Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-09-20 08:15:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,668 Commits 131 Branches 43 Tags 105 MiB
f9458950cb
Commit Graph

411 Commits

Author SHA1 Message Date
Daniel Weiße
d52f3db2a3
AB#2644 Fetch measurements from CDN (#653) 
* Fetch measurements from CDN

* Perform metadata validation on fetched measurements

* Remove deprecated public bucket

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-28 10:27:33 +01:00
Leonard Cohnen
c978329839 helm: fix expected helm charts 2022-11-27 16:43:50 +01:00
Leonard Cohnen
865cd53856 helm: remove non-existent field in operator 2022-11-27 16:43:34 +01:00
Otto Bittner
18fe34c58b loader_test now compares all documents in one file 
Previously only the first document was compared due to
an issue in testify.
Also update testdata to match the adjusted expectations.
 2022-11-25 18:07:40 +01:00
Malte Poll
1af3ff00ad
Constellation Operator: Add image version field (#649) 2022-11-25 14:49:26 +01:00
Daniel Weiße
1968dfe70c
Add warning about non retriable error during init (#644) 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-25 10:02:12 +01:00
Daniel Weiße
67d0424f0e
AB#2639 Add functions to fetch k8s and helm version of Constellation (#637) 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-24 16:39:33 +01:00
Daniel Weiße
f8001efbc0
Refactor enforced/expected PCRs (#553) 
* Merge enforced and expected measurements

* Update measurement generation to new format

* Write expected measurements hex encoded by default

* Allow hex or base64 encoded expected measurements

* Allow hex or base64 encoded clusterID

* Allow security upgrades to warnOnly flag

* Upload signed measurements in JSON format

* Fetch measurements either from JSON or YAML

* Use yaml.v3 instead of yaml.v2

* Error on invalid enforced selection

* Add placeholder measurements to config

* Update e2e test to new measurement format

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-24 10:57:58 +01:00
Otto Bittner
da1af3f37e Fix type for cert-manager verbose flag 2022-11-23 18:37:36 +01:00
Malte Poll
575b6e93f6 CLI: use global image version field 
- Restructure config by removing CSP-specific image references
- Add global image field
- Download image lookup table on create
- Download QEMU image on QEMU create
 2022-11-23 15:47:46 +01:00
Otto Bittner
3e71459898 AB#2635: Deploy Konnectivity via Helm 2022-11-23 12:21:08 +01:00
Otto Bittner
7283eeb798 AB#2636: Deploy gcp-guest-agent via Helm 2022-11-23 12:21:08 +01:00
Otto Bittner
9b75d651fc Run cert-manager startupapicheck with verbose flag 2022-11-23 11:16:16 +01:00
Leonard Cohnen
1e98b686b6 kubernetes: verify Kubernetes components 2022-11-23 10:48:03 +01:00
Otto Bittner
2c9ddbc6e7 Remove unused LoadConfig type 2022-11-23 08:49:22 +01:00
Otto Bittner
6b2d9d16f8 Remove obsolote revive comments 2022-11-23 08:35:12 +01:00
renovate[bot]
d8c553207b
Update Terraform google to v4.44.0 (#622) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-22 14:30:40 +01:00
Daniel Weiße
b915d03487
AB#2615 Update docs to new CSI installation method (#606) 
* Update docs to new CSI installation method

* Fix invalid volume expansion option

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
 2022-11-22 09:36:08 +01:00
Otto Bittner
1362e40f53
Surpress argument-limit errors and add TODO. (#603) 2022-11-21 17:31:01 +01:00
Otto Bittner
adc09a1ad1
AB#2593: Deploy verification service via Helm (#594) 2022-11-21 17:06:41 +01:00
Daniel Weiße
1f9b6ba90f
Add debug logging for verify command (#610) 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-21 17:02:33 +01:00
Otto Bittner
bdd9dd922b
AB#2589: Deploy operators via Helm (#575) 
* Only deploy operators on GCP/Azure.
* cert-manager is now deployed by default (GCP/Azure)
* remove OLM
 2022-11-21 10:35:40 +01:00
Daniel Weiße
9aa9c1bb49
AB#2275 Add azuredisk CSI driver (#548) 
* Add azuredisk CSI driver

