Commit Graph

3570 Commits

Author SHA1 Message Date
Adrian Stobbe
a2de1d23ec
terraform-provider: add attestation data source (#2640)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 17:30:11 +01:00
Moritz Sanft
03c5692fdd
ci: use given image if set (#2655)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-28 14:34:02 +01:00
Daniel Weiße
ca89a31f46
ci: only run verify with JSON output on v2.14 or newer (#2649)
* Only run verify with JSON output on v2.14 or newer
* Dont upload TCB version for AWS on v2.13
* Remove workaround for CLI not yet support apply to initialize clusters

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 14:31:27 +01:00
Thomas Tendyck
960118dc00 config: remove AWS SNP warning 2023-11-28 14:26:40 +01:00
Daniel Weiße
3bc25cdd8f
ci: add notify hook to Terraform module test (#2653)
* Enable notification on tf module e2e test failure
* Dont try to change fields with no value

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 14:14:18 +01:00
Daniel Weiße
43f47cc5c5
ci: fix service accounts introduced by merge (#2652)
* Fix service accounts introduced my merge
* Remove GCP_E2E_PROJECT placeholders

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 10:54:58 +01:00
Daniel Weiße
45f6eec0d0
ci: add missing shell in notify action (#2646)
* Add missing shell
* Remove old teams notify action

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-28 09:41:01 +01:00
Daniel Weiße
97aea98e77
ci: update GCP service accounts for CI (#2629)
* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-27 13:04:41 +01:00
Adrian Stobbe
98673b0983
ci: only generate lock files where provider is used (#2636) 2023-11-27 12:16:45 +01:00
derpsteb
bff65d563b image: update measurements and image version 2023-11-27 10:57:21 +01:00
edgelessci
2fc82874b7
image: update locked rpms (#2645)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-27 09:01:16 +01:00
Moritz Sanft
34bf3ad296
terraform-provider: add image datasource (#2642)
* terraform-provider: init

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: add basic docgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: fix build steps

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: extend build process and docgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* dev-docs: document provider usage

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: upload aspect lib mirror

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: don't try to create lockfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: fix shellcheck issues

* bazel: separate paths to check

* terraform-provider: clean up old files

* terraform-provider: update provider resource

* terraform-provider: add image data source

* dev-docs: remove unnecessary init

* bazel: adhere to Terraform naming expectations

* terraform-provider: fix expected data type

* terraform-provider: generate docs

* terraform-provider: improve errors

* terraform-provider: add acceptance tests for data source

* terraform-provider: fix dependencies

* bazel: quote var reference

* terraform-provider: make region optional

* terraform-provider: bind imagefetcher to data source

* bazel: tidy

* terraform-provider: remove unused parameter

* terraform-provider: remove unused parameter

* terraform-provider: extend acceptance tests

* terraform-provider: allow tests to be ran without Bazel

* dev-docs: document testing

* terraform-provider: set binary path accordingly

* dev-docs: document docgen process for the provider

* bazel: run acceptance test in writable environment

* bazel: try to write to `$TMPDIR`

* terraform-provider: style nits

* terraform-provider: leave TODO

* bazel: tidy

* terraform-provider: regenerate docs

* terraform-provider: fix comment

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-27 09:00:08 +01:00
Markus Rudy
42f0aa8eb1 state: fix whitespace issue in generated docs 2023-11-27 08:35:54 +01:00
Moritz Sanft
9a62657b80
terraform-provider: init provider scaffolding (#2632)
* terraform-provider: init

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: add basic docgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: fix build steps

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: extend build process and docgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* dev-docs: document provider usage

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: upload aspect lib mirror

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: add docstring to fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: don't try to create lockfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: fix shellcheck issues

* bazel: separate paths to check

* bazel: explain what updating lockfiles means

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: fix linter checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-24 15:58:21 +01:00
Otto Bittner
2b199fd9b1 docs: explain config options for AWS SNP 2023-11-24 15:49:48 +01:00
Otto Bittner
46f563c7ca ci: call TCB upload step for AWS 2023-11-24 15:49:48 +01:00
Otto Bittner
257eb5370f config: only fetch TCB values from api if wanted
If no TCB value is set to `latest`, the fetcher is now no
longer called.
2023-11-24 15:49:48 +01:00
Otto Bittner
67348792dc api: add support to upload AWS TCB values
The attestationconfig api CLI now uploads SNP TCB
versions for AWS.
2023-11-24 15:49:48 +01:00
Otto Bittner
4813fcfdb6 config: fetch latest AWS TCB values 2023-11-24 15:49:48 +01:00
Otto Bittner
350397923f api: refactor attestationconfigapi client/fetcher
There is now one SEVSNPVersions type that has a variant
property. That property is used to build the correct JSON
path. The surrounding methods handling the version objects
are also updated to receive a variant argument and work
for multiple variants. This simplifies adding AWS support.
2023-11-24 15:49:48 +01:00
Otto Bittner
5542f9c63c api: refactor attestationcfgapi cli
The cli now takes CSP and object kind as argument.
Also made upload an explicit command and the report
path/version an argument.
Previously the report was a flag. The CSP was hardcoded.
There was only one object kind (snp-report).
2023-11-24 15:49:48 +01:00
Otto Bittner
84d8bd8110 verify: query vlek ASK from KDS if not set
The user can choose to supply an intermediate
certificate through the config, like they can
for the root key. If none is supplied,
the KDS is queried for a valid ASK.
2023-11-24 15:49:48 +01:00
Otto Bittner
07eed0e319 attestation: use SNP-based attestation for AWS SNP 2023-11-24 15:49:48 +01:00
Otto Bittner
cdc91b50bc verify: move CSP-specific code to internal/verify
With the introduction of SNP-based attestation on AWS
some of the information in the report (MAAToken) is not
applicable to all attestation reports anymore.
Thus, make verify cmd CSP-agnostic and move
CSP-specific logic to internal/verify.
Also make internal/attestation/snp CSP aware.
2023-11-24 15:49:48 +01:00
Otto Bittner
59b096e279 cli: use new instance info struct in verify
This ensure that issuer and verify (as consumer)
use the same types for marshalling/unmarshalling.
2023-11-24 15:49:48 +01:00
Otto Bittner
5ce55e3449 attestation: add snp package
The package holds code shared between SNP-based
attestation implementations on AWS and Azure .
2023-11-24 15:49:48 +01:00
3u13r
635a5d2c0a
Fix Konnectivity migration (#2633)
* helm: let cilium upgrade jump minor versions

