Commit Graph

266 Commits

Author SHA1 Message Date
Moritz Eckert
b278b76df5
docs: add vault benchmark (#2271)
* Refactor benchmark structure
* Add vault-benchmark section
* update 2.10 docs

Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-08-24 15:52:05 +02:00
Daniel Weiße
f33cc647ed
Revert "docs: fix sigstore doc links (#2272)" (#2280)
This reverts commit ec1bba7a8b.
2023-08-24 11:12:28 +02:00
Moritz Sanft
49e5a17aec
docs: document upgrade backup files (#2275)
* document backup files on upgrade

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* reword TF backup

* Update docs/docs/workflows/upgrade.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* Update docs/docs/workflows/upgrade.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* Update docs/docs/workflows/upgrade.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* Update upgrade.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-08-23 21:22:36 +02:00
Daniel Weiße
053aa60e47
cli: remove helm management from join-config (#2251)
* Replace UpdateAttestationConfig with ApplyJoinConfig

* Dont set up join-config over Helm, it is now only managed by our CLI directly during init and upgrade

* Remove measurementSalt and attestationConfig parsing from helm, they were only needed for the JoinConfig

* Add migration step to remove join-config from Helm management

* Update attestation config trouble shooting tip

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-23 08:14:39 +02:00
Daniel Weiße
ec1bba7a8b
docs: fix sigstore doc links (#2272)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-22 13:33:58 +02:00
3u13r
8325f99b09
deps: support Kubernetes 1.28 (#2242) 2023-08-18 11:13:24 +02:00
edgelessci
dfe7c9884b
docs: add release v2.10.0 (#2220)
* docs: add release v2.10.0

* fix link

---------

Co-authored-by: elchead <elchead@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-08-16 15:07:03 +02:00
Malte Poll
a71eaebf81
docs: update screencasts to demo node groups (#2243) 2023-08-16 13:50:31 +02:00
3u13r
310b80c0a8
docs: update sigstore links (#2225) 2023-08-14 15:52:45 +02:00
Adrian Stobbe
4788467bca
cli: upgrade uses same helm releases as init (#2177) 2023-08-11 15:18:59 +02:00
Malte Poll
e1c6c533ed
docs: document node groups and migration from old config fields (#2175) 2023-08-09 09:46:22 +02:00
Daniel Weiße
d1ace13713
cli: add --workspace flag to set base directory for Constellation workspace (#2148)
* Remove `--config` and `--master-secret` falgs

* Add `--workspace` flag

* In CLI, only work on files with paths created from `cli/internal/cmd`

* Properly print values for GCP on IAM create when not directly updating the config

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-04 13:53:51 +02:00
Malte Poll
82de0b83bd docs: remove deprecated flags from docs 2023-08-04 12:36:45 +02:00
Adrian Stobbe
a3184af7a2
cli: add iam upgrade apply (#2132)
* add new iam upgrade apply

* remove iam tf plan from upgrade apply check

* add iam migration warning to upgrade apply

* update release process

* document migration

* Apply suggestions from code review

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* add iam upgrade

* remove upgrade dir check in test

* ask only without --yes

* make iam upgrade provider specific

* test without seperate logins

* remove csi and only add conditionally

* Revert "test without seperate logins"

This reverts commit 05a12e59c9.

* fix msising cred

* support iam migration for all csps

* add iam upgrade label

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-07-26 17:29:03 +02:00
Adrian Stobbe
a87b7894db
aws: use new LB controller to fix SecurityGroup cleanup on K8s service deletion (#2090)
* add current chart

add current helm chart

* disable service controller for aws ccm

* add new iam roles

* doc AWS internet LB + add to LB test

* pass clusterName to helm for AWS LB

* fix update-aws-lb chart to also include .helmignore

* move chart outside services

* working state

* add subnet tags for AWS subnet discovery

* fix .helmignore load rule with file in subdirectory

* upgrade iam profile

* revert new loader impl since cilium is not correctly loaded

* install chart if not already present during `upgrade apply`

* cleanup PR + fix build + add todos

cleanup PR + add todos

* shared helm pkg for cli install and bootstrapper

* add link to eks docs

* refactor iamMigrationCmd

* delete unused helm.symwallk

* move iammigrate to upgrade pkg

* fixup! delete unused helm.symwallk

* add to upgradecheck

* remove nodeSelector from go code (Otto)

