cli: support for GCP marketplace images (#2792)

* cli: support GCP marketplace images * ci: support GCP marketplace images * docs: support GCP marketplace images * bazel: generate * ci: allow GCP for mpi e2e test * Update docs/docs/overview/license.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * terraform-provider: allow GCP MPIs * terraform-provider: fix error message --------- Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2025-11-12 08:36:36 -05:00 · 2024-01-08 15:51:39 +01:00 · 2024-01-08 15:51:39 +01:00 · e691e26bd3
commit e691e26bd3
parent d3b951300d
9 changed files with 77 additions and 21 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -183,6 +183,9 @@ type GCPConfig struct {
 	// description: |
 	//   Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
 	DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
+	// description: |
+	//   Use the specified GCP Marketplace image offering.
+	UseMarketplaceImage *bool `yaml:"useMarketplaceImage" validate:"omitempty"`
 }

 // OpenStackConfig holds config information for OpenStack based Constellation deployments.
@ -349,6 +352,7 @@ func Default() *Config {
 				Zone:                  "",
 				ServiceAccountKeyPath: "",
 				DeployCSIDriver:       toPtr(true),
+				UseMarketplaceImage:   toPtr(false),
 			},
 			OpenStack: &OpenStackConfig{
 				DirectDownload:          toPtr(true),
@ -699,7 +703,8 @@ func (c *Config) DeployYawolLoadBalancer() bool {

 // UseMarketplaceImage returns whether a marketplace image should be used.
 func (c *Config) UseMarketplaceImage() bool {
-	return c.Provider.Azure != nil && c.Provider.Azure.UseMarketplaceImage != nil && *c.Provider.Azure.UseMarketplaceImage
+	return (c.Provider.Azure != nil && c.Provider.Azure.UseMarketplaceImage != nil && *c.Provider.Azure.UseMarketplaceImage) ||
+		(c.Provider.GCP != nil && c.Provider.GCP.UseMarketplaceImage != nil && *c.Provider.GCP.UseMarketplaceImage)
 }

 // Validate checks the config values and returns validation errors.
--- a/internal/config/config_doc.go
+++ b/internal/config/config_doc.go
@ -229,7 +229,7 @@ func init() {
 			FieldName: "gcp",
 		},
 	}
-	GCPConfigDoc.Fields = make([]encoder.Doc, 5)
+	GCPConfigDoc.Fields = make([]encoder.Doc, 6)
 	GCPConfigDoc.Fields[0].Name = "project"
 	GCPConfigDoc.Fields[0].Type = "string"
 	GCPConfigDoc.Fields[0].Note = ""
@ -255,6 +255,11 @@ func init() {
 	GCPConfigDoc.Fields[4].Note = ""
 	GCPConfigDoc.Fields[4].Description = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
 	GCPConfigDoc.Fields[4].Comments[encoder.LineComment] = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
+	GCPConfigDoc.Fields[5].Name = "useMarketplaceImage"
+	GCPConfigDoc.Fields[5].Type = "bool"
+	GCPConfigDoc.Fields[5].Note = ""
+	GCPConfigDoc.Fields[5].Description = "Use the specified GCP Marketplace image offering."
+	GCPConfigDoc.Fields[5].Comments[encoder.LineComment] = "Use the specified GCP Marketplace image offering."

 	OpenStackConfigDoc.Type = "OpenStackConfig"
 	OpenStackConfigDoc.Comments[encoder.LineComment] = "OpenStackConfig holds config information for OpenStack based Constellation deployments."
--- a/internal/imagefetcher/imagefetcher.go
+++ b/internal/imagefetcher/imagefetcher.go
@ -18,6 +18,7 @@ import (
 	"fmt"
 	"io/fs"
 	"regexp"
+	"strings"

 	"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
 	"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
@ -52,10 +53,6 @@ func (f *Fetcher) FetchReference(ctx context.Context,
 		return "", fmt.Errorf("parsing config image short path: %w", err)
 	}

-	if useMarketplaceImage {
-		return buildMarketplaceImage(ver, provider)
-	}
-
 	imgInfoReq := versionsapi.ImageInfo{
 		Ref:     ver.Ref(),
 		Stream:  ver.Stream(),
@ -85,21 +82,54 @@ func (f *Fetcher) FetchReference(ctx context.Context,
 		return "", fmt.Errorf("validating image info file: %w", err)
 	}

+	if useMarketplaceImage {
+		return buildMarketplaceImage(marketplaceImagePayload{
+			ver:                ver,
+			provider:           provider,
+			attestationVariant: attestationVariant,
+			imgInfo:            imgInfo,
+			filters:            filters(provider, region),
+		})
+	}
+
 	return getReferenceFromImageInfo(provider, attestationVariant.String(), imgInfo, filters(provider, region)...)
 }

+// marketplaceImagePayload is a helper struct to pass around the required information to build a marketplace image URI.
+type marketplaceImagePayload struct {
+	ver                versionsapi.Version
+	provider           cloudprovider.Provider
+	attestationVariant variant.Variant
+	imgInfo            versionsapi.ImageInfo
+	filters            []filter
+}
+
 // buildMarketplaceImage returns a marketplace image URI for the given CSP and version.
-func buildMarketplaceImage(ver versionsapi.Version, provider cloudprovider.Provider) (string, error) {
-	sv, err := semver.New(ver.Version())
+func buildMarketplaceImage(payload marketplaceImagePayload) (string, error) {
+	sv, err := semver.New(payload.ver.Version())
 	if err != nil {
 		return "", fmt.Errorf("parsing image version: %w", err)
 	}

-	switch provider {
+	if sv.Prerelease() != "" {
+		return "", fmt.Errorf("marketplace images are not supported for prerelease versions")
+	}
+
+	switch payload.provider {
 	case cloudprovider.Azure:
+		// For Azure, multiple fields of information are required to use marketplace images,
+		// so we pack them in a custom URI.
 		return mpimage.NewAzureMarketplaceImage(sv).URI(), nil
+	case cloudprovider.GCP:
+		// For GCP, we just need to replace the GCP project name (constellation-images) to the public project that
+		// hosts the marketplace images (mpi-edgeless-systems-public).
+		imageRef, err := getReferenceFromImageInfo(payload.provider, payload.attestationVariant.String(), payload.imgInfo, payload.filters...)
+		if err != nil {
+			return "", fmt.Errorf("getting image reference: %w", err)
+		}
+		return strings.Replace(imageRef, "constellation-images", "mpi-edgeless-systems-public", 1), nil
 	default:
-		return "", fmt.Errorf("marketplace images are not supported for csp %s", provider.String())
+		return "", fmt.Errorf("marketplace images are not supported for csp %s", payload.provider.String())
 	}
 }