Commit Graph

755 Commits

Author SHA1 Message Date
Adrian Stobbe
487fa1e397
terraform: azure node groups (#1955)
* init

* migration working

* make tf variables with default value optional in go through ptr type

* fix CI build

* pr feedback

* add azure targets tf

* skip migration for empty targets

* make instance_count optional

* change role naming to dashed + add validation

* make node_group.zones optional

* Update cli/internal/terraform/terraform/azure/main.tf

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>

* malte feedback

---------

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-06-22 16:53:40 +02:00
Moritz Sanft
224c74f883
csi: aws csi driver policies (#1945)
* add required disk permissions

* update worker node policy for ebs

* Revert "update worker node policy for ebs"

This reverts commit 9c24d374e0b30bc8970e00978462fb36ee6acd4f.

* attach aws managed role instead

* add TODO comment

* remove duplicate role attachment

* Update cli/internal/terraform/terraform/iam/aws/main.tf

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-22 14:15:05 +02:00
Adrian Stobbe
4546912f11
cli: upgrade apply --force skips all compatibility checks (#1940)
* use force to skip compatibility and upgrade in progress check

* update doc

* fix tests

* add force check for helm and k8s

* add no-op check

* fix errors as
2023-06-21 15:49:42 +02:00
Otto Bittner
c7d12055d1
attestation: add SNP-based attestation for aws-sev-snp (#1916)
* config: move AMD root key to global constant
* attestation: add SNP based attestation for aws
* Always enable SNP, regardless of attestation type.
* Make AWSNitroTPM default again

There exists a bug in the AWS SNP implementation where sometimes
a host might not be able to produce valid SNP reports.
Since we have to wait for AWS to fix this, we are merging SNP
attestation as an opt-in feature.
2023-06-21 14:19:55 +02:00
Moritz Sanft
b25228d175
cli: store upgrade files in versioned folders (#1929)
* upgrade versioning

* don't pass upgrade kind as boolean

* whitespace

* fix godot lint check

* clarify upgrade check directory suffix

* cli: dry-run Terraform migrations on `upgrade check` (#1942)

* dry-run Terraform migrations on upgrade check

* clean whole upgrade dir

* clean up check workspace after planning

* fix parsing

* extend upgrade check test

* rename unused parameters

* exclude false positives in test
2023-06-21 09:22:32 +02:00
Adrian Stobbe
be4a636361
cli: improve user warning / information (#1933)
* print success

* warn when debug img but !debugCluster

* malte feedback

* rename to IsNamedLikeDebugImage
2023-06-19 16:51:39 +02:00
Malte Poll
2808012c9c
terraform: gcp node groups (#1941)
* terraform: GCP node groups

* cli: marshal GCP node groups to terraform variables

This does not have any side effects for users.
We still strictly create one control-plane and one worker group.
This is a preparation for enabling customizable node groups in the future.
2023-06-19 13:02:01 +02:00
renovate[bot]
ab52e6d4c5
fix: GCP service account creation fails sometimes (#1935)
* deps: update Terraform google to v4.69.1

* deps: tidy all modules

* add delay for service account

* deps: tidy all modules

* add delay for service account

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-16 09:37:31 +02:00
Adrian Stobbe
07de6482b2
config: drop support for deprecated Azure's service principal authentication (#1906)
* invalidate app client id field for azure and provide info

* remove TestNewWithDefaultOptions case

* fix test

* remove appClientID field

* remove client secret + rename err

* remove from docs

* otto feedback

* update docs

* delete env test in cfg since no envs set anymore

* Update dev-docs/workflows/github-actions.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* WARNING to stderr

* fix check

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-14 17:50:57 +02:00
3u13r
a2c98eb1d5
Correctly deploy the AWS CCM (#1853)
* aws: stop using the imds api for tags

* aws: disable tags in imds api

* aws: only tag instances with non-legacy tag

* bootstrapper: always let coredns run before cilium

* debugd: make debugd less noisy

* fixup fix aws imds test

* fixup unused context

* move getting instance id to readInstanceTag
2023-06-13 09:58:39 +02:00
Adrian Stobbe
e738f15f0f
cdbg: make endpoint deployment failure more transparent (#1883)
* add retry + timeout + intercept grpc logs

* LogStateChanges inside grplog pkg

* remove retry and tj/assert

* rename nit

* Update debugd/internal/cdbg/cmd/deploy.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update debugd/internal/cdbg/cmd/deploy.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* paul feedback

* return waitFn instead of WaitGroup

* Revert "return waitFn instead of WaitGroup"

This reverts commit 45700f30e341ce3af509b687febbc0125f7ddb38.

