Otto Bittner
d2967fff6b
cli: fix misleading error while applying kubernetes-only upgrade ( #1630 )
...
* The check would previously fail if e.g. `apply` did not upgrade the
image, but a new image was specified in the config. This could
happen if the specified image was too new, but a valid Kuberentes
upgrade was specified.
* ci: fix variable expansion in e2e-upgrade call
* e2e: do not verify measurement signature
2023-04-13 15:58:37 +02:00
Daniel Weiße
ec01c57661
internal: use config to create attestation validators ( #1561 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-04-06 17:00:56 +02:00
renovate[bot]
d95a764b65
deps: update golangci/golangci-lint to v1.52.2 ( #1598 )
...
* deps: update golangci/golangci-lint to v1.52.2
* deps: tidy all modules
* fix linting issues
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-04-05 18:40:35 +02:00
Malte Poll
69de06dd1f
image: OpenStack vTPM ( #1616 )
...
* cli: allow vpc traffic between nodes on OpenStack
* image: enable vTPM on OpenStack
* cli: add create tests for OpenStack
2023-04-05 16:49:03 +02:00
Moritz Sanft
e71c33c88d
cli: print attestation document with constellation verify ( #1577 )
...
* wip: verification output
* wip: Azure cert parsing
* wip: print actual PCRs
* wip: use string builder for output formatting
* compare PCR expected with actual
* tests
* change naming
* update cli reference
* update bazel buildfile
* bazel update
* change loop signature
2023-04-03 15:06:27 +02:00
Malte Poll
d15968bed7
bootstrapper: make Azure auth method configurable on cluster init ( #1346 )
...
* bootstrapper: make Azure auth method configurable on cluster init
* azure: convert uami resource ID to clientID
Co-authored-by: 3u13r <lc@edgeless.systems>
2023-04-03 15:01:25 +02:00
Moritz Sanft
46f5b1734e
cli: show available cli upgrades on upgrade check command ( #1394 )
...
* cli: upgrade check show cli upgrades
* only check compatibility for valid upgrades
* use semver.Sort
* extend unit tests
* add unit test for new compatible cli versions
* adapt to feedback
* fix rebase
* rework output
* minor -> major
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* minor -> major
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* dynamic major version
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* remove currentK8sVer argument
* bazel gen & tidy
* bazel update
---------
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-04-03 14:31:17 +02:00
Paul Meyer
176d32599f
terraform: add missing permission to AWS iam
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-04-03 07:23:00 -04:00
Paul Meyer
63b07ede8a
terraform: sort permissions
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-04-03 07:23:00 -04:00
Otto Bittner
7c8215e507
cli: add kubernetes pkg to interface with cluster
...
Previously the content of files status and upgrade within the
cloudcmd pkg did not fit cloudcmd's pkg description.
This patch introduces a separate pkg to fix that.
2023-04-03 12:03:41 +02:00
Otto Bittner
c8c2953d7b
cli: add status cmd
...
The new command allows checking the status of an upgrade
and which versions are installed.
Also remove the unused restclient.
And make GetConstellationVersion a function.
2023-04-03 12:03:41 +02:00
Daniel Weiße
62c165750f
config: remove deprecated upgradeConfig and require name and microserviceVersion fields ( #1541 )
...
* Remove deprecated fields
* Remove warning for not setting attestationVariant
* Dont write attestationVariant to config
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-31 19:19:10 +02:00
Paul Meyer
b8d6b110b1
cli: add missing -y short flag to iam create ( #1572 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-31 17:26:14 +02:00
Paul Meyer
66ee24b5b2
cli: remove duplicated print ( #1568 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-31 14:43:39 +02:00
Paul Meyer
909bfb9274
bazel: add go generate to //:generate target
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-29 12:51:40 -04:00
Daniel Weiße
fc0efb6309
config: deprecate confidentialVM option for Azure clusters in favor of using attestationVariant option ( #1539 )
...
* Remove confidentialVM option from azure provider config
* Fix cloudcmd creator test
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 14:04:37 +02:00
Daniel Weiße
b57413cfa7
cli: set cluster's initial measurements from user's config using Helm ( #1540 )
...
* Remove using measurements from the initial control-plane node for the cluster's initial measurements
* Add using measurements from the user's config for the cluster's initial measurements to align behavior with upgrade command
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 11:16:56 +02:00
Daniel Weiße
99b12e4035
internal: refactor oid package to variant package ( #1538 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 09:30:13 +02:00
Daniel Weiße
db5660e3d6
attestation: add context to Issue and Validate methods ( #1532 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 09:06:10 +02:00
Otto Bittner
861bc84f94
cli: only apply upgrades on gcp/azure ( #1518 )
...
The constellation-operator currently doesn't support the
necessary operations for AWS, OpenStack and QEMU.
2023-03-24 17:07:14 +01:00
Otto Bittner
bb2b5e1bd1
cli: allow users to only upgrade measurements
...
In case only measurements are upgrades a confirmation is required.
Alternatively, the `yes` flag can be used.
2023-03-23 18:08:18 +01:00
Otto Bittner
c057fac315
cli: idkeycfg upgrade migration
...
TODO: revert this commit after v2.7 is released.
2023-03-23 14:57:38 +01:00
Otto Bittner
cac43a1dd0
ci: add e2e-upgrade test
...
The test is implemented as a go test.
It can be executed as a bazel target.
The general workflow is to setup a cluster,
point the test to the workspace in which to
find the kubeconfig and the constellation config
and specify a target image, k8s and
service version. The test will succeed
if it detects all target versions in the cluster
within the configured timeout.
The CI automates the above steps.
A separate workflow is introduced as there
are multiple input fields to the test.
Adding all of these to the manual e2e test
seemed confusing.
Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2023-03-23 14:57:38 +01:00
Leonard Cohnen
bb009e6166
remove dublicate log in miniconstellation
2023-03-23 14:55:29 +01:00
Otto Bittner
9f6e924066
cli: fix upgrade apply
for image-only upgrades ( #1468 )
...
This fixes a bug where `upgrade apply` fails if only the image is
upgraded, due to mishandling of an empty configmap.
Making stubStableClient more complex is needed since it is called
with multiple configMaps now.
2023-03-22 11:53:47 +01:00
Paul Meyer
02fc3dc635
measurements: refactor validation option ( #1462 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-22 11:47:39 +01:00
3u13r
cf9970c051
terraform: allow for multiple instance groups ( #1471 )
2023-03-21 22:56:03 +01:00
renovate[bot]
02a389e8c0
deps: update Terraform openstack to v1.51.1 ( #1424 )
...
* deps: update Terraform openstack to v1.51.1
* deps: tidy all modules
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-03-21 13:36:49 +01:00
Daniel Weiße
5a0234b3f2
attestation: add option for MAA fallback to verify azure's snp-sev id key digest ( #1257 )
...
* Convert enforceIDKeyDigest setting to enum
* Use MAA fallback in Azure SNP attestation
* Only create MAA provider if MAA fallback is enabled
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 12:46:49 +01:00
Malte Poll
8559a1ef8b
helm: deploy node operator on OpenStack
2023-03-21 10:51:09 +01:00
Malte Poll
7d4ab07163
helm: add tests for AWS and OpenStack
2023-03-21 10:51:09 +01:00
Malte Poll
e5124d1a97
helm: add OpenStack charts
2023-03-21 10:51:09 +01:00
Malte Poll
f066416a43
cli: add support for constellation init on OpenStack
2023-03-21 10:51:09 +01:00
Paul Meyer
f638812143
terraform: unique Azure attestation provider name ( #1472 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-21 10:41:48 +01:00
Otto Bittner
5a82c3cef2
cli: add attestationVariant migration ( #1467 )
...
Temporarily add the attestationVariant key to the service
values during upgrade. Normally this should not be
modified during upgrade. However, since the field is introduced
in v2.7, we need to add the field manually.
2023-03-21 10:04:48 +01:00
Malte Poll
44db16b42e
cli: give Azure uami all perms previously given to app registration ( #1334 )
...
This is the first step for deprecating app registrations on Azure.
The user-assigned managed identity (uami) should first gain all permissions that are currently held by the app registration.
* cli: give Azure uami all permissions previously given to app registratio
* docs: document required owner role for user-assigned managed identity on Azure
2023-03-21 10:00:13 +01:00
Paul Meyer
05f6d1dc65
terraform: valid Azure attestation provider name ( #1465 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 17:53:00 +01:00
Otto Bittner
1b12147d83
cli: minor restructuring for loading helm charts ( #1441 )
...
Use one loadRelease function instead of one function for each
release.
2023-03-20 17:05:58 +01:00
Nils Hanke
4f37fe38f9
cli: fix typo
2023-03-20 15:30:35 +01:00
Paul Meyer
a474739ab6
go: remove unused parameters
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 10:03:52 -04:00
Otto Bittner
9e13b0f917
cli: only create resource backups if upgrade is executed ( #1437 )
...
