renovate[bot]
9191f8ac61
Update Terraform docker to v2.23.0 ( #495 )
...
* Update Terraform docker to v2.23.0
* Readd removed terraform lock hashes
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-11-09 13:35:17 +01:00
renovate[bot]
0e34d35404
Update Terraform google to v4.43.0 ( #484 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-09 10:30:02 +01:00
renovate[bot]
b8acb5e448
Update Terraform aws to v4.38.0 ( #464 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-08 18:34:45 +01:00
Daniel Weiße
011f9c597d
Bring in changes from release branch ( #479 )
...
* Bump version to v2.2.0
* Update changelog
* Fix release detection in pipeline
* Fix PKI selection in pipeline
* Set enforced measurements for AWS
* Update default images
* Fix release docs
* Update mini-con defaults
* Fix measurements action
* Fix syft env variable naming
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-08 18:32:59 +01:00
Nils Hanke
ee55584b90
AWS: Apply security group to worker nodes
2022-11-08 11:22:06 +01:00
Malte Poll
41668d50c2
Add recovery loadbalancer on AWS
2022-11-08 00:07:04 +01:00
Nils Hanke
759c626e0f
AWS: Don't expose SSH debugging ports on the LB
2022-11-07 13:57:22 +01:00
Malte Poll
fa6dfdff4f
Mark externally managed terraform resources to make infrastructure terraform appliable throughout its lifetime ( #442 )
...
* Mark externally managed terraform resources to make infrastructure terraform appliable throughout its lifetime
* Use correct field for nat gateway
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-07 11:04:10 +01:00
Malte Poll
ed58fcccd3
CI: Add secure boot prod keys ( #462 )
...
* Add production secure boot keys
* Refactor OS build and upload settings
2022-11-04 16:48:52 +01:00
3u13r
309a4b5196
cli: remove debug env check for AWS ( #460 )
2022-11-04 15:31:51 +01:00
Fabian Kammel
04d0c770af
limit aws cluster name len ( #454 )
...
* limit aws cluster name len down to 10, 32-character name limit in AWS
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-04 13:35:32 +01:00
Nils Hanke
19fd3a351a
Make azureCVMRxp in upgradeplan.go case-insensitive
2022-11-04 12:57:24 +01:00
Nils Hanke
4d9fbdb3d3
CI: Use lowercase image name for fetching measurements
2022-11-04 12:57:24 +01:00
renovate[bot]
b89fae8062
Update Terraform azurerm to v3.30.0 ( #452 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-04 12:34:03 +01:00
renovate[bot]
44b1a92d6b
Update fedora Docker digest to 455fec9 ( #447 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Nirusu <Nirusu@users.noreply.github.com>
2022-11-04 11:49:41 +01:00
renovate[bot]
f71073a77f
Update Terraform google to v4.42.1 ( #434 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-04 10:14:13 +01:00
Otto Bittner
f164af29cf
AB#2583: deploy autoscaler via helm ( #438 )
2022-11-03 16:42:19 +01:00
Leonard Cohnen
0d0191ba4d
aws: make CCM work
2022-11-02 23:29:04 +01:00
Leonard Cohnen
58d083a433
cli: pass AWS state disk type to terraform
2022-11-02 23:29:04 +01:00
Leonard Cohnen
dd007f4772
metadata: move subnetCIDR to InstanceMetadata
2022-11-02 23:29:04 +01:00
Leonard Cohnen
0cdc7886ee
metadata: don't use podCIDR for Azure CCM setup
2022-11-02 23:29:04 +01:00
Leonard Cohnen
be2b38f2ac
terraform: use HTTPS health check for AWS
2022-11-02 23:29:04 +01:00
Leonard Cohnen
7e385c4c86
terraform: use AWS launch templates
2022-11-02 23:29:04 +01:00
Leonard Cohnen
3dce7de0f1
helm chart loader: increase error verbosity
2022-11-02 23:29:04 +01:00
Leonard Cohnen
cc38506ffa
cli: AWS does not use a service account
2022-11-02 23:29:04 +01:00
Leonard Cohnen
015b12d8ff
attestation: use AWS attestation
2022-11-02 23:29:04 +01:00
Leonard Cohnen
37e8f5fc28
cilium: AWS support
2022-11-02 23:29:04 +01:00
Nils Hanke
8d097424a1
Remove separate function for yesFlag in terminate
2022-11-02 18:18:30 +01:00
Nils Hanke
ad871d1993
Prompt before termination
2022-11-02 18:18:30 +01:00
Nils Hanke
c922136cd4
Fix typos
2022-11-02 18:18:30 +01:00
Otto Bittner
e363f03240
AB#2582: deploy CNM via Helm ( #423 )
2022-11-02 17:47:10 +01:00
Leonard Cohnen
741684843c
terraform: fix azure password constraints
2022-11-02 09:57:54 +01:00
Otto Bittner
30bdbd9b85
Add helm unittests ( #380 )
2022-10-31 19:25:02 +01:00
renovate[bot]
c9e6b4c5b6
Update Terraform azurerm to v3.29.1 ( #405 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-31 10:45:56 +01:00
Daniel Weiße
79f52e67cb
Update go-tpm-tools to fix AWS PCR selection ( #390 )
...
