* terraform: enable creation of SEV-SNP VMs on GCP
* variant: add SEV-SNP attestation variant
* config: add SEV-SNP config options for GCP
* measurements: add GCP SEV-SNP measurements
* gcp: separate package for SEV-ES
* attestation: add GCP SEV-SNP attestation logic
* gcp: factor out common logic
* choose: add GCP SEV-SNP
* cli: add TF variable passthrough for GCP SEV-SNP variables
* cli: support GCP SEV-SNP for `constellation verify`
* Adjust usage of GCP SEV-SNP throughout codebase
* ci: add GCP SEV-SNP
* terraform-provider: support GCP SEV-SNP
* docs: add GCP SEV-SNP reference
* linter fixes
* gcp: only run test with TPM simulator
* gcp: remove nonsense test
* Update cli/internal/cmd/verify.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update docs/docs/overview/clouds.md
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* linter fixes
* terraform_provider: correctly pass down CC technology
* config: mark attestationconfigapi as unimplemented
* gcp: fix comments and typos
* snp: use nonce and PK hash in SNP report
* snp: ensure we never use ARK supplied by Issuer (#3025)
* Make sure SNP ARK is always loaded from config, or fetched from AMD KDS
* GCP: Set validator `reportData` correctly
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* attestationconfigapi: add GCP to uploading
* snp: use correct cert
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: enable fetching of attestation config values for GCP SEV-SNP
* linter fixes
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* Clean up license checker code
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Create license check depending on init/upgrade actions
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Run license check in Terraform provider
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* fix license integration test action
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Run tests with enterprise tag
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Allow b64 encoding for license ID
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Update checker_enterprise.go
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Fix missing image for Constellation operators in our Helm charts if the desired Kubernetes patch version is no longer supported (but Kubernetes upgrades are skipped)
* Correctly unmarshal Kubernetes Components list if the list uses an old format
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* terraform: add Azure marketplace variable
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* config: add Azure marketplace variable
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: use Terraform variables from config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform: pass down marketplace variable
* image: pad Azure images to 1GiB
* terraform: add version attribute to marketplace image
* semver: allow versions to be exported without prefix
* cli: boolean var to use marketplace images
* config: remove dive key
* dev-docs: add instructions on how to use marketplace images
* terraform: fix unit test
* terraform: only fetch image for non-marketplace images
* mpimage: refactor image selection
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] increase minor version for image build
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform: ignore changes to source_image_reference on upgrade
* operator: add support for parsing Azure marketplace images
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* upgrade: fix imagefetcher call
* docs: add info about azure marketplace
* image: ensure more than 1GiB in size
* image: test to pad to 2GiB
* version: change back to v2.14.0-pre
* image: GPT-conformant image size padding
* [remove] increase version
* mpimage: inline prefix func
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* ci: add marketplace image e2e test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] register workflow
* ci: fix workflow name
* ci: only allow azure test
* cli: add marketplace image input to interface
* cli: fix argument passing
* version: roll back to v2.14.0
* ci: add force-flag support
* Update docs/docs/overview/license.md
* Update dev-docs/workflows/marketplace-images.md
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Reduce external dependencies of kubecmd package
* Add kubecmd wrapper to constellation-lib
* Update CLI code to use constellation-lib
* Move kubecmd package to subpackage of constellation-lib
* Initialise helm and kubecmd clients when kubeConfig is set
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* cli: refactor `cloudcmd/validators`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make struct fields private
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* use errors.New
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* make struct fields private in usage
* fix casing
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* constellation-lib: refactor init RPC
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: pass io.Writer for collecting logs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: add init test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: bin dialer to struct
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: set service CIDR on init
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Honor (hidden) timeout flag for applying helm charts
* Set only internally used structs to private
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
There is now one SEVSNPVersions type that has a variant
property. That property is used to build the correct JSON
path. The surrounding methods handling the version objects
are also updated to receive a variant argument and work
for multiple variants. This simplifies adding AWS support.
The user can choose to supply an intermediate
certificate through the config, like they can
for the root key. If none is supplied,
the KDS is queried for a valid ASK.
With the introduction of SNP-based attestation on AWS
some of the information in the report (MAAToken) is not
applicable to all attestation reports anymore.
Thus, make verify cmd CSP-agnostic and move
CSP-specific logic to internal/verify.
Also make internal/attestation/snp CSP aware.
* cli: move internal packages
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: fix buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: fix exclude dir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: move back libraries that will not be used by TF provider
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Allow creation of Constellation clusters using `apply` command
* Add auto-completion for `--skip-phases` flag
* Deprecate create command
* Replace all doc references to create command with apply
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* add Azure Terraform module
* add maa-patching command to cli
* refactor release process
* factor out image fetching to own action
* add CI
* generate
* fix some unnecessary changes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use `constellation maa-patch` in ci
* insecure flag when using debug image
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only update maa url if existing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make node group zone optional on aws and gcp
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] register updated workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Revert "[remove] register updated workflow"
This reverts commit e70b9515b7eabbcbe0d41fa1296c48750cd02ace.
* create MAA
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make maa-patching only run on azure
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add comment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* require node group zone for GCP and AWS
* remove unnecessary bazel action
* stamp version to correct file
* refer to `maa-patch` command in docs
* run Azure test in weekly e2e
* comment / naming improvements
* remove sa_account resource
* disable spellcheck ot use "URL"
* `create_maa` variable
* don't write maa url to config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* default to nightly image
* use input ref and stream
* fix command check
* don't set region in weekly e2e call
* patch maa if url is not empty
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove `create_maa` variable
* remove binaries
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove undefined input
* replace invalid attestation URL error message
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* fix punctuation
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* skip hidden commands in clidocgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* enable spellcheck before code block
* move spellcheck trigger out of info block
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix workflow dependencies
* let image default to CLI version
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* re-use `ReadFromFile` in `CreateOrRead`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip]: add constraints
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip] error formatting
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* formatted error messages
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* state file validation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* allow overriding the constraints
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* dont validate on read
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add pre-create constraints
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip]
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* finish pre-init validation test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* finish post-init validation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use state file validation in CLI
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix apply tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/validation/errors.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* use transformator for tests
* tidy
* use empty check directly
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update cli/internal/state/state.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/state/state.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/state/state.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/state/state.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* conditional validation per CSP
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix rebase
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add default case
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* validate state-file as last input
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Remove mention of "changes below" for changes that are listed above the message
* Add a spinner for Terraform Plan action
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* add self-managed infra e2e test
* self-managed terminatio
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix upgrade test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix indentation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use -r when copying dir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add terraform variable parsing
* copy constellation conf
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary line breaks
* add missing value
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add image fetching for CSP
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix quoting
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing input to internal lb test
* normalize Azure URLs.. Of course
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix expressions
* initsecret to hex
* update hexdump cmd
* add build test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add node / pod cidr outputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* explicitly delete the state file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing license header
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* always write all outputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix list output
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove state-file and admin-conf on destroy
* dont use test payload
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] use self managed infra in manual e2e for testing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* init: always skip infrastructure phase
* patch maa in workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* default to Constellation-created infra in e2e test
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>