* cli: reconcile kubeadm cm to not have konnectivity
2023-11-24 12:28:37 +01:00
katexochen
949186e5d7 image: update measurements and image version 2023-11-24 12:06:03 +01:00
Thomas Tendyck
b94a971d8e docs: fix deploy preview and some links 2023-11-23 22:43:10 +01:00
Markus Rudy
d3b542d781
rfc: add numeric ids to existing RFCs (#2638)
* rfc: add numeric ids to existing RFCs
2023-11-23 17:53:38 +01:00
3u13r
0564e4ebb4
dev-docs: add on-prem terraform to vpn setup (#2619)
* vpn: add fake-on-prem infra

* dev-docs: move vpn helm
2023-11-23 16:13:37 +01:00
Moritz Sanft
c922864f30
fetcher: respect HTTP(S)_PROXY environment variable (#2635) 2023-11-23 14:42:13 +01:00
Markus Rudy
d599b80b2a license: enable Bazel-based integration testing
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-23 13:48:54 +01:00
Markus Rudy
b0702cd033 ci: execute integration tests with Bazel, where possible
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-23 13:48:54 +01:00
Markus Rudy
6cfc80454a license: dedicated module for integration test
The integration test for the license module depends on network
connectivity and should be Bazel-tagged as such. Since the unit tests do
not have a network dependency, we should not apply the tag to those. The
easiest way to do this in a Gazelle-compliant way is to move the
integration test into its own module.
2023-11-23 13:48:54 +01:00
Daniel Weiße
64a05b9dea
ci: correctly clean up resource in self-managed infra tests (#2637)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-23 13:08:39 +01:00
Moritz Sanft
310960fb4d
rfc: Terraform provider (#2613)
* rfc: Terraform provider

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typo

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* rfc: annotate fields that force recreation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* reword "cluster applying"

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* rfc: resembles -> declares

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: connect dangling sentence

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: indicate sensitive state

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: warn about PVs on recreation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: idempotent -> nilpotent

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: reword deletion

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: mention resource outputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-23 10:58:26 +01:00
Adrian Stobbe
ed22137edb
ci: notify with GH issue + project item on e2e failure (#2607)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-11-22 17:45:50 +01:00
Markus Rudy
284c7e99d1
docs: add Helm chart for VPN connectivity (#2577)
Co-authored-by: 3u13r <lc@edgeless.systems>
2023-11-22 15:08:11 +01:00
Moritz Sanft
968cdc1a38
cli: move cli/internal libraries (#2623)
* cli: move internal packages

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: fix buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: fix exclude dir

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: move back libraries that will not be used by TF provider

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-22 14:52:56 +01:00
Malte Poll
d3ce6ffcc1
deps: update module github.com/hashicorp/* (#2626) 2023-11-22 09:35:00 +01:00
Adrian Stobbe
9af514d08e
fix panic in status cmd (#2625) 2023-11-22 08:31:37 +01:00
Adrian Stobbe
0c1e6e97e4
fix unsupported qemu in tests on mac (#2627) 2023-11-22 08:30:52 +01:00
Daniel Weiße
a6cf387a24
docs: update screencasts to use apply command (#2624)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-21 16:03:11 +01:00
renovate[bot]
71dc5170a7
deps: update golang Docker tag to v1.21.4 (#2587)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-11-21 13:43:26 +01:00
renovate[bot]
6b2e41fcde
deps: update Terraform aws to v5.26.0 (#2579)
* deps: update Terraform aws to v5.26.0
* deps: tidy all modules

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-11-21 11:24:31 +01:00
Malte Poll
73eba88c70
Revert "deps: update rules_oci to 1.4.2 (#2616)" (#2618)
This reverts commit 52f7afe6e5.
2023-11-20 16:18:15 +01:00
Daniel Weiße
807824bf79
ci: remove dash from create action (#2617)
* remove dash
* fix flags parsing

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-20 15:19:45 +01:00
edgelessci
60921fcc14
image: update locked rpms (#2614)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-20 14:19:26 +01:00
Malte Poll
52f7afe6e5
deps: update rules_oci to 1.4.2 (#2616) 2023-11-20 14:19:05 +01:00