Previously backups were created even if no service upgrades were
executed. To allow this some things are restructured:
* new chartInfo type that holds release name, path and chart name
* upgrade execution and version validity are checked separately
2023-03-20 14:49:04 +01:00
Paul Meyer
658cac046f
go: remove redundant if-err check
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Paul Meyer
0036b24266
go: remove unused parameters
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Nils Hanke
822d7823f8
cli: refuse to retry init once gRPC has reached READY one time
2023-03-20 13:33:46 +01:00
Nils Hanke
77d19eb896
cli: add "Connecting" spinner state for "constellation init"
2023-03-20 13:33:46 +01:00
Moritz Sanft
f2ce9518a3
cli: support custom attestation policies for maa ( #1375 )
...
* create and update maa attestation policy
* use interface to allow unit testing
* fix test csp
* http request for policy patch
* go mod tidy
* remove hyphen
* go mod tidy
* wip: adapt to feedback
* linting fixes
* remove csp from tf call
* fix type assertion
* Add MAA URL to instance tags (#1409 )
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* conditionally create maa provider
* only set instance tag when maa is created
* fix azure unit test
* bazel tidy
* remove AzureCVM const
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* encode policy at runtime
* remove policy arg
* fix unit test
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-03-20 13:33:04 +01:00
Thomas Tendyck
43fbb06426
cli: remove ctx parameter from rollbackOnError to prevent wrong use
2023-03-20 08:49:46 +01:00
renovate[bot]
4d618a4b99
deps: update fedora:37 Docker digest ( #1448 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-17 18:47:36 +01:00
renovate[bot]
b03ead589f
deps: update Terraform azuread to v2.36.0 ( #1421 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 14:30:17 +01:00
renovate[bot]
03d2232321
deps: update Terraform google-beta to v4.57.0 ( #1423 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 13:45:43 +01:00
renovate[bot]
f8f3f00595
deps: update Terraform azurerm to v3.47.0 ( #1422 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 13:45:08 +01:00
renovate[bot]
95d6618b9d
deps: update Terraform google to v4.57.0 ( #1420 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 12:06:53 +01:00
renovate[bot]
0db034db5b
deps: update Terraform aws to v4.58.0 ( #1419 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 11:43:52 +01:00
Malte Poll
a73cdb9b14
bazel: command to prepare development workspace ( #1425 )
...
This command symlinks all binaries into the current working directory (or the path specified by the first argument)
* bazel: command to prepare development workspace
* bazel: set malt3 as codeowner
2023-03-14 13:57:39 +01:00
Daniel Weiße
6ea5588bdc
config: add attestation variant ( #1413 )
...
* Add attestation type to config (optional for now)
* Get attestation variant from config in CLI
* Set attestation variant for Constellation services in helm deployments
* Remove AzureCVM variable from helm deployments
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-14 11:46:27 +01:00
Thomas Tendyck
64e1f553d1
cli: remove Edition in version command, which contains duplicate info
2023-03-10 11:36:44 +01:00
Malte Poll
bdba9d8ba6
bazel: add build files for go ( #1186 )
...
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 15:23:42 +01:00
Daniel Weiße
446b77828b
cli: add missing flag to miniConstellation ( #1374 )
...
* Add missing flag to miniConstellation
* Add config merger to miniConstellation
* Soft fail if config can not be merged
* Remove config flattening
* Release spinner stop lock when stopping finished
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Nils Hanke <nils.hanke@outlook.com>
2023-03-08 15:48:36 +01:00
Paul Meyer
630016d1b3
openstack: use password to authenticate in cluster
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 09:04:57 -05:00
Paul Meyer
64fc43f276
use any instead of interface{} ( #1354 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 10:31:20 +01:00
Daniel Weiße
19507677c1
cli: attestation validator debug output ( #1262 )
...
* Wrote->Written
* Add Validator info logs to debug output
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-03 16:50:25 +01:00
Malte Poll
cda2669d40
cli: upgrade libtpms in libvirt container ( #1338 )
2023-03-03 15:07:27 +01:00
Otto Bittner
b94d23a3e8
cli: create backups before upgrading microservices
2023-03-03 15:02:22 +01:00
Otto Bittner
3cef9ee74d
cli: add doc comments for helm
2023-03-03 15:02:22 +01:00
Malte Poll
8aa42e30ad
cli: set OpenStack service account credentials ( #1328 )
2023-03-03 10:10:36 +01:00
Malte Poll
8ad04f7dbb
cli: log grpc connection state for init call ( #1324 )
...
This is a measure to detect cases where an aTLS handshake is performed but the long running call is interrupted, leading to a retry of the init call.
Whenever the grpc connection state reaches ready, we know that the aTLS handshake has succeeded:
> READY: The channel has successfully established a connection all the way through TLS handshake (or equivalent) and protocol-level (HTTP/2, etc) handshaking, and all subsequent attempt to communicate have succeeded (or are pending without any known failure).
2023-03-03 09:38:57 +01:00
Otto Bittner
f0db5d0395
cli: restructure upgrade apply
( #1319 )
...
Applies the updated NodeVersion object with one request
instead of two. This makes sure that the first request does
not accidentially put the cluster into a "updgrade in progress"
status. Which would lead users to having to run apply twice.
2023-03-03 09:38:23 +01:00
Nils Hanke
77a375e837
cli: add --kubernetes
flag to iam create
(when used with --create-config
) ( #1326 )
2023-03-03 09:04:54 +01:00
Nils Hanke
a34ef8ad29
cli/bootstrapper: remove deprecated master secret & KMS related fields
2023-03-02 15:49:02 +01:00
Daniel Weiße
5eb73706f5
internal: refactor storage credentials ( #1071 )
...
* Move storage clients to separate packages
* Allow setting of client credentials for AWS S3
* Use managed identity client secret or default credentials for Azure Blob Storage
* Use credentials file to authorize GCS client
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-02 15:08:31 +01:00
Malte Poll
ab0b881cbf
oid: add alternative string representations for attestation variants ( #1322 )
2023-03-02 10:48:16 +01:00
Nils Hanke
c9ddc93d55
cli: allow existing config for IAM creation without --generate-config
2023-03-01 13:53:34 +01:00
Malte Poll
fc33a74c78
constants: make VersionInfo readonly ( #1316 )
...
The variable VersionInfo is supposed to be set by `go build -X ...` during link time but should not be modified at runtime.
This change ensures the underlying var is private and can only be accessed by a public getter.
2023-03-01 11:55:12 +01:00
Malte Poll
4e202fa483
cli: set constellation uid and role as instance metadata of OpenStack instances ( #1311 )
2023-03-01 08:48:17 +01:00
Otto Bittner
984f0589d2
cli: upgrade errors for microservice ( #1259 )
...
Handle invalid upgrade errors similarly as for images and k8s.
2023-02-28 10:23:09 +01:00
Moritz Sanft
732d15d013
ci: use iam destroy command for resource destruction ( #1272 )
...
* replace tf destruction with new command
* move iam destroy cmd
* fix typos
* exit post test on error
* [remove] test failure on iam destroy
* Revert "[remove] test failure on iam destroy"
This reverts commit 99449c0cc0
.
* [remove] test failure on terminate
* Revert "[remove] test failure on terminate"
This reverts commit 99c45bbc54
.
* gofumpt
2023-02-28 09:52:32 +01:00
Malte Poll
b79f7d0c8c
cli: add basic support for constellation create
on OpenStack ( #1283 )
...
* image: support OpenStack image build / upload
* cli: add OpenStack terraform template
* config: add OpenStack as CSP
* versionsapi: add OpenStack as CSP
* cli: add OpenStack as provider for `config generate` and `create`
* disk-mapper: add basic support for boot on OpenStack
* debugd: add placeholder for OpenStack
* image: fix config file sourcing for image upload
2023-02-27 18:19:52 +01:00
Otto Bittner
08ee56911b
cli: overwrite chart versions during install/upgrade
...
* As charts receive information like the container image from
the cli it makes sense to also version the charts based on the cli
version.
* The pseudoversion is recalculated when running cmake.
* When merging changes from release branch to main,
a new commit is introduced to set the PROJECT_VERSION back
to 0.0.0, so that builds include a pseudoversion.
2023-02-27 16:06:35 +01:00
renovate[bot]
83bea18a4f
deps: update fedora:37 Docker digest ( #1274 )
...
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-24 17:46:17 +01:00
renovate[bot]
66022fa441
deps: update Terraform aws to v4.55.0 ( #1195 )
...
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-24 17:27:11 +01:00
Nils Hanke
6ae2bc9772
cli: fix force flag debug print in init
2023-02-24 12:11:09 +01:00
miampf
5137e9fa57
cli: iam destroy ( #946 )
2023-02-24 11:36:41 +01:00
Otto Bittner
c4fd70684f
Revert "deps: update Terraform azurerm to v3.44.1 ( #1197 )" ( #1255 )
...
This reverts commit 253f833f6c
.
2023-02-22 11:16:05 +01:00
Otto Bittner
d78d22f95a
cli: add config kubernetes-versions
subcommand ( #1224 )
...
Allows users to learn which k8s versions are supported by the
current CLI.
Extend respective docs section.
2023-02-22 09:52:47 +01:00
3u13r
ce09b9dae5
iam: assign uami role to base resource group ( #1247 )
...