* log routine inside debugd constructor

* test doubles names

* Update debugd/internal/cdbg/cmd/deploy.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* fix newDebugClient closeFn

---------

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-06-12 13:45:34 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP as new variant (#1900)
* variant: move into internal/attestation
* attestation: move aws attestation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Thomas Tendyck
947d0cb20a cli: hide --insecure of config fetch-measurements 2023-06-09 15:07:31 +02:00
Adrian Stobbe
3fde118b33
config: enable azure snp version fetcher again + minimum age for latest version (#1899)
* fetch latest version when older than 2 weeks

* extend hack upload tool to pass an upload date

* Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8  (#1882)"

This reverts commit c7b22d314a.

* fix tests

* use NewAzureSEVSNPVersionList for type guarantees

* Revert "use NewAzureSEVSNPVersionList for type guarantees"

This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4.

* assure list is sorted

* improve root.go style

* daniel feedback
2023-06-09 12:48:12 +02:00
Adrian Stobbe
d9c604ed2c
terraform: update aws to v5.1.0 (#1891) 2023-06-09 10:37:25 +02:00
Adrian Stobbe
4284f892ce
api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi (#1876)
* rename to attestationconfigapi + put client and fetcher inside pkg

* rename api/version to versionsapi and put fetcher + client inside pkg

* rename AttestationConfigAPIFetcher to Fetcher
2023-06-07 16:16:32 +02:00
Malte Poll
b3c052e299
operators: cleanup placeholder nodeversion (#1881)
* operators: cleanup placeholder nodeversion
* e2e: improve upgrade test portability
2023-06-06 15:22:06 +02:00
3u13r
7c07e3be18
Add --insecure to config fetch-measurement (#1879)
* cli: add --insecure to fetch-measurements

* cli: rename fake to stub

* ci: upload measurements for debug images

* fix cli docs
2023-06-06 10:32:22 +02:00
Malte Poll
439359ffbc
cli: prevent terraform apply drift when patching and re-applying existing terraform deployment (#1873)
The implementation would recreate the gcp instance template (including all instances and state disks) whenever the image tfvar changes.
Fixed by ignoring lifecycle changes on the instance templates.
Fixes 8c3b963
2023-06-05 14:52:39 +02:00
Adrian Stobbe
c446f36b0f
config: Azure SNP tool can delete specific version from attestation API (#1863)
* client supports delete version

* rename to new attestation / fetcher naming

* add delete command to upload tool

* test client delete

* bazel update

* use general client in attestation client

* Update hack/configapi/cmd/delete.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* daniel feedback

* unit test azure sev upload

* Update hack/configapi/cmd/delete.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* add client integration test

* new client cmds use apiObject

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
Otto Bittner
6bda62d397
cli: skip k8s upgrade in case of outdated version (#1864)
If an unsupported, outdated k8s patch version is used,
the user should still be able to run upgrade apply.
2023-06-05 09:13:02 +02:00
Malte Poll
7c34aef263
cli: write target k8s version to config if new version is found on upgrade check (#1862) 2023-06-02 17:19:41 +02:00
Adrian Stobbe
a813760f96
config: automatically upload new Azure SNP versions to API + sign version with release key (#1854)
* sign version with release key and remove version from fetcher interface
* extend azure-reporter GH action to upload updated version values to the Attestation API
2023-06-02 12:10:22 +02:00
Moritz Sanft
8c3b963a3f
cli: Terraform upgrades maa patching (#1821)
* patch maa after upgrade

