There is now one SEVSNPVersions type that has a variant
property. That property is used to build the correct JSON
path. The surrounding methods handling the version objects
are also updated to receive a variant argument and work
for multiple variants. This simplifies adding AWS support.
The user can choose to supply an intermediate
certificate through the config, like they can
for the root key. If none is supplied,
the KDS is queried for a valid ASK.
With the introduction of SNP-based attestation on AWS
some of the information in the report (MAAToken) is not
applicable to all attestation reports anymore.
Thus, make verify cmd CSP-agnostic and move
CSP-specific logic to internal/verify.
Also make internal/attestation/snp CSP aware.
* cli: move internal packages
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: fix buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: fix exclude dir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: move back libraries that will not be used by TF provider
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Allow creation of Constellation clusters using `apply` command
* Add auto-completion for `--skip-phases` flag
* Deprecate create command
* Replace all doc references to create command with apply
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This is the first step in our migration off of
konnectivity. Before node-to-node encryption
we used konnectivity to route some KubeAPI
to kubelet traffic over the pod network which then
would be encrypted.
Since we enabled node-to-node encryption this has no
security upsides anymore. Note that we still deploy
the konnectivity agents via helm and still have the
load balancer for konnectivity.
In the following releases we will remove both.
The Cilium strict mode has a special mode which
loosens the security a slight bit. For compatability this
mode is enabled by default. But we don't need it for strict
node-to-node encryption. Therefore, we disable it.
For the strict modes we need to dynamically use
the CIDR used in the Terraform files. Therefore,
we write them to our statefile and use them when
installing Cilium.
When enabling node-to-node encryption, Cilium does not
encrypt control-plane to control-plane traffic by
default since they say that they cannot gurantee that
the generated private key for a node is persisted across
reboots.
In Constellation we use stateful VMs which when rebooted
still have the cilium_wg0 interface containing the
private key.
Therefore, we can enable this type of encryption.
* add Azure Terraform module
* add maa-patching command to cli
* refactor release process
* factor out image fetching to own action
* add CI
* generate
* fix some unnecessary changes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use `constellation maa-patch` in ci
* insecure flag when using debug image
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only update maa url if existing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make node group zone optional on aws and gcp
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] register updated workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Revert "[remove] register updated workflow"
This reverts commit e70b9515b7eabbcbe0d41fa1296c48750cd02ace.
* create MAA
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make maa-patching only run on azure
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add comment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* require node group zone for GCP and AWS
* remove unnecessary bazel action
* stamp version to correct file
* refer to `maa-patch` command in docs
* run Azure test in weekly e2e
* comment / naming improvements
* remove sa_account resource
* disable spellcheck ot use "URL"
* `create_maa` variable
* don't write maa url to config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* default to nightly image
* use input ref and stream
* fix command check
* don't set region in weekly e2e call
* patch maa if url is not empty
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove `create_maa` variable
* remove binaries
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove undefined input
* replace invalid attestation URL error message
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* fix punctuation
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* skip hidden commands in clidocgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* enable spellcheck before code block
* move spellcheck trigger out of info block
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix workflow dependencies
* let image default to CLI version
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* re-use `ReadFromFile` in `CreateOrRead`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip]: add constraints
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip] error formatting
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* formatted error messages
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* state file validation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* allow overriding the constraints
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* dont validate on read
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add pre-create constraints
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip]
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* finish pre-init validation test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* finish post-init validation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use state file validation in CLI
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix apply tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/validation/errors.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* use transformator for tests
* tidy
* use empty check directly
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update cli/internal/state/state.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/state/state.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/state/state.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/state/state.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* conditional validation per CSP
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix rebase
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add default case
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* validate state-file as last input
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Remove mention of "changes below" for changes that are listed above the message
* Add a spinner for Terraform Plan action
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* add self-managed infra e2e test
* self-managed terminatio
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix upgrade test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix indentation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use -r when copying dir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add terraform variable parsing
* copy constellation conf
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary line breaks
* add missing value
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add image fetching for CSP
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix quoting
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing input to internal lb test
* normalize Azure URLs.. Of course
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix expressions
* initsecret to hex
* update hexdump cmd
* add build test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add node / pod cidr outputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* explicitly delete the state file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing license header
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* always write all outputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix list output
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove state-file and admin-conf on destroy
* dont use test payload
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] use self managed infra in manual e2e for testing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* init: always skip infrastructure phase
* patch maa in workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* default to Constellation-created infra in e2e test
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Add apply command
* Mark init and upgrade apply as deprecated
* Use apply command in CI
* Add skippable phases for attestation config and cert SANs
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Move upgrade specific functions out of Terraform module
* Always allow overwriting Terraform files
* Ensure constellation-terraform dir does not exist on create
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Use common 'apply' backend for init and upgrades
* Move unit tests to new apply backend
* Only perform Terraform migrations if state exists in cwd (#2457)
* Rework skipPhases logic
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* custom byte slice marshalling
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* byte slice compatibility
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* other byte slice compat test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing dep
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* export byte type alias
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* regenerate exported type
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* test marshal and unmarshal together
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* create state file during config generate
* use written file in `constellation create`
* document creation of state file
* remove accidentally added test
* check error when writing state file