This is the first step in our migration off of
konnectivity. Before node-to-node encryption
we used konnectivity to route some KubeAPI
to kubelet traffic over the pod network which then
would be encrypted.
Since we enabled node-to-node encryption this has no
security upsides anymore. Note that we still deploy
the konnectivity agents via helm and still have the
load balancer for konnectivity.
In the following releases we will remove both.
The Cilium strict mode has a special mode which
loosens the security a slight bit. For compatability this
mode is enabled by default. But we don't need it for strict
node-to-node encryption. Therefore, we disable it.
The token given out by control-planes contains the node IP
as an endpoint. Since during this stage the joining node is
not connected to the WireGuard network, we cannot
communicate node-to-node. Therefore, we need to hop over the
load balancer again to have a src IP outside of the strict
range.
For the strict modes we need to dynamically use
the CIDR used in the Terraform files. Therefore,
we write them to our statefile and use them when
installing Cilium.
When enabling node-to-node encryption, Cilium does not
encrypt control-plane to control-plane traffic by
default since they say that they cannot gurantee that
the generated private key for a node is persisted across
reboots.
In Constellation we use stateful VMs which when rebooted
still have the cilium_wg0 interface containing the
private key.
Therefore, we can enable this type of encryption.
* make image optional in the high level modules
* align azure variable description
* set defaults in convenience modules
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* add Azure Terraform module
* add maa-patching command to cli
* refactor release process
* factor out image fetching to own action
* add CI
* generate
* fix some unnecessary changes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use `constellation maa-patch` in ci
* insecure flag when using debug image
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only update maa url if existing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make node group zone optional on aws and gcp
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] register updated workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Revert "[remove] register updated workflow"
This reverts commit e70b9515b7eabbcbe0d41fa1296c48750cd02ace.
* create MAA
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make maa-patching only run on azure
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add comment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* require node group zone for GCP and AWS
* remove unnecessary bazel action
* stamp version to correct file
* refer to `maa-patch` command in docs
* run Azure test in weekly e2e
* comment / naming improvements
* remove sa_account resource
* disable spellcheck ot use "URL"
* `create_maa` variable
* don't write maa url to config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* default to nightly image
* use input ref and stream
* fix command check
* don't set region in weekly e2e call
* patch maa if url is not empty
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove `create_maa` variable
* remove binaries
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove undefined input
* replace invalid attestation URL error message
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* fix punctuation
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* skip hidden commands in clidocgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* enable spellcheck before code block
* move spellcheck trigger out of info block
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix workflow dependencies
* let image default to CLI version
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
In unit tests, NewCollector may be called on systems that do not have
"journalctl" in $PATH.
We can defer checking if the command can work by not checking cmd.Err in
the constructor.
* Add missing bazel set-up in windows e2e-failure notify
* Enable bazel caching for e2e-upgrade test
* Remove whitespace
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>