Commit Graph

795 Commits

Author SHA1 Message Date
Adrian Stobbe
22c2a73ae2
cli: store kubernetes version as strong type in config (#2287)
Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: 3u13r <lc@edgeless.systems>
2023-09-19 13:50:00 +02:00
Moritz Sanft
95cf4bdf21
cli: perform upgrades in-place in Terraform workspace (#2317)
* perform upgrades in-place in terraform workspace

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add iam upgrade apply test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make config fetcher stubbable

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* change workspace restoring behaviour

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* allow overwriting existing Terraform files

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* allow overwrites of TF variables

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix iam upgrade apply

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix embed directive

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make loader test less brittle

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* pass upgrade ID to user

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* naming nit

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use upgradeDir

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-09-14 11:51:20 +02:00
Daniel Weiße
2a1996dbe1
cli: check chart versions against target version in users config before upgrading (#2319)
* Check chart versions against target in users config

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Cleaner cli-config version support checking

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Return InvalidUpgradeError

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 23:09:02 +02:00
Daniel Weiße
5706e69091
Retry helm apply on any error (#2322)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 22:54:01 +02:00
3u13r
a25c90e9bb
remove deprecated constellation create flags (#2325)
* chore: clean-up TODOs

* cli: make OpenStack error explicit

* cli: remove deprecated flags

* config: require DeployCSIDriver field
2023-09-08 21:15:02 +02:00
Adrian Stobbe
5960025da7
cli: new flag to skip phases of upgrade (#2310)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-08 14:55:07 +02:00
Daniel Weiße
94a7b9e7b2
cli: save Helm charts to disk before running upgrades (#2305)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 12:02:16 +02:00
Daniel Weiße
9765003298
cli: print ordered measurements list during constellation verify (#2302)
* Print measurements as ordered list during verify
* Fix missing safety check in AWS attestation validation

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 08:08:09 +02:00
Adrian Stobbe
0eb9ca2e18
move csp logic to cloudcmd (#2311) 2023-09-07 12:10:36 +02:00
Otto Bittner
6e5ba774d8 cli: disable nosmt via VMM temporarily.
AWS asked us to disable these options temporarily until they resolve
some internal issues that sometimes prevents these instances
from starting.
2023-09-05 08:23:18 +02:00
Daniel Weiße
311da4c082
cli: correctly trim white spaces for certificates in verify (#2299)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-04 08:30:18 +02:00
Otto Bittner
75ce11af14
cli: disable smt via cpu_options (#2291)
Disabling SMT dynamically inside the image creates problems on AWS.
The problem should be fixed by disabling smt through the VMM.
By recommendation from AWS: add idle=poll.
This should improve our launch success rate while they investigate some
upstream issues.
2023-09-01 11:26:21 +02:00
Daniel Weiße
ce374243ef
cli: retry join-config operations (#2290)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-29 11:40:44 +02:00
Adrian Stobbe
19893c565e
docs: document constellation-cluster.log file (#2285) 2023-08-25 12:50:12 +02:00
Adrian Stobbe
a03325466c
cli: helm install and upgrade unification (#2244) 2023-08-24 16:40:47 +02:00
Adrian Stobbe
9e79e2e0a1
cli: cleanup terraform files when create fails (#2282) 2023-08-24 16:38:02 +02:00
Daniel Weiße
47fc676927
cli: parse image and k8s versions as semver (#2235)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-23 14:37:53 +02:00
Daniel Weiße
0a911806d1
cli: remove/refactor upgrade package (#2266)
* Move IAM migration client to cloudcmd package

* Move Terraform Cluster upgrade client to cloudcmd package

* Use hcl for creating Terraform IAM variables files

* Unify terraform upgrade code

* Rename some cloudcmd files for better clarity

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-23 10:35:42 +02:00
Daniel Weiße
053aa60e47
cli: remove helm management from join-config (#2251)
* Replace UpdateAttestationConfig with ApplyJoinConfig

* Dont set up join-config over Helm, it is now only managed by our CLI directly during init and upgrade

* Remove measurementSalt and attestationConfig parsing from helm, they were only needed for the JoinConfig

* Add migration step to remove join-config from Helm management

* Update attestation config trouble shooting tip

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-23 08:14:39 +02:00
Daniel Weiße
afa7fd0edb
cli: refactor kubernetes package (#2232)
* Clean up CLI kubernetes package

