* terraform: add Azure marketplace variable
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* config: add Azure marketplace variable
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: use Terraform variables from config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform: pass down marketplace variable
* image: pad Azure images to 1GiB
* terraform: add version attribute to marketplace image
* semver: allow versions to be exported without prefix
* cli: boolean var to use marketplace images
* config: remove dive key
* dev-docs: add instructions on how to use marketplace images
* terraform: fix unit test
* terraform: only fetch image for non-marketplace images
* mpimage: refactor image selection
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] increase minor version for image build
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform: ignore changes to source_image_reference on upgrade
* operator: add support for parsing Azure marketplace images
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* upgrade: fix imagefetcher call
* docs: add info about azure marketplace
* image: ensure more than 1GiB in size
* image: test to pad to 2GiB
* version: change back to v2.14.0-pre
* image: GPT-conformant image size padding
* [remove] increase version
* mpimage: inline prefix func
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* ci: add marketplace image e2e test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] register workflow
* ci: fix workflow name
* ci: only allow azure test
* cli: add marketplace image input to interface
* cli: fix argument passing
* version: roll back to v2.14.0
* ci: add force-flag support
* Update docs/docs/overview/license.md
* Update dev-docs/workflows/marketplace-images.md
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Reduce external dependencies of kubecmd package
* Add kubecmd wrapper to constellation-lib
* Update CLI code to use constellation-lib
* Move kubecmd package to subpackage of constellation-lib
* Initialise helm and kubecmd clients when kubeConfig is set
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
By default, Cilium's tc filters are added add the highest priority,
which makes it impossible to add any tc filters of our own (because the
Cilium eBPF programs don't return to the filter chain).
Two near-future use cases that would benefit from this:
* Network testing could add counting filters to interfaces and observe
e.g. violations of encryption policy.
* The VPN Helm chart could add a filter policy that drops packets on the
"physical" interface before they can leak to the CSP.
* constellation-lib: refactor init RPC
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: pass io.Writer for collecting logs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: add init test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: bin dialer to struct
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* constellation-lib: set service CIDR on init
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Honor (hidden) timeout flag for applying helm charts
* Set only internally used structs to private
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
There is now one SEVSNPVersions type that has a variant
property. That property is used to build the correct JSON
path. The surrounding methods handling the version objects
are also updated to receive a variant argument and work
for multiple variants. This simplifies adding AWS support.
The cli now takes CSP and object kind as argument.
Also made upload an explicit command and the report
path/version an argument.
Previously the report was a flag. The CSP was hardcoded.
There was only one object kind (snp-report).
The user can choose to supply an intermediate
certificate through the config, like they can
for the root key. If none is supplied,
the KDS is queried for a valid ASK.
With the introduction of SNP-based attestation on AWS
some of the information in the report (MAAToken) is not
applicable to all attestation reports anymore.
Thus, make verify cmd CSP-agnostic and move
CSP-specific logic to internal/verify.
Also make internal/attestation/snp CSP aware.
The integration test for the license module depends on network
connectivity and should be Bazel-tagged as such. Since the unit tests do
not have a network dependency, we should not apply the tag to those. The
easiest way to do this in a Gazelle-compliant way is to move the
integration test into its own module.
* cli: move internal packages
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: fix buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: fix exclude dir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: move back libraries that will not be used by TF provider
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
This is the first step in our migration off of
konnectivity. Before node-to-node encryption
we used konnectivity to route some KubeAPI
to kubelet traffic over the pod network which then
would be encrypted.
Since we enabled node-to-node encryption this has no
security upsides anymore. Note that we still deploy
the konnectivity agents via helm and still have the
load balancer for konnectivity.
In the following releases we will remove both.
The unittest was flacky as testcases with valid certs
in the getter property lead to those certs being cached
inside the trust module. Other testcases however,
may want to explicitly use invalid certs. The cache
interferes with this.
Co-authored-by: Moritz Sanft <ms@edgeless.systems>