* Update go-tpm-tools to fix AWS PCR selection
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Ignore leaking glog go routine
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-28 17:57:24 +02:00
Paul Meyer
86906ac536
Use atomic.Bool, added in Go 1.19
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-28 16:06:53 +02:00
Otto Bittner
091e3b2b2b
AB#2538: deploy CCM via Helm
...
Also move helmloader interface/stubs
2022-10-27 18:12:47 +02:00
Otto Bittner
009b2e67e3
Use .Release.Namespace instead of namespace value
2022-10-27 18:12:47 +02:00
Nils Hanke
34f729ccd2
Case insensitive replace for every user input that could break azurerm
2022-10-27 11:35:14 +02:00
Daniel Weiße
e66cb84d6e
AB#2532 Dont clean up workspace if rollback fails ( #360 )
...
* Dont clean up workspace if rollback fails
* Remove dependency on CSP from terminate
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-26 15:57:00 +02:00
Paul Meyer
c05b22f1dc
Remove dead code ( #373 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-26 10:29:28 +02:00
Malte Poll
fa63e51370
Fix "enforceIdKeyDigest" capitalization ( #369 )
...
* Fix "enforceIdKeyDigest" capitalization
* Convert "enforceIdKeyDigest" to string for config map
2022-10-25 16:29:28 +02:00
Malte Poll
2d121d9243
Replace interface{} -> any ( #370 )
2022-10-25 15:51:23 +02:00
Malte Poll
7592143a69
Join-service helm chart: use correct casing for provider name ( #368 )
2022-10-25 13:21:27 +02:00
Malte Poll
52f140a968
Pin terraform provider hashes ( #361 )
2022-10-25 10:10:46 +02:00
Daniel Weiße
b35b74b772
Use tags for UID and role parsing ( #242 )
...
* Apply tags to all applicable GCP resources
* Move GCP UID and role from VM metadata to labels
* Adjust Azure tags to be in line with GCP and AWS
* Dont rely on resource name to find resources
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-24 16:58:21 +02:00
Otto Bittner
c2814aeddb
AB#2504: Deploy join-service via helm ( #358 )
2022-10-24 12:23:18 +02:00
Daniel Weiße
c82d5ccba9
Hide cursor and fix dots ( #217 )
...
* Hide cursor and fix dots spinner
* Allow restarting of spinner
* Don't spin on non TTY output
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-21 14:26:42 +02:00
Nils Hanke
04c4cff9f6
AB#2436: Initial support for create/terminate AWS NitroTPM instances
...
* Add .DS_Store to .gitignore
* Add AWS to config / supported instance types
* Move AWS terraform skeleton to cli/internal/terraform
* Move currently unused IAM to hack/terraform/aws
* Print supported AWS instance types when AWS dev flag is set
* Block everything aTLS related (e.g. init, verify) until AWS attestation is available
* Create/Terminate AWS dev cluster when dev flag is set
* Restrict Nitro instances to NitroTPM supported specifically
* Pin zone for subnets
This is not great for HA, but for now we need to avoid the two subnets
ending up in different zones, causing the load balancer to not be able
to connect to the targets.
Should be replaced later with a better implementation that just uses
multiple subnets within the same region dynamically
based on # of nodes or similar.
* Add AWS/GCP to Terraform TestLoader unit test
* Add uid tag and create log group
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-10-21 12:24:18 +02:00
Otto Bittner
07f02a442c
Refactor Helm deployments ( #341 )
...
* Wrap KMS deployment in one main chart that
deploys all other services. Other services will follow.
* Use .tgz via helm-package as serialization format
* Change Release type to carry chart as byte slice
* Remove KMSConfig
* Use json-schema to validate values
* Extend release.md to mention updating helm charts
2022-10-21 12:01:28 +02:00