* iam: assign uami role to base resource group
* fixup: also change app registration
2023-02-22 09:29:24 +01:00
leongross
51eef675a2
cli: refer to --force and --config flags ( #1205 )
...
* add reference to --config and --force
2023-02-21 16:46:47 +01:00
Otto Bittner
da7a870f54
cli: add --kubernetes
flag ( #1226 )
...
The flag can be used to specify a Kubernetes version
in format MAJOR.MINOR and let the CLI extend the
value with the patch version.
2023-02-21 14:05:41 +01:00
renovate[bot]
477d667360
deps: update Terraform azuread to v2.34.1 ( #1196 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 13:53:18 +01:00
Moritz Sanft
0ba810240f
ci: integrate automatic iam creation in e2e test ( #1158 )
...
* integrate automatic iam creation in e2e test
* fix typo
* break long line comments
* fix semvers
* correct bracing
2023-02-21 12:47:14 +01:00
renovate[bot]
253f833f6c
deps: update Terraform azurerm to v3.44.1 ( #1197 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 10:41:04 +01:00
renovate[bot]
3a1e75837f
deps: update Terraform google-beta to v4.53.1 ( #1199 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 09:22:16 +01:00
renovate[bot]
9a5a7d6852
deps: update Terraform google to v4.53.1 ( #1198 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 09:21:12 +01:00
Paul Meyer
deea806d9c
Improve code sequences with multiple errs
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Paul Meyer
12c866bcb9
deps: replace multierr with native errors.Join
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Otto Bittner
87fdb47caa
cli: upgrade apply uses correct measurements key ( #1223 )
...
Apply still used the obsolete upgrade key's measurements.
The new, desired behavior is to use the Provider's measurements
key
2023-02-20 10:32:33 +01:00
Daniel Weiße
d90828cb3c
Fix incorrect output for single worker/control-plane clusters ( #1209 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-17 08:15:17 +01:00
Fabian Kammel
5e7dc0d7db
Option to disable spinner via environment variable. ( #1207 )
...
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2023-02-16 15:43:19 +01:00
Otto Bittner
50646b2a10
cli: refactor upgrade apply
cmd to match name
...
* `upgrade apply` will try to make the locally configured and
actual version in the cluster match by appling necessary
upgrades.
* Skip image or kubernetes upgrades if one is already
in progress.
* Skip downgrades/equal-as-running versions
* Move NodeVersionResourceName constant from operators
to internal as its needed in the CLI.
2023-02-15 16:44:47 +01:00
Otto Bittner
7db584a88e
cli: move upgradeApply logic into separate functions
...
* introduce handleImageUpgrade & handleServiceUpgrade
* rename cloudUpgrader.Upgrade to UpgradeImage
* remove helm flag
* remove hint about development status
2023-02-15 16:44:47 +01:00
Otto Bittner
91e27ac186
cli: rename upgrade execute
to upgrade apply
2023-02-15 16:44:47 +01:00
Moritz Sanft
84359063fc
cli: add missing gcp values to config ( #1149 )
...
* improve iam value output
* remove duplicate prints
2023-02-15 14:24:52 +01:00
Otto Bittner
33a884d4e4
cli: prefix "v" to cli version in versionCollector
...
No new images will be found unless this is set
2023-02-15 13:36:16 +01:00
renovate[bot]
1732795345
deps: update fedora:37 Docker digest ( #1192 )
...
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-15 13:28:53 +01:00
Otto Bittner
7454b69f13
cli: helm: prepare values for upgrade correctly
...
Previously the chart's values were not set, relying on the
values that are already present in the cluster and reusing
those. This does not work as e.g. the image values
are only set while loading the charts. Also, the templates
are not rendered correctly without all values set.
2023-02-15 11:41:54 +01:00
Otto Bittner
4855b20093
cli: helm: move csp into ChartLoader object
2023-02-15 11:41:54 +01:00
Otto Bittner
1728633646
cli: helm: separate user input from static loading
...
Because values in the charts might change in the future and
some values (like the image) are part of a valid upgrade we
need to load all values for an upgrade.
However, during upgrades we don't want to reapply user
input like the masterSecret. Therefore this patch splits the
application of user input and the static loading of chart values.
2023-02-15 11:41:54 +01:00
Otto Bittner
1c977b3105
cli: add missing logger to versionCollector object ( #1183 )
...
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-02-14 14:46:30 +01:00
Paul Meyer
84a787b538
cli: add name of build type to version cmd output ( #1179 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-14 14:30:10 +01:00
Otto Bittner
8a72df89ad
cli: fix init with k8s version without v prefix ( #1174 )
2023-02-13 11:54:38 +01:00
Moritz Sanft
7410cf8038
cli: fix iam rollback ( #1148 )
...
* AB#2897 rename DestroyCluster
* #AB2897 error if terraform dir exists
* AB#2897 reword DestroyResources
2023-02-13 08:42:54 +01:00
Thomas Tendyck
a076587956
cli: adapt "upgrade check" reference to conventions
2023-02-13 08:34:34 +01:00
Daniel Weiße
90ce320bf5
cli: add option to automatically merge kubeconfig file on init ( #1136 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-10 14:59:44 +01:00
Daniel Weiße
c29107f5be
init: create kubeconfig file with unique user/cluster name ( #1133 )
...
* Generate kubeconfig with unique name
* Move create name flag to config
* Add name validation to config
* Move name flag in e2e tests to config generation
* Remove name flag from create
* Update ascii cinema flow
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-10 13:27:22 +01:00
Moritz Sanft
e01ddc08c2
cli: add debug logging to iam create command ( #1127 )
...
* AB#2787 add debug logging to iam create command
* AB#2787 add test logger
* AB#2787 reword log
* separate debug output with empty line
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
---------
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-02-09 10:37:22 +01:00
Otto Bittner
c275464634
cli: change upgrade-plan to upgrade-check
...
Upgrade check is used to find updates for the current cluster.
Optionally the found upgrades can be persisted to the config
for consumption by the upgrade-execute cmd.
The old `upgrade execute` in this commit does not work with
the new `upgrade plan`.
The current versions are read from the cluster.
Supported versions are read from the cli and the versionsapi.
Adds a new config field MicroserviceVersion that will be used
by `upgrade execute` to update the service versions.
The field is optional until 2.7
A deprecation warning for the upgrade key is printed during
config validation.
Kubernetes versions now specify the patch version to make it
explicit for users if an upgrade changes the k8s version.
2023-02-08 12:30:01 +01:00
Otto Bittner
f204c24174
cli: add version validation and force flag
...
Version validation checks that the configured versions
are not more than one minor version below the CLI's version.
The validation can be disabled using --force.
This is necessary for now during development as the CLI
does not have a prerelease version, as our images do.
2023-02-08 12:30:01 +01:00
Nils Hanke
0331e2dc78
cli: enable jumbo frames for GCP VPCs
2023-02-06 11:07:45 +01:00
Daniel Weiße
f74f589605
ci: add containerized libvirt build workflow ( #1130 )
...
* Add libvirt container build workflow
* Update release workflow
* Update image libvirt base image
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-02 14:40:05 +01:00
Moritz Sanft
6166b52f5d
cli: refactor iam create command ( #1034 )
...
* AB#2788 refactor iam create
* AB#2788 go mod tidy
* AB#2788 encode b64 at runtime
* AB#2788 rename receiver
2023-02-01 11:32:01 +01:00
Otto Bittner
3038b374da
cli: update helm chart render expectations
...
testdata is now expecting the charts to render for ko images.
2023-01-31 11:36:49 +01:00
Otto Bittner
9fc88797d1
cli: use /manager as binary path
...
The change to /ko-app/v2 is incorrect as we are
currently not building ko images for this operator.
2023-01-31 10:35:26 +01:00
leongross
2187aa6cb0
ci: reproducible builds integration ( #1108 )
...
* remove `-ko` suffix from workflows
* integrate into `release.yaml`
* adjust helm charts to use hard coded `ko` binary path
2023-01-30 16:58:49 +01:00
renovate[bot]
a85ba96ac4
deps: update Terraform azurerm to v3.41.0 ( #1097 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:33:32 +01:00
renovate[bot]
38e9ab8254
deps: update Terraform aws to v4.52.0 ( #1096 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:14:17 +01:00
renovate[bot]
b47a2f81a2
deps: update Terraform google to v4.50.0 ( #1098 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:13:44 +01:00
3u13r
6ea6e42519
terraform: make control-planes stateful on gcp ( #1087 )
...
* terraform: make control-planes stateful on gcp
* terraform: lock google-beta provider
2023-01-27 12:59:25 +01:00
Malte Poll
2d326ea3f0
cli: set placeholder uid for QEMU / MiniConstellation ( #1069 )
2023-01-25 14:42:52 +01:00
3u13r
e6ac8e2a91
config: fix digest naming ( #1064 )
...
* config: fix digest naming
2023-01-24 22:20:10 +01:00
github-actions[bot]
9567cc09ce
release: bring back changes from v2.5.0 ( #1061 )
...
