Otto Bittner
c7d12055d1
attestation: add SNP-based attestation for aws-sev-snp ( #1916 )
...
* config: move AMD root key to global constant
* attestation: add SNP based attestation for aws
* Always enable SNP, regardless of attestation type.
* Make AWSNitroTPM default again
There exists a bug in AWS SNP implementation where sometimes
a host might not be able to produce valid SNP reports.
Since we have to wait for AWS to fix this we are merging SNP
attestation as opt-in feature.
2023-06-21 14:19:55 +02:00
Adrian Stobbe
07de6482b2
config: drop support for deprecated Azure's service principal authentication ( #1906 )
...
* invalidate app client id field for azure and provide info
* remove TestNewWithDefaultOptions case
* fix test
* remove appClientID field
* remove client secret + rename err
* remove from docs
* otto feedback
* update docs
* delete env test in cfg since no envs set anymore
* Update dev-docs/workflows/github-actions.md
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* WARNING to stderr
* fix check
---------
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-14 17:50:57 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP
as new variant ( #1900 )
...
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP
For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Thomas Tendyck
947d0cb20a
cli: hide --insecure of config fetch-measurements
2023-06-09 15:07:31 +02:00
Moritz Eckert
9463d6fb27
cli: fix azure config warning message ( #1902 )
2023-06-09 11:16:54 +02:00
edgelessci
f43366ed89
docs: add release v2.8.0 ( #1884 )
...
* docs: add release v2.8.0
* docs: mention required AWS IAM permissions for upgrades
---------
Co-authored-by: malt3 <malt3@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-06-07 10:34:07 +02:00
3u13r
7c07e3be18
Add --insecure to config fetch-measurement ( #1879 )
...
* cli: add --insecure to fetch-measurements
* cli: rename fake to stub
* ci: upload measurements for debug images
* fix cli docs
2023-06-06 10:32:22 +02:00
Malte Poll
eb9bea1cff
docs: refine instructions for upgrade process ( #1865 )
...
Incorporate customer feedback regarding the recommended commands when upgrading a Constellation cluster.
Showing the full command "constellation upgrade check --write-config" is important to ensure only valid, safe upgrades are applied.
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-05 09:10:20 +02:00
renovate[bot]
a31c3dbbcd
deps: update ubuntu:22.04 Docker digest to 2fdb1cf ( #1857 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: malt3 <mp@edgeless.systems>
2023-06-02 11:20:59 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup ( #1837 )
...
* chore: add TODO responsibilities
* chore: remove not needed TODOs
* chore: remove outdated migrations
* chore: remove resolved goleak exception
* chore: remove not needed cosign env
* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Moritz Sanft
6d5e7e1f7c
cli: support StackIT provider on config generate ( #1803 )
...
* support stackit provider on config generate
* update cli reference
* default config values
* deploy csi driver
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
---------
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2023-05-30 09:02:50 +02:00
3u13r
661f084ffa
cli: use uami for in-cluter authentication ( #1820 )
2023-05-26 11:45:03 +02:00
renovate[bot]
0eeb1d2ceb
deps: update dependency @cmfcmf/docusaurus-search-local to v1
2023-05-24 13:47:50 +02:00
renovate[bot]
9dd428557f
deps: update dependency prism-react-renderer to v2 ( #1824 )
...
* deps: update dependency prism-react-renderer to v2
* Update docusaurus.config.js
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-05-24 13:30:14 +02:00
renovate[bot]
1ea2814fe4
deps: update dependency mermaid to v10 ( #1823 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-05-24 13:10:19 +02:00
Thomas Tendyck
69464bca4b
docs: publish
2023-05-23 15:51:46 +02:00
3u13r
964775c4c2
Add autoscaling and cluster upgrade support for AWS ( #1758 )
...
* aws: autoscaling and upgrades
* docs: update scaling and upgrades for AWS
* deps: pin vuln check against release
2023-05-19 13:57:31 +02:00
Adrian Stobbe
f99e06b63b
cli: new flag to set the attestation type for config generate
( #1769 )
...
* add attestation flag to specify type in config
2023-05-17 16:53:56 +02:00
miampf
e7b7a544f0
docs: add a qemu section ( #1724 )
2023-05-17 13:21:35 +00:00
Moritz Eckert
fd83f3439e
docs: update state of clouds ( #1732 )
...
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-05-10 10:04:20 +02:00
renovate[bot]
f3e14f2b42
deps: update ubuntu:22.04 Docker digest to ca5534a ( #1744 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-05-05 14:38:11 +02:00
Paul Meyer
30cd024076
deps: add Kubernetes v1.27, remove Kubernetes v1.24 ( #1669 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-05-05 13:22:53 +02:00
Malte Poll
653bf3621d
image: replicate AWS images to eu-west-1 and eu-west-3
2023-05-05 12:06:44 +02:00
Daniel Weiße
c3b13178aa
docs: add short explanation on attestation config options ( #1654 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-04 15:00:06 +02:00
Daniel Weiße
d7a2ddd939
config: add separate option for handling attestation parameters ( #1623 )
...
