Commit Graph

337 Commits

Author SHA1 Message Date
Moritz Sanft
e71c33c88d
cli: print attestation document with constellation verify (#1577)
* wip: verification output

* wip: Azure cert parsing

* wip: print actual PCRs

* wip: use string builder for output formatting

* compare PCR expected with actual

* tests

* change naming

* update cli reference

* update bazel buildfile

* bazel update

* change loop signature
2023-04-03 15:06:27 +02:00
Malte Poll
d15968bed7
bootstrapper: make Azure auth method configurable on cluster init (#1346)
* bootstrapper: make Azure auth method configurable on cluster init
* azure: convert uami resource ID to clientID


Co-authored-by: 3u13r <lc@edgeless.systems>
2023-04-03 15:01:25 +02:00
Moritz Sanft
46f5b1734e
cli: show available cli upgrades on upgrade check command (#1394)
* cli: upgrade check show cli upgrades

* only check compatibility for valid upgrades

* use semver.Sort

* extend unit tests

* add unit test for new compatible cli versions

* adapt to feedback

* fix rebase

* rework output

* minor -> major

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* minor -> major

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* dynamic major version

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* remove currentK8sVer argument

* bazel gen & tidy

* bazel update

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-04-03 14:31:17 +02:00
Otto Bittner
7c8215e507 cli: add kubernetes pkg to interface with cluster
Previously the content of files status and upgrade within the
cloudcmd pkg did not fit cloudcmd's pkg description.
This patch introduces a separate pkg to fix that.
2023-04-03 12:03:41 +02:00
Otto Bittner
c8c2953d7b cli: add status cmd
The new command allows checking the status of an upgrade
and which versions are installed.
Also remove the unused restclient.
And make GetConstellationVersion a function.
2023-04-03 12:03:41 +02:00
Daniel Weiße
62c165750f
config: remove deprecated upgradeConfig and require name and microserviceVersion fields (#1541)
* Remove deprecated fields

* Remove warning for not setting attestationVariant

* Don't write attestationVariant to config

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-31 19:19:10 +02:00
Paul Meyer
b8d6b110b1
cli: add missing -y short flag to iam create (#1572)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-31 17:26:14 +02:00
Paul Meyer
66ee24b5b2
cli: remove duplicated print (#1568)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-31 14:43:39 +02:00
Daniel Weiße
fc0efb6309
config: deprecate confidentialVM option for Azure clusters in favor of using attestationVariant option (#1539)
* Remove confidentialVM option from azure provider config

* Fix cloudcmd creator test

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 14:04:37 +02:00
Daniel Weiße
b57413cfa7
cli: set cluster's initial measurements from user's config using Helm (#1540)
* Remove using measurements from the initial control-plane node for the cluster's initial measurements

* Add using measurements from the user's config for the cluster's initial measurements to align behavior with upgrade command

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 11:16:56 +02:00
Daniel Weiße
99b12e4035
internal: refactor oid package to variant package (#1538)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 09:30:13 +02:00
Daniel Weiße
db5660e3d6
attestation: add context to Issue and Validate methods (#1532)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 09:06:10 +02:00
Otto Bittner
861bc84f94
cli: only apply upgrades on gcp/azure (#1518)
The constellation-operator currently doesn't support the
necessary operations for AWS, OpenStack and QEMU.
2023-03-24 17:07:14 +01:00
Otto Bittner
bb2b5e1bd1 cli: allow users to only upgrade measurements
In case only measurements are upgraded, a confirmation is required.
Alternatively, the `yes` flag can be used.
2023-03-23 18:08:18 +01:00
Otto Bittner
cac43a1dd0 ci: add e2e-upgrade test
The test is implemented as a go test.
It can be executed as a bazel target.
The general workflow is to set up a cluster,
point the test to the workspace in which to
find the kubeconfig and the constellation config
and specify a target image, k8s and
service version. The test will succeed
if it detects all target versions in the cluster
within the configured timeout.
The CI automates the above steps.
A separate workflow is introduced as there
are multiple input fields to the test.
Adding all of these to the manual e2e test
seemed confusing.

Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2023-03-23 14:57:38 +01:00
Leonard Cohnen
bb009e6166 remove duplicate log in miniconstellation 2023-03-23 14:55:29 +01:00
Paul Meyer
02fc3dc635
measurements: refactor validation option (#1462)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-22 11:47:39 +01:00
Daniel Weiße
5a0234b3f2
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)
* Convert enforceIDKeyDigest setting to enum

* Use MAA fallback in Azure SNP attestation

* Only create MAA provider if MAA fallback is enabled

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 12:46:49 +01:00
Malte Poll
f066416a43 cli: add support for constellation init on OpenStack 2023-03-21 10:51:09 +01:00
Nils Hanke
4f37fe38f9 cli: fix typo 2023-03-20 15:30:35 +01:00
Paul Meyer
658cac046f go: remove redundant if-err check
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Paul Meyer
0036b24266 go: remove unused parameters
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Nils Hanke
822d7823f8 cli: refuse to retry init once gRPC has reached READY one time 2023-03-20 13:33:46 +01:00
Nils Hanke
77d19eb896 cli: add "Connecting" spinner state for "constellation init" 2023-03-20 13:33:46 +01:00
Daniel Weiße
6ea5588bdc
config: add attestation variant (#1413)
* Add attestation type to config (optional for now)

* Get attestation variant from config in CLI

* Set attestation variant for Constellation services in helm deployments

* Remove AzureCVM variable from helm deployments

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-14 11:46:27 +01:00
Thomas Tendyck
64e1f553d1 cli: remove Edition in version command, which contains duplicate info 2023-03-10 11:36:44 +01:00
Malte Poll
bdba9d8ba6
bazel: add build files for go (#1186)
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 15:23:42 +01:00
Daniel Weiße
446b77828b
cli: add missing flag to miniConstellation (#1374)
* Add missing flag to miniConstellation

* Add config merger to miniConstellation

* Soft fail if config can not be merged

* Remove config flattening

* Release spinner stop lock when stopping finished

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Nils Hanke <nils.hanke@outlook.com>
2023-03-08 15:48:36 +01:00
Daniel Weiße
19507677c1
cli: attestation validator debug output (#1262)
* Wrote->Written

* Add Validator info logs to debug output

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-03 16:50:25 +01:00
Malte Poll
8ad04f7dbb
cli: log grpc connection state for init call (#1324)
This is a measure to detect cases where an aTLS handshake is performed but the long-running call is interrupted, leading to a retry of the init call.
Whenever the grpc connection state reaches ready, we know that the aTLS handshake has succeeded:

> READY: The channel has successfully established a connection all the way through TLS handshake (or equivalent) and protocol-level (HTTP/2, etc) handshaking, and all subsequent attempt to communicate have succeeded (or are pending without any known failure).
2023-03-03 09:38:57 +01:00
Otto Bittner
f0db5d0395
cli: restructure upgrade apply (#1319)
Applies the updated NodeVersion object with one request
instead of two. This makes sure that the first request does
not accidentally put the cluster into an "upgrade in progress"
status, which would lead users to having to run apply twice.
2023-03-03 09:38:23 +01:00
Nils Hanke
77a375e837
cli: add --kubernetes flag to iam create (when used with --create-config) (#1326) 2023-03-03 09:04:54 +01:00
Nils Hanke
a34ef8ad29 cli/bootstrapper: remove deprecated master secret & KMS related fields 2023-03-02 15:49:02 +01:00
Daniel Weiße
5eb73706f5
internal: refactor storage credentials (#1071)
* Move storage clients to separate packages

* Allow setting of client credentials for AWS S3

* Use managed identity client secret or default credentials for Azure Blob Storage

