Commit Graph

335 Commits

Author SHA1 Message Date
Malte Poll
c4a3e40882 s3proxy: add new page to documentation (v2.12) 2023-10-10 18:31:02 +02:00
Malte Poll
07249b1288 docs: add note about current AWS CVM issues (v2.12) 2023-10-10 18:31:02 +02:00
malt3
34cdfdaf57 docs: add release v2.12.0 2023-10-10 18:31:02 +02:00
Otto Bittner
4ef2e289b2
s3proxy: add new page to documentation (#2417)
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <ts@edgeless.systems>
2023-10-10 15:35:23 +02:00
Thomas Tendyck
714158619a docs: add note about current AWS CVM issues 2023-10-10 12:11:52 +02:00
Moritz Sanft
005e865a13
cli: use state file on init and upgrade (#2395)
* [wip] use state file in CLI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use state file in CLI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

take clusterConfig from IDFile for compat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

various fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

wip

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add GCP-specific values in Helm loader test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary pointer

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* write ClusterValues in one step

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move stub to test file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove mention of id-file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move output to `migrateTerraform`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* unconditional assignments converting from idFile

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move require block in go modules file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fall back to id file on upgrade

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add notice to remove Terraform state check on manual migration

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add `name` field

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

fix name tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* return early if no Terraform diff

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* return infrastructure state even if no diff exists

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add TODO to remove comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use state-file in miniconstellation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: remove id-file (#2402)

* remove id-file from `constellation create`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add file renaming to handler

* rename id-file after upgrade

* use idFile on `constellation init`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation verify`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation mini`

* remove id-file from `constellation recover`

* linter fixes

* remove id-file from `constellation terminate`

* fix initSecret type

* fix recover argument precedence

* fix terminate test

* generate

* add TODO to remove id-file removal

* Update cli/internal/cmd/init.go

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* fix verify arg parse logic

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add version test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from docs

* add file not found log

* use state-file in miniconstellation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation iam destroy`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `cdbg deploy`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* use state-file in CI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update orchestration docs

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-10-09 13:04:29 +02:00
Adrian Stobbe
fdd47b7a00
cli: new flag for Azure JSON output of constellation verify (#2391) 2023-10-07 16:24:29 +02:00
3u13r
6ba43b03ee
docs: add gcp permissions needed for upgrade (#2378) 2023-10-05 10:28:39 +02:00
Moritz Eckert
7c76592a08
docs: add observability page (#2384)
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-10-04 09:37:46 +02:00
Malte Poll
4a66899de8 docs: update attestation section with changes for measured boot 2023-09-27 17:58:19 +02:00
Moritz Sanft
f4b2d02194
ci: collect cluster metrics to OpenSearch (#2347)
* add Metricbeat deployment to debugd

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* set metricbeat debugd image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix k8s deployment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use 2 separate deployments

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only deploy via k8s in non-debug-images

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing tilde

* remove k8s metrics

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* unify flag

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add cloud metadata processor to filebeat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* ci: fix debugd logcollection (#2355)

* add missing keyvault access role

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bump logstash image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bump filebeat / metricbeat image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* log used image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use debugging image versions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* increase wait timeout for image upload

* add cloud metadata processor to filebeat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix template locations in container

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix image version typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add filebeat / metricbeat users

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove user additions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update workflow step name

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only mount config files

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* document potential rc

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix IAM permissions in workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix AWS permissions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing workflow input

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rename action

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* pin image versions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary workflow inputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add refStream input

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove inputs.yml dep

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* increase system metric period