* deps: update version to v2.5.0
* attestation: hardcode measurements for v2.5.0
* bump operator versions
Co-authored-by: release[bot] <release[bot]@users.noreply.github.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-01-24 11:35:26 +01:00
3u13r
03154c6e64
docs: document terraform support ( #1037 )
2023-01-23 10:37:28 +01:00
Moritz Sanft
2f2e793810
AB#2834 add go package doc to iamid ( #1054 )
2023-01-23 08:53:25 +01:00
Moritz Sanft
b8648261e3
cli: fix Terraform resource group dependencies ( #1048 )
2023-01-20 18:59:59 +01:00
Paul Meyer
a8cbfd848f
keyservice: use dash in container name ( #1016 )
...
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-01-20 18:51:06 +01:00
renovate[bot]
d4722b434e
Update Terraform aws to v4.50.0 ( #1015 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-19 17:09:01 +01:00
Daniel Weiße
690b50b29d
dev-docs: Go package docs ( #958 )
...
* Remove unused package
* Add Go package docs to most packages
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2023-01-19 15:57:50 +01:00
Otto Bittner
9a1f52e94e
Refactor init/recovery to use kms URI
...
So far the masterSecret was sent to the initial bootstrapper
on init/recovery. With this commit this information is encoded
in the kmsURI that is sent during init.
For recover, the communication with the recoveryserver is
changed. Before a streaming gRPC call was used to
exchanges UUID for measurementSecret and state disk key.
Now a standard gRPC is made that includes the same kmsURI &
storageURI that are sent during init.
2023-01-19 13:14:55 +01:00
Otto Bittner
0e71322e2e
keyservice: move kms code to internal/kms
...
Recovery (disk-mapper) and init (bootstrapper)
will have to work with multiple external KMSes
in the future.
2023-01-19 13:14:55 +01:00
Moritz Sanft
ae2db08f3a
ci: add e2e test for constellation recover ( #845 )
...
* AB#2256 Add recover e2e test
* AB#2256 move test & fix minor objections
* AB#2256 fix path
* AB#2256 rename hacky filename
2023-01-19 10:41:07 +01:00
3u13r
632090c21b
azure: allow a set of idkeydigest values ( #991 )
2023-01-18 16:49:55 +01:00
Nils Hanke
a3db3c8424
cli: debug: various improvements ( #995 )
2023-01-18 13:10:24 +01:00
Thomas Tendyck
f0f109a1ea
verify: use fixed user data
2023-01-17 16:14:00 +01:00
renovate[bot]
4577a5886f
Update Terraform google to v4.48.0 ( #929 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-17 16:01:02 +01:00
Moritz Sanft
e844ceb2b1
cli: adopt Cobra cli reference style ( #997 )
...
* adapt to Cobra CLI ref style
* linting
* change multi-line reference style
* lowercase short descriptions
* Revert "lowercase short descriptions"
This reverts commit 499dc3577a
.
* use 2 newlines on long description and add dots
* mark required flags
* Update cli/internal/cmd/iamcreateaws.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Update cli/internal/cmd/upgradeexecute.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Update cli/internal/cmd/upgradeexecute.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-17 14:01:56 +01:00
Malte Poll
7902dc470f
cli: use non-authoritative methods to manage iam policy memberships ( #989 )
...
- google_project_iam_binding -> google_project_iam_member
2023-01-16 18:08:57 +01:00
Otto Bittner
90b88e1cf9
kms: rename kms to keyservice
...
In the light of extending our eKMS support it will be helpful
to have a tighter use of the word "KMS".
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
2023-01-16 11:56:34 +01:00
Malte Poll
7bf7286242
cli: include search paths for image info json in error message printed to user ( #963 )
2023-01-13 10:15:49 +01:00
Nils Hanke
b3c3c2fa8c
qemu: remove registry_auth for Docker Terraform module ( #957 )
2023-01-12 15:47:50 +01:00
Moritz Sanft
64ec0408da
cli: automatically add iam values to config ( #782 )
...
* AB#2706 Automatically add IAM values to config
2023-01-12 11:35:26 +01:00
Fabian Kammel
82a0fcbb9d
upgrade: fix broken reference from constellation-os to constellation-version ( #939 )
...
* update constellation-os to constellation-version references
* update nodeimage to nodeversion in CRD type name
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-01-11 16:07:07 +01:00
release[bot]
e8fad4b7f9
Update version to v2.4.0
2023-01-11 11:10:44 +01:00
Leonard Cohnen
2700d5182b
operator: reconcile kubernetesClusterVersion
2023-01-09 12:16:54 +01:00
Paul Meyer
fa85150f3e
hack: move terraform readmes into cli
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-09 11:49:00 +01:00
renovate[bot]
3d6b11e7cb
Update Terraform azurerm to v3.38.0 ( #895 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 16:28:04 +01:00
renovate[bot]
19b3d68c8a
Update Terraform aws to v4.49.0 ( #894 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 16:27:40 +01:00
renovate[bot]
ab626ca311
Update Terraform docker to v2.25.0 ( #880 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 15:18:38 +01:00
Paul Meyer
66f2c446a4
versionsapi: replace shortname pkg
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 10:15:27 +01:00
Otto Bittner
075a0e0ad6
cli: ask user to confirm cert-manager upgrades
2023-01-05 17:19:05 +01:00
Otto Bittner
e7c7e35f51
cli: create backups for CRDs and their resources
...
These backups could be used in case an upgrade
misbehaves after helm declared it as successful.
The manual backups are required as helm-rollback
won't touch custom resources and changes to CRDs
delete resources of the old version.
2023-01-05 16:52:06 +01:00
Leonard Cohnen
620436626b
operator: add cluster version to nodeversion
2023-01-05 14:52:09 +01:00
Leonard Cohnen
9bfe2a81ed
cli: fix nodeversion crd name
2023-01-05 14:52:09 +01:00
Leonard Cohnen
25c3a8a1f3
init: add cluster version to kubernetes components
2023-01-05 14:52:09 +01:00
Paul Meyer
f9458950cb
versionsapi: change image path ( #856 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 17:07:16 +01:00
Paul Meyer
35d720e657
cli: deactivate spinner for debug logging
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 12:17:08 +01:00
Paul Meyer
3c24e3fa01
cli: move image package into cli
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 11:39:19 +01:00
Paul Meyer
22f43d32dd
versionsapi: use new fetcher in upgrade-plan cmd
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 11:39:19 +01:00
Paul Meyer
f43b653231
versionsapi: backup old API
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 11:39:19 +01:00
Alex Darby
97c72f5f32
cli: add verbose debug logging ( #809 )
...
* feat: add debug logging for init command
* feat: add debug logging to recover command
* feat: add debug logging for configfetchmeasurements
* feat: add debug logging for config generate
* feat: added debug logging for miniup command
* feat: add debug logging for upgrade command
* feat: add debug logging for create command
2023-01-04 10:46:29 +01:00
renovate[bot]
7c017e2b67
Update Terraform azurerm to v3.37.0 ( #849 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-03 14:47:44 +01:00
3u13r
f14af0c3eb
upgrade: support Kubernetes components ( #839 )
...
* upgrade: add Kubernetes components to NodeVersion
* update rfc
2023-01-03 12:09:53 +01:00
renovate[bot]
806f6b70dd
Update module github.com/talos-systems/talos/pkg/machinery to v1.3.1 ( #844 )
...
* Update module github.com/talos-systems/talos/pkg/machinery to v1.3.1
* Rename talos-systems/talos to siderolabs/talos
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-02 13:33:56 +01:00
renovate[bot]
d88f144806
Update Terraform libvirt to v0.7.1 ( #830 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-30 14:24:54 +01:00
renovate[bot]
cbc34b73ec
Update Terraform google to v4.47.0 ( #843 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-30 14:04:00 +01:00
renovate[bot]
320c24e778
Update Terraform aws to v4.48.0 ( #842 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-30 14:02:44 +01:00
3u13r
473e16feb2
image: add upgrade-agent ( #827 )
2022-12-29 17:50:11 +01:00
3u13r
0297aed1ea
join: deprecate components migration fallback ( #833 )
2022-12-29 14:51:26 +01:00
Daniel Weiße
942d11a4c8
Only upgrade helm releases if versions changed ( #818 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-12-22 12:30:04 +01:00
Otto Bittner
efcd0337b4
Microservice upgrades ( #729 )
...
Run with: constellation upgrade execute --helm.
This will only upgrade the helm charts. No config is needed.
Upgrades are implemented via helm's upgrade action, i.e. they
automatically roll back if something goes wrong. Releases could
still be managed via helm, even after an upgrade with constellation
has been done.
Currently not user facing as CRD/CR backups are still in progress.
These backups should be automatically created and saved to the
user's disk as updates may delete CRs. This happens implicitly
through CRD upgrades, which are part of microservice upgrades.
2022-12-19 16:52:15 +01:00
renovate[bot]
fd640afe96
Update Terraform google to v4.46.0 ( #798 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-14 19:15:51 +01:00
renovate[bot]
868d911918
Update fedora:37 Docker digest to 99aa891 ( #797 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-14 10:38:00 +01:00
Paul Meyer
c741ccfb4b
kubernetes: use new registry
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-13 16:08:19 +01:00
Malte Poll
c3b657de01
Bump version to v2.3.0
2022-12-12 17:45:35 +01:00
3u13r
c993cd6800
join: synchronize control plane joining ( #776 )
...
