Commit Graph

47 Commits

Author SHA1 Message Date
Daniel Weiße
6c24963570
attestationconfigapi: revise upload frequency (#3238)
* Add attestationconfigapi compare command
* Only upload the lowest version for each verify test

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-07-10 12:59:02 +02:00
Daniel Weiße
d67d0ac9df Enable upload of TDX reports to Constellation CDN
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-27 09:09:13 +02:00
Daniel Weiße
9159b60331 Implement support for "latest" placeholders for Azure TDX
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-27 09:09:13 +02:00
Daniel Weiße
a34493caa6 Enable versions API to handle TDX versions
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-27 09:09:13 +02:00
Daniel Weiße
fbddbc9867 Dont re-marshal fetched objects
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-27 09:09:13 +02:00
Daniel Weiße
cd4c90af7e Rename apifetcher methods
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-27 09:09:13 +02:00
Daniel Weiße
52a65c20ac Move upload/delete code to its own package
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-27 09:09:13 +02:00
Moritz Sanft
913b09aeb8
Support SEV-SNP on GCP (#3011)
* terraform: enable creation of SEV-SNP VMs on GCP

* variant: add SEV-SNP attestation variant

* config: add SEV-SNP config options for GCP

* measurements: add GCP SEV-SNP measurements

* gcp: separate package for SEV-ES

* attestation: add GCP SEV-SNP attestation logic

* gcp: factor out common logic

* choose: add GCP SEV-SNP

* cli: add TF variable passthrough for GCP SEV-SNP variables

* cli: support GCP SEV-SNP for `constellation verify`

* Adjust usage of GCP SEV-SNP throughout codebase

* ci: add GCP SEV-SNP

* terraform-provider: support GCP SEV-SNP

* docs: add GCP SEV-SNP reference

* linter fixes

* gcp: only run test with TPM simulator

* gcp: remove nonsense test

* Update cli/internal/cmd/verify.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update docs/docs/overview/clouds.md

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* linter fixes

* terraform_provider: correctly pass down CC technology

* config: mark attestationconfigapi as unimplemented

* gcp: fix comments and typos

* snp: use nonce and PK hash in SNP report

* snp: ensure we never use ARK supplied by Issuer (#3025)

* Make sure SNP ARK is always loaded from config, or fetched from AMD KDS
* GCP: Set validator `reportData` correctly

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* attestationconfigapi: add GCP to uploading

* snp: use correct cert

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: enable fetching of attestation config values for GCP SEV-SNP

* linter fixes

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2024-04-16 18:13:47 +02:00
miampf
840f460bac
logging: unify debug log message format (#2997) 2024-04-03 13:49:03 +00:00
Malte Poll
65903459a0 chore: fix unused parameter lint in new golangcilint version 2024-02-21 17:54:07 +01:00
miampf
54cce77bab
deps: convert zap to slog (#2825) 2024-02-08 14:20:01 +00:00
Malte Poll
3a5753045e goleak: ignore rules_go SIGTERM handler
rules_go added a SIGTERM handler that has a goroutine that survives the scope of the goleak check.
Currently, the best known workaround is to ignore this goroutine.

https://github.com/uber-go/goleak/issues/119
https://github.com/bazelbuild/rules_go/pull/3749
https://github.com/bazelbuild/rules_go/pull/3827#issuecomment-1894002120
2024-01-22 13:11:58 +01:00
Markus Rudy
ef6f63dc48
Fix various small things throughout the codebase (#2800)
* bootstrapper: remove obsolete log statement

* ci: simplify variable usage

Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com>

* cli: add missing formatting directive

* helm: fix rm invocation

* ci: document reproducible-builds workflow

* constants: use variables for measurement files

* constants: use variables for CDN distribution ID

* ci: make Helm version explicit

* api: prettify versionsapi-list output

* ci: remove obsolete docstring

---------

Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com>
2024-01-09 19:37:56 +01:00
renovate[bot]
bacb8ff886
deps: update AWS SDK (#2809)
* deps: update AWS SDK

* deps: fix AWS SDK upgrade breakage

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Markus Rudy <mr@edgeless.systems>
2024-01-09 16:18:33 +01:00
Adrian Stobbe
a2de1d23ec
terraform-provider: add attestation data source (#2640)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 17:30:11 +01:00
Otto Bittner
46f563c7ca ci: call TCB upload step for AWS 2023-11-24 15:49:48 +01:00
Otto Bittner
67348792dc api: add support to upload AWS TCB values
The attestationconfig api CLI now uploads SNP TCB
versions for AWS.
2023-11-24 15:49:48 +01:00
Otto Bittner
350397923f api: refactor attestationconfigapi client/fetcher
There is now one SEVSNPVersions type that has a variant
property. That property is used to build the correct JSON
path. The surrounding methods handling the version objects
are also updated to receive a variant argument and work
for multiple variants. This simplifies adding AWS support.
2023-11-24 15:49:48 +01:00
Otto Bittner
5542f9c63c api: refactor attestationcfgapi cli
The cli now takes CSP and object kind as argument.
Also made upload an explicit command and the report
path/version an argument.
Previously the report was a flag. The CSP was hardcoded.
There was only one object kind (snp-report).
2023-11-24 15:49:48 +01:00
Moritz Sanft
c922864f30
fetcher: respect HTTP(S)_PROXY environment variable (#2635) 2023-11-23 14:42:13 +01:00
Adrian Stobbe
5819a11d25
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 17:36:50 +02:00
Paul Meyer
c7b728f202 rename armcomputev4 -> armcomputev5
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-27 15:06:55 +02:00
Adrian Stobbe
118f789c2f
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 11:53:02 +02:00
Malte Poll
f399fe148b
api: rename references to moved hack/configapi (#2329)
Fixes 376bc6d39f
2023-09-11 10:57:32 +02:00
3u13r
a25c90e9bb
remove deprecated constellation create flags (#2325)
* chore: clean-up TODOs

