katexochen
4ccd96bf64
Pin container image hashes
2022-10-06 19:16:20 +02:00
katexochen
884c46179a
Bump konnectivity version
2022-10-06 19:16:20 +02:00
katexochen
bede530de7
Bump k8s versions
2022-10-06 19:16:20 +02:00
katexochen
9edfc2f6ba
Move k8s version window up
2022-10-06 19:16:20 +02:00
Fabian Kammel
369480a50b
Feat/revive ( #212 )
...
* enable revive as linter
* fix var-naming revive issues
* fix blank-imports revive issues
* fix receiver-naming revive issues
* fix exported revive issues
* fix indent-error-flow revive issues
* fix unexported-return revive issues
* fix indent-error-flow revive issues
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-10-05 15:02:46 +02:00
Daniel Weiße
2ea695896f
AB#2439 Containerized libvirt ( #191 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-05 09:11:30 +02:00
Daniel Weiße
acdcb535c0
AB#2444 Verify Azure trusted launch attestation keys ( #203 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-04 16:44:44 +02:00
katexochen
a60e76e91f
Upgrade operator version
2022-09-30 17:51:49 +02:00
katexochen
ccbc3d9123
Remove exposure of qemu ip_range_start value
2022-09-30 16:50:52 +02:00
katexochen
feffe40987
Remove GCP client from CLI
2022-09-30 16:50:52 +02:00
katexochen
42f273611a
Use uid from metadata instead of name
2022-09-30 16:50:52 +02:00
Felix Schuster
eabc433b68
Fix typo
2022-09-29 16:37:52 +02:00
Fabian Kammel
dfa4dd9b85
delete unused config test ( #202 )
...
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-09-28 16:31:00 +02:00
Felix Schuster
a6d201b761
Make wording around license less verbose
2022-09-27 11:24:01 +02:00
Daniel Weiße
804c173d52
Use terraform in CLI to create QEMU cluster ( #172 )
...
* Use terraform in CLI to create QEMU cluster
* Don't allow qemu creation on os/arch other than linux/amd64
* Allow usage of --name flag for QEMU resources
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-09-26 15:52:31 +02:00
Daniel Weiße
30f0554168
AB#2262 Automatic recovery ( #158 )
...
* Update `constellation recover` to be fully automated
* Update recovery docs
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-09-26 09:57:40 +02:00
katexochen
ba6e41ed5c
Upgrade go module to v2
2022-09-22 09:10:19 +02:00
katexochen
6401c345f0
Upgrade node operator
2022-09-20 14:41:54 +02:00
katexochen
88d200232a
Remove autoscaling from CLI and bootstrapper
2022-09-20 13:41:23 +02:00
Thomas Tendyck
3d50869ed6
only use test action in license integration test
2022-09-19 12:22:06 +02:00
Daniel Weiße
e367e1a68b
AB#2261 Add loadbalancer for control-plane recovery ( #151 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-09-14 13:25:42 +02:00
Leonard Cohnen
2a6c5df7cc
fix waiting on gcp load balancer
2022-09-13 11:06:44 +02:00
Leonard Cohnen
2d8f2af91b
prepare release v2.0.0
2022-09-12 19:03:01 +02:00
Nils Hanke
25b769d1e2
Remove obsolete tpmPath passed to OpenTPM
2022-09-12 14:38:10 +02:00
Thomas Tendyck
c41018ed32
license messages ( #118 )
...
* license: tell the user whether file couldn't be found or there was another error
* license: print correct info for community license
2022-09-12 13:38:50 +02:00
Thomas Tendyck
ab45d5fbfe
tidy config
2022-09-12 08:49:51 +02:00
Nils Hanke
c51dec6d00
Use distroless images for JoinService & KMS
2022-09-09 18:11:33 +02:00
Malte Poll
b8b169c93d
Bump node-operator ( #114 )
2022-09-09 17:33:55 +02:00
Leonard Cohnen
7163c161b6
Deploy Konnectivity
2022-09-09 17:26:02 +02:00
Thomas Tendyck
a85777fd02
enforce pcr4
2022-09-08 17:34:12 +02:00
Nils Hanke
7aded65ea8
Add validation for zero or more than one provider
2022-09-08 13:38:24 +02:00
Moritz Eckert
fb5faa681c
Add provider to license check ( #88 )
2022-09-08 11:02:04 +02:00
Otto Bittner
611ec25f22
AB#2380: Add unittest for validateAk
...
