Otto Bittner
887dcda78b
s3proxy: add keyservice integration
...
Encrypt each object with a random DEK and attach
the encrypted DEK as object metadata.
Encrypt the DEK with a key from the keyservice.
All objects use the same KEK until a key rotation
takes place.
2023-10-06 11:23:32 +02:00
Otto Bittner
a7ceda37ea
s3proxy: add initial implementation
...
INSECURE!
The proxy intercepts GetObject and PutObject.
A manual deployment guide is included.
The decryption only relies on a hardcoded, static key.
Do not use with sensitive data; testing only.
* Ticket to track ranged GetObject: AB#3466.
2023-10-06 11:23:32 +02:00
katexochen
957f8ad203
image: update measurements and image version
2023-10-06 08:09:28 +02:00
Paul Meyer
b1d5d13990
github: replace discord with GitHub discussions
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-05 16:57:19 +02:00
Paul Meyer
53bfb3b71a
github: use new issue forms instead of template
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-05 16:57:19 +02:00
Moritz Sanft
2d797874c7
ci: add msanft to list of possible e2e assignees ( #2410 )
...
* add msanft to list of possible e2e assignees
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add msanft to teams card
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-05 13:54:45 +02:00
3u13r
1452e64675
Refactor Terraform to have all ports in a list ( #2409 )
...
* terraform: aws refactoring
* terraform: gcp refactoring
* terraform: azure refactoring
2023-10-05 12:34:02 +02:00
Daniel Weiße
f69ae26122
csi: fix concurrent use of cryptmapper package ( #2408 )
...
* Don't error on opening already active devices
* Fix concurrency issues when working with more than one device
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-05 11:20:22 +02:00
3u13r
6ba43b03ee
docs: add gcp permissions needed for upgrade ( #2378 )
2023-10-05 10:28:39 +02:00
Moritz Sanft
13e9359b5c
remove unnecessary link ( #2407 )
2023-10-05 10:05:45 +02:00
edgelessci
7e899d09c4
image: update measurements and image version ( #2405 )
...
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-10-04 14:24:57 +02:00
Malte Poll
6ea0b38a66
ci: add large runner as allowed label
2023-10-04 13:17:44 +02:00
Malte Poll
69cb70e970
deps: update linux kernel to 6.1.55
2023-10-04 13:17:44 +02:00
Moritz Sanft
0885646034
github: add AB ticket link to PR template ( #2397 )
...
* add Azure DevOps ticket to PR template
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make additional info not optional
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-04 10:26:10 +02:00
Malte Poll
b4fb8439d0
ci: use larger runners for os image pipeline ( #2399 )
2023-10-04 10:13:43 +02:00
Moritz Eckert
7c76592a08
docs: add observability page ( #2384 )
...
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-10-04 09:37:46 +02:00
renovate[bot]
e938cc5e63
deps: update module golang.org/x/vuln to v1.0.1 ( #2365 )
...
* deps: update module golang.org/x/vuln to v1.0.1
* deps: tidy all modules
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-09-29 21:45:42 +02:00
Malte Poll
af532f223d
deps: update golang.org/x/tools ( #2396 )
2023-09-29 15:49:34 +02:00
Moritz Sanft
a5021c52d3
joinservice: cache certificates for Azure SEV-SNP attestation ( #2336 )
...
* add ASK caching in joinservice
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use cached ASK in Azure SEV-SNP attestation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update test charts
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make caching mechanism less provider-specific
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add `omitempty` flag
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* frontload certificate getter
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* rename frontloaded function
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* pass cached certificates to constructor
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix race condition
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix marshalling of empty certs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validator usage
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip] add certcache tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add certcache tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validator test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unused fields in validator
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix certificate precedence
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use separate context
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Remove unnecessary comment
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* use background context
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Use error format directive
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* `azure` -> `Azure`
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* improve error messages
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add x509 -> PEM util function
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use crypto util functions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix certificate replacement logic
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only require ASK from certcache
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix comment typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-29 14:29:50 +02:00
Malte Poll
68d8b29335
nix: update flake.lock
2023-09-29 14:09:58 +02:00
Malte Poll
627a4b6cbb
ci: enable nix binary cache
2023-09-29 14:09:58 +02:00
Malte Poll
b66fa5aaab
hack: remove pseudo-version tool
...
The Go implementation is now unused.
Consumers are all switched over to /tools/workspace_status.sh
2023-09-29 14:09:58 +02:00
Malte Poll
ed4d4d83fd
ci: remove dependency on pseudo-version tool
2023-09-29 14:09:58 +02:00
Malte Poll
055fb32918
ci: stop using raw "go run"
2023-09-29 14:09:58 +02:00
3u13r
eebaef9ddd
init: overwrite kubeconfig address ( #2393 )
2023-09-29 14:01:40 +02:00
Malte Poll
85b4101dc3
deps: update go to 1.21.1 ( #2389 )
2023-09-28 22:29:14 +02:00
3u13r
c74a2e98df
cli: omitempty infrastructure fields ( #2392 )
2023-09-28 18:39:52 +02:00
Daniel Weiße
36c8cf2fd8
ci: fix whitespace in url for some tests ( #2390 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-28 16:31:22 +02:00
Malte Poll
4a66899de8
docs: update attestation section with changes for measured boot
2023-09-27 17:58:19 +02:00
Malte Poll
1da5153627
ci: use nix + mkosi during os image build
2023-09-27 17:58:19 +02:00
Malte Poll
f6d9f91877
image: reimplement and adapt measurement generation in Go
2023-09-27 17:58:19 +02:00
Malte Poll
8e706d6de3
image: update README
2023-09-27 17:58:19 +02:00
Malte Poll
daa5b51904
terraform: disable secure boot for GCP
2023-09-27 17:58:19 +02:00
Malte Poll
4e2b9745bb
terraform: disable secure boot for QEMU / MiniConstellation
2023-09-27 17:58:19 +02:00
Malte Poll
3543fe140e
image: allow toggling secure boot in image upload
2023-09-27 17:58:19 +02:00
Malte Poll
c6ea596eb9
image: system layer
2023-09-27 17:58:19 +02:00
Malte Poll
4ef3d10be3
image: initrd layer
2023-09-27 17:58:19 +02:00
Malte Poll
d904766b9c
image: base layer
2023-09-27 17:58:19 +02:00
Malte Poll
fc1045a4f7
image: remove old mkosi config
2023-09-27 17:58:19 +02:00
Malte Poll
0979a483b4
debugd: package as tar
2023-09-27 17:58:19 +02:00
Malte Poll
274dd9d5d8
upgrade-agent: package as tar
2023-09-27 17:58:19 +02:00
Malte Poll
365a07639c
measurement-reader: package as tar
2023-09-27 17:58:19 +02:00
Malte Poll
200fc79e0c
bootstrapper: package as tar
2023-09-27 17:58:19 +02:00
Malte Poll
9a5566de21
disk-mapper: package as tar
2023-09-27 17:58:19 +02:00
Malte Poll
825dab0e0b
image: add sysroot files
2023-09-27 17:58:19 +02:00
Malte Poll
81c5cc21f8
image: add kernel rpms
2023-09-27 17:58:19 +02:00
Malte Poll
78300ee5b0
use toolchains from nixpkgs (with fallback)
2023-09-27 17:58:19 +02:00
Malte Poll
90967d5bc2
bazel: mkosi_image rule
2023-09-27 17:58:19 +02:00
Malte Poll
5323c2d870
bazel: mkosi toolchain
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-27 17:58:19 +02:00
Malte Poll
347659e2b0
bazel: add rules_nixpkgs
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-27 17:58:19 +02:00