Commit Graph

3334 Commits

Author SHA1 Message Date
edgelessci
e231a24916
image: update measurements and image version (#2428)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-10-11 10:33:54 +02:00
Adrian Stobbe
b35a042abd
fix verify test (#2424) 2023-10-10 20:47:53 +02:00
Malte Poll
02c04f057f
ci: start v2.13-pre window (#2426) 2023-10-10 18:33:04 +02:00
Malte Poll
c4a3e40882 s3proxy: add new page to documentation (v2.12) 2023-10-10 18:31:02 +02:00
Malte Poll
07249b1288 docs: add note about current AWS CVM issues (v2.12) 2023-10-10 18:31:02 +02:00
malt3
34cdfdaf57 docs: add release v2.12.0 2023-10-10 18:31:02 +02:00
Otto Bittner
4ef2e289b2
s3proxy: add new page to documentation (#2417)
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <ts@edgeless.systems>
2023-10-10 15:35:23 +02:00
Thomas Tendyck
714158619a docs: add note about current AWS CVM issues 2023-10-10 12:11:52 +02:00
Malte Poll
e4ed24ee4f image: fix bootstrapper install path 2023-10-10 10:33:54 +02:00
Moritz Sanft
8749cafcbd explicitly initialize struct 2023-10-10 10:33:54 +02:00
Moritz Sanft
6f53dc90cf fix go-sev-guest default product 2023-10-10 10:33:54 +02:00
Moritz Sanft
dbad7c2f7a update go-tpm-tools / go-sev-guest 2023-10-10 10:33:54 +02:00
Otto Bittner
c603b547db
s3proxy: add allow-multipart flag (#2420)
This flag allows users to control wether multipart uploads
are blocked or allowed. At the moment s3proxy doesn't
encrypt multipart uploads, so there is a potential for
inadvertent data leakage. With this flag the default
behavior is changed to a more secure default one: block
multipart uploads. The previous behavior can be enabled
by setting allow-multipart.
2023-10-09 15:18:12 +02:00
Moritz Sanft
005e865a13
cli: use state file on init and upgrade (#2395)
* [wip] use state file in CLI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use state file in CLI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

take clusterConfig from IDFile for compat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

various fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

wip

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add GCP-specific values in Helm loader test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary pointer

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* write ClusterValues in one step

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move stub to test file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove mention of id-file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move output to `migrateTerraform`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* unconditional assignments converting from idFile

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move require block in go modules file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fall back to id file on upgrade

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add notice to remove Terraform state check on manual migration

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add `name` field

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

fix name tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* return early if no Terraform diff

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* return infrastructure state even if no diff exists

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add TODO to remove comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use state-file in miniconstellation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: remove id-file (#2402)

* remove id-file from `constellation create`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add file renaming to handler

* rename id-file after upgrade

* use idFile on `constellation init`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation verify`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation mini`

* remove id-file from `constellation recover`

* linter fixes

* remove id-file from `constellation terminate`

* fix initSecret type

* fix recover argument precedence

* fix terminate test

* generate

* add TODO to remove id-file removal

* Update cli/internal/cmd/init.go

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* fix verify arg parse logic

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add version test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from docs

* add file not found log

* use state-file in miniconstellation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation iam destroy`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `cdbg deploy`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* use state-file in CI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update orchestration docs

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-10-09 13:04:29 +02:00
Malte Poll
dbf40d185c
ci: free up disk space on GitHub hosted runners (#2419) 2023-10-09 11:00:22 +02:00
Adrian Stobbe
fdd47b7a00
cli: new flag for Azure JSON output of constellation verify (#2391) 2023-10-07 16:24:29 +02:00
Daniel Weiße
cc4ec80e48
cli: update Azure/GCP CSI charts (#2416)
* Update Azure CSI driver to v1.3.0
* Update GCP CSI driver to v1.3.0

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-06 14:56:49 +02:00
Daniel Weiße
8bb23c373b
ci: ensure API is only updated if image and measurements are uploaded (#2413)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-06 14:34:06 +02:00
Daniel Weiße
ce2465c3c7
ci: use West US region for Azure e2e test until problems are resolved (#2414)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-06 11:43:02 +02:00
Moritz Sanft
d0fe6c9272
update list of default idkeydigests (#2415) 2023-10-06 11:32:19 +02:00
Otto Bittner
887dcda78b s3proxy: add keyservice integration
Encrypt each object with a random DEK and attach
the encrypted DEK as object metadata.
Encrpt the DEK with a key from the keyservice.
All objects use the same KEK until a keyrotation
takes place.
2023-10-06 11:23:32 +02:00
Otto Bittner
a7ceda37ea s3proxy: add intial implementation
INSECURE!
The proxy intercepts GetObject and PutObject.
A manual deployment guide is included.
The decryption only relies on a hardcoded, static key.
Do not use with sensitive data; testing only.
* Ticket to track ranged GetObject: AB#3466.
2023-10-06 11:23:32 +02:00
katexochen
957f8ad203 image: update measurements and image version 2023-10-06 08:09:28 +02:00
Paul Meyer
b1d5d13990 github: replace discord with GitHub discussions
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-05 16:57:19 +02:00
Paul Meyer
53bfb3b71a github: use new issue forms instead of template
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-05 16:57:19 +02:00
Moritz Sanft
2d797874c7
ci: add msanft to list of possible e2e assignees (#2410)
* add msanft to list of possible e2e assignees