* Use credentials file to authorize GCS client

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-02 15:08:31 +01:00
Malte Poll
ab0b881cbf
oid: add alternative string representations for attestation variants (#1322) 2023-03-02 10:48:16 +01:00
Nils Hanke
c9ddc93d55 cli: allow existing config for IAM creation without --generate-config 2023-03-01 13:53:34 +01:00
Malte Poll
fc33a74c78
constants: make VersionInfo readonly (#1316)
The variable VersionInfo is supposed to be set by `go build -X ...` during link time but should not be modified at runtime.
This change ensures the underlying var is private and can only be accessed by a public getter.
2023-03-01 11:55:12 +01:00
Otto Bittner
984f0589d2
cli: upgrade errors for microservice (#1259)
Handle invalid upgrade errors similarly as for images and k8s.
2023-02-28 10:23:09 +01:00
Moritz Sanft
732d15d013
ci: use iam destroy command for resource destruction (#1272)
* replace tf destruction with new command

* move iam destroy cmd

* fix typos

* exit post test on error

* [remove] test failure on iam destroy

* Revert "[remove] test failure on iam destroy"

This reverts commit 99449c0cc0.

* [remove] test failure on terminate

* Revert "[remove] test failure on terminate"

This reverts commit 99c45bbc54.

* gofumpt
2023-02-28 09:52:32 +01:00
Malte Poll
b79f7d0c8c
cli: add basic support for constellation create on OpenStack (#1283)
* image: support OpenStack image build / upload

* cli: add OpenStack terraform template

* config: add OpenStack as CSP

* versionsapi: add OpenStack as CSP

* cli: add OpenStack as provider for `config generate` and `create`

* disk-mapper: add basic support for boot on OpenStack

* debugd: add placeholder for OpenStack

* image: fix config file sourcing for image upload
2023-02-27 18:19:52 +01:00
Nils Hanke
6ae2bc9772 cli: fix force flag debug print in init 2023-02-24 12:11:09 +01:00
miampf
5137e9fa57
cli: iam destroy (#946) 2023-02-24 11:36:41 +01:00
Otto Bittner
d78d22f95a
cli: add config kubernetes-versions subcommand (#1224)
Allows users to learn which k8s versions are supported by the
current CLI.
Extend respective docs section.
2023-02-22 09:52:47 +01:00
leongross
51eef675a2
cli: refer to --force and --config flags (#1205)
* add reference to --config and --force
2023-02-21 16:46:47 +01:00
Otto Bittner
da7a870f54
cli: add --kubernetes flag (#1226)
The flag can be used to specify a Kubernetes version
in format MAJOR.MINOR and let the CLI extend the
value with the patch version.
2023-02-21 14:05:41 +01:00
Moritz Sanft
0ba810240f
ci: integrate automatic iam creation in e2e test (#1158)
* integrate automatic iam creation in e2e test

* fix typo

* break long line comments

* fix semvers

* correct bracing
2023-02-21 12:47:14 +01:00
Paul Meyer
deea806d9c Improve code sequences with multiple errs
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Paul Meyer
12c866bcb9 deps: replace multierr with native errors.Join
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Otto Bittner
87fdb47caa
cli: upgrade apply uses correct measurements key (#1223)
Apply still used the obsolete upgrade key's measurements.
The new, desired behavior is to use the Provider's measurements
key
2023-02-20 10:32:33 +01:00
Daniel Weiße
d90828cb3c
Fix incorrect output for single worker/control-plane clusters (#1209)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-17 08:15:17 +01:00
Fabian Kammel
5e7dc0d7db
Option to disable spinner via environment variable. (#1207)
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2023-02-16 15:43:19 +01:00
Otto Bittner
50646b2a10 cli: refactor upgrade apply cmd to match name
* `upgrade apply` will try to make the locally configured and
actual version in the cluster match by applying necessary
upgrades.
* Skip image or kubernetes upgrades if one is already
in progress.
* Skip downgrades/equal-as-running versions
* Move NodeVersionResourceName constant from operators
to internal as it's needed in the CLI.
2023-02-15 16:44:47 +01:00
Otto Bittner
7db584a88e cli: move upgradeApply logic into separate functions
* introduce handleImageUpgrade & handleServiceUpgrade
* rename cloudUpgrader.Upgrade to UpgradeImage
* remove helm flag
* remove hint about development status
2023-02-15 16:44:47 +01:00
Otto Bittner
91e27ac186 cli: rename upgrade execute to upgrade apply 2023-02-15 16:44:47 +01:00
Moritz Sanft
84359063fc
cli: add missing gcp values to config (#1149)
* improve iam value output

