* refactor measurements to use consistent types and less byte pushing
* refactor: only rely on a single multierr dependency
* extend config creation with envar support
* document changes
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
* Include EXC0014 and fix issues.
* Include EXC0012 and fix issues.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* There are now two attestation packages on azure.
The issuer on the server side is created base on successfully
querying the idkeydigest from the TPM. Fallback on err: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42)
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests
Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
* Add join-config entry for "enforceIdKeyDigest" bool
* Add join-config entry for "idkeydigest"
* Initially filled with TPM value from bootstrapper
* Add config entries for idkeydigest and enforceIdKeyDigest
* Extend azure attestation validator to check idkeydigest,
if configured.
* Update unittests
* Add logger to NewValidator for all CSPs
* Add csp to Updateable type
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
* license server interaction
* logic to read from license file
* print license information during init
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
* Merge Owner and Cluster ID into single value
* Remove aTLS from KMS, as it is no longer used for cluster external communication
* Update verify command to use cluster-id instead of unique-id flag
* Remove owner ID from init output
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Update image version
* Introduce 'ValidK8sVersion' type. Ensures that consumers
of the k8sVersion receive a valid version, without
having to do their own validation.
* Add testcase to check that kubeadm accepts the currently provided
version.
AB#2074: Add configurable k8s version
Configurable version flow:
* cli config holds/validates k8sVersion
* InitCluster receive a k8sVersion arg
* InitCluster creates CM "k8s-version"
* kubeadm's InitConfiguration receives k8sVersion
* joinservice spec mounts/reads k8s-version CM
* joinservice supplies k8sVersion via JoinTicketResponse
Other changes:
* Remove unused test code (FakeK8SClient)
* move VersionConfig map to /internal/versions
* installk8sComponents is now a function instead of a method
* Move file watcher and validator to internal
* Add aTLS endpoint to KMS for Kubernetes external requests
* Update Go version in Dockerfiles
* Move most KMS packages to internal
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Add verification service
* Update verify command to use new Constellation verification service
* Deploy verification service on cluster init
* Update pcr-reader to use verification service
* Add verification service build workflow
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Deploy activation service on cluster init
* Use base image with CA certificates for activation service
* Improve KMS server
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
