Markus Rudy
a3de1d95d9
helm: deprioritize Cilium tc filters
By default, Cilium's tc filters are added at the highest priority,
which makes it impossible to add any tc filters of our own (because the
Cilium eBPF programs don't return to the filter chain).
Two near-future use cases that would benefit from this:
* Network testing could add counting filters to interfaces and observe
e.g. violations of encryption policy.
* The VPN Helm chart could add a filter policy that drops packets on the
"physical" interface before they can leak to the CSP.
2023-12-05 09:52:52 +01:00
Malte Poll
5e2cad34c9
image: update Linux to 6.1.64 (#2677)
Changelogs:
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.63
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.64
2023-12-05 09:35:48 +01:00
Moritz Sanft
17aecaaf5f
constellation-lib: refactor init RPC to be shared (#2665)
* constellation-lib: refactor init RPC
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: pass io.Writer for collecting logs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: add init test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: bin dialer to struct
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: set service CIDR on init
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-12-04 13:40:24 +01:00
3u13r
db49093da7
ci: export constellation with absolute path (#2675)
2023-12-04 13:18:13 +01:00
Daniel Weiße
0e91650631
cli: fix helm-timeout flags for deprecated commands (#2676)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-04 10:14:16 +01:00
edgelessci
8bd17b995e
image: update locked rpms (#2674)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-12-04 09:02:59 +01:00
edgelessci
c1bc7840bf
image: update measurements and image version (#2671)
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-12-01 16:14:27 +01:00
3u13r
63cdd03d09
Make Kubernetes serviceCIDR configurable in config (#2660)
* config: pass serviceCIDR to kubeadm init
* terraform: add serviceCIDR
2023-12-01 14:39:05 +01:00
Adrian Stobbe
c2d1a7b7fb
ref: decouple helm from config (#2669)
2023-12-01 12:51:51 +01:00
edgelessci
8532d1ff02
image: update measurements and image version (#2668)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-12-01 09:36:26 +01:00
Malte Poll
432c4294c5
bazel: remove unused go_ld_test
This was an attempt to make unit tests work where we linked against libraries and ld from Fedora.
This is no longer needed.
2023-12-01 09:35:33 +01:00
Malte Poll
4ca88cd779
bazel: remove bazeldnf and pinned rpms
2023-12-01 09:35:33 +01:00
Malte Poll
5c19b2c27b
bazel: add cross compiler for darwin
This allows cross compiling from aarch64-darwin to x86_64-linux.
It is required for building Go binaries on macOS that target Linux and have CGO enabled.
2023-12-01 09:35:33 +01:00
Malte Poll
bd3430fcf0
image: provide runtime dependencies of cryptsetup in OS image.
This adds nix store paths to the initrd and sysroot of bootable Fedora images.
2023-12-01 09:35:33 +01:00
Malte Poll
ee3ff9ac01
bazel: use patched RPATH in bootstrapper and disk-mapper binaries
2023-12-01 09:35:33 +01:00
Malte Poll
e0739a67f9
bazel: use cryptsetup from nix
2023-12-01 09:35:33 +01:00
Malte Poll
cd6e03049a
libvirt: build containerized libvirt as nix container image
2023-12-01 09:35:33 +01:00
Malte Poll
fb735419ac
bazel: provide runtime dependencies of libvirt where needed
This adds nix store paths to container images that have binaries linking
against libvirt from nix.
2023-12-01 09:35:33 +01:00
Malte Poll
361b409eb2
bazel: use libvirt from nix
2023-12-01 09:35:33 +01:00
Malte Poll
c5acb18c2b
bazel: use openssl for selected target platform
2023-12-01 09:35:33 +01:00
Malte Poll
9be252fccb
bazel: import C libraries from nix as cc_library
This also includes aliases to select the correct library based on the target platform.
2023-12-01 09:35:33 +01:00
Malte Poll
e895aa5495
nix: add derivations for C library dependencies
Cryptsetup and libvirt are new.
OpenSSL was moved with the rest.
The dynamic libraries cryptsetup and libvirt also ship a file called closure.tar,
that contains the transitive closure for all of their dependencies.
This tar file can be used as a container image layer or added to a bootable OS image
to provide the runtime dependencies required for dynamic linking.
Additionally, they ship a `rpath` file. This can be used together with patchelf to
fix the RPATH of binaries produced by Bazel.
2023-12-01 09:35:33 +01:00
Malte Poll
e174c4dfe1
bazel: add patchelf rule
This rule allows overwriting a binary's rpath.
This is required to use binaries built by Bazel that link against cc_library
targets from nix (like `/nix/store/<hash>/lib/*.so`).
2023-12-01 09:35:33 +01:00
Malte Poll
45879c7360
bazel: use pure Go platform where possible
Before, we specified that the platform has glibc 2.23 under /usr/lib.
This is technically not important for statically linked Go binaries.