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-07 13:59:09 +02:00
Nils Hanke
fe70231f2a
Rename IsImageDebug -> IsDebugImage for consistency
2022-09-07 13:27:15 +02:00
Nils Hanke
1a4b4f564a
Remove firewall configuration and make it static with a debug flag
2022-09-07 13:27:15 +02:00
Otto Bittner
23bf4aa665
AB#2379: Validate version in SNP report ( #80 )
...
* AB#2379: Validate version in SNP report
* Check that TCB version in VCEK matches COMMITTED_TCB
* Check that LAUNCH, CURRENT and REPORTED TCB are at least
at the same security level as we are currently.
* Rename variables in snpReport struct
* Use default values in validator_test.go
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-07 10:39:38 +02:00
Malte Poll
50acded80b
Bump join service ( #79 )
2022-09-05 17:23:11 +02:00
Malte Poll
c1185241bb
temporarily upgrade join-service
...
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-09-05 16:57:28 +02:00
Malte Poll
c38a142d64
Kubernetes 1.25 preview
...
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-09-05 16:57:28 +02:00
Malte Poll
571b4ff36f
Switch default Kubernetes version 1.24 -> 1.23
...
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-09-05 16:57:28 +02:00
Malte Poll
57e77ee53f
kubernetes version: rename latest -> default
...
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-09-05 16:57:28 +02:00
Otto Bittner
1b810da331
Bump service versions.
...
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-05 12:46:40 +02:00
Otto Bittner
405db3286e
AB#2386: TrustedLaunch support for azure attestation
...
* There are now two attestation packages on azure.
The issuer on the server side is created based on successfully
querying the idkeydigest from the TPM. Fallback on err: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42 )
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests
Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-05 12:03:48 +02:00
Thomas Tendyck
bd63aa3c6b
add license headers
...
sed -i '1i/*\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n*/\n' `grep -rL --include='*.go' 'DO NOT EDIT'`
gofumpt -w .
2022-09-05 09:17:25 +02:00
Fabian Kammel
106635a9ee
Restructure config docs ( #44 )
...
* more guided UX when generating and filling in config
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-09-02 17:11:06 +02:00
Nils Hanke
0aefe2c0ba
Move instanceType from CLI to config
2022-09-02 07:04:11 -07:00
Otto Bittner
50d3f3ca7f
GetIdKeyDigest: Cut HCL header from raw report
2022-09-02 11:21:35 +02:00
Fabian Kammel
6440904865
Ref/update cosign key ( #31 )
...
* use new cosign keypair
* use community images for production image heuristic
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-09-01 12:58:31 +02:00
Moritz Eckert
db942ee4b5
Update references to docs ( #36 )
2022-09-01 09:27:25 +02:00
Otto Bittner
4adc19b7f5
AB#2350: Configurably enforce idkeydigest on Azure
...
* Add join-config entry for "enforceIdKeyDigest" bool
* Add join-config entry for "idkeydigest"
* Initially filled with TPM value from bootstrapper
* Add config entries for idkeydigest and enforceIdKeyDigest
* Extend azure attestation validator to check idkeydigest,
if configured.
* Update unittests
* Add logger to NewValidator for all CSPs
* Add csp to Updateable type
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-31 15:26:04 +02:00
Malte Poll
c84e44913b
Fork node maintenance operator and deploy it on all supported k8s versions
...