* Rename CLI kubernetes pkg to kubecmd

* Unify kubernetes clients

* Refactor attestation config upgrade

* Update CODEOWNERS file

* Remove outdated GetMeasurementSalt

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-21 16:15:32 +02:00
Daniel Weiße
3bf316e28f
cli: add spinner to helm chart installation (#2270)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-21 15:12:23 +02:00
3u13r
bb654ba1ab
cli: fix incorrect actual values for constellation verify on AWS (#2265)
* cli: fix aws pcr index
2023-08-21 13:50:00 +02:00
Daniel Weiße
9477999be2
cli: clean up terraform package (#2256)
* Clean up Terraform pkg

* Add note to Terraform migration functions expecting to be run on initialized workspace

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-21 10:26:53 +02:00
renovate[bot]
ae7888a13f
deps: update Terraform azuread to v2.41.0 (#2254)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-17 10:29:49 +02:00
Adrian Stobbe
ca47d26634
cli: fix upgrade by passing placeholder values for images (#2250)
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-08-17 07:16:09 +02:00
Thomas Tendyck
587ae6a575
deps: limit Terraform version to FOSS releases (#2241)
* deps: limit Terraform version to FOSS releases

* fix: enforce upper version constraint

---------

Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-08-16 23:25:53 +02:00
Daniel Weiße
c2bb884a04
cli: fix incorrect file path for master secret during upgrades when using workspace flag (#2249)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-16 15:38:40 +02:00
Adrian Stobbe
5574092bcf
ref: update code for 2.11 (#2239)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-08-16 11:34:58 +02:00
Daniel Weiße
ed0bfd9d41
cli: move helm and terraform out of kubernetes package (#2222)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-16 09:59:32 +02:00
Adrian Stobbe
0332a3645f
cli: update join-config manually during upgrade (#2229)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-08-15 13:58:04 +02:00
3u13r
c597ffb1cf
upgrade: don't pass vm image (#2211) 2023-08-14 15:16:07 +02:00
Adrian Stobbe
58e9906811
only allow chart upgrades with greater version (#2224) 2023-08-14 15:08:25 +02:00
3u13r
8c321ec1ab
cli: add role to aws instance name (#2130) 2023-08-14 13:42:20 +02:00
Adrian Stobbe
1af13878a0
fix configmap backup during upgrade (#2219) 2023-08-14 09:16:46 +02:00
Adrian Stobbe
4788467bca
cli: upgrade uses same helm releases as init (#2177) 2023-08-11 15:18:59 +02:00
Daniel Weiße
0e73e625d1
cli: don't refer to a message below, as it was printed above (#2216)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-11 14:35:25 +02:00
Daniel Weiße
dcd1c8bd1e Fix CSI chart version not being compared to CLI version
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-11 12:20:21 +02:00
Daniel Weiße
589ac8c400
cli: correctly print absolute path for kubeconfig (#2207)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-11 10:40:27 +02:00
Daniel Weiße
e30179a8aa Remove manual state migration steps for AWS
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-10 15:46:59 +02:00
Malte Poll
9aa14f58eb
bazel: remove stale build rules (#2202) 2023-08-10 11:16:06 +02:00
Daniel Weiße
89b342900f Move workspace path functions to sub-package of cmd
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-09 15:42:24 +02:00
Daniel Weiße
99c579b45a Add package design goals to CLI package documentation
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-09 15:42:24 +02:00
Daniel Weiße
21c80e7bf3 Remove iamid package
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-09 15:42:24 +02:00
Daniel Weiße
23394ea2e2
cli: fix missing safety check in ShowIAM (#2165)
* Add missing safety check to ShowIAM

* someErr->assert.AnError

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-09 15:25:59 +02:00
Daniel Weiße
c9cae643e2
internal: fix unmarshalling attestation version numbers from JSON (#2187)
* Fix unmarshalling attestation version numbers from JSON

* Add unit test for UnmarshalJSON

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-09 15:11:14 +02:00
Adrian Stobbe
656cdbb4bb
remove unused CloudServiceAccountUri from init request (#2182) 2023-08-09 14:16:45 +02:00
Adrian Stobbe
70861ee8ad
cli: declare mastersecret as immutable and print attestationCfg diff in warning (#2167) 2023-08-08 13:03:23 +02:00
Paul Meyer
e97b2afc14 cli: print maa token in verify
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-08 11:50:26 +02:00
Daniel Weiße
8dbe79500f
cli: fix incorrect usage of masterSecret salt for clusterID generation (#2169)
* Fix incorrect use of masterSecret salt for clusterID generation