2023-12-01 09:35:33 +01:00
Malte Poll
cbe08597c3
bazel: define common platforms for multi-platform builds
Default platform for targeting Constellation OS images with nix and cgo:
//bazel/platforms:constellation_os
Other target platforms with nix and cgo:
//bazel/platforms:aarch64-darwin_nix
//bazel/platforms:aarch64-linux_nix
//bazel/platforms:x86_64-darwin_nix
//bazel/platforms:x86_64-linux_nix
Pure Go platforms (no cgo, statically linked):
//bazel/platforms:go-pure_aarch64-darwin
//bazel/platforms:go-pure_aarch64-linux
//bazel/platforms:go-pure_x86_64-darwin
//bazel/platforms:go-pure_x86_64-linux
2023-12-01 09:35:33 +01:00
Daniel Weiße
a9cc9d8bbc
Create Kubernetes clients from bytes instead of filepath (#2663)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-01 09:00:44 +01:00
Moritz Sanft
4d6a7fa759
license: refactor license check to be agnostic of input (#2659)
* license: refactor license check to be agnostic of input
* license: remove unused code
* cli: only check license file in enterprise version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: fix enterprise CLI build
* bazel: add keep directive
* Update internal/constellation/apply.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* license: check for return value
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-12-01 08:37:52 +01:00
Markus Rudy
381c546c88
rfc: fix path
2023-12-01 08:15:11 +01:00
Markus Rudy
b6fd1787f7
rfc: trusted k8s images (#2648)
* rfc: trusted k8s images
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-30 16:33:44 +01:00
Daniel Weiße
581ae0f92a
cli: fix renamed flag for mini-constellation (#2662)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-30 10:12:51 +01:00
Daniel Weiße
b3c734b804
helm: re-enable timeout flag (#2658)
* Honor (hidden) timeout flag for applying helm charts
* Set only internally used structs to private
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-29 14:55:10 +01:00
katexochen
e06848c68a
image: update measurements and image version
2023-11-29 08:45:52 +01:00
Adrian Stobbe
a2de1d23ec
terraform-provider: add attestation data source (#2640)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 17:30:11 +01:00
Moritz Sanft
03c5692fdd
ci: use given image if set (#2655)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-28 14:34:02 +01:00
Daniel Weiße
ca89a31f46
ci: only run verify with JSON output on v2.14 or newer (#2649)
* Only run verify with JSON output on v2.14 or newer
* Don't upload TCB version for AWS on v2.13
* Remove workaround for CLI not yet supporting apply to initialize clusters
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 14:31:27 +01:00
Thomas Tendyck
960118dc00
config: remove AWS SNP warning
2023-11-28 14:26:40 +01:00
Daniel Weiße
3bc25cdd8f
ci: add notify hook to Terraform module test (#2653)
* Enable notification on tf module e2e test failure
* Don't try to change fields with no value
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 14:14:18 +01:00
Daniel Weiße
43f47cc5c5
ci: fix service accounts introduced by merge (#2652)
* Fix service accounts introduced by merge
* Remove GCP_E2E_PROJECT placeholders
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 10:54:58 +01:00
Daniel Weiße
45f6eec0d0
ci: add missing shell in notify action (#2646)
* Add missing shell
* Remove old teams notify action
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-28 09:41:01 +01:00
Daniel Weiße
97aea98e77
ci: update GCP service accounts for CI (#2629)
* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-27 13:04:41 +01:00
Adrian Stobbe
98673b0983
ci: only generate lock files where provider is used (#2636)
2023-11-27 12:16:45 +01:00
derpsteb
bff65d563b
image: update measurements and image version
2023-11-27 10:57:21 +01:00
edgelessci
2fc82874b7
image: update locked rpms (#2645)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-27 09:01:16 +01:00
Moritz Sanft
34bf3ad296
terraform-provider: add image datasource (#2642)
* terraform-provider: init
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: add basic docgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: fix build steps
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: extend build process and docgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* dev-docs: document provider usage
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: upload aspect lib mirror
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: don't try to create lockfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: fix shellcheck issues
* bazel: separate paths to check
* terraform-provider: clean up old files
* terraform-provider: update provider resource
* terraform-provider: add image data source
* dev-docs: remove unnecessary init
* bazel: adhere to Terraform naming expectations
* terraform-provider: fix expected data type
* terraform-provider: generate docs
* terraform-provider: improve errors
* terraform-provider: add acceptance tests for data source
* terraform-provider: fix dependencies
* bazel: quote var reference
* terraform-provider: make region optional
* terraform-provider: bind imagefetcher to data source
* bazel: tidy
* terraform-provider: remove unused parameter
* terraform-provider: remove unused parameter
* terraform-provider: extend acceptance tests
* terraform-provider: allow tests to be run without Bazel
* dev-docs: document testing
* terraform-provider: set binary path accordingly
* dev-docs: document docgen process for the provider
* bazel: run acceptance test in writable environment
* bazel: try to write to `$TMPDIR`
* terraform-provider: style nits
* terraform-provider: leave TODO
* bazel: tidy
* terraform-provider: regenerate docs
* terraform-provider: fix comment
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-27 09:00:08 +01:00
Markus Rudy
42f0aa8eb1
state: fix whitespace issue in generated docs
2023-11-27 08:35:54 +01:00
Moritz Sanft
9a62657b80
terraform-provider: init provider scaffolding (#2632)
* terraform-provider: init
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: add basic docgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: fix build steps
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: extend build process and docgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* dev-docs: document provider usage
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: upload aspect lib mirror
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: add docstring to fix linter
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: don't try to create lockfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: fix shellcheck issues
* bazel: separate paths to check
* bazel: explain what updating lockfiles means
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: fix linter checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-24 15:58:21 +01:00
Otto Bittner
2b199fd9b1
docs: explain config options for AWS SNP
2023-11-24 15:49:48 +01:00
Otto Bittner
46f563c7ca
ci: call TCB upload step for AWS
2023-11-24 15:49:48 +01:00
Otto Bittner
257eb5370f
config: only fetch TCB values from api if wanted
If no TCB value is set to `latest`, the fetcher is now no
longer called.
2023-11-24 15:49:48 +01:00
Otto Bittner
67348792dc
api: add support to upload AWS TCB values
The attestationconfig api CLI now uploads SNP TCB
versions for AWS.
2023-11-24 15:49:48 +01:00