* remove duplicate prints
2023-02-15 14:24:52 +01:00
Otto Bittner
33a884d4e4 cli: prefix "v" to cli version in versionCollector
No new images will be found unless this is set
2023-02-15 13:36:16 +01:00
Otto Bittner
1c977b3105
cli: add missing logger to versionCollector object (#1183)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-02-14 14:46:30 +01:00
Paul Meyer
84a787b538
cli: add name of build type to version cmd output (#1179)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-14 14:30:10 +01:00
Otto Bittner
8a72df89ad
cli: fix init with k8s version without v prefix (#1174) 2023-02-13 11:54:38 +01:00
Moritz Sanft
7410cf8038
cli: fix iam rollback (#1148)
* AB#2897 rename DestroyCluster

* #AB2897 error if terraform dir exists

* AB#2897 reword DestroyResources
2023-02-13 08:42:54 +01:00
Thomas Tendyck
a076587956 cli: adapt "upgrade check" reference to conventions 2023-02-13 08:34:34 +01:00
Daniel Weiße
90ce320bf5
cli: add option to automatically merge kubeconfig file on init (#1136)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-10 14:59:44 +01:00
Daniel Weiße
c29107f5be
init: create kubeconfig file with unique user/cluster name (#1133)
* Generate kubeconfig with unique name

* Move create name flag to config

* Add name validation to config

* Move name flag in e2e tests to config generation

* Remove name flag from create

* Update ascii cinema flow

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-10 13:27:22 +01:00
Moritz Sanft
e01ddc08c2
cli: add debug logging to iam create command (#1127)
* AB#2787 add debug logging to iam create command

* AB#2787 add test logger

* AB#2787 reword log

* separate debug output with empty line

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-02-09 10:37:22 +01:00
Otto Bittner
c275464634 cli: change upgrade-plan to upgrade-check
Upgrade check is used to find updates for the current cluster.
Optionally the found upgrades can be persisted to the config
for consumption by the upgrade-execute cmd.
The old `upgrade execute` in this commit does not work with
the new `upgrade plan`.
The current versions are read from the cluster.
Supported versions are read from the cli and the versionsapi.
Adds a new config field MicroserviceVersion that will be used
by `upgrade execute` to update the service versions.
The field is optional until 2.7
A deprecation warning for the upgrade key is printed during
config validation.
Kubernetes versions now specify the patch version to make it
explicit for users if an upgrade changes the k8s version.
2023-02-08 12:30:01 +01:00
Otto Bittner
f204c24174 cli: add version validation and force flag
Version validation checks that the configured versions
are not more than one minor version below the CLI's version.
The validation can be disabled using --force.
This is necessary for now during development as the CLI
does not have a prerelease version, as our images do.
2023-02-08 12:30:01 +01:00
Moritz Sanft
6166b52f5d
cli: refactor iam create command (#1034)
* AB#2788 refactor iam create

* AB#2788 go mod tidy

* AB#2788 encode b64 at runtime

* AB#2788 rename receiver
2023-02-01 11:32:01 +01:00
Malte Poll
2d326ea3f0
cli: set placeholder uid for QEMU / MiniConstellation (#1069) 2023-01-25 14:42:52 +01:00
Daniel Weiße
690b50b29d
dev-docs: Go package docs (#958)
* Remove unused package