* Add attestation options to config
* Add join-config migration path for clusters with old measurement format
* Always create MAA provider for Azure SNP clusters
* Remove confidential VM option from provider in favor of attestation options
* cli: add config migrate command to handle config migration (#1678 )
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-03 11:11:53 +02:00
Moritz Sanft
478b6ddb72
add terraform debug docs ( #1627 )
2023-04-21 08:43:27 +02:00
Moritz Sanft
3031d395a9
cli: force-delete Azure resource group ( #1667 )
...
* force-delete Azure resource group
* were not -> weren't
* fix typo
2023-04-19 08:30:11 +02:00
3u13r
14d26e1af4
terraform: use nat gateway on azure ( #1655 )
...
* terraform: use nat gateway on azure
* docs: add new azure permission
2023-04-17 11:00:35 +02:00
Moritz Sanft
1d0ee796e8
cli: add Terraform log support ( #1620 )
...
* add Terraform logging
* add TF logging to CLI
* fix path
* only create file if logging is enabled
* update bazel files
* register persistent flags manually
* clidocgen
* move logging code to separate file
* reword yes flag parsing error
* update bazel buildfile
* factor out log level setting
2023-04-14 14:15:07 +02:00
Moritz Eckert
af9e03f66b
docs: update versioned benchmarks
2023-04-11 14:28:21 +02:00
Moritz Eckert
0b66119a41
docs: group perf graphics by csp
2023-04-11 14:28:21 +02:00
Moritz Eckert
db32251daa
docs: update benchmarks with v2.6.0
...
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-04-11 14:28:21 +02:00
Moritz Eckert
a1f5e0e53d
ci: Add tooling to create benchmark figures
2023-04-11 14:28:21 +02:00
edgelessci
06bbdda9dc
docs: add release v2.7.0 ( #1592 )
...
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-04-05 10:33:16 +02:00
Moritz Sanft
e71c33c88d
cli: print attestation document with constellation verify ( #1577 )
...
* wip: verification output
* wip: Azure cert parsing
* wip: print actual PCRs
* wip: use string builder for output formatting
* compare PCR expected with actual
* tests
* change naming
* update cli reference
* update bazel buildfile
* bazel update
* change loop signature
2023-04-03 15:06:27 +02:00
Paul Meyer
176d32599f
terraform: add missing permission to AWS iam
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-04-03 07:23:00 -04:00
Paul Meyer
63b07ede8a
terraform: sort permissions
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-04-03 07:23:00 -04:00
Otto Bittner
c8c2953d7b
cli: add status cmd
...
The new command allows checking the status of an upgrade
and which versions are installed.
Also remove the unused restclient.
And make GetConstellationVersion a function.
2023-04-03 12:03:41 +02:00
Paul Meyer
b8d6b110b1
cli: add missing -y short flag to iam create ( #1572 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-31 17:26:14 +02:00
Moritz Sanft
1f7acf8dfb
docs: list minimal permissions for Constellation setup ( #1442 )
...
* add required Azure perms
* add minimal aws permissions
* add minimal gcp permissions
* [wip] split Azure perms by iam create/create step
* Update docs/docs/getting-started/install.md
Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>
* Update docs/docs/getting-started/install.md
Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>
* minimal gcp permissions for iam create/create step
* escape footnote bracket
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* active voice
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* link to config step
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* add predefined roles for Azure
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* add AWS and GCP predefined min roles
* add Azure attestationprovider perm
* footnote for attestation mode
* Update docs/docs/getting-started/install.md
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* accept superset
* fix negation
Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>
* update footnote
---------
Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-03-30 10:16:57 +02:00
Thomas Tendyck
6fabb2a84b
docs: rearrange troubleshooting
2023-03-29 10:57:17 +02:00
Otto Bittner
861bc84f94
cli: only apply upgrades on gcp/azure ( #1518 )
...
The constellation-operator currently doesn't support the
necessary operations for AWS, OpenStack and QEMU.
2023-03-24 17:07:14 +01:00
derpsteb
870182987c
docs: update cli reference
2023-03-24 08:47:53 +01:00
Otto Bittner
55067b12cd
docs: explain how to change cluster measurements
...
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-23 18:08:18 +01:00
Malte Poll
44db16b42e
cli: give Azure uami all perms previously given to app registration ( #1334 )
...
This is the first step for deprecating app registrations on Azure.
The user-assigned managed identity (uami) should first gain all permissions that are currently held by the app registration.
* cli: give Azure uami all permissions previously given to app registratio
* docs: document required owner role for user-assigned managed identity on Azure
2023-03-21 10:00:13 +01:00
renovate[bot]
79395ddd20
deps: update ubuntu:22.04 Docker digest to 7a57c69 ( #1452 )
...
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-17 18:31:20 +01:00
Moritz Eckert
16f2f9bb64
docs: simplify readme svg ( #1418 )
2023-03-15 12:11:54 +01:00
Paul Meyer
d16f01d810
docs: pin base image of screencast container
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-14 13:08:19 -04:00
Thomas Tendyck
1a4c1f34bc
docs: refer to known issues ( #1414 )
...
* docs: refer to known issues
* publish
2023-03-14 08:27:06 +01:00
Thomas Tendyck
d8895446de
docs: remove pcr warning from asciinema casts
2023-03-13 08:26:56 +01:00