* Update Changelog

* Update chart using go generate

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-18 15:47:01 +01:00
renovate[bot]
54ef6d21f4
Update Terraform aws to v4.40.0 (#586) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-18 15:41:02 +01:00
renovate[bot]
86b03bf08e
Update Terraform azurerm to v3.32.0 (#588) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-18 14:57:34 +01:00
Malte Poll
9d4172002c Upgrade container images to Fedora 37 2022-11-18 10:37:45 +01:00
Malte Poll
74aabe86fa Move PCR[8] -> PCR[12] 2022-11-18 10:37:45 +01:00
Fabian Kammel
56dccb77b4
Merge back changes from v2.2.2 release (#580) 
* prepare v2.2.2 release and update release.md
* Updated QEMU measurements
* Terraform GCP: Always use the local account for resource creation (#571)
* CoreOS is no longer used, change docs to OS.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Malte Poll <mp@edgeless.systems>
 2022-11-18 10:24:45 +01:00
Daniel Weiße
b966f57a2f
AB#2554 GCP CSI driver deployment (#532) 
* Allow enabling/disabling of CSI driver through config

* Fix inconsistent namespace parsing

* Deploy GCP CSI driver on init

* Update invalid pod tolerations

* Add generate script for CSI charts

* Update generateCilium script

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-18 10:05:02 +01:00
Fabian Kammel
feae4a86bc
reserve enough time for stable tests (#564) 
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-17 17:30:35 +01:00
renovate[bot]
b7852665f3
Update Terraform google to v4.43.1 (#576) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-17 16:44:33 +01:00
Nils Hanke
6e5895f200 User-friendlier errors 2022-11-17 13:49:34 +01:00
Nils Hanke
e1d8926395 Terraform: Only rollback after we fully created the workspace 2022-11-17 13:49:34 +01:00
Nils Hanke
19fb6f1233 Make AWS vars passing consistent with other CSPs 2022-11-17 13:49:34 +01:00
Nils Hanke
158dfe0e2b Remove unused name parameter in CreateCluster 2022-11-17 13:49:34 +01:00
Nils Hanke
b9b618a1f0 Terraform: Try to init before destroy 2022-11-17 13:49:34 +01:00
Nils Hanke
f27af5b588 Terraform: Make variables writing retryable 2022-11-17 13:49:34 +01:00
Nils Hanke
e93527144e Terraform: Try to use existing files on partially unpacked workspace 2022-11-17 13:49:34 +01:00
Nils Hanke
4a2cba988c Create separate Terraform workspace directory 2022-11-17 13:49:34 +01:00
Malte Poll
df0cd43f92
Terraform GCP: Always use local account for resource creation (#571) 
* Terraform GCP: Always use local account for resource creation
* Update CHANGELOG
 2022-11-17 10:33:36 +01:00
Fabian Kammel
ca4764c466
Merge v2.2.1 changes back to main (#563) 
* Bump version to v2.2.0

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Fix release detection in pipeline

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Update CHANGELOG for 2.2.1

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

* bump constellation versions to 2.2.1

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-16 11:13:10 +01:00
Leonard Cohnen
d86d82d2d4 helm: go generate 2022-11-15 18:24:07 +01:00
Fabian Kammel
bb76a4e4c8
AB#2512 Config secrets via env var & config refactoring (#544) 
* refactor measurements to use consistent types and less byte pushing
* refactor: only rely on a single multierr dependency
* extend config creation with envar support
* document changes
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-15 15:40:49 +01:00
renovate[bot]
5009de823f
Update Terraform aws to v4.39.0 (#538) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-14 10:35:26 +01:00
renovate[bot]
7bcd4b2f73
Update Terraform azurerm to v3.31.0 (#539) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-14 10:34:54 +01:00
Daniel Weiße
a07cab4b97
Update go-tpm dependency (#533) 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-14 09:02:56 +01:00
Paul Meyer
7aa7492474 Fix shellcheck warnings 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-11 13:40:13 +01:00
Nils Hanke
db27a6a0dd Increase timeout for fetch-measurements 2022-11-11 11:38:50 +01:00
Fabian Kammel
b92b3772ca
Remove access manager (#470) 
* remove access manager from code base
* document new node ssh workflow
* keep config backwards compatible
* slow down link checking to prevent http 429
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-11 08:44:36 +01:00
Nils Hanke
d41174659b Print "Initializing cluster..." on stderr 2022-11-10 17:51:14 +01:00
Nils Hanke
bc584d61fa Switch spinner TTY detection to stderr 2022-11-10 17:51:14 +01:00
Fabian Kammel
81a5907f26
consistently use stdout and stderr (#502) 
* consistently use stdout and stderr
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-10 10:27:24 +01:00
Fabian Kammel
0d12e37c96
Document exported funcs,types,interfaces and enable check. (#475) 
* Include EXC0014 and fix issues.
* Include EXC0012 and fix issues.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
 2022-11-09 15:57:54 +01:00
Daniel Weiße
c9873f2bfb
AB#2523 Refactor GCP metadata/cloud API (#387) 
* Refactor GCP metadata/cloud API

