Commit Graph

558 Commits

Author SHA1 Message Date
Leonard Cohnen
b2df6ba07a bump enterprise miniconstellation image 2023-03-23 14:55:29 +01:00
renovate[bot]
090d071993
deps: update Constellation containers to v2.7.0-pre.0.20230322165747-0a190c2bf672 (#1491)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-22 18:30:59 +01:00
renovate[bot]
57f1c8f139
deps: update Kubernetes versions (#1473)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-22 14:27:07 +01:00
Paul Meyer
02fc3dc635
measurements: refactor validation option (#1462)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-22 11:47:39 +01:00
renovate[bot]
2d1ffaea4f
deps: update K8s constrained Azure versions (#1408)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-22 10:23:44 +01:00
renovate[bot]
7a0cbe39f4
deps: update Constellation containers to v2.7.0-pre.0.20230321165012-cab6044f6910 (#1484)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-21 20:21:42 +01:00
renovate[bot]
248dbb5927
deps: update Constellation containers (#1464)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-21 17:37:06 +01:00
Daniel Weiße
5a0234b3f2
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)
* Convert enforceIDKeyDigest setting to enum

* Use MAA fallback in Azure SNP attestation

* Only create MAA provider if MAA fallback is enabled

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 12:46:49 +01:00
Malte Poll
67f5625f99 versions: add OpenStack CCM image 2023-03-21 10:51:09 +01:00
Malte Poll
071628c6a0 config: add OpenStack in-cluster authentication settings 2023-03-21 10:51:09 +01:00
Malte Poll
f785ae560b openstack: implement account key for cluster-internal authentication 2023-03-21 10:51:09 +01:00
Malte Poll
1b2a927b84 openstack: implement api client UID, InitSecretHash and GetLoadBalancerEndpoint 2023-03-21 10:51:09 +01:00
Otto Bittner
1b12147d83
cli: minor restructuring for loading helm charts (#1441)
Use one loadRelease function instead of one function for each
release.
2023-03-20 17:05:58 +01:00
renovate[bot]
b3b1809251
deps: update K8s version independent containers to v0.1.2 (#1376)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 16:35:26 +01:00
Daniel Weiße
1a0e05c3fb
Set Azure-SEV-SNP as default azure attestation variant (#1461)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-20 14:40:27 +01:00
Paul Meyer
bad05321a0 go: remove redefinitions of builtins
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Paul Meyer
0036b24266 go: remove unused parameters
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Moritz Sanft
f2ce9518a3
cli: support custom attestation policies for maa (#1375)
* create and update maa attestation policy

* use interface to allow unit testing

* fix test csp

* http request for policy patch

* go mod tidy

* remove hyphen

* go mod tidy

* wip: adapt to feedback

* linting fixes

* remove csp from tf call

* fix type assertion

* Add MAA URL to instance tags (#1409)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* conditionally create maa provider

* only set instance tag when maa is created

* fix azure unit test

* bazel tidy

* remove AzureCVM const

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* encode policy at runtime

* remove policy arg

* fix unit test

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-03-20 13:33:04 +01:00
renovate[bot]
540978bc98
deps: update Constellation containers (#1417)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-17 07:48:19 +01:00
Daniel Weiße
6ea5588bdc
config: add attestation variant (#1413)
* Add attestation type to config (optional for now)

* Get attestation variant from config in CLI

* Set attestation variant for Constellation services in helm deployments

* Remove AzureCVM variable from helm deployments

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-14 11:46:27 +01:00
renovate[bot]
fb83c1dbc4
deps: update Constellation containers to v2.7.0-pre.0.20230313143044-114ac53872c6 (#1333)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-13 18:49:59 +01:00
Paul Meyer
bab76e8a9a
deps: update containers to v2.7.0-pre (#1407)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-13 13:19:36 +01:00
renovate[bot]
e2ad11320a
deps: update registry.k8s.io/provider-aws/cloud-controller-manager Docker tag to v1.26.1 (#1383)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-13 11:12:50 +01:00
Paul Meyer
a658368d40
deps: update GCP guest agent image (#1400)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-13 10:35:57 +01:00
Paul Meyer
50c4ea9be6 deps: update libvirt container to v2.7.0-pre
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-10 10:46:46 -05:00
Thomas Tendyck
64e1f553d1 cli: remove Edition in version command, which contains duplicate info 2023-03-10 11:36:44 +01:00
Moritz Sanft
01705feb51
ci: upload cli version list (#1377)
* upload cli version list

