Commit Graph

3583 Commits

Author SHA1 Message Date
Malte Poll
c5acb18c2b bazel: use openssl for selected target platform 2023-12-01 09:35:33 +01:00
Malte Poll
9be252fccb bazel: import C libraries from nix as cc_libary
This also includes aliases to select the correct library based on the target platform.
2023-12-01 09:35:33 +01:00
Malte Poll
e895aa5495 nix: add derivations for C library dependencies
Cryptsetup and libvirt are new.
OpenSSL was moved with the rest.

The dynamic libaries cryptsetup and libvirt also ship a file called closure.tar,
that contains the transitive closure for all of their dependencies.
This tar file can be used as a container image layer or added to a bootable OS image
to provide the runtime dependencies required for dynamic linking.
Additionally, they ship a `rpath` file. This can be used together with patchelf to
fix the RPATH of binaries produced by Bazel.
2023-12-01 09:35:33 +01:00
Malte Poll
e174c4dfe1 bazel: add patchelf rule
This rule allows overwriting a binaries' rpath.
This is required to use binaries built by Bazel that link against cc_library
targets from nix (like `/nix/store/<hash>/lib/*.so`).
2023-12-01 09:35:33 +01:00
Malte Poll
45879c7360 bazel: use pure Go platform where possible
Before, we specified that the platform has glibc 2.23 under /usr/lib.
This is technically not important for statically linked Go binaries.
2023-12-01 09:35:33 +01:00
Malte Poll
cbe08597c3 bazel: define common platforms for multi-platform builds
Default platform for targeting Constellation OS images with nix and cgo:
//bazel/platforms:constellation_os

Other target platforms with nix and cgo:
//bazel/platforms:aarch64-darwin_nix
//bazel/platforms:aarch64-linux_nix
//bazel/platforms:x86_64-darwin_nix
//bazel/platforms:x86_64-linux_nix

Pure go platforms (no cgo, statically linked)
//bazel/platforms:go-pure_aarch64-darwin
//bazel/platforms:go-pure_aarch64-linux
//bazel/platforms:go-pure_x86_64-darwin
//bazel/platforms:go-pure_x86_64-linux
2023-12-01 09:35:33 +01:00
Daniel Weiße
a9cc9d8bbc
Create Kubernetes clients from bytes instead of filepath (#2663)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-01 09:00:44 +01:00
Moritz Sanft
4d6a7fa759
license: refactor license check to be agnostic of input (#2659)
* license: refactor license check to be agnostic of input

* license: remove unused code

* cli: only check license file in enterprise version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: fix enterprise CLI build

* bazel: add keep directive

* Update internal/constellation/apply.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* license: check for return value

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-12-01 08:37:52 +01:00
Markus Rudy
381c546c88 rfc: fix path 2023-12-01 08:15:11 +01:00
Markus Rudy
b6fd1787f7
rfc: trusted k8s images (#2648)
* rfc: trusted k8s images 

Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-30 16:33:44 +01:00
Daniel Weiße
581ae0f92a
cli: fix renamed flag for mini-constellation (#2662)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-30 10:12:51 +01:00
Daniel Weiße
b3c734b804
helm: re-enable timeout flag (#2658)
* Honor (hidden) timeout flag for applying helm charts
* Set only internally used structs to private

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-29 14:55:10 +01:00
katexochen
e06848c68a image: update measurements and image version 2023-11-29 08:45:52 +01:00
Adrian Stobbe
a2de1d23ec
terraform-provider: add attestation data source (#2640)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 17:30:11 +01:00
Moritz Sanft
03c5692fdd
ci: use given image if set (#2655)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-28 14:34:02 +01:00
Daniel Weiße
ca89a31f46
ci: only run verify with JSON output on v2.14 or newer (#2649)
* Only run verify with JSON output on v2.14 or newer
* Dont upload TCB version for AWS on v2.13
* Remove workaround for CLI not yet support apply to initialize clusters

