miampf
f16ccf5679
rewrote packages
...
keyservice
joinservice
upgrade-agent
measurement-reader
debugd
disk-mapper
rewrote joinservice main
rewrote some unit tests
rewrote upgrade-agent + some grpc functions
rewrote measurement-reader
rewrote debugd
removed unused import
removed forgotten zap reference in measurements reader
rewrote disk-mapper + tests
rewrote packages
verify
disk-mapper
malicious join
bootstrapper
attestationconfigapi
versionapi
internal/cloud/azure
disk-mapper tests
image/upload/internal/cmd
rewrote verify (WIP with loglevel increase)
rewrote forgotten zap references in disk-mapper
rewrote malicious join
rewrote bootstrapper
rewrote parts of internal/
rewrote attestationconfigapi (WIP)
rewrote versionapi cli
rewrote internal/cloud/azure
rewrote disk-mapper tests (untested by me rn)
rewrote image/upload/internal/cmd
removed forgotten zap references in verify/cmd
rewrote packages
hack/oci-pin
hack/qemu-metadata-api
debugd/internal/debugd/deploy
hack/bazel-deps-mirror
cli/internal/cmd
cli-k8s-compatibility
rewrote hack/qemu-metadata-api/server
rewrote debugd/internal/debugd/deploy
rewrote hack/bazel-deps-mirror
rewrote rest of hack/qemu-metadata-api
rewrote forgotten zap references in joinservice server
rewrote cli/internal/cmd
rewrote cli-k8s-compatibility
rewrote packages
internal/staticupload
e2e/internal/upgrade
internal/constellation/helm
internal/attestation/aws/snp
internal/attestation/azure/trustedlaunch
joinservice/internal/certcache/amkds
some missed unit tests
rewrote e2e/internal/upgrade
rewrote internal/constellation/helm
internal/attestation/aws/snp
internal/attestation/azure/trustedlaunch
joinservice/internal/certcache/amkds
search and replace test logging over all left *_test.go
2024-02-08 13:14:14 +01:00
Moritz Sanft
a5021c52d3
joinservice: cache certificates for Azure SEV-SNP attestation ( #2336 )
...
* add ASK caching in joinservice
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use cached ASK in Azure SEV-SNP attestation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update test charts
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix typ
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make caching mechanism less provider-specific
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add `omitempty` flag
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* frontload certificate getter
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* rename frontloaded function
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* pass cached certificates to constructor
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix race condition
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix marshalling of empty certs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validator usage
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip] add certcache tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add certcache tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validator test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unused fields in validator
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix certificate precedence
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use separate context
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Remove unnecessary comment
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* use background context
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Use error format directive
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* `azure` -> `Azure`
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* improve error messages
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add x509 -> PEM util function
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use crypto util functions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix certificate replacement logic
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only require ASK from certcache
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix comment typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-29 14:29:50 +02:00
Daniel Weiße
2049713620
internal: move watcher package from internal to joinservice ( #2212 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-11 15:17:55 +02:00
Otto Bittner
1d5a8283e0
cli: use Semver type to represent microservice versions ( #2125 )
...
Previously we used strings to pass microservice versions. This invited
bugs due to missing input validation.
2023-07-25 14:20:25 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP as new variant ( #1900 )
...
* variant: move into internal/attestation
* attestation: move aws attestation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP
For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Daniel Weiße
d7a2ddd939
config: add separate option for handling attestation parameters ( #1623 )
...
* Add attestation options to config
* Add join-config migration path for clusters with old measurement format
* Always create MAA provider for Azure SNP clusters
* Remove confidential VM option from provider in favor of attestation options
* cli: add config migrate command to handle config migration (#1678 )
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-03 11:11:53 +02:00
Daniel Weiße
99b12e4035
internal: refactor oid package to variant package ( #1538 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 09:30:13 +02:00
Daniel Weiße
6ea5588bdc
config: add attestation variant ( #1413 )
...
* Add attestation type to config (optional for now)
* Get attestation variant from config in CLI
* Set attestation variant for Constellation services in helm deployments
* Remove AzureCVM variable from helm deployments
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-14 11:46:27 +01:00
Paul Meyer
ebf7dd8842
openstack: use metadata client where possible
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-08 09:04:57 -05:00
Malte Poll
fc33a74c78
constants: make VersionInfo readonly ( #1316 )
...