* Add Go package docs to most packages

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2023-01-19 15:57:50 +01:00
Otto Bittner
9a1f52e94e Refactor init/recovery to use kms URI
So far the masterSecret was sent to the initial bootstrapper
on init/recovery. With this commit this information is encoded
in the kmsURI that is sent during init.
For recover, the communication with the recoveryserver is
changed. Before, a streaming gRPC call was used to
exchange UUID for measurementSecret and state disk key.
Now a standard gRPC call is made that includes the same kmsURI &
storageURI that are sent during init.
2023-01-19 13:14:55 +01:00
Otto Bittner
0e71322e2e keyservice: move kms code to internal/kms
Recovery (disk-mapper) and init (bootstrapper)
will have to work with multiple external KMSes
in the future.
2023-01-19 13:14:55 +01:00
Nils Hanke
a3db3c8424
cli: debug: various improvements (#995) 2023-01-18 13:10:24 +01:00
Thomas Tendyck
f0f109a1ea verify: use fixed user data 2023-01-17 16:14:00 +01:00
Moritz Sanft
e844ceb2b1
cli: adopt Cobra cli reference style (#997)
* adapt to Cobra CLI ref style

* linting

* change multi-line reference style

* lowercase short descriptions

* Revert "lowercase short descriptions"

This reverts commit 499dc3577a.

* use 2 newlines on long description and add dots

* mark required flags

* Update cli/internal/cmd/iamcreateaws.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update cli/internal/cmd/upgradeexecute.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update cli/internal/cmd/upgradeexecute.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-17 14:01:56 +01:00
Otto Bittner
90b88e1cf9 kms: rename kms to keyservice
In the light of extending our eKMS support it will be helpful
to have a tighter use of the word "KMS".
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
2023-01-16 11:56:34 +01:00
Moritz Sanft
64ec0408da
cli: automatically add iam values to config (#782)
* AB#2706 Automatically add IAM values to config
2023-01-12 11:35:26 +01:00
Paul Meyer
66f2c446a4 versionsapi: replace shortname pkg
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 10:15:27 +01:00
Otto Bittner
075a0e0ad6 cli: ask user to confirm cert-manager upgrades 2023-01-05 17:19:05 +01:00
Leonard Cohnen
25c3a8a1f3 init: add cluster version to kubernetes components 2023-01-05 14:52:09 +01:00
Paul Meyer
f9458950cb
versionsapi: change image path (#856)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 17:07:16 +01:00
Paul Meyer
35d720e657 cli: deactivate spinner for debug logging
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 12:17:08 +01:00
Paul Meyer
3c24e3fa01 cli: move image package into cli
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 11:39:19 +01:00
Paul Meyer
22f43d32dd versionsapi: use new fetcher in upgrade-plan cmd
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 11:39:19 +01:00
Paul Meyer
f43b653231 versionsapi: backup old API
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 11:39:19 +01:00
Alex Darby
97c72f5f32
cli: add verbose debug logging (#809)
* feat: add debug logging for init command
* feat: add debug logging to recover command
* feat: add debug logging for configfetchmeasurements
* feat: add debug logging for config generate
* feat: added debug logging for miniup command
* feat: add debug logging for upgrade command
* feat: add debug logging for create command
2023-01-04 10:46:29 +01:00
renovate[bot]
806f6b70dd
Update module github.com/talos-systems/talos/pkg/machinery to v1.3.1 (#844)
* Update module github.com/talos-systems/talos/pkg/machinery to v1.3.1
* Rename talos-systems/talos to siderolabs/talos

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-02 13:33:56 +01:00
Otto Bittner
efcd0337b4
Microservice upgrades (#729)
Run with: constellation upgrade execute --helm.
This will only upgrade the helm charts. No config is needed.

Upgrades are implemented via helm's upgrade action, i.e. they
automatically roll back if something goes wrong. Releases could 
still be managed via helm, even after an upgrade with constellation
has been done.