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linkchecker

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-09-27 16:17:31 +02:00
renovate[bot]
2829e59eef deps: update ubuntu:22.04 Docker digest to aabed32 2023-09-26 13:08:22 +02:00
edgelessci
866861491a
docs: add release v2.11.0 (#2330)
Co-authored-by: 3u13r <3u13r@users.noreply.github.com>
2023-09-14 15:54:27 +02:00
Adrian Stobbe
92726dad2a
doc: --skip-flag in the upgrade workflow (#2313)
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-09 15:26:18 +02:00
Daniel Weiße
2cb0ce0b1b
Add troubleshooting notes for manually managing helm charts (#2327)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 22:27:25 +02:00
Adrian Stobbe
5960025da7
cli: new flag to skip phases of upgrade (#2310)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-08 14:55:07 +02:00
Moritz Eckert
c7996481f2
docs: switch to native mermaid support (#2306) 2023-09-05 11:24:20 +02:00
Thomas Tendyck
5272e7c86f docs: publish fixes in performance section to 2.10 2023-08-28 10:01:15 +02:00
Adrian Stobbe
19893c565e
docs: document constellation-cluster.log file (#2285) 2023-08-25 12:50:12 +02:00
Moritz Eckert
b278b76df5
docs: add vault benchmark (#2271)
* Refactor benchmark structure
* Add vault-benchmark section
* update 2.10 docs

Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-08-24 15:52:05 +02:00
Daniel Weiße
f33cc647ed
Revert "docs: fix sigstore doc links (#2272)" (#2280)
This reverts commit ec1bba7a8b.
2023-08-24 11:12:28 +02:00
Moritz Sanft
49e5a17aec
docs: document upgrade backup files (#2275)
* document backup files on upgrade

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* reword TF backup

* Update docs/docs/workflows/upgrade.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* Update docs/docs/workflows/upgrade.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* Update docs/docs/workflows/upgrade.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* Update upgrade.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-08-23 21:22:36 +02:00
Daniel Weiße
053aa60e47
cli: remove helm management from join-config (#2251)
* Replace UpdateAttestationConfig with ApplyJoinConfig

* Dont set up join-config over Helm, it is now only managed by our CLI directly during init and upgrade

* Remove measurementSalt and attestationConfig parsing from helm, they were only needed for the JoinConfig

* Add migration step to remove join-config from Helm management

* Update attestation config trouble shooting tip

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-23 08:14:39 +02:00
Daniel Weiße
ec1bba7a8b
docs: fix sigstore doc links (#2272)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-22 13:33:58 +02:00
3u13r
8325f99b09
deps: support Kubernetes 1.28 (#2242) 2023-08-18 11:13:24 +02:00
edgelessci
dfe7c9884b
docs: add release v2.10.0 (#2220)
* docs: add release v2.10.0

* fix link

---------

Co-authored-by: elchead <elchead@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-08-16 15:07:03 +02:00
Malte Poll
a71eaebf81
docs: update screencasts to demo node groups (#2243) 2023-08-16 13:50:31 +02:00
3u13r
310b80c0a8
docs: update sigstore links (#2225) 2023-08-14 15:52:45 +02:00
Adrian Stobbe
4788467bca
cli: upgrade uses same helm releases as init (#2177) 2023-08-11 15:18:59 +02:00
Malte Poll
e1c6c533ed
docs: document node groups and migration from old config fields (#2175) 2023-08-09 09:46:22 +02:00
Daniel Weiße
d1ace13713
cli: add --workspace flag to set base directory for Constellation workspace (#2148)
* Remove `--config` and `--master-secret` falgs

* Add `--workspace` flag

* In CLI, only work on files with paths created from `cli/internal/cmd`

* Properly print values for GCP on IAM create when not directly updating the config

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-04 13:53:51 +02:00
Malte Poll
82de0b83bd docs: remove deprecated flags from docs 2023-08-04 12:36:45 +02:00
Adrian Stobbe
a3184af7a2
cli: add iam upgrade apply (#2132)
* add new iam upgrade apply

* remove iam tf plan from upgrade apply check

* add iam migration warning to upgrade apply

* update release process

* document migration

* Apply suggestions from code review

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* add iam upgrade

* remove upgrade dir check in test

* ask only without --yes

* make iam upgrade provider specific

* test without seperate logins

* remove csi and only add conditionally

* Revert "test without seperate logins"

This reverts commit 05a12e59c9.

