Commit Graph

340 Commits

Author SHA1 Message Date
Malte Poll
889677c795 image: update mkosi and use package directory feature 2024-02-20 12:50:13 +01:00
Malte Poll
5ef12895fa bazel: remove deprecated Bazel container
It doesn't work properly with nix and a nix shell exists for all developers.
2024-02-20 12:50:13 +01:00
Malte Poll
a4d25646f5 deps: update to bazel 7 2024-02-20 12:50:13 +01:00
Malte Poll
c6e0714a42 deps: update go-git 2024-02-20 10:00:38 +01:00
renovate[bot]
3b2da12781
deps: update Constellation containers (#2919)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-19 16:14:05 +01:00
renovate[bot]
7980689e82
deps: update module helm.sh/helm/v3 to v3.14.1 [SECURITY] (#2911)
* deps: update module helm.sh/helm/v3 to v3.14.1 [SECURITY]

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2024-02-15 18:01:36 +01:00
Markus Rudy
473001be55
vpn: ship our own container image (#2909)
* vpn: ship our own container image

The container image used in the VPN chart should be reproducible and
stable. We're sticking close to the original nixery.dev version by
building the image with nix ourselves, and then publishing the single
layer from the result with Bazel OCI rules. The resulting image should
be handled similar to s3proxy: it's built as a part of the Constellation
release process and then consumed from a Helm chart in our registry.

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2024-02-15 13:08:27 +01:00
Moritz Sanft
901edd420b
terraform: remove cloud loggers (#2892)
* terraform: remove cloud logging apps

* internal/cloud: remove loggers

* bootstrapper: remove logging

* qemu-metadata-api: remove logging endpoint

* docs: add instructions on how to get boot logs

* bazel: tidy

* docs: fix typo

* cloud: remove unused types

* Update go.mod

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* bazel: tidy

* Update docs/docs/workflows/troubleshooting.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/troubleshooting.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/troubleshooting.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* docs: elaborate on how to get boot logs

* bazel: tidy

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2024-02-06 14:27:30 +01:00
Malte Poll
18acd0b12a
deps: update go-uefi and use new authenticode package (#2873) 2024-02-05 12:06:48 +01:00
Markus Rudy
32d3b4e87c
ci: introduce keep-sorted (#2836)
Long lists of items in source code or config can be hard to work with as
a human, most problematic being out-of-order entries in an otherwise
ordered list. This is where keep-sorted comes to the rescue: we can
leave two little comments on every listing we care about, and
keep-sorted ensures that the listing stays in order.

This commit also applied keep-sorted to the CODEOWNERS file, hopefully
demonstrating its usefulness to some extent. I'd expect more uses for
keep-sorted to be discovered organically over time.

keep-sorted is super fast, so it should not be a problem to add it to
the //:tidy target, even if we scan all files in the code base. On my
MacBook:

$ time (find . -not -path "./.git/*" -type f | sort | xargs "${keep_sorted}" --mode fix)

real	0m0.249s
user	0m0.124s
sys	0m0.129s
2024-01-30 14:39:49 +01:00
Malte Poll
d3cffa9fee
image: update Linux to 6.1.74 (#2851) 2024-01-24 17:10:56 +01:00
Daniel Weiße
e350ca0f57
attestation: add Azure TDX attestation (#2827)
* Implement Azure TDX attestation primitives
* Add default measurements and claims for Azure TDX
* Enable Constellation on Azure TDX

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-24 15:10:15 +01:00
Malte Poll
64a4a2230d deps: update gazelle and rules_go 2024-01-22 13:11:58 +01:00
Malte Poll
e40d1e56d8 deps: update hermetic_cc_toolchain 2024-01-22 13:11:58 +01:00
Malte Poll
403acf75aa image: add mainline kernel and azure tdx image target 2024-01-16 17:34:44 +01:00
Malte Poll
f237ae8ae2 bazel: add upload_os_images rule
This rule combines uplosi, the upload command, measurement code and cosign
to upload OS images, extract measurements, sign them and upload the measurements.
2024-01-15 13:53:15 +01:00
renovate[bot]
bacb8ff886
deps: update AWS SDK (#2809)
* deps: update AWS SDK

* deps: fix AWS SDK upgrade breakage

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Markus Rudy <mr@edgeless.systems>
2024-01-09 16:18:33 +01:00
Daniel Weiße
90f3336c8e
deps: remove go.mod files from submodules (#2769)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-08 13:19:38 +01:00
Malte Poll
0dae7908a7 bazel: remove stale bash completion file 2024-01-08 10:44:38 +01:00
Malte Poll
362d07fc52 nix: allow dev setup via direnv 2024-01-08 10:44:38 +01:00
Malte Poll
3a4f6ef9d1
bazel: use prebuilt Go toolchain (go.dev/dl) (#2796)
We had to switch to a Go toolchain from nixpkgs,
since prebuilt Go toolchain versions were not usable on NixOS.
Since Go 1.21, the prebuilt Go toolchain is statically linked
and works out of the box.