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-08-31 14:53:06 +02:00
katexochen
10e5249631
Manual client secrets on azure
2022-08-31 14:10:08 +02:00
katexochen
69abe17c96
Refactor Azure IMDS client and metadata
2022-08-31 14:10:08 +02:00
katexochen
f15605cb45
Manually manage resource group on Azure
2022-08-31 14:10:08 +02:00
Daniel Weiße
ce02878019
AB#2308 / AB#2317 constellation upgrade plan ( #3 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-31 11:59:07 +02:00
Daniel Weiße
b27e205399
Use 4 vCPU instances by default ( #24 )
...
* Use 4 vcpu instances by default
* Remove 2 vcpu instance type option
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-31 10:33:33 +02:00
Fabian Kammel
66d8c8037b
Release/v0.0.1 ( #20 )
...
* bump images to 0.0.1
* add gh cli commands
* variable with default value should not be required
* update release docs
* build and upload version manifest as part of release
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-30 15:54:35 +02:00
Thomas Tendyck
650ab76fe7
Update measurements.go
2022-08-30 15:50:40 +02:00
Fabian Kammel
778952e07c
AB#2287 support community image IDs ( #9 )
...
* support community image IDs
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-30 15:15:51 +02:00
Fabian Kammel
e0a457b6ff
change default image to new format of public images for next release ( #19 )
...
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-30 13:42:22 +02:00
Otto Bittner
2343c91bc7
Update service image versions
2022-08-30 09:42:18 +02:00
Daniel Weiße
7c832273fd
AB#2309 constellation upgrade execute ( #2 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-29 16:49:44 +02:00
Otto Bittner
7c5556864b
AB#2333: Add AMD SNP-based attestation
...
Currently only available on Azure CVMs.
* Get the public attestation key from the TPM.
* Get the snp report from the TPM.
* Get the VCEK and ASK certificate from the metadata api.
* Verify VCEK using hardcoded root key (ARK)
* Verify SNP report using VCEK
* Verify HCLAkPub using SNP report by comparing
AK with runtimeData
* Extend unittest
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-29 16:29:33 +02:00
Fabian Kammel
22c912a56d
move nodestate and role
...
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-29 16:07:55 +02:00
Malte Poll
26e9c67a00
Move cloud metadata packages and kubernetes resources marshaling to internal
...
Decouples cloud provider metadata packages from kubernetes related code
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-08-29 16:07:55 +02:00
Thomas Tendyck
6b8a2a0063
remove image pull secret
2022-08-28 15:57:08 +02:00
Malte Poll
716ba52588
create on Azure: Allow toggling between CVMs / Trusted Launch VMs ( #401 )
2022-08-25 15:24:31 +02:00
Fabian Kammel
45beec15f5
AB#2360 enterprise build tag ( #397 )
...
* enterprise build switch to disable license checking in default (OSS) version
* remove community license quota
* empty image references on OSS build in config
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-25 14:06:29 +02:00
katexochen
35a5d34497
Remove legacy build tags
2022-08-24 14:56:30 +02:00
katexochen
e761c9bf97
Manually manage GCP service accounts
2022-08-24 11:44:05 +02:00
katexochen
d770957975
Add debugd ssh key distribution
2022-08-23 18:11:20 +02:00
katexochen
a02a46e454
Use multiple loadbalancers on GCP
2022-08-23 18:11:20 +02:00
katexochen
c2faa20d6e
Fix naming in state file
2022-08-23 18:11:20 +02:00
Moritz Eckert
94460654e7
Apply feedback for readme ( #389 )
...
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2022-08-23 13:46:06 +02:00
Malte Poll
ec548a6d17
Update image references for v1.5.0
2022-08-19 18:22:55 +02:00
Malte Poll
fdcdd5fb78
Update versions
2022-08-19 18:22:55 +02:00
Paul Meyer
0969ff4ac3
Fix tests and linting ( #370 )
...
* Fix license integration test
* Fix build tags in lint config
* Fix missing error checks
* Fix use of MarkNodeAsInitialized
* Fix attestation tests
* Add license integration test to cmake list
2022-08-17 13:50:43 +02:00
Fabian Kammel
82eb9f4544
AB#2299 License check in CLI during init ( #366 )
...
