Commit Graph

604 Commits

Author SHA1 Message Date
3u13r
cf9970c051
terraform: allow for multiple instance groups (#1471) 2023-03-21 22:56:03 +01:00
renovate[bot]
02a389e8c0
deps: update Terraform openstack to v1.51.1 (#1424)
* deps: update Terraform openstack to v1.51.1
* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-03-21 13:36:49 +01:00
Daniel Weiße
5a0234b3f2
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)
* Convert enforceIDKeyDigest setting to enum

* Use MAA fallback in Azure SNP attestation

* Only create MAA provider if MAA fallback is enabled

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 12:46:49 +01:00
Malte Poll
8559a1ef8b helm: deploy node operator on OpenStack 2023-03-21 10:51:09 +01:00
Malte Poll
7d4ab07163 helm: add tests for AWS and OpenStack 2023-03-21 10:51:09 +01:00
Malte Poll
e5124d1a97 helm: add OpenStack charts 2023-03-21 10:51:09 +01:00
Malte Poll
f066416a43 cli: add support for constellation init on OpenStack 2023-03-21 10:51:09 +01:00
Paul Meyer
f638812143
terraform: unique Azure attestation provider name (#1472)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-21 10:41:48 +01:00
Otto Bittner
5a82c3cef2
cli: add attestationVariant migration (#1467)
Temporarily add the attestationVariant key to the service
values during upgrade. Normally this should not be
modified during upgrade. However, since the field is introduced
in v2.7, we need to add the field manually.
2023-03-21 10:04:48 +01:00
Malte Poll
44db16b42e
cli: give Azure uami all perms previously given to app registration (#1334)
This is the first step for deprecating app registrations on Azure.
The user-assigned managed identity (uami) should first gain all permissions that are currently held by the app registration.

* cli: give Azure uami all permissions previously given to app registratio
* docs: document required owner role for user-assigned managed identity on Azure
2023-03-21 10:00:13 +01:00
Paul Meyer
05f6d1dc65
terraform: valid Azure attestation provider name (#1465)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 17:53:00 +01:00
Otto Bittner
1b12147d83
cli: minor restructuring for loading helm charts (#1441)
Use one loadRelease function instead of one function for each
release.
2023-03-20 17:05:58 +01:00
Nils Hanke
4f37fe38f9 cli: fix typo 2023-03-20 15:30:35 +01:00
Paul Meyer
a474739ab6 go: remove unused parameters
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 10:03:52 -04:00
Otto Bittner
9e13b0f917
cli: only create resource backups if upgrade is executed (#1437)
Previously backups were created even if no service upgrades were
executed. To allow this some things are restructured:
* new chartInfo type that holds release name, path and chart name
* upgrade execution and version validity are checked separately
2023-03-20 14:49:04 +01:00
Paul Meyer
658cac046f go: remove redundant if-err check
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Paul Meyer
0036b24266 go: remove unused parameters
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Nils Hanke
822d7823f8 cli: refuse to retry init once gRPC has reached READY one time 2023-03-20 13:33:46 +01:00
Nils Hanke
77d19eb896 cli: add "Connecting" spinner state for "constellation init" 2023-03-20 13:33:46 +01:00
Moritz Sanft
f2ce9518a3
cli: support custom attestation policies for maa (#1375)
* create and update maa attestation policy

* use interface to allow unit testing

* fix test csp

* http request for policy patch

* go mod tidy

* remove hyphen

* go mod tidy

* wip: adapt to feedback

* linting fixes

* remove csp from tf call

* fix type assertion

* Add MAA URL to instance tags (#1409)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* conditionally create maa provider

* only set instance tag when maa is created

* fix azure unit test

* bazel tidy

* remove AzureCVM const

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* encode policy at runtime

* remove policy arg

* fix unit test

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-03-20 13:33:04 +01:00
Thomas Tendyck
43fbb06426 cli: remove ctx parameter from rollbackOnError to prevent wrong use 2023-03-20 08:49:46 +01:00
renovate[bot]
4d618a4b99
deps: update fedora:37 Docker digest (#1448)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-17 18:47:36 +01:00
renovate[bot]
b03ead589f
deps: update Terraform azuread to v2.36.0 (#1421)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 14:30:17 +01:00
renovate[bot]
03d2232321
deps: update Terraform google-beta to v4.57.0 (#1423)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 13:45:43 +01:00
renovate[bot]
f8f3f00595
deps: update Terraform azurerm to v3.47.0 (#1422)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 13:45:08 +01:00
renovate[bot]
95d6618b9d
deps: update Terraform google to v4.57.0 (#1420)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 12:06:53 +01:00
renovate[bot]
0db034db5b
deps: update Terraform aws to v4.58.0 (#1419)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-16 11:43:52 +01:00
Daniel Weiße
6ea5588bdc
config: add attestation variant (#1413)
* Add attestation type to config (optional for now)