* join: synchronize control plane joining
2022-12-09 18:30:20 +01:00
renovate[bot]
85f9d62a9f
Update Terraform azurerm to v3.35.0 ( #768 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-09 15:21:13 +01:00
renovate[bot]
4ec2fceeef
Update Terraform aws to v4.46.0 ( #767 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-09 15:13:09 +01:00
renovate[bot]
4e6f88c355
Update gcr.io/kubebuilder/kube-rbac-proxy Docker tag to v0.13.1
2022-12-09 14:30:39 +01:00
Malte Poll
4a8ebfd921
OS images: use "ref", "stream" and "version"
...
Switch azure default region to west us
Update find-image script to work with new API spec
Add version for every os image build
generate measurements: Use new API paths
CLI: config fetch measurements: Use image short versions to fetch measurements
CLI: allows shortnames to specify image in config
Image build pipeline: Change paths to contain "ref" and "stream"
2022-12-09 13:37:43 +01:00
Paul Meyer
f23a2fe073
hack: implement new api for add-version script
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-09 13:37:43 +01:00
Daniel Weiße
d356a40bc3
Pull in CSI chart from release tag ( #757 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-12-09 08:32:58 +01:00
renovate[bot]
9d0d561726
Update Terraform google to v4.45.0 ( #742 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-08 15:59:15 +01:00
Leonard Cohnen
a1161ae05d
k8supdates: label nodes with k8s component hash
2022-12-08 11:19:22 +01:00
Moritz Sanft
286803fb97
AB#2579 Add constellation iam create command ( #624 )
2022-12-07 11:48:54 +01:00
Moritz Sanft
85e7b836a3
AB#2651 Compatibility warning for MiniConstellation ( #713 )
2022-12-07 10:20:01 +01:00
Daniel Weiße
dea05c45bc
Use csi chart from release tag ( #727 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-12-07 08:19:44 +01:00
renovate[bot]
364db78420
Update Terraform azurerm to v3.34.0 ( #726 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-06 13:42:49 +01:00
renovate[bot]
59076b0664
Update Terraform aws to v4.45.0 ( #710 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-05 16:35:38 +01:00
Paul Meyer
9c9c8e3d46
versionsapi: rename package
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-02 18:49:17 +01:00
Leonard Cohnen
0c71cc77f6
joinservice: use configmap for k8s components
2022-12-02 14:34:38 +01:00
renovate[bot]
68bf23b760
Update Terraform aws to v4.44.0 ( #702 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-01 18:46:31 +01:00
Otto Bittner
a20b5461aa
Make loader tests more precise
...
Until now the loader tests did not detect if a file in testdata existed,
but was missing from the actual results. This patch fixes the problem.
It also removes various files that are not needed.
The testdata folder now represents which files end up in a cluster 1:1.
2022-12-01 12:15:32 +01:00
Otto Bittner
c05d1589f8
Bring in CSI driver changes from upstream
2022-12-01 12:15:32 +01:00
Paul Meyer
b93b24e058
debugd: add logcollector
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 16:26:25 +01:00
Malte Poll
9537fb73c0
use constants for default CDN paths
2022-11-30 12:35:12 +01:00
Malte Poll
9bccf26ccf
move update api
2022-11-30 12:35:12 +01:00
Malte Poll
ebf852b3ba
Add image update API and use for "upgrade plan"
2022-11-30 12:35:12 +01:00
renovate[bot]
fe74c937b9
Update Terraform azurerm to v3.33.0 ( #678 )
...
* Update Terraform azurerm to v3.33.0
* [bot] Update HCL lock files
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-11-30 11:41:31 +01:00
renovate[bot]
7c744c0837
Update Terraform aws to v4.43.0 ( #672 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 11:22:09 +01:00
renovate[bot]
fffd2b79f2
Update Terraform google to v4.44.1 ( #666 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-29 14:45:07 +01:00
renovate[bot]
9d6d9f0a40
Update Terraform docker to v2.23.1 ( #645 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-11-29 13:06:36 +01:00
Otto Bittner
fc8a2be843
Use ChartLoader to set operator deployment images
...
This allows the (operator) unittests to use dummy values instead of
relying on the real image string from versions.go.
2022-11-29 10:36:55 +01:00
Leonard Cohnen
3b6bc3b28f
initserver: add client verification
2022-11-28 19:34:02 +01:00
Otto Bittner
038ea5fade
Add helm's quote function to various fields
...
The constellationUID is sometimes interpreted as integer if it contains
0e, as the yaml parsing interprets that as scientific notation.
Since it is a best practices to quote string fields anyways this patch
also quotes other fields where an actual string is required.
2022-11-28 11:35:47 +01:00
Daniel Weiße
d52f3db2a3
AB#2644 Fetch measurements from CDN ( #653 )
...
* Fetch measurements from CDN
* Perform metadata validation on fetched measurements
* Remove deprecated public bucket
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-28 10:27:33 +01:00
Leonard Cohnen
c978329839
helm: fix expected helm charts
2022-11-27 16:43:50 +01:00
Leonard Cohnen
865cd53856
helm: remove non-existent field in operator
2022-11-27 16:43:34 +01:00
Otto Bittner
18fe34c58b
loader_test now compares all documents in one file
...
Previously only the first document was compared due to
an issue in testify.
Also update testdata to match the adjusted expectations.
2022-11-25 18:07:40 +01:00
Malte Poll
1af3ff00ad
Constellation Operator: Add image version field ( #649 )
2022-11-25 14:49:26 +01:00
Daniel Weiße
1968dfe70c
Add warning about non retriable error during init ( #644 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-25 10:02:12 +01:00
Daniel Weiße
67d0424f0e
AB#2639 Add functions to fetch k8s and helm version of Constellation ( #637 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-24 16:39:33 +01:00
Daniel Weiße
f8001efbc0
Refactor enforced/expected PCRs ( #553 )
...
* Merge enforced and expected measurements
* Update measurement generation to new format
* Write expected measurements hex encoded by default
* Allow hex or base64 encoded expected measurements
* Allow hex or base64 encoded clusterID
* Allow security upgrades to warnOnly flag
* Upload signed measurements in JSON format
* Fetch measurements either from JSON or YAML
* Use yaml.v3 instead of yaml.v2
* Error on invalid enforced selection
* Add placeholder measurements to config
* Update e2e test to new measurement format
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-24 10:57:58 +01:00
Otto Bittner
da1af3f37e
Fix type for cert-manager verbose flag
2022-11-23 18:37:36 +01:00
Malte Poll
575b6e93f6
CLI: use global image version field
...
- Restructure config by removing CSP-specific image references
- Add global image field
- Download image lookup table on create
- Download QEMU image on QEMU create
2022-11-23 15:47:46 +01:00
Otto Bittner
3e71459898
AB#2635: Deploy Konnectivity via Helm
2022-11-23 12:21:08 +01:00
Otto Bittner
7283eeb798
AB#2636: Deploy gcp-guest-agent via Helm
2022-11-23 12:21:08 +01:00
Otto Bittner
9b75d651fc
Run cert-manager startupapicheck with verbose flag
2022-11-23 11:16:16 +01:00
Leonard Cohnen
1e98b686b6
kubernetes: verify Kubernetes components
2022-11-23 10:48:03 +01:00
Otto Bittner
2c9ddbc6e7
Remove unused LoadConfig type
2022-11-23 08:49:22 +01:00
Otto Bittner
6b2d9d16f8
Remove obsolote revive comments
2022-11-23 08:35:12 +01:00
renovate[bot]
d8c553207b
Update Terraform google to v4.44.0 ( #622 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-22 14:30:40 +01:00
Daniel Weiße
b915d03487
AB#2615 Update docs to new CSI installation method ( #606 )
...
* Update docs to new CSI installation method
* Fix invalid volume expansion option
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-11-22 09:36:08 +01:00
Otto Bittner
1362e40f53
Surpress argument-limit errors and add TODO. ( #603 )
2022-11-21 17:31:01 +01:00
Otto Bittner
adc09a1ad1
AB#2593: Deploy verification service via Helm ( #594 )
2022-11-21 17:06:41 +01:00
Daniel Weiße
1f9b6ba90f
Add debug logging for verify command ( #610 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-21 17:02:33 +01:00
Otto Bittner
bdd9dd922b
AB#2589: Deploy operators via Helm ( #575 )
...
* Only deploy operators on GCP/Azure.
* cert-manager is now deployed by default (GCP/Azure)
* remove OLM
2022-11-21 10:35:40 +01:00
Daniel Weiße
9aa9c1bb49
AB#2275 Add azuredisk CSI driver ( #548 )
...