* buildfiles

* reword comment

* remove whitespace

* temp: log measurements URL

* temp: update import

* ignore changes to attestation policies

* add issue URL

* separate output in e2e upgrade test

* use enterprise CLI for e2e test

* remove measurements print

* add license headers
2023-06-02 10:47:44 +02:00
Otto Bittner
30f2b332b3
api: restructure api pkg (#1851)
* api: rename AttestationVersionRepo to Client
* api: move client into separate subpkg for
clearer import paths.
* api: rename configapi -> attestationconfig
* api: rename versionsapi -> versions
* api: rename sut to client
* api: split versionsapi client and make it public
* api: split versionapi fetcher and make it public
* config: move attestationversion type to config
* api: fix attestationconfig client test

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-02 09:19:23 +02:00
Adrian Stobbe
b51cc52945
config: sign Azure versions on upload & verify on fetch (#1836)
* add SignContent() + integrate into configAPI

* use static client for upload versions tool; fix staticupload calleeReference bug

* use version to get proper cosign pub key.

* mock fetcher in CLI tests

* only provide config.New constructor with fetcher

Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup (#1837)
* chore: add TODO responsibilities

* chore: remove not needed TODOs

* chore: remove outdated migrations

* chore: remove resolved goleak exception

* chore: remove not needed cosign env

* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Malte Poll
26bc653d0e bazel: build both cli variants as part of devbuild 2023-05-31 14:00:00 +02:00
Malte Poll
c62e54831b cli: define feature set of cli editions and exit early if a feature is not supported 2023-05-31 14:00:00 +02:00
Malte Poll
8a851c8f39 cli: dynamically select signature validation pubkey for release and pre-release artifacts 2023-05-31 14:00:00 +02:00
miampf
8686c5e7e2
bootstrapper: collect journald logs on failure (#1618) 2023-05-30 11:47:36 +00:00
Malte Poll
60b125cb59
cli: add windows amd64 build target (#1835) 2023-05-30 12:02:43 +02:00
Moritz Sanft
6d5e7e1f7c
cli: support StackIT provider on config generate (#1803)
* support stackit provider on config generate

* update cli reference

* default config values

* deploy csi driver

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>

---------

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2023-05-30 09:02:50 +02:00
3u13r
661f084ffa
cli: use uami for in-cluster authentication (#1820) 2023-05-26 11:45:03 +02:00
Adrian Stobbe
0a6e5ec02e
config: dynamic attestation configuration through S3 backed API (#1808) 2023-05-25 17:43:44 +01:00
Malte Poll
d0e53cbb59 cli: image info (v2) 2023-05-25 15:01:15 +02:00
Malte Poll
cd7b116794 cli: image measurements (v2) 2023-05-25 15:01:15 +02:00
Malte Poll
e5b394db87 cli: image measurements (v2) 2023-05-25 15:01:15 +02:00
3u13r
6062b10035
cli: split image into oss and enterprise (#1788) 2023-05-23 10:49:47 +02:00
Otto Bittner
3b3be85841 cli: fix supportedVersions during upgrade check
Previously the service version was always 0.0.0
2023-05-23 07:44:37 +02:00
Moritz Sanft
c69e6777bd
cli: Terraform migrations on upgrade (#1685)
* add terraform planning

* overwrite terraform files in upgrade workspace

* Revert "overwrite terraform files in upgrade workspace"

This reverts commit 8bdacfb8bef23ef2cdbdb06bad0855b3bbc42df0.

* prepare terraform workspace

* test upgrade integration

* print upgrade abort

* rename plan file

* write output to file

* add show plan test

* add upgrade tf workdir

* fix workspace preparing

* squash to 1 command

* test

* bazel build

* plan test

* register flag manually

* bazel tidy

* fix linter

* remove MAA variable

* fix workdir

* accept tf variables

* variable fetching

* fix resource indices

* accept Terraform targets

* refactor upgrade command

* Terraform migration apply unit test

* pass down image fetcher to test

* use new flags in e2e test

* move file name to constant

* update buildfiles

* fix version constant

* conditionally create MAA

* move interface down

* upgrade dir

* update buildfiles

* fix interface

* fix createMAA check

* fix imports

* update buildfiles

* wip: workspace backup

* copy utils

* backup upgrade workspace

* remove debug print

* replace old state after upgrade

* check if flag exists

* prepare test workspace

* remove prefix

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* respect file permissions

* refactor tf upgrader

* check workspace before upgrades

* remove temp upgrade dir after completion

* clean up workspace after abortion

* fix upgrade apply test

* fix linter

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-05-22 13:31:20 +02:00
3u13r
964775c4c2
Add autoscaling and cluster upgrade support for AWS (#1758)
* aws: autoscaling and upgrades