* Get attestation variant from config in CLI

* Set attestation variant for Constellation services in helm deployments

* Remove AzureCVM variable from helm deployments

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-14 11:46:27 +01:00
Thomas Tendyck
64e1f553d1 cli: remove Edition in version command, which contains duplicate info 2023-03-10 11:36:44 +01:00
Malte Poll
bdba9d8ba6
bazel: add build files for go (#1186)
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 15:23:42 +01:00
Daniel Weiße
446b77828b
cli: add missing flag to miniConstellation (#1374)
* Add missing flag to miniConstellation

* Add config merger to miniConstellation

* Soft fail if config can not be merged

* Remove config flattening

* Release spinner stop lock when stopping finished

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Nils Hanke <nils.hanke@outlook.com>
2023-03-08 15:48:36 +01:00
Paul Meyer
630016d1b3 openstack: use password to authenticate in cluster
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 09:04:57 -05:00
Paul Meyer
64fc43f276
use any instead of interface{} (#1354)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 10:31:20 +01:00
Daniel Weiße
19507677c1
cli: attestation validator debug output (#1262)
* Wrote->Written

* Add Validator info logs to debug output

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-03 16:50:25 +01:00
Malte Poll
cda2669d40
cli: upgrade libtpms in libvirt container (#1338) 2023-03-03 15:07:27 +01:00
Otto Bittner
b94d23a3e8 cli: create backups before upgrading microservices 2023-03-03 15:02:22 +01:00
Otto Bittner
3cef9ee74d cli: add doc comments for helm 2023-03-03 15:02:22 +01:00
Malte Poll
8aa42e30ad
cli: set OpenStack service account credentials (#1328) 2023-03-03 10:10:36 +01:00
Malte Poll
8ad04f7dbb
cli: log grpc connection state for init call (#1324)
This is a measure to detect cases where an aTLS handshake is performed but the long running call is interrupted, leading to a retry of the init call.
Whenever the grpc connection state reaches ready, we know that the aTLS handshake has succeeded:

> READY: The channel has successfully established a connection all the way through TLS handshake (or equivalent) and protocol-level (HTTP/2, etc) handshaking, and all subsequent attempt to communicate have succeeded (or are pending without any known failure).
2023-03-03 09:38:57 +01:00
Otto Bittner
f0db5d0395
cli: restructure upgrade apply (#1319)
Applies the updated NodeVersion object with one request
instead of two. This makes sure that the first request does
not accidentially put the cluster into a "updgrade in progress"
status. Which would lead users to having to run apply twice.
2023-03-03 09:38:23 +01:00
Nils Hanke
77a375e837
cli: add --kubernetes flag to iam create (when used with --create-config) (#1326) 2023-03-03 09:04:54 +01:00
Nils Hanke
a34ef8ad29 cli/bootstrapper: remove deprecated master secret & KMS related fields 2023-03-02 15:49:02 +01:00
Daniel Weiße
5eb73706f5
internal: refactor storage credentials (#1071)
* Move storage clients to separate packages

* Allow setting of client credentials for AWS S3

* Use managed identity client secret or default credentials for Azure Blob Storage

* Use credentials file to authorize GCS client

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-02 15:08:31 +01:00
Malte Poll
ab0b881cbf
oid: add alternative string representations for attestation variants (#1322) 2023-03-02 10:48:16 +01:00
Nils Hanke
c9ddc93d55 cli: allow existing config for IAM creation without --generate-config 2023-03-01 13:53:34 +01:00
Malte Poll
fc33a74c78
constants: make VersionInfo readonly (#1316)
The variable VersionInfo is supposed to be set by `go build -X ...` during link time but should not be modified at runtime.
This change ensures the underlying var is private and can only be accessed by a public getter.
2023-03-01 11:55:12 +01:00
Malte Poll
4e202fa483
cli: set constellation uid and role as instance metadata of OpenStack instances (#1311) 2023-03-01 08:48:17 +01:00
Otto Bittner
984f0589d2
cli: upgrade errors for microservice (#1259)
Handle invalid upgrade errors similarly as for images and k8s.
2023-02-28 10:23:09 +01:00
Moritz Sanft
732d15d013
ci: use iam destroy command for resource destruction (#1272)
* replace tf destruction with new command

* move iam destroy cmd

* fix typos

* exit post test on error

* [remove] test failure on iam destroy

* Revert "[remove] test failure on iam destroy"

This reverts commit 99449c0cc0.