* cli: make OpenStack error explicit

* cli: remove deprecated flags

* config: require DeployCSIDriver field
2023-09-08 21:15:02 +02:00
Otto Bittner
376bc6d39f api: move hack/configapi into internal/api
The tool has an e2e test and is part of our production pipeline.
2023-09-04 11:20:13 +02:00
Otto Bittner
97dc15b1d1 staticupload: correctly set invalidation timeout
Previously the timeout was not set in the client's constructor, thus the
zero value was used. The client did not wait for invalidation.
To prevent this in the future a warning is logged if wait is disabled.

Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-09-04 11:20:13 +02:00
Otto Bittner
fdaa5aab3c api: use new signature type for Azure SNP versions
* Remove signature checks from unittests. Would need to export
signature from client/fetcher (unwanted). Can't figure out a better way.
e2e test completes in ~4sec and runs automatically.
So seems like a acceptable tradeoff.
* list object is now signed, but not verified. If we start to verify the list
we will have to adapt the e2e test to restore the previous list.
Otherwise there could be conflicts between dev and release keys.
2023-09-04 11:20:13 +02:00
Otto Bittner
2b19632e09 api: refine signature types
Wrapping apiObject does not work as intended as the version field
is when fetching objects from the API. Thus we need to insert
the target path of the signature directly.
2023-09-04 11:20:13 +02:00
Otto Bittner
7ffa1344e3 Configapi: pipeline to run e2e test for CLI
Co-authored-by: Paul Meyer <pm@edgeless.systems>
2023-09-04 11:20:13 +02:00
renovate[bot]
2da3ae3f09
deps: update Azure SDK (major) (#2253)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-24 07:55:56 +02:00
Malte Poll
3352a9e988 bazel: set integration go build tag 2023-08-17 10:46:45 +02:00
Otto Bittner
dac690656e
api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 16:48:13 +02:00
Otto Bittner
9985ab3c92
api: remove empty files (#2141) 2023-07-26 17:25:12 +02:00
Thomas Tendyck
46e144d19b Use term "attestation variant" consistently 2023-06-26 08:54:11 +02:00
Adrian Stobbe
4f63481b7d
config: fix fetcher parse azure sev-snp version (#1911) 2023-06-12 16:04:54 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP as new variant (#1900)
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Adrian Stobbe
3fde118b33
config: enable azure snp version fetcher again + minimum age for latest version (#1899)
* fetch latest version when older than 2 weeks

* extend hack upload tool to pass an upload date

* Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8  (#1882)"

This reverts commit c7b22d314a.

* fix tests

* use NewAzureSEVSNPVersionList for type guarantees

* Revert "use NewAzureSEVSNPVersionList for type guarantees"

This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4.

* assure list is sorted

* improve root.go style

* daniel feedback
2023-06-09 12:48:12 +02:00
Adrian Stobbe
4284f892ce
api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi (#1876)
* rename to attestationconfigapi + put client and fetcher inside pkg

* rename api/version to versionsapi and put fetcher + client inside pkg

* rename AttestationConfigAPIFetcher to Fetcher
2023-06-07 16:16:32 +02:00
Adrian Stobbe
99a88c033c
api: use new signature JSON format (#1872)
* use new impl for client.UploadAzureSEVSNP

* fix: fetcher must parse new signature format

* version-file is not persistentflag

* fix fetcher tests
2023-06-05 16:10:44 +02:00
Adrian Stobbe
c446f36b0f
config: Azure SNP tool can delete specific version from attestation API (#1863)
* client supports delete version

* rename to new attestation / fetcher naming

* add delete command to upload tool

* test client delete

* bazel update

* use general client in attestation client

* Update hack/configapi/cmd/delete.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* daniel feedback

* unit test azure sev upload

* Update hack/configapi/cmd/delete.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* add client integration test

* new client cmds use apiObject

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
Otto Bittner
315b6c2f01
api: use correct error types in versions/cli (#1867)
Imported wrong error types during refactoring.
2023-06-05 10:51:05 +02:00
Adrian Stobbe
a813760f96
config: automatically upload new Azure SNP versions to API + sign version with release key (#1854)
* sign version with release key and remove version from fetcher interface
* extend azure-reporter GH action to upload updated version values to the Attestation API
2023-06-02 12:10:22 +02:00
Malte Poll
e1d3afe8d4
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839) 2023-06-02 11:20:01 +02:00
Otto Bittner
30f2b332b3
api: restructure api pkg (#1851)
* api: rename AttestationVersionRepo to Client
* api: move client into separate subpkg for
clearer import paths.
* api: rename configapi -> attestationconfig
* api: rename versionsapi -> versions
* api: rename sut to client
* api: split versionsapi client and make it public
* api: split versionapi fetcher and make it public
* config: move attestationversion type to config
* api: fix attestationconfig client test

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-02 09:19:23 +02:00
Adrian Stobbe
b51cc52945
config: sign Azure versions on upload & verify on fetch (#1836)
* add SignContent() + integrate into configAPI

* use static client for upload versions tool; fix staticupload calleeReference bug

* use version to get proper cosign pub key.

* mock fetcher in CLI tests

* only provide config.New constructor with fetcher

Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
Adrian Stobbe
0a6e5ec02e
config: dynamic attestation configuration through S3 backed API (#1808) 2023-05-25 17:43:44 +01:00