* docs: update scaling and upgrades for AWS

* deps: pin vuln check against release
2023-05-19 13:57:31 +02:00
3u13r
3b7bae7535
deps: bump minimum terraform version (#1797) 2023-05-18 12:59:10 +02:00
Adrian Stobbe
f99e06b63b
cli: new flag to set the attestation type for config generate (#1769)
* add attestation flag to specify type in config
2023-05-17 16:53:56 +02:00
Moritz Eckert
6252193879 cli: deploy cinder as OpenStack CSI plugin 2023-05-17 15:20:39 +02:00
Moritz Eckert
9607f01510 cli: add cinder csi helm charts 2023-05-17 15:20:39 +02:00
Daniel Weiße
1d5af5f0f4 Rebase fixes
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-17 11:37:26 +02:00
Nils Hanke
63d938d9a4 cli: improve error handling for validator 2023-05-17 11:37:26 +02:00
Nils Hanke
e130188ecd cli: add verify support for TDX 2023-05-17 11:37:26 +02:00
Nils Hanke
c507bd7d95 cli: Generalize PCRs to Measurements in preparation for TDX 2023-05-17 11:37:26 +02:00
Daniel Weiße
c478df36fa Add TDX bazel files
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-17 11:37:26 +02:00
Nils Hanke
9e987778e0 measurements: Add length field for WithAllBytes 2023-05-17 11:37:26 +02:00
Daniel Weiße
dd2da25ebe attestation: tdx issuer/validator (#1265)
* Add TDX validator

* Add TDX issuer

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-17 11:37:26 +02:00
Malte Poll
d104af6e51 image: support intel TDX direct linux boot under TDX OVMF 2023-05-17 11:37:26 +02:00
Malte Poll
79986a2b25 cli: implement qemu direct linux boot 2023-05-17 11:37:26 +02:00
renovate[bot]
fdcb74e171
deps: update Terraform aws to v4.67.0 (#1775)
* deps: update Terraform aws to v4.67.0

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 17:39:55 +02:00
renovate[bot]
6c1f7a4758
deps: update Terraform azuread to v2.39.0 (#1776)
* deps: update Terraform azuread to v2.39.0

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 17:15:57 +02:00
renovate[bot]
f9b4f1765d
deps: update Terraform azurerm to v3.56.0 (#1777)
* deps: update Terraform azurerm to v3.56.0

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 17:15:25 +02:00
renovate[bot]
fd3c93660e
deps: update Terraform google to v4.65.1 (#1778)
* deps: update Terraform google to v4.65.1

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 16:07:21 +02:00
renovate[bot]
0ce01cbad3
deps: update Terraform random to v3.5.1 (#1779)
* deps: update Terraform random to v3.5.1

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 16:01:47 +02:00
renovate[bot]
780fa9a238
deps: update Terraform google-beta to v4.64.0 (#1767)
* deps: update Terraform google-beta to v4.64.0

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 15:26:26 +02:00
renovate[bot]
87bf36d757
deps: update Terraform google to v4.64.0 (#1766)
* deps: update Terraform google to v4.64.0

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 15:11:59 +02:00
3u13r
4024b9cf71
ci: fix minicon e2e test (#1763)
* ci: push containers during minicon e2e

* cli: set testing nvram for pre images in minicon
2023-05-12 17:14:32 +02:00
renovate[bot]
81f79d943a
deps: update Terraform azurerm to v3.55.0 (#1668)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-05-08 13:43:18 +02:00
Malte Poll
6694eabebd cli: allow any well formatted zone in iam create 2023-05-05 12:06:44 +02:00
Malte Poll
653bf3621d image: replicate AWS images to eu-west-1 and eu-west-3 2023-05-05 12:06:44 +02:00
Malte Poll
56635c3993 cli: deploy yawol as OpenStack loadbalancer 2023-05-03 21:45:59 +02:00
Malte Poll
0ebe6e669d cli: add yawol helm charts 2023-05-03 21:45:59 +02:00
Otto Bittner
d5fa614df1
cli: remove ambiguity in path for CR backups (#1719)
During upgrade all custom resources are backed up to files on the
local file system. Since old versions are also backed up, we need to
reflect the version in the name.
2023-05-03 14:36:57 +02:00
Daniel Weiße
d7a2ddd939
config: add separate option for handling attestation parameters (#1623)
* Add attestation options to config

