* Reduce external dependencies of kubecmd package
* Add kubecmd wrapper to constellation-lib
* Update CLI code to use constellation-lib
* Move kubecmd package to subpackage of constellation-lib
* Initialise helm and kubecmd clients when kubeConfig is set
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* cli: refactor `cloudcmd/validators`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make struct fields private
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* use errors.New
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* make struct fields private in usage
* fix casing
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
By default, Cilium's tc filters are added add the highest priority,
which makes it impossible to add any tc filters of our own (because the
Cilium eBPF programs don't return to the filter chain).
Two near-future use cases that would benefit from this:
* Network testing could add counting filters to interfaces and observe
e.g. violations of encryption policy.
* The VPN Helm chart could add a filter policy that drops packets on the
"physical" interface before they can leak to the CSP.
* constellation-lib: refactor init RPC
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: pass io.Writer for collecting logs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: add init test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: bin dialer to struct
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: set service CIDR on init
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
This allows cross compiling from aarch64-darwin to x86_64-linux.
It is required for building Go binaries on macos that target Linux and have CGO enabled.
Cryptsetup and libvirt are new.
OpenSSL was moved with the rest.
The dynamic libaries cryptsetup and libvirt also ship a file called closure.tar,
that contains the transitive closure for all of their dependencies.
This tar file can be used as a container image layer or added to a bootable OS image
to provide the runtime dependencies required for dynamic linking.
Additionally, they ship a `rpath` file. This can be used together with patchelf to
fix the RPATH of binaries produced by Bazel.
This rule allows overwriting a binaries' rpath.
This is required to use binaries built by Bazel that link against cc_library
targets from nix (like `/nix/store/<hash>/lib/*.so`).
Default platform for targeting Constellation OS images with nix and cgo:
//bazel/platforms:constellation_os
Other target platforms with nix and cgo:
//bazel/platforms:aarch64-darwin_nix
//bazel/platforms:aarch64-linux_nix
//bazel/platforms:x86_64-darwin_nix
//bazel/platforms:x86_64-linux_nix
Pure go platforms (no cgo, statically linked)
//bazel/platforms:go-pure_aarch64-darwin
//bazel/platforms:go-pure_aarch64-linux
//bazel/platforms:go-pure_x86_64-darwin
//bazel/platforms:go-pure_x86_64-linux
* Honor (hidden) timeout flag for applying helm charts
* Set only internally used structs to private
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Only run verify with JSON output on v2.14 or newer
* Dont upload TCB version for AWS on v2.13
* Remove workaround for CLI not yet support apply to initialize clusters
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Enable notification on tf module e2e test failure
* Dont try to change fields with no value
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Add missing shell
* Remove old teams notify action
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>