Commit Graph

97 Commits

Author SHA1 Message Date
Daniel Weiße
1e19e64fbc Dynamic grpc client credentials (#204)
* Add an aTLS wrapper for grpc credentials

* Move grpc dialers to internal and use aTLS grpc credentials

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-13 11:40:27 +02:00
Fabian Kammel
84552ca8f7 AB#2104 Feat/azure logging (#198)
implementation for azure early boot logging
2022-06-10 13:18:30 +02:00
katexochen
4d50e4c657 Refactor coordinator run function 2022-06-08 17:33:51 +02:00
Daniel Weiße
3467df6b69 Move attestation, atls and oid packages to internal directory
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-08 17:17:06 +02:00
Daniel Weiße
0941ce8c7e Allow passing nil issuer to not embed attestation
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-08 17:17:06 +02:00
katexochen
180d7872dd Separate shared azure code 2022-06-08 11:59:23 +02:00
katexochen
48b4f10207 Separate shared gcp code 2022-06-08 11:53:55 +02:00
Leonard Cohnen
e5c4171a14 fix cilium encryption in gcp 2022-06-04 18:43:42 +02:00
Fabian Kammel
a15605475e AB#2104 early boot logging (#175) 2022-06-03 11:55:18 +02:00
Leonard Cohnen
791d5564ba replace flannel with cilium 2022-06-02 13:08:25 +02:00
Christoph Meyer
db5468a886 Deploy KMS server image in Constellation
Add image pull secret for ghcr.io
2022-05-31 11:13:26 +02:00
Daniel Weiße
869448c3e1 Add mutual aTLS support (#176)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-05-24 16:33:44 +02:00
Malte Poll
1331ee4077 Install kubernetes on init / join and restart kubelet after reboot
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-05-23 11:40:22 +02:00
Malte Poll
f67cf2d31f k8s binary components version map and install directives
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-05-23 11:40:22 +02:00
Malte Poll
14f6985fe3 Implement binary file installer & extractor
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-05-23 11:40:22 +02:00
Moritz Eckert
6dc97590fe Enable and configure k8s audit-log (#160)
* Enable and configure k8s audit-log

* Update coordinator/kubernetes/k8sapi/kubeadm_config.go

Co-authored-by: Malte Poll <mp@edgeless.systems>

* add mount point for audit log dir in kubeadm conf

* Mount audit policy into kube-apiserver static pod

* Write default auditpolicy on cluster init / cluster join

Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-05-20 17:30:37 +02:00
Nils Hanke
c9982b979c Add unit test for SSH user creation on nodes 2022-05-17 18:00:21 +02:00
Nils Hanke
ed071d389c Add SSH users on subsequent coordinators & nodes 2022-05-17 18:00:21 +02:00
Nils Hanke
68092f27dd AB#2046 : Add option to create SSH users for the first coordinator upon initialization (#133)
* Move `file`, `ssh` and `user` packages to internal
* Rename `SSHKey` to `(ssh.)UserKey`
* Rename KeyValue / Publickey to PublicKey
* Rename SSH key file from "debugd" to "ssh-keys"
* Add CreateSSHUsers function to Core
* Call CreateSSHUsers users on first control-plane node, when defined in config

Tests:
* Make StubUserCreator add entries to /etc/passwd
* Add NewLinuxUserManagerFake for unit tests
* Add unit tests & adjust existing ones to changes
2022-05-16 17:32:00 +02:00
Moritz Eckert
5ad34e0425 Apply CIS benchmark to kubelet conf
Signed-off-by: Malte Poll <mp@edgeless.systems>
Co-authored-by: Moritz Eckert <me@edgeless.systems>
2022-05-12 17:25:45 +02:00
Moritz Eckert
adda637609 Apply CIS benchmark for kubeadm clusterconf
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-05-12 17:25:45 +02:00
cm
c63d7126e7 AB#1943 Extract KMS package (#56)
* Extract kmsapi from coordinator

