diff --git a/cli/internal/cloudcmd/BUILD.bazel b/cli/internal/cloudcmd/BUILD.bazel index b497566af..5708506c9 100644 --- a/cli/internal/cloudcmd/BUILD.bazel +++ b/cli/internal/cloudcmd/BUILD.bazel @@ -38,6 +38,9 @@ go_library( "//internal/versions/components", "//internal/versionsapi", "//operators/constellation-node-operator/api/v1alpha1", + "@com_github_azure_azure_sdk_for_go//profiles/latest/attestation/attestation", + "@com_github_azure_azure_sdk_for_go_sdk_azcore//policy", + "@com_github_azure_azure_sdk_for_go_sdk_azidentity//:azidentity", "@com_github_hashicorp_terraform_json//:terraform-json", "@com_github_spf13_cobra//:cobra", "@io_k8s_api//core/v1:core", diff --git a/cli/internal/cloudcmd/clients_test.go b/cli/internal/cloudcmd/clients_test.go index 814e4e447..d91ca03e4 100644 --- a/cli/internal/cloudcmd/clients_test.go +++ b/cli/internal/cloudcmd/clients_test.go @@ -31,6 +31,7 @@ type stubTerraformClient struct { initSecret string iamOutput terraform.IAMOutput uid string + attestationURL string tfjsonState *tfjson.State cleanUpWorkspaceCalled bool removeInstallerCalled bool @@ -46,9 +47,10 @@ type stubTerraformClient struct { func (c *stubTerraformClient) CreateCluster(ctx context.Context) (terraform.CreateOutput, error) { return terraform.CreateOutput{ - IP: c.ip, - Secret: c.initSecret, - UID: c.uid, + IP: c.ip, + Secret: c.initSecret, + UID: c.uid, + AttestationURL: c.attestationURL, }, c.createClusterErr } diff --git a/cli/internal/cloudcmd/create.go b/cli/internal/cloudcmd/create.go index a722edeff..6a427dc14 100644 --- a/cli/internal/cloudcmd/create.go +++ b/cli/internal/cloudcmd/create.go @@ -8,9 +8,11 @@ package cloudcmd import ( "context" + "encoding/base64" "errors" "fmt" "io" + "net/http" "net/url" "os" "path" @@ -18,6 +20,9 @@ import ( "runtime" "strings" + "github.com/Azure/azure-sdk-for-go/profiles/latest/attestation/attestation" + azpolicy "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/edgelesssys/constellation/v2/cli/internal/clusterid" "github.com/edgelesssys/constellation/v2/cli/internal/image" "github.com/edgelesssys/constellation/v2/cli/internal/libvirt" @@ -34,6 +39,7 @@ type Creator struct { newTerraformClient func(ctx context.Context) (terraformClient, error) newLibvirtRunner func() libvirtRunner newRawDownloader func() rawDownloader + policyPatcher PolicyPatcher } // NewCreator creates a new creator. @@ -50,6 +56,7 @@ func NewCreator(out io.Writer) *Creator { newRawDownloader: func() rawDownloader { return image.NewDownloader() }, + policyPatcher: policyPatcher{}, } } @@ -182,8 +189,7 @@ func (c *Creator) createGCP(ctx context.Context, cl terraformClient, config *con }, nil } -func (c *Creator) createAzure(ctx context.Context, cl terraformClient, config *config.Config, - insType string, controlPlaneCount, workerCount int, image string, +func (c *Creator) createAzure(ctx context.Context, cl terraformClient, config *config.Config, insType string, controlPlaneCount, workerCount int, image string, ) (idFile clusterid.File, retErr error) { vars := terraform.AzureClusterVariables{ CommonVariables: terraform.CommonVariables{ @@ -200,6 +206,7 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, config *c ImageID: image, ConfidentialVM: *config.Provider.Azure.ConfidentialVM, SecureBoot: *config.Provider.Azure.SecureBoot, + CreateMAA: *config.Provider.Azure.EnforceIDKeyDigest, Debug: config.IsDebugCluster(), } @@ -215,14 +222,98 @@ func (c *Creator) createAzure(ctx context.Context, cl terraformClient, config *c return clusterid.File{}, err } + if vars.CreateMAA { + // Patch the attestation policy to allow the cluster to boot while having secure boot disabled. + if err := c.policyPatcher.Patch(ctx, tfOutput.AttestationURL); err != nil { + return clusterid.File{}, err + } + } + return clusterid.File{ - CloudProvider: cloudprovider.Azure, - IP: tfOutput.IP, - InitSecret: []byte(tfOutput.Secret), - UID: tfOutput.UID, + CloudProvider: cloudprovider.Azure, + IP: tfOutput.IP, + InitSecret: []byte(tfOutput.Secret), + UID: tfOutput.UID, + AttestationURL: tfOutput.AttestationURL, }, nil } +// PolicyPatcher interacts with Azure to update the attestation policy. +type PolicyPatcher interface { + Patch(ctx context.Context, attestationURL string) error +} + +type policyPatcher struct{} + +// Patch updates the attestation policy to the base64-encoded attestation policy JWT for the given attestation URL. +// https://learn.microsoft.com/en-us/azure/attestation/author-sign-policy#next-steps +func (p policyPatcher) Patch(ctx context.Context, attestationURL string) error { + // hacky way to update the MAA attestation policy. This should be changed as soon as either the Terraform provider supports it + // or the Go SDK gets updated to a recent API version. + // https://github.com/hashicorp/terraform-provider-azurerm/issues/20804 + cred, err := azidentity.NewDefaultAzureCredential(nil) + if err != nil { + return fmt.Errorf("retrieving default Azure credentials: %w", err) + } + token, err := cred.GetToken(ctx, azpolicy.TokenRequestOptions{ + Scopes: []string{"https://attest.azure.net/.default"}, + }) + if err != nil { + return fmt.Errorf("retrieving token from default Azure credentials: %w", err) + } + + client := attestation.NewPolicyClient() + + // azureGuest is the id for the "Azure VM" attestation type. Other types are documented here: + // https://learn.microsoft.com/en-us/rest/api/attestation/policy/set + req, err := client.SetPreparer(ctx, attestationURL, "azureGuest", p.encodeAttestationPolicy()) + req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token.Token)) + if err != nil { + return fmt.Errorf("preparing request: %w", err) + } + + resp, err := client.Send(req) + if err != nil { + return fmt.Errorf("sending request: %w", err) + } + resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return fmt.Errorf("updating attestation policy: unexpected status code: %s", resp.Status) + } + + return nil +} + +// encodeAttestationPolicy encodes the base64-encoded attestation policy in the JWS format specified here: +// https://learn.microsoft.com/en-us/azure/attestation/author-sign-policy#creating-the-policy-file-in-json-web-signature-format +func (p policyPatcher) encodeAttestationPolicy() string { + const policy = ` + version= 1.0; + authorizationrules + { + [type=="x-ms-azurevm-default-securebootkeysvalidated", value==false] => deny(); + [type=="x-ms-azurevm-debuggersdisabled", value==false] => deny(); + // The line below was edited by the Constellation CLI. Do not edit manually. + //[type=="secureboot", value==false] => deny(); + [type=="x-ms-azurevm-signingdisabled", value==false] => deny(); + [type=="x-ms-azurevm-dbvalidated", value==false] => deny(); + [type=="x-ms-azurevm-dbxvalidated", value==false] => deny(); + => permit(); + }; + issuancerules + { + };` + encodedPolicy := base64.RawURLEncoding.EncodeToString([]byte(policy)) + const header = `{"alg":"none"}` + payload := fmt.Sprintf(`{"AttestationPolicy":"%s"}`, encodedPolicy) + + encodedHeader := base64.RawURLEncoding.EncodeToString([]byte(header)) + encodedPayload := base64.RawURLEncoding.EncodeToString([]byte(payload)) + + return fmt.Sprintf("%s.%s.", encodedHeader, encodedPayload) +} + // The azurerm Terraform provider enforces its own convention of case sensitivity for Azure URIs which Azure's API itself does not enforce or, even worse, actually returns. // Let's go loco with case insensitive Regexp here and fix the user input here to be compliant with this arbitrary design decision. var ( diff --git a/cli/internal/cloudcmd/create_test.go b/cli/internal/cloudcmd/create_test.go index 9e2e18bde..bbe40c16f 100644 --- a/cli/internal/cloudcmd/create_test.go +++ b/cli/internal/cloudcmd/create_test.go @@ -30,6 +30,7 @@ func TestCreator(t *testing.T) { libvirt *stubLibvirtRunner provider cloudprovider.Provider config *config.Config + policyPatcher *stubPolicyPatcher wantErr bool wantRollback bool // Use only together with stubClients. wantTerraformRollback bool // When libvirt fails, don't call into Terraform. @@ -53,6 +54,35 @@ func TestCreator(t *testing.T) { wantRollback: true, wantTerraformRollback: true, }, + "azure": { + tfClient: &stubTerraformClient{ip: ip}, + provider: cloudprovider.Azure, + config: config.Default(), + policyPatcher: &stubPolicyPatcher{}, + }, + "azure new policy patch error": { + tfClient: &stubTerraformClient{ip: ip}, + provider: cloudprovider.Azure, + config: config.Default(), + policyPatcher: &stubPolicyPatcher{someErr}, + wantErr: true, + }, + "azure