* fix msising cred

* support iam migration for all csps

* add iam upgrade label

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-07-26 17:29:03 +02:00
Adrian Stobbe
a87b7894db
aws: use new LB controller to fix SecurityGroup cleanup on K8s service deletion (#2090)
* add current chart

add current helm chart

* disable service controller for aws ccm

* add new iam roles

* doc AWS internet LB + add to LB test

* pass clusterName to helm for AWS LB

* fix update-aws-lb chart to also include .helmignore

* move chart outside services

* working state

* add subnet tags for AWS subnet discovery

* fix .helmignore load rule with file in subdirectory

* upgrade iam profile

* revert new loader impl since cilium is not correctly loaded

* install chart if not already present during `upgrade apply`

* cleanup PR + fix build + add todos

cleanup PR + add todos

* shared helm pkg for cli install and bootstrapper

* add link to eks docs

* refactor iamMigrationCmd

* delete unused helm.symwallk

* move iammigrate to upgrade pkg

* fixup! delete unused helm.symwallk

* add to upgradecheck

* remove nodeSelector from go code (Otto)

* update iam docs and sort permission + remove duplicate roles

* fix bug in `upgrade check`

* better upgrade check output when svc version upgrade not possible

* pr feedback

* remove force flag in upgrade_test

* use upgrader.GetUpgradeID instead of extra type

* remove todos + fix check

* update doc lb (leo)

* remove bootstrapper helm package

* Update cli/internal/cmd/upgradecheck.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* final nits

* add docs for e2e upgrade test setup

* Apply suggestions from code review

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/helm/loader.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/cmd/tfmigrationclient.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* fix daniel review

* link to the iam permissions instead of manually updating them (agreed with leo)

* disable iam upgrade in upgrade apply

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Malte Poll
2023-07-24 10:30:53 +02:00
Daniel Weiße
2c8c86a0cb
ci: remove Azure portal internal links from docs (#2122)
* Remove Azure internal links from docs

* Ignore Azure internal link in dev-docs

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:04:34 +02:00
Adrian Stobbe
320fd4b726
doc: add iam:DeletePolicyVersion (#2111)
* document iam:DeletePolicyVersion

* add in all doc versions
2023-07-18 10:24:52 +02:00
edgelessci
a300b453f3
docs: add release v2.9.0 (#2102) 2023-07-14 16:24:05 +02:00
Thomas Tendyck
2c1da48437 docs: publish 2023-07-10 09:08:15 +02:00
Thomas Tendyck
0aaf58b710 docs: misc fixes 2023-07-10 09:08:15 +02:00
Malte Poll
1ff40533f1
cli: add "--skip-helm-wait" flag (#2061)
* cli: add "--skip-helm-wait" flag

This flag can be used to disable the atomic and wait flags during helm install.
This is useful when debugging a failing constellation init, since the user gains access to
the cluster even when one of the deployments is never in a ready state.
2023-07-07 17:09:45 +02:00
Thomas Tendyck
492c6a7dae docs: suggest changes for first-steps-local 2023-07-07 15:35:21 +02:00
Adrian Stobbe
94b087197b
docs: how to set up MiniConstellation on Azure (#1999)
* init

* update doc

* move quick-setup to devdocs
2023-07-07 15:14:13 +02:00
Thomas Tendyck
274fed0990 cli: fix/improve some user-facing strings 2023-07-06 09:05:17 +02:00
Malte Poll
4283601433
operators: infrastructure autodiscovery (#1958)
* helm: configure GCP cloud controller manager to search in all zones of a region

See also: d716fdd452/providers/gce/gce.go (L376-L380)

* operators: add nodeGroupName to ScalingGroup CRD

NodeGroupName is the human friendly name of the node group that will be exposed to customers via the Constellation config in the future.

* operators: support simple executor / scheduler to reconcile on non-k8s resources

* operators: add new return type for ListScalingGroups to support arbitrary node groups

* operators: ListScalingGroups should return additionally created node groups on AWS

* operators: ListScalingGroups should return additionally created node groups on Azure

* operators: ListScalingGroups should return additionally created node groups on GCP

* operators: ListScalingGroups should return additionally created node groups on unsupported CSPs

* operators: implement external scaling group reconciler

This controller scans the cloud provider infrastructure and changes k8s resources accordingly.
It creates ScaleSet resources when new node groups are created and deletes them if the node groups are removed.