* [remove] test failure on terminate

* Revert "[remove] test failure on terminate"

This reverts commit 99c45bbc54.

* gofumpt
2023-02-28 09:52:32 +01:00
Malte Poll
b79f7d0c8c
cli: add basic support for constellation create on OpenStack (#1283)
* image: support OpenStack image build / upload

* cli: add OpenStack terraform template

* config: add OpenStack as CSP

* versionsapi: add OpenStack as CSP

* cli: add OpenStack as provider for `config generate` and `create`

* disk-mapper: add basic support for boot on OpenStack

* debugd: add placeholder for OpenStack

* image: fix config file sourcing for image upload
2023-02-27 18:19:52 +01:00
Otto Bittner
08ee56911b cli: overwrite chart versions during install/upgrade
* As charts receive information like the container image from
the cli it makes sense to also version the charts based on the cli
version.
* The pseudoversion is recalculated when running cmake.
* When merging changes from release branch to main,
a new commit is introduced to set the PROJECT_VERSION back
to 0.0.0, so that builds include a pseudoversion.
2023-02-27 16:06:35 +01:00
renovate[bot]
83bea18a4f
deps: update fedora:37 Docker digest (#1274)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-24 17:46:17 +01:00
renovate[bot]
66022fa441
deps: update Terraform aws to v4.55.0 (#1195)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-24 17:27:11 +01:00
Nils Hanke
6ae2bc9772 cli: fix force flag debug print in init 2023-02-24 12:11:09 +01:00
miampf
5137e9fa57
cli: iam destroy (#946) 2023-02-24 11:36:41 +01:00
Otto Bittner
c4fd70684f
Revert "deps: update Terraform azurerm to v3.44.1 (#1197)" (#1255)
This reverts commit 253f833f6c.
2023-02-22 11:16:05 +01:00
Otto Bittner
d78d22f95a
cli: add config kubernetes-versions subcommand (#1224)
Allows users to learn which k8s versions are supported by the
current CLI.
Extend respective docs section.
2023-02-22 09:52:47 +01:00
3u13r
ce09b9dae5
iam: assign uami role to base resource group (#1247)
* iam: assign uami role to base resource group

* fixup: also change app registration
2023-02-22 09:29:24 +01:00
leongross
51eef675a2
cli: refer to --force and --config flags (#1205)
* add reference to --config and --force
2023-02-21 16:46:47 +01:00
Otto Bittner
da7a870f54
cli: add --kubernetes flag (#1226)
The flag can be used to specify a Kubernetes version
in format MAJOR.MINOR and let the CLI extend the
value with the patch version.
2023-02-21 14:05:41 +01:00
renovate[bot]
477d667360
deps: update Terraform azuread to v2.34.1 (#1196)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 13:53:18 +01:00
Moritz Sanft
0ba810240f
ci: integrate automatic iam creation in e2e test (#1158)
* integrate automatic iam creation in e2e test

* fix typo

* break long line comments

* fix semvers

* correct bracing
2023-02-21 12:47:14 +01:00
renovate[bot]
253f833f6c
deps: update Terraform azurerm to v3.44.1 (#1197)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 10:41:04 +01:00
renovate[bot]
3a1e75837f
deps: update Terraform google-beta to v4.53.1 (#1199)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 09:22:16 +01:00
renovate[bot]
9a5a7d6852
deps: update Terraform google to v4.53.1 (#1198)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-21 09:21:12 +01:00
Paul Meyer
deea806d9c Improve code sequences with multiple errs
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Paul Meyer
12c866bcb9 deps: replace multierr with native errors.Join
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-20 12:08:24 -05:00
Otto Bittner
87fdb47caa
cli: upgrade apply uses correct measurements key (#1223)
Apply still used the obsolete upgrade key's measurements.
The new, desired behavior is to use the Provider's measurements
key
2023-02-20 10:32:33 +01:00
Daniel Weiße
d90828cb3c
Fix incorrect output for single worker/control-plane clusters (#1209)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-17 08:15:17 +01:00
Fabian Kammel
5e7dc0d7db
Option to disable spinner via environment variable. (#1207)
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2023-02-16 15:43:19 +01:00
Otto Bittner
50646b2a10 cli: refactor upgrade apply cmd to match name
* `upgrade apply` will try to make the locally configured and
actual version in the cluster match by appling necessary
upgrades.
* Skip image or kubernetes upgrades if one is already
in progress.
* Skip downgrades/equal-as-running versions
* Move NodeVersionResourceName constant from operators
to internal as its needed in the CLI.
2023-02-15 16:44:47 +01:00
Otto Bittner
7db584a88e cli: move upgradeApply logic into separate functions
* introduce handleImageUpgrade & handleServiceUpgrade
* rename cloudUpgrader.Upgrade to UpgradeImage
* remove helm flag
* remove hint about development status
2023-02-15 16:44:47 +01:00
Otto Bittner
91e27ac186 cli: rename upgrade execute to upgrade apply 2023-02-15 16:44:47 +01:00
Moritz Sanft
84359063fc
cli: add missing gcp values to config (#1149)
* improve iam value output

