Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-09-20 08:15:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,457 Commits 131 Branches 43 Tags 105 MiB
ebf852b3ba
Commit Graph

142 Commits

Author SHA1 Message Date
Malte Poll
ebf852b3ba Add image update API and use for "upgrade plan" 2022-11-30 12:35:12 +01:00
Leonard Cohnen
3b6bc3b28f initserver: add client verification 2022-11-28 19:34:02 +01:00
Daniel Weiße
d52f3db2a3
AB#2644 Fetch measurements from CDN (#653) 
* Fetch measurements from CDN

* Perform metadata validation on fetched measurements

* Remove deprecated public bucket

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-28 10:27:33 +01:00
Daniel Weiße
1968dfe70c
Add warning about non retriable error during init (#644) 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-25 10:02:12 +01:00
Daniel Weiße
67d0424f0e
AB#2639 Add functions to fetch k8s and helm version of Constellation (#637) 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-24 16:39:33 +01:00
Daniel Weiße
f8001efbc0
Refactor enforced/expected PCRs (#553) 
* Merge enforced and expected measurements

* Update measurement generation to new format

* Write expected measurements hex encoded by default

* Allow hex or base64 encoded expected measurements

* Allow hex or base64 encoded clusterID

* Allow security upgrades to warnOnly flag

* Upload signed measurements in JSON format

* Fetch measurements either from JSON or YAML

* Use yaml.v3 instead of yaml.v2

* Error on invalid enforced selection

* Add placeholder measurements to config

* Update e2e test to new measurement format

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-24 10:57:58 +01:00
Malte Poll
575b6e93f6 CLI: use global image version field 
- Restructure config by removing CSP-specific image references
- Add global image field
- Download image lookup table on create
- Download QEMU image on QEMU create
 2022-11-23 15:47:46 +01:00
Leonard Cohnen
1e98b686b6 kubernetes: verify Kubernetes components 2022-11-23 10:48:03 +01:00
Otto Bittner
6b2d9d16f8 Remove obsolote revive comments 2022-11-23 08:35:12 +01:00
Otto Bittner
1362e40f53
Surpress argument-limit errors and add TODO. (#603) 2022-11-21 17:31:01 +01:00
Daniel Weiße
1f9b6ba90f
Add debug logging for verify command (#610) 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-21 17:02:33 +01:00
Malte Poll
74aabe86fa Move PCR[8] -> PCR[12] 2022-11-18 10:37:45 +01:00
Daniel Weiße
b966f57a2f
AB#2554 GCP CSI driver deployment (#532) 
* Allow enabling/disabling of CSI driver through config

* Fix inconsistent namespace parsing

* Deploy GCP CSI driver on init

* Update invalid pod tolerations

* Add generate script for CSI charts

* Update generateCilium script

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-18 10:05:02 +01:00
Fabian Kammel
feae4a86bc
reserve enough time for stable tests (#564) 
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-17 17:30:35 +01:00
Nils Hanke
6e5895f200 User-friendlier errors 2022-11-17 13:49:34 +01:00
Nils Hanke
4a2cba988c Create separate Terraform workspace directory 2022-11-17 13:49:34 +01:00
Fabian Kammel
bb76a4e4c8
AB#2512 Config secrets via env var & config refactoring (#544) 
* refactor measurements to use consistent types and less byte pushing
* refactor: only rely on a single multierr dependency
* extend config creation with envar support
* document changes
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-15 15:40:49 +01:00
Daniel Weiße
a07cab4b97
Update go-tpm dependency (#533) 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-14 09:02:56 +01:00
Nils Hanke
db27a6a0dd Increase timeout for fetch-measurements 2022-11-11 11:38:50 +01:00
Fabian Kammel
b92b3772ca
Remove access manager (#470) 
* remove access manager from code base
* document new node ssh workflow
* keep config backwards compatible
* slow down link checking to prevent http 429
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-11 08:44:36 +01:00
Nils Hanke
d41174659b Print "Initializing cluster..." on stderr 2022-11-10 17:51:14 +01:00
Nils Hanke
bc584d61fa Switch spinner TTY detection to stderr 2022-11-10 17:51:14 +01:00
Fabian Kammel
81a5907f26
consistently use stdout and stderr (#502) 
* consistently use stdout and stderr
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-10 10:27:24 +01:00
Fabian Kammel
0d12e37c96
Document exported funcs,types,interfaces and enable check. (#475) 
* Include EXC0014 and fix issues.
* Include EXC0012 and fix issues.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
 2022-11-09 15:57:54 +01:00
Daniel Weiße
c9873f2bfb
AB#2523 Refactor GCP metadata/cloud API (#387) 
* Refactor GCP metadata/cloud API

* Remove cloud controller manager from metadata package

* Remove PublicIP

* Move shared cloud packages

* Remove dead code

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-09 14:43:48 +01:00
Daniel Weiße
011f9c597d
Bring in changes from release branch (#479) 
* Bump version to v2.2.0