* operators: no longer create scale sets when the operator starts

In the future, scale sets are created dynamically.

* operators: watch for node join/leave events using a controller

* operators: deploy new controllers

* docs: update auto scaling documentation with support for node groups
2023-07-05 07:27:34 +02:00
Malte Poll
06909f8aca
docs: explain the role of PCR[10] and why it is not reproducible (#2011) 2023-07-04 16:41:01 +02:00
renovate[bot]
f8117b7223
deps: update ubuntu:22.04 Docker digest to b060fff (#2006)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-04 16:04:28 +02:00
Adrian Stobbe
e72ec60d13
config: iam create aws check zone contains availability zone (#1913)
* init

* make zone flag mandatory again

* add info about zone update + refactor

* add comment in docs about zone update

* Update cli/internal/cmd/iamcreate_test.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* thomas feedback

* add format check to config validation

* remove TODO

* Update docs/docs/workflows/config.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* thomas nit

---------

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-07-04 13:55:52 +02:00
Moritz Eckert
31a22bb443
docs: enable ga and cookie banner (#1986) 2023-06-30 14:42:55 +02:00
Thomas Tendyck
54a313b247 docs: update "feature status of clouds" regarding current AWS SNP offering 2023-06-30 14:07:04 +02:00
Moritz Sanft
a587558df9
docs: document aws encrypted storage (#1974)
* document AWS encrypted storage

* dont use block express disks

* Update docs/docs/workflows/storage.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/storage.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/storage.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/storage.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

---------

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-06-30 09:06:52 +02:00
miampf
77b28cb5e7
cli: change generate-config flag to update-config flag (#1897) 2023-06-28 12:47:44 +00:00
Thomas Tendyck
46e144d19b Use term "attestation variant" consistently 2023-06-26 08:54:11 +02:00
Otto Bittner
3a7bb52560
attestation: docs and config changes for SNP attestation (#1959)
* docs: describe SEV-SNP support on AWS
* config: remove launchMeasurement

awsSEVSNP attestation config should not have this value.
It doesn't have a function yet.
2023-06-23 15:38:24 +02:00
Otto Bittner
7388240943
Revert "attestation: add SNP-based attestation for aws-sev-snp (#1916)" (#1957)
This reverts commit c7d12055d1.
2023-06-22 17:08:44 +02:00
Otto Bittner
c7d12055d1
attestation: add SNP-based attestation for aws-sev-snp (#1916)
* config: move AMD root key to global constant
* attestation: add SNP based attestation for aws
* Always enable SNP, regardless of attestation type.
* Make AWSNitroTPM default again

There exists a bug in AWS SNP implementation where sometimes
a host might not be able to produce valid SNP reports.
Since we have to wait for AWS to fix this we are merging SNP
attestation as opt-in feature.
2023-06-21 14:19:55 +02:00
Adrian Stobbe
07de6482b2
config: drop support for deprecated Azure's service principal authentication (#1906)
* invalidate app client id field for azure and provide info

* remove TestNewWithDefaultOptions case

* fix test

* remove appClientID field

* remove client secret + rename err

* remove from docs

* otto feedback

* update docs

* delete env test in cfg since no envs set anymore

* Update dev-docs/workflows/github-actions.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* WARNING to stderr

* fix check

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-14 17:50:57 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP as new variant (#1900)
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Thomas Tendyck
947d0cb20a cli: hide --insecure of config fetch-measurements 2023-06-09 15:07:31 +02:00
Moritz Eckert
9463d6fb27
cli: fix azure config warning message (#1902) 2023-06-09 11:16:54 +02:00
edgelessci
f43366ed89
docs: add release v2.8.0 (#1884)
* docs: add release v2.8.0
* docs: mention required AWS IAM permissions for upgrades

