Commit Graph

819 Commits

Author SHA1 Message Date
Daniel Weiße
daaa7755a7
cli: enable JSON output for constellation verify on Azure TDX (#3164)
* Remove formatter factory
* Enable `constellation verify` with JSON output for Azure TDX

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-06-12 13:18:27 +02:00
Malte Poll
d960121cba bazel: update BUILD files for rules_go bzlmod migration 2024-05-23 09:48:04 +02:00
Daniel Weiße
9def35ed06
deps: update all Go dependencies (#3071)
* Upgrade Go dependencies

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Group Go dependency upgrades

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Remove usage of deprecated docker types

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Fix usage of invalid validation tags

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Regenerate bazel files

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Keep github.com/bazelbuild/buildtools at old version to not break other dependencies

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-05-08 17:31:47 +02:00
miampf
b187966581
cli: allow tagging cloud resources with custom tags (#3033) 2024-04-19 09:07:57 +00:00
Moritz Sanft
913b09aeb8
Support SEV-SNP on GCP (#3011)
* terraform: enable creation of SEV-SNP VMs on GCP

* variant: add SEV-SNP attestation variant

* config: add SEV-SNP config options for GCP

* measurements: add GCP SEV-SNP measurements

* gcp: separate package for SEV-ES

* attestation: add GCP SEV-SNP attestation logic

* gcp: factor out common logic

* choose: add GCP SEV-SNP

* cli: add TF variable passthrough for GCP SEV-SNP variables

* cli: support GCP SEV-SNP for `constellation verify`

* Adjust usage of GCP SEV-SNP throughout codebase

* ci: add GCP SEV-SNP

* terraform-provider: support GCP SEV-SNP

* docs: add GCP SEV-SNP reference

* linter fixes

* gcp: only run test with TPM simulator

* gcp: remove nonsense test

* Update cli/internal/cmd/verify.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update docs/docs/overview/clouds.md

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* linter fixes

* terraform_provider: correctly pass down CC technology

* config: mark attestationconfigapi as unimplemented

* gcp: fix comments and typos

* snp: use nonce and PK hash in SNP report

* snp: ensure we never use ARK supplied by Issuer (#3025)

* Make sure SNP ARK is always loaded from config, or fetched from AMD KDS
* GCP: Set validator `reportData` correctly

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* attestationconfigapi: add GCP to uploading

* snp: use correct cert

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: enable fetching of attestation config values for GCP SEV-SNP

* linter fixes

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2024-04-16 18:13:47 +02:00
miampf
840f460bac
logging: unify debug log message format (#2997) 2024-04-03 13:49:03 +00:00
Malte Poll
c23f17de41 openstack: read credentials from clouds.yaml 2024-03-11 15:59:23 +01:00
Malte Poll
d69673fab7 terraform-provider: Add support for STACKIT / OpenStack 2024-03-11 15:59:23 +01:00
Malte Poll
8b41bcaecc cli: correct measurements in config generate stackit 2024-03-04 18:17:26 +01:00
Malte Poll
f94c6ca0d4 misc: skip message about community license with marketplace image 2024-03-04 18:17:26 +01:00
Malte Poll
1c8a7e4c22 cli: add STACKIT to constellation config instance-types 2024-03-04 18:17:26 +01:00
3u13r
2a61861a1c
stackit: add k8s api load balancer (#2925) 2024-02-22 17:39:34 +01:00
Malte Poll
1e987f6a85 terraform: add subnet for OpenStack LBs 2024-02-22 12:43:04 +01:00
Malte Poll
ffdf23e3f2 libvirt: replace use of deprecated types 2024-02-21 18:40:16 +01:00
Malte Poll
65903459a0 chore: fix unused parameter lint in new golangcilint version 2024-02-21 17:54:07 +01:00
miampf
96c5980651
cli: collect debug logs in file (#2906) 2024-02-21 15:39:12 +00:00
Malte Poll
6f9020d527 cli: use pre-uploaded image on OpenStack
Before, the terraform infrastructure code would upload an image on the fly.
Now, we upload images in advance and specify the image ID instead.
2024-02-19 18:16:45 +01:00
Malte Poll
b5e848a87e terraform: provide required configuration for yawol on OpenStack 2024-02-12 13:13:48 +01:00
Malte Poll
dba835bdf4
openstack: prepare for normal users (#2899)
* image: disable serial console autologin on OpenStack
* cli: remove requirement for CONSTELLATION_OPENSTACK_DEV env var
2024-02-09 14:48:41 +01:00
miampf
54cce77bab
deps: convert zap to slog (#2825) 2024-02-08 14:20:01 +00:00
Moritz Sanft
dde3430da8
terraform: support AWS marketplace images (#2888)
* terraform: support AWS marketplace images

* terraform-provider: support AWS marketplace images

* docs: add instructions on AWS marketplace images

* ci: adapt marketplace image test for AWS

* Update internal/config/config.go

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>

* docs: update config

* Update docs/docs/getting-started/marketplaces.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* docs: update license information