The variable VersionInfo is supposed to be set by `go build -X ...` during link time but should not be modified at runtime.
This change ensures the underlying var is private and can only be accessed by a public getter.
2023-03-01 11:55:12 +01:00
Paul Meyer
a8cbfd848f
keyservice: use dash in container name ( #1016 )
...
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-01-20 18:51:06 +01:00
Otto Bittner
90b88e1cf9
kms: rename kms to keyservice
...
In the light of extending our eKMS support it will be helpful
to have a tighter use of the word "KMS".
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
2023-01-16 11:56:34 +01:00
3u13r
f14af0c3eb
upgrade: support Kubernetes components ( #839 )
...
* upgrade: add Kubernetes components to NodeVersion
* update rfc
2023-01-03 12:09:53 +01:00
Leonard Cohnen
0c71cc77f6
joinservice: use configmap for k8s components
2022-12-02 14:34:38 +01:00
Daniel Weiße
5efe05d933
AB#2525 clean up unused code ( #504 )
...
* Rename Metadata->Cloud
* Remove unused methods, functions, and variables
* More privacy for testing stubs
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-15 10:31:55 +01:00
Daniel Weiße
f41c54e837
AB#2524 Refactor Azure metadata/cloud API ( #477 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-15 09:08:18 +01:00
Daniel Weiße
a07cab4b97
Update go-tpm dependency ( #533 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-14 09:02:56 +01:00
Daniel Weiße
c9873f2bfb
AB#2523 Refactor GCP metadata/cloud API ( #387 )
...
* Refactor GCP metadata/cloud API
* Remove cloud controller manager from metadata package
* Remove PublicIP
* Move shared cloud packages
* Remove dead code
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-09 14:43:48 +01:00
Leonard Cohnen
3aa0177333
join-service: add AWS attestation
2022-11-02 23:29:04 +01:00
Leonard Cohnen
7a6a0766e8
undefine more -v flags due to glog
2022-10-30 22:13:58 +01:00
katexochen
ba6e41ed5c
Upgrade go module to v2
2022-09-22 09:10:19 +02:00
Otto Bittner
405db3286e
AB#2386: TrustedLaunch support for azure attestation
...
* There are now two attestation packages on azure.
The issuer on the server side is created based on successfully
querying the idkeydigest from the TPM. Fallback on err: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42 )
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests
Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-05 12:03:48 +02:00
Thomas Tendyck
bd63aa3c6b
add license headers
...
sed -i '1i/*\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n*/\n' `grep -rL --include='*.go' 'DO NOT EDIT'`
gofumpt -w .
2022-09-05 09:17:25 +02:00
Malte Poll
26e9c67a00
Move cloud metadata packages and kubernetes resources marshaling to internal
...
Decouples cloud provider metadata packages from kubernetes related code
Signed-off-by: Malte Poll <mp@edgeless.systems>
2022-08-29 16:07:55 +02:00
Daniel Weiße
4151d365fb
AB#2286 Return only primary IPs for instance metadata operations ( #335 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-08-04 11:08:20 +02:00
Daniel Weiße
db79784045
AB#2200 Merge Owner and Cluster ID ( #282 )
...
* Merge Owner and Cluster ID into single value
* Remove aTLS from KMS, as it is no longer used for cluster external communication
* Update verify command to use cluster-id instead of unique-id flag
* Remove owner ID from init output
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-26 10:58:39 +02:00
Malte Poll
cce2611e2a
Simplify node lock and various small changes
...
Co-authored-by: Fabian Kammel <fabian@kammel.dev>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2022-07-14 17:25:18 +02:00
Malte Poll
260d2571c1
Only upload kubeadm certs if key is rotated
...
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
2022-07-14 17:25:18 +02:00
katexochen
66b573ea5d
Bootstrapper
2022-07-14 17:25:18 +02:00
katexochen
1af18e990d
Rename all activation
2022-07-14 17:25:18 +02:00
katexochen
2083d37b11
Create internal package for joinservice
2022-07-14 17:25:18 +02:00
katexochen
dc9e8e75df
Rename activation to joinservice
2022-07-14 17:25:18 +02:00