Adrian Stobbe
e738f15f0f
cdbg: make endpoint deployment failure more transparent ( #1883 )
...
* add retry + timeout + intercept grpc logs
* LogStateChanges inside grplog pkg
* remove retry and tj/assert
* rename nit
* Update debugd/internal/cdbg/cmd/deploy.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Update debugd/internal/cdbg/cmd/deploy.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* paul feedback
* return waitFn instead of WaitGroup
* Revert "return waitFn instead of WaitGroup"
This reverts commit 45700f30e341ce3af509b687febbc0125f7ddb38.
* log routine inside debugd constructor
* test doubles names
* Update debugd/internal/cdbg/cmd/deploy.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* fix newDebugClient closeFn
---------
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-06-12 13:45:34 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP
as new variant ( #1900 )
...
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP
For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Thomas Tendyck
947d0cb20a
cli: hide --insecure of config fetch-measurements
2023-06-09 15:07:31 +02:00
Adrian Stobbe
3fde118b33
config: enable azure snp version fetcher again + minimum age for latest version ( #1899 )
...
* fetch latest version when older than 2 weeks
* extend hack upload tool to pass an upload date
* Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8 (#1882 )"
This reverts commit c7b22d314a
.
* fix tests
* use NewAzureSEVSNPVersionList for type guarantees
* Revert "use NewAzureSEVSNPVersionList for type guarantees"
This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4.
* assure list is sorted
* improve root.go style
* daniel feedback
2023-06-09 12:48:12 +02:00
Adrian Stobbe
d9c604ed2c
terraform: update aws to v5.1.0 ( #1891 )
2023-06-09 10:37:25 +02:00
Adrian Stobbe
4284f892ce
api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi ( #1876 )
...
* rename to attestationconfigapi + put client and fetcher inside pkg
* rename api/version to versionsapi and put fetcher + client inside pkg
* rename AttestationConfigAPIFetcher to Fetcher
2023-06-07 16:16:32 +02:00
Malte Poll
b3c052e299
operators: cleanup placeholder nodeversion ( #1881 )
...
* operators: cleanup placeholder nodeversion
* e2e: improve upgrade test portability
2023-06-06 15:22:06 +02:00
3u13r
7c07e3be18
Add --insecure to config fetch-measurement ( #1879 )
...
* cli: add --insecure to fetch-measurements
* cli: rename fake to stub
* ci: upload measurements for debug images
* fix cli docs
2023-06-06 10:32:22 +02:00
Malte Poll
439359ffbc
cli: prevent terraform apply drift when patching and re-applying existing terraform deployment ( #1873 )
...
The implementation would recreate the gcp instance template (including all instances and state disks) whenever the image tfvar changes.
Fixed by ignoring lifecycle changes on the instance templates.
Fixes 8c3b963
2023-06-05 14:52:39 +02:00
Adrian Stobbe
c446f36b0f
config: Azure SNP tool can delete specific version from attestation API ( #1863 )
...
* client supports delete version
* rename to new attestation / fetcher naming
* add delete command to upload tool
* test client delete
* bazel update
* use general client in attestation client
* Update hack/configapi/cmd/delete.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* daniel feedback
* unit test azure sev upload
* Update hack/configapi/cmd/delete.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* add client integration test
* new client cmds use apiObject
---------
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-05 12:33:22 +02:00
Otto Bittner
6bda62d397
cli: skip k8s upgrade in case of outdated version ( #1864 )
...
If an unsupported, outdated k8s patch version is used,
the user should still be able to run upgrade apply.
2023-06-05 09:13:02 +02:00
Malte Poll
7c34aef263
cli: write target k8s version to config if new version is found on upgrade check ( #1862 )
2023-06-02 17:19:41 +02:00
Adrian Stobbe
a813760f96
config: automatically upload new Azure SNP versions to API + sign version with release key ( #1854 )
...
* sign version with release key and remove version from fetcher interface
* extend azure-reporter GH action to upload updated version values to the Attestation API
2023-06-02 12:10:22 +02:00
Moritz Sanft
8c3b963a3f
cli: Terraform upgrades maa patching ( #1821 )
...