* docs: use CSP tabs for marketplace overview

* Update docs/docs/getting-started/marketplaces.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/getting-started/marketplaces.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/getting-started/marketplaces.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

---------

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2024-02-06 12:13:59 +01:00
Adrian Stobbe
489e07677e
ref: pre v2.15 cleanup (#2871) 2024-01-29 21:32:37 +01:00
Daniel Weiße
e350ca0f57
attestation: add Azure TDX attestation (#2827)
* Implement Azure TDX attestation primitives
* Add default measurements and claims for Azure TDX
* Enable Constellation on Azure TDX

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-24 15:10:15 +01:00
Malte Poll
3a5753045e goleak: ignore rules_go SIGTERM handler
rules_go added a SIGTERM handler that has a goroutine that survives the scope of the goleak check.
Currently, the best known workaround is to ignore this goroutine.

https://github.com/uber-go/goleak/issues/119
https://github.com/bazelbuild/rules_go/pull/3749
https://github.com/bazelbuild/rules_go/pull/3827#issuecomment-1894002120
2024-01-22 13:11:58 +01:00
Malte Poll
5063b815f1 config: allow Azure TDX instance types 2024-01-16 17:34:44 +01:00
Markus Rudy
ef6f63dc48
Fix various small things throughout the codebase (#2800)
* bootstrapper: remove obsolete log statement

* ci: simplify variable usage

Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com>

* cli: add missing formatting directive

* helm: fix rm invocation

* ci: document reproducible-builds workflow

* constants: use variables for measurement files

* constants: use variables for CDN distribution ID

* ci: make Helm version explicit

* api: prettify versionsapi-list output

* ci: remove obsolete docstring

---------

Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com>
2024-01-09 19:37:56 +01:00
Daniel Weiße
90f3336c8e
deps: remove go.mod files from submodules (#2769)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-08 13:19:38 +01:00
Daniel Weiße
519efe637d
constellation-lib: run license check in Terraform provider and refactor code (#2740)
* Clean up license checker code

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Create license check depending on init/upgrade actions

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Run license check in Terraform provider

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* fix license integration test action

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Run tests with enterprise tag

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Allow b64 encoding for license ID

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Update checker_enterprise.go

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-12-22 10:16:36 +01:00
Daniel Weiße
a1f67d0884
cli: fix upgrades when using outdated Kubernetes patch version (#2718)
* Fix missing image for Constellation operators in our Helm charts if the desired Kubernetes patch version is no longer supported (but Kubernetes upgrades are skipped)
* Correctly unmarshal Kubernetes Components list if the list uses an old format

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-15 15:45:52 +01:00
Adrian Stobbe
9667dfff58
terraform: align infrastructure module attributes (#2703)
* all vars have snail_case

* make iam schema consistent

* infrastructure schema

* terraform: update AWS infrastructure module

* fix ci

* terraform: update AWS infrastructure module

* terraform: update AWS IAM module

* terraform: update Azure Infrastructure module inputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update Azure IAM module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update GCP infrastructure module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update GCP IAM module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update OpenStack Infrastructure module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: update QEMU Infrastructure module

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-module: fix input name

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: tidy

* cli: ignore whitespace in Terraform variable tests

* terraform-module: fix AWS output names

* terraform-module: fix output references

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: rename `api_server_cert_sans`

* Update terraform/infrastructure/aws/modules/public_private_subnet/variables.tf

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* fix self-managed

* terraform: revert AWS modules output file renaming

* terraform: remove duplicate varable declaration

* terraform: rename Azure location field

* ci: adjust output name in self-managed e2e test

* e2e: continuously print output in upgrade test

* e2e: write to output variables

* cli: migrate IAM variable names

* cli: make `location` field optional

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-12-15 10:36:58 +01:00
Moritz Sanft
60fc73e0e7
terraform-provider: implement constellation_cluster resource (#2691)
* terraform: move module to legacy-directory

* constellation-lib: refactor service account marshalling

* terraform-provider: normalize Azure image URIs

* constellation-lib: refactor Kubeconfig endpoint rewriting

* terraform-provider: add conversion functions for AWS and GCP

* terraform-provider: implement `constellation_cluster` resource

* terraform-provider: refactor conversion

* terraform-provider: implement image and k8s upgrades

* terraform-provider: fix linter checks

* terraform-provider: refactor to bundle init & upgrade method

* constellation-lib: rewrite Kubeconfig endpoint in init

* terraform-provider: bind logger and dialer constructors to struct

* terraform-provider: move applier to function pointer

* terraform-provider: gcp conversion fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: fix Azure UAMI input

* terraform-provider: rename Kubeconfig variable

* terraform-provider: tidy

* terraform-provider: regenerate docs

* constellation-lib: provide Kubeconfig in testing initserver

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-12-11 15:55:44 +01:00
Moritz Sanft
6ff321364d
terraform: fix Azure marketplace image defaults (#2692)
* config: default to false instead of null for Azure marketplace image

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: make Azure marketplace image default to null