---------

Co-authored-by: malt3 <malt3@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-06-07 10:34:07 +02:00
3u13r
7c07e3be18
Add --insecure to config fetch-measurement (#1879)
* cli: add --insecure to fetch-measurements

* cli: rename fake to stub

* ci: upload measurements for debug images

* fix cli docs
2023-06-06 10:32:22 +02:00
Malte Poll
eb9bea1cff
docs: refine instructions for upgrade process (#1865)
Incorporate customer feedback regarding the recommended commands when upgrading a Constellation cluster.
Showing the full command "constellation upgrade check --write-config" is important to ensure only valid, safe upgrades are applied.

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-05 09:10:20 +02:00
renovate[bot]
a31c3dbbcd
deps: update ubuntu:22.04 Docker digest to 2fdb1cf (#1857)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: malt3 <mp@edgeless.systems>
2023-06-02 11:20:59 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup (#1837)
* chore: add TODO responsibilities

* chore: remove not needed TODOs

* chore: remove outdated migrations

* chore: remove resolved goleak exception

* chore: remove not needed cosign env

* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Moritz Sanft
6d5e7e1f7c
cli: support StackIT provider on config generate (#1803)
* support stackit provider on config generate

* update cli reference

* default config values

* deploy csi driver

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>

---------

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2023-05-30 09:02:50 +02:00
3u13r
661f084ffa
cli: use uami for in-cluter authentication (#1820) 2023-05-26 11:45:03 +02:00
renovate[bot]
0eeb1d2ceb deps: update dependency @cmfcmf/docusaurus-search-local to v1 2023-05-24 13:47:50 +02:00
renovate[bot]
9dd428557f
deps: update dependency prism-react-renderer to v2 (#1824)
* deps: update dependency prism-react-renderer to v2

* Update docusaurus.config.js

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-05-24 13:30:14 +02:00
renovate[bot]
1ea2814fe4
deps: update dependency mermaid to v10 (#1823)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-05-24 13:10:19 +02:00
Thomas Tendyck
69464bca4b docs: publish 2023-05-23 15:51:46 +02:00
3u13r
964775c4c2
Add autoscaling and cluster upgrade support for AWS (#1758)
* aws: autoscaling and upgrades

* docs: update scaling and upgrades for AWS

* deps: pin vuln check against release
2023-05-19 13:57:31 +02:00
Adrian Stobbe
f99e06b63b
cli: new flag to set the attestation type for config generate (#1769)
* add attestation flag to specify type in config
2023-05-17 16:53:56 +02:00
miampf
e7b7a544f0
docs: add a qemu section (#1724) 2023-05-17 13:21:35 +00:00
Moritz Eckert
fd83f3439e
docs: update state of clouds (#1732)
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-05-10 10:04:20 +02:00
renovate[bot]
f3e14f2b42
deps: update ubuntu:22.04 Docker digest to ca5534a (#1744)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-05-05 14:38:11 +02:00
Paul Meyer
30cd024076
deps: add Kubernetes v1.27, remove Kubernetes v1.24 (#1669)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-05-05 13:22:53 +02:00
Malte Poll
653bf3621d image: replicate AWS images to eu-west-1 and eu-west-3 2023-05-05 12:06:44 +02:00
Daniel Weiße
c3b13178aa
docs: add short explanation on attestation config options (#1654)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-04 15:00:06 +02:00
Daniel Weiße
d7a2ddd939
config: add separate option for handling attestation parameters (#1623)
* Add attestation options to config

* Add join-config migration path for clusters with old measurement format

* Always create MAA provider for Azure SNP clusters

* Remove confidential VM option from provider in favor of attestation options

* cli: add config migrate command to handle config migration (#1678)

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-03 11:11:53 +02:00
Moritz Sanft
478b6ddb72
add terraform debug docs (#1627) 2023-04-21 08:43:27 +02:00
Moritz Sanft
3031d395a9
cli: force-delete Azure resource group (#1667)
* force-delete Azure resource group