* remove duplicate prints
2023-02-15 14:24:52 +01:00
Otto Bittner
33a884d4e4 cli: prefix "v" to cli version in versionCollector
No new images will be found unless this is set
2023-02-15 13:36:16 +01:00
renovate[bot]
1732795345
deps: update fedora:37 Docker digest (#1192)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-02-15 13:28:53 +01:00
Otto Bittner
7454b69f13 cli: helm: prepare values for upgrade correctly
Previously the chart's values were not set, relying on the
values that are already present in the cluster and reusing
those. This does not work as e.g. the image values
are only set while loading the charts. Also, the templates
are not rendered correctly without all values set.
2023-02-15 11:41:54 +01:00
Otto Bittner
4855b20093 cli: helm: move csp into ChartLoader object 2023-02-15 11:41:54 +01:00
Otto Bittner
1728633646 cli: helm: separate user input from static loading
Because values in the charts might change in the future and
some values (like the image) are part of a valid upgrade we
need to load all values for an upgrade.
However, during upgrades we don't want to reapply user
input like the masterSecret. Therefore this patch splits the
application of user input and the static loading of chart values.
2023-02-15 11:41:54 +01:00
Otto Bittner
1c977b3105
cli: add missing logger to versionCollector object (#1183)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-02-14 14:46:30 +01:00
Paul Meyer
84a787b538
cli: add name of build type to version cmd output (#1179)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-02-14 14:30:10 +01:00
Otto Bittner
8a72df89ad
cli: fix init with k8s version without v prefix (#1174) 2023-02-13 11:54:38 +01:00
Moritz Sanft
7410cf8038
cli: fix iam rollback (#1148)
* AB#2897 rename DestroyCluster

* #AB2897 error if terraform dir exists

* AB#2897 reword DestroyResources
2023-02-13 08:42:54 +01:00
Thomas Tendyck
a076587956 cli: adapt "upgrade check" reference to conventions 2023-02-13 08:34:34 +01:00
Daniel Weiße
90ce320bf5
cli: add option to automatically merge kubeconfig file on init (#1136)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-10 14:59:44 +01:00
Daniel Weiße
c29107f5be
init: create kubeconfig file with unique user/cluster name (#1133)
* Generate kubeconfig with unique name

* Move create name flag to config

* Add name validation to config

* Move name flag in e2e tests to config generation

* Remove name flag from create

* Update ascii cinema flow

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-10 13:27:22 +01:00
Moritz Sanft
e01ddc08c2
cli: add debug logging to iam create command (#1127)
* AB#2787 add debug logging to iam create command

* AB#2787 add test logger

* AB#2787 reword log

* separate debug output with empty line

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-02-09 10:37:22 +01:00
Otto Bittner
c275464634 cli: change upgrade-plan to upgrade-check
Upgrade check is used to find updates for the current cluster.
Optionally the found upgrades can be persisted to the config
for consumption by the upgrade-execute cmd.
The old `upgrade execute` in this commit does not work with
the new `upgrade plan`.
The current versions are read from the cluster.
Supported versions are read from the cli and the versionsapi.
Adds a new config field MicroserviceVersion that will be used
by `upgrade execute` to update the service versions.
The field is optional until 2.7
A deprecation warning for the upgrade key is printed during
config validation.
Kubernetes versions now specify the patch version to make it
explicit for users if an upgrade changes the k8s version.
2023-02-08 12:30:01 +01:00
Otto Bittner
f204c24174 cli: add version validation and force flag
Version validation checks that the configured versions
are not more than one minor version below the CLI's version.
The validation can be disabled using --force.
This is necessary for now during development as the CLI
does not have a prerelease version, as our images do.
2023-02-08 12:30:01 +01:00
Nils Hanke
0331e2dc78 cli: enable jumbo frames for GCP VPCs 2023-02-06 11:07:45 +01:00
Daniel Weiße
f74f589605
ci: add containerized libvirt build workflow (#1130)
* Add libvirt container build workflow

* Update release workflow

* Update image libvirt base image

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-02 14:40:05 +01:00
Moritz Sanft
6166b52f5d
cli: refactor iam create command (#1034)
* AB#2788 refactor iam create

