Commit Graph

30 Commits

Author SHA1 Message Date
Nils Hanke
c51dec6d00 Use distroless images for JoinService & KMS 2022-09-09 18:11:33 +02:00
Nils Hanke
0949393dbb Update build environment to Fedora 36 & Go 1.19.1 2022-09-09 18:11:33 +02:00
Nils Hanke
9bedaf20ea Use CMake project version across all places & remove obsolete build tags 2022-09-09 15:33:16 +02:00
Malte Poll
38f461fdee join-service: do not check if kubernetes version is valid
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-09-05 16:57:28 +02:00
Malte Poll
57e77ee53f kubernetes version: rename latest -> default
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-09-05 16:57:28 +02:00
Otto Bittner
405db3286e AB#2386: TrustedLaunch support for azure attestation
* There are now two attestation packages on azure.
The issuer on the server side is created base on successfully
querying the idkeydigest from the TPM. Fallback on err: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42)
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests

Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-05 12:03:48 +02:00
Thomas Tendyck
bd63aa3c6b add license headers
sed -i '1i/*\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n*/\n' `grep -rL --include='*.go' 'DO NOT EDIT'`
gofumpt -w .
2022-09-05 09:17:25 +02:00
katexochen
5d63150bed Silence wget output 2022-09-02 15:20:25 +02:00
Moritz Eckert
b95f3dbc91
Add docs to repo (#38) 2022-09-02 11:52:42 +02:00
Otto Bittner
7c5556864b AB#2333: Add AMD SNP-based attestation
Currently only available on Azure CVMs.

* Get the public attestation key from the TPM.
* Get the snp report from the TPM.
* Get the VCEK and ASK certificate from the metadata api.
* Verify VCEK using hardcoded root key (ARK)
* Verify SNP report using VCEK
* Verify HCLAkPub using SNP report by comparing
AK with runtimeData
* Extend unittest

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-29 16:29:33 +02:00
Malte Poll
26e9c67a00 Move cloud metadata packages and kubernetes resources marshaling to internal
Decouples cloud provider metadata packages from kubernetes related code

Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-08-29 16:07:55 +02:00
Otto Bittner
0892525915 Switch to Azure CVMs 2022-08-19 14:39:36 +02:00
Daniel Weiße
ab536ae3c8 AB#2278 Remove hardcoded values from config (#346)
* Update file handler to avoid incorrect usage of file.Option

* Remove hardcoded values

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-08 11:04:17 +02:00
Daniel Weiße
4151d365fb AB#2286 Return only primary IPs for instance metadata operations (#335)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-04 11:08:20 +02:00
Daniel Weiße
9a3bd38912 Generate random salt for key derivation on init (#309)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-29 09:52:47 +02:00
Daniel Weiße
db79784045 AB#2200 Merge Owner and Cluster ID (#282)
* Merge Owner and Cluster ID into single value

* Remove aTLS from KMS, as it is no longer used for cluster external communication

* Update verify command to use cluster-id instead of unique-id flag

* Remove owner ID from init output

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-26 10:58:39 +02:00
Otto Bittner
52ceced223 AB#2255: Fix kubeadm version incompatibility (#293)
* Update image version
* Introduce 'ValidK8sVersion' type. Ensures that consumers
of the k8sVersion receive a valid version, without
having to do their own validation.
* Add testcase to check that kubeadm accepts the currently provided
version.
2022-07-22 15:05:04 +02:00
Otto Bittner
741384158a AB#2076: version specific images (#288)
KubernetesVersion sent by the init command now controls
all downloaded binaries, if they depend on the k8s version.

* Move all download links into /internal/versions.
* Unify files in /internal/versions package
* Move image download links into VersionConfigs
and thus make them dependant on the k8s version,
where the image version is specific to the k8s version.
* Don't specify patch version in k8sVersion
2022-07-21 14:41:07 +02:00
Fabian Kammel
ba5a3aefe3 fix ci-lint issues (#287)
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-07-20 16:44:41 +02:00
Otto Bittner
a68ee817ff AB#2074: Choosable K8S Version (#277)
AB#2074: Add configurable k8s version

Configurable version flow:
* cli config holds/validates k8sVersion
* InitCluster receive a k8sVersion arg
* InitCluster creates CM "k8s-version"
* kubeadm's InitConfiguration receives k8sVersion
* joinservice spec mounts/reads k8s-version CM
* joinservice supplies k8sVersion via JoinTicketResponse
Other changes:
* Remove unused test code (FakeK8SClient)
* move VersionConfig map to /internal/versions
* installk8sComponents is now a function instead of a method
2022-07-18 12:28:02 +02:00
Daniel Weiße
c6ff34f4d2 Use Certificate Requests to issue Kubelet Certificates and set CA (#261)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-15 09:33:11 +02:00
Malte Poll
cce2611e2a Simplify node lock and various small changes
Co-authored-by: Fabian Kammel <fabian@kammel.dev>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2022-07-14 17:25:18 +02:00
Daniel Weiße
2bcf001d52 Distribute k8s CA certificates and key over join-service
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-14 17:25:18 +02:00
Malte Poll
260d2571c1 Only upload kubeadm certs if key is rotated
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
2022-07-14 17:25:18 +02:00
daniel-weisse
586b65f089 Cache kubeadm certificate keys to avoid race conditions
Signed-off-by: daniel-weisse <daniel.weisse@gmx.net>
2022-07-14 17:25:18 +02:00
katexochen
66b573ea5d Bootstrapper 2022-07-14 17:25:18 +02:00
katexochen
1af18e990d Rename all activation 2022-07-14 17:25:18 +02:00
katexochen
2083d37b11 Create internal package for joinservice 2022-07-14 17:25:18 +02:00
katexochen
15adba9235 Simplify joinproto 2022-07-14 17:25:18 +02:00
katexochen
dc9e8e75df Rename activation to joinservice 2022-07-14 17:25:18 +02:00