Commit Graph

3658 Commits

Author SHA1 Message Date
Leonard Cohnen
cfcc0898b2 helm: remove konnectivity from control-planes
This is the first step in our migration off of
konnectivity. Before node-to-node encryption
we used konnectivity to route some KubeAPI
to kubelet traffic over the pod network which then
would be encrypted.

Since we enabled node-to-node encryption this has no
security upsides anymore. Note that we still deploy
the konnectivity agents via helm and still have the
load balancer for konnectivity.

In the following releases we will remove both.
2023-11-15 19:27:33 +01:00
Leonard Cohnen
79f562374a bootstrapper: remove cilium restart fix
Tests concluded that restating the Cilium agent after the
first boot is not needed anymore to regain connectivity for
pods.
2023-11-15 19:27:33 +01:00
Leonard Cohnen
1972b635b4 cilium: don't allow remote node identities
The Cilium strict mode has a special mode which
loosens the security a slight bit. For compatability this
mode is enabled by default. But we don't need it for strict
node-to-node encryption. Therefore, we disable it.
2023-11-15 19:27:33 +01:00
Leonard Cohnen
e8840d5fdc terraform: fix azure node cidr
Use the local variable instead of inlining the
node CIDR value.
2023-11-15 19:27:33 +01:00
Leonard Cohnen
aae85f0c3c kubernetes: always use lb for joining
The token given out by control-planes contains the node IP
as an endpoint. Since during this stage the joining node is
not connected to the WireGuard network, we cannot
communicate node-to-node. Therefore, we need to hop over the
load balancer again to have a src IP outside of the strict
range.
2023-11-15 19:27:33 +01:00
Leonard Cohnen
4f32eefe90 cilium: use strict cidrs from state file
For the strict modes we need to dynamically use
the CIDR used in the Terraform files. Therefore,
we write them to our statefile and use them when
installing Cilium.
2023-11-15 19:27:33 +01:00
Leonard Cohnen
7318f605e1 cilium: also encryption control-planes
When enabling node-to-node encryption, Cilium does not
encrypt control-plane to control-plane traffic by
default since they say that they cannot gurantee that
the generated private key for a node is persisted across
reboots.

In Constellation we use stateful VMs which when rebooted
still have the cilium_wg0 interface containing the
private key.

Therefore, we can enable this type of encryption.
2023-11-15 19:27:33 +01:00
Leonard Cohnen
e9694d40b9 deps: update cilium
Bumping Cilium to also enable node-to-node encryption and
node-to-node strict mode. Since the second is not upstream
we use our fork.
2023-11-15 19:27:33 +01:00
katexochen
648eebab24 image: update measurements and image version 2023-11-15 11:10:40 +01:00
Moritz Sanft
2ccc2212c8
add missing runner value (#2602)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-15 08:49:10 +01:00
Daniel Weiße
6d6ef66a31
ci: refactor teams notification action (#2600)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-15 08:48:13 +01:00
edgelessci
02b4ba8413 deps: update dependency bazel_skylib to v1.5.0 2023-11-14 14:04:16 +01:00
edgelessci
b7ed4347d5 deps: update dependency hermetic_cc_toolchain to v2.1.3 2023-11-14 14:04:16 +01:00
renovate[bot]
f1edce0413 deps: update bazel (core) 2023-11-14 14:04:16 +01:00
Moritz Sanft
fd72952738
checkout before selecting image (#2598)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-14 10:33:59 +01:00
renovate[bot]
1ad995e637
deps: update bufbuild/buf to v1.28.0 (#2589)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-11-14 09:08:12 +01:00
renovate[bot]
afed1b2330
deps: update golangci/golangci-lint to v1.55.2 (#2593)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-11-14 09:07:05 +01:00
edgelessci
246b9ce069
image: update measurements and image version (#2594)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-13 21:10:15 +01:00
3u13r
6f195c6f2c
state: add migration (#2580) 2023-11-13 20:49:54 +01:00
3u13r
56ab3e9e04
Revert "operator: always delete terminated pending nodes (#2545)" (#2596)
This reverts commit 5267ad0f08.
2023-11-13 20:25:34 +01:00
Moritz Sanft
8f2f8bdbbd
terraform: allow image to be empty (#2595)
* make image optional in the high level modules

* align azure variable description

* set defaults in convenience modules

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-13 20:13:24 +01:00
Moritz Sanft
8e4feb7e2a
terraform: add Terraform module for Azure (#2566)
* add Azure Terraform module

* add maa-patching command to cli

* refactor release process

* factor out image fetching to own action

* add CI

* generate

* fix some unnecessary changes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use `constellation maa-patch` in ci

* insecure flag when using debug image

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only update maa url if existing

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make node group zone optional on aws and gcp

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] register updated workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Revert "[remove] register updated workflow"

This reverts commit e70b9515b7eabbcbe0d41fa1296c48750cd02ace.