* were not -> weren't

* fix typo
2023-04-19 08:30:11 +02:00
3u13r
14d26e1af4
terraform: use nat gateway on azure (#1655)
* terraform: use nat gateway on azure

* docs: add new azure permission
2023-04-17 11:00:35 +02:00
Moritz Sanft
1d0ee796e8
cli: add Terraform log support (#1620)
* add Terraform logging

* add TF logging to CLI

* fix path

* only create file if logging is enabled

* update bazel files

* register persistent flags manually

* clidocgen

* move logging code to separate file

* reword yes flag parsing error

* update bazel buildfile

* factor out log level setting
2023-04-14 14:15:07 +02:00
Moritz Eckert
af9e03f66b docs: update versioned benchmarks 2023-04-11 14:28:21 +02:00
Moritz Eckert
0b66119a41 docs: group perf graphics by csp 2023-04-11 14:28:21 +02:00
Moritz Eckert
db32251daa docs: update benchmarks with v2.6.0
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-04-11 14:28:21 +02:00
Moritz Eckert
a1f5e0e53d ci: Add tooling to create benchmark figures 2023-04-11 14:28:21 +02:00
edgelessci
06bbdda9dc
docs: add release v2.7.0 (#1592)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-04-05 10:33:16 +02:00
Moritz Sanft
e71c33c88d
cli: print attestation document with constellation verify (#1577)
* wip: verification output

* wip: Azure cert parsing

* wip: print actual PCRs

* wip: use string builder for output formatting

* compare PCR expected with actual

* tests

* change naming

* update cli reference

* update bazel buildfile

* bazel update

* change loop signature
2023-04-03 15:06:27 +02:00
Paul Meyer
176d32599f terraform: add missing permission to AWS iam
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-04-03 07:23:00 -04:00
Paul Meyer
63b07ede8a terraform: sort permissions
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-04-03 07:23:00 -04:00
Otto Bittner
c8c2953d7b cli: add status cmd
The new command allows checking the status of an upgrade
and which versions are installed.
Also remove the unused restclient.
And make GetConstellationVersion a function.
2023-04-03 12:03:41 +02:00
Paul Meyer
b8d6b110b1
cli: add missing -y short flag to iam create (#1572)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-31 17:26:14 +02:00
Moritz Sanft
1f7acf8dfb
docs: list minimal permissions for Constellation setup (#1442)
* add required Azure perms

* add minimal aws permissions

* add minimal gcp permissions

* [wip] split Azure perms by iam create/create step

* Update docs/docs/getting-started/install.md

Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>

* Update docs/docs/getting-started/install.md

Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>

* minimal gcp permissions for iam create/create step

* escape footnote bracket

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* active voice

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* link to config step

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* add predefined roles for Azure

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* add AWS and GCP predefined min roles

* add Azure attestationprovider perm

* footnote for attestation mode

* Update docs/docs/getting-started/install.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* accept superset

* fix negation

Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>

* update footnote

---------

Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-03-30 10:16:57 +02:00
Thomas Tendyck
6fabb2a84b docs: rearrange troubleshooting 2023-03-29 10:57:17 +02:00
Otto Bittner
861bc84f94
cli: only apply upgrades on gcp/azure (#1518)
The constellation-operator currently doesn't support the
necessary operations for AWS, OpenStack and QEMU.
2023-03-24 17:07:14 +01:00
derpsteb
870182987c docs: update cli reference 2023-03-24 08:47:53 +01:00
Otto Bittner
55067b12cd docs: explain how to change cluster measurements
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-23 18:08:18 +01:00
Malte Poll
44db16b42e
cli: give Azure uami all perms previously given to app registration (#1334)
This is the first step for deprecating app registrations on Azure.
The user-assigned managed identity (uami) should first gain all permissions that are currently held by the app registration.

* cli: give Azure uami all permissions previously given to app registratio
* docs: document required owner role for user-assigned managed identity on Azure
2023-03-21 10:00:13 +01:00
renovate[bot]
79395ddd20
deps: update ubuntu:22.04 Docker digest to 7a57c69 (#1452)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-17 18:31:20 +01:00