* AB#2788 go mod tidy

* AB#2788 encode b64 at runtime

* AB#2788 rename receiver
2023-02-01 11:32:01 +01:00
Otto Bittner
3038b374da cli: update helm chart render expectations
testdata is now expecting the charts to render for ko images.
2023-01-31 11:36:49 +01:00
Otto Bittner
9fc88797d1 cli: use /manager as binary path
The change to /ko-app/v2 is incorrect as we are
currently not building ko images for this operator.
2023-01-31 10:35:26 +01:00
leongross
2187aa6cb0
ci: reproducible builds integration (#1108)
* remove `-ko` suffix from workflows
* integrate into `release.yaml`
* adjust helm charts to use hard coded `ko` binary path
2023-01-30 16:58:49 +01:00
renovate[bot]
a85ba96ac4
deps: update Terraform azurerm to v3.41.0 (#1097)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:33:32 +01:00
renovate[bot]
38e9ab8254
deps: update Terraform aws to v4.52.0 (#1096)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:14:17 +01:00
renovate[bot]
b47a2f81a2
deps: update Terraform google to v4.50.0 (#1098)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-27 16:13:44 +01:00
3u13r
6ea6e42519
terraform: make control-planes stateful on gcp (#1087)
* terraform: make control-planes stateful on gcp

* terraform: lock google-beta provider
2023-01-27 12:59:25 +01:00
Malte Poll
2d326ea3f0
cli: set placeholder uid for QEMU / MiniConstellation (#1069) 2023-01-25 14:42:52 +01:00
3u13r
e6ac8e2a91
config: fix digest naming (#1064)
* config: fix digest naming
2023-01-24 22:20:10 +01:00
github-actions[bot]
9567cc09ce
release: bring back changes from v2.5.0 (#1061)
* deps: update version to v2.5.0

* attestation: hardcode measurements for v2.5.0

* bump operator versions

Co-authored-by: release[bot] <release[bot]@users.noreply.github.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-01-24 11:35:26 +01:00
3u13r
03154c6e64
docs: document terraform support (#1037) 2023-01-23 10:37:28 +01:00
Moritz Sanft
2f2e793810
AB#2834 add go package doc to iamid (#1054) 2023-01-23 08:53:25 +01:00
Moritz Sanft
b8648261e3
cli: fix Terraform resource group dependencies (#1048) 2023-01-20 18:59:59 +01:00
Paul Meyer
a8cbfd848f
keyservice: use dash in container name (#1016)
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-01-20 18:51:06 +01:00
renovate[bot]
d4722b434e
Update Terraform aws to v4.50.0 (#1015)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-19 17:09:01 +01:00
Daniel Weiße
690b50b29d
dev-docs: Go package docs (#958)
* Remove unused package

* Add Go package docs to most packages

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2023-01-19 15:57:50 +01:00
Otto Bittner
9a1f52e94e Refactor init/recovery to use kms URI
So far the masterSecret was sent to the initial bootstrapper
on init/recovery. With this commit this information is encoded
in the kmsURI that is sent during init.
For recover, the communication with the recoveryserver is
changed. Before a streaming gRPC call was used to
exchanges UUID for measurementSecret and state disk key.
Now a standard gRPC is made that includes the same kmsURI &
storageURI that are sent during init.
2023-01-19 13:14:55 +01:00
Otto Bittner
0e71322e2e keyservice: move kms code to internal/kms
Recovery (disk-mapper) and init (bootstrapper)
will have to work with multiple external KMSes
in the future.
2023-01-19 13:14:55 +01:00
Moritz Sanft
ae2db08f3a
ci: add e2e test for constellation recover (#845)
* AB#2256 Add recover e2e test

* AB#2256 move test & fix minor objections

* AB#2256 fix path

* AB#2256 rename hacky filename
2023-01-19 10:41:07 +01:00
3u13r
632090c21b
azure: allow a set of idkeydigest values (#991) 2023-01-18 16:49:55 +01:00
Nils Hanke
a3db3c8424
cli: debug: various improvements (#995) 2023-01-18 13:10:24 +01:00
Thomas Tendyck
f0f109a1ea verify: use fixed user data 2023-01-17 16:14:00 +01:00
renovate[bot]
4577a5886f
Update Terraform google to v4.48.0 (#929)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-17 16:01:02 +01:00
Moritz Sanft
e844ceb2b1
cli: adopt Cobra cli reference style (#997)
* adapt to Cobra CLI ref style

* linting

* change multi-line reference style

* lowercase short descriptions

* Revert "lowercase short descriptions"

This reverts commit 499dc3577a.

