FILE}"
 fi

image/upload/upload_gcp.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 shopt -s inherit_errexit
 
-if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
+if [[ -f ${CONFIG_FILE-} ]]; then
   # shellcheck source=/dev/null
   . "${CONFIG_FILE}"
 fi

image/upload/upload_openstack.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Copyright (c) Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+set -euo pipefail
+shopt -s inherit_errexit
+
+if [[ -f ${CONFIG_FILE-} ]]; then
+  # shellcheck source=/dev/null
+  . "${CONFIG_FILE}"
+fi
+
+path="constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image/csp/openstack/image.raw"
+aws s3 cp "${OPENSTACK_IMAGE_PATH}" "s3://${OPENSTACK_BUCKET}/${path}" --no-progress
+
+image_url="${OPENSTACK_BASE_URL}/${path}"
+
+json=$(jq -ncS \
+  --arg image_url "${image_url}" \
+  '{"openstack": {"sev": $image_url}}')
+echo -n "${json}" > "${OPENSTACK_JSON_OUTPUT}"

image/upload/upload_qemu.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 shopt -s inherit_errexit
 
-if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
+if [[ -f ${CONFIG_FILE-} ]]; then
   # shellcheck source=/dev/null
   . "${CONFIG_FILE}"
 fi