newTerraformClient error": { + newTfClientErr: someErr, + provider: cloudprovider.Azure, + config: config.Default(), + policyPatcher: &stubPolicyPatcher{}, + wantErr: true, + }, + "azure create cluster error": { + tfClient: &stubTerraformClient{createClusterErr: someErr}, + provider: cloudprovider.Azure, + config: config.Default(), + policyPatcher: &stubPolicyPatcher{}, + wantErr: true, + wantRollback: true, + wantTerraformRollback: true, + }, "qemu": { tfClient: &stubTerraformClient{ip: ip}, libvirt: &stubLibvirtRunner{}, @@ -112,6 +142,7 @@ func TestCreator(t *testing.T) { destination: "some-destination", } }, + policyPatcher: tc.policyPatcher, } idFile, err := creator.Create(context.Background(), tc.provider, tc.config, "type", 2, 3) @@ -137,6 +168,14 @@ func TestCreator(t *testing.T) { } } +type stubPolicyPatcher struct { + patchErr error +} + +func (s stubPolicyPatcher) Patch(ctx context.Context, attestationURL string) error { + return s.patchErr +} + func TestNormalizeAzureURIs(t *testing.T) { testCases := map[string]struct { in terraform.AzureClusterVariables diff --git a/cli/internal/clusterid/id.go b/cli/internal/clusterid/id.go index 577f672e6..807844105 100644 --- a/cli/internal/clusterid/id.go +++ b/cli/internal/clusterid/id.go @@ -24,4 +24,7 @@ type File struct { IP string `json:"ip,omitempty"` // InitSecret is the secret the first Bootstrapper uses to verify the user. InitSecret []byte `json:"initsecret,omitempty"` + // AttestationURL is the URL of the attestation service. + // It is only set if the cluster is created on Azure. + AttestationURL string `json:"attestationURL,omitempty"` } diff --git a/cli/internal/terraform/terraform.go b/cli/internal/terraform/terraform.go index c3779e2f5..415a5e58e 100644 --- a/cli/internal/terraform/terraform.go +++ b/cli/internal/terraform/terraform.go @@ -128,10 +128,18 @@ func (c *Client) CreateCluster(ctx context.Context) (CreateOutput, error) { return CreateOutput{}, errors.New("invalid type in uid output: not a string") } + var attestationURL string + if attestationURLOutput, ok := tfState.Values.Outputs["attestationURL"]; ok { + if attestationURLString, ok := attestationURLOutput.Value.(string); ok { + attestationURL = attestationURLString + } + } + return CreateOutput{ - IP: ip, - Secret: secret, - UID: uid, + IP: ip, + Secret: secret, + UID: uid, + AttestationURL: attestationURL, }, nil } @@ -140,6 +148,9 @@ type CreateOutput struct { IP string Secret string UID string + // AttestationURL is the URL of the attestation provider. + // It is only set if the cluster is created on Azure. + AttestationURL string } // IAMOutput contains the output information of the Terraform IAM operations. diff --git a/cli/internal/terraform/terraform/azure/main.tf b/cli/internal/terraform/terraform/azure/main.tf index ea9ccdc47..89c108c8a 100644 --- a/cli/internal/terraform/terraform/azure/main.tf +++ b/cli/internal/terraform/terraform/azure/main.tf @@ -41,6 +41,13 @@ resource "random_password" "initSecret" { override_special = "_%@" } +resource "azurerm_attestation_provider" "attestation_provider" { + count = var.create_maa ? 1 : 0 + name = format("%sap", var.name) + resource_group_name = var.resource_group + location = var.location +} + resource "azurerm_application_insights" "insights" { name = local.name location = var.location @@ -192,16 +199,21 @@ resource "azurerm_network_security_group" "security_group" { module "scale_set_control_plane" { source = "./modules/scale_set" - name = "${local.name}-control-plane" - instance_count = var.control_plane_count - state_disk_size = var.state_disk_size - state_disk_type = var.state_disk_type - resource_group = var.resource_group - location = var.location - instance_type = var.instance_type - confidential_vm = var.confidential_vm - secure_boot = var.secure_boot - tags = merge(local.tags, { constellation-role = "control-plane" }, { constellation-init-secret-hash = local.initSecretHash }) + name = "${local.name}-control-plane" + instance_count = var.control_plane_count + state_disk_size = var.state_disk_size + state_disk_type = var.state_disk_type + resource_group = var.resource_group + location = var.location + instance_type = var.instance_type + confidential_vm = var.confidential_vm + secure_boot = var.secure_boot + tags = merge( + local.tags, + { constellation-role = "control-plane" }, + { constellation-init-secret-hash = local.initSecretHash }, + { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" }, + ) image_id = var.image_id user_assigned_identity = var.user_assigned_identity network_security_group_id = azurerm_network_security_group.security_group.id @@ -215,16 +227,21 @@ module "scale_set_control_plane" { module "scale_set_worker" { source = "./modules/scale_set" - name = "${local.name}-worker" - instance_count = var.worker_count - state_disk_size = var.state_disk_size - state_disk_type = var.state_disk_type - resource_group = var.resource_group - location = var.location - instance_type = var.instance_type - confidential_vm = var.confidential_vm - secure_boot = var.secure_boot - tags = merge(local.tags, { constellation-role = "worker" }, { constellation-init-secret-hash = local.initSecretHash }) + name = "${local.name}-worker" + instance_count = var.worker_count + state_disk_size = var.state_disk_size + state_disk_type = var.state_disk_type + resource_group = var.resource_group + location = var.location + instance_type = var.instance_type + confidential_vm = var.confidential_vm + secure_boot = var.secure_boot + tags = merge( + local.tags, + { constellation-role = "worker" }, + { constellation-init-secret-hash = local.initSecretHash }, + { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" }, + ) image_id = var.image_id user_assigned_identity = var.user_assigned_identity network_security_group_id = azurerm_network_security_group.security_group.id diff --git a/cli/internal/terraform/terraform/azure/outputs.tf b/cli/internal/terraform/terraform/azure/outputs.tf index 80172a6b8..85c985dc4 100644 --- a/cli/internal/terraform/terraform/azure/outputs.tf +++ b/cli/internal/terraform/terraform/azure/outputs.tf @@ -10,3 +10,7 @@ output "initSecret" { value = random_password.initSecret.result sensitive = true } + +output "attestationURL" { + value = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" +} diff --git a/cli/internal/terraform/terraform/azure/variables.tf b/cli/internal/terraform/terraform/azure/variables.tf index 59c062047..0d87ba765 100644 --- a/cli/internal/terraform/terraform/azure/variables.tf +++ b/cli/internal/terraform/terraform/azure/variables.tf @@ -63,6 +63,12 @@ variable "secure_boot" { description = "Whether to deploy the cluster nodes with secure boot." } +variable "create_maa" { + type = bool + default = false + description = "Whether to create a Microsoft Azure attestation provider." +} + variable "debug" { type = bool default = false diff --git a/cli/internal/terraform/terraform_test.go b/cli/internal/terraform/terraform_test.go index f6ab7580c..43f443359 100644 --- a/cli/internal/terraform/terraform_test.go +++ b/cli/internal/terraform/terraform_test.go @@ -203,7 +203,7 @@ func TestPrepareIAM(t *testing.T) { func TestCreateCluster(t *testing.T) { someErr := errors.New("failed") - newTestState := func() *tfjson.State { + newQEMUState := func() *tfjson.State { workingState := tfjson.State{ Values: &tfjson.StateValues{ Outputs: map[string]*tfjson.StateOutput{ @@ -221,6 +221,27 @@ func TestCreateCluster(t *testing.T) { } return &workingState } + newAzureState := func() *tfjson.State { + workingState := tfjson.State{ + Values: &tfjson.StateValues{ + Outputs: map[string]*tfjson.StateOutput{ + "ip": { + Value: "192.0.2.100", + }, + "initSecret": { + Value: "initSecret", + }, + "uid": { + Value: "12345abc", + }, + "attestationURL": { + Value: "https://12345.neu.attest.azure.net", + }, + }, + }, + } + return &workingState + } qemuVars := &QEMUVariables{ CommonVariables: CommonVariables{ Name: "name", @@ -241,13 +262,17 @@ func TestCreateCluster(t *testing.T) { vars Variables tf *stubTerraform fs afero.Fs - wantErr bool + // expectedAttestationURL is the expected attestation URL to be returned by + // the Terraform client. It is declared in the test case because it is + // provider-specific. + expectedAttestationURL string + wantErr bool }{ "works": { pathBase: "terraform", provider: cloudprovider.QEMU, vars: qemuVars, - tf: &stubTerraform{showState: newTestState()}, + tf: &stubTerraform{showState: newQEMUState()}, fs: afero.NewMemMapFs(), }, "init