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 14:31:27 +01:00
Thomas Tendyck
960118dc00 config: remove AWS SNP warning 2023-11-28 14:26:40 +01:00
Daniel Weiße
3bc25cdd8f
ci: add notify hook to Terraform module test (#2653)
* Enable notification on tf module e2e test failure
* Dont try to change fields with no value

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 14:14:18 +01:00
Daniel Weiße
43f47cc5c5
ci: fix service accounts introduced by merge (#2652)
* Fix service accounts introduced my merge
* Remove GCP_E2E_PROJECT placeholders

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 10:54:58 +01:00
Daniel Weiße
45f6eec0d0
ci: add missing shell in notify action (#2646)
* Add missing shell
* Remove old teams notify action

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-28 09:41:01 +01:00
Daniel Weiße
97aea98e77
ci: update GCP service accounts for CI (#2629)
* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-27 13:04:41 +01:00
Adrian Stobbe
98673b0983
ci: only generate lock files where provider is used (#2636) 2023-11-27 12:16:45 +01:00
derpsteb
bff65d563b image: update measurements and image version 2023-11-27 10:57:21 +01:00
edgelessci
2fc82874b7
image: update locked rpms (#2645)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-27 09:01:16 +01:00
Moritz Sanft
34bf3ad296
terraform-provider: add image datasource (#2642)
* terraform-provider: init

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: add basic docgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: fix build steps

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: extend build process and docgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* dev-docs: document provider usage

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: upload aspect lib mirror

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: don't try to create lockfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: fix shellcheck issues

* bazel: separate paths to check

* terraform-provider: clean up old files

* terraform-provider: update provider resource

* terraform-provider: add image data source

* dev-docs: remove unnecessary init

* bazel: adhere to Terraform naming expectations

* terraform-provider: fix expected data type

* terraform-provider: generate docs

* terraform-provider: improve errors

* terraform-provider: add acceptance tests for data source

* terraform-provider: fix dependencies

* bazel: quote var reference

* terraform-provider: make region optional

* terraform-provider: bind imagefetcher to data source

* bazel: tidy

* terraform-provider: remove unused parameter

* terraform-provider: remove unused parameter

* terraform-provider: extend acceptance tests

* terraform-provider: allow tests to be ran without Bazel

* dev-docs: document testing

* terraform-provider: set binary path accordingly

* dev-docs: document docgen process for the provider

* bazel: run acceptance test in writable environment

* bazel: try to write to `$TMPDIR`

* terraform-provider: style nits

* terraform-provider: leave TODO

* bazel: tidy

* terraform-provider: regenerate docs

* terraform-provider: fix comment

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-27 09:00:08 +01:00
Markus Rudy
42f0aa8eb1 state: fix whitespace issue in generated docs 2023-11-27 08:35:54 +01:00
Moritz Sanft
9a62657b80
terraform-provider: init provider scaffolding (#2632)
* terraform-provider: init

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: add basic docgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: fix build steps

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: extend build process and docgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* dev-docs: document provider usage

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: upload aspect lib mirror

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: add docstring to fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: don't try to create lockfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: fix shellcheck issues

