Otto Bittner
405db3286e
AB#2386: TrustedLaunch support for azure attestation
...
* There are now two attestation packages on azure.
The issuer on the server side is created base on successfully
querying the idkeydigest from the TPM. Fallback on err: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42 )
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests
Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-05 12:03:48 +02:00
Nils Hanke
71fb62fe31
Remove note to instance types specifically
2022-09-05 09:36:58 +02:00
Thomas Tendyck
bd63aa3c6b
add license headers
...
sed -i '1i/*\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n*/\n' `grep -rL --include='*.go' 'DO NOT EDIT'`
gofumpt -w .
2022-09-05 09:17:25 +02:00
Fabian Kammel
106635a9ee
Restructure config docs ( #44 )
...
* more guided UX when generating and filling in config
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-09-02 17:11:06 +02:00
Nils Hanke
c0bfb9b61e
Add 'constellation config instance-types'
2022-09-02 07:04:11 -07:00
Nils Hanke
0aefe2c0ba
Move instanceType from CLI to config
2022-09-02 07:04:11 -07:00
Moritz Eckert
b95f3dbc91
Add docs to repo ( #38 )
2022-09-02 11:52:42 +02:00
Leonard Cohnen
cce2575d68
remove broken test: create azure service account
2022-09-01 17:06:01 +02:00
Leonard Cohnen
00e72db5d8
write master secret after config verification
2022-09-01 16:43:54 +02:00
Fabian Kammel
6440904865
Ref/update cosign key ( #31 )
...
* use new cosign keypair
* use community images for production image heuristic
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-09-01 12:58:31 +02:00
3u13r
f649219cbf
Feat/cilium strict mode2.0 ( #25 )
...
* bump cilium helm charts
* integrate cilium strict mode v2
2022-08-31 15:37:07 +02:00
Otto Bittner
4adc19b7f5
AB#2350: Configurably enforce idkeydigest on Azure
...
* Add join-config entry for "enforceIdKeyDigest" bool
* Add join-config entry for "idkeydigest"
* Initially filled with TPM value from bootstrapper
* Add config entries for idkeydigest and enforceIdKeyDigest
* Extend azure attestation validator to check idkeydigest,
if configured.
* Update unittests
* Add logger to NewValidator for all CSPs
* Add csp to Updateable type
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-31 15:26:04 +02:00
katexochen
10e5249631
Manual client secrets on azure
2022-08-31 14:10:08 +02:00
katexochen
1861dc2744
Tag Azure resources with UID
2022-08-31 14:10:08 +02:00
katexochen
f15605cb45
Manually manage resource group on Azure
2022-08-31 14:10:08 +02:00
Daniel Weiße
ce02878019
AB#2308 / AB#2317 constellation upgrade plan ( #3 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-31 11:59:07 +02:00
Daniel Weiße
b27e205399
Use 4 vCPU instances by default ( #24 )
...
* Use 4 vcpu instances by default
* Remove 2 vcpu instance type option
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-31 10:33:33 +02:00
Fabian Kammel
778952e07c
AB#2287 support community image IDs ( #9 )
...
* support community image IDs
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-30 15:15:51 +02:00
Daniel Weiße
7c832273fd
AB#2309 constellation upgrade execute ( #2 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-29 16:49:44 +02:00
Fabian Kammel
22c912a56d
move nodestate and role
...
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-29 16:07:55 +02:00
Nils Hanke
6da228758c
GCP: Add more N2D VMs to supported list ( #6 )
2022-08-29 09:50:40 +02:00
Malte Poll
708c6e057e
Remove azure single instance support ( #402 )
2022-08-26 11:45:32 +02:00
Malte Poll
716ba52588
create on Azure: Allow toggling between CVMs / Trusted Launch VMs ( #401 )
2022-08-25 15:24:31 +02:00
Fabian Kammel
45beec15f5
AB#2360 enterprise build tag ( #397 )
...