fails": { @@ -330,6 +355,42 @@ func TestCreateCluster(t *testing.T) { fs: afero.NewMemMapFs(), wantErr: true, }, + "working attestation url": { + pathBase: "terraform", + provider: cloudprovider.Azure, + vars: qemuVars, // works for mocking azure vars + tf: &stubTerraform{showState: newAzureState()}, + fs: afero.NewMemMapFs(), + expectedAttestationURL: "https://12345.neu.attest.azure.net", + }, + "no attestation url": { + pathBase: "terraform", + provider: cloudprovider.Azure, + vars: qemuVars, // works for mocking azure vars + tf: &stubTerraform{ + showState: &tfjson.State{ + Values: &tfjson.StateValues{ + Outputs: map[string]*tfjson.StateOutput{}, + }, + }, + }, + fs: afero.NewMemMapFs(), + wantErr: true, + }, + "attestation url has wrong type": { + pathBase: "terraform", + provider: cloudprovider.Azure, + vars: qemuVars, // works for mocking azure vars + tf: &stubTerraform{ + showState: &tfjson.State{ + Values: &tfjson.StateValues{ + Outputs: map[string]*tfjson.StateOutput{"attestationURL": {Value: 42}}, + }, + }, + }, + fs: afero.NewMemMapFs(), + wantErr: true, + }, } for name, tc := range testCases { @@ -355,6 +416,7 @@ func TestCreateCluster(t *testing.T) { assert.Equal("192.0.2.100", tfOutput.IP) assert.Equal("initSecret", tfOutput.Secret) assert.Equal("12345abc", tfOutput.UID) + assert.Equal(tc.expectedAttestationURL, tfOutput.AttestationURL) }) } } diff --git a/cli/internal/terraform/variables.go b/cli/internal/terraform/variables.go index c56be7bba..1533444f6 100644 --- a/cli/internal/terraform/variables.go +++ b/cli/internal/terraform/variables.go @@ -175,6 +175,8 @@ type AzureClusterVariables struct { ConfidentialVM bool // SecureBoot sets the VM to use secure boot. SecureBoot bool + // CreateMAA sets whether a Microsoft Azure attestation provider should be created. + CreateMAA bool // Debug is true if debug mode is enabled. Debug bool } @@ -191,6 +193,7 @@ func (v *AzureClusterVariables) String() string { writeLinef(b, "image_id = %q", v.ImageID) writeLinef(b, "confidential_vm = %t", v.ConfidentialVM) writeLinef(b, "secure_boot = %t", v.SecureBoot) + writeLinef(b, "create_maa = %t", v.CreateMAA) writeLinef(b, "debug = %t", v.Debug) return b.String() diff --git a/go.mod b/go.mod index 8028018f3..1426b601e 100644 --- a/go.mod +++ b/go.mod @@ -43,6 +43,7 @@ require ( cloud.google.com/go/logging v1.6.1 cloud.google.com/go/secretmanager v1.10.0 cloud.google.com/go/storage v1.28.1 + github.com/Azure/azure-sdk-for-go v68.0.0+incompatible github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.1 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.11.0 @@ -125,7 +126,6 @@ require ( cloud.google.com/go/iam v0.8.0 // indirect cloud.google.com/go/longrunning v0.3.0 // indirect code.cloudfoundry.org/clock v0.0.0-20180518195852-02e53af36e6c // indirect - github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 // indirect diff --git a/hack/go.mod b/hack/go.mod index bd9e12c9d..7e08f7254 100644 --- a/hack/go.mod +++ b/hack/go.mod @@ -50,7 +50,19 @@ require ( require ( cloud.google.com/go/compute v1.18.0 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect + github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect + github.com/Azure/go-autorest v14.2.0+incompatible // indirect + github.com/Azure/go-autorest/autorest v0.11.28 // indirect + github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect + github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect + github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect + github.com/Azure/go-autorest/logger v0.2.1 // indirect + github.com/Azure/go-autorest/tracing v0.6.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 // indirect github.com/BurntSushi/toml v1.2.1 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect @@ -128,6 +140,7 @@ require ( github.com/go-playground/validator/v10 v10.11.2 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang-jwt/jwt/v4 v4.4.