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-08-07 15:24:46 +02:00
Malte Poll
15bb9588d7
cli: update config migration to migrate v3 -> v4 (#2166) 2023-08-04 15:57:36 +02:00
Daniel Weiße
d1ace13713
cli: add --workspace flag to set base directory for Constellation workspace (#2148)
* Remove `--config` and `--master-secret` falgs

* Add `--workspace` flag

* In CLI, only work on files with paths created from `cli/internal/cmd`

* Properly print values for GCP on IAM create when not directly updating the config

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-04 13:53:51 +02:00
renovate[bot]
ec33530c38
deps: update gcr.io/kubebuilder/kube-rbac-proxy Docker tag to v0.14.1 (#2063)
* deps: update gcr.io/kubebuilder/kube-rbac-proxy Docker tag to v0.14.1
* deps: use gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-08-04 13:49:38 +02:00
Malte Poll
7bfcb0bd5d cli: remove old config migration from v2 to v3 2023-08-04 12:36:45 +02:00
Malte Poll
56089a4c70 cli: update init_test to use nodeGroups 2023-08-04 12:36:45 +02:00
Malte Poll
7dfac1f758 cli: use nodeGroups when setting default disk size for QEMU 2023-08-04 12:36:45 +02:00
Malte Poll
0c20ccb477 terraform: create nodeGroups in tfvars from nodeGroups in config 2023-08-04 12:36:45 +02:00
Malte Poll
d0ec7a3e54 terraform: move OpenStack flavorID into nodeGroups 2023-08-04 12:36:45 +02:00
Malte Poll
3047cb2798 create: deprecate --control-plane-nodes and --worker-nodes flags
Also print and configure node groups
2023-08-04 12:36:45 +02:00
Malte Poll
c0177c565f config: update tests 2023-08-04 12:36:45 +02:00
Malte Poll
15bb3b31fd config: add nodeGroups 2023-08-04 12:36:45 +02:00
Daniel Weiße
374f8c7dae
cli: fix missing init parameters in mini up (#2159)
* Fix missing init parameters in mini up

* Remove redundant passing of file.Handler in init functions

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-04 10:42:09 +02:00
Moritz Sanft
af05e17f49
ci: keep embedded measurements if stable image is used (#2109)
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-08-04 09:43:32 +02:00
3u13r
720c48ea45
cli: refactor terraform output parsing (#2158) 2023-08-03 16:17:23 +02:00
Adrian Stobbe
70ce195a5f
cli: unify chart value setup (#2153) 2023-08-03 13:54:48 +02:00
3u13r
5119d843f1
terraform: fix uami parsing (#2155) 2023-08-03 13:22:26 +02:00
Adrian Stobbe
13eea1ca31
cli: install cilium in cli instead of bootstrapper (#2146)
* add wait and restartDS

* cilium working (tested on azure + gcp)

* clean helm code from bootstrapper

* fixup! clean helm code from bootstrapper

* fixup! clean helm code from bootstrapper

* fixup! clean helm code from bootstrapper

* add patchnode for gcp

* fix gcp

* patch node inside bootstrapper

* apply renaming of client

* fixup! apply renaming of client

* otto feedback
2023-08-02 15:49:40 +02:00
renovate[bot]
7e3123232e
deps: update Terraform azurerm to v3.67.0 (#2147)
Also update Azure terraform: 
ignore snp policy changes on resource

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-08-02 08:15:22 +02:00
Otto Bittner
dac690656e
api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 16:48:13 +02:00
Adrian Stobbe
26480016a9
azure: fix ccm config with correct uami client_id (#2144)
* fix azure ccm config with correct uami client_id

* fix tests
2023-08-01 08:40:44 +02:00
Adrian Stobbe
26305e8f80
cli: install helm charts in cli instead of bootstrapper (#2136)
* init

* fixup! init

* gcp working?