* enterprise build switch to disable license checking in default (OSS) version
* remove community license quota
* empty image references on OSS build in config
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-25 14:06:29 +02:00
katexochen
6b1c20792a
Use the correct context package
2022-08-24 14:56:30 +02:00
katexochen
e761c9bf97
Manually manage GCP service accounts
2022-08-24 11:44:05 +02:00
Malte Poll
f9c70d5c5a
constellation create azure: use custom poller to check for scale set creation ( #394 )
...
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-08-24 11:31:43 +02:00
Daniel Weiße
d1495e9285
Fix helm csp selection ( #362 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-24 09:45:02 +02:00
katexochen
df9db94079
Add method for building resource names
2022-08-23 18:11:20 +02:00
katexochen
14ef07aca9
Add method for building resource URIs
2022-08-23 18:11:20 +02:00
katexochen
a02a46e454
Use multiple loadbalancers on GCP
2022-08-23 18:11:20 +02:00
katexochen
c954ec089f
Check for 404 errors in GCP termination
2022-08-23 18:11:20 +02:00
katexochen
9f599c3993
Remove checks for GetState/SetState
2022-08-23 18:11:20 +02:00
katexochen
f28e00659c
Use uber/multierr for error composition
2022-08-23 18:11:20 +02:00
katexochen
a859accf1f
Use id file for init ip
2022-08-23 18:11:20 +02:00
katexochen
7bbcc564bb
Refactor id file interaction
...
* Use IP instead of endpoint in clusterIDsFile
* Move and rename validateEnpoint to addPortIfMissing
* Refactor clusterIDsFile handling in verify cmd
2022-08-23 18:11:20 +02:00
katexochen
c2faa20d6e
Fix naming in state file
2022-08-23 18:11:20 +02:00
Malte Poll
e841d9201b
Use Azure CVMs in e2e tests
2022-08-19 18:22:55 +02:00
Malte Poll
5883278d4a
Enable secure boot on Azure CVMs
2022-08-19 14:39:36 +02:00
Otto Bittner
0892525915
Switch to Azure CVMs
2022-08-19 14:39:36 +02:00
Malte Poll
402fc7761b
Disable l7 proxy on QEMU ( #378 )
2022-08-19 08:44:36 +02:00
Fabian Kammel
82eb9f4544
AB#2299 License check in CLI during init ( #366 )
...
* license server interaction
* logic to read from license file
* print license information during init
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-08-16 16:06:38 +02:00
Fabian Kammel
170a8bf5e0
AB#2306 Public image sharing in Google ( #358 )
...
* document how to publicly share images in gcloud
* Write disclamer in debugd
* Add disclamer about debug images to contributing file
* Print debug banner on startup
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-16 15:53:54 +02:00
Daniel Weiße
ba4471a228
AB#2316 Configurable enforced PCRs ( #361 )
...
* Add warnings for non enforced, untrusted PCRs
* Fix global state in Config PCR map
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-12 15:59:45 +02:00
3u13r
9478303f80
deploy cilium via helmchart ( #321 )
2022-08-12 10:20:19 +02:00
Daniel Weiße
8f5f84deb5
AB#2305 Fix missing atls verifier in init call ( #352 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-09 14:04:40 +02:00
Daniel Weiße
60d5578475
AB#2215 Perform sanity check on GCP projectID ( #349 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-09 10:26:29 +02:00
Daniel Weiße
ab536ae3c8
AB#2278 Remove hardcoded values from config ( #346 )
...
* Update file handler to avoid incorrect usage of file.Option
* Remove hardcoded values
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-08 11:04:17 +02:00
Malte Poll
bf5816cc00
linter cleanup ( #344 )
...
* go fmt
* static check
2022-08-05 15:30:23 +02:00
Daniel Weiße
8895693ae2
AB#2251 Parallel Azure scale set creation ( #318 )
...
* Parallel Azure scale set creation
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-05 10:35:38 +02:00