Currently not user facing as CRD/CR backups are still in progress.
These backups should be automatically created and saved to the 
user's disk as updates may delete CRs. This happens implicitly 
through CRD upgrades, which are part of microservice upgrades.
2022-12-19 16:52:15 +01:00
Malte Poll
4a8ebfd921 OS images: use "ref", "stream" and "version"
Switch azure default region to west us
Update find-image script to work with new API spec
Add version for every os image build
generate measurements: Use new API paths
CLI: config fetch measurements: Use image short versions to fetch measurements
CLI: allows shortnames to specify image in config
Image build pipeline: Change paths to contain "ref" and "stream"
2022-12-09 13:37:43 +01:00
Paul Meyer
f23a2fe073 hack: implement new api for add-version script
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-09 13:37:43 +01:00
Moritz Sanft
286803fb97
AB#2579 Add constellation iam create command (#624) 2022-12-07 11:48:54 +01:00
Moritz Sanft
85e7b836a3
AB#2651 Compatibility warning for MiniConstellation (#713) 2022-12-07 10:20:01 +01:00
Paul Meyer
9c9c8e3d46 versionsapi: rename package
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-02 18:49:17 +01:00
Leonard Cohnen
0c71cc77f6 joinservice: use configmap for k8s components 2022-12-02 14:34:38 +01:00
Malte Poll
9537fb73c0 use constants for default CDN paths 2022-11-30 12:35:12 +01:00
Malte Poll
9bccf26ccf move update api 2022-11-30 12:35:12 +01:00
Malte Poll
ebf852b3ba Add image update API and use for "upgrade plan" 2022-11-30 12:35:12 +01:00
Leonard Cohnen
3b6bc3b28f initserver: add client verification 2022-11-28 19:34:02 +01:00
Daniel Weiße
d52f3db2a3
AB#2644 Fetch measurements from CDN (#653)
* Fetch measurements from CDN

* Perform metadata validation on fetched measurements

* Remove deprecated public bucket

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-28 10:27:33 +01:00
Daniel Weiße
1968dfe70c
Add warning about non retriable error during init (#644)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-25 10:02:12 +01:00
Daniel Weiße
67d0424f0e
AB#2639 Add functions to fetch k8s and helm version of Constellation (#637)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-24 16:39:33 +01:00
Daniel Weiße
f8001efbc0
Refactor enforced/expected PCRs (#553)
* Merge enforced and expected measurements

* Update measurement generation to new format

* Write expected measurements hex encoded by default

* Allow hex or base64 encoded expected measurements

* Allow hex or base64 encoded clusterID

* Allow security upgrades to warnOnly flag

* Upload signed measurements in JSON format

* Fetch measurements either from JSON or YAML

* Use yaml.v3 instead of yaml.v2

* Error on invalid enforced selection

* Add placeholder measurements to config

* Update e2e test to new measurement format

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-24 10:57:58 +01:00
Malte Poll
575b6e93f6 CLI: use global image version field
- Restructure config by removing CSP-specific image references
- Add global image field
- Download image lookup table on create
- Download QEMU image on QEMU create
2022-11-23 15:47:46 +01:00
Leonard Cohnen
1e98b686b6 kubernetes: verify Kubernetes components 2022-11-23 10:48:03 +01:00
Otto Bittner
6b2d9d16f8 Remove obsolete revive comments 2022-11-23 08:35:12 +01:00
Otto Bittner
1362e40f53
Suppress argument-limit errors and add TODO. (#603) 2022-11-21 17:31:01 +01:00
Daniel Weiße
1f9b6ba90f
Add debug logging for verify command (#610)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-21 17:02:33 +01:00
Malte Poll
74aabe86fa Move PCR[8] -> PCR[12] 2022-11-18 10:37:45 +01:00
Daniel Weiße
b966f57a2f
AB#2554 GCP CSI driver deployment (#532)
* Allow enabling/disabling of CSI driver through config