* fixup! fixup! init

* azure cfg for microService installation

* fixup! azure cfg for microService installation

* fixup! azure cfg for microService installation

* cleanup bootstrapper code

* cleanup helminstall code

* fixup! cleanup helminstall code

* Update internal/deploy/helm/install.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* daniel feedback

* TODO add provider (also to CreateCluster) so we can ensure that provider specific output

* fixup! daniel feedback

* use debugLog in helm installer

* placeholderHelmInstaller

* rename to stub

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-07-31 10:53:05 +02:00
Paul Meyer
372aa0fc08 verify: print formatted SNP report
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-31 08:18:50 +02:00
Paul Meyer
c8b1765e1d verify: use helper function for format writing
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-31 08:18:50 +02:00
Paul Meyer
8e7f4cd046 verify: print VCEK extension values
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-31 08:18:50 +02:00
Daniel Weiße
9bc8217fcd
cli: output CSI driver versions on status (#2128)
* Output CSI driver versions

* Improve status output

* Correctly update CSI version on upgrades

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-27 16:14:36 +02:00
Daniel Weiße
28e29ffe61
cli: don't backup CRs that cannot be found (#2133)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-27 10:28:56 +02:00
Adrian Stobbe
a3184af7a2
cli: add iam upgrade apply (#2132)
* add new iam upgrade apply

* remove iam tf plan from upgrade apply check

* add iam migration warning to upgrade apply

* update release process

* document migration

* Apply suggestions from code review

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* add iam upgrade

* remove upgrade dir check in test

* ask only without --yes

* make iam upgrade provider specific

* test without seperate logins

* remove csi and only add conditionally

* Revert "test without seperate logins"

This reverts commit 05a12e59c9.

* fix msising cred

* support iam migration for all csps

* add iam upgrade label

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-07-26 17:29:03 +02:00
Otto Bittner
7db058f946
cli: wait for public ip update before reading fqdn (#2135) 2023-07-26 15:23:37 +02:00
Adrian Stobbe
7776a890d4
remove csi and only add conditionally (#2138) 2023-07-26 12:45:47 +02:00
Otto Bittner
1d5a8283e0
cli: use Semver type to represent microservice versions (#2125)
Previously we used strings to pass microservice versions. This invited
bugs due to missing input validation.
2023-07-25 14:20:25 +02:00
Adrian Stobbe
04dc6256e6
cli: only install aws-lb and csi charts conditionally (#2131)
* init

* upgrade csi chart conditionally
2023-07-25 10:54:47 +02:00
Adrian Stobbe
39cea48741
aws: fix get version error (#2127)
* init

* only add awsLB to versions if installed
2023-07-24 14:25:11 +02:00
Adrian Stobbe
92abb890ef
upgrade: retry when node image update fails due to conflict error (#2123)
* retry when node image update fails due to conflict error

* improve test
2023-07-24 12:15:11 +02:00
Adrian Stobbe
a87b7894db
aws: use new LB controller to fix SecurityGroup cleanup on K8s service deletion (#2090)
* add current chart

add current helm chart

* disable service controller for aws ccm

* add new iam roles

* doc AWS internet LB + add to LB test

* pass clusterName to helm for AWS LB

* fix update-aws-lb chart to also include .helmignore

* move chart outside services

* working state

* add subnet tags for AWS subnet discovery

* fix .helmignore load rule with file in subdirectory

* upgrade iam profile

* revert new loader impl since cilium is not correctly loaded

* install chart if not already present during `upgrade apply`

* cleanup PR + fix build + add todos

cleanup PR + add todos

* shared helm pkg for cli install and bootstrapper

* add link to eks docs

* refactor iamMigrationCmd

* delete unused helm.symwallk

* move iammigrate to upgrade pkg

* fixup! delete unused helm.symwallk

* add to upgradecheck

* remove nodeSelector from go code (Otto)

* update iam docs and sort permission + remove duplicate roles

* fix bug in `upgrade check`

* better upgrade check output when svc version upgrade not possible

* pr feedback

* remove force flag in upgrade_test

* use upgrader.GetUpgradeID instead of extra type

* remove todos + fix check

* update doc lb (leo)

* remove bootstrapper helm package

* Update cli/internal/cmd/upgradecheck.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* final nits

* add docs for e2e upgrade test setup

* Apply suggestions from code review

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/helm/loader.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/cmd/tfmigrationclient.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* fix daniel review

* link to the iam permissions instead of manually updating them (agreed with leo)