* bazel: separate paths to check

* bazel: explain what updating lockfiles means

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: fix linter checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-24 15:58:21 +01:00
Otto Bittner
2b199fd9b1 docs: explain config options for AWS SNP 2023-11-24 15:49:48 +01:00
Otto Bittner
46f563c7ca ci: call TCB upload step for AWS 2023-11-24 15:49:48 +01:00
Otto Bittner
257eb5370f config: only fetch TCB values from api if wanted
If no TCB value is set to `latest`, the fetcher is now no
longer called.
2023-11-24 15:49:48 +01:00
Otto Bittner
67348792dc api: add support to upload AWS TCB values
The attestationconfig api CLI now uploads SNP TCB
versions for AWS.
2023-11-24 15:49:48 +01:00
Otto Bittner
4813fcfdb6 config: fetch latest AWS TCB values 2023-11-24 15:49:48 +01:00
Otto Bittner
350397923f api: refactor attestationconfigapi client/fetcher
There is now one SEVSNPVersions type that has a variant
property. That property is used to build the correct JSON
path. The surrounding methods handling the version objects
are also updated to receive a variant argument and work
for multiple variants. This simplifies adding AWS support.
2023-11-24 15:49:48 +01:00
Otto Bittner
5542f9c63c api: refactor attestationcfgapi cli
The cli now takes CSP and object kind as argument.
Also made upload an explicit command and the report
path/version an argument.
Previously the report was a flag. The CSP was hardcoded.
There was only one object kind (snp-report).
2023-11-24 15:49:48 +01:00
Otto Bittner
84d8bd8110 verify: query vlek ASK from KDS if not set
The user can choose to supply an intermediate
certificate through the config, like they can
for the root key. If none is supplied,
the KDS is queried for a valid ASK.
2023-11-24 15:49:48 +01:00
Otto Bittner
07eed0e319 attestation: use SNP-based attestation for AWS SNP 2023-11-24 15:49:48 +01:00
Otto Bittner
cdc91b50bc verify: move CSP-specific code to internal/verify
With the introduction of SNP-based attestation on AWS
some of the information in the report (MAAToken) is not
applicable to all attestation reports anymore.
Thus, make verify cmd CSP-agnostic and move
CSP-specific logic to internal/verify.
Also make internal/attestation/snp CSP aware.
2023-11-24 15:49:48 +01:00
Otto Bittner
59b096e279 cli: use new instance info struct in verify
This ensure that issuer and verify (as consumer)
use the same types for marshalling/unmarshalling.
2023-11-24 15:49:48 +01:00
Otto Bittner
5ce55e3449 attestation: add snp package
The package holds code shared between SNP-based
attestation implementations on AWS and Azure .
2023-11-24 15:49:48 +01:00
3u13r
635a5d2c0a
Fix Konnectivity migration (#2633)
* helm: let cilium upgrade jump minor versions

* cli: reconcile kubeadm cm to not have konnectivity
2023-11-24 12:28:37 +01:00
katexochen
949186e5d7 image: update measurements and image version 2023-11-24 12:06:03 +01:00
Thomas Tendyck
b94a971d8e docs: fix deploy preview and some links 2023-11-23 22:43:10 +01:00
Markus Rudy
d3b542d781
rfc: add numeric ids to existing RFCs (#2638)
* rfc: add numeric ids to existing RFCs
2023-11-23 17:53:38 +01:00
3u13r
0564e4ebb4
dev-docs: add on-prem terraform to vpn setup (#2619)
* vpn: add fake-on-prem infra

* dev-docs: move vpn helm
2023-11-23 16:13:37 +01:00
Moritz Sanft
c922864f30
fetcher: respect HTTP(S)_PROXY environment variable (#2635) 2023-11-23 14:42:13 +01:00
Markus Rudy
d599b80b2a license: enable Bazel-based integration testing
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-23 13:48:54 +01:00
Markus Rudy
b0702cd033 ci: execute integration tests with Bazel, where possible
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-23 13:48:54 +01:00
Markus Rudy
6cfc80454a license: dedicated module for integration test
The integration test for the license module depends on network
connectivity and should be Bazel-tagged as such. Since the unit tests do
not have a network dependency, we should not apply the tag to those. The
easiest way to do this in a Gazelle-compliant way is to move the
integration test into its own module.
2023-11-23 13:48:54 +01:00
Daniel Weiße
64a05b9dea
ci: correctly clean up resource in self-managed infra tests (#2637)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-23 13:08:39 +01:00
Moritz Sanft
310960fb4d
rfc: Terraform provider (#2613)
* rfc: Terraform provider

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typo

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* rfc: annotate fields that force recreation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* reword "cluster applying"

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* rfc: resembles -> declares

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: connect dangling sentence

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: indicate sensitive state

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: warn about PVs on recreation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: idempotent -> nilpotent

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: reword deletion

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rfc: mention resource outputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-23 10:58:26 +01:00