* create MAA

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make maa-patching only run on azure

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* require node group zone for GCP and AWS

* remove unnecessary bazel action

* stamp version to correct file

* refer to `maa-patch` command in docs

* run Azure test in weekly e2e

* comment / naming improvements

* remove sa_account resource

* disable spellcheck ot use "URL"

* `create_maa` variable

* don't write maa url to config

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* default to nightly image

* use input ref and stream

* fix command check

* don't set region in weekly e2e call

* patch maa if url is not empty

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove `create_maa` variable

* remove binaries

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove undefined input

* replace invalid attestation URL error message

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* fix punctuation

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* skip hidden commands in clidocgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* enable spellcheck before code block

* move spellcheck trigger out of info block

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix workflow dependencies

* let image default to CLI version

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-11-13 18:46:20 +01:00
Daniel Weiße
e8f0c58558
ci: fix maa-patch action for self-managed create (#2578)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-13 16:29:33 +01:00
Malte Poll
f79d5e8b08
deps: update linux kernel to 6.1.62 (#2582) 2023-11-13 14:54:53 +01:00
renovate[bot]
5af6ee058c
deps: update module k8s.io/kubernetes to v1.27.5 [SECURITY] (#2548)
* deps: update module k8s.io/kubernetes to v1.27.5 [SECURITY]

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-11-13 10:43:12 +01:00
Moritz Sanft
ae8025cd16
ci: fix path in self managed create test (#2574)
* fix path

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix path in doc

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-13 08:34:54 +01:00
edgelessci
e918a7af90
image: update measurements and image version (#2571)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-11-13 06:54:09 +01:00
edgelessci
285b7bc47d
image: update locked rpms (#2575)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-12 11:20:48 +01:00
edgelessci
e29d32af7f
image: update locked rpms (#2555)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-10 19:50:38 +01:00
Malte Poll
e11b1a0576 ci: use rbe for unit tests 2023-11-10 18:15:59 +01:00
Malte Poll
4e07965e87 bazel: disable local repository and disk cache 2023-11-10 18:15:59 +01:00
Malte Poll
b29b970c36 deps: remove dangling symlinks from libvirt-libs 2023-11-10 18:15:59 +01:00
Malte Poll
84cd22b6ee bazel: add buildbarn toolchain (Ubuntu 22.04) 2023-11-10 18:15:59 +01:00
Malte Poll
955c16a57d deps: upgrade rules_nixpkgs 2023-11-10 18:15:59 +01:00
Malte Poll
8d5ce524d5 bazel: add bazel itself as nixpkgs dependency 2023-11-10 18:15:59 +01:00
Malte Poll
bf06a014a4 bootstrapper: ignore "journald" not in $PATH in constructor
In unit tests, NewCollector may be called on systems that do not have
"journalctl" in $PATH.
We can defer checking if the command can work by not checking cmd.Err in
the constructor.
2023-11-10 18:15:59 +01:00
Adrian Stobbe
22d82a59ed
terraform: Terraform module for GCP (#2553) 2023-11-10 13:32:18 +01:00
Adrian Stobbe
b765231175
deps: bump Go to 1.21.4 (#2569)
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-11-09 20:17:14 +01:00
Adrian Stobbe
c506991eb4
docs: fix tf links (#2570) 2023-11-09 12:51:02 +01:00
Daniel Weiße
e9eb75bb83
ci: dont run SNP version upload on v2.12.0 CLI tests (#2568)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-09 08:26:42 +01:00
Adrian Stobbe
cea6204b37
terraform: Terraform module for AWS (#2503) 2023-11-08 19:10:01 +01:00
Daniel Weiße
0bac72261d
ci: fix failure issue creation for Windows e2e test (#2565)
* Add missing bazel set-up in windows e2e-failure notify
* Enable bazel caching for e2e-upgrade test
* Remove whitespace

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-08 15:27:40 +01:00
Otto Bittner
b1b8571877 validation: use regex instead of dns lookup
Doing a DNS lookup may fail for domain names that are valid
but currently not assigned.
The old test also breaks inside the bazel sandbox.
2023-11-08 14:43:05 +01:00
Otto Bittner
8341db3c33 attestation: clear certificate cache in azure snp
The unittest was flacky as testcases with valid certs
in the getter property lead to those certs being cached
inside the trust module. Other testcases however,
may want to explicitly use invalid certs. The cache
interferes with this.

Co-authored-by: Moritz Sanft <ms@edgeless.systems>
2023-11-08 13:31:26 +01:00
katexochen
45df17d527 image: update measurements and image version 2023-11-08 11:40:07 +01:00
Daniel Weiße
32706f50f6
[Windows] cli: fix incorrect filepath separator causing upgrades to fail (#2562)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-08 10:26:02 +01:00
renovate[bot]
7eb28e4f6e
deps: update module github.com/google/go-tpm-tools to v0.4.2 (#2374)
* deps: update module github.com/google/go-tpm-tools to v0.4.2

* deps: tidy all modules

* remove go-tpm-tools replace

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-08 09:09:00 +01:00
Daniel Weiße
273a6ba853
ci: use structured logging for all parts of the malicious-join test (#2557)
* Use structured logging for all parts of the test
* Fix malicious-join image build action

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-07 09:02:19 +01:00
Malte Poll
4fe51cd5f4
image: use dissect from nix (#2558) 2023-11-06 17:50:21 +01:00
Daniel Weiße
ac4ac6a148
cli: don't validate unused ownerID field (#2556)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-06 11:55:20 +01:00