* disable iam upgrade in upgrade apply

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Malte Poll
2023-07-24 10:30:53 +02:00
Malte Poll
8da6a23aa5
bootstrapper: add fallback endpoint and custom endpoint to SAN field (#2108)
terraform: collect apiserver cert SANs and support custom endpoint

constants: add new constants for cluster configuration and custom endpoint

cloud: support apiserver cert sans and prepare for endpoint migration on AWS

config: add customEndpoint field

bootstrapper: use per-CSP apiserver cert SANs

cli: route customEndpoint to terraform and add migration for apiserver cert SANs

bootstrapper: change interface of GetLoadBalancerEndpoint to return host and port separately
2023-07-21 16:43:51 +02:00
Otto Bittner
cf822f7eee
cli: unify terraform variable creation (#2119)
Before we defined the variables twice.
Once for upgrades, once for create.
Also move default node group names into a constant
2023-07-21 10:04:29 +02:00
3u13r
f9391ed903
cli: print supported k8s versions on error (#2121) 2023-07-20 16:09:23 +02:00
Daniel Weiße
845253373d Add check to cilium vals loading
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:47:12 +02:00
Daniel Weiße
cf0ac148f3 Move control-plane tolerations var
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:47:12 +02:00
Daniel Weiße
e0ad836fdc Fix README
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:47:12 +02:00
Daniel Weiße
9d8e2043a2 Add upgrade path for new/not-installed charts
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:47:12 +02:00
Daniel Weiße
ea5c83587c Move CSI charts to separate chart and cleanup loader code
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:47:12 +02:00
Daniel Weiße
aa00c43156 Add missing validating webhook configuration
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:47:12 +02:00
Daniel Weiße
8619a90149 Deploy CSI snapshotter on init
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:47:12 +02:00
Otto Bittner
c2849f4bbe
cli: ignore name changes on lb public ip resource (#2117)
Changing the name forces a recreate, which would break existing clusters.
The name change seems to be "only" about having clearer names.
2023-07-19 10:15:23 +02:00
Malte Poll
f597c12bca
cli: set Azure ConfidentialVM option in terraform vars when migrating (#2113) 2023-07-18 10:30:55 +02:00
Moritz Sanft
9bc143ea7f
remove unused file.Handler (#2114) 2023-07-18 10:17:01 +02:00
Moritz Sanft
5f71934f56
cli: write Terraform migration output directly to constellation-id.json (#2107)
* backup `constellation-id.json` before upgrade

* remove superfluous `file.Handler` arguments

* merge `constellation-id.json` on upgrade

* fix typo
2023-07-18 09:33:42 +02:00
Malte Poll
5cbdb3a519
terraform: allows cluster name length of 10 characters on AWS (#2110) 2023-07-17 17:45:41 +02:00
Malte Poll
26f4a13934
cli: allow helm upgrades with old k8s patch version (#2095) 2023-07-12 12:42:51 +02:00
Malte Poll
37af5f5f50
cli: allow upgrade to succeed if desired attestation config == actual config (#2094) 2023-07-12 11:53:00 +02:00
Malte Poll
738b22caba
cli: fix broken "constellation mini up" due to incompatible terraform json (#2081)
* deps: downgrade terraform-json to v0.15.0

terraform-exec requires a matching version of terraform json.
Since the latest released version of terraform-exec still uses terraform-json v0.15.0,
we need to stay on that version.

* cli: add "--skip-helm-wait" flag for "constellation init" to "constellation mini up"
2023-07-10 15:16:45 +02:00
Otto Bittner
ef526562df
cli: remove old migrations (#2079)
The migrations are not required for upgrading from 2.8.
2023-07-10 14:03:45 +02:00
Malte Poll
1ff40533f1
cli: add "--skip-helm-wait" flag (#2061)
* cli: add "--skip-helm-wait" flag

This flag can be used to disable the atomic and wait flags during helm install.
This is useful when debugging a failing constellation init, since the user gains access to
the cluster even when one of the deployments is never in a ready state.
2023-07-07 17:09:45 +02:00
Adrian Stobbe
7e83991154
feat: status shows attestation config (#2056)
* init

* update doc

* fix tests

* unmarshal typed attestation config for consistent yaml formatting

* fix comments

* marshal numerical attestation values in join-config

* GetAttestationConfig marshals numerical value
2023-07-07 17:02:01 +02:00
renovate[bot]
f364bd6b9d
deps: update Terraform google-beta to v4.72.0 (#2027)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-06 11:53:40 +02:00
renovate[bot]
3f1faead94
deps: update Terraform google to v4.72.0 (#2026)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-06 11:53:15 +02:00
renovate[bot]
ff74afa00d
deps: update Terraform azurerm to v3.63.0 (#2025)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-06 11:52:44 +02:00
renovate[bot]
bf09313dcf
deps: update Terraform aws to v5.6.2 (#2024)
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-07-06 10:21:35 +02:00
Thomas Tendyck
274fed0990 cli: fix/improve some user-facing strings 2023-07-06 09:05:17 +02:00
renovate[bot]
e6dbb13c6c
deps: update Terraform openstack to v1.52.1 (#2028)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-05 16:52:58 +02:00
Malte Poll
4283601433
operators: infrastructure autodiscovery (#1958)
* helm: configure GCP cloud controller manager to search in all zones of a region

See also: d716fdd452/providers/gce/gce.go (L376-L380)

* operators: add nodeGroupName to ScalingGroup CRD

NodeGroupName is the human friendly name of the node group that will be exposed to customers via the Constellation config in the future.

