* [wip] use state file in CLI
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use state file in CLI
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
take clusterConfig from IDFile for compat
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
various fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
wip
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add GCP-specific values in Helm loader test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary pointer
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* write ClusterValues in one step
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* move stub to test file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove mention of id-file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* move output to `migrateTerraform`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* unconditional assignments converting from idFile
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* move require block in go modules file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fall back to id file on upgrade
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add notice to remove Terraform state check on manual migration
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add `name` field
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
fix name tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* return early if no Terraform diff
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* return infrastructure state even if no diff exists
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add TODO to remove comment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use state-file in miniconstellation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: remove id-file (#2402)
* remove id-file from `constellation create`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add file renaming to handler
* rename id-file after upgrade
* use idFile on `constellation init`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from `constellation verify`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from `constellation mini`
* remove id-file from `constellation recover`
* linter fixes
* remove id-file from `constellation terminate`
* fix initSecret type
* fix recover argument precedence
* fix terminate test
* generate
* add TODO to remove id-file removal
* Update cli/internal/cmd/init.go
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* fix verify arg parse logic
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add version test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from docs
* add file not found log
* use state-file in miniconstellation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from `constellation iam destroy`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from `cdbg deploy`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* use state-file in CI
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update orchestration docs
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
Encrypt each object with a random DEK and attach
the encrypted DEK as object metadata.
Encrpt the DEK with a key from the keyservice.
All objects use the same KEK until a keyrotation
takes place.
INSECURE!
The proxy intercepts GetObject and PutObject.
A manual deployment guide is included.
The decryption only relies on a hardcoded, static key.
Do not use with sensitive data; testing only.
* Ticket to track ranged GetObject: AB#3466.
* wip: switch to attestation
* add extra comments
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* MAA checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use provided functions to parse report / cert chain
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* replace `CommitedTCB` check with `LaunchTCB` check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove debug check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove `LaunchTCB` == `CommitedTCB` check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* custom IdKeyDigests check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* basic test of report parsing from instance info
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* retrieve VCEK from AMD KDS
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove VCEK from `azureInstanceInfo`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use `go-sev-guest` TCB version type
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validation parsing test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix error message
* fix comment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove certificate chain from `instanceInfo`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add test for idkeydigest check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip: update tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] debug prints
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip: fix tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip: fix tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix tests, do some clean-up
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add test case for fetching error
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* correct `hack` dependency
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix id key check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] comment out wip unit tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing newline
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* switch to released version of `go-sev-guest`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add constructor test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add VMPL check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add test assertions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* switch to pseudoversion
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use fork with windows fix
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use data from THIM
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update embeds
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* verify against ARK in config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* invalid ASK
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: 3u13r <lc@edgeless.systems>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: 3u13r <lc@edgeless.systems>
* nits
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* refactoring
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* use upstream library with pseudoversion
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* simplify control flow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix return error
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix VCEK test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* revert unintentional changes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use new upstream release
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix removed AuthorKeyEn field
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix verification report printing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* refactor `debugd` file structure
* create `hack`-tool to deploy logcollection to non-debug clusters
* integrate changes into CI
* update fields
* update workflow input names
* use `working-directory`
* add opensearch creds to upgrade workflow
* make template func generic
* make templating func generic
* linebreaks
* remove magic defaults
* move `os.Exit` to main package
* make logging index configurable
* make templating generic
* remove excess brace
* update fields
* copy fields
* fix flag name
* fix linter warnings
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* remove unused workflow inputs
* remove makefiles
* fix command
* bazel: fix output paths of container
This fixes the output paths of builds within the container by mounting
directories to paths that exist on the host. We also explicitly set the
output path in a .bazelrc to the user specific path. The rc file is
mounted into the container and overrides the host rc.
Also adding automatic stop in case start is called and a containers
is already running.
Sym links like bazel-out and paths bazel outputs should generally work
with this change.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* tabs -> spaces
---------
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This way it also works within the bazel container, where the symlinks
that are created won't work, as they are linking to host paths.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* deps: downgrade terraform-json to v0.15.0
terraform-exec requires a matching version of terraform json.
Since the latest released version of terraform-exec still uses terraform-json v0.15.0,
we need to stay on that version.
* cli: add "--skip-helm-wait" flag for "constellation init" to "constellation mini up"
* config: move AMD root key to global constant
* attestation: add SNP based attestation for aws
* Always enable SNP, regardless of attestation type.
* Make AWSNitroTPM default again
There exists a bug in AWS SNP implementation where sometimes
a host might not be able to produce valid SNP reports.
Since we have to wait for AWS to fix this we are merging SNP
attestation as opt-in feature.
* terraform: GCP node groups
* cli: marshal GCP node groups to terraform variables
This does not have any side effects for users.
We still strictly create one control-plane and one worker group.
This is a preparation for enabling customizable node groups in the future.
* add SignContent() + integrate into configAPI
* use static client for upload versions tool; fix staticupload calleeReference bug
* use version to get proper cosign pub key.
* mock fetcher in CLI tests
* only provide config.New constructor with fetcher
Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
The actual python version used in bazel is hermetic after this PR.
However, we still require a host python toolchain for bootstrapping (this will be fixed soon upstream) and host wide glibc (+ libcrypt.so.1).
Required for bootstrapping bazel stamping since we cannot use "bazel build" during the workspace_status command.
Adds a small script that builds the pseudo-version tool in bazel (without stamping) and uploads it to the mirror.
On the first bazel build with stamping, the pseudo-version tool is downloaded.
* bazel-deps-mirror: upgrade command
This command can be used to upgrade a dependency.
Users are supposed to replace any upstream URLs and run the upgrade command.
It replaces the expected hash and uploads the new dep to the mirror.
Previously the content of files status and upgrade within the
cloudcmd pkg did not fit cloudcmd's pkg description.
This patch introduces a separate pkg to fix that.
The new command allows checking the status of an upgrade
and which versions are installed.
Also remove the unused restclient.
And make GetConstellationVersion a function.
bazel-deps-mirror is an internal tools used to upload external dependencies
that are referenced in the Bazel WORKSPACE to the Edgeless Systems' mirror.
It also normalizes deps rules.
* hack: add tool to mirror Bazel dependencies
* hack: bazel-deps-mirror tests
* bazel: add deps mirror commands
* ci: upload Bazel dependencies on renovate PRs
* update go mod
* run deps_mirror_upload
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>