Malte Poll
c5acb18c2b
bazel: use openssl for selected target platform
2023-12-01 09:35:33 +01:00
Malte Poll
9be252fccb
bazel: import C libraries from nix as cc_libary
...
This also includes aliases to select the correct library based on the target platform.
2023-12-01 09:35:33 +01:00
Malte Poll
e895aa5495
nix: add derivations for C library dependencies
...
Cryptsetup and libvirt are new.
OpenSSL was moved with the rest.
The dynamic libaries cryptsetup and libvirt also ship a file called closure.tar,
that contains the transitive closure for all of their dependencies.
This tar file can be used as a container image layer or added to a bootable OS image
to provide the runtime dependencies required for dynamic linking.
Additionally, they ship a `rpath` file. This can be used together with patchelf to
fix the RPATH of binaries produced by Bazel.
2023-12-01 09:35:33 +01:00
Malte Poll
e174c4dfe1
bazel: add patchelf rule
...
This rule allows overwriting a binaries' rpath.
This is required to use binaries built by Bazel that link against cc_library
targets from nix (like `/nix/store/<hash>/lib/*.so`).
2023-12-01 09:35:33 +01:00
Malte Poll
45879c7360
bazel: use pure Go platform where possible
...
Before, we specified that the platform has glibc 2.23 under /usr/lib.
This is technically not important for statically linked Go binaries.
2023-12-01 09:35:33 +01:00
Malte Poll
cbe08597c3
bazel: define common platforms for multi-platform builds
...
Default platform for targeting Constellation OS images with nix and cgo:
//bazel/platforms:constellation_os
Other target platforms with nix and cgo:
//bazel/platforms:aarch64-darwin_nix
//bazel/platforms:aarch64-linux_nix
//bazel/platforms:x86_64-darwin_nix
//bazel/platforms:x86_64-linux_nix
Pure go platforms (no cgo, statically linked)
//bazel/platforms:go-pure_aarch64-darwin
//bazel/platforms:go-pure_aarch64-linux
//bazel/platforms:go-pure_x86_64-darwin
//bazel/platforms:go-pure_x86_64-linux
2023-12-01 09:35:33 +01:00
Daniel Weiße
a9cc9d8bbc
Create Kubernetes clients from bytes instead of filepath ( #2663 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-01 09:00:44 +01:00
Moritz Sanft
4d6a7fa759
license: refactor license check to be agnostic of input ( #2659 )
...
* license: refactor license check to be agnostic of input
* license: remove unused code
* cli: only check license file in enterprise version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: fix enterprise CLI build
* bazel: add keep directive
* Update internal/constellation/apply.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* license: check for return value
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-12-01 08:37:52 +01:00
Markus Rudy
381c546c88
rfc: fix path
2023-12-01 08:15:11 +01:00
Markus Rudy
b6fd1787f7
rfc: trusted k8s images ( #2648 )
...
* rfc: trusted k8s images
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-30 16:33:44 +01:00
Daniel Weiße
581ae0f92a
cli: fix renamed flag for mini-constellation ( #2662 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-30 10:12:51 +01:00
Daniel Weiße
b3c734b804
helm: re-enable timeout flag ( #2658 )
...
* Honor (hidden) timeout flag for applying helm charts
* Set only internally used structs to private
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-29 14:55:10 +01:00
katexochen
e06848c68a
image: update measurements and image version
2023-11-29 08:45:52 +01:00
Adrian Stobbe
a2de1d23ec
terraform-provider: add attestation data source ( #2640 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 17:30:11 +01:00
Moritz Sanft
03c5692fdd
ci: use given image if set ( #2655 )
...
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-28 14:34:02 +01:00
Daniel Weiße
ca89a31f46
ci: only run verify with JSON output on v2.14 or newer ( #2649 )
...
* Only run verify with JSON output on v2.14 or newer
* Dont upload TCB version for AWS on v2.13
* Remove workaround for CLI not yet support apply to initialize clusters
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 14:31:27 +01:00
Thomas Tendyck
960118dc00
config: remove AWS SNP warning
2023-11-28 14:26:40 +01:00
Daniel Weiße
3bc25cdd8f
ci: add notify hook to Terraform module test ( #2653 )
...