* license server interaction
* logic to read from license file
* print license information during init
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-08-16 16:06:38 +02:00
Fabian Kammel
170a8bf5e0
AB#2306 Public image sharing in Google ( #358 )
...
* document how to publicly share images in gcloud
* Write disclaimer in debugd
* Add disclaimer about debug images to contributing file
* Print debug banner on startup
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-16 15:53:54 +02:00
Malte Poll
abb4fb4f0f
Build GCP guest agent from github actions in constellation repo
2022-08-16 08:47:58 +02:00
Daniel Weiße
ba4471a228
AB#2316 Configurable enforced PCRs ( #361 )
...
* Add warnings for non enforced, untrusted PCRs
* Fix global state in Config PCR map
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-12 15:59:45 +02:00
3u13r
9478303f80
deploy cilium via helmchart ( #321 )
2022-08-12 10:20:19 +02:00
Malte Poll
2c7129987a
Deploy operator-lifecycle-manager (OLM), node-maintenance-operator (NMO) and constellation-node-operator
...
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-08-11 10:48:50 +02:00
Daniel Weiße
ab536ae3c8
AB#2278 Remove hardcoded values from config ( #346 )
...
* Update file handler to avoid incorrect usage of file.Option
* Remove hardcoded values
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-08 11:04:17 +02:00
Otto Bittner
129caae0e4
AB#2258: Fix flaky retry_test.go
...
Co-authored-by: <mp@edgeless.systems>
Co-authored-by: <pm@edgeless.systems>
2022-08-05 18:58:47 +02:00
Malte Poll
bf5816cc00
linter cleanup ( #344 )
...
* go fmt
* static check
2022-08-05 15:30:23 +02:00
Malte Poll
081dfb5037
Upgrade Azure SDK
...
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-08-05 10:35:38 +02:00
Daniel Weiße
4151d365fb
AB#2286 Return only primary IPs for instance metadata operations ( #335 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-04 11:08:20 +02:00
Malte Poll
d3435b06a2
AB#2283 Build CCM GCP from github actions in constellation repo ( #334 )
...
* Build CCM GCP from github actions in constellation repo
* Deploy correct version of GCP CCM
2022-08-03 11:46:11 +02:00
Otto Bittner
a13d1d8bd8
Bump coreos-img version
2022-08-03 08:06:05 +02:00
Otto Bittner
ba9555033d
Bump service-image versions to v1.4.0
2022-08-03 08:06:05 +02:00
Fabian Kammel
985585f578
fix linter issues ( #329 )
...
* fix linter issues
* replace fmt with logger
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2022-08-02 16:25:47 +02:00
Daniel Weiße
aa7fcce8af
Add configurable node disk type ( #317 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-02 12:24:55 +02:00
Fabian Kammel
050e8fdc4a
AB#2159 Feat/cli/fetch measurements ( #301 )
...
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-08-01 09:37:05 +02:00
Daniel Weiße
7baf98f014
Add test vectors for key derivation functions ( #320 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-01 09:11:13 +02:00
Daniel Weiße
e0ae4e1fe6
Bump kms, joinservice, and verification service image to latest ( #319 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-29 10:42:23 +02:00
Daniel Weiße
9a3bd38912
Generate random salt for key derivation on init ( #309 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-29 09:52:47 +02:00
Otto Bittner
5d87b48769
Bump image version
2022-07-28 09:57:11 +02:00
Otto Bittner
44b5e042ea
AB#2077: Kubernetes 1.22.12 support ( #302 )
...
* Necessary changes to build join-service image
* Reference new join-service image
Tested on GCP and Azure using microservice-demo.
2022-07-27 13:38:14 +02:00
Otto Bittner
83d2c7b6a3
AB#2077: add v1.24.3 support ( #298 )
...
This is a squashed commit.
* Necessary changes for 1.24 support. Trigger join-service build.
* Update joinservice version. Image was created
by manually triggered workflow, based on now squashed commit.
microservice-demo can be deployed successfully.
No errors during cluster setup.
2022-07-26 17:08:57 +02:00