* operators: support simple executor / scheduler to reconcile on non-k8s resources

* operators: add new return type for ListScalingGroups to support arbitrary node groups

* operators: ListScalingGroups should return additionally created node groups on AWS

* operators: ListScalingGroups should return additionally created node groups on Azure

* operators: ListScalingGroups should return additionally created node groups on GCP

* operators: ListScalingGroups should return additionally created node groups on unsupported CSPs

* operators: implement external scaling group reconciler

This controller scans the cloud provider infrastructure and changes k8s resources accordingly.
It creates ScaleSet resources when new node groups are created and deletes them if the node groups are removed.

* operators: no longer create scale sets when the operator starts

In the future, scale sets are created dynamically.

* operators: watch for node join/leave events using a controller

* operators: deploy new controllers

* docs: update auto scaling documentation with support for node groups
2023-07-05 07:27:34 +02:00
Adrian Stobbe
e72ec60d13
config: iam create aws check zone contains availability zone (#1913)
* init

* make zone flag mandatory again

* add info about zone update + refactor

* add comment in docs about zone update

* Update cli/internal/cmd/iamcreate_test.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* thomas feedback

* add format check to config validation

* remove TODO

* Update docs/docs/workflows/config.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* thomas nit

---------

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-07-04 13:55:52 +02:00
Adrian Stobbe
c39df2f7da
terraform: openstack node groups (#1966)
* openstack

* rename to base_name

* fix openstack boot vtpm

* add docs for accessing bootstrapper logs

* rename to initial count
2023-07-03 16:33:00 +02:00
Malte Poll
d43242a55f
deps: upgrade AWS CSI driver to v1.1.1 (#1998) 2023-07-03 16:26:42 +02:00
Daniel Weiße
90dbeae16b
cli: fix duplicate backup creation during upgrade apply (#1997)
* Use CLI to fetch measurements in e2e test

* Abort helm service upgrade early if user confirmation is missing

* Add container push to CLI build action

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-03 15:13:36 +02:00
Malte Poll
66f1333c31
terraform: use single zone loadbalancer frontend on AWS (#1983)
This change is required to ensure we have not tls handshake errors when connecting to the kubernetes api.
Currently, the certificates used by kube-apiserver pods contain a SAN field with the (single) public ip of the loadbalancer.
If we would allow multiple loadbalancer frontend ips, we could encounter cases where the certificate is only valid for one public ip,
while we try to connect to a different ip.
To prevent this, we consciously disable support for the multi-zone loadbalancer frontend on AWS for now.
This will be re-enabled in the future.
2023-06-30 16:56:31 +02:00
Daniel Weiße
d95ddd01d3
helm: fix upgrade command unintentionally skipping all service upgrades (#1992)
* Fix usage of errors.As in upgrade command implementation

* Use struct pointers when working with custom errors

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-06-30 16:46:05 +02:00
Daniel Weiße
5a9f9c0a52
bootstraper: delete helm chart on installation failure before retrying installation (#1977)
* Delete helm chart on failure before retrying installation

* Add chart name to debug output

* Remove now unused wait flag from helm Release struct

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-06-30 15:13:29 +02:00
Malte Poll
5f8ea1348a
terraform: instance_count => initial_count (#1989)
Normalize naming for the "instance_count" / "initial_count" int terraform to always use "initial_count".
This is required, since there is a naming confusion on AWS.
"initial_count" is more precise, since it reflects the fact that this value is ignored when applying the terraform template
after the scaling groups already exist.
2023-06-30 10:53:00 +02:00
Moritz Sanft
7ad284d672
cli: deploy aws csi driver per default (#1981)
* add aws csi driver helm chart

