Commit Graph

42 Commits

Author SHA1 Message Date
Markus Rudy
b6fd1787f7
rfc: trusted k8s images (#2648)
* rfc: trusted k8s images 

Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-30 16:33:44 +01:00
Markus Rudy
d3b542d781
rfc: add numeric ids to existing RFCs (#2638)
* rfc: add numeric ids to existing RFCs
2023-11-23 17:53:38 +01:00
Moritz Sanft
310960fb4d
rfc: Terraform provider (#2613)
* rfc: Terraform provider

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typo

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* rfc: annotate fields that force recreation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* reword "cluster applying"

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* rfc: resembles -> declares

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: connect dangling sentence

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: indicate sensitive state

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: warn about PVs on recreation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: idempotent -> nilpotent

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: reword deletion

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: mention resource outputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-23 10:58:26 +01:00
Moritz Sanft
005e865a13
cli: use state file on init and upgrade (#2395)
* [wip] use state file in CLI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use state file in CLI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

take clusterConfig from IDFile for compat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

various fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

wip

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add GCP-specific values in Helm loader test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary pointer

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* write ClusterValues in one step

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move stub to test file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove mention of id-file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move output to `migrateTerraform`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* unconditional assignments converting from idFile

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move require block in go modules file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fall back to id file on upgrade

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add notice to remove Terraform state check on manual migration

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add `name` field

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

fix name tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* return early if no Terraform diff

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* return infrastructure state even if no diff exists

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add TODO to remove comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use state-file in miniconstellation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: remove id-file (#2402)

* remove id-file from `constellation create`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add file renaming to handler

* rename id-file after upgrade

* use idFile on `constellation init`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation verify`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation mini`

* remove id-file from `constellation recover`

* linter fixes

* remove id-file from `constellation terminate`

* fix initSecret type

* fix recover argument precedence

* fix terminate test

* generate

* add TODO to remove id-file removal

* Update cli/internal/cmd/init.go

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* fix verify arg parse logic

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add version test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from docs

* add file not found log

* use state-file in miniconstellation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation iam destroy`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `cdbg deploy`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* use state-file in CI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update orchestration docs

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-10-09 13:04:29 +02:00
Malte Poll
b66fa5aaab hack: remove pseudo-version tool
The Go implementation is now unused.
Consumers are all switched over to /tools/workspace_status.sh
2023-09-29 14:09:58 +02:00
Daniel Weiße
25ba8ecfed
rfc: Constellation state file (#2281)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-07 08:55:46 +02:00
Malte Poll
5f5a752b54
rfc: canonical endpoint / custom dns (#1985) 2023-07-10 11:15:08 +02:00
miampf
77b28cb5e7
cli: change generate-config flag to update-config flag (#1897) 2023-06-28 12:47:44 +00:00
Adrian Stobbe
3fde118b33
config: enable azure snp version fetcher again + minimum age for latest version (#1899)
* fetch latest version when older than 2 weeks

* extend hack upload tool to pass an upload date

* Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8  (#1882)"

This reverts commit c7b22d314a.

* fix tests

* use NewAzureSEVSNPVersionList for type guarantees

* Revert "use NewAzureSEVSNPVersionList for type guarantees"

This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4.

* assure list is sorted

* improve root.go style

* daniel feedback
2023-06-09 12:48:12 +02:00
Otto Bittner
3e583946a1
rfc: specify how to handle launchmeasurements (#1894)
* Describes how to keep the values in the API up-to-date.
* Describes API object structure.
* Describe user config options.

Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-06-09 08:45:27 +02:00
Malte Poll
e5b394db87 cli: image measurements (v2) 2023-05-25 15:01:15 +02:00
miampf
e7b7a544f0
docs: add a qemu section (#1724) 2023-05-17 13:21:35 +00:00
Moritz Eckert
08b37ad59a
rfc: fix broken link (#1757) 2023-05-11 14:48:23 +02:00
Malte Poll
7d8e36a853 rfc: define measurements v2
The old measurements.json (v1) was contain one set of measurements and had a path scoped for every CSP.
The new version is less structured, allowing for future extensions.
2023-05-05 14:36:45 +02:00
Malte Poll
45e67d9d22 rfc: define image info v2
The version v1 of the image/info.json file is not capable to encode multiple regions and
attestation variants for a given csp.
This is why a v2 is needed with a more extensible structure.
2023-05-05 14:36:45 +02:00
Daniel Weiße
eed533932e
rfc: attestation config options (#1436)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-03-29 14:58:57 +02:00
Malte Poll
b79f7d0c8c
cli: add basic support for constellation create on OpenStack (#1283)
* image: support OpenStack image build / upload