* Update changelog

* Fix release detection in pipeline

* Fix PKI selection in pipeline

* Set enforced measurements for AWS

* Update default images

* Fix release docs

* Update mini-con defaults

* Fix measurements action

* Fix syft env variable naming

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-08 18:32:59 +01:00
3u13r
309a4b5196
cli: remove debug env check for AWS (#460) 2022-11-04 15:31:51 +01:00
Fabian Kammel
04d0c770af
limit aws cluster name len (#454) 
* limit aws cluster name len down to 10, 32-character name limit in AWS
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-04 13:35:32 +01:00
Nils Hanke
19fd3a351a Make azureCVMRxp in upgradeplan.go case-insensitive 2022-11-04 12:57:24 +01:00
Nils Hanke
4d9fbdb3d3 CI: Use lowercase image name for fetching measurements 2022-11-04 12:57:24 +01:00
Leonard Cohnen
cc38506ffa cli: AWS does not use a service account 2022-11-02 23:29:04 +01:00
Leonard Cohnen
015b12d8ff attestation: use AWS attestation 2022-11-02 23:29:04 +01:00
Nils Hanke
8d097424a1 Remove separate function for yesFlag in terminate 2022-11-02 18:18:30 +01:00
Nils Hanke
ad871d1993 Prompt before termination 2022-11-02 18:18:30 +01:00
Nils Hanke
c922136cd4 Fix typos 2022-11-02 18:18:30 +01:00
Otto Bittner
30bdbd9b85
Add helm unittests (#380) 2022-10-31 19:25:02 +01:00
Daniel Weiße
79f52e67cb
Update go-tpm-tools to fix AWS PCR selection (#390) 
* Update go-tpm-tools to fix AWS PCR selection

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Ignore leaking glog go routine

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-10-28 17:57:24 +02:00
Paul Meyer
86906ac536 Use atomic.Bool, added in Go 1.19 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-10-28 16:06:53 +02:00
Otto Bittner
091e3b2b2b AB#2538: deploy CCM via Helm 
Also move helmloader interface/stubs
 2022-10-27 18:12:47 +02:00
Daniel Weiße
e66cb84d6e
AB#2532 Dont clean up workspace if rollback fails (#360) 
* Dont clean up workspace if rollback fails

* Remove dependency on CSP from terminate

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-10-26 15:57:00 +02:00
Paul Meyer
c05b22f1dc
Remove dead code (#373) 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-10-26 10:29:28 +02:00
Malte Poll
2d121d9243
Replace interface{} -> any (#370) 2022-10-25 15:51:23 +02:00
Otto Bittner
c2814aeddb
AB#2504: Deploy join-service via helm (#358) 2022-10-24 12:23:18 +02:00
Daniel Weiße
c82d5ccba9
Hide cursor and fix dots (#217) 
* Hide cursor and fix dots spinner

* Allow restarting of spinner

* Don't spin on non TTY output

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-10-21 14:26:42 +02:00
Nils Hanke
04c4cff9f6
AB#2436: Initial support for create/terminate AWS NitroTPM instances 
* Add .DS_Store to .gitignore

* Add AWS to config / supported instance types

* Move AWS terraform skeleton to cli/internal/terraform

* Move currently unused IAM to hack/terraform/aws

* Print supported AWS instance types when AWS dev flag is set

* Block everything aTLS related (e.g. init, verify) until AWS attestation is available

* Create/Terminate AWS dev cluster when dev flag is set

* Restrict Nitro instances to NitroTPM supported specifically

* Pin zone for subnets

This is not great for HA, but for now we need to avoid the two subnets
ending up in different zones, causing the load balancer to not be able
to connect to the targets.

Should be replaced later with a better implementation that just uses
multiple subnets within the same region dynamically
based on # of nodes or similar.

* Add AWS/GCP to Terraform TestLoader unit test

* Add uid tag and create log group

Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
 2022-10-21 12:24:18 +02:00
Otto Bittner
07f02a442c
Refactor Helm deployments (#341) 
* Wrap KMS deployment in one main chart that
deploys all other services. Other services will follow.
* Use .tgz via helm-package as serialization format
* Change Release type to carry chart as byte slice
* Remove KMSConfig
* Use json-schema to validate values
* Extend release.md to mention updating helm charts
 2022-10-21 12:01:28 +02:00
Malte Poll
743f5fa627 Remove all traces of CoreOS from the codebase 2022-10-21 11:04:25 +02:00
Malte Poll
3b6ee703f5 Move PCR indices for owner ID and cluster ID 2022-10-21 11:04:25 +02:00
Daniel Weiße
085f7b1a2a Prompt user for confirmation before overwriting config 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-10-20 15:35:31 +02:00
github-actions[bot]
74c3c93dec
Update CLI reference (#248) 
Co-authored-by: katexochen <49727155+katexochen@users.noreply.github.com>
 2022-10-14 10:48:20 +02:00