Commit Graph

112 Commits

Author SHA1 Message Date
Malte Poll
281c7c320c deps: update protobuf to v1.33.0 2024-03-06 14:50:01 +01:00
Malte Poll
522f2858c6 proto: update generated protobuf sources 2024-02-21 18:40:16 +01:00
Malte Poll
65903459a0 chore: fix unused parameter lint in new golangcilint version 2024-02-21 17:54:07 +01:00
miampf
54cce77bab
deps: convert zap to slog (#2825) 2024-02-08 14:20:01 +00:00
Markus Rudy
c020f7ac20
cleanup: various minor debugging improvements (#2889)
* ci: improve constellation_create error message

When we hit a timeout due to nodes not coming up, the actual error
message is hard to make out because it's buried in a group. With the
right formatting, the error message will be highlighted in the UI.

Another improvement is to output the state of nodes, which helps
debugging the cause of nodes not joining or not becoming ready.

* cleanup: use NodeVersionResourceName constant

... instead of literal strings.

* ci: correctly notify on e2e upgrade error

* atls: report cert extension OIDs on mismatch

If the certificate contains an attestation document for SEV-SNP, but the
given validator is for Nitro, verifyEmbeddedReport should not claim that
there is no attestation document, but that there is no _compatible_ one
and what the incompatible ones were.
2024-02-02 16:46:28 +01:00
Malte Poll
3a5753045e goleak: ignore rules_go SIGTERM handler
rules_go added a SIGTERM handler that has a goroutine that survives the scope of the goleak check.
Currently, the best known workaround is to ignore this goroutine.

https://github.com/uber-go/goleak/issues/119
https://github.com/bazelbuild/rules_go/pull/3749
https://github.com/bazelbuild/rules_go/pull/3827#issuecomment-1894002120
2024-01-22 13:11:58 +01:00
renovate[bot]
37ec431fab
deps: update K8s dependencies (#2763)
* deps: update K8s dependencies

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-12-21 12:42:04 +01:00
Markus Rudy
a1dbd13f95 versions: consolidate various types of Components
There used to be three definitions of a Component type, and conversion
routines between the three. Since the use case is always the same, and
the Component semantics are defined by versions.go and the installer, it
seems appropriate to define the Component type there and import it in
the necessary places.
2023-12-11 14:26:54 +01:00
Otto Bittner
07eed0e319 attestation: use SNP-based attestation for AWS SNP 2023-11-24 15:49:48 +01:00
Moritz Sanft
a5021c52d3
joinservice: cache certificates for Azure SEV-SNP attestation (#2336)
* add ASK caching in joinservice

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use cached ASK in Azure SEV-SNP attestation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update test charts

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typ

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make caching mechanism less provider-specific

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add `omitempty` flag

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* frontload certificate getter

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* rename frontloaded function

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* pass cached certificates to constructor

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix race condition

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix marshalling of empty certs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validator usage

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [wip] add certcache tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add certcache tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validator test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unused fields in validator

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix certificate precedence

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use separate context

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Remove unnecessary comment

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* use background context

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Use error format directive

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* `azure` -> `Azure`

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* improve error messages

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add x509 -> PEM util function

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use crypto util functions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix certificate replacement logic

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only require ASK from certcache

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix comment typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-29 14:29:50 +02:00
Daniel Weiße
2049713620
internal: move watcher package from internal to joinservice (#2212)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-11 15:17:55 +02:00
Otto Bittner
1d5a8283e0
cli: use Semver type to represent microservice versions (#2125)
Previously we used strings to pass microservice versions. This invited
bugs due to missing input validation.
2023-07-25 14:20:25 +02:00
renovate[bot]
49cff0aabb
deps: update module github.com/sigstore/rekor to v1.2.2 (#2033)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-06 15:41:14 +02:00
Malte Poll
6c8dade285 bazel: always choose linux / amd64 distroless base image 2023-06-16 16:30:47 +02:00
Malte Poll
537cdbcfad bazel: trim path to *.pb.go files embedded in go libraries
See https://github.com/bazelbuild/rules_go/issues/3581 for context.
2023-06-16 16:30:47 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP as new variant (#1900)
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
renovate[bot]
2afddcb0f8
deps: update K8s dependencies (#1599)
* deps: update K8s dependencies

* deps: bump controller runtime

* chore: tidy

* bump helm and migrate controller runtime

* fix helm deprecation

---------

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-05-24 18:57:45 +02:00
renovate[bot]
fe115bdb16
deps: update module github.com/sigstore/rekor to v1.1.1 [SECURITY] (#1729)
* deps: update module github.com/sigstore/rekor to v1.1.1 [SECURITY]

* deps: bump oras

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-05-11 17:23:17 +02:00
Daniel Weiße
d7a2ddd939
config: add separate option for handling attestation parameters (#1623)
* Add attestation options to config