* use 2 newlines on long description and add dots

* mark required flags

* Update cli/internal/cmd/iamcreateaws.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update cli/internal/cmd/upgradeexecute.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update cli/internal/cmd/upgradeexecute.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-17 14:01:56 +01:00
Malte Poll
7902dc470f
cli: use non-authoritative methods to manage iam policy memberships (#989)
- google_project_iam_binding -> google_project_iam_member
2023-01-16 18:08:57 +01:00
Otto Bittner
90b88e1cf9 kms: rename kms to keyservice
In the light of extending our eKMS support it will be helpful
to have a tighter use of the word "KMS".
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
2023-01-16 11:56:34 +01:00
Malte Poll
7bf7286242
cli: include search paths for image info json in error message printed to user (#963) 2023-01-13 10:15:49 +01:00
Nils Hanke
b3c3c2fa8c
qemu: remove registry_auth for Docker Terraform module (#957) 2023-01-12 15:47:50 +01:00
Moritz Sanft
64ec0408da
cli: automatically add iam values to config (#782)
* AB#2706 Automatically add IAM values to config
2023-01-12 11:35:26 +01:00
Fabian Kammel
82a0fcbb9d
upgrade: fix broken reference from constellation-os to constellation-version (#939)
* update constellation-os to constellation-version references
* update nodeimage to nodeversion in CRD type name
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-01-11 16:07:07 +01:00
release[bot]
e8fad4b7f9 Update version to v2.4.0 2023-01-11 11:10:44 +01:00
Leonard Cohnen
2700d5182b operator: reconcile kubernetesClusterVersion 2023-01-09 12:16:54 +01:00
Paul Meyer
fa85150f3e hack: move terraform readmes into cli
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-09 11:49:00 +01:00
renovate[bot]
3d6b11e7cb
Update Terraform azurerm to v3.38.0 (#895)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 16:28:04 +01:00
renovate[bot]
19b3d68c8a
Update Terraform aws to v4.49.0 (#894)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 16:27:40 +01:00
renovate[bot]
ab626ca311
Update Terraform docker to v2.25.0 (#880)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 15:18:38 +01:00
Paul Meyer
66f2c446a4 versionsapi: replace shortname pkg
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-06 10:15:27 +01:00
Otto Bittner
075a0e0ad6 cli: ask user to confirm cert-manager upgrades 2023-01-05 17:19:05 +01:00
Otto Bittner
e7c7e35f51 cli: create backups for CRDs and their resources
These backups could be used in case an upgrade
misbehaves after helm declared it as successful.
The manual backups are required as helm-rollback
won't touch custom resources and changes to CRDs
delete resources of the old version.
2023-01-05 16:52:06 +01:00
Leonard Cohnen
620436626b operator: add cluster version to nodeversion 2023-01-05 14:52:09 +01:00
Leonard Cohnen
9bfe2a81ed cli: fix nodeversion crd name 2023-01-05 14:52:09 +01:00
Leonard Cohnen
25c3a8a1f3 init: add cluster version to kubernetes components 2023-01-05 14:52:09 +01:00
Paul Meyer
f9458950cb
versionsapi: change image path (#856)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 17:07:16 +01:00
Paul Meyer
35d720e657 cli: deactivate spinner for debug logging
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 12:17:08 +01:00
Paul Meyer
3c24e3fa01 cli: move image package into cli
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 11:39:19 +01:00
Paul Meyer
22f43d32dd versionsapi: use new fetcher in upgrade-plan cmd
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 11:39:19 +01:00
Paul Meyer
f43b653231 versionsapi: backup old API
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-04 11:39:19 +01:00
Alex Darby
97c72f5f32
cli: add verbose debug logging (#809)
* feat: add debug logging for init command
* feat: add debug logging to recover command
* feat: add debug logging for configfetchmeasurements
* feat: add debug logging for config generate
* feat: added debug logging for miniup command
* feat: add debug logging for upgrade command
* feat: add debug logging for create command
2023-01-04 10:46:29 +01:00
renovate[bot]
7c017e2b67
Update Terraform azurerm to v3.37.0 (#849)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-03 14:47:44 +01:00
3u13r
f14af0c3eb
upgrade: support Kubernetes components (#839)
* upgrade: add Kubernetes components to NodeVersion

* update rfc
2023-01-03 12:09:53 +01:00
renovate[bot]
806f6b70dd
Update module github.com/talos-systems/talos/pkg/machinery to v1.3.1 (#844)
* Update module github.com/talos-systems/talos/pkg/machinery to v1.3.1
* Rename talos-systems/talos to siderolabs/talos