* fix flag

* name

* allow cli kind for listing

* [remove] update vapi cli

* allow cli kind

* use latest versionsapi image version

* fix kind parsing

* use workflow calls in on_release action

* [remove] update container tag

* change back to latest tag
2023-03-10 10:21:58 +01:00
Nils Hanke
dc4769d0a0 constants: use "Enterprise" for enterprise build 2023-03-09 17:32:50 +01:00
Malte Poll
bdba9d8ba6
bazel: add build files for go (#1186)
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 15:23:42 +01:00
Daniel Weiße
8c87bba755
Add measurement reader (#1381)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-09 11:22:58 +01:00
Daniel Weiße
5bad5f768b
attestation: create issuer based on kernel cmd line (#1355)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-09 09:47:28 +01:00
Paul Meyer
acbd70c741 openstack: implement api client and metadata list
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 09:04:57 -05:00
Paul Meyer
418f08bf40 openstack: implement imds and metadata self
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 09:04:57 -05:00
Paul Meyer
630016d1b3 openstack: use password to authenticate in cluster
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 09:04:57 -05:00
Paul Meyer
64fc43f276
use any instead of interface{} (#1354)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 10:31:20 +01:00
Malte Poll
62ea224d36
attestation: remove PCR[0] and PCR[10] from enterprise measurements (#1348)
This will help the measurement generation done as part of internal/attestation/measurements/measurement-generator.
It can currently replace measurements but not reformat the code (in cases where the number of measurements differs).
2023-03-06 17:11:14 +01:00
Thomas Tendyck
c94d1db76d attestation: remove PCR 0 and 10 on GCP 2023-03-06 13:09:57 +01:00
Thomas Tendyck
0a344e4cf6 attestation: validate GCP machine state 2023-03-06 13:09:57 +01:00
Thomas Tendyck
2535073df8 attestation: add MachineState to ValidateCVM 2023-03-06 13:09:57 +01:00
Malte Poll
aae326d430
deps: manually upgrade libvirt container for upcoming release (#1339)
The libvirt container is currently not automatically upgraded (it still has version v2.2.0 before this change).
To ensure we update libvirt for this release, we manually upgrade the libvirt container image.
2023-03-03 16:05:29 +01:00
Malte Poll
8aa42e30ad
cli: set OpenStack service account credentials (#1328) 2023-03-03 10:10:36 +01:00
Otto Bittner
f0db5d0395
cli: restructure upgrade apply (#1319)
Applies the updated NodeVersion object with one request
instead of two. This makes sure that the first request does
not accidentially put the cluster into a "updgrade in progress"
status. Which would lead users to having to run apply twice.
2023-03-03 09:38:23 +01:00
Daniel Weiße
5eb73706f5
internal: refactor storage credentials (#1071)
* Move storage clients to separate packages

* Allow setting of client credentials for AWS S3

* Use managed identity client secret or default credentials for Azure Blob Storage

* Use credentials file to authorize GCS client

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-02 15:08:31 +01:00
Malte Poll
ab0b881cbf
oid: add alternative string representations for attestation variants (#1322) 2023-03-02 10:48:16 +01:00
Malte Poll
fc33a74c78
constants: make VersionInfo readonly (#1316)
The variable VersionInfo is supposed to be set by `go build -X ...` during link time but should not be modified at runtime.
This change ensures the underlying var is private and can only be accessed by a public getter.
2023-03-01 11:55:12 +01:00
renovate[bot]
0157537852
deps: update Kubernetes versions (#1313)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-03-01 11:41:11 +01:00
Paul Meyer
060faae528
config: use toPtr func to get pointers (#1287)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-28 18:44:21 +01:00
renovate[bot]
2f52091326
deps: update Constellation containers to v2.6.0-pre.0.20230228093604-90ed4701788f (#1288)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-28 17:32:02 +01:00
Daniel Weiße
b3486fc32b
intenal: add logging to attestation issuer (#1264)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-28 16:34:18 +01:00
Moritz Sanft
90ed470178
internal: add custom version type (#1256)
* add custom version type

* extend functionality

* adapt to requested changes

* move to own package

* remove duplicate tests, rename package

* not handle err
2023-02-28 10:36:04 +01:00
Otto Bittner
984f0589d2
cli: upgrade errors for microservice (#1259)
Handle invalid upgrade errors similarly as for images and k8s.
2023-02-28 10:23:09 +01:00
Malte Poll
b79f7d0c8c
cli: add basic support for constellation create on OpenStack (#1283)
* image: support OpenStack image build / upload