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-12-11 08:15:47 +01:00
Daniel Weiße
272584a34c
constellation-lib: move state and featureset packages (#2682)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-08 16:27:04 +01:00
Moritz Sanft
c15e4efef6
terraform: Azure Marketplace image support (#2651)
* terraform: add Azure marketplace variable

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* config: add Azure marketplace variable

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: use Terraform variables from config

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: pass down marketplace variable

* image: pad Azure images to 1GiB

* terraform: add version attribute to marketplace image

* semver: allow versions to be exported without prefix

* cli: boolean var to use marketplace images

* config: remove dive key

* dev-docs: add instructions on how to use marketplace images

* terraform: fix unit test

* terraform: only fetch image for non-marketplace images

* mpimage: refactor image selection

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] increase minor version for image build

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: ignore changes to source_image_reference on upgrade

* operator: add support for parsing Azure marketplace images

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* upgrade: fix imagefetcher call

* docs: add info about azure marketplace

* image: ensure more than 1GiB in size

* image: test to pad to 2GiB

* version: change back to v2.14.0-pre

* image: GPT-conformant image size padding

* [remove] increase version

* mpimage: inline prefix func

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* ci: add marketplace image e2e test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] register workflow

* ci: fix workflow name

* ci: only allow azure test

* cli: add marketplace image input to interface

* cli: fix argument passing

* version: roll back to v2.14.0

* ci: add force-flag support

* Update docs/docs/overview/license.md

* Update dev-docs/workflows/marketplace-images.md

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-12-08 14:40:31 +01:00
Daniel Weiße
b7425db72a
constellation-lib: add Helm wrapper (#2680)
* Add Helm wrapper to constellation-lib
* Move helm package to constellation-lib

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-06 10:01:39 +01:00
Daniel Weiße
3691defce7
constellation-lib: move kubecmd package usage (#2673)
* Reduce external dependencies of kubecmd package
* Add kubecmd wrapper to constellation-lib
* Update CLI code to use constellation-lib
* Move kubecmd package to subpackage of constellation-lib
* Initialise helm and kubecmd clients when kubeConfig is set

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-05 16:23:31 +01:00
Moritz Sanft
781ac85711
cli: move cloudcmd/validators to cmd (#2679)
* cli: refactor `cloudcmd/validators`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make struct fields private

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* use errors.New

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* make struct fields private in usage

* fix casing

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-12-05 12:28:40 +01:00
Moritz Sanft
17aecaaf5f
constellation-lib: refactor init RPC to be shared (#2665)
* constellation-lib: refactor init RPC

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* constellation-lib: pass io.Writer for collecting logs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* constellation-lib: add init test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* constellation-lib: bin dialer to struct

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* constellation-lib: set service CIDR on init

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-12-04 13:40:24 +01:00
Daniel Weiße
0e91650631
cli: fix helm-timeout flags for deprecated commands (#2676)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-04 10:14:16 +01:00
3u13r
63cdd03d09
Make Kubernetes serviceCIDR configurable in config (#2660)
* config: pass serviceCIDR to kubeadm init

* terraform: add serviceCIDR
2023-12-01 14:39:05 +01:00
Adrian Stobbe
c2d1a7b7fb
ref: decouple helm from config (#2669) 2023-12-01 12:51:51 +01:00
Malte Poll
cd6e03049a libvirt: build containerized libvirt as nix container image 2023-12-01 09:35:33 +01:00
Malte Poll
fb735419ac bazel: provide runtime dependencies of libvirt where needed
This adds nix store paths to container images that have binaries linking
against libvirt from nix.
2023-12-01 09:35:33 +01:00
Daniel Weiße
a9cc9d8bbc
Create Kubernetes clients from bytes instead of filepath (#2663)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-01 09:00:44 +01:00
Moritz Sanft
4d6a7fa759
license: refactor license check to be agnostic of input (#2659)
* license: refactor license check to be agnostic of input

* license: remove unused code

* cli: only check license file in enterprise version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bazel: fix enterprise CLI build

* bazel: add keep directive

* Update internal/constellation/apply.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* license: check for return value

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-12-01 08:37:52 +01:00
Daniel Weiße
581ae0f92a
cli: fix renamed flag for mini-constellation (#2662)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-30 10:12:51 +01:00
Daniel Weiße
b3c734b804
helm: re-enable timeout flag (#2658)
* Honor (hidden) timeout flag for applying helm charts
* Set only internally used structs to private

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-29 14:55:10 +01:00
Adrian Stobbe
a2de1d23ec
terraform-provider: add attestation data source (#2640)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-11-28 17:30:11 +01:00
Thomas Tendyck
960118dc00 config: remove AWS SNP warning 2023-11-28 14:26:40 +01:00
Otto Bittner
350397923f api: refactor attestationconfigapi client/fetcher
There is now one SEVSNPVersions type that has a variant
property. That property is used to build the correct JSON
path. The surrounding methods handling the version objects
are also updated to receive a variant argument and work
for multiple variants. This simplifies adding AWS support.
2023-11-24 15:49:48 +01:00