* patch maa after upgrade
* buildfiles
* reword comment
* remove whitespace
* temp: log measurements URL
* temp: update import
* ignore changes to attestation policies
* add issue URL
* separate output in e2e upgrade test
* use enterprise CLI for e2e test
* remove measurements print
* add license headers
2023-06-02 10:47:44 +02:00
Otto Bittner
30f2b332b3
api: restructure api pkg ( #1851 )
...
* api: rename AttestationVersionRepo to Client
* api: move client into separate subpkg for
clearer import paths.
* api: rename configapi -> attestationconfig
* api: rename versionsapi -> versions
* api: rename sut to client
* api: split versionsapi client and make it public
* api: split versionapi fetcher and make it public
* config: move attestationversion type to config
* api: fix attestationconfig client test
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-02 09:19:23 +02:00
Adrian Stobbe
b51cc52945
config: sign Azure versions on upload & verify on fetch ( #1836 )
...
* add SignContent() + integrate into configAPI
* use static client for upload versions tool; fix staticupload calleeReference bug
* use version to get proper cosign pub key.
* mock fetcher in CLI tests
* only provide config.New constructor with fetcher
Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-06-01 13:55:46 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup ( #1837 )
...
* chore: add TODO responsibilities
* chore: remove not needed TODOs
* chore: remove outdated migrations
* chore: remove resolved goleak exception
* chore: remove not needed cosign env
* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Malte Poll
c62e54831b
cli: define feature set of cli editions and exit early if a feature is not supported
2023-05-31 14:00:00 +02:00
Malte Poll
8a851c8f39
cli: dynamically select signature validation pubkey for release and pre-release artifacts
2023-05-31 14:00:00 +02:00
miampf
8686c5e7e2
bootstrapper: collect journald logs on failure ( #1618 )
2023-05-30 11:47:36 +00:00
Malte Poll
60b125cb59
cli: add windows amd64 build target ( #1835 )
2023-05-30 12:02:43 +02:00
Moritz Sanft
6d5e7e1f7c
cli: support StackIT provider on config generate ( #1803 )
...
* support stackit provider on config generate
* update cli reference
* default config values
* deploy csi driver
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
---------
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2023-05-30 09:02:50 +02:00
3u13r
661f084ffa
cli: use uami for in-cluter authentication ( #1820 )
2023-05-26 11:45:03 +02:00
Adrian Stobbe
0a6e5ec02e
config: dynamic attestation configuration through S3 backed API ( #1808 )
2023-05-25 17:43:44 +01:00
Malte Poll
d0e53cbb59
cli: image info (v2)
2023-05-25 15:01:15 +02:00
Malte Poll
cd7b116794
cli: image measurements (v2)
2023-05-25 15:01:15 +02:00
Malte Poll
e5b394db87
cli: image measurements (v2)
2023-05-25 15:01:15 +02:00
3u13r
6062b10035
cli: split image into oss and enterprise ( #1788 )
2023-05-23 10:49:47 +02:00
Otto Bittner
3b3be85841
cli: fix supportedVersions during upgrade check
...
Previously the service version was always 0.0.0
2023-05-23 07:44:37 +02:00
Moritz Sanft
c69e6777bd
cli: Terraform migrations on upgrade ( #1685 )
...
* add terraform planning
* overwrite terraform files in upgrade workspace
* Revert "overwrite terraform files in upgrade workspace"
This reverts commit 8bdacfb8bef23ef2cdbdb06bad0855b3bbc42df0.