Reference: https://github.com/golang/go/issues/57007
2024-01-05 11:52:22 +01:00
3u13r
07c884b945
ci: remove artifact encryption for public artifacts (#2776)
* ci: remove artifact encryption for public artifacts

* revert parts of  #2765

* ci: add unused action exception for encrypted artifact download
2023-12-29 11:02:37 +01:00
Adrian Stobbe
ac1f322044
terraform-provider: only build as enterprise user (#2770)
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-12-22 08:38:28 +01:00
Markus Rudy
837b24bf54
versions: generate k8s image patches (incl etcd) (#2764)
* versions: generate k8s image patches (incl etcd)
2023-12-21 20:56:55 +01:00
renovate[bot]
37ec431fab
deps: update K8s dependencies (#2763)
* deps: update K8s dependencies

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-12-21 12:42:04 +01:00
renovate[bot]
1409d4aa3f
deps: update dependency aspect_bazel_lib to v2.0.3 (#2751)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-12-20 18:10:49 +01:00
renovate[bot]
110bf9103d
deps: update Constellation containers (#2760)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-12-20 18:03:44 +01:00
renovate[bot]
4f374fbeb2
deps: update module github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4 to v5 (#2748)
* deps: update module github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4 to v5
* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-12-20 15:58:55 +01:00
renovate[bot]
db65f5116d
deps: update dependency rules_python to v0.27.1 (#2591)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-12-20 15:42:36 +01:00
Malte Poll
ae6b22a143
deps: update rules_oci to a pre-release version to fix memory leak (#2729)
rules_oci spawns local container registry processes and in the past,
those would not be cleaned up explicitly, leading to an accumulation
of processes when using remote execution with buildbarn.
This pre-release contains a fix: https://github.com/bazel-contrib/rules_oci/pull/421
Additionally, windows support for rules_oci was removed in this fork,
since it is currently broken.
2023-12-19 15:40:04 +01:00
renovate[bot]
6c5170da79
deps: update module golang.org/x/crypto to v0.17.0 [SECURITY] (#2736)
* deps: update module golang.org/x/crypto to v0.17.0 [SECURITY]
* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-12-19 08:53:15 +01:00
Malte Poll
f487c2a6d0 image: update Linux to 6.1.68
Changelogs:

https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.65
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.66
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.67
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.68
2023-12-14 18:18:07 +01:00
Daniel Weiße
9a4e96905f
bazel: place Terraform provider binaries in local registry path on devbuild (#2714)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-14 08:18:48 +01:00
Markus Rudy
ae00b0a198 installer: add support for data URLs
RFC 015 proposes the introduction of data URLs to materialize static
content to files on disk. This commit adds support for data URLs to the
installer. The corresponding content will be added to versions.go in a
subsequent commit.
2023-12-13 09:35:19 +01:00
Moritz Sanft
367136add2
terraform-provider: support importing Constellation clusters (#2702)
* terraform-provider: support importing Constellation clusters

* bazel: shfmt exclusion for import script

* ci: fix godot check

* bazel: shellcheck exclusion for import script

* Update dev-docs/workflows/terraform-provider.md

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* ci: fix Terraform lock exclude directories

---------

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-12-12 16:00:03 +01:00
Adrian Stobbe
4c8041d2cf
bazel: used sed from nixpkgs (#2706)
This is required since sed on macos has different flags and may behave differently.

Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-12-12 14:46:11 +01:00
renovate[bot]
6db0318b2f
deps: update module github.com/docker/docker to v24.0.7+incompatible [SECURITY] (#2541)
* deps: update module github.com/docker/docker to v24.0.7+incompatible [SECURITY]

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-12-12 13:34:28 +01:00
Markus Rudy
dac4bb04f2 ci: disable curses support
Comparison of output for a failed build. Old setup produces >3k lines of
unhelpful messages:

https://github.com/edgelesssys/constellation/actions/runs/7165242775/job/19506817413

Without curses support, we get <400 lines with relevant details:

https://github.com/edgelesssys/constellation/actions/runs/7166031624/job/19509201790
2023-12-11 14:27:31 +01:00
Markus Rudy
a1dbd13f95 versions: consolidate various types of Components
There used to be three definitions of a Component type, and conversion
routines between the three. Since the use case is always the same, and
the Component semantics are defined by versions.go and the installer, it
seems appropriate to define the Component type there and import it in
the necessary places.
2023-12-11 14:26:54 +01:00
edgelessci
90d92e5b51 deps: tidy all modules 2023-12-08 13:59:51 +01:00
Malte Poll
93d505ef7f
deps: bump Go to 1.21.5 (#2689) 2023-12-08 12:11:31 +01:00
Malte Poll
c0d8508931
ci: fix repository name of shellcheck for linux arm64 (#2670) 2023-12-06 13:34:22 +01:00
Daniel Weiße
b7425db72a
constellation-lib: add Helm wrapper (#2680)
* Add Helm wrapper to constellation-lib
* Move helm package to constellation-lib

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-06 10:01:39 +01:00
Daniel Weiße
f5718b6655
docs: add Kubernetes version support list (#2661)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-05 15:13:25 +01:00
Malte Poll
5e2cad34c9
image: update Linux to 6.1.64 (#2677)
Changelogs:

https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.63
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.64
2023-12-05 09:35:48 +01:00
Malte Poll
432c4294c5 bazel: remove unused go_ld_test
This was an attempt to make unit tests work where we linked against libraries and ld from Fedora.
This is no longer needed.
2023-12-01 09:35:33 +01:00
Malte Poll
4ca88cd779 bazel: remove bazeldnf and pinned rpms 2023-12-01 09:35:33 +01:00
Malte Poll
ee3ff9ac01 bazel: use patched RPATH in bootstrapper and disk-mapper binaries 2023-12-01 09:35:33 +01:00
Malte Poll
cd6e03049a libvirt: build containerized libvirt as nix container image 2023-12-01 09:35:33 +01:00
Malte Poll
e174c4dfe1 bazel: add patchelf rule
This rule allows overwriting a binaries' rpath.
This is required to use binaries built by Bazel that link against cc_library
targets from nix (like `/nix/store/<hash>/lib/*.so`).
2023-12-01 09:35:33 +01:00