* Fix inconsistent namespace parsing

* Deploy GCP CSI driver on init

* Update invalid pod tolerations

* Add generate script for CSI charts

* Update generateCilium script

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-18 10:05:02 +01:00
Fabian Kammel
feae4a86bc
reserve enough time for stable tests (#564)
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-17 17:30:35 +01:00
Nils Hanke
6e5895f200 User-friendlier errors 2022-11-17 13:49:34 +01:00
Nils Hanke
4a2cba988c Create separate Terraform workspace directory 2022-11-17 13:49:34 +01:00
Fabian Kammel
bb76a4e4c8
AB#2512 Config secrets via env var & config refactoring (#544)
* refactor measurements to use consistent types and less byte pushing
* refactor: only rely on a single multierr dependency
* extend config creation with envar support
* document changes
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-15 15:40:49 +01:00
Daniel Weiße
a07cab4b97
Update go-tpm dependency (#533)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-14 09:02:56 +01:00
Nils Hanke
db27a6a0dd Increase timeout for fetch-measurements 2022-11-11 11:38:50 +01:00
Fabian Kammel
b92b3772ca
Remove access manager (#470)
* remove access manager from code base
* document new node ssh workflow
* keep config backwards compatible
* slow down link checking to prevent http 429
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-11 08:44:36 +01:00
Nils Hanke
d41174659b Print "Initializing cluster..." on stderr 2022-11-10 17:51:14 +01:00
Nils Hanke
bc584d61fa Switch spinner TTY detection to stderr 2022-11-10 17:51:14 +01:00
Fabian Kammel
81a5907f26
consistently use stdout and stderr (#502)
* consistently use stdout and stderr
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-10 10:27:24 +01:00
Fabian Kammel
0d12e37c96
Document exported funcs,types,interfaces and enable check. (#475)
* Include EXC0014 and fix issues.
* Include EXC0012 and fix issues.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2022-11-09 15:57:54 +01:00
Daniel Weiße
c9873f2bfb
AB#2523 Refactor GCP metadata/cloud API (#387)
* Refactor GCP metadata/cloud API

* Remove cloud controller manager from metadata package

* Remove PublicIP

* Move shared cloud packages

* Remove dead code

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-09 14:43:48 +01:00
Daniel Weiße
011f9c597d
Bring in changes from release branch (#479)
* Bump version to v2.2.0

* Update changelog

* Fix release detection in pipeline

* Fix PKI selection in pipeline

* Set enforced measurements for AWS

* Update default images

* Fix release docs

* Update mini-con defaults

* Fix measurements action

* Fix syft env variable naming

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-08 18:32:59 +01:00
3u13r
309a4b5196
cli: remove debug env check for AWS (#460) 2022-11-04 15:31:51 +01:00
Fabian Kammel
04d0c770af
limit aws cluster name len (#454)
* limit aws cluster name len down to 10, 32-character name limit in AWS
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-04 13:35:32 +01:00
Nils Hanke
19fd3a351a Make azureCVMRxp in upgradeplan.go case-insensitive 2022-11-04 12:57:24 +01:00
Nils Hanke
4d9fbdb3d3 CI: Use lowercase image name for fetching measurements 2022-11-04 12:57:24 +01:00
Leonard Cohnen
cc38506ffa cli: AWS does not use a service account 2022-11-02 23:29:04 +01:00
Leonard Cohnen
015b12d8ff attestation: use AWS attestation 2022-11-02 23:29:04 +01:00
Nils Hanke
8d097424a1 Remove separate function for yesFlag in terminate 2022-11-02 18:18:30 +01:00
Nils Hanke
ad871d1993 Prompt before termination 2022-11-02 18:18:30 +01:00
Nils Hanke
c922136cd4 Fix typos 2022-11-02 18:18:30 +01:00
Otto Bittner
30bdbd9b85
Add helm unittests (#380) 2022-10-31 19:25:02 +01:00
Daniel Weiße
79f52e67cb
Update go-tpm-tools to fix AWS PCR selection (#390)
* Update go-tpm-tools to fix AWS PCR selection

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Ignore leaking glog go routine

