support to declaratively set attestation policy

This commit is contained in:
Moritz Sanft 2023-06-21 11:45:13 +02:00
parent b25228d175
commit dbc495f164
15 changed files with 82 additions and 188 deletions


@ -35,7 +35,6 @@ type Creator struct {
newTerraformClient func(ctx context.Context) (terraformClient, error)
newLibvirtRunner func() libvirtRunner
newRawDownloader func() rawDownloader
policyPatcher policyPatcher
}
// NewCreator creates a new creator.
@ -52,7 +51,6 @@ func NewCreator(out io.Writer) *Creator {
newRawDownloader: func() rawDownloader {
return imagefetcher.NewDownloader()
},
policyPatcher: NewAzurePolicyPatcher(),
}
}
@ -226,6 +224,7 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, opts Crea
ImageID: opts.image,
SecureBoot: *opts.Config.Provider.Azure.SecureBoot,
CreateMAA: opts.Config.GetAttestationConfig().GetVariant().Equal(variant.AzureSEVSNP{}),
MAAPolicy: NewAzureMaaAttestationPolicy().Encode(),
Debug: opts.Config.IsDebugCluster(),
}
@ -243,13 +242,6 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, opts Crea
return clusterid.File{}, err
}
if vars.CreateMAA {
// Patch the attestation policy to allow the cluster to boot while having secure boot disabled.
if err := c.policyPatcher.Patch(ctx, tfOutput.AttestationURL); err != nil {
return clusterid.File{}, err
}
}
return clusterid.File{
CloudProvider: cloudprovider.Azure,
IP: tfOutput.IP,
@ -259,11 +251,6 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, opts Crea
}, nil
}
// policyPatcher interacts with the CSP (currently only applies for Azure) to update the attestation policy.
type policyPatcher interface {
Patch(ctx context.Context, attestationURL string) error
}
// The azurerm Terraform provider enforces its own convention of case sensitivity for Azure URIs which Azure's API itself does not enforce or, even worse, actually returns.
// Let's go loco with case insensitive Regexp here and fix the user input here to be compliant with this arbitrary design decision.
var (