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add msanft to teams card

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-05 13:54:45 +02:00
3u13r
1452e64675
Refactor Terraform to have all ports in a list (#2409)
* terraform: aws refactoring

* terraform: gcp refactoring

* terraform: azure refactoring
2023-10-05 12:34:02 +02:00
Daniel Weiße
f69ae26122
csi: fix concurrent use of cryptmapper package (#2408)
* Dont error on opening already active devices

* Fix concurrency issues when working with more than one device

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-05 11:20:22 +02:00
3u13r
6ba43b03ee
docs: add gcp permissions needed for upgrade (#2378) 2023-10-05 10:28:39 +02:00
Moritz Sanft
13e9359b5c
remove unnecessary link (#2407) 2023-10-05 10:05:45 +02:00
edgelessci
7e899d09c4
image: update measurements and image version (#2405)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-10-04 14:24:57 +02:00
Malte Poll
6ea0b38a66 ci: add large runner as allowed label 2023-10-04 13:17:44 +02:00
Malte Poll
69cb70e970 deps: update linux kernel to 6.1.55 2023-10-04 13:17:44 +02:00
Moritz Sanft
0885646034
github: add AB ticket link to PR template (#2397)
* add Azure DevOps ticket to PR template

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make additional info not optional

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-04 10:26:10 +02:00
Malte Poll
b4fb8439d0
ci: use larger runners for os image pipeline (#2399) 2023-10-04 10:13:43 +02:00
Moritz Eckert
7c76592a08
docs: add observability page (#2384)
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-10-04 09:37:46 +02:00
renovate[bot]
e938cc5e63
deps: update module golang.org/x/vuln to v1.0.1 (#2365)
* deps: update module golang.org/x/vuln to v1.0.1

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-09-29 21:45:42 +02:00
Malte Poll
af532f223d
deps: update golang.org/x/tools (#2396) 2023-09-29 15:49:34 +02:00
Moritz Sanft
a5021c52d3
joinservice: cache certificates for Azure SEV-SNP attestation (#2336)
* add ASK caching in joinservice

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use cached ASK in Azure SEV-SNP attestation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update test charts

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typ

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make caching mechanism less provider-specific

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add `omitempty` flag

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* frontload certificate getter

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* rename frontloaded function

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* pass cached certificates to constructor

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix race condition

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix marshalling of empty certs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validator usage

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [wip] add certcache tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add certcache tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validator test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unused fields in validator

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix certificate precedence

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use separate context

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Remove unnecessary comment

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* use background context

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Use error format directive

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* `azure` -> `Azure`

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* improve error messages

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add x509 -> PEM util function

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use crypto util functions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix certificate replacement logic

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only require ASK from certcache

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix comment typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-29 14:29:50 +02:00
Malte Poll
68d8b29335 nix: update flake.lock 2023-09-29 14:09:58 +02:00
Malte Poll
627a4b6cbb ci: enable nix binary cache 2023-09-29 14:09:58 +02:00
Malte Poll
b66fa5aaab hack: remove pseudo-version tool
The Go implementation is now unused.
Consumers are all switched over to /tools/workspace_status.sh
2023-09-29 14:09:58 +02:00
Malte Poll
ed4d4d83fd ci: remove dependency on pseudo-version tool 2023-09-29 14:09:58 +02:00
Malte Poll
055fb32918 ci: stop using raw "go run" 2023-09-29 14:09:58 +02:00
3u13r
eebaef9ddd
init: overwrite kubeconfig address (#2393) 2023-09-29 14:01:40 +02:00
Malte Poll
85b4101dc3
deps: update go to 1.21.1 (#2389) 2023-09-28 22:29:14 +02:00
3u13r
c74a2e98df
cli: omitempty infrastructure fields (#2392) 2023-09-28 18:39:52 +02:00
Daniel Weiße
36c8cf2fd8
ci: fix whitespace in url for some tests (#2390)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-28 16:31:22 +02:00
Malte Poll
4a66899de8 docs: update attestation section with changes for measured boot 2023-09-27 17:58:19 +02:00
Malte Poll
1da5153627 ci: use nix + mkosi during os image build 2023-09-27 17:58:19 +02:00