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-28 17:57:24 +02:00
Paul Meyer
86906ac536 Use atomic.Bool, added in Go 1.19
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-28 16:06:53 +02:00
Otto Bittner
091e3b2b2b AB#2538: deploy CCM via Helm
Also move helmloader interface/stubs
2022-10-27 18:12:47 +02:00
Daniel Weiße
e66cb84d6e
AB#2532 Don't clean up workspace if rollback fails (#360)
* Don't clean up workspace if rollback fails

* Remove dependency on CSP from terminate

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-26 15:57:00 +02:00
Paul Meyer
c05b22f1dc
Remove dead code (#373)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-10-26 10:29:28 +02:00
Malte Poll
2d121d9243
Replace interface{} -> any (#370) 2022-10-25 15:51:23 +02:00
Otto Bittner
c2814aeddb
AB#2504: Deploy join-service via helm (#358) 2022-10-24 12:23:18 +02:00
Daniel Weiße
c82d5ccba9
Hide cursor and fix dots (#217)
* Hide cursor and fix dots spinner

* Allow restarting of spinner

* Don't spin on non TTY output

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-21 14:26:42 +02:00
Nils Hanke
04c4cff9f6
AB#2436: Initial support for create/terminate AWS NitroTPM instances
* Add .DS_Store to .gitignore

* Add AWS to config / supported instance types

* Move AWS terraform skeleton to cli/internal/terraform

* Move currently unused IAM to hack/terraform/aws

* Print supported AWS instance types when AWS dev flag is set

* Block everything aTLS related (e.g. init, verify) until AWS attestation is available

* Create/Terminate AWS dev cluster when dev flag is set

* Restrict Nitro instances to NitroTPM supported specifically

* Pin zone for subnets

This is not great for HA, but for now we need to avoid the two subnets
ending up in different zones, causing the load balancer to not be able
to connect to the targets.

Should be replaced later with a better implementation that just uses
multiple subnets within the same region dynamically
based on # of nodes or similar.

* Add AWS/GCP to Terraform TestLoader unit test

* Add uid tag and create log group

Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2022-10-21 12:24:18 +02:00
Otto Bittner
07f02a442c
Refactor Helm deployments (#341)
* Wrap KMS deployment in one main chart that
deploys all other services. Other services will follow.
* Use .tgz via helm-package as serialization format
* Change Release type to carry chart as byte slice
* Remove KMSConfig
* Use json-schema to validate values
* Extend release.md to mention updating helm charts
2022-10-21 12:01:28 +02:00
Malte Poll
743f5fa627 Remove all traces of CoreOS from the codebase 2022-10-21 11:04:25 +02:00
Malte Poll
3b6ee703f5 Move PCR indices for owner ID and cluster ID 2022-10-21 11:04:25 +02:00
Daniel Weiße
085f7b1a2a Prompt user for confirmation before overwriting config
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-20 15:35:31 +02:00
github-actions[bot]
74c3c93dec
Update CLI reference (#248)
Co-authored-by: katexochen <49727155+katexochen@users.noreply.github.com>
2022-10-14 10:48:20 +02:00
katexochen
1556e239ca Remove state file 2022-10-13 15:29:29 +02:00
katexochen
0d1fd8fb2a Remove Azure client from CLI 2022-10-13 15:29:29 +02:00
Fabian Kammel
57b8efd1ec
Improve measurements verification with Rekor (#206)
Fetched measurements are now verified using Rekor in addition to a signature check.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-10-11 13:57:52 +02:00
katexochen
10004875f4 Add spinner interrupt for rollback 2022-10-10 13:43:15 +02:00
Daniel Weiße
0edae36e43
AB#2426 Mini Constellation (#198)
* Mini Constellation commands to quickly deploy a local Constellation cluster

* Download libvirt container image if not present locally

* Fix libvirt KVM permission issues by creating kvm group using host GID inside container

* Remove QEMU specific values from state file

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Nils Hanke <nils.hanke@outlook.com>
2022-10-07 09:38:43 +02:00