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.2 // indirect github.com/google/btree v1.1.2 // indirect @@ -170,6 +183,7 @@ require ( github.com/json-iterator/go v1.1.12 // indirect github.com/kevinburke/ssh_config v1.2.0 // indirect github.com/klauspost/compress v1.15.12 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/leodido/go-urn v1.2.2 // indirect @@ -201,6 +215,7 @@ require ( github.com/pborman/uuid v1.2.1 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pjbgf/sha1cd v0.2.3 // indirect + github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_golang v1.14.0 // indirect diff --git a/hack/go.sum b/hack/go.sum index 5b388197f..1cb049e10 100644 --- a/hack/go.sum +++ b/hack/go.sum @@ -77,11 +77,39 @@ github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuE github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= +github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.1 h1:gVXuXcWd1i4C2Ruxe321aU+IKGaStvGB/S90PUPB/W8= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.1/go.mod h1:DffdKW9RFqa5VgmsjUOsS7UE7eiA5iAvYUs63bhKQ0M= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1 h1:T8quHYlUGyb/oqtSTwqlCr1ilJHrDv+ZtpSfo+hm1BU= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1/go.mod h1:gLa1CL2RNE4s7M3yopJ/p0iq5DdY6Yv5ZUt9MTRZOQM= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2 h1:+5VZ72z0Qan5Bog5C+ZkgSqUbeVUd9wgtHOrIKuc5b8= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= github.com/Azure/azure-service-bus-go v0.9.1/go.mod h1:yzBx6/BUGfjfeqbRZny9AQIbIe3AcV9WZbAdpkoXOa0= github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v12.0.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.11.28 h1:ndAExarwr5Y+GaHE6VCaY1kyS/HwwGGyuimVhWsHOEM= +github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA= +github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest/adal v0.9.21 h1:jjQnVFXPfekaqb8vIsv2G1lxshoW+oGv4MDlhRtnYZk= +github.com/Azure/go-autorest/autorest/adal v0.9.21/go.mod h1:zua7mBUaCc5YnSLKYgGJR/w5ePdMDA6H56upLsHzA9U= +github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= +github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= +github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= +github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= +github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 h1:oPdPEZFSbl7oSPEAIPMPBMUmiL+mqgzBJwM/9qYcwNg= +github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1/go.mod h1:4qFor3D/HDsvBME35Xy9rwW9DecL+M2sNw1ybjPtwA0= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= @@ -309,6 +337,7 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/docker/cli v20.10.21+incompatible h1:qVkgyYUnOLQ98LtXBrwd/duVqPT2X4SHndOuGsfwyhU= github.com/docker/cli v20.10.21+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= @@ -520,6 +549,10 @@ github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= +github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -847,6 +880,7 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= @@ -1040,6 +1074,8 @@ github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pjbgf/sha1cd v0.2.3 h1:uKQP/7QOzNtKYH7UTohZLcjF5/55EnTw0jO/Ru4jZwI= github.com/pjbgf/sha1cd v0.2.3/go.mod h1:HOK9QrgzdHpbc2Kzip0Q1yi3M2MFGPADtR6HjG65m5M= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -1652,6 +1688,7 @@ golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/internal/constants/constants.go b/internal/constants/constants.go index 34aec3bce..e439cd8fe 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go @@ -116,17 +116,14 @@ const ( IDKeyDigestFilename = "idkeydigests" // EnforceIDKeyDigestFilename is the name of the file configuring whether idkeydigest is enforced or not. EnforceIDKeyDigestFilename = "enforceIdKeyDigest" - // K8sVersionFieldName is the name of the of the key holding the wanted Kubernetes version. K8sVersionFieldName = "cluster-version" // ComponentsListKey is the name of the key holding the list of components in the components configMap. ComponentsListKey = "components" // NodeVersionResourceName resource name used for NodeVersion in constellation-operator and CLI. NodeVersionResourceName = "constellation-version" - // NodeKubernetesComponentsAnnotationKey is the name of the annotation holding the reference to the ConfigMap listing all K8s components. NodeKubernetesComponentsAnnotationKey = "constellation.edgeless.systems/kubernetes-components" - // JoiningNodesConfigMapName is the name of the configMap holding the joining nodes with the components hashes the node-operator should annotate the nodes with. JoiningNodesConfigMapName = "joining-nodes"