* update iam docs and sort permission + remove duplicate roles

* fix bug in `upgrade check`

* better upgrade check output when svc version upgrade not possible

* pr feedback

* remove force flag in upgrade_test

* use upgrader.GetUpgradeID instead of extra type

* remove todos + fix check

* update doc lb (leo)

* remove bootstrapper helm package

* Update cli/internal/cmd/upgradecheck.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* final nits

* add docs for e2e upgrade test setup

* Apply suggestions from code review

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/helm/loader.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/cmd/tfmigrationclient.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* fix daniel review

* link to the iam permissions instead of manually updating them (agreed with leo)

* disable iam upgrade in upgrade apply

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Malte Poll
2023-07-24 10:30:53 +02:00
Daniel Weiße
2c8c86a0cb
ci: remove Azure portal internal links from docs (#2122)
* Remove Azure internal links from docs

* Ignore Azure internal link in dev-docs

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:04:34 +02:00
Adrian Stobbe
320fd4b726
doc: add iam:DeletePolicyVersion (#2111)
* document iam:DeletePolicyVersion

* add in all doc versions
2023-07-18 10:24:52 +02:00
edgelessci
a300b453f3
docs: add release v2.9.0 (#2102) 2023-07-14 16:24:05 +02:00
Thomas Tendyck
2c1da48437 docs: publish 2023-07-10 09:08:15 +02:00
Thomas Tendyck
0aaf58b710 docs: misc fixes 2023-07-10 09:08:15 +02:00
Malte Poll
1ff40533f1
cli: add "--skip-helm-wait" flag (#2061)
* cli: add "--skip-helm-wait" flag

This flag can be used to disable the atomic and wait flags during helm install.
This is useful when debugging a failing constellation init, since the user gains access to
the cluster even when one of the deployments is never in a ready state.
2023-07-07 17:09:45 +02:00
Thomas Tendyck
492c6a7dae docs: suggest changes for first-steps-local 2023-07-07 15:35:21 +02:00
Adrian Stobbe
94b087197b
docs: how to set up MiniConstellation on Azure (#1999)
* init

* update doc

* move quick-setup to devdocs
2023-07-07 15:14:13 +02:00
Thomas Tendyck
274fed0990 cli: fix/improve some user-facing strings 2023-07-06 09:05:17 +02:00
Malte Poll
4283601433
operators: infrastructure autodiscovery (#1958)
* helm: configure GCP cloud controller manager to search in all zones of a region

See also: d716fdd452/providers/gce/gce.go (L376-L380)

* operators: add nodeGroupName to ScalingGroup CRD

NodeGroupName is the human friendly name of the node group that will be exposed to customers via the Constellation config in the future.

* operators: support simple executor / scheduler to reconcile on non-k8s resources

* operators: add new return type for ListScalingGroups to support arbitrary node groups

* operators: ListScalingGroups should return additionally created node groups on AWS

* operators: ListScalingGroups should return additionally created node groups on Azure

* operators: ListScalingGroups should return additionally created node groups on GCP

* operators: ListScalingGroups should return additionally created node groups on unsupported CSPs

* operators: implement external scaling group reconciler

This controller scans the cloud provider infrastructure and changes k8s resources accordingly.
It creates ScaleSet resources when new node groups are created and deletes them if the node groups are removed.

* operators: no longer create scale sets when the operator starts

In the future, scale sets are created dynamically.

* operators: watch for node join/leave events using a controller

* operators: deploy new controllers

* docs: update auto scaling documentation with support for node groups
2023-07-05 07:27:34 +02:00
Malte Poll
06909f8aca
docs: explain the role of PCR[10] and why it is not reproducible (#2011) 2023-07-04 16:41:01 +02:00
renovate[bot]
f8117b7223
deps: update ubuntu:22.04 Docker digest to b060fff (#2006)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-04 16:04:28 +02:00
Adrian Stobbe
e72ec60d13
config: iam create aws check zone contains availability zone (#1913)
* init

* make zone flag mandatory again

* add info about zone update + refactor

* add comment in docs about zone update

* Update cli/internal/cmd/iamcreate_test.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* thomas feedback

* add format check to config validation

* remove TODO

* Update docs/docs/workflows/config.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* thomas nit

---------

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-07-04 13:55:52 +02:00
Moritz Eckert
31a22bb443
docs: enable ga and cookie banner (#1986) 2023-06-30 14:42:55 +02:00
Thomas Tendyck
54a313b247 docs: update "feature status of clouds" regarding current AWS SNP offering 2023-06-30 14:07:04 +02:00
Moritz Sanft
a587558df9
docs: document aws encrypted storage (#1974)
* document AWS encrypted storage