* update chart

* add CSI driver to Constellation default deployment

* generate config doc

* update buildfiles

* use upstream chart

* update buildfile

* set `DeployCSIDriver` in default config

* fix helm test

* whitespace
2023-06-30 08:46:32 +02:00
Malte Poll
f64e44a438 aws: support LBs in multiple zones when retrieving metadata 2023-06-28 18:13:01 +02:00
Malte Poll
3edc1c3ebb cli: manual AWS terraform state transitions
This commit is designed to be reverted in the future (AB#3248).
Terraform does not implement moved blocks with dynamic targets: https://github.com/hashicorp/terraform/issues/31335 so we have to migrate the terraform state ourselves.
2023-06-28 18:13:01 +02:00
Malte Poll
22ebdace43 terraform: aws node groups 2023-06-28 18:13:01 +02:00
miampf
77b28cb5e7
cli: change generate-config flag to update-config flag (#1897) 2023-06-28 12:47:44 +00:00
Adrian Stobbe
9bb91ca447
terraform: QEMU node groups (#1961)
* init

add variables

add amount to instance_group again

fix tf validate

rollback old names

make fields optional

fix image ref mini

daniel comments

use latest

* Update cli/internal/terraform/terraform/qemu/main.tf

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>

* add uid to resource name

* make machine a global variable again

* fix tf

---------

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-06-28 14:42:34 +02:00
Adrian Stobbe
161bb37cba
config: improve usage and meaning of validate (#1975)
* discuss miniup config.Default() usage + discourage usage for Default() in comment

* Update internal/config/config_test.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* add enterprise version check for config.Default

* split config comment lines

* daniel feedback

* featureset.CanUseEmbeddedMeasurmentsAndImage

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-28 10:28:48 +02:00
Adrian Stobbe
1edbe962c1
cli: fail fast when CLI and Constellation versions don't match (#1972)
* fail on version mismatch

* rename to validateCLIandConstellationVersionAreEqual

* fix test

* image version must only be major,minor patch equal (ignore suffix)

* add version support doc

* fix: do not check patch version equality for image and cli

* skip validate on force
2023-06-27 18:24:35 +02:00
Moritz Sanft
fe0b8c1e5b
remove Terraform targets (#1970) 2023-06-27 11:27:50 +02:00
Otto Bittner
0a36ce6171
config: validate instance type for aws SNP based on attestation variant (#1963)
* config: validate instance type for aws SNP

* apply suggestions
2023-06-26 17:05:12 +02:00
Thomas Tendyck
46e144d19b Use term "attestation variant" consistently 2023-06-26 08:54:11 +02:00
Daniel Weiße
e139eff552
fix: small formating/spelling issues (#1965)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-06-26 08:34:37 +02:00
Malte Poll
92cd9c1dac
terraform: always use uniform role names (#1960) 2023-06-23 12:08:30 +02:00
Otto Bittner
7388240943
Revert "attestation: add SNP-based attestation for aws-sev-snp (#1916)" (#1957)
This reverts commit c7d12055d1.
2023-06-22 17:08:44 +02:00
Adrian Stobbe
487fa1e397
terraform: azure node groups (#1955)
* init

* migration working

* make tf variables with default value optional in go through ptr type

* fix CI build

* pr feedback

* add azure targets tf

* skip migration for empty targets

* make instance_count optional

* change role naming to dashed + add validation

* make node_group.zones optional

* Update cli/internal/terraform/terraform/azure/main.tf

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>

* malte feedback

---------

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-06-22 16:53:40 +02:00
Moritz Sanft
224c74f883
csi: aws csi driver policies (#1945)
* add required disk permissions

* update worker node policy for ebs

* Revert "update worker node policy for ebs"

This reverts commit 9c24d374e0b30bc8970e00978462fb36ee6acd4f.

* attach aws managed role instead

* add TODO comment

* remove duplicate role attachment

* Update cli/internal/terraform/terraform/iam/aws/main.tf

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-22 14:15:05 +02:00
Adrian Stobbe
4546912f11
cli: upgrade apply --force skips all compatibility checks (#1940)
* use force to skip compatibility and upgrade in progress check

* update doc

* fix tests

* add force check for helm and k8s

* add no-op check

* fix errors as
2023-06-21 15:49:42 +02:00
Otto Bittner
c7d12055d1
attestation: add SNP-based attestation for aws-sev-snp (#1916)
* config: move AMD root key to global constant
* attestation: add SNP based attestation for aws
* Always enable SNP, regardless of attestation type.
* Make AWSNitroTPM default again

There exists a bug in AWS SNP implementation where sometimes
a host might not be able to produce valid SNP reports.
Since we have to wait for AWS to fix this we are merging SNP
attestation as opt-in feature.
2023-06-21 14:19:55 +02:00
Moritz Sanft
b25228d175
cli: store upgrade files in versioned folders (#1929)
* upgrade versioning