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-02 13:33:56 +01:00
renovate[bot]
d88f144806
Update Terraform libvirt to v0.7.1 (#830)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-30 14:24:54 +01:00
renovate[bot]
cbc34b73ec
Update Terraform google to v4.47.0 (#843)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-30 14:04:00 +01:00
renovate[bot]
320c24e778
Update Terraform aws to v4.48.0 (#842)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-30 14:02:44 +01:00
3u13r
473e16feb2
image: add upgrade-agent (#827) 2022-12-29 17:50:11 +01:00
3u13r
0297aed1ea
join: deprecate components migration fallback (#833) 2022-12-29 14:51:26 +01:00
Daniel Weiße
942d11a4c8
Only upgrade helm releases if versions changed (#818)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-12-22 12:30:04 +01:00
Otto Bittner
efcd0337b4
Microservice upgrades (#729)
Run with: constellation upgrade execute --helm.
This will only upgrade the helm charts. No config is needed.

Upgrades are implemented via helm's upgrade action, i.e. they
automatically roll back if something goes wrong. Releases could 
still be managed via helm, even after an upgrade with constellation
has been done.

Currently not user facing as CRD/CR backups are still in progress.
These backups should be automatically created and saved to the 
user's disk as updates may delete CRs. This happens implicitly 
through CRD upgrades, which are part of microservice upgrades.
2022-12-19 16:52:15 +01:00
renovate[bot]
fd640afe96
Update Terraform google to v4.46.0 (#798)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-14 19:15:51 +01:00
renovate[bot]
868d911918
Update fedora:37 Docker digest to 99aa891 (#797)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-14 10:38:00 +01:00
Paul Meyer
c741ccfb4b kubernetes: use new registry
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-13 16:08:19 +01:00
Malte Poll
c3b657de01 Bump version to v2.3.0 2022-12-12 17:45:35 +01:00
3u13r
c993cd6800
join: synchronize control plane joining (#776)
* join: synchronize control plane joining
2022-12-09 18:30:20 +01:00
renovate[bot]
85f9d62a9f
Update Terraform azurerm to v3.35.0 (#768)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-09 15:21:13 +01:00
renovate[bot]
4ec2fceeef
Update Terraform aws to v4.46.0 (#767)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-09 15:13:09 +01:00
renovate[bot]
4e6f88c355 Update gcr.io/kubebuilder/kube-rbac-proxy Docker tag to v0.13.1 2022-12-09 14:30:39 +01:00
Malte Poll
4a8ebfd921 OS images: use "ref", "stream" and "version"
Switch azure default region to west us
Update find-image script to work with new API spec
Add version for every os image build
generate measurements: Use new API paths
CLI: config fetch measurements: Use image short versions to fetch measurements
CLI: allows shortnames to specify image in config
Image build pipeline: Change paths to contain "ref" and "stream"
2022-12-09 13:37:43 +01:00
Paul Meyer
f23a2fe073 hack: implement new api for add-version script
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-09 13:37:43 +01:00
Daniel Weiße
d356a40bc3
Pull in CSI chart from release tag (#757)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-12-09 08:32:58 +01:00
renovate[bot]
9d0d561726
Update Terraform google to v4.45.0 (#742)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-08 15:59:15 +01:00
Leonard Cohnen
a1161ae05d k8supdates: label nodes with k8s component hash 2022-12-08 11:19:22 +01:00
Moritz Sanft
286803fb97
AB#2579 Add constellation iam create command (#624) 2022-12-07 11:48:54 +01:00
Moritz Sanft
85e7b836a3
AB#2651 Compatibility warning for MiniConstellation (#713) 2022-12-07 10:20:01 +01:00
Daniel Weiße
dea05c45bc
Use csi chart from release tag (#727)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-12-07 08:19:44 +01:00
renovate[bot]
364db78420
Update Terraform azurerm to v3.34.0 (#726)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-06 13:42:49 +01:00
renovate[bot]
59076b0664
Update Terraform aws to v4.45.0 (#710)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-05 16:35:38 +01:00
Paul Meyer
9c9c8e3d46 versionsapi: rename package
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-02 18:49:17 +01:00
Leonard Cohnen
0c71cc77f6 joinservice: use configmap for k8s components 2022-12-02 14:34:38 +01:00
renovate[bot]
68bf23b760
Update Terraform aws to v4.44.0 (#702)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-01 18:46:31 +01:00
Otto Bittner
a20b5461aa Make loader tests more precise
Until now the loader tests did not detect if a file in testdata existed,
but was missing from the actual results. This patch fixes the problem.
It also removes various files that are not needed.
The testdata folder now represents which files end up in a cluster 1:1.
2022-12-01 12:15:32 +01:00
Otto Bittner
c05d1589f8 Bring in CSI driver changes from upstream 2022-12-01 12:15:32 +01:00
Paul Meyer
b93b24e058 debugd: add logcollector
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 16:26:25 +01:00
Malte Poll
9537fb73c0 use constants for default CDN paths 2022-11-30 12:35:12 +01:00
Malte Poll
9bccf26ccf move update api 2022-11-30 12:35:12 +01:00
Malte Poll
ebf852b3ba Add image update API and use for "upgrade plan" 2022-11-30 12:35:12 +01:00
renovate[bot]
fe74c937b9
Update Terraform azurerm to v3.33.0 (#678)
* Update Terraform azurerm to v3.33.0
* [bot] Update HCL lock files

