config: add separate option for handling attestation parameters (#1623)

* Add attestation options to config * Add join-config migration path for clusters with old measurement format * Always create MAA provider for Azure SNP clusters * Remove confidential VM option from provider in favor of attestation options * cli: add config migrate command to handle config migration (#1678) --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-05-05 07:45:27 -04:00 · 2023-05-03 11:11:53 +02:00 · 2023-05-03 11:11:53 +02:00 · d7a2ddd939
commit d7a2ddd939
parent 6027b066e5
74 changed files with 1339 additions and 1282 deletions
--- a/cli/internal/kubernetes/upgrade_test.go
+++ b/cli/internal/kubernetes/upgrade_test.go
@ -252,65 +252,83 @@ func TestUpgradeNodeVersion(t *testing.T) {
 func TestUpdateMeasurements(t *testing.T) {
 	someErr := errors.New("error")
 	testCases := map[string]struct {
-		updater         *stubStableClient
-		newMeasurements measurements.M
-		wantUpdate      bool
-		wantErr         bool
+		updater    *stubStableClient
+		newConfig  config.AttestationCfg
+		wantUpdate bool
+		wantErr    bool
 	}{
 		"success": {
 			updater: &stubStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
-					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
+					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}}`),
 				},
 			},
-			newMeasurements: measurements.M{
-				0: measurements.WithAllBytes(0xBB, measurements.Enforce),
+			newConfig: &config.GCPSEVES{
+				Measurements: measurements.M{
+					0: measurements.WithAllBytes(0xBB, measurements.Enforce),
+				},
 			},
 			wantUpdate: true,
 		},
 		"measurements are the same": {
 			updater: &stubStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
-					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
+					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}}`),
 				},
 			},
-			newMeasurements: measurements.M{
-				0: measurements.WithAllBytes(0xAA, measurements.Enforce),
+			newConfig: &config.GCPSEVES{
+				Measurements: measurements.M{
+					0: measurements.WithAllBytes(0xAA, measurements.Enforce),
+				},
 			},
 		},
 		"setting warnOnly to true is allowed": {
 			updater: &stubStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
-					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
+					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}}`),
 				},
 			},
-			newMeasurements: measurements.M{
-				0: measurements.WithAllBytes(0xAA, measurements.WarnOnly),
+			newConfig: &config.GCPSEVES{
+				Measurements: measurements.M{
+					0: measurements.WithAllBytes(0xAA, measurements.WarnOnly),
+				},
 			},
 			wantUpdate: true,
 		},
 		"setting warnOnly to false is allowed": {
 			updater: &stubStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
-					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":true}}`),
+					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":true}}}`),
 				},
 			},
-			newMeasurements: measurements.M{
-				0: measurements.WithAllBytes(0xAA, measurements.Enforce),
+			newConfig: &config.GCPSEVES{
+				Measurements: measurements.M{
+					0: measurements.WithAllBytes(0xAA, measurements.Enforce),
+				},
 			},
 			wantUpdate: true,
 		},
 		"getCurrent error": {
 			updater: &stubStableClient{getErr: someErr},
+			newConfig: &config.GCPSEVES{
+				Measurements: measurements.M{
+					0: measurements.WithAllBytes(0xBB, measurements.Enforce),
+				},
+			},
 			wantErr: true,
 		},
 		"update error": {
 			updater: &stubStableClient{
 				configMaps: map[string]*corev1.ConfigMap{
-					constants.JoinConfigMap: newJoinConfigMap(`{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`),
+					constants.JoinConfigMap: newJoinConfigMap(`{"measurements":{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}}`),
 				},
 				updateErr: someErr,
 			},
+			newConfig: &config.GCPSEVES{
+				Measurements: measurements.M{
+					0: measurements.WithAllBytes(0xBB, measurements.Enforce),
+				},
+			},
 			wantErr: true,
 		},
 	}
@ -325,7 +343,7 @@ func TestUpdateMeasurements(t *testing.T) {
 				log:             logger.NewTest(t),
 			}

-			err := upgrader.UpdateMeasurements(context.Background(), tc.newMeasurements)
+			err := upgrader.UpdateAttestationConfig(context.Background(), tc.newConfig)
 			if tc.wantErr {
 				assert.Error(err)
 				return
@ -333,9 +351,9 @@ func TestUpdateMeasurements(t *testing.T) {

 			assert.NoError(err)
 			if tc.wantUpdate {
-				newMeasurementsJSON, err := json.Marshal(tc.newMeasurements)
+				newConfigJSON, err := json.Marshal(tc.newConfig)
 				require.NoError(t, err)
-				assert.JSONEq(string(newMeasurementsJSON), tc.updater.updatedConfigMaps[constants.JoinConfigMap].Data[constants.MeasurementsFilename])
+				assert.JSONEq(string(newConfigJSON), tc.updater.updatedConfigMaps[constants.JoinConfigMap].Data[constants.AttestationConfigFilename])
 			} else {
 				assert.Nil(tc.updater.updatedConfigMaps)
 			}
@ -468,7 +486,7 @@ func newJoinConfigMap(data string) *corev1.ConfigMap {
 			Name: constants.JoinConfigMap,
 		},
 		Data: map[string]string{
-			constants.MeasurementsFilename: data,
+			constants.AttestationConfigFilename: data,
 		},
 	}
 }