* Remove cloud controller manager from metadata package

* Remove PublicIP

* Move shared cloud packages

* Remove dead code

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-09 14:43:48 +01:00
Malte Poll
97bb0f4a91
Update terraform lock files to include hashes for all platforms (#499) 
- linux_arm64
- linux_amd64
- darwin_arm64
- darwin_amd64
- windows_amd64
 2022-11-09 14:23:51 +01:00
renovate[bot]
9191f8ac61
Update Terraform docker to v2.23.0 (#495) 
* Update Terraform docker to v2.23.0
* Readd removed terraform lock hashes

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
 2022-11-09 13:35:17 +01:00
renovate[bot]
0e34d35404
Update Terraform google to v4.43.0 (#484) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-09 10:30:02 +01:00
renovate[bot]
b8acb5e448
Update Terraform aws to v4.38.0 (#464) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-08 18:34:45 +01:00
Daniel Weiße
011f9c597d
Bring in changes from release branch (#479) 
* Bump version to v2.2.0

* Update changelog

* Fix release detection in pipeline

* Fix PKI selection in pipeline

* Set enforced measurements for AWS

* Update default images

* Fix release docs

* Update mini-con defaults

* Fix measurements action

* Fix syft env variable naming

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-11-08 18:32:59 +01:00
Nils Hanke
ee55584b90 AWS: Apply security group to worker nodes 2022-11-08 11:22:06 +01:00
Malte Poll
41668d50c2 Add recovery loadbalancer on AWS 2022-11-08 00:07:04 +01:00
Nils Hanke
759c626e0f AWS: Don't expose SSH debugging ports on the LB 2022-11-07 13:57:22 +01:00
Malte Poll
fa6dfdff4f
Mark externally managed terraform resources to make infrastructure terraform appliable throughout its lifetime (#442) 
* Mark externally managed terraform resources to make infrastructure terraform appliable throughout its lifetime
* Use correct field for nat gateway