* Add azuredisk CSI driver
* Update Changelog
* Update chart using go generate
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-18 15:47:01 +01:00
renovate[bot]
54ef6d21f4
Update Terraform aws to v4.40.0 ( #586 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-18 15:41:02 +01:00
renovate[bot]
86b03bf08e
Update Terraform azurerm to v3.32.0 ( #588 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-18 14:57:34 +01:00
Malte Poll
9d4172002c
Upgrade container images to Fedora 37
2022-11-18 10:37:45 +01:00
Malte Poll
74aabe86fa
Move PCR[8] -> PCR[12]
2022-11-18 10:37:45 +01:00
Fabian Kammel
56dccb77b4
Merge back changes from v2.2.2 release ( #580 )
...
* prepare v2.2.2 release and update release.md
* Updated QEMU measurements
* Terraform GCP: Always use the local account for resource creation (#571 )
* CoreOS is no longer used, change docs to OS.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-11-18 10:24:45 +01:00
Daniel Weiße
b966f57a2f
AB#2554 GCP CSI driver deployment ( #532 )
...
* Allow enabling/disabling of CSI driver through config
* Fix inconsistent namespace parsing
* Deploy GCP CSI driver on init
* Update invalid pod tolerations
* Add generate script for CSI charts
* Update generateCilium script
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-18 10:05:02 +01:00
Fabian Kammel
feae4a86bc
reserve enough time for stable tests ( #564 )
...
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-17 17:30:35 +01:00
renovate[bot]
b7852665f3
Update Terraform google to v4.43.1 ( #576 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-17 16:44:33 +01:00
Nils Hanke
6e5895f200
User-friendlier errors
2022-11-17 13:49:34 +01:00
Nils Hanke
e1d8926395
Terraform: Only rollback after we fully created the workspace
2022-11-17 13:49:34 +01:00
Nils Hanke
19fb6f1233
Make AWS vars passing consistent with other CSPs
2022-11-17 13:49:34 +01:00
Nils Hanke
158dfe0e2b
Remove unused name parameter in CreateCluster
2022-11-17 13:49:34 +01:00
Nils Hanke
b9b618a1f0
Terraform: Try to init before destroy
2022-11-17 13:49:34 +01:00
Nils Hanke
f27af5b588
Terraform: Make variables writing retryable
2022-11-17 13:49:34 +01:00
Nils Hanke
e93527144e
Terraform: Try to use existing files on partially unpacked workspace
2022-11-17 13:49:34 +01:00
Nils Hanke
4a2cba988c
Create separate Terraform workspace directory
2022-11-17 13:49:34 +01:00
Malte Poll
df0cd43f92
Terraform GCP: Always use local account for resource creation ( #571 )
...
* Terraform GCP: Always use local account for resource creation
* Update CHANGELOG
2022-11-17 10:33:36 +01:00
Fabian Kammel
ca4764c466
Merge v2.2.1 changes back to main ( #563 )
...
* Bump version to v2.2.0
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Fix release detection in pipeline
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Update CHANGELOG for 2.2.1
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
* bump constellation versions to 2.2.1
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-11-16 11:13:10 +01:00
Leonard Cohnen
d86d82d2d4
helm: go generate
2022-11-15 18:24:07 +01:00
Fabian Kammel
bb76a4e4c8
AB#2512 Config secrets via env var & config refactoring ( #544 )
...
* refactor measurements to use consistent types and less byte pushing
* refactor: only rely on a single multierr dependency
* extend config creation with envar support
* document changes
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-15 15:40:49 +01:00
renovate[bot]
5009de823f
Update Terraform aws to v4.39.0 ( #538 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-14 10:35:26 +01:00
renovate[bot]
7bcd4b2f73
Update Terraform azurerm to v3.31.0 ( #539 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-14 10:34:54 +01:00
Daniel Weiße
a07cab4b97
Update go-tpm dependency ( #533 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-14 09:02:56 +01:00
Paul Meyer
7aa7492474
Fix shellcheck warnings
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-11 13:40:13 +01:00
Nils Hanke
db27a6a0dd
Increase timeout for fetch-measurements
2022-11-11 11:38:50 +01:00
Fabian Kammel
b92b3772ca
Remove access manager ( #470 )
...
* remove access manager from code base
* document new node ssh workflow
* keep config backwards compatible
* slow down link checking to prevent http 429
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-11 08:44:36 +01:00
Nils Hanke
d41174659b
Print "Initializing cluster..." on stderr
2022-11-10 17:51:14 +01:00
Nils Hanke
bc584d61fa
Switch spinner TTY detection to stderr
2022-11-10 17:51:14 +01:00
Fabian Kammel
81a5907f26
consistently use stdout and stderr ( #502 )
...
* consistently use stdout and stderr
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-10 10:27:24 +01:00
Fabian Kammel
0d12e37c96
Document exported funcs,types,interfaces and enable check. ( #475 )
...
* Include EXC0014 and fix issues.
* Include EXC0012 and fix issues.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2022-11-09 15:57:54 +01:00
Daniel Weiße
c9873f2bfb
AB#2523 Refactor GCP metadata/cloud API ( #387 )
...
* Refactor GCP metadata/cloud API
* Remove cloud controller manager from metadata package
* Remove PublicIP
* Move shared cloud packages
* Remove dead code
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-09 14:43:48 +01:00
Malte Poll
97bb0f4a91
Update terraform lock files to include hashes for all platforms ( #499 )
...
- linux_arm64
- linux_amd64
- darwin_arm64
- darwin_amd64
- windows_amd64
2022-11-09 14:23:51 +01:00
renovate[bot]
9191f8ac61
Update Terraform docker to v2.23.0 ( #495 )
...
* Update Terraform docker to v2.23.0
* Readd removed terraform lock hashes
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-11-09 13:35:17 +01:00
renovate[bot]
0e34d35404
Update Terraform google to v4.43.0 ( #484 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-09 10:30:02 +01:00
renovate[bot]
b8acb5e448
Update Terraform aws to v4.38.0 ( #464 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-08 18:34:45 +01:00
Daniel Weiße
011f9c597d
Bring in changes from release branch ( #479 )
...
* Bump version to v2.2.0
* Update changelog
* Fix release detection in pipeline
* Fix PKI selection in pipeline
* Set enforced measurements for AWS
* Update default images
* Fix release docs
* Update mini-con defaults
* Fix measurements action
* Fix syft env variable naming
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-08 18:32:59 +01:00
Nils Hanke
ee55584b90
AWS: Apply security group to worker nodes
2022-11-08 11:22:06 +01:00
Malte Poll
41668d50c2
Add recovery loadbalancer on AWS
2022-11-08 00:07:04 +01:00
Nils Hanke
759c626e0f
AWS: Don't expose SSH debugging ports on the LB
2022-11-07 13:57:22 +01:00
Malte Poll
fa6dfdff4f
Mark externally managed terraform resources to make infrastructure terraform appliable throughout its lifetime ( #442 )
...
* Mark externally managed terraform resources to make infrastructure terraform appliable throughout its lifetime
* Use correct field for nat gateway
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-07 11:04:10 +01:00
Malte Poll
ed58fcccd3
CI: Add secure boot prod keys ( #462 )
...
* Add production secure boot keys
* Refactor OS build and upload settings
2022-11-04 16:48:52 +01:00
3u13r
309a4b5196
cli: remove debug env check for AWS ( #460 )
2022-11-04 15:31:51 +01:00
Fabian Kammel
04d0c770af
limit aws cluster name len ( #454 )
...
* limit aws cluster name len down to 10, 32-character name limit in AWS
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-04 13:35:32 +01:00
Nils Hanke
19fd3a351a
Make azureCVMRxp in upgradeplan.go case-insensitive
2022-11-04 12:57:24 +01:00
Nils Hanke
4d9fbdb3d3
CI: Use lowercase image name for fetching measurements
2022-11-04 12:57:24 +01:00
renovate[bot]
b89fae8062
Update Terraform azurerm to v3.30.0 ( #452 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-04 12:34:03 +01:00
renovate[bot]
44b1a92d6b
Update fedora Docker digest to 455fec9 ( #447 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Nirusu <Nirusu@users.noreply.github.com>
2022-11-04 11:49:41 +01:00
renovate[bot]
f71073a77f
Update Terraform google to v4.42.1 ( #434 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-04 10:14:13 +01:00
Otto Bittner
f164af29cf
AB#2583: deploy autoscaler via helm ( #438 )
2022-11-03 16:42:19 +01:00
Leonard Cohnen
0d0191ba4d
aws: make CCM work
2022-11-02 23:29:04 +01:00
Leonard Cohnen
58d083a433
cli: pass AWS state disk type to terraform
2022-11-02 23:29:04 +01:00
Leonard Cohnen
dd007f4772
metadata: move subnetCIDR to InstanceMetadata
2022-11-02 23:29:04 +01:00
Leonard Cohnen
0cdc7886ee
metadata: don't use podCIDR for Azure CCM setup
2022-11-02 23:29:04 +01:00
Leonard Cohnen
be2b38f2ac
terraform: use HTTPS health check for AWS
2022-11-02 23:29:04 +01:00
Leonard Cohnen
7e385c4c86
terraform: use AWS launch templates
2022-11-02 23:29:04 +01:00
Leonard Cohnen
3dce7de0f1
helm chart loader: increase error verbosity
2022-11-02 23:29:04 +01:00
Leonard Cohnen
cc38506ffa
cli: AWS does not use a service account
2022-11-02 23:29:04 +01:00
Leonard Cohnen
015b12d8ff
attestation: use AWS attestation
2022-11-02 23:29:04 +01:00
Leonard Cohnen
37e8f5fc28
cilium: AWS support
2022-11-02 23:29:04 +01:00
Nils Hanke
8d097424a1
Remove separate function for yesFlag in terminate
2022-11-02 18:18:30 +01:00
Nils Hanke
ad871d1993
Prompt before termination
2022-11-02 18:18:30 +01:00
Nils Hanke
c922136cd4
Fix typos
2022-11-02 18:18:30 +01:00
Otto Bittner
e363f03240
AB#2582: deploy CNM via Helm ( #423 )
2022-11-02 17:47:10 +01:00
Leonard Cohnen
741684843c
terraform: fix azure password constraints
2022-11-02 09:57:54 +01:00
Otto Bittner
30bdbd9b85
Add helm unittests ( #380 )
2022-10-31 19:25:02 +01:00
renovate[bot]
c9e6b4c5b6
Update Terraform azurerm to v3.29.1 ( #405 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-31 10:45:56 +01:00
Daniel Weiße
79f52e67cb
Update go-tpm-tools to fix AWS PCR selection ( #390 )
...