* cli: add OpenStack terraform template

* config: add OpenStack as CSP

* versionsapi: add OpenStack as CSP

* cli: add OpenStack as provider for `config generate` and `create`

* disk-mapper: add basic support for boot on OpenStack

* debugd: add placeholder for OpenStack

* image: fix config file sourcing for image upload
2023-02-27 18:19:52 +01:00
Otto Bittner
d98f86686d versions: let renovate update valid k8s versions
Also update lagging v1_24
2023-02-27 16:33:47 +01:00
renovate[bot]
b1d9ede767
deps: update Constellation containers (#1234)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-24 17:00:50 +01:00
renovate[bot]
7bcd0650a9
deps: update ghcr.io/edgelesssys/cloud-provider-gcp:v26.0.1 Docker digest to db2b15a (#1267)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-24 15:57:53 +01:00
Moritz Sanft
a274ac8a7c
ci: add cli k8s compatibility table artifact upload to ci (#1218)
* add cli k8s compatibility api to ci

* extend versionsapi package

* rework cli info upload via ci

* join errors natively

* fix semver

* upload from hack file

* fix ci checks

* add distributionid

* setup go before running hack file

* setup go after repo checkout

* use logger instead of panic, invalidate cache

* use provided ctx

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

---------

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-24 12:00:04 +01:00
Nils Hanke
28bdeb2427 cli: add support for GCP C2D VMs 2023-02-22 15:25:51 +01:00
Nils Hanke
7360e89182 cli: fix n2d-standard-224 support 2023-02-22 15:25:51 +01:00
Otto Bittner
d78d22f95a
cli: add config kubernetes-versions subcommand (#1224)
Allows users to learn which k8s versions are supported by the
current CLI.
Extend respective docs section.
2023-02-22 09:52:47 +01:00
leongross
51eef675a2
cli: refer to --force and --config flags (#1205)
* add reference to --config and --force
2023-02-21 16:46:47 +01:00
Otto Bittner
da7a870f54
cli: add --kubernetes flag (#1226)
The flag can be used to specify a Kubernetes version
in format MAJOR.MINOR and let the CLI extend the
value with the patch version.
2023-02-21 14:05:41 +01:00
Paul Meyer
6d6d7d4b6e kms: replace deprecated rand.Seed
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Paul Meyer
deea806d9c Improve code sequences with multiple errs
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Paul Meyer
12c866bcb9 deps: replace multierr with native errors.Join
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Otto Bittner
c0a62a52d1
config: allow k8s version MAJOR.MINOR for v2.6 (#1222)
To adhere to our compatibility goal of not breaking
old configs, the kubernetes patch version is automatically
extended for configs in the transistional version v2.6.
2023-02-20 10:50:55 +01:00
Otto Bittner
87fdb47caa
cli: upgrade apply uses correct measurements key (#1223)
Apply still used the obsolete upgrade key's measurements.
The new, desired behavior is to use the Provider's measurements
key
2023-02-20 10:32:33 +01:00
renovate[bot]
93f97cb320
deps: update Constellation containers (#1211)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-17 11:41:48 +01:00
Daniel Weiße
f70447bf7d
Allow unset 'name' key but print warning if unset (#1208)
* Allow unset name key in config but print warning if unset

* Print deprecation warnings for config to os.Stderr

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-17 09:05:42 +01:00
Thomas Tendyck
292f8eef21 attestation: remove VerifyUserData 2023-02-16 16:29:20 +01:00
Thomas Tendyck
dd7d6334ba attestation: bind user data to PCR state 2023-02-16 16:29:20 +01:00
Fabian Kammel
5e7dc0d7db
Option to disable spinner via environment variable. (#1207)
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2023-02-16 15:43:19 +01:00
Otto Bittner
50646b2a10 cli: refactor upgrade apply cmd to match name
* `upgrade apply` will try to make the locally configured and
actual version in the cluster match by appling necessary
upgrades.
* Skip image or kubernetes upgrades if one is already
in progress.
* Skip downgrades/equal-as-running versions
* Move NodeVersionResourceName constant from operators
to internal as its needed in the CLI.
2023-02-15 16:44:47 +01:00
Otto Bittner
3cebd68c24 kubernetes: move k8s-components creation to internal
The CLI will have to create similar objects for k8s upgrades.
2023-02-15 16:44:47 +01:00
Otto Bittner
b4ef4ec370 config: conditionally set default microserviceVersion 2023-02-15 13:36:16 +01:00
Otto Bittner
6f9d76dd6e compatibility: allow newer patch versions for images
Validation incorrectly prevented newer patch versions for images.
2023-02-15 13:36:16 +01:00
Otto Bittner
2a0b56f7b8 config: improve error message for outdated CLIs 2023-02-15 13:36:16 +01:00
renovate[bot]
a7b3a9876b
deps: update Constellation containers to v2.6.0-pre.0.20230215104228-2042e6b3382f (#1185)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-15 13:13:54 +01:00
Otto Bittner
2042e6b338 config: only print upgrade deprecation msg if key is set 2023-02-15 11:42:28 +01:00
Otto Bittner
69a384d978 compatibility: error message wording
The new description represents the error condition more accurately.
2023-02-15 11:41:54 +01:00
renovate[bot]
241d667758
deps: update K8s constrained Azure versions (#1129)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-14 15:18:55 +01:00
Paul Meyer
84a787b538
cli: add name of build type to version cmd output (#1179)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-14 14:30:10 +01:00
renovate[bot]
f60f967bd8
deps: update Constellation containers to v2.6.0-pre.0.20230210122722-c29107f5be7b (#1126)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-10 16:06:46 +01:00
Daniel Weiße
c29107f5be
init: create kubeconfig file with unique user/cluster name (#1133)
* Generate kubeconfig with unique name