* prepare terraform workspace
* test upgrade integration
* print upgrade abort
* rename plan file
* write output to file
* add show plan test
* add upgrade tf workdir
* fix workspace preparing
* squash to 1 command
* test
* bazel build
* plan test
* register flag manually
* bazel tidy
* fix linter
* remove MAA variable
* fix workdir
* accept tf variables
* variable fetching
* fix resource indices
* accept Terraform targets
* refactor upgrade command
* Terraform migration apply unit test
* pass down image fetcher to test
* use new flags in e2e test
* move file name to constant
* update buildfiles
* fix version constant
* conditionally create MAA
* move interface down
* upgrade dir
* update buildfiles
* fix interface
* fix createMAA check
* fix imports
* update buildfiles
* wip: workspace backup
* copy utils
* backup upgrade workspace
* remove debug print
* replace old state after upgrade
* check if flag exists
* prepare test workspace
* remove prefix
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* respect file permissions
* refactor tf upgrader
* check workspace before upgrades
* remove temp upgrade dir after completion
* clean up workspace after abortion
* fix upgrade apply test
* fix linter
---------
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-05-22 13:31:20 +02:00
3u13r
964775c4c2
Add autoscaling and cluster upgrade support for AWS ( #1758 )
...
* aws: autoscaling and upgrades
* docs: update scaling and upgrades for AWS
* deps: pin vuln check against release
2023-05-19 13:57:31 +02:00
3u13r
3b7bae7535
deps: bump minimum terraform version ( #1797 )
2023-05-18 12:59:10 +02:00
Adrian Stobbe
f99e06b63b
cli: new flag to set the attestation type for config generate
( #1769 )
...
* add attestation flag to specify type in config
2023-05-17 16:53:56 +02:00
Moritz Eckert
6252193879
cli: deploy cinder as OpenStack CSI plugin
2023-05-17 15:20:39 +02:00
Moritz Eckert
9607f01510
cli: add cinder csi helm charts
2023-05-17 15:20:39 +02:00
Daniel Weiße
1d5af5f0f4
Rebase fixes
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-17 11:37:26 +02:00
Nils Hanke
63d938d9a4
cli: improve error handling for validator
2023-05-17 11:37:26 +02:00
Nils Hanke
e130188ecd
cli: add verify support for TDX
2023-05-17 11:37:26 +02:00
Nils Hanke
c507bd7d95
cli: Generalize PCRs to Measurements in preparation for TDX
2023-05-17 11:37:26 +02:00
Daniel Weiße
c478df36fa
Add TDX bazel files
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-17 11:37:26 +02:00
Nils Hanke
9e987778e0
measurements: Add length field for WithAllBytes
2023-05-17 11:37:26 +02:00
Daniel Weiße
dd2da25ebe
attestation: tdx issuer/validator ( #1265 )
...
* Add TDX validator
* Add TDX issuer
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-17 11:37:26 +02:00
Malte Poll
d104af6e51
image: support intel TDX direct linux boot under TDX OVMF
2023-05-17 11:37:26 +02:00
Malte Poll
79986a2b25
cli: implement qemu direct linux boot
2023-05-17 11:37:26 +02:00
renovate[bot]
fdcb74e171
deps: update Terraform aws to v4.67.0 ( #1775 )
...
* deps: update Terraform aws to v4.67.0
* deps: tidy all modules
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 17:39:55 +02:00
renovate[bot]
6c1f7a4758
deps: update Terraform azuread to v2.39.0 ( #1776 )
...
* deps: update Terraform azuread to v2.39.0
* deps: tidy all modules
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 17:15:57 +02:00
renovate[bot]
f9b4f1765d
deps: update Terraform azurerm to v3.56.0 ( #1777 )
...
* deps: update Terraform azurerm to v3.56.0
* deps: tidy all modules
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 17:15:25 +02:00
renovate[bot]
fd3c93660e
deps: update Terraform google to v4.65.1 ( #1778 )
...
* deps: update Terraform google to v4.65.1
* deps: tidy all modules
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 16:07:21 +02:00
renovate[bot]
0ce01cbad3
deps: update Terraform random to v3.5.1 ( #1779 )
...
* deps: update Terraform random to v3.5.1
* deps: tidy all modules
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 16:01:47 +02:00
renovate[bot]
780fa9a238
deps: update Terraform google-beta to v4.64.0 ( #1767 )
...
* deps: update Terraform google-beta to v4.64.0
* deps: tidy all modules
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-05-16 15:26:26 +02:00