* Add join-config migration path for clusters with old measurement format

* Always create MAA provider for Azure SNP clusters

* Remove confidential VM option from provider in favor of attestation options

* cli: add config migrate command to handle config migration (#1678)

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-03 11:11:53 +02:00
Otto Bittner
3770cada91 cli: create namespaced folders for upgrade backups
Resource names are only unique per kind+ns. Without this patch it
might happen that there are two resources with the same name
in different namespaces. Upgrade might fail in that case.
2023-05-02 11:08:40 +02:00
Otto Bittner
4a0d531821 upgrade: fix 2.6 -> 2.7 migration for 2.7.1 patch
Also correctly set microservice version from config.
Previously the key was ignored and microservices were always
tried for an upgrade.
2023-04-28 15:48:12 +02:00
3u13r
074844d0cb
terraform: fix aws worker node permission (#1683) 2023-04-27 11:52:32 +02:00
3u13r
1bdf410b52
bazel: allow custom container_prefix (#1693)
* build: allow custom container registry

* build: fix .bazeloverwriterc import
2023-04-27 11:52:02 +02:00
Malte Poll
c11a3f4460
cli: configurable state disk type on OpenStack (#1686) 2023-04-27 09:08:43 +02:00
Malte Poll
ded8abeacc
ci: limit prefix length of AWS IAM resources (#1674) 2023-04-25 13:29:07 +02:00
Daniel Weiße
1ebc553365
kubernetes: update CSI driver versions to v1.2.0 (#1657)
* Update CSI charts

* Update CSI tests

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-04-21 11:03:35 +02:00
Moritz Sanft
3031d395a9
cli: force-delete Azure resource group (#1667)
* force-delete Azure resource group

* were not -> weren't

* fix typo
2023-04-19 08:30:11 +02:00
Malte Poll
5145f806ea bazel: remove apko and Dockerfile where Bazel is used to build container images 2023-04-18 15:35:15 +02:00
Malte Poll
9dfad32e33 cli: use Bazel container images 2023-04-18 15:35:15 +02:00
Malte Poll
1f81763a27 cli: convert libvirt container image to Bazel 2023-04-18 15:35:15 +02:00
3u13r
14d26e1af4
terraform: use nat gateway on azure (#1655)
* terraform: use nat gateway on azure

* docs: add new azure permission
2023-04-17 11:00:35 +02:00
Moritz Sanft
1d0ee796e8
cli: add Terraform log support (#1620)
* add Terraform logging

* add TF logging to CLI

* fix path

* only create file if logging is enabled

* update bazel files

* register persistent flags manually

* clidocgen

* move logging code to separate file

* reword yes flag parsing error

* update bazel buildfile

* factor out log level setting
2023-04-14 14:15:07 +02:00
Otto Bittner
d2967fff6b
cli: fix misleading error while applying kubernetes-only upgrade (#1630)
* The check would previously fail if e.g. `apply` did not upgrade the
image, but a new image was specified in the config. This could
happen if the specified image was too new, but a valid Kubernetes
upgrade was specified.
* ci: fix variable expansion in e2e-upgrade call
* e2e: do not verify measurement signature
2023-04-13 15:58:37 +02:00
Daniel Weiße
ec01c57661
internal: use config to create attestation validators (#1561)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-04-06 17:00:56 +02:00
renovate[bot]
d95a764b65
deps: update golangci/golangci-lint to v1.52.2 (#1598)
* deps: update golangci/golangci-lint to v1.52.2
* deps: tidy all modules
* fix linting issues

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-04-05 18:40:35 +02:00
Malte Poll
69de06dd1f
image: OpenStack vTPM (#1616)
* cli: allow vpc traffic between nodes on OpenStack
* image: enable vTPM on OpenStack
* cli: add create tests for OpenStack
2023-04-05 16:49:03 +02:00
Moritz Sanft
e71c33c88d
cli: print attestation document with constellation verify (#1577)
* wip: verification output

