Commit Graph

805 Commits

Author SHA1 Message Date
Daniel Weiße
b3c734b804
helm: re-enable timeout flag (#2658)
* Honor (hidden) timeout flag for applying helm charts
* Set only internally used structs to private

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-29 14:55:10 +01:00
katexochen
e06848c68a image: update measurements and image version 2023-11-29 08:45:52 +01:00
Adrian Stobbe
a2de1d23ec
terraform-provider: add attestation data source (#2640)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 17:30:11 +01:00
Thomas Tendyck
960118dc00 config: remove AWS SNP warning 2023-11-28 14:26:40 +01:00
derpsteb
bff65d563b image: update measurements and image version 2023-11-27 10:57:21 +01:00
Markus Rudy
42f0aa8eb1 state: fix whitespace issue in generated docs 2023-11-27 08:35:54 +01:00
Otto Bittner
46f563c7ca ci: call TCB upload step for AWS 2023-11-24 15:49:48 +01:00
Otto Bittner
257eb5370f config: only fetch TCB values from api if wanted
If no TCB value is set to `latest`, the fetcher is now no
longer called.
2023-11-24 15:49:48 +01:00
Otto Bittner
67348792dc api: add support to upload AWS TCB values
The attestationconfig api CLI now uploads SNP TCB
versions for AWS.
2023-11-24 15:49:48 +01:00
Otto Bittner
4813fcfdb6 config: fetch latest AWS TCB values 2023-11-24 15:49:48 +01:00
Otto Bittner
350397923f api: refactor attestationconfigapi client/fetcher
There is now one SEVSNPVersions type that has a variant
property. That property is used to build the correct JSON
path. The surrounding methods handling the version objects
are also updated to receive a variant argument and work
for multiple variants. This simplifies adding AWS support.
2023-11-24 15:49:48 +01:00
Otto Bittner
5542f9c63c api: refactor attestationcfgapi cli
The cli now takes CSP and object kind as argument.
Also made upload an explicit command and the report
path/version an argument.
Previously the report was a flag. The CSP was hardcoded.
There was only one object kind (snp-report).
2023-11-24 15:49:48 +01:00
Otto Bittner
84d8bd8110 verify: query vlek ASK from KDS if not set
The user can choose to supply an intermediate
certificate through the config, like they can
for the root key. If none is supplied,
the KDS is queried for a valid ASK.
2023-11-24 15:49:48 +01:00
Otto Bittner
07eed0e319 attestation: use SNP-based attestation for AWS SNP 2023-11-24 15:49:48 +01:00
Otto Bittner
cdc91b50bc verify: move CSP-specific code to internal/verify
With the introduction of SNP-based attestation on AWS
some of the information in the report (MAAToken) is not
applicable to all attestation reports anymore.
Thus, make verify cmd CSP-agnostic and move
CSP-specific logic to internal/verify.
Also make internal/attestation/snp CSP aware.
2023-11-24 15:49:48 +01:00
Otto Bittner
5ce55e3449 attestation: add snp package
The package holds code shared between SNP-based
attestation implementations on AWS and Azure .
2023-11-24 15:49:48 +01:00
3u13r
635a5d2c0a
Fix Konnectivity migration (#2633)
* helm: let cilium upgrade jump minor versions

* cli: reconcile kubeadm cm to not have konnectivity
2023-11-24 12:28:37 +01:00
katexochen
949186e5d7 image: update measurements and image version 2023-11-24 12:06:03 +01:00
Moritz Sanft
c922864f30
fetcher: respect HTTP(S)_PROXY environment variable (#2635) 2023-11-23 14:42:13 +01:00
Markus Rudy
d599b80b2a license: enable Bazel-based integration testing
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-23 13:48:54 +01:00
Markus Rudy
6cfc80454a license: dedicated module for integration test
The integration test for the license module depends on network
connectivity and should be Bazel-tagged as such. Since the unit tests do
not have a network dependency, we should not apply the tag to those. The
easiest way to do this in a Gazelle-compliant way is to move the
integration test into its own module.
2023-11-23 13:48:54 +01:00
Moritz Sanft
968cdc1a38
cli: move cli/internal libraries (#2623)
* cli: move internal packages

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: fix buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: fix exclude dir

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: move back libraries that will not be used by TF provider

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-22 14:52:56 +01:00
Adrian Stobbe
9af514d08e
fix panic in status cmd (#2625) 2023-11-22 08:31:37 +01:00
Daniel Weiße
35abc3c354
cli: use apply command to start mini cluster (#2551)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-20 12:10:16 +01:00
edgelessci
e51513985a
image: update measurements and image version (#2612)
Co-authored-by: daniel-weisse <daniel-weisse@users.noreply.github.com>
2023-11-17 12:49:54 +01:00
3u13r
183ce7a45a image: update measurements and image version 2023-11-16 13:50:40 +01:00
Leonard Cohnen
cfcc0898b2 helm: remove konnectivity from control-planes
This is the first step in our migration off of
konnectivity. Before node-to-node encryption
we used konnectivity to route some KubeAPI
to kubelet traffic over the pod network which then
would be encrypted.

Since we enabled node-to-node encryption this has no
security upsides anymore. Note that we still deploy
the konnectivity agents via helm and still have the
load balancer for konnectivity.