* Update go-tpm-tools to fix AWS PCR selection
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Ignore leaking glog go routine
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-28 17:57:24 +02:00
Paul Meyer
86906ac536
Use atomic.Bool, added in Go 1.19
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-28 16:06:53 +02:00
Otto Bittner
091e3b2b2b
AB#2538: deploy CCM via Helm
...
Also move helmloader interface/stubs
2022-10-27 18:12:47 +02:00
Otto Bittner
009b2e67e3
Use .Release.Namespace instead of namespace value
2022-10-27 18:12:47 +02:00
Nils Hanke
34f729ccd2
Case insensitive replace for every user input that could break azurerm
2022-10-27 11:35:14 +02:00
Daniel Weiße
e66cb84d6e
AB#2532 Dont clean up workspace if rollback fails ( #360 )
...
* Dont clean up workspace if rollback fails
* Remove dependency on CSP from terminate
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-26 15:57:00 +02:00
Paul Meyer
c05b22f1dc
Remove dead code ( #373 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-26 10:29:28 +02:00
Malte Poll
fa63e51370
Fix "enforceIdKeyDigest" capitalization ( #369 )
...
* Fix "enforceIdKeyDigest" capitalization
* Convert "enforceIdKeyDigest" to string for config map
2022-10-25 16:29:28 +02:00
Malte Poll
2d121d9243
Replace interface{} -> any ( #370 )
2022-10-25 15:51:23 +02:00
Malte Poll
7592143a69
Join-service helm chart: use correct casing for provider name ( #368 )
2022-10-25 13:21:27 +02:00
Malte Poll
52f140a968
Pin terraform provider hashes ( #361 )
2022-10-25 10:10:46 +02:00
Daniel Weiße
b35b74b772
Use tags for UID and role parsing ( #242 )
...
* Apply tags to all applicable GCP resources
* Move GCP UID and role from VM metadata to labels
* Adjust Azure tags to be in line with GCP and AWS
* Dont rely on resource name to find resources
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-24 16:58:21 +02:00
Otto Bittner
c2814aeddb
AB#2504: Deploy join-service via helm ( #358 )
2022-10-24 12:23:18 +02:00
Daniel Weiße
c82d5ccba9
Hide cursor and fix dots ( #217 )
...
* Hide cursor and fix dots spinner
* Allow restarting of spinner
* Don't spin on non TTY output
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-21 14:26:42 +02:00
Nils Hanke
04c4cff9f6
AB#2436: Initial support for create/terminate AWS NitroTPM instances
...
* Add .DS_Store to .gitignore
* Add AWS to config / supported instance types
* Move AWS terraform skeleton to cli/internal/terraform
* Move currently unused IAM to hack/terraform/aws
* Print supported AWS instance types when AWS dev flag is set
* Block everything aTLS related (e.g. init, verify) until AWS attestation is available
* Create/Terminate AWS dev cluster when dev flag is set
* Restrict Nitro instances to NitroTPM supported specifically
* Pin zone for subnets
This is not great for HA, but for now we need to avoid the two subnets
ending up in different zones, causing the load balancer to not be able
to connect to the targets.
Should be replaced later with a better implementation that just uses
multiple subnets within the same region dynamically
based on # of nodes or similar.
* Add AWS/GCP to Terraform TestLoader unit test
* Add uid tag and create log group
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-10-21 12:24:18 +02:00
Otto Bittner
07f02a442c
Refactor Helm deployments ( #341 )
...
* Wrap KMS deployment in one main chart that
deploys all other services. Other services will follow.
* Use .tgz via helm-package as serialization format
* Change Release type to carry chart as byte slice
* Remove KMSConfig
* Use json-schema to validate values
* Extend release.md to mention updating helm charts
2022-10-21 12:01:28 +02:00
Malte Poll
f3d78a573f
Disable Azure VM agent and report VM as ready
2022-10-21 11:04:25 +02:00
Malte Poll
ed9acef9d4
Upgrade terraform azure provider to 3.28.0
2022-10-21 11:04:25 +02:00
Malte Poll
743f5fa627
Remove all traces of CoreOS from the codebase
2022-10-21 11:04:25 +02:00
Malte Poll
3b6ee703f5
Move PCR indices for owner ID and cluster ID
2022-10-21 11:04:25 +02:00
Malte Poll
34367ea3cc
Create mkosi image build pipeline
2022-10-21 11:04:25 +02:00
Daniel Weiße
085f7b1a2a
Prompt user for confirmation before overwriting config
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-20 15:35:31 +02:00
Otto Bittner
c6ccee1250
AB#2490: deploy KMS via Helm
...
* Bundle helm-install related code in speparate package
* Move cilium installation to new helm package
2022-10-18 13:33:37 +02:00
Otto Bittner
62168bbf98
AB#2490: Add KMS helm chart
...
* Also run helm-lint in CI now
2022-10-18 13:33:37 +02:00
renovate[bot]
9af0640aad
Update Terraform azurerm to v3.27.0 ( #301 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-18 11:54:29 +02:00
Paul Meyer
01df06e142
Use HTTPS for kube lb health check on Azure ( #305 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-18 11:46:22 +02:00
renovate[bot]
c85dc674ba
Update Terraform libvirt to v0.7.0 ( #304 )
...
* Update Terraform libvirt to v0.7.0
* Use disk block
* Remove nulled disk options
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-10-18 11:24:43 +02:00
renovate[bot]
0c0a83550d
Update Terraform google to v4.41.0 ( #302 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-18 08:30:24 +02:00
Daniel Weiße
f068e50dee
Attestation logging ( #275 )
...
* Add section for checking joinservice logs
* Add logging for attestation validation
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-14 16:29:21 +02:00
Malte Poll
0c65e41dae
Use worker count to create workers on azure (instead of control plane count)
2022-10-14 14:44:08 +02:00
github-actions[bot]
74c3c93dec
Update CLI reference ( #248 )
...
Co-authored-by: katexochen <49727155+katexochen@users.noreply.github.com>
2022-10-14 10:48:20 +02:00
renovate[bot]
b8d8562a6f
Update Terraform random to v3.4.3
2022-10-14 09:13:35 +02:00
Paul Meyer
282117666e
Fix Azure Terraform for non-CVMs ( #251 )
2022-10-13 16:35:55 +02:00
katexochen
4b2dd1317a
Normalize URIs for azurerm Terraform provider
2022-10-13 15:29:29 +02:00
katexochen
1556e239ca
Remove state file
2022-10-13 15:29:29 +02:00
katexochen
0d1fd8fb2a
Remove Azure client from CLI
2022-10-13 15:29:29 +02:00
katexochen
f4af9c56f5
Use Terraform for create Azure
2022-10-13 15:29:29 +02:00
katexochen
98a16b2b47
Create Terraform module for Azure
...
Co-authored-by: Benedict Schlueter <bs@edgeless.systems>
2022-10-13 15:29:29 +02:00
katexochen
a4a61e98ee
Fix Terraform validation errors
2022-10-13 14:54:19 +02:00
Fabian Kammel
57b8efd1ec
Improve measurements verification with Rekor ( #206 )
...
Fetched measurements are now verified using Rekor in addition to a signature check.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-10-11 13:57:52 +02:00
Paul Meyer
1c29638421
Use env to find bash in shebang ( #225 )
2022-10-10 14:21:17 +02:00
katexochen
10004875f4
Add spinner interrrupt for rollback
2022-10-10 13:43:15 +02:00
Daniel Weiße
0edae36e43
AB#2426 Mini Constellation ( #198 )
...