* cli: add OpenStack terraform template

* config: add OpenStack as CSP

* versionsapi: add OpenStack as CSP

* cli: add OpenStack as provider for `config generate` and `create`

* disk-mapper: add basic support for boot on OpenStack

* debugd: add placeholder for OpenStack

* image: fix config file sourcing for image upload
2023-02-27 18:19:52 +01:00
Moritz Sanft
c3347f2eb5
rfc: specify cli version api (#1175)
* add cli compatibility api rfc

* fix typos

* rewording
2023-02-17 10:32:48 +01:00
Fabian Kammel
4c5ab7c5e9
ci: refactor image measurement generation (#1152)
* Merge measurements.image.json and measurements.json into latter.
* Use static (known) measurement values for the ones we cannot precompute.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2023-02-09 13:33:17 +01:00
Otto Bittner
b14a09f04e
rfc: extend updates rfc with constraints section (#1001)
Co-authored-by: 3u13r <lc@edgeless.systems>
2023-01-24 14:02:56 +01:00
Otto Bittner
90b88e1cf9 kms: rename kms to keyservice
In the light of extending our eKMS support it will be helpful
to have a tighter use of the word "KMS".
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
2023-01-16 11:56:34 +01:00
Otto Bittner
b89a30130f rfc: mention required iam secrets for recovery 2023-01-11 11:58:55 +01:00
Otto Bittner
43afb86e33
rfc: add recovery section to eKMS rfc (#919)
This new section describes how recovery currently depends on
the mastersecret and how that will change.

Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-01-10 11:36:11 +01:00
Paul Meyer
f9458950cb
versionsapi: change image path (#856)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 17:07:16 +01:00
Paul Meyer
baa1b37681
rfc: update documentation of new versions API (#788)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-01-03 15:49:58 +01:00
3u13r
f14af0c3eb
upgrade: support Kubernetes components (#839)
* upgrade: add Kubernetes components to NodeVersion

* update rfc
2023-01-03 12:09:53 +01:00
Leonard Cohnen
1466c12972 rfc: use hash annotation during upgrades 2022-12-08 11:08:37 +01:00
Malte Poll
d2c6e833e5
Write version API RFC (#635) 2022-12-05 17:02:49 +01:00
Paul Meyer
8004edcc14
image: add version and debug field to lookup table (#682)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-01 11:51:33 +01:00
leongross
61dec913ec
rfc: reproducible-builds (#465) 2022-12-01 10:08:48 +01:00
Malte Poll
fb2b1fbaff
Update RFC: use current config format in examples (#688) 2022-11-30 18:50:26 +01:00
3u13r
86bc9f4b38
rfc: include upgrade check command (#646)
* rfc: include upgrade check command
2022-11-29 11:45:21 +01:00
Nils Hanke
89b25f8ebb
Add new generate measurements matrix CI/CD action (now with AWS support) (#641) 2022-11-25 12:08:24 +01:00
Otto Bittner
594b43e629 Remove kubernetesServicesVersion from upgrade RFC.
Tracking two sets of versions would require us to have two versioning patterns
inside the Helm charts. It also complicates
the decision making for the user.
2022-11-24 15:50:37 +01:00
Malte Poll
78481b32e8
Move image artifacts "/v1/" => "/constellation/v1" (#579) 2022-11-17 16:14:38 +01:00
Malte Poll
cdaf1fc476
OS Image Build pipeline: prepare lookup tables and additional artifacts (#560) 2022-11-16 15:45:10 +01:00
Fabian Kammel
b92b3772ca
Remove access manager (#470)
* remove access manager from code base
* document new node ssh workflow
* keep config backwards compatible
* slow down link checking to prevent http 429
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-11 08:44:36 +01:00
Malte Poll
499d7a1fdd
AB#2566 RFC for image discoverability (description of image version uid) (#416)
Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2022-11-08 14:04:14 +01:00
Thomas Tendyck
7ad55af07c
RFC: external KMS (#395)
* RFC: external KMS

* fixup! RFC: external

* fixup! RFC: external
2022-11-03 13:52:04 +01:00
Leonard Cohnen
1f8eba37c8 RFC: update updates RFC 2022-10-26 15:51:43 +02:00
3u13r
90c94ec53e
initial draft for automatic updates (#334)
* draft for automatic updates
2022-10-21 15:02:20 +02:00
Moritz Eckert
b95f3dbc91
Add docs to repo (#38) 2022-09-02 11:52:42 +02:00