* Enable notification on tf module e2e test failure
* Dont try to change fields with no value
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 14:14:18 +01:00
Daniel Weiße
43f47cc5c5
ci: fix service accounts introduced by merge ( #2652 )
...
* Fix service accounts introduced my merge
* Remove GCP_E2E_PROJECT placeholders
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 10:54:58 +01:00
Daniel Weiße
45f6eec0d0
ci: add missing shell in notify action ( #2646 )
...
* Add missing shell
* Remove old teams notify action
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-28 09:41:01 +01:00
Daniel Weiße
97aea98e77
ci: update GCP service accounts for CI ( #2629 )
...
* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-27 13:04:41 +01:00
Adrian Stobbe
98673b0983
ci: only generate lock files where provider is used ( #2636 )
2023-11-27 12:16:45 +01:00
derpsteb
bff65d563b
image: update measurements and image version
2023-11-27 10:57:21 +01:00
edgelessci
2fc82874b7
image: update locked rpms ( #2645 )
...
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-27 09:01:16 +01:00
Moritz Sanft
34bf3ad296
terraform-provider: add image datasource ( #2642 )
...
* terraform-provider: init
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: add basic docgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: fix build steps
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: extend build process and docgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* dev-docs: document provider usage
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: upload aspect lib mirror
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: don't try to create lockfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: fix shellcheck issues
* bazel: separate paths to check
* terraform-provider: clean up old files
* terraform-provider: update provider resource
* terraform-provider: add image data source
* dev-docs: remove unnecessary init
* bazel: adhere to Terraform naming expectations
* terraform-provider: fix expected data type
* terraform-provider: generate docs
* terraform-provider: improve errors
* terraform-provider: add acceptance tests for data source
* terraform-provider: fix dependencies
* bazel: quote var reference
* terraform-provider: make region optional
* terraform-provider: bind imagefetcher to data source
* bazel: tidy
* terraform-provider: remove unused parameter
* terraform-provider: remove unused parameter
* terraform-provider: extend acceptance tests
* terraform-provider: allow tests to be ran without Bazel
* dev-docs: document testing
* terraform-provider: set binary path accordingly
* dev-docs: document docgen process for the provider
* bazel: run acceptance test in writable environment
* bazel: try to write to `$TMPDIR`
* terraform-provider: style nits
* terraform-provider: leave TODO
* bazel: tidy
* terraform-provider: regenerate docs
* terraform-provider: fix comment
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-27 09:00:08 +01:00
Markus Rudy
42f0aa8eb1
state: fix whitespace issue in generated docs
2023-11-27 08:35:54 +01:00
Moritz Sanft
9a62657b80
terraform-provider: init provider scaffolding ( #2632 )
...
* terraform-provider: init
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: add basic docgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: fix build steps
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: extend build process and docgen
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* dev-docs: document provider usage
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: upload aspect lib mirror
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: add docstring to fix linter
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: don't try to create lockfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bazel: fix shellcheck issues
* bazel: separate paths to check
* bazel: explain what updating lockfiles means
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: fix linter checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-24 15:58:21 +01:00
Otto Bittner
2b199fd9b1
docs: explain config options for AWS SNP
2023-11-24 15:49:48 +01:00
Otto Bittner
46f563c7ca
ci: call TCB upload step for AWS
2023-11-24 15:49:48 +01:00
Otto Bittner
257eb5370f
config: only fetch TCB values from api if wanted
...
If no TCB value is set to `latest`, the fetcher is now no
longer called.
2023-11-24 15:49:48 +01:00
Otto Bittner
67348792dc
api: add support to upload AWS TCB values
...
The attestationconfig api CLI now uploads SNP TCB
versions for AWS.
2023-11-24 15:49:48 +01:00
Otto Bittner
4813fcfdb6
config: fetch latest AWS TCB values
2023-11-24 15:49:48 +01:00
Otto Bittner
350397923f
api: refactor attestationconfigapi client/fetcher
...