In the following releases we will remove both.
2023-11-15 19:27:33 +01:00
katexochen
648eebab24 image: update measurements and image version 2023-11-15 11:10:40 +01:00
edgelessci
246b9ce069
image: update measurements and image version (#2594)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-13 21:10:15 +01:00
edgelessci
e918a7af90
image: update measurements and image version (#2571)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-11-13 06:54:09 +01:00
Adrian Stobbe
cea6204b37
terraform: Terraform module for AWS (#2503) 2023-11-08 19:10:01 +01:00
Otto Bittner
b1b8571877 validation: use regex instead of dns lookup
Doing a DNS lookup may fail for domain names that are valid
but currently not assigned.
The old test also breaks inside the bazel sandbox.
2023-11-08 14:43:05 +01:00
Otto Bittner
8341db3c33 attestation: clear certificate cache in azure snp
The unittest was flacky as testcases with valid certs
in the getter property lead to those certs being cached
inside the trust module. Other testcases however,
may want to explicitly use invalid certs. The cache
interferes with this.

Co-authored-by: Moritz Sanft <ms@edgeless.systems>
2023-11-08 13:31:26 +01:00
katexochen
45df17d527 image: update measurements and image version 2023-11-08 11:40:07 +01:00
Daniel Weiße
32706f50f6
[Windows] cli: fix incorrect filepath separator causing upgrades to fail (#2562)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-08 10:26:02 +01:00
Moritz Sanft
744a605602
cli: state file validation (#2523)
* re-use `ReadFromFile` in `CreateOrRead`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [wip]: add constraints

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [wip] error formatting

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* wip

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* formatted error messages

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* state file validation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* allow overriding the constraints

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* dont validate on read

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add pre-create constraints

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [wip]

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* finish pre-init validation test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* finish post-init validation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use state file validation in CLI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix apply tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update internal/validation/errors.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* use transformator for tests

* tidy

* use empty check directly

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update cli/internal/state/state.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/state/state.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/state/state.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/state/state.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* conditional validation per CSP

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix rebase

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add default case

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* validate state-file as last input

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-11-03 15:47:03 +01:00
Adrian Stobbe
eaec73cca4
cli: fix invalid upper case name on AWS (#2546) 2023-11-03 10:09:43 +01:00
katexochen
d67f1a035f image: update measurements and image version 2023-11-03 09:04:06 +01:00
katexochen
33ff6eb5ae image: update measurements and image version 2023-11-02 13:28:49 +01:00
Daniel Weiße
625dc26644
cli: unify cloudcmd create and upgrade code (#2513)
* Unify cloudcmd create and upgrade code
* Make libvirt runner code a bit more idempotent

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-31 12:46:40 +01:00
katexochen
238a3c222b image: update measurements and image version 2023-10-30 11:23:12 +01:00
Moritz Sanft
402a8834ca
ci: add e2e test for self-managed infrastructure (#2472)
* add self-managed infra e2e test

* self-managed terminatio

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix upgrade test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix indentation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use -r when copying dir

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add terraform variable parsing

* copy constellation conf

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary line breaks

* add missing value

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add image fetching for CSP

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix quoting

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing input to internal lb test

* normalize Azure URLs.. Of course

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix expressions

* initsecret to hex

* update hexdump cmd

* add build test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add node / pod cidr outputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* explicitly delete the state file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing license header

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* always write all outputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix list output

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove state-file and admin-conf on destroy

* dont use test payload

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] use self managed infra in manual e2e for testing

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* init: always skip infrastructure phase

* patch maa in workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* default to Constellation-created infra in e2e test

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-27 09:37:26 +02:00
Daniel Weiße
f4bfbe3564
docs: refer to apply command instead of init or upgrade apply (#2487)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-27 08:30:59 +02:00
Daniel Weiße
ec424b260d
cli: refactor terraform code to be update/create agnostic (#2501)
* Move upgrade specific functions out of Terraform module
* Always allow overwriting Terraform files
* Ensure constellation-terraform dir does not exist on create

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-26 10:55:50 +02:00
katexochen
5eb6cc6d08 image: update measurements and image version 2023-10-25 10:54:56 +02:00
renovate[bot]
06014c58ba
deps: update Kubernetes versions (#2491)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-25 10:13:42 +02:00
renovate[bot]
4afe5940b6
deps: update registry.k8s.io/provider-aws/cloud-controller-manager Docker tag to v1.28.1 (#2492)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-25 09:01:52 +02:00
Daniel Weiße
671cf36f0a
cli: common backend for init and upgrade apply commands (#2449)
* Use common 'apply' backend for init and upgrades
* Move unit tests to new apply backend
* Only perform Terraform migrations if state exists in cwd (#2457)
* Rework skipPhases logic

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-24 15:39:18 +02:00
Moritz Sanft
a104936bc6
validation: add generic validation framework (#2480)
* [wip] validation framework

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [wip] wip

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* working for shallow structs!!!

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix needle pointer deref

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix nested structs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix nested struct pointers

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix slices / arrays

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix struct parsing

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* extend tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* expose API

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* extend in-package documentation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix naming

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing license headers

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* align with review

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-10-24 11:38:05 +02:00
renovate[bot]
5b70654489
deps: update ghcr.io/edgelesssys/gcp-guest-agent Docker tag to v20231016 (#2490)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-23 10:37:37 +02:00