* Mini Constellation commands to quickly deploy a local Constellation cluster
* Download libvirt container image if not present locally
* Fix libvirt KVM permission issues by creating kvm group using host GID inside container
* Remove QEMU specific values from state file
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Nils Hanke <nils.hanke@outlook.com>
2022-10-07 09:38:43 +02:00
Leonard Cohnen
92618d5284
align load balancer timeout
2022-10-07 03:38:05 +02:00
Paul Meyer
b668b8ed2b
Reduce activation indication movement ( #215 )
2022-10-06 11:20:01 +02:00
Fabian Kammel
369480a50b
Feat/revive ( #212 )
...
* enable revive as linter
* fix var-naming revive issues
* fix blank-imports revive issues
* fix receiver-naming revive issues
* fix exported revive issues
* fix indent-error-flow revive issues
* fix unexported-return revive issues
* fix indent-error-flow revive issues
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-10-05 15:02:46 +02:00
Daniel Weiße
2ea695896f
AB#2439 Containerized libvirt ( #191 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-05 09:11:30 +02:00
Valentyn Yukhymenko
abe40de3e5
Activity indicator for init command ( #207 )
...
* first version of spinner
- implemented class with basic method
- covered with dummy test
- integrated with init command
* Style and license remarks
* fixed review remarks
* fixed typo + integration of spinner with terminate command
* integration of spinner with create command
2022-10-04 18:17:05 +02:00
katexochen
f69db6f26e
Enable serial port in debug mode
2022-09-30 16:50:52 +02:00
katexochen
9a96f2ffe1
No public IPs for GCP instances
2022-09-30 16:50:52 +02:00
katexochen
ccbc3d9123
Remove exposure of qemu ip_range_start value
2022-09-30 16:50:52 +02:00
katexochen
feffe40987
Remove GCP client from CLI
2022-09-30 16:50:52 +02:00
katexochen
d973740b03
Use Terraform for create on GCP
2022-09-30 16:50:52 +02:00
Daniel Weiße
804c173d52
Use terraform in CLI to create QEMU cluster ( #172 )
...
* Use terraform in CLI to create QEMU cluster
* Dont allow qemu creation on os/arch other than linux/amd64
* Allow usage of --name flag for QEMU resources
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-09-26 15:52:31 +02:00
Daniel Weiße
30f0554168
AB#2262 Automatic recovery ( #158 )
...
* Update `constellation recover` to be fully automated
* Update recovery docs
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-09-26 09:57:40 +02:00
katexochen
ba6e41ed5c
Upgrade go module to v2
2022-09-22 09:10:19 +02:00
katexochen
88d200232a
Remove autoscaling from CLI and bootstrapper
2022-09-20 13:41:23 +02:00
3u13r
774e300a32
Constellation conformance mode ( #161 )
...
* add conformance mode
2022-09-20 10:07:55 +02:00
Daniel Weiße
9c00f4efc2
Enable GCP serial console for debug mode ( #162 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-09-19 15:21:33 +02:00
Thomas Tendyck
72d5aa7558
docs: fix command in trusted launch workflow and add fetch-measurements
2022-09-14 18:26:41 +02:00
Daniel Weiße
e367e1a68b
AB#2261 Add loadbalancer for control-plane recovery ( #151 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-09-14 13:25:42 +02:00
Daniel Weiße
1f4fb3feda
Fix manifest url ( #128 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-09-12 14:33:08 +02:00
Thomas Tendyck
0952435e25
fix some doc links
2022-09-12 13:09:55 +02:00
Thomas Tendyck
4b36d3a930
cli: minor improvements of output
2022-09-12 12:56:29 +02:00
Thomas Tendyck
d83a5f8693
cli verify: remove ownerid
2022-09-12 08:50:36 +02:00
Thomas Tendyck
53560ca6c5
cli verify: revert flow change to print correct errors again
2022-09-12 08:50:36 +02:00
Thomas Tendyck
ab45d5fbfe
tidy config
2022-09-12 08:49:51 +02:00
Leonard Cohnen
7163c161b6
Deploy Konnectivity
2022-09-09 17:26:02 +02:00
Thomas Tendyck
a85777fd02
enforce pcr4
2022-09-08 17:34:12 +02:00
Daniel Weiße
8cb155d5c5
AB#2260 Refactor disk-mapper recovery ( #82 )
...
* Refactor disk-mapper recovery
* Adapt constellation recover command to use new disk-mapper recovery API
* Fix Cilium connectivity on rebooting nodes (#89 )
* Lower CoreDNS reschedule timeout to 10 seconds (#93 )
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-09-08 14:45:27 +02:00
Nils Hanke
ce0edc8c80
Purge provider argument from constellation create and verify
2022-09-08 13:38:24 +02:00
Moritz Eckert
fb5faa681c
Add provider to license check ( #88 )
2022-09-08 11:02:04 +02:00
Fabian Kammel
e3ede64ae6
Document trusted launch on Azure ( #48 )
...
* Document trusted launch usage for Azure
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
* there is no valid link because there is no valid release yet
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
* fix link
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
* fix linter issues
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
* improve
* importAzure.sh: print final image ID
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2022-09-07 15:05:24 +02:00
Nils Hanke
30725bb0c6
Warn when a debug cluster is created
2022-09-07 13:27:15 +02:00
Nils Hanke
fe70231f2a
Rename IsImageDebug -> IsDebugImage for consistency
2022-09-07 13:27:15 +02:00
Nils Hanke
72d4456b3f
GCP: Only create debugd loadbalancer when debugCluster is set
2022-09-07 13:27:15 +02:00
Nils Hanke
d74c7a3769
Azure: Only create debugd loadbalancer when debugCluster is set
2022-09-07 13:27:15 +02:00
Nils Hanke
1a4b4f564a
Remove firewall configuration and make it static with a debug flag
2022-09-07 13:27:15 +02:00
Thomas Tendyck
9d264604c0
cli: remove GCP ADC project name check
2022-09-07 10:29:41 +02:00
Malte Poll
47b3195bac
cli: azure scale set poller: check for power state of every instance ( #78 )
2022-09-06 10:05:51 +02:00
Fabian Kammel
020cf51fc6
AB#2392 Store serial logs in actions ( #39 )
...
Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2022-09-05 18:12:46 +02:00
Malte Poll
c38a142d64
Kubernetes 1.25 preview
...
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-09-05 16:57:28 +02:00
Leonard Cohnen
e80948a263
add tags to cluster id file struct
2022-09-05 16:35:59 +02:00
Leonard Cohnen
7b00005ed6
fix qemu initialization
2022-09-05 16:35:59 +02:00
Otto Bittner
405db3286e
AB#2386: TrustedLaunch support for azure attestation
...
* There are now two attestation packages on azure.
The issuer on the server side is created base on successfully
querying the idkeydigest from the TPM. Fallback on err: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42 )
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests
Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-05 12:03:48 +02:00
Nils Hanke
71fb62fe31
Remove note to instance types specifically
2022-09-05 09:36:58 +02:00
Thomas Tendyck
bd63aa3c6b
add license headers
...
sed -i '1i/*\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n*/\n' `grep -rL --include='*.go' 'DO NOT EDIT'`
gofumpt -w .
2022-09-05 09:17:25 +02:00
Fabian Kammel
106635a9ee
Restructure config docs ( #44 )
...
* more guided UX when generating and filling in config
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-09-02 17:11:06 +02:00
Nils Hanke
c0bfb9b61e
Add 'constellation config instance-types'
2022-09-02 07:04:11 -07:00
Nils Hanke
0aefe2c0ba
Move instanceType from CLI to config
2022-09-02 07:04:11 -07:00
Moritz Eckert
b95f3dbc91
Add docs to repo ( #38 )
2022-09-02 11:52:42 +02:00
Leonard Cohnen
cce2575d68
remove broken test: create azure service account
2022-09-01 17:06:01 +02:00
Leonard Cohnen
00e72db5d8
write master secret after config verification
2022-09-01 16:43:54 +02:00
Fabian Kammel
6440904865
Ref/update cosign key ( #31 )
...
* use new cosign keypair
* use community images for production image heuristic
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-09-01 12:58:31 +02:00
3u13r
f649219cbf
Feat/cilium strict mode2.0 ( #25 )
...
* bump cilium helm charts
* integrate cilium strict mode v2
2022-08-31 15:37:07 +02:00
Otto Bittner
4adc19b7f5
AB#2350: Configurably enforce idkeydigest on Azure
...
* Add join-config entry for "enforceIdKeyDigest" bool
* Add join-config entry for "idkeydigest"
* Initially filled with TPM value from bootstrapper
* Add config entries for idkeydigest and enforceIdKeyDigest
* Extend azure attestation validator to check idkeydigest,
if configured.
* Update unittests
* Add logger to NewValidator for all CSPs
* Add csp to Updateable type
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-31 15:26:04 +02:00
katexochen
10e5249631
Manual client secrets on azure
2022-08-31 14:10:08 +02:00
katexochen
1861dc2744
Tag Azure resources with UID
2022-08-31 14:10:08 +02:00
katexochen
f15605cb45
Manually manage resource group on Azure
2022-08-31 14:10:08 +02:00
Daniel Weiße
ce02878019
AB#2308 / AB#2317 constellation upgrade plan ( #3 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-31 11:59:07 +02:00