* Move create name flag to config

* Add name validation to config

* Move name flag in e2e tests to config generation

* Remove name flag from create

* Update ascii cinema flow

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-10 13:27:22 +01:00
Otto Bittner
fd860ddb91
config: fix incorrect kubernetes version validation (#1155)
Fix incorrect string comparison by replacing it with
call to semver.Compare.
Also add handling to check for missing v prefix.
2023-02-09 17:38:02 +01:00
Otto Bittner
c275464634 cli: change upgrade-plan to upgrade-check
Upgrade check is used to find updates for the current cluster.
Optionally the found upgrades can be persisted to the config
for consumption by the upgrade-execute cmd.
The old `upgrade execute` in this commit does not work with
the new `upgrade plan`.
The current versions are read from the cluster.
Supported versions are read from the cli and the versionsapi.
Adds a new config field MicroserviceVersion that will be used
by `upgrade execute` to update the service versions.
The field is optional until 2.7
A deprecation warning for the upgrade key is printed during
config validation.
Kubernetes versions now specify the patch version to make it
explicit for users if an upgrade changes the k8s version.
2023-02-08 12:30:01 +01:00
Otto Bittner
f204c24174 cli: add version validation and force flag
Version validation checks that the configured versions
are not more than one minor version below the CLI's version.
The validation can be disabled using --force.
This is necessary for now during development as the CLI
does not have a prerelease version, as our images do.
2023-02-08 12:30:01 +01:00
Daniel Weiße
3a7b829107
internal: use go-kms-wrapping for KMS backends (#1012)
* Replace external KMS backend logic for AWS, Azure, and GCP with go-kms-wrapping

* Move kms client setup config into its own package for easier parsing

* Update kms integration flag naming

* Error if nil storage is passed to external KMS

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-08 12:03:54 +01:00
Daniel Weiße
68ce23b909
Enable cryptsetup read/write workqueue bypass (#1150)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-08 12:01:14 +01:00
renovate[bot]
535c359ee7
deps: update Constellation containers to v2.6.0-pre.0.20230131161703-e0354826e058 (#1105)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-31 18:08:40 +01:00
Otto Bittner
6415d80ee4 versions: update constellation operator image 2023-01-31 11:36:49 +01:00
renovate[bot]
11e233e4be
deps: update ghcr.io/edgelesssys/cloud-provider-gcp:v26.0.1 Docker digest to 8708a33 (#1110)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-30 16:54:11 +01:00
renovate[bot]
dcde73b4c4
deps: update Constellation containers to v2.6.0-pre.0.20230127131021-e174146e0c93 (#1091)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:01:08 +01:00
renovate[bot]
fb1b1f50fd
deps: update K8s version independent containers to v0.1.1 (#1020)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 15:25:05 +01:00
3u13r
e174146e0c
azure: add new idkeydigest (#1094) 2023-01-27 14:10:21 +01:00
Paul Meyer
8364856d55 versions: remove Kubernetes v1.23
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 13:32:20 +01:00
renovate[bot]
c758aef1ff
deps: update registry.k8s.io/provider-aws/cloud-controller-manager Docker tag to v1.25.3 (#1082)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 11:30:43 +01:00
renovate[bot]
dd1140868e
deps: update Constellation containers to v2.6.0-pre (#1074)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-26 14:58:51 +01:00
Daniel Weiße
aa3ac82408
Add a bit more logging to attestation and join-service on error (#1076)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-01-26 11:24:29 +01:00
Malte Poll
2d326ea3f0
cli: set placeholder uid for QEMU / MiniConstellation (#1069) 2023-01-25 14:42:52 +01:00
3u13r
e6ac8e2a91
config: fix digest naming (#1064)
* config: fix digest naming
2023-01-24 22:20:10 +01:00