* wip: Azure cert parsing

* wip: print actual PCRs

* wip: use string builder for output formatting

* compare PCR expected with actual

* tests

* change naming

* update cli reference

* update bazel buildfile

* bazel update

* change loop signature
2023-04-03 15:06:27 +02:00
Malte Poll
d15968bed7
bootstrapper: make Azure auth method configurable on cluster init (#1346)
* bootstrapper: make Azure auth method configurable on cluster init
* azure: convert uami resource ID to clientID

Co-authored-by: 3u13r <lc@edgeless.systems>
2023-04-03 15:01:25 +02:00
Moritz Sanft
46f5b1734e
cli: show available cli upgrades on upgrade check command (#1394)
* cli: upgrade check show cli upgrades

* only check compatibility for valid upgrades

* use semver.Sort

* extend unit tests

* add unit test for new compatible cli versions

* adapt to feedback

* fix rebase

* rework output

* minor -> major

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* minor -> major

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* dynamic major version

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* remove currentK8sVer argument

* bazel gen & tidy

* bazel update

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-04-03 14:31:17 +02:00
Paul Meyer
176d32599f terraform: add missing permission to AWS iam
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-04-03 07:23:00 -04:00
Paul Meyer
63b07ede8a terraform: sort permissions
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-04-03 07:23:00 -04:00
Otto Bittner
7c8215e507 cli: add kubernetes pkg to interface with cluster
Previously the content of files status and upgrade within the
cloudcmd pkg did not fit cloudcmd's pkg description.
This patch introduces a separate pkg to fix that.
2023-04-03 12:03:41 +02:00
Otto Bittner
c8c2953d7b cli: add status cmd
The new command allows checking the status of an upgrade
and which versions are installed.
Also remove the unused restclient.
And make GetConstellationVersion a function.
2023-04-03 12:03:41 +02:00
Daniel Weiße
62c165750f
config: remove deprecated upgradeConfig and require name and microserviceVersion fields (#1541)
* Remove deprecated fields

* Remove warning for not setting attestationVariant

* Don't write attestationVariant to config

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-31 19:19:10 +02:00
Paul Meyer
b8d6b110b1
cli: add missing -y short flag to iam create (#1572)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-31 17:26:14 +02:00
Paul Meyer
66ee24b5b2
cli: remove duplicated print (#1568)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-31 14:43:39 +02:00
Paul Meyer
909bfb9274 bazel: add go generate to //:generate target
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-29 12:51:40 -04:00
Daniel Weiße
fc0efb6309
config: deprecate confidentialVM option for Azure clusters in favor of using attestationVariant option (#1539)
* Remove confidentialVM option from azure provider config

* Fix cloudcmd creator test

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 14:04:37 +02:00
Daniel Weiße
b57413cfa7
cli: set cluster's initial measurements from user's config using Helm (#1540)
* Remove using measurements from the initial control-plane node for the cluster's initial measurements

* Add using measurements from the user's config for the cluster's initial measurements to align behavior with upgrade command

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 11:16:56 +02:00
Daniel Weiße
99b12e4035
internal: refactor oid package to variant package (#1538)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 09:30:13 +02:00
Daniel Weiße
db5660e3d6
attestation: add context to Issue and Validate methods (#1532)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 09:06:10 +02:00
Otto Bittner
861bc84f94
cli: only apply upgrades on gcp/azure (#1518)
The constellation-operator currently doesn't support the
necessary operations for AWS, OpenStack and QEMU.
2023-03-24 17:07:14 +01:00
Otto Bittner
bb2b5e1bd1 cli: allow users to only upgrade measurements
In case only measurements are upgraded, a confirmation is required.
Alternatively, the `yes` flag can be used.
2023-03-23 18:08:18 +01:00
Otto Bittner
c057fac315 cli: idkeycfg upgrade migration
TODO: revert this commit after v2.7 is released.
2023-03-23 14:57:38 +01:00
Otto Bittner
cac43a1dd0 ci: add e2e-upgrade test
The test is implemented as a go test.
It can be executed as a bazel target.
The general workflow is to setup a cluster,
point the test to the workspace in which to
find the kubeconfig and the constellation config
and specify a target image, k8s and
service version. The test will succeed
if it detects all target versions in the cluster
within the configured timeout.
The CI automates the above steps.
A separate workflow is introduced as there
are multiple input fields to the test.
Adding all of these to the manual e2e test
seemed confusing.

Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2023-03-23 14:57:38 +01:00
Leonard Cohnen
bb009e6166 remove duplicate log in miniconstellation 2023-03-23 14:55:29 +01:00
Otto Bittner
9f6e924066
cli: fix upgrade apply for image-only upgrades (#1468)
This fixes a bug where `upgrade apply` fails if only the image is
upgraded, due to mishandling of an empty configmap.
Making stubStableClient more complex is needed since it is called
with multiple configMaps now.
2023-03-22 11:53:47 +01:00
Paul Meyer
02fc3dc635
measurements: refactor validation option (#1462)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-22 11:47:39 +01:00
3u13r
cf9970c051
terraform: allow for multiple instance groups (#1471) 2023-03-21 22:56:03 +01:00
renovate[bot]
02a389e8c0
deps: update Terraform openstack to v1.51.1 (#1424)
* deps: update Terraform openstack to v1.51.1
* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-03-21 13:36:49 +01:00
Daniel Weiße
5a0234b3f2
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)
* Convert enforceIDKeyDigest setting to enum

* Use MAA fallback in Azure SNP attestation

* Only create MAA provider if MAA fallback is enabled

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 12:46:49 +01:00
Malte Poll
8559a1ef8b helm: deploy node operator on OpenStack 2023-03-21 10:51:09 +01:00
Malte Poll
7d4ab07163 helm: add tests for AWS and OpenStack 2023-03-21 10:51:09 +01:00
Malte Poll
e5124d1a97 helm: add OpenStack charts 2023-03-21 10:51:09 +01:00
Malte Poll
f066416a43 cli: add support for constellation init on OpenStack 2023-03-21 10:51:09 +01:00
Paul Meyer
f638812143
terraform: unique Azure attestation provider name (#1472)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-21 10:41:48 +01:00
Otto Bittner
5a82c3cef2
cli: add attestationVariant migration (#1467)
Temporarily add the attestationVariant key to the service
values during upgrade. Normally this should not be
modified during upgrade. However, since the field is introduced
in v2.7, we need to add the field manually.
2023-03-21 10:04:48 +01:00
Malte Poll
44db16b42e
cli: give Azure uami all perms previously given to app registration (#1334)
This is the first step for deprecating app registrations on Azure.
The user-assigned managed identity (uami) should first gain all permissions that are currently held by the app registration.

* cli: give Azure uami all permissions previously given to app registration
* docs: document required owner role for user-assigned managed identity on Azure
2023-03-21 10:00:13 +01:00
Paul Meyer
05f6d1dc65
terraform: valid Azure attestation provider name (#1465)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 17:53:00 +01:00
Otto Bittner
1b12147d83
cli: minor restructuring for loading helm charts (#1441)
Use one loadRelease function instead of one function for each
release.
2023-03-20 17:05:58 +01:00
Nils Hanke
4f37fe38f9 cli: fix typo 2023-03-20 15:30:35 +01:00
Paul Meyer
a474739ab6 go: remove unused parameters
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 10:03:52 -04:00
Otto Bittner
9e13b0f917
cli: only create resource backups if upgrade is executed (#1437)
Previously backups were created even if no service upgrades were
executed. To allow this, some things are restructured:
* new chartInfo type that holds release name, path and chart name
* upgrade execution and version validity are checked separately
2023-03-20 14:49:04 +01:00
Paul Meyer
658cac046f go: remove redundant if-err check
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Paul Meyer
0036b24266 go: remove unused parameters
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Nils Hanke
822d7823f8 cli: refuse to retry init once gRPC has reached READY one time 2023-03-20 13:33:46 +01:00
Nils Hanke
77d19eb896 cli: add "Connecting" spinner state for "constellation init" 2023-03-20 13:33:46 +01:00
Moritz Sanft
f2ce9518a3
cli: support custom attestation policies for maa (#1375)
* create and update maa attestation policy

* use interface to allow unit testing

* fix test csp

* http request for policy patch

* go mod tidy

* remove hyphen

* go mod tidy

* wip: adapt to feedback

* linting fixes

* remove csp from tf call

* fix type assertion

* Add MAA URL to instance tags (#1409)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* conditionally create maa provider