There is now one SEVSNPVersions type that has a variant
property. That property is used to build the correct JSON
path. The surrounding methods handling the version objects
are also updated to receive a variant argument and work
for multiple variants. This simplifies adding AWS support.
2023-11-24 15:49:48 +01:00
Otto Bittner
5542f9c63c
api: refactor attestationcfgapi cli
...
The cli now takes CSP and object kind as argument.
Also made upload an explicit command and the report
path/version an argument.
Previously the report was a flag. The CSP was hardcoded.
There was only one object kind (snp-report).
2023-11-24 15:49:48 +01:00
Otto Bittner
84d8bd8110
verify: query vlek ASK from KDS if not set
...
The user can choose to supply an intermediate
certificate through the config, like they can
for the root key. If none is supplied,
the KDS is queried for a valid ASK.
2023-11-24 15:49:48 +01:00
Otto Bittner
07eed0e319
attestation: use SNP-based attestation for AWS SNP
2023-11-24 15:49:48 +01:00
Otto Bittner
cdc91b50bc
verify: move CSP-specific code to internal/verify
...
With the introduction of SNP-based attestation on AWS
some of the information in the report (MAAToken) is not
applicable to all attestation reports anymore.
Thus, make verify cmd CSP-agnostic and move
CSP-specific logic to internal/verify.
Also make internal/attestation/snp CSP aware.
2023-11-24 15:49:48 +01:00
Otto Bittner
59b096e279
cli: use new instance info struct in verify
...
This ensure that issuer and verify (as consumer)
use the same types for marshalling/unmarshalling.
2023-11-24 15:49:48 +01:00
Otto Bittner
5ce55e3449
attestation: add snp package
...
The package holds code shared between SNP-based
attestation implementations on AWS and Azure .
2023-11-24 15:49:48 +01:00
3u13r
635a5d2c0a
Fix Konnectivity migration ( #2633 )
...
* helm: let cilium upgrade jump minor versions
* cli: reconcile kubeadm cm to not have konnectivity
2023-11-24 12:28:37 +01:00
katexochen
949186e5d7
image: update measurements and image version
2023-11-24 12:06:03 +01:00
Thomas Tendyck
b94a971d8e
docs: fix deploy preview and some links
2023-11-23 22:43:10 +01:00
Markus Rudy
d3b542d781
rfc: add numeric ids to existing RFCs ( #2638 )
...
* rfc: add numeric ids to existing RFCs
2023-11-23 17:53:38 +01:00
3u13r
0564e4ebb4
dev-docs: add on-prem terraform to vpn setup ( #2619 )
...
* vpn: add fake-on-prem infra
* dev-docs: move vpn helm
2023-11-23 16:13:37 +01:00
Moritz Sanft
c922864f30
fetcher: respect HTTP(S)_PROXY environment variable ( #2635 )
2023-11-23 14:42:13 +01:00
Markus Rudy
d599b80b2a
license: enable Bazel-based integration testing
...
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-23 13:48:54 +01:00
Markus Rudy
b0702cd033
ci: execute integration tests with Bazel, where possible
...
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-23 13:48:54 +01:00
Markus Rudy
6cfc80454a
license: dedicated module for integration test
...
The integration test for the license module depends on network
connectivity and should be Bazel-tagged as such. Since the unit tests do
not have a network dependency, we should not apply the tag to those. The
easiest way to do this in a Gazelle-compliant way is to move the
integration test into its own module.
2023-11-23 13:48:54 +01:00
Daniel Weiße
64a05b9dea
ci: correctly clean up resource in self-managed infra tests ( #2637 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-23 13:08:39 +01:00
Moritz Sanft
310960fb4d
rfc: Terraform provider ( #2613 )
...
* rfc: Terraform provider
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix typo
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* rfc: annotate fields that force recreation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* reword "cluster applying"
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* rfc: resembles -> declares
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* rfc: connect dangling sentence
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* rfc: indicate sensitive state
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* rfc: warn about PVs on recreation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* rfc: idempotent -> nilpotent
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* rfc: reword deletion
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* rfc: mention resource outputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-23 10:58:26 +01:00