* dont use block express disks

* Update docs/docs/workflows/storage.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/storage.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/storage.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/workflows/storage.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

---------

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-06-30 09:06:52 +02:00
miampf
77b28cb5e7
cli: change generate-config flag to update-config flag (#1897) 2023-06-28 12:47:44 +00:00
Thomas Tendyck
46e144d19b Use term "attestation variant" consistently 2023-06-26 08:54:11 +02:00
Otto Bittner
3a7bb52560
attestation: docs and config changes for SNP attestation (#1959)
* docs: describe SEV-SNP support on AWS
* config: remove launchMeasurement

awsSEVSNP attestation config should not have this value.
It doesn't have a function yet.
2023-06-23 15:38:24 +02:00
Otto Bittner
7388240943
Revert "attestation: add SNP-based attestation for aws-sev-snp (#1916)" (#1957)
This reverts commit c7d12055d1.
2023-06-22 17:08:44 +02:00
Otto Bittner
c7d12055d1
attestation: add SNP-based attestation for aws-sev-snp (#1916)
* config: move AMD root key to global constant
* attestation: add SNP based attestation for aws
* Always enable SNP, regardless of attestation type.
* Make AWSNitroTPM default again

There exists a bug in AWS SNP implementation where sometimes
a host might not be able to produce valid SNP reports.
Since we have to wait for AWS to fix this we are merging SNP
attestation as opt-in feature.
2023-06-21 14:19:55 +02:00
Adrian Stobbe
07de6482b2
config: drop support for deprecated Azure's service principal authentication (#1906)
* invalidate app client id field for azure and provide info

* remove TestNewWithDefaultOptions case

* fix test

* remove appClientID field

* remove client secret + rename err

* remove from docs

* otto feedback

* update docs

* delete env test in cfg since no envs set anymore

* Update dev-docs/workflows/github-actions.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* WARNING to stderr

* fix check

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-14 17:50:57 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP as new variant (#1900)
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Thomas Tendyck
947d0cb20a cli: hide --insecure of config fetch-measurements 2023-06-09 15:07:31 +02:00
Moritz Eckert
9463d6fb27
cli: fix azure config warning message (#1902) 2023-06-09 11:16:54 +02:00
edgelessci
f43366ed89
docs: add release v2.8.0 (#1884)
* docs: add release v2.8.0
* docs: mention required AWS IAM permissions for upgrades

---------

Co-authored-by: malt3 <malt3@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-06-07 10:34:07 +02:00
3u13r
7c07e3be18
Add --insecure to config fetch-measurement (#1879)
* cli: add --insecure to fetch-measurements

* cli: rename fake to stub

* ci: upload measurements for debug images

* fix cli docs
2023-06-06 10:32:22 +02:00
Malte Poll
eb9bea1cff
docs: refine instructions for upgrade process (#1865)
Incorporate customer feedback regarding the recommended commands when upgrading a Constellation cluster.
Showing the full command "constellation upgrade check --write-config" is important to ensure only valid, safe upgrades are applied.

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-05 09:10:20 +02:00
renovate[bot]
a31c3dbbcd
deps: update ubuntu:22.04 Docker digest to 2fdb1cf (#1857)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: malt3 <mp@edgeless.systems>
2023-06-02 11:20:59 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup (#1837)
* chore: add TODO responsibilities

* chore: remove not needed TODOs

* chore: remove outdated migrations

* chore: remove resolved goleak exception

* chore: remove not needed cosign env

* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Moritz Sanft
6d5e7e1f7c
cli: support StackIT provider on config generate (#1803)
* support stackit provider on config generate

* update cli reference

* default config values

* deploy csi driver

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>

---------

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2023-05-30 09:02:50 +02:00
3u13r
661f084ffa
cli: use uami for in-cluter authentication (#1820) 2023-05-26 11:45:03 +02:00
renovate[bot]
0eeb1d2ceb deps: update dependency @cmfcmf/docusaurus-search-local to v1 2023-05-24 13:47:50 +02:00
renovate[bot]
9dd428557f
deps: update dependency prism-react-renderer to v2 (#1824)
* deps: update dependency prism-react-renderer to v2

* Update docusaurus.config.js

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-05-24 13:30:14 +02:00
renovate[bot]
1ea2814fe4
deps: update dependency mermaid to v10 (#1823)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-05-24 13:10:19 +02:00