* Add join-config migration path for clusters with old measurement format

* Always create MAA provider for Azure SNP clusters

* Remove confidential VM option from provider in favor of attestation options

* cli: add config migrate command to handle config migration (#1678)

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-03 11:11:53 +02:00
Malte Poll
5145f806ea bazel: remove apko and Dockerfile where Bazel is used to build container images 2023-04-18 15:35:15 +02:00
Malte Poll
bd889bd6a7 bazel: convert all container images to Bazel 2023-04-18 15:35:15 +02:00
Malte Poll
2b962598bf
deps: update go to 1.20.3 (#1622) 2023-04-06 16:36:07 +02:00
Paul Meyer
399b052f9e
bazel: add protoc codegen to //:generate target (#1554)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-30 14:47:29 +02:00
renovate[bot]
6013665de1
deps: update gcr.io/distroless/static Docker digest to 8d4cc4a (#1547)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-29 14:56:07 +02:00
Daniel Weiße
99b12e4035
internal: refactor oid package to variant package (#1538)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 09:30:13 +02:00
Paul Meyer
e7fc541a57
bazel: add buf as protobuf formatter to //:tidy (#1511)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-23 18:08:49 +01:00
Paul Meyer
0036b24266 go: remove unused parameters
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
renovate[bot]
4d618a4b99
deps: update fedora:37 Docker digest (#1448)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-17 18:47:36 +01:00
renovate[bot]
a268a37d81
deps: update gcr.io/distroless/static Docker digest to 1268080 (#1449)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-17 18:30:22 +01:00
Daniel Weiße
6ea5588bdc
config: add attestation variant (#1413)
* Add attestation type to config (optional for now)

* Get attestation variant from config in CLI

* Set attestation variant for Constellation services in helm deployments

* Remove AzureCVM variable from helm deployments

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-14 11:46:27 +01:00
Malte Poll
bdba9d8ba6
bazel: add build files for go (#1186)
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 15:23:42 +01:00
Paul Meyer
ebf7dd8842 openstack: use metadata client where possible
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 09:04:57 -05:00
Paul Meyer
74fc6239b2
deps: update to Go 1.20.2 (#1366)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 10:05:36 +01:00
renovate[bot]
57786db96b
deps: update gcr.io/distroless/static Docker digest to 20c99e5 (#1360)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-07 18:13:34 +01:00
Malte Poll
fc33a74c78
constants: make VersionInfo readonly (#1316)
The variable VersionInfo is supposed to be set by `go build -X ...` during link time but should not be modified at runtime.
This change ensures the underlying var is private and can only be accessed by a public getter.
2023-03-01 11:55:12 +01:00
renovate[bot]
83bea18a4f
deps: update fedora:37 Docker digest (#1274)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-24 17:46:17 +01:00
renovate[bot]
2ed1707755
deps: update gcr.io/distroless/static Docker digest to 5b2fa76 (#1235)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 13:19:39 +01:00
Paul Meyer
e011a20c49 deps: update to Go 1.20
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
renovate[bot]
e600795239
deps: update gcr.io/distroless/static Docker digest to 0511233 (#1193)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-15 13:34:27 +01:00
renovate[bot]
1732795345
deps: update fedora:37 Docker digest (#1192)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-15 13:28:53 +01:00
renovate[bot]
d5f466041a
deps: update gcr.io/distroless/static Docker digest to 390b7a3 (#1139)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-03 18:06:21 +01:00
renovate[bot]
99c190a3e8
deps: update gcr.io/distroless/static Docker digest to 2019e0c (#1083)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-26 15:13:29 +01:00
Daniel Weiße
aa3ac82408
Add a bit more logging to attestation and join-service on error (#1076)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-01-26 11:24:29 +01:00
Paul Meyer
94c0184e4d ci: add workflow for proto code generation check
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-23 12:20:37 +01:00
Paul Meyer
a8cbfd848f
keyservice: use dash in container name (#1016)
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-01-20 18:51:06 +01:00
Daniel Weiße
690b50b29d
dev-docs: Go package docs (#958)
* Remove unused package

* Add Go package docs to most packages

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2023-01-19 15:57:50 +01:00
Otto Bittner
90b88e1cf9 kms: rename kms to keyservice
In the light of extending our eKMS support it will be helpful
to have a tighter use of the word "KMS".
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
2023-01-16 11:56:34 +01:00
Paul Meyer
d0e9f427d1
deps: update Go to v1.19.5 (#949)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-12 13:36:17 +01:00
renovate[bot]
78fd2abc5f
Update gcr.io/distroless/static Docker digest to ea2ed73 (#920)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-01-10 07:59:58 +01:00
Leonard Cohnen
3637909a46 internal: move components into their own package 2023-01-09 12:16:54 +01:00