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-07 11:04:10 +01:00
Malte Poll
ed58fcccd3
CI: Add secure boot prod keys (#462) 
* Add production secure boot keys
* Refactor OS build and upload settings
 2022-11-04 16:48:52 +01:00
3u13r
309a4b5196
cli: remove debug env check for AWS (#460) 2022-11-04 15:31:51 +01:00
Fabian Kammel
04d0c770af
limit aws cluster name len (#454) 
* limit aws cluster name len down to 10, 32-character name limit in AWS
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
 2022-11-04 13:35:32 +01:00
Nils Hanke
19fd3a351a Make azureCVMRxp in upgradeplan.go case-insensitive 2022-11-04 12:57:24 +01:00
Nils Hanke
4d9fbdb3d3 CI: Use lowercase image name for fetching measurements 2022-11-04 12:57:24 +01:00
renovate[bot]
b89fae8062
Update Terraform azurerm to v3.30.0 (#452) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-04 12:34:03 +01:00
renovate[bot]
44b1a92d6b
Update fedora Docker digest to 455fec9 (#447) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Nirusu <Nirusu@users.noreply.github.com>
 2022-11-04 11:49:41 +01:00
renovate[bot]
f71073a77f
Update Terraform google to v4.42.1 (#434) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-11-04 10:14:13 +01:00
Otto Bittner
f164af29cf
AB#2583: deploy autoscaler via helm (#438) 2022-11-03 16:42:19 +01:00
Leonard Cohnen
0d0191ba4d aws: make CCM work 2022-11-02 23:29:04 +01:00
Leonard Cohnen
58d083a433 cli: pass AWS state disk type to terraform 2022-11-02 23:29:04 +01:00
Leonard Cohnen
dd007f4772 metadata: move subnetCIDR to InstanceMetadata 2022-11-02 23:29:04 +01:00
Leonard Cohnen
0cdc7886ee metadata: don't use podCIDR for Azure CCM setup 2022-11-02 23:29:04 +01:00
Leonard Cohnen
be2b38f2ac terraform: use HTTPS health check for AWS 2022-11-02 23:29:04 +01:00
Leonard Cohnen
7e385c4c86 terraform: use AWS launch templates 2022-11-02 23:29:04 +01:00
Leonard Cohnen
3dce7de0f1 helm chart loader: increase error verbosity 2022-11-02 23:29:04 +01:00
Leonard Cohnen
cc38506ffa cli: AWS does not use a service account 2022-11-02 23:29:04 +01:00
Leonard Cohnen
015b12d8ff attestation: use AWS attestation 2022-11-02 23:29:04 +01:00
Leonard Cohnen
37e8f5fc28 cilium: AWS support 2022-11-02 23:29:04 +01:00
Nils Hanke
8d097424a1 Remove separate function for yesFlag in terminate 2022-11-02 18:18:30 +01:00
Nils Hanke
ad871d1993 Prompt before termination 2022-11-02 18:18:30 +01:00
Nils Hanke
c922136cd4 Fix typos 2022-11-02 18:18:30 +01:00
Otto Bittner
e363f03240
AB#2582: deploy CNM via Helm (#423) 2022-11-02 17:47:10 +01:00
Leonard Cohnen
741684843c terraform: fix azure password constraints 2022-11-02 09:57:54 +01:00
Otto Bittner
30bdbd9b85
Add helm unittests (#380) 2022-10-31 19:25:02 +01:00
renovate[bot]
c9e6b4c5b6
Update Terraform azurerm to v3.29.1 (#405) 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-10-31 10:45:56 +01:00
Daniel Weiße
79f52e67cb
Update go-tpm-tools to fix AWS PCR selection (#390) 
* Update go-tpm-tools to fix AWS PCR selection

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Ignore leaking glog go routine

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-10-28 17:57:24 +02:00
Paul Meyer
86906ac536 Use atomic.Bool, added in Go 1.19 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-10-28 16:06:53 +02:00
Otto Bittner
091e3b2b2b AB#2538: deploy CCM via Helm 
Also move helmloader interface/stubs
 2022-10-27 18:12:47 +02:00
Otto Bittner
009b2e67e3 Use .Release.Namespace instead of namespace value 2022-10-27 18:12:47 +02:00
Nils Hanke
34f729ccd2 Case insensitive replace for every user input that could break azurerm 2022-10-27 11:35:14 +02:00
Daniel Weiße
e66cb84d6e
AB#2532 Dont clean up workspace if rollback fails (#360) 
* Dont clean up workspace if rollback fails

* Remove dependency on CSP from terminate

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
 2022-10-26 15:57:00 +02:00
Paul Meyer
c05b22f1dc
Remove dead code (#373) 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 2022-10-26 10:29:28 +02:00
Malte Poll
fa63e51370
Fix "enforceIdKeyDigest" capitalization (#369) 
* Fix "enforceIdKeyDigest" capitalization
* Convert "enforceIdKeyDigest" to string for config map
 2022-10-25 16:29:28 +02:00
Malte Poll
2d121d9243
Replace interface{} -> any (#370) 2022-10-25 15:51:23 +02:00
Malte Poll
7592143a69
Join-service helm chart: use correct casing for provider name (#368) 2022-10-25 13:21:27 +02:00
Malte Poll
52f140a968
Pin terraform provider hashes (#361) 2022-10-25 10:10:46 +02:00