* dont pass upgrade kind as boolean

* whitespace

* fix godot lint check

* clarify upgrade check directory suffix

* cli: dry-run Terraform migrations on `upgrade check` (#1942)

* dry-run Terraform migrations on upgrade check

* clean whole upgrade dir

* clean up check workspace after planning

* fix parsing

* extend upgrade check test

* rename unused parameters

* exclude false positives in test
2023-06-21 09:22:32 +02:00
Adrian Stobbe
be4a636361
cli: improve user warning / information (#1933)
* print success

* warn when debug img but !debugCluster

* malte feedback

* rename to IsNamedLikeDebugImage
2023-06-19 16:51:39 +02:00
Malte Poll
2808012c9c
terraform: gcp node groups (#1941)
* terraform: GCP node groups

* cli: marshal GCP node groups to terraform variables

This does not have any side effects for users.
We still strictly create one control-plane and one worker group.
This is a preparation for enabling customizable node groups in the future.
2023-06-19 13:02:01 +02:00
renovate[bot]
ab52e6d4c5
fix: GCP service account creation fails sometimes (#1935)
* deps: update Terraform google to v4.69.1

* deps: tidy all modules

* add delay for service account

* deps: tidy all modules

* add delay for service account

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-16 09:37:31 +02:00
Adrian Stobbe
07de6482b2
config: drop support for deprecated Azure's service principal authentication (#1906)
* invalidate app client id field for azure and provide info

* remove TestNewWithDefaultOptions case

* fix test

* remove appClientID field

* remove client secret + rename err

* remove from docs

* otto feedback

* update docs

* delete env test in cfg since no envs set anymore

* Update dev-docs/workflows/github-actions.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* WARNING to stderr

* fix check

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-14 17:50:57 +02:00
3u13r
a2c98eb1d5
Correctly deploy the AWS CCM (#1853)
* aws: stop using the imds api for tags

* aws: disable tags in imds api

* aws: only tag instances with non-lecagy tag

* bootstrapper: always let coredns run before cilium

* debugd: make debugd less noisy

* fixup fix aws imds test

* fixup unsued context

* move getting instance id to readInstanceTag
2023-06-13 09:58:39 +02:00
Adrian Stobbe
e738f15f0f
cdbg: make endpoint deployment failure more transparent (#1883)
* add retry + timeout + intercept grpc logs

* LogStateChanges inside grplog pkg

* remove retry and tj/assert

* rename nit

* Update debugd/internal/cdbg/cmd/deploy.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update debugd/internal/cdbg/cmd/deploy.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* paul feedback

* return waitFn instead of WaitGroup

* Revert "return waitFn instead of WaitGroup"

This reverts commit 45700f30e341ce3af509b687febbc0125f7ddb38.

* log routine inside debugd constructor

* test doubles names

* Update debugd/internal/cdbg/cmd/deploy.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* fix newDebugClient closeFn

---------

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-06-12 13:45:34 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP as new variant (#1900)
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Thomas Tendyck
947d0cb20a cli: hide --insecure of config fetch-measurements 2023-06-09 15:07:31 +02:00
Adrian Stobbe
3fde118b33
config: enable azure snp version fetcher again + minimum age for latest version (#1899)
* fetch latest version when older than 2 weeks

* extend hack upload tool to pass an upload date

* Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8  (#1882)"

This reverts commit c7b22d314a.

* fix tests

* use NewAzureSEVSNPVersionList for type guarantees

* Revert "use NewAzureSEVSNPVersionList for type guarantees"

This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4.

* assure list is sorted

* improve root.go style

* daniel feedback
2023-06-09 12:48:12 +02:00
Adrian Stobbe
d9c604ed2c
terraform: update aws to v5.1.0 (#1891) 2023-06-09 10:37:25 +02:00
Adrian Stobbe
4284f892ce
api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi (#1876)
* rename to attestationconfigapi + put client and fetcher inside pkg

* rename api/version to versionsapi and put fetcher + client inside pkg

* rename AttestationConfigAPIFetcher to Fetcher
2023-06-07 16:16:32 +02:00
Malte Poll
b3c052e299
operators: cleanup placeholder nodeversion (#1881)
* operators: cleanup placeholder nodeversion
* e2e: improve upgrade test portability
2023-06-06 15:22:06 +02:00