* only set instance tag when maa is created

* fix azure unit test

* bazel tidy

* remove AzureCVM const

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* encode policy at runtime

* remove policy arg

* fix unit test

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-03-20 13:33:04 +01:00
Thomas Tendyck
43fbb06426 cli: remove ctx parameter from rollbackOnError to prevent wrong use 2023-03-20 08:49:46 +01:00
renovate[bot]
4d618a4b99
deps: update fedora:37 Docker digest (#1448)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-17 18:47:36 +01:00
renovate[bot]
b03ead589f
deps: update Terraform azuread to v2.36.0 (#1421)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 14:30:17 +01:00
renovate[bot]
03d2232321
deps: update Terraform google-beta to v4.57.0 (#1423)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 13:45:43 +01:00
renovate[bot]
f8f3f00595
deps: update Terraform azurerm to v3.47.0 (#1422)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 13:45:08 +01:00
renovate[bot]
95d6618b9d
deps: update Terraform google to v4.57.0 (#1420)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 12:06:53 +01:00
renovate[bot]
0db034db5b
deps: update Terraform aws to v4.58.0 (#1419)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 11:43:52 +01:00
Malte Poll
a73cdb9b14
bazel: command to prepare development workspace (#1425)
This command symlinks all binaries into the current working directory (or the path specified by the first argument)

* bazel: command to prepare development workspace
* bazel: set malt3 as codeowner
2023-03-14 13:57:39 +01:00
Daniel Weiße
6ea5588bdc
config: add attestation variant (#1413)
* Add attestation type to config (optional for now)

* Get attestation variant from config in CLI

* Set attestation variant for Constellation services in helm deployments

* Remove AzureCVM variable from helm deployments

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-14 11:46:27 +01:00
Thomas Tendyck
64e1f553d1 cli: remove Edition in version command, which contains duplicate info 2023-03-10 11:36:44 +01:00
Malte Poll
bdba9d8ba6
bazel: add build files for go (#1186)
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 15:23:42 +01:00
Daniel Weiße
446b77828b
cli: add missing flag to miniConstellation (#1374)
* Add missing flag to miniConstellation

* Add config merger to miniConstellation

* Soft fail if config can not be merged

* Remove config flattening

* Release spinner stop lock when stopping finished

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Nils Hanke <nils.hanke@outlook.com>
2023-03-08 15:48:36 +01:00
Paul Meyer
630016d1b3 openstack: use password to authenticate in cluster
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 09:04:57 -05:00
Paul Meyer
64fc43f276
use any instead of interface{} (#1354)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 10:31:20 +01:00
Daniel Weiße
19507677c1
cli: attestation validator debug output (#1262)
* Wrote->Written

* Add Validator info logs to debug output

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-03 16:50:25 +01:00
Malte Poll
cda2669d40
cli: upgrade libtpms in libvirt container (#1338) 2023-03-03 15:07:27 +01:00
Otto Bittner
b94d23a3e8 cli: create backups before upgrading microservices 2023-03-03 15:02:22 +01:00
Otto Bittner
3cef9ee74d cli: add doc comments for helm 2023-03-03 15:02:22 +01:00
Malte Poll
8aa42e30ad
cli: set OpenStack service account credentials (#1328) 2023-03-03 10:10:36 +01:00
Malte Poll
8ad04f7dbb
cli: log grpc connection state for init call (#1324)
This is a measure to detect cases where an aTLS handshake is performed but the long-running call is interrupted, leading to a retry of the init call.
Whenever the grpc connection state reaches ready, we know that the aTLS handshake has succeeded:

> READY: The channel has successfully established a connection all the way through TLS handshake (or equivalent) and protocol-level (HTTP/2, etc) handshaking, and all subsequent attempts to communicate have succeeded (or are pending without any known failure).
2023-03-03 09:38:57 +01:00
Otto Bittner
f0db5d0395
cli: restructure upgrade apply (#1319)
Applies the updated NodeVersion object with one request
instead of two. This makes sure that the first request does
not accidentally put the cluster into an "upgrade in progress"
status, which would lead users to having to run apply twice.
2023-03-03 09:38:23 +01:00