* Add kmsapi cmd server
2022-05-10 12:35:17 +02:00
Malte Poll
c9226de9ab Create kubernetes join token on demand
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-05-06 12:12:44 +02:00
Malte Poll
ddcb4dc95f Pin kubernetes version deployed by kubeadm init
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-05-05 09:15:41 +02:00
katexochen
7614c53142 Remove checks for leaking flushDaemon 2022-05-04 17:16:40 +02:00
katexochen
469b2ff46c Rename to contol plane/workers
AB#1954
2022-05-04 17:14:03 +02:00
Daniel Weiße
423e29e3ab Update to latest grpc generator
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-05-04 08:48:31 +02:00
Daniel Weiße
29206ac845 Use any instead of interface
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-05-04 08:48:31 +02:00
Malte Poll
17d73813a9 Force lowercase luks disk UUID in disk-mapper, disk-rekeying and recovery
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-05-04 08:41:32 +02:00
Daniel Weiße
10e9faab10 Remove GCP non CVMs
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-05-02 16:03:36 +02:00
Malte Poll
3817a57a83 disable tpm simulator in coordinator release binary
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-04-29 13:44:09 +02:00
Daniel Weiße
483f65175e Add OID doc comments
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-04-28 14:46:24 +02:00
Daniel Weiße
d9940fddae Only set cloud-provider as external if supported by the CSP
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-04-28 14:46:24 +02:00
Daniel Weiße
dcdfae141d Add qemu CSP for Coordinator
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-04-28 14:46:24 +02:00
Daniel Weiße
956ced6e3d Add qemu vTPM issuer and validator
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-04-28 14:46:24 +02:00
Malte Poll
f5aafd8178 Implement reinitialization of the coordinator after reboot
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-04-28 14:35:35 +02:00
Malte Poll
ffb471d023 Add GetVPNPeers pubapi endpoint
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-04-28 14:35:35 +02:00
Malte Poll
f827e479b1 Add VPNIP to nodestate
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-04-28 14:35:35 +02:00
Malte Poll
f2b3fc328b pubapi: extract StartVPNAPIServer and StartUpdateLoop as separate functions
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-04-28 14:35:35 +02:00
Malte Poll
77b0237dd5 extract shared grpcutil dialer from pubapi
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-04-28 14:35:35 +02:00
Thomas Tendyck
87efa50c1d clarify TestConcurrent purpose, limitations, and error expectations 2022-04-26 17:28:08 +02:00
Thomas Tendyck
2ef41d193f revert actNode in TestConcurrent 2022-04-26 17:28:08 +02:00
datosh
51068abc27 Ref/want err from err expected (#82)
consistent naming for test values using 'want' instead of 'expect/ed'
2022-04-26 16:54:05 +02:00
katexochen
482f675dac Capitalize Kubernetes 2022-04-26 12:02:17 +02:00
Benedict Schlueter
86178df205 coordinator-core: add multi coordinator Kubernetes integration (#39)
Signed-off-by: Benedict Schlueter <bs@edgeless.systems>
2022-04-25 17:39:18 +02:00
Benedict Schlueter
0ac9617dac kubernetes: support for certKey request / support for control-plane join
Signed-off-by: Benedict Schlueter <bs@edgeless.systems>
2022-04-25 17:39:18 +02:00
Benedict Schlueter
d8241a1b38 proto: add new functions / modify ActivateAsCoordinatorRequest
Signed-off-by: Benedict Schlueter <bs@edgeless.systems>
2022-04-25 17:39:18 +02:00
Daniel Weiße
e5e5161520 Move simulated TPM to own package
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-04-22 16:11:54 +02:00
Leonard Cohnen
2fb4c15753 remove aws nitro attestation 2022-04-21 14:50:22 +02:00
Daniel Weiße
37aff14cab AB#1903 Push keys to restarting nodes on trigger RPC
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-04-21 13:08:02 +02:00