* wip: switch to attestation
* add extra comments
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* MAA checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use provided functions to parse report / cert chain
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* replace `CommitedTCB` check with `LaunchTCB` check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove debug check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove `LaunchTCB` == `CommitedTCB` check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* custom IdKeyDigests check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* basic test of report parsing from instance info
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* retrieve VCEK from AMD KDS
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove VCEK from `azureInstanceInfo`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use `go-sev-guest` TCB version type
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validation parsing test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix error message
* fix comment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove certificate chain from `instanceInfo`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add test for idkeydigest check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip: update tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] debug prints
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip: fix tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip: fix tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix tests, do some clean-up
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add test case for fetching error
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* correct `hack` dependency
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix id key check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] comment out wip unit tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing newline
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* switch to released version of `go-sev-guest`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add constructor test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add VMPL check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add test assertions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* switch to pseudoversion
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use fork with windows fix
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use data from THIM
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update embeds
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* verify against ARK in config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* invalid ASK
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: 3u13r <lc@edgeless.systems>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: 3u13r <lc@edgeless.systems>
* nits
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* refactoring
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* use upstream library with pseudoversion
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* simplify control flow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix return error
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix VCEK test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* revert unintentional changes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use new upstream release
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix removed AuthorKeyEn field
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix verification report printing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* increase ASG timeout
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make timeout dependent on SEV-SNP option
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* perform upgrades in-place in terraform workspace
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add iam upgrade apply test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make config fetcher stubbable
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* change workspace restoring behaviour
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* allow overwriting existing Terraform files
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* allow overwrites of TF variables
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix iam upgrade apply
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix embed directive
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make loader test less brittle
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* pass upgrade ID to user
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* naming nit
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use upgradeDir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Check chart versions against target in users config
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Cleaner cli-config version support checking
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Return InvalidUpgradeError
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Print measurements as ordered list during verify
* Fix missing safety check in AWS attestation validation
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Disabling SMT dynamically inside the image creates problems on AWS.
The problem should be fixed by disabling smt through the VMM.
By recommendation from AWS: add idle=poll.
This should improve our launch success rate while they investigate some
upstream issues.
* Move IAM migration client to cloudcmd package
* Move Terraform Cluster upgrade client to cloudcmd package
* Use hcl for creating Terraform IAM variables files
* Unify terraform upgrade code
* Rename some cloudcmd files for better clarity
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Replace UpdateAttestationConfig with ApplyJoinConfig
* Dont set up join-config over Helm, it is now only managed by our CLI directly during init and upgrade
* Remove measurementSalt and attestationConfig parsing from helm, they were only needed for the JoinConfig
* Add migration step to remove join-config from Helm management
* Update attestation config trouble shooting tip
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Clean up Terraform pkg
* Add note to Terraform migration functions expecting to be run on initialized workspace
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* deps: limit Terraform version to FOSS releases
* fix: enforce upper version constraint
---------
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
* Fix unmarshalling attestation version numbers from JSON
* Add unit test for UnmarshalJSON
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Fix incorrect use of masterSecret salt for clusterID generation
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
* Remove `--config` and `--master-secret` falgs
* Add `--workspace` flag
* In CLI, only work on files with paths created from `cli/internal/cmd`
* Properly print values for GCP on IAM create when not directly updating the config
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Fix missing init parameters in mini up
* Remove redundant passing of file.Handler in init functions
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Also update Azure terraform:
ignore snp policy changes on resource
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* add new iam upgrade apply
* remove iam tf plan from upgrade apply check
* add iam migration warning to upgrade apply
* update release process
* document migration
* Apply suggestions from code review
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* add iam upgrade
* remove upgrade dir check in test
* ask only without --yes
* make iam upgrade provider specific
* test without seperate logins
* remove csi and only add conditionally
* Revert "test without seperate logins"
This reverts commit 05a12e59c9.
* fix msising cred
* support iam migration for all csps
* add iam upgrade label
---------
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* add current chart
add current helm chart
* disable service controller for aws ccm
* add new iam roles
* doc AWS internet LB + add to LB test
* pass clusterName to helm for AWS LB
* fix update-aws-lb chart to also include .helmignore
* move chart outside services
* working state
* add subnet tags for AWS subnet discovery
* fix .helmignore load rule with file in subdirectory
* upgrade iam profile
* revert new loader impl since cilium is not correctly loaded
* install chart if not already present during `upgrade apply`
* cleanup PR + fix build + add todos
cleanup PR + add todos
* shared helm pkg for cli install and bootstrapper
* add link to eks docs
* refactor iamMigrationCmd
* delete unused helm.symwallk
* move iammigrate to upgrade pkg
* fixup! delete unused helm.symwallk
* add to upgradecheck
* remove nodeSelector from go code (Otto)
* update iam docs and sort permission + remove duplicate roles
* fix bug in `upgrade check`
* better upgrade check output when svc version upgrade not possible
* pr feedback
* remove force flag in upgrade_test
* use upgrader.GetUpgradeID instead of extra type
* remove todos + fix check
* update doc lb (leo)
* remove bootstrapper helm package
* Update cli/internal/cmd/upgradecheck.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* final nits
* add docs for e2e upgrade test setup
* Apply suggestions from code review
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/helm/loader.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/cmd/tfmigrationclient.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* fix daniel review
* link to the iam permissions instead of manually updating them (agreed with leo)
* disable iam upgrade in upgrade apply
---------
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Malte Poll
terraform: collect apiserver cert SANs and support custom endpoint
constants: add new constants for cluster configuration and custom endpoint
cloud: support apiserver cert sans and prepare for endpoint migration on AWS
config: add customEndpoint field
bootstrapper: use per-CSP apiserver cert SANs
cli: route customEndpoint to terraform and add migration for apiserver cert SANs
bootstrapper: change interface of GetLoadBalancerEndpoint to return host and port separately