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-11-30 11:41:31 +01:00
renovate[bot]
7c744c0837
Update Terraform aws to v4.43.0 (#672)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 11:22:09 +01:00
renovate[bot]
fffd2b79f2
Update Terraform google to v4.44.1 (#666)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-29 14:45:07 +01:00
renovate[bot]
9d6d9f0a40
Update Terraform docker to v2.23.1 (#645)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-11-29 13:06:36 +01:00
Otto Bittner
fc8a2be843 Use ChartLoader to set operator deployment images
This allows the (operator) unittests to use dummy values instead of
relying on the real image string from versions.go.
2022-11-29 10:36:55 +01:00
Leonard Cohnen
3b6bc3b28f initserver: add client verification 2022-11-28 19:34:02 +01:00
Otto Bittner
038ea5fade Add helm's quote function to various fields
The constellationUID is sometimes interpreted as integer if it contains
0e, as the yaml parsing interprets that as scientific notation.
Since it is a best practices to quote string fields anyways this patch
also quotes other fields where an actual string is required.
2022-11-28 11:35:47 +01:00
Daniel Weiße
d52f3db2a3
AB#2644 Fetch measurements from CDN (#653)
* Fetch measurements from CDN

* Perform metadata validation on fetched measurements

* Remove deprecated public bucket

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-28 10:27:33 +01:00
Leonard Cohnen
c978329839 helm: fix expected helm charts 2022-11-27 16:43:50 +01:00
Leonard Cohnen
865cd53856 helm: remove non-existent field in operator 2022-11-27 16:43:34 +01:00
Otto Bittner
18fe34c58b loader_test now compares all documents in one file
Previously only the first document was compared due to
an issue in testify.
Also update testdata to match the adjusted expectations.
2022-11-25 18:07:40 +01:00
Malte Poll
1af3ff00ad
Constellation Operator: Add image version field (#649) 2022-11-25 14:49:26 +01:00
Daniel Weiße
1968dfe70c
Add warning about non retriable error during init (#644)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-25 10:02:12 +01:00
Daniel Weiße
67d0424f0e
AB#2639 Add functions to fetch k8s and helm version of Constellation (#637)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-24 16:39:33 +01:00
Daniel Weiße
f8001efbc0
Refactor enforced/expected PCRs (#553)
* Merge enforced and expected measurements

* Update measurement generation to new format

* Write expected measurements hex encoded by default

* Allow hex or base64 encoded expected measurements

* Allow hex or base64 encoded clusterID

* Allow security upgrades to warnOnly flag

* Upload signed measurements in JSON format

* Fetch measurements either from JSON or YAML

* Use yaml.v3 instead of yaml.v2

* Error on invalid enforced selection

* Add placeholder measurements to config

* Update e2e test to new measurement format

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-24 10:57:58 +01:00
Otto Bittner
da1af3f37e Fix type for cert-manager verbose flag 2022-11-23 18:37:36 +01:00
Malte Poll
575b6e93f6 CLI: use global image version field
- Restructure config by removing CSP-specific image references
- Add global image field
- Download image lookup table on create
- Download QEMU image on QEMU create
2022-11-23 15:47:46 +01:00
Otto Bittner
3e71459898 AB#2635: Deploy Konnectivity via Helm 2022-11-23 12:21:08 +01:00
Otto Bittner
7283eeb798 AB#2636: Deploy gcp-guest-agent via Helm 2022-11-23 12:21:08 +01:00
Otto Bittner
9b75d651fc Run cert-manager startupapicheck with verbose flag 2022-11-23 11:16:16 +01:00
Leonard Cohnen
1e98b686b6 kubernetes: verify Kubernetes components 2022-11-23 10:48:03 +01:00
Otto Bittner
2c9ddbc6e7 Remove unused LoadConfig type 2022-11-23 08:49:22 +01:00
Otto Bittner
6b2d9